Spam flooding recent days - SpamAssassin


  1. Spam flooding recent days

    Hello,

    I've noticed a huge increase of spam rate in the past 2-3 weeks. Most of
    them are messages with some quite normal Subject:, often (but not necessarily)
    referring to some fake event (i.e. some politician stabbed to death) and
    there's only a link, sometimes together with a single sentence, in the
    body. How to fight this? Bayes doesn't catch this much, perhaps because
    these messages contain little text.

    I don't have an example of a message of exactly this kind at this moment, but
    this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an
    easier case, but most of these spams don't refer to viagra and usually
    score BAYES_50 (max) and nothing more.

    X-Spam-Level: ***
    X-Spam-Status: No, score=3.6 required=3.9 tests=BAYES_50,DRUGS_ERECTILE,
    HTML_MESSAGE autolearn=no version=3.2.5
    [...]
    Received: from 190-95-40-158.bk18-dsl.surnet.cl
    (190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])
    by xxxxxxxx (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
    for ; Mon, 21 Jul 2008 19:00:29 +0200
    Message-ID: <6AB62D6CDA3697D208CCF8968D13911D@alltel.net>
    From: "World Pharmacy -A22 " <{WORLDPHARMACY}@alltel.net>
    Subject: Sale on all items.. viagra for $1
    Date: Mon, 21 Jul 2008 17:00:32 GMT
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="-------=_NextPart_191_031A_0000040D.00007EC0"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-MimeOLE: Microsoft MimeOLE V6.00.2900.2527

    see site

  2. Re: Spam flooding recent days

    On Mon, 21 Jul 2008, Michał Jęczalik wrote:

    > Hello,
    >
    > I've noticed a huge increase of spam rate in the past 2-3 weeks. Most of
    > them are messages with some quite normal Subject:, often (but not necessarily)
    > referring to some fake event (i.e. some politician stabbed to death) and
    > there's only a link, sometimes together with a single sentence, in the
    > body. How to fight this? Bayes doesn't catch this much, perhaps because
    > these messages contain little text.
    >
    > I don't have an example of a message of exactly this kind at this moment, but
    > this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an
    > easier case, but most of these spams don't refer to viagra and usually
    > score BAYES_50 (max) and nothing more.
    >
    > X-Spam-Level: ***
    > X-Spam-Status: No, score=3.6 required=3.9 tests=BAYES_50,DRUGS_ERECTILE,
    > HTML_MESSAGE autolearn=no version=3.2.5
    > [...]
    > Received: from 190-95-40-158.bk18-dsl.surnet.cl
    > (190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])
    > by xxxxxxxx (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
    > for ; Mon, 21 Jul 2008 19:00:29 +0200
    > Message-ID: <6AB62D6CDA3697D208CCF8968D13911D@alltel.net>
    > From: "World Pharmacy -A22 " <{WORLDPHARMACY}@alltel.net>
    > Subject: Sale on all items.. viagra for $1
    > Date: Mon, 21 Jul 2008 17:00:32 GMT
    > MIME-Version: 1.0
    > Content-Type: multipart/alternative;
    > boundary="-------=_NextPart_191_031A_0000040D.00007EC0"
    > X-Priority: 3
    > X-MSMail-Priority: Normal
    > X-MimeOLE: Microsoft MimeOLE V6.00.2900.2527
    >
    > see site
    >

    First thing, do you have network tests turned off? That IP address
    hit 5 different DNSBL lists here, some of which we use at the SMTP
    level, so that message would not even have made it in our front door.
    (I realize that it might not have been listed earlier today.)

    Install the BOTNET plugin, it will add points to those PC-on-DSL/CABLE
    clients, even before they get listed in DNSBLs.

    I'm guessing that the kind of message you are referring to looks more
    like:

    Date: Mon, 21 Jul 2008 11:49:04 +0200
    From: Froskary
    To: YYYYYY@icaen.uiowa.edu
    Subject: CNN Wire: Obama arrives in Iraq

    B-52 bomber crashes off island of Guam
    http://pelledilunaaXXXXX.it/begin.html

    These are not strictly speaking spam, they're actually trojan
    bot messages attempting to get people to download a trojan
    onto their PCs. (If you are foolish enough to read that message
    on a PC and click on that link, you are pOwn3d.)

    Those things seem to regularly hit BOTNET, DNSBLs like Spamhaus &
    abuseat-CBL, and the URLs tend to get listed in SURBL/URIBL.


    --
    Dave Funk University of Iowa
    College of Engineering
    319/335-5751 FAX: 319/384-0549 1256 Seamans Center
    Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
    #include
    Better is not better, 'standard' is better. B{
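As an added example (not code from the thread, from Dave, or from SpamAssassin itself), the script below reproduces the three checks his reply leans on: the connecting client IP is taken from the topmost Received: header and looked up in IP DNSBLs in the reversed-octet form, the hostnames of URLs in the body are looked up in URI lists, and the "news headline plus a bare link" body shape the thread describes is flagged. The zone names are the lists the reply mentions (Spamhaus, abuseat CBL, SURBL, URIBL); the sample message, the `bot-lure.example.invalid` host, the `LISTED` answers that stand in for DNS and the point weights are all constructed for the demonstration, and `LINK_ONLY_BODY` is a heuristic of mine, not a SpamAssassin rule.

```python
"""Added example, not code from the thread or from SpamAssassin.

DNS is passed in as a callable so the example runs offline; the
sample message, the LISTED answers and the weights are constructed.
"""
import re
import socket
from email import message_from_string
from email.message import Message
from ipaddress import ip_address
from urllib.parse import urlparse

# The lists Dave's reply names. Any DNSBL/URIBL zone is queried the same way.
IP_ZONES = ("zen.spamhaus.org", "cbl.abuseat.org")
URI_ZONES = ("multi.surbl.org", "multi.uribl.com")

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def client_ip(msg: Message):
    """IPv4 address in square brackets in the first (topmost) Received: header."""
    for received in msg.get_all("Received", []):
        m = RECEIVED_IP.search(received)
        if m:
            return m.group(1)
    return None


def dnsbl_queries(ip: str, zones=IP_ZONES):
    """190.95.40.158 -> 158.40.95.190.<zone>: the reversed-octet DNSBL form."""
    rev = ".".join(reversed(ip_address(ip).exploded.split(".")))
    return [f"{rev}.{zone}" for zone in zones]


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts (walk() also covers single-part mail)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def uribl_queries(text: str, zones=URI_ZONES):
    """<host>.<zone> for every distinct URL host in the body.
    Real URIBL clients first reduce the host to its registered domain;
    that step is left out here to keep the example self-contained."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return [f"{h}.{z}" for h in sorted(h for h in hosts if h) for z in zones]


def link_only_body(text: str) -> bool:
    """The shape the thread describes: at most a few lines, one of them a URL."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return 0 < len(lines) <= 3 and any(URL_RE.search(ln) for ln in lines)


def dns_resolve(name: str) -> bool:
    """Live lookup: a DNSBL answers with an A record when listed, NXDOMAIN otherwise."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


WEIGHTS = {"RCVD_IN": 2.0, "URI_IN": 2.5, "LINK_ONLY_BODY": 1.0}  # constructed


def score(raw_message: str, resolve=dns_resolve):
    """Return (total, hits); resolve(name) says whether a query name is listed."""
    msg = message_from_string(raw_message)
    hits = []
    ip = client_ip(msg)
    if ip:
        hits += [("RCVD_IN", q) for q in dnsbl_queries(ip) if resolve(q)]
    text = body_text(msg)
    hits += [("URI_IN", q) for q in uribl_queries(text) if resolve(q)]
    if link_only_body(text):
        hits.append(("LINK_ONLY_BODY", ""))
    return round(sum(WEIGHTS[k] for k, _ in hits), 1), hits


# Constructed sample in the shape of the message Dave quotes; the client IP is
# the one from the thread, the URL host is a placeholder.
SAMPLE = """\
Received: from 190-95-40-158.bk18-dsl.surnet.cl (190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])
\tby mx.example.invalid (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
\tfor <user@example.invalid>; Mon, 21 Jul 2008 19:00:29 +0200
From: Froskary <froskary@example.invalid>
Subject: CNN Wire: Obama arrives in Iraq
Content-Type: text/plain

B-52 bomber crashes off island of Guam
http://bot-lure.example.invalid/begin.html
"""

# Constructed answers standing in for DNS, so the example runs offline.
LISTED = {
    "158.40.95.190.zen.spamhaus.org",
    "158.40.95.190.cbl.abuseat.org",
    "bot-lure.example.invalid.multi.surbl.org",
}


def fake_resolve(name: str) -> bool:
    return name in LISTED


if __name__ == "__main__":
    total, hits = score(SAMPLE, fake_resolve)
    print(total, hits)
```

Dropping the `fake_resolve` argument makes `score` use the live `dns_resolve`, which is what the RCVD_IN_* and URIBL_* rules in SpamAssassin do, and why those rules stay silent when network tests are disabled, the first thing the reply asks about.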


  3. Re: Spam flooding recent days

    On Mon, 2008-07-21 at 22:50 +0200, Michał Jęczalik wrote:
    > Hello,
    >
    > I've noticed a huge increase of spam rate in the past 2-3 weeks. Most of
    > them are messages with some quite normal Subject:, often (but not necessarily)
    > referring to some fake event (i.e. some politician stabbed to death) and
    > there's only a link, sometimes together with a single sentence, in the
    > body.


    This sounds like ratware spreading phishes to me. Well, based on the
    vague and fuzzy description, anyway. Nicely caught by ClamAV with
    SaneSecurity phish sigs, and never even being processed by SA here.

    I personally don't really see them as spam, though, but malware
    distribution mail. Hence the dropping with ClamAV.

    However, they seem to be generated by the very same software. In every
    backscatter wave, I do see a lot of these, too. Also, by pure collateral
    coincidence (I was investigating low-scoring spam), I might be cooking
    up a rule that does hit on these. Needs some more investigation the next
    days, though.


    > How to fight this? Bayes doesn't catch this much, perhaps because
    > these messages contain little text.


    See above, maybe. Other than that -- no example, no hint how to stop
    them.


    > I don't have an example of a message of exactly this kind at this moment, but
    > this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an
    > easier case, but most of these spams don't refer to viagra and usually
    > score BAYES_50 (max) and nothing more.


    This example seems to be unrelated to the one described initially, IMHO.
    It is a real spam, selling drugs.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
    (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
