Flavour of the day:

Relevant bits of the header:

Received: from payoff.all-debt-forever.com [173.192.161.27]

Subject: Stay on top of your credit report
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline


Header has DKIM.

Network allocation is: 173.192.161.16/28 to pikinetworks

From the header you can see that the body will be plain text, not HTML.

The payload link has 37 characters 0-9 and a-z:

http://payoff.all-debt-forever.com/02138174505792882531178a7d79a040f797d

The unsubscribe link has 33 characters 0-9 and a-z:

http://payoff.all-debt-forever.com/78a7d79a040f797d40213817450579288



Andrew 8)


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Pete McNeil
Sent: Friday, July 23, 2010 6:40 PM
To: [email protected]
Subject: Re: [Declude.JunkMail] Regex to block this?


On 7/23/2010 9:19 PM, Matt wrote:
> I guess my point here is that they are both very high volume spammers,
> and they both randomize sufficiently so that blocking them requires
> blocking their domains and having the samples available, but putting
> in proactive rules will only last a short time.  What Sniffer may need
> is a better source of this spam.  Between the two, I believe I am
> getting about 15,000 each day.

Better sources are always good -- the sooner we see it the faster we can
code solutions.

As it turns out all of the samples provided had current rules in place 
based on our standard vectors... so we are capturing these. My guess is 
that you're right and the timing of these attacks is important.

That said, I was able to find some structural vectors for the first 
group -- I've set up some abstracts based on those vectors and I'm 
waiting to see what the capture rates will be... If this approach is 
successful we should be able to preemptively defeat some of the next few 
campaigns. Then I will apply the same types of mechanisms to the other 
groups and see if we can generate some internal methodologies to evolve 
structural abstracts for these as we see new variants based on the 
successful models we've generated.

_M

-- 
President
MicroNeil Research Corporation
www.microneil.com

---
[This E-mail scanned for viruses by Declude]



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [email protected], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
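
A structural check built from the two link shapes noted in the message above, as an added example that is not part of the original thread and is not Declude or Sniffer rule syntax. It flags a body in which one host carries two single-token links of the reported lengths that share a long run of characters; the 16-character threshold is an assumption taken from comparing the two sample URLs, and the body text around them is constructed.

```python
import re
from urllib.parse import urlsplit

TOKEN_LENGTHS = {33, 37}  # token lengths reported in the message above
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[0-9a-z]+")  # "0-9 and a-z", as the message describes

# Constructed body text; only the two URLs come from the message.
SAMPLE_BODY = """Check your score today:
http://payoff.all-debt-forever.com/02138174505792882531178a7d79a040f797d
To stop receiving these:
http://payoff.all-debt-forever.com/78a7d79a040f797d40213817450579288
"""
BENIGN_BODY = "Minutes are at http://example.org/docs/2010/minutes.html for review."

def token_links(body):
    """(host, token) for each URL whose entire path is one token of a listed length."""
    hits = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url.rstrip(".,)"))
        token = parts.path[1:]  # drop the leading "/"
        if not parts.query and len(token) in TOKEN_LENGTHS and TOKEN_RE.fullmatch(token):
            hits.append((parts.hostname, token))
    return hits

def shared_run(a, b):
    """Length of the longest substring common to a and b (dynamic programming)."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else 0)
            best = max(best, cur[j])
        prev = cur
    return best

def matches_structure(body, min_shared=16):  # 16 is an assumption from the two samples
    """True when one host has two different-length tokens sharing a long run."""
    by_host = {}
    for host, token in token_links(body):
        by_host.setdefault(host, []).append(token)
    return any(
        len(a) != len(b) and shared_run(a, b) >= min_shared
        for tokens in by_host.values()
        for i, a in enumerate(tokens)
        for b in tokens[i + 1:]
    )
```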
