Pete,
Will do. I call this spammer Whitestone, but there is another very
prolific spammer that also has the same volume named BlooSky Interactive
(real company name) that is also frequently missed. I'm guessing that
they aren't landing in spam traps to the same degree as some others, or
your rules trail far enough behind that their constant supply of domains
and IPs is avoiding detection early on in campaigns.
I have a personal account that is hardly used which gets hit by both.
This account is sent around 350 spams per day, probably around 50 to 75
of which come from the two named above. The problem with Whitestone is
that they recently started changing their construction. Here is the
former linking pattern which you will probably recognize:
http://igw197.adtranslate.com/25_2_6966868_7B3431155618.htm
http://fy238.employedreas.com/934_2_338710_649866459330.htm
http://hbo5.personnelcha.com/32_2_7700225_5D5C3538530.htm
The new linking pattern is like so:
http://mail.latrecultradatabase.net/5767cb88bdaeba8b31221108277c5693307034
http://mail.eqxosuperiorweb.net/4656ba77ac9da9c7314012dd52c007874f85f5
http://mail.eqxoexpertsolutions.net/5767cb88bdaeba6d313518f54ac7ba8f750287
I believe they may actually have two different header patterns now, one
randomized, and the other one with that NextPart boundary, though I
can't say for sure if they are the same spammer or not.
BlooSky Interactive has the following linking pattern (though it is
obfuscated and therefore not reliable to track):
http://bnqjy.fumblingmetal.info/pfjc/jnmqn/fjr/
http://smhg.thelincolnfield.com/yhdmy/nywcvpchyt/
http://dmyjyo.jollyevent.info/fjrhz/mqstjr/
Matt
On 7/23/2010 3:05 PM, Pete McNeil wrote:
> On 7/23/2010 2:29 PM, Matt wrote:
>> This spammer accounts for about 7% of all E-mail that makes it to my
>> deep scanning layer. Sniffer seems to miss a good deal of their
>> spam, so there isn't much protection from it otherwise.
> Matt -- Is it possible for you to zip up some samples from this guy
> and send them to me? I would like to do a deeper analysis of the
> things we've missed from them to see how we can improve our capture
> rate and understand how the normal process might be improved.
> Thanks!
> _M
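As an added illustration, not part of Matt's or Pete's messages and not a Sniffer or Declude rule: a small Python classifier that encodes the three link shapes quoted in the thread as host and path regexes and tallies them per message body. The regexes, the TLD restrictions, the hex-length bound, the BlooSky threshold and the sample bodies are all assumptions drawn from the handful of links above. What it shows is why the two Whitestone shapes are specific enough to act on alone, while the BlooSky shape, as Matt notes, is too generic to track by itself: a perfectly ordinary link matches it.

```python
import re
from urllib.parse import urlsplit

# Host/path shapes inferred from the sample links quoted in the thread.
# These are assumptions about the spammers' URL generators, written for this
# example; they are not rules from Sniffer or Declude.
WHITESTONE_OLD_HOST = re.compile(r"^[a-z]{2,4}\d{1,3}\.[a-z]+\.com$")
WHITESTONE_OLD_PATH = re.compile(r"^/\d+_\d+_\d+_[0-9A-F]+\.htm$")
WHITESTONE_NEW_HOST = re.compile(r"^mail\.[a-z]+\.net$")
WHITESTONE_NEW_PATH = re.compile(r"^/[0-9a-f]{32,40}$")
# BlooSky's links are random lowercase tokens; the shape is shared with many
# legitimate sites, so it is only a weak signal (see verdict() below).
BLOOSKY_HOST = re.compile(r"^[a-z]{4,6}\.[a-z]+\.(?:info|com)$")
BLOOSKY_PATH = re.compile(r"^(?:/[a-z]{3,10}){2,3}/$")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_url(url):
    """Return a campaign label for one URL, or None if nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    if WHITESTONE_OLD_HOST.match(host) and WHITESTONE_OLD_PATH.match(path):
        return "whitestone-old"
    if WHITESTONE_NEW_HOST.match(host) and WHITESTONE_NEW_PATH.match(path):
        return "whitestone-new"
    if BLOOSKY_HOST.match(host) and BLOOSKY_PATH.match(path):
        return "bloosky-shape"
    return None


def scan_body(body):
    """Extract every http(s) link from a message body and tally the labels.

    Returns (labels_in_order, counts): the list is useful for logging what
    matched, the dict for deciding on a verdict.
    """
    labels = [classify_url(u) for u in URL_RE.findall(body)]
    counts = {}
    for label in labels:
        if label is not None:
            counts[label] = counts.get(label, 0) + 1
    return labels, counts


def verdict(body):
    """Only the two Whitestone shapes are specific enough to act on alone."""
    _, counts = scan_body(body)
    if counts.get("whitestone-old") or counts.get("whitestone-new"):
        return "whitestone"
    # A single BlooSky-shaped link is too generic (assumed threshold: require
    # two or more, and even then treat it as a weight, not a block).
    if counts.get("bloosky-shape", 0) >= 2:
        return "bloosky-suspect"
    return "unknown"


# Constructed sample bodies built around the link shapes from the thread.
SAMPLE_OLD = "see http://igw197.adtranslate.com/25_2_6966868_7B3431155618.htm now"
SAMPLE_NEW = ("<a href=\"http://mail.eqxosuperiorweb.net/"
              "4656ba77ac9da9c7314012dd52c007874f85f5\">click</a>")
SAMPLE_BLOO = ("http://bnqjy.fumblingmetal.info/pfjc/jnmqn/fjr/ and "
               "http://dmyjyo.jollyevent.info/fjrhz/mqstjr/")
# A legitimate-looking link with the same shape, showing the false-positive risk.
SAMPLE_LEGIT = "http://news.example.com/about/team/"

if __name__ == "__main__":
    for body in (SAMPLE_OLD, SAMPLE_NEW, SAMPLE_BLOO, SAMPLE_LEGIT):
        print(verdict(body), scan_body(body)[0])
```

In practice the Whitestone regexes would be fed into whatever rule layer sits in front of deep scanning, while the BlooSky shape is only worth a score contribution, and all three need re-checking whenever the spammer changes construction, as the thread says Whitestone just did.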
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.