Day Old Bread/Spammers - SpamAssassin

  1. Day Old Bread/Spammers

    I'm getting dozens of emails daily from a few different spammers. The emails
    consistently are graphic based, but the graphics are html img refs and not consistent
    names - the last image in each one is their send mail to this address to be removed (or
    actually to guarantee even MORE spam).

    One is from "Wagonjumpers" another is from some address in Florida (those images in the
    spam are consistent). Each day, it seems they set up a few new hostnames, and start
    spamming. We immediately (upon notification from our users) add that hostname to our
    access denied list, since they are spammer addresses, but is there an easier way to
    trap the email?

    I know that the various img evaluation plugins & image ocr plugins do not appear to
    work, since they don't download referenced images.

    --Will


  2. Re: Day Old Bread/Spammers

    Could you give an example? Are these newly registered top level domains
    spotted in the body of the spams?

    Rob McEwen

    Mailing Lists wrote:
    > I'm getting dozens of emails daily from a few different spammers. The emails
    > consistently are graphic based, but the graphics are html img refs and not consistent
    > names - the last image in each one is their send mail to this address to be removed (or
    > actually to guarantee even MORE spam).
    >
    > One is from "Wagonjumpers" another is from some address in Florida (those images in the
    > spam are consistent). Each day, it seems they set up a few new hostnames, and start
    > spamming. We immediately (upon notification from our users) add that hostname to our
    > access denied list, since they are spammer addresses, but is there an easier way to
    > trap the email?
    >
    > I know that the various img evaluation plugins & image ocr plugins do not appear to
    > work, since they don't download referenced images.
    >
    > --Will
    >
    >



  3. Re: Day Old Bread/Spammers

    Mailing Lists wrote:
    > Here's today's first WagonJumper's email ... the domain has a registry date back in
    > October 2007.
    >
    > One of the bottom img src tags is the WagonJumper's logo img. I'd love to find a way
    > to be able to scan those imgs - but since they are image refs, and not embedded - that
    > doesn't occur.
    >
    >>From nicepay@contagiousensemble.com Thu Jul 3 06:36:24 2008

    > Return-Path:
    > X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on myhost
    > X-Spam-Level: *****
    > X-Spam-Status: No, score=5.4 required=8.0 tests=DCC_CHECK,DIGEST_MULTIPLE,

    ^^^^^^^^^^^^^^^^^^^^^^
    SA's core ruleset, and many of the addon rulesets, are targeted at a
    threshold of 5.

    I only run a higher threshold on role accounts that I *know* tend to
    receive spammy content (like, oh, say, forwarded missed spams).

    From the core filter cluster here (watch for linewrap):

    X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on *.vianet.ca
    X-Spam-Level: ******
    X-Spam-Status: Yes, score=6.1 required=5.0
    tests=BAYES_95=3,HTML_MESSAGE=0.001,
    SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,TO_MALFORMED=1.17,URIBL_BLACK=1.955
    autolearn=no version=3.2.4
    X-Spam-Report:
    * 1.2 TO_MALFORMED To: has a malformed address
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * -0.0 SPF_PASS SPF: sender matches SPF record
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
    * [score: 0.9756]
    * 2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    * [URIs: contagiousensemble.com]

    > HTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,
    > RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,SPF_PASS
    > autolearn=disabled version=3.2.4


    Hmm. I don't see Bayes in your score list, do you have it disabled?
    I'd say Bayes is a must if you're running a non-default threshold.

    -kgd
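
Added example, not part of the thread: a Python check that parses an X-Spam-Status header and reports the two points raised in the last reply, a required score other than the default of 5 and no BAYES_* rule among the tests. The function name and the sample message are constructed for illustration; the header values are the ones quoted above, with the wrapped test names rejoined.

```python
import re
from email import message_from_string

DEFAULT_REQUIRED = 5.0  # threshold the thread says SA's rulesets are tuned for

# Constructed input: the poster's headers as quoted in the thread, with the
# wrapped test names rejoined and a dummy subject/body added.
POSTER_MSG = (
    "X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on myhost\n"
    "X-Spam-Level: *****\n"
    "X-Spam-Status: No, score=5.4 required=8.0 tests=DCC_CHECK,DIGEST_MULTIPLE,\n"
    "\tHTML_MESSAGE,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,\n"
    "\tRAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,SPF_HELO_PASS,SPF_PASS\n"
    "\tautolearn=disabled version=3.2.4\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def audit_spam_status(raw_message):
    """Parse X-Spam-Status and report the two issues raised in the thread."""
    header = message_from_string(raw_message).get("X-Spam-Status")
    if header is None:
        return None
    # Unfold the header, then close the gaps that folding leaves after commas.
    flat = re.sub(r",\s+", ",", " ".join(header.split()))
    score = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", flat)
    required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", flat)
    tests = re.search(r"\btests=(\S*)", flat)
    if not (score and required):
        return None
    score, required = float(score.group(1)), float(required.group(1))
    # Rule names may carry "=points" (as in the second header in the thread).
    names = [t.split("=", 1)[0] for t in (tests.group(1).split(",") if tests else [])]
    names = [n for n in names if n and n != "none"]
    return {
        "verdict": flat.split(",", 1)[0],
        "score": score,
        "required": required,
        "non_default_threshold": required != DEFAULT_REQUIRED,
        "spam_at_default": score >= DEFAULT_REQUIRED,
        "bayes_rule_hit": any(n.startswith("BAYES_") for n in names),
        "tests": names,
    }

if __name__ == "__main__":
    for key, value in audit_spam_status(POSTER_MSG).items():
        print(f"{key}: {value}")
```

On the poster's header this reports a "No" verdict for a message that scores above the default threshold, and no BAYES_* rule among the nine tests that fired.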

