If you’ve been using SpamAssassin and have been reporting to SpamCop then you’ll have found overnight that you got a heap of bounces back saying things like:
<firstname.lastname@example.org> (expanded from
<email@example.com>): unknown user: "devnull"
It turns out that the firstname.lastname@example.org appears to be something that the SpamAssassin developers set without consulting with SpamCop, and SpamCop have just been blackholing those reports for an unknown amount of time. Last night it went away and so now IronPort are rejecting them which was how I learnt of this. I’m not impressed by what the SA developers did her, it should have required you to put in a registered SpamCop address and not reported if that wasn’t set.
I’ve disabled my SpamCop reporting by commenting out this line in /etc/mail/spamassassin/v310.pre on my Debian mailserver:
If you use SpamAssassin and don’t have a registered SpamCop account you’ll want to do the same.
Of course you must be sure to read the disclaimer..
DISCLAIMER: The Kogan “Portector” Internet Filter is not a real product. This product is in no way affiliated with Communications Minister Stephen Conroy, The Australian Labor Party, or the Australian Government. Incorrect use may result in uncensored Internet content, freedom of speech, freedom of choice, freedom of thought, and protection of your civil liberties.
I’ve just spent a bit of time fixing up a fairly simple bug that was preventing Rich Boakes’s “Worst Offenders” plugin (( This plugin classifies your Akismet spam queue by various criteria to let you do bulk deletes for comments matching various criteria )) from working in current WordPress versions (basically it was assuming it had created a submenu somewhere it wasn’t) and merged my branch back into trunk to check the content of comments for a list of bad words. No release yet, this is just in trunk, but if you are feeling adventurous you can go into your WordPress’s wp-content/plugins directory and do:
svn co http://plugins.svn.wordpress.org/worst-offenders/trunk/ worst-offenders
Of course make sure you’ve nuked any earlier version of Worst Offenders first!
Update: removed the link to the SpamAssassin announcement as the link isn’t permanent!
In case you’ve not noticed – SpamAssassin had a nasty Y2K10 bug which had been fixed months ago but the fix never got pushed out into a release or updates.
Those of you using SpamAssassin to filter your mail may want to watch things a bit more closely than usual; it seems that current versions still include the rule known as FH_DATE_PAST_20XX, which adds 2-3 points to any message with a 2010 date in the headers. Surprisingly enough, such dates have suddenly become common, with the result that SpamAssassin may be generating more false positives than usual.
The fix is now included in the updates pushed out by sa-update, run it with -D to get debug output and check you’ve picked up 895075 or later. You’ll see it say:
 dbg: dns: 5.2.3.updates.spamassassin.org => 895075, parsed as 895075
If you’re running Zimbra then you’ll need to fix this manually, in the VPAC install (5.0.x) I changed a line in /opt/zimbra/conf/spamassassin/72_active.cf from:
header FH_DATE_PAST_20XX Date =~ /20[1-9][0-9]/ [if-unset: 2006]
header FH_DATE_PAST_20XX Date =~ /20[2-9][0-9]/ [if-unset: 2006]
The other alternative is to set the score of the rule to 0 in your local.cf file:
score FH_DATE_PAST_20XX 0.0
Then go hunting for legitimate email in your spam folder (I’m lucky enough that none got picked up).
To speed up the process, you are required to call us at our free toll free number (+61) 731-235-996 to verify your Commonwealth Maestro Card.
First time I’ve seen a phishing attack that uses (presumably VOIP) phone numbers (in this case allocated to GoTalk in Brisbane, they own 0731230000 to 0731239999 according to the search you can do here) rather than a web site (though I suspect it’s been around for a while).
US-CERT has a form for reporting security incidents – I wanted to report a .gov system that had been hacked and used as part of a phishing scam but cannot because it won’t accept my Australian phone number! Sigh..
The email to the technical contact in WHOIS will have to be sufficient then.
The WordPress UI balked at deleting 194,000 (okay, I ignored it for a while) comment spams. I had to dig in as admin and run a fun sql query on the database to delete all 47 meg of them.
I guess I’ve got a couple of suggestions for Michael to make his life a little easier should he decide to try again.
Akismet has an option to “Automatically discard spam comments older than a month“, that might help (though it’d be nice to be able to adjust the time).
Run, do not walk, to Rich Boakes most excellent Worst Offenders plugin. This will both group comments for deletion based on various criteria but also (if you have permission) add Apache “Deny From” rules for the offending IP addresses. It’s also worth bumping the number of IP addresses it can ban up, Donna’s blog is up to over 8,000 at the moment!