cloyne / network

block spam from cloyne.org listserv #105

Closed sunnysideofthescreen closed 5 years ago

sunnysideofthescreen commented 7 years ago

there has been pretty obscene and unwanted emails to various cloyne.org listservs. see my spam box below:

[three screenshots, 2017-02-26]

ck2qsuZT commented 7 years ago

One issue is that a message was approved once and now spam bots know that it's a valid list. Besides that, there's not much we can do but blacklist email addresses. These messages are not going through though, they are asking for moderation and the unmoderated messages are being sent to spam by Google. The messages can be ignored if they're in your spam folder or marked as spam if they go to your inbox. Mostly it's just a matter of ignoring it. This is going to your br email right?

sunnysideofthescreen commented 7 years ago

these are going to my board rep email, but they go straight to my inbox (at least when i use apple mail). it is hard for me to ignore them since i am one of the few managers that actually moderate emails on our listserv, so i like to open all sympa emails.

please blacklist the emails that have been sending them thus far. you might have different reactions, but I find it particularly repulsive opening emails only to find cartoon nudes...

ck2qsuZT commented 7 years ago

I'm not undermining how disturbing it is but there's also not much that I can do, there are so many emails sending spam that we can't really moderate/blacklist it on our own. Maybe there are some established blacklists that we could import and I'll look into that but even then a lot are still going to slip through. Usually just the email from address and the subject are enough information to moderate it, if you have any doubts about a particular email then let someone else moderate it. I wish I could give better advice / do more than say ignore it but that's how spam works, when the spammer's email gets blacklisted, they just use a new email.

mitar commented 7 years ago

So it seems sender e-mails are changing all the time. Is there anything which is not changing? Is there any text snippet which is the same in all e-mails?

One solution could be that any e-mail which is coming from an address (@outlook.com OR @sbcglobal.net) AND is not subscribed to a target mailing list, is automatically dropped.

mitar commented 7 years ago

So I configured *@sbcglobal.net to be blacklisted on the following mailing lists/files:

/srv/sympa/data/list_data/hack-news/search_filters/blacklist.txt
/srv/sympa/data/list_data/clones.2015s/search_filters/blacklist.txt
/srv/sympa/data/list_data/alumni/search_filters/blacklist.txt
/srv/sympa/data/list_data/clones/search_filters/blacklist.txt

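Those will be quietly rejected automatically (https://www.sympa.org/manual/authorization-scenarios#blacklist_implicit_rule).

For outlook.com we could do something similar, but then no sender to the mailing list can be from there.

Alternatively, we can define a custom more complicated scenario (https://www.sympa.org/manual/authorization-scenarios#custom_perl_package_conditions).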

Or, if we find any fixed string in body, we can filter based on that. Or is there something fixed in subjects? Those are simpler to use in rules and we can just use some of existing conditions. But we will have to create a custom scenario, probably extending the current one with a new first rule to reject quietly those e-mails. Similar to the blacklist rule.
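
Added example (not part of the thread and not Sympa's own code): a Python model of the two rules discussed in the comments above, the `*@sbcglobal.net` blacklist entry and the proposed "listed domain AND not subscribed" drop. The function names, action labels and sample addresses are assumptions made for illustration, and it assumes the sender is taken from the From: header.

```python
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed sample data. The pattern uses the "*@domain" form quoted in the thread.
BLACKLIST = ["*@sbcglobal.net"]
# Domains from the proposed rule: dropped only when the sender is not subscribed.
UNSUBSCRIBED_DROP_DOMAINS = {"outlook.com", "sbcglobal.net"}


def sender_of(raw_message):
    """Return the lower-cased address from the From: header, or '' if absent."""
    msg = message_from_string(raw_message)
    # parseaddr separates the display name from the address, so a display
    # name that looks like a member address does not influence the result.
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.strip().lower()


def decide(raw_message, subscribers, blacklist=BLACKLIST):
    """First matching rule wins: 'reject_quiet' or 'pass_to_scenario'."""
    sender = sender_of(raw_message)
    if "@" not in sender:
        return "pass_to_scenario"  # unparseable sender: leave it to moderators
    # Rule 1: blacklist patterns, rejected without notifying the sender.
    if any(fnmatchcase(sender, pat.lower()) for pat in blacklist):
        return "reject_quiet"
    # Rule 2: listed domain AND not subscribed to the target list.
    domain = sender.rsplit("@", 1)[1]
    members = {s.lower() for s in subscribers}
    if domain in UNSUBSCRIBED_DROP_DOMAINS and sender not in members:
        return "reject_quiet"
    return "pass_to_scenario"


def mail(from_header):
    """Build a constructed test message with the given From: header."""
    return f"From: {from_header}\nSubject: constructed sample\n\nbody\n"


if __name__ == "__main__":
    subs = {"member@outlook.com"}
    for frm in ["x1@sbcglobal.net", "Member@Outlook.com",
                '"member@outlook.com" <x2@outlook.com>', "friend@example.org"]:
        print(f"{frm!r:45} -> {decide(mail(frm), subs)}")
```

The From: header is not authenticated, so rule 2 only holds against senders who do not forge a subscriber's address; everything that passes still goes through the list's existing scenario and moderation.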

sunnysideofthescreen commented 7 years ago

thanks for doing something about this, i appreciate it. let’s hope this helps!

ck2qsuZT commented 7 years ago

http://spamassassin.apache.org/

I'll look into this a bit more. Blocking sbcglobal by domain is probably fine because it's such a niche email provider but Outlook is harder since actual members send to the list from different emails, including ones not registered, and apparently a few people use Outlook.

Another interesting thing is that some of these messages get caught by Gmail spam filters in some manager accounts but not others. Also some managers' spam filters just catch all sympa moderation requests, even actual ones.

mitar commented 7 years ago

We do not need a spam assassin. We do not want to be in the place where we want to do our own spam filtering (what about false positives?). Because for now e-mails seem to follow some patterns, we can just hard-code to them.

mitar commented 7 years ago

So what is the state of this? How much spam is coming?

sunnysideofthescreen commented 7 years ago

a couple a day, sometimes more.

one old member definitely has a phished email account, she sends a lot: donyayazdi@yahoo.com. maybe we can permanently block that account?

mitar commented 7 years ago

> a couple a day, sometimes more.

Are they of the same kind? Like same sender? Like we saw before? That could be easier to filter.

> one old member definitely has a phished email account, she sends a lot: donyayazdi@yahoo.com. maybe we can permanently block that account?

That is probably fake anyway, it is not necessary that she was hacked. But yes, we could just limit any e-mail saying that it is from this address.

sunnysideofthescreen commented 7 years ago

> Are they of the same kind?

Not verbatim, but they are all generally along the lines of promoting viagra (or something of the like) or prostitution-type deals.

Truly, Kelly

mitar commented 7 years ago

With "kind" I was more asking if there is some simple pattern to it. Like the one you observed for donyayazdi@yahoo.com. Do those others have some pattern like that?

sunnysideofthescreen commented 7 years ago

hmmm not sure. can you take a look yourself? :)

mitar commented 7 years ago

I think I will leave to the network manager to do so. ;-)