Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you
I haven't seen this sort of thing in quite some time (thankfully). Have you sent them through sa-learn so bayes can detect them?

-- 
-Eric 'shubes'

On 06/03/2014 09:53 AM, David wrote:
> That's where I was headed with this one.. UGH! How annoying. We need a honeypot approach for these guys and then tarpit them into a blackhole. I will post a resolve on this once I try a few things.
>
> thanks
> Dave
___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you
That's where I was headed with this one.. UGH! How annoying. We need a honeypot approach for these guys and then tarpit them into a blackhole. I will post a resolve on this once I try a few things.

thanks
Dave
Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you
On Jun 3, 2014, at 11:25 AM, David wrote:
> How in the world do I stop these annoying emails.
> according to the headers they change the
> From:
> Subject:
> and the domains and ips change as well.

It looks like an affiliate spammer. They typically rent a block of IP addresses from one or more hosting providers, then start pumping out spam with syndicated marketing links in it, and get paid when suckers click on the links.

I don't recognize this particular one's style, but the bad news is that they tend to be really hard to filter. As you've found out, they constantly change domain names (they probably use domain-kiting to ensure that they never have to pay for names), they constantly change IPs (so-called snowshoe spamming, aided by compliant ISPs), they use hashbuster text in their messages to get past or poison statistical filters, and they constantly change their subjects, From: lines, and in some cases even their URL formats.

Unfortunately, Spamdyke isn't a lot of help against these guys. They are actually delivering from real mailservers (as opposed to botnet PCs), so graylisting won't help. They generally have their DNS set up correctly, so rDNS checks won't reject them. They change names and IPs so fast that RBLs struggle to keep up. They are among the hardest spammers to block.

I suggest that you collect samples of the spam that you're receiving and then analyze them. It's possible that you may be able to identify a small number of IP blocks used by the spammer and block those, although they change IPs and hosting services continually to avoid that. A more productive approach may be to try to identify patterns in the URLs that they use and write a SpamAssassin rule to recognize them. The URL in the sample you sent is very long and complex, which means that you have quite a good chance of writing a regex that would recognize their spams but wouldn't generate false positives on legitimate emails.
Angus
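Angus's suggestion of a SpamAssassin rule keyed on the structure of the tracking URL, worked through as an added example that is not part of the thread and not code from SpamAssassin or spamdyke. The sample David sent is not reproduced on the page, so the two messages, the domain names and the URL shape below are constructed stand-ins; the thresholds (four id-like path segments, five query parameters) and the rule name LOCAL_AFFILIATE_TRACKER_URI are assumptions to tune against your own samples. The regex is kept to a syntax subset shared by Python's re and Perl, with slashes escaped, so the identical text is emitted as a uri rule for local.cf, and the ham message is the false-positive check Angus warns about.

```python
"""Prototype a URL-shape rule for affiliate spam against constructed samples.

Added example for this thread; not code from SpamAssassin or spamdyke.
The messages, domains and URLs below are constructed, not the sample from
the list, and the thresholds are assumptions to tune on a real corpus.
"""
import re
from email import message_from_string

# Constructed spam: a redirector URL made of short id-like path segments
# followed by a long tracking query string (the shape, not the real sample).
SPAM_MSG = """\
From: "Internet Offers" <news@fast-offers-0421.invalid>
To: dave@example.org
Subject: Search for High Speed Internet options near you
Content-Type: text/plain; charset=us-ascii

Find providers in your area today.
http://go.fast-offers-0421.invalid/r/a7f3c2e9/c/9921/s/1044/u/5f2d8b1c?sid=8813&cid=4420&aff=77612&sub1=hsint&sub2=dave&t=b1f0c3a9d8e7
Unsubscribe: http://go.fast-offers-0421.invalid/u/5f2d8b1c
"""

# Constructed legitimate mail with ordinary, moderately deep URLs: the
# false-positive check. Its first URL has four path segments too, so the
# query-parameter count is what keeps it clean.
HAM_MSG = """\
From: Alice <alice@example.com>
To: dave@example.org
Subject: project docs
Content-Type: text/plain; charset=us-ascii

Build notes: https://docs.example.com/projects/1234/builds/5678?tab=logs&page=2
Tracker: https://issues.example.com/browse/PROJ-42
"""

# Thresholds (assumptions): at least 4 id-like path segments and at least
# 5 query parameters. Slashes are escaped and no Python-only syntax is
# used so the same text compiles inside a Perl /.../i regex.
AFFILIATE_URI_PATTERN = (
    r"^https?:\/\/[^\/\s]+"                 # scheme and host
    r"(?:\/[0-9a-z]{1,12}){4,}"             # /r/a7f3c2e9/c/9921/... style path
    r"\?(?:[a-z0-9_]{1,16}=[^&\s]*&){4,}"   # 4 or more key=value& pairs ...
    r"[a-z0-9_]{1,16}=[^&\s]*"              # ... plus a final one: 5+ params
)
AFFILIATE_URI_RE = re.compile(AFFILIATE_URI_PATTERN, re.IGNORECASE)

# Crude URL extractor for plain-text bodies; SpamAssassin's own URI
# extraction also walks HTML hrefs, which this example does not.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(raw_message: str) -> list[str]:
    """Return every http(s) URL found in the message body."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode("ascii", "replace")
    return URL_RE.findall(body)


def matching_urls(raw_message: str) -> list[str]:
    """URLs in the message that fit the affiliate-tracker shape."""
    return [u for u in extract_urls(raw_message) if AFFILIATE_URI_RE.match(u)]


def is_affiliate_spam(raw_message: str) -> bool:
    """True when at least one body URL matches the tracker pattern."""
    return bool(matching_urls(raw_message))


def spamassassin_rule(name: str = "LOCAL_AFFILIATE_TRACKER_URI",
                      score: float = 3.0) -> str:
    """Render the same regex as a 'uri' rule for local.cf (name is hypothetical)."""
    return (
        f"uri {name} /{AFFILIATE_URI_PATTERN}/i\n"
        f"describe {name} Long affiliate-style tracking URL\n"
        f"score {name} {score:.1f}\n"
    )


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_MSG), ("ham", HAM_MSG)):
        print(f"{label}: hits={matching_urls(raw)}")
    print(spamassassin_rule(), end="")
```

Before giving the rendered rule a real score, run the same check over a corpus of your own legitimate mail (the ham side of what you feed sa-learn is a convenient source) and raise the thresholds until it stays silent there; a uri rule in SpamAssassin is applied to every URI it extracts from the body, including HTML hrefs, so the rule will see more URLs in production than this plain-text extractor does.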