Spammers know how to vary their headers, some more than others, and it
appears that they are also using the signature merely to take advantage
of Bayesian filtering weaknesses.  As a Declude user, if you had no
issues before this campaign, you probably will continue to have no
issues, and if you had issues before, you will still have them.  Surely
whatever you see as repeating will surely change in a matter of hours or
days.  The only reason why this made news is because someone mistakenly
suggested that the messages were coming from Androids when in fact they
are not.

     Google says spam emails not coming from Android botnets
http://www.networkworld.com/news/2012/070512-spammers-have-started-using-android-260693.html?hpg1=bn

Move on, there's nothing to see here
(http://www.youtube.com/watch?v=5NNOrp_83RU).

Matt



On 7/6/2012 1:55 PM, John Dobbin wrote:
>
> After review of my samples, the message ID is not consistent so it
> would be a poor criterion.  I’ve added a body filter to add weight for
> the yahoo via android text at the end of each message, but not enough
> to block by itself and let the rest of the rules add weight to
> quarantine.  This seems to be working well enough at the moment.
> Andrew’s assessment questioning the author of the article appears to
> be dead on.
>
> Thanks
>
> John Dobbin
> Pen Publishing Interactive - http://www.penpublishing.com
>
>
> *From:* David Barker [mailto:dbar...@declude.com]
> *Sent:* Friday, July 06, 2012 11:51 AM
> *To:* Declude.JunkMail@declude.com
> *Subject:* RE: [Declude.JunkMail] Android Yahoo Mail app spam
>
> To clarify, the message ID is always exactly the same or is similar too?
>
> Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>
>
> *From:* John Dobbin [mailto:jo...@penpublishing.com]
> *Sent:* Thursday, July 05, 2012 4:28 PM
> *To:* Declude.JunkMail@declude.com
> *Subject:* [Declude.JunkMail] Android Yahoo Mail app spam
>
> http://www.networkworld.com/community/blog/android-botnet-army-spouting-spam-yahoo-mail-app?source=NWWNLE_nlt_daily_pm_2012-07-05
>
> The spam messages share two similarities, Zink, who discovered the
> botnet, explained in a blog post
> <http://blogs.msdn.com/b/tzink/archive/2012/07/03/spam-from-an-android-botnet.aspx>.
> First, each message closes with the signature "*Sent from Yahoo! Mail
> on Android."* Secondly, they all share a message ID that reads:
>
> Message-ID: <1341147286.19774.androidmob...@web140302.mail.bf1.yahoo.com>
>
> Is there a preferred way to look for the message header?  This way,
> these can be scored high enough to delete.  We’re seeing large amounts
> of these the last week.
>
> Thanks
>
> John Dobbin
> Pen Publishing Interactive - http://www.penpublishing.com
>
>
>
> --- This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to imail...@declude.com
> <mailto:imail...@declude.com>, and type "unsubscribe
> Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
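
The weighting approach described in the thread (the signature adds weight but cannot quarantine alone, and an exact Message-ID match misses varied IDs), as an added example that is not part of the original messages and is not Declude filter syntax. The weights, threshold, the two extra rules and every sample message are constructed assumptions.

```python
import re
from email import message_from_string

QUARANTINE_AT = 10  # assumed threshold, not a Declude default
SIGNATURE = re.compile(r"sent from yahoo!\s+mail on android\.?\s*\Z", re.I)
BARE_URL = re.compile(r"\Ahttps?://\S+", re.I)
# Constructed Message-ID standing in for the single ID quoted in the article.
KNOWN_ID = "<1000000001.11111.constructed@web000001.mail.example.invalid>"

def body(msg):
    return msg.get_payload().strip()

# (name, weight, test). Only ANDROID_SIG and EXACT_MSGID come from the thread;
# the other two are hypothetical stand-ins for "the rest of the rules".
RULES = [
    ("ANDROID_SIG", 4, lambda m: bool(SIGNATURE.search(body(m)))),
    ("EXACT_MSGID", 10, lambda m: m.get("Message-ID", "").strip() == KNOWN_ID),
    ("URL_LED_SHORT_BODY", 4,
     lambda m: bool(BARE_URL.match(body(m))) and len(body(m).split()) <= 8),
    ("NO_SUBJECT", 3, lambda m: not m.get("Subject", "").strip()),
]

def score(raw):
    """Return (total weight, names of rules that fired, quarantine decision)."""
    msg = message_from_string(raw)
    fired = [(name, w) for name, w, test in RULES if test(msg)]
    total = sum(w for _, w in fired)
    return total, [name for name, _ in fired], total >= QUARANTINE_AT

def make(msgid, subject, text):
    """Build a minimal constructed RFC 5322 message for the demo."""
    headers = [f"Message-ID: {msgid}"] + ([f"Subject: {subject}"] if subject else [])
    return "\n".join(headers) + "\n\n" + text + "\n"

SIG = "Sent from Yahoo! Mail on Android"
SAMPLES = {  # all constructed
    "spam_same_id": make(KNOWN_ID, "", f"http://example.invalid/a\n\n{SIG}"),
    "spam_new_id": make("<1000000999.22222.constructed@web000002.mail.example.invalid>",
                        "", f"http://example.invalid/b\n\n{SIG}"),
    "legit_phone": make("<1000000555.33333.constructed@web000003.mail.example.invalid>",
                        "Running late", f"Stuck in traffic, there by 6.\n\n{SIG}"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score(raw))
```

The second sample is still quarantined without the exact Message-ID rule firing, while the legitimate phone message carrying the same signature stays well under the threshold.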



