I agree with Andrew's #6

6) Not that *I* would do such a thing, but if *one* were to strobe the
/24 netblock that the message came from, you would see definite patterns
in the naming conventions and could certainly predict how the spammer is
going to change his domain names for the next spam runs.


----- Original Message -----
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To: <Declude.JunkMail@declude.com>
Sent: Friday, September 02, 2005 1:16 PM
Subject: RE: [Declude.JunkMail] Suggestions on catching a spam message?


Welcome to the list, Dave!

Sometimes the bad guys win.  Like virus detection, spam detection is
mostly a matter of reacting to the bad guys and blocking them, so they
do get some in.

If you try to achieve 100% spam blocking, you will devote your life to
it and you'll burn out after spending too much time finding false
positives and dealing with the resultant customer complaints.

A couple of points about this particular message:

1) I got one copy of it in my organization, too.  It scored 15 of 20 so
it passed.  The recipient didn't complain.

2) At the time it came in, the netblock was clean.  SPEWS2 is the only
RBL I know of that listed it at that point, and it still does.  Nobody
who has customers uses SPEWS2 to fight spam.  Most don't use SPEWS1 for
that matter.  There's been a thread about this in the last few days.

3) Sniffer hadn't seen the message yet, so it didn't trigger either.  I
still recommend Sniffer.

4) URI blacklisting hadn't seen the message yet, so it didn't trigger
either.  I still recommend URI blacklisting.

5) Snips of text like "-mydomain.com?" and "myaddress@" in the MAILFROM
can be tested for, but must have a light weight or only be used in
combination with other tests.  VERP is commonly used by legitimate
mailers so that they can scrub their lists when an email account is
cancelled and they receive bounces, or scrub their list when a
legitimate subscriber reports them as spammers because they're too lazy
to unsubscribe.

6) Not that *I* would do such a thing, but if *one* were to strobe the
/24 netblock that the message came from, you would see definite patterns
in the naming conventions and could certainly predict how the spammer is
going to change his domain names for the next spam runs.

I've put them into my IP blacklist text file.

206.131.224.0/19 matched 206.131.224.0/19 SPEWS OffersCentral, see http://spews.org/html/S1528.html Sep-02-2005

Along with the neighbours which have been there for a long time:

206.128.156.0/24 matched 206.128.156.0/24 SPEWS stubberfield, see http://spews.org/ask.cgi?S359

206.131.243.0/24 matched 206.131.243.0/24 SPEWS elistmarketers, see http://spews.org/ask.cgi?S1710


Andrew 8)


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Friday, September 02, 2005 9:59 AM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Suggestions on catching a spam message?


Hi Everyone,

I just purchased Declude two days ago. I'm running Declude with Message Sniffer on a SmarterMail server. So far, it is working very well.

The approach that I have been trying to take is to, wherever possible, avoid creating a custom filter entry to trap a specific email. Below is an example of a spam email which slipped through this morning. I sanitized the mail headers so any reference to myserver or mydomain or myaddress is where I replaced our details in the headers.

As you can see from the headers, there was very little wrong with this email that would enable us to score it high enough for it to be considered spam.
I tag the subject at a score of 14.

At the bottom of this message is the actual body of the html email.
Obviously I could add a filter entry to look for "agnheqe3.com" and to delete or hold the message. The problem with that approach, in my opinion, is it never ends. If they have 1000 different domains, that means 1000 filter entries. I hate filtering to block a specific email and I would rather block based upon a pattern common to all spam.

I am wondering if you have had any success on trapping emails like the one below? What would you add or change to have caught this message? The only thing I saw, that is common to spam, which I think I could filter on is the "/track?" in the URL. I've seen a lot of spam that triggers various ASP or PHP or other programs in the IMG SRC tag which enables a spammer to verify that the email was opened and read.

What do you think? How can I tighten up my filtering to catch an email such as the one below?

Do you guys forward spam to SpamCop or other places to help with the RBLs?

Thanks!

Dave


Return-Path: <[EMAIL PROTECTED]> Fri Sep 02 07:34:48 2005
Received: from sip.agnheqe3.com [206.131.238.29] by myserver.mydomain.com with SMTP;
   Fri, 2 Sep 2005 07:34:48 -0500
MIME-Version: 1.0
X-Accept-Language: en
X-Priority: Normal
From: Energy Drink <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Nationwide Energy Drink Survey
Date: Fri, 2 Sep 2005 04:08:28 EST
Message-ID: <q8tz5,[EMAIL PROTECTED]>
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8008000e].
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 223, weight 0)
X-Note: ========================================
X-Note: Spam Score:       [6]
X-Note: Scan Time:     07:35:08 on 02 Sep 2005
X-Note: Spool File:     37143703.EML
X-Note: Server Name:     sip.agnheqe3.com
X-Note: SMTP Sender:     [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: sip.agnheqe3.com [206.131.238.29]
X-Note: Recipient(s):    <fwd>[EMAIL PROTECTED]
X-Note: Country Chain:   UNITED STATES->destination
X-Note: Failed Weights: BADHEADERS [8], SPFUNKNOWN [1], Filter_Country [0]
X-Note: ========================================




<html>
<body><br>
<a
href="http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1&m
=6225115&l=0">
<img
src="http://agnheqe3.com/t?m=6225115&l=3"; border=0></a><br><br>
<img src="http://agnheqe3.com/t?m=6225115&l=2"; border=0></a><br><br>
<a href="http://agnheqe3.com/t?m=6225115&l=4";>
<img
src="http://agnheqe3.com/track?e=46UqH66PCSHeq6PD4qbeBnKu6z&m=
6225115&l=1"
border=0></a><br>
<br><br><font color='#ffffff' face='arial,helvetica'
size='1'><5;46UqH66PCSHeq6PD4qbeBnKu6z;6225115></font></body></html>

---
[This E-mail scanned for viruses by Declude Virus]


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
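The thread's advice boils down to combining several weak signals (a CIDR blacklist hit, a VERP-style MAILFROM that embeds the recipient, "/track?" and query-string image URLs, white-on-white text) rather than letting any one of them decide. The script below is an added example of that scoring approach; it is not Declude, Message Sniffer or the list's own code, and it does not use Declude's filter syntax. The blacklist lines are the three Andrew posted. The two messages are constructed samples: the spam is rebuilt from the quoted headers and body with the redacted addresses replaced by placeholders, and its Return-Path is an assumption (a bounce address carrying the recipient in VERP form, as point 5 describes); the newsletter, its domain (newsletter.example) and its IP (192.0.2.10) are invented to show a legitimate VERP sender. Weights and the hold threshold of 14 (the score at which Dave tags the subject) are this example's own choices.

```python
# Added example (not Declude's code): combine weak spam signals into one score.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Blacklist lines in the "<cidr> matched ..." text-file format Andrew quotes;
# only the first token is used for matching.
BLACKLIST_LINES = """\
206.131.224.0/19 matched 206.131.224.0/19 SPEWS OffersCentral, see http://spews.org/html/S1528.html Sep-02-2005
206.128.156.0/24 matched 206.128.156.0/24 SPEWS stubberfield, see http://spews.org/ask.cgi?S359
206.131.243.0/24 matched 206.131.243.0/24 SPEWS elistmarketers, see http://spews.org/ask.cgi?S1710
"""

# Constructed sample built from the quoted spam; redacted addresses replaced by
# placeholders, Return-Path ASSUMED to be VERP-style (recipient embedded).
SPAM_SAMPLE = """\
Return-Path: <bounce-6225115-dave=mydomain.com@agnheqe3.com>
Received: from sip.agnheqe3.com [206.131.238.29] by myserver.mydomain.com with SMTP;
   Fri, 2 Sep 2005 07:34:48 -0500
To: dave@mydomain.com
Content-Type: text/html; charset="ISO-8859-1"

<html><body>
<a href="http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1&m=6225115&l=0">
<img src="http://agnheqe3.com/t?m=6225115&l=3" border=0></a>
<font color='#ffffff' face='arial' size='1'><5;46UqH66PCSHeq6PD4qbeBnKu6z;6225115></font>
</body></html>
"""

# Constructed legitimate newsletter that also uses VERP (placeholder domain/IP).
LEGIT_SAMPLE = """\
Return-Path: <list-bounces+dave=mydomain.com@newsletter.example>
Received: from mx.newsletter.example [192.0.2.10] by myserver.mydomain.com with SMTP;
   Fri, 2 Sep 2005 08:00:00 -0500
To: dave@mydomain.com
Content-Type: text/html; charset="ISO-8859-1"

<html><body><p>This week's digest.</p>
<img src="http://newsletter.example/logo.gif" border=0></body></html>
"""

# Weights and threshold are this example's own; the VERP test stays light.
WEIGHTS = {"ip_blacklist": 10, "mailfrom_encodes_recipient": 2,
           "track_url": 3, "img_with_query": 2, "hidden_text": 3}
HOLD_THRESHOLD = 14  # Dave says he tags the subject at 14


def load_blacklist(text):
    """One CIDR per non-empty line; the first whitespace-separated token."""
    return [ipaddress.ip_network(line.split()[0], strict=False)
            for line in text.splitlines() if line.strip()]


def connecting_ip(msg):
    """Bracketed IPv4 literal from the topmost Received header, or None."""
    for hdr in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        if m:
            return m.group(1)
    return None


def ip_blacklist_hit(ip, nets):
    """First listed network containing ip (a string), else None."""
    if not ip:
        return None
    addr = ipaddress.ip_address(ip)
    return next((net for net in nets if addr in net), None)


def mailfrom_encodes_recipient(return_path, recipient):
    """VERP-style test: recipient localpart or domain is a token of the
    bounce address localpart (the 'myaddress@' / '-mydomain.com' snips)."""
    rp = parseaddr(return_path or "")[1].lower()
    rcpt = parseaddr(recipient or "")[1].lower()
    if "@" not in rp or "@" not in rcpt:
        return False
    tokens = re.split(r"[-=+]", rp.rsplit("@", 1)[0])
    local, domain = rcpt.rsplit("@", 1)
    return local in tokens or domain in tokens


def html_signals(html):
    """'/track?' URLs, image sources with a query string, white-on-white text."""
    hrefs = re.findall(r'href="([^"]+)"', html, re.I)
    srcs = re.findall(r'src="([^"]+)"', html, re.I)
    hidden = re.search(r"""color=['"]?#ffffff['"]?[^>]*>\s*\S""", html, re.I)
    return {"track_url": any("/track?" in u for u in hrefs + srcs),
            "img_with_query": any("?" in u for u in srcs),
            "hidden_text": hidden is not None}


def score_message(raw, nets, weights=WEIGHTS):
    """Return (total, {signal: weight}) for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    hits = {}
    if ip_blacklist_hit(connecting_ip(msg), nets) is not None:
        hits["ip_blacklist"] = weights["ip_blacklist"]
    if mailfrom_encodes_recipient(msg.get("Return-Path"), msg.get("To")):
        hits["mailfrom_encodes_recipient"] = weights["mailfrom_encodes_recipient"]
    for name, present in html_signals(msg.get_payload()).items():
        if present:
            hits[name] = weights[name]
    return sum(hits.values()), hits


if __name__ == "__main__":
    nets = load_blacklist(BLACKLIST_LINES)
    for label, raw in (("spam", SPAM_SAMPLE), ("newsletter", LEGIT_SAMPLE)):
        total, hits = score_message(raw, nets)
        print(label, total, "HOLD" if total >= HOLD_THRESHOLD else "PASS", hits)
```

With these weights the spam scores 20 (every signal fires, and 206.131.238.29 falls inside Andrew's 206.131.224.0/19 entry) while the VERP-using newsletter scores only 2, which is the point of keeping the MAILFROM test light: on its own it never reaches the hold threshold, it only adds up when the body and the netblock agree.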
