Nick wrote:

Seems to be a very sophisticated campaign - of which at least 90% so far are coming from clean domains/clean IPs. Maybe someone (Matt?) can figure out some sort of pattern we can target from the spamware?


I could code up a quick external test in VBScript that would capture this stuff regardless of the subject or the exact payload, but I'm not going to bother for the time being because the subject filters are working nicely and I didn't get any reports of leakage yet. My recollection of the same guys doing this last year was that it was short-lived and it might go away as soon as it appears. The subject filters are also a good way to catch the backscatter (use a CONTAINS filter).

Sniffer seems to be catching most if not all of it and it also seems to always fail HELOBOGUS because the HELO is randomized. I have another filter that adds more points when both occur at the same time (along with many other patterns), so I don't think that this stuff is getting through so long as I get Sniffer hitting it or they just so happen to hit a valid HELO when randomizing. With the volumes that they are pushing out, almost all of the source IPs will end up SpamCopped or CBL'd quite quickly. Their generally clean IPs early on are likely the result of using newly infected Sober zombies that are fresh enough to have not yet been used for spamming.

I have also noted that most of the addresses being used are non-existent, so if people have nobody aliases, they should strongly consider removing them, or if they have gateways that aren't doing address validation, this should be a kick in the pants to do so. There are clearly massive dictionary attacks involved with this.

Matt

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
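The combination scoring and the recipient-validation point Matt describes, worked through as an added example that is not from the list or from Declude: a randomized-HELO check, a subject CONTAINS match and an unknown-recipient check each add points, a "both at once" rule adds more, and a per-source tally of non-existent recipients flags dictionary runs. The HELO heuristic (a syntactic hostname check), the test names, point values, phrases, directory and sample traffic are all assumed and constructed here, not Declude's own tests or weights.

```python
import re
from collections import defaultdict

# Constructed phrases and directory stand in for a real CONTAINS filter and
# a real recipient list; test names and point values are assumed, not Declude's.
SUBJECT_PHRASES = ["your account", "password reset"]
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def helo_bogus(helo: str) -> bool:
    """Assumed stand-in for HELOBOGUS: the name is not a well-formed hostname (random labels, bare words)."""
    return FQDN_RE.match(helo.strip()) is None

def subject_hit(subject: str) -> bool:
    """CONTAINS-style match: any configured phrase anywhere in the subject, case-insensitive."""
    s = subject.lower()
    return any(p in s for p in SUBJECT_PHRASES)

def recipient_exists(rcpt: str) -> bool:
    return rcpt.lower() in VALID_RECIPIENTS

def score(msg: dict) -> tuple[int, list[str]]:
    """Weight one message: each test adds points, and a combination rule adds more when both fire."""
    fired, points = [], 0
    if helo_bogus(msg["helo"]):
        fired.append("HELOBOGUS"); points += 5
    if subject_hit(msg["subject"]):
        fired.append("SUBJECT"); points += 10
    if not recipient_exists(msg["rcpt"]):
        fired.append("RCPT-UNKNOWN"); points += 3
    if "HELOBOGUS" in fired and "SUBJECT" in fired:
        fired.append("HELOBOGUS+SUBJECT"); points += 15  # both at once is much stronger evidence
    return points, fired

def dictionary_attack_sources(msgs, min_attempts=3, bad_ratio=0.8) -> list[str]:
    """Source IPs whose RCPT TO addresses are mostly non-existent: the signature of a dictionary run."""
    counts = defaultdict(lambda: [0, 0])  # ip -> [attempts, unknown recipients]
    for m in msgs:
        c = counts[m["ip"]]
        c[0] += 1
        if not recipient_exists(m["rcpt"]): c[1] += 1
    return sorted(ip for ip, (n, bad) in counts.items() if n >= min_attempts and bad / n >= bad_ratio)

# Constructed sample traffic: one zombie hammering unknown mailboxes, one legitimate sender.
SAMPLE = [
    {"ip": "203.0.113.5", "helo": "xkqvpz", "subject": "Your account has been limited", "rcpt": "qwerty@example.com"},
    {"ip": "203.0.113.5", "helo": "hrtmw", "subject": "Password reset required", "rcpt": "jsmith@example.com"},
    {"ip": "203.0.113.5", "helo": "bnqlo", "subject": "Your account notice", "rcpt": "mmiller@example.com"},
    {"ip": "198.51.100.7", "helo": "mail.partner.example.net", "subject": "Q3 invoice", "rcpt": "bob@example.com"},
]
```

Running `score()` over `SAMPLE` gives the three zombie messages 33 points each and the legitimate one 0, and `dictionary_attack_sources(SAMPLE)` returns only the zombie's address.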

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
