On 06/11/2014 01:51 PM, Angus McIntyre wrote:
On Jun 11, 2014, at 9:43 AM, Gary Gendel wrote:
In the last month, I've seen a large increase in spam that breezes through
spamdyke and spamassassin. These are html only emails mainly for jobs from the
big web companies (Google, Facebook, etc.). The html is biased with bayes
poisoning keywords.
These aren't _actually_ job offers from Google and Facebook. If you followed the links (which I
don't necessarily, advise, because the spammers 'tag' the links so they can see who looked at the
message) you'd find that they redirect to syndicated marketing links promoting scammy
"work-at-home" make-money-fast schemes. I think the only connection with Google or
Facebook is that these fake jobs are somehow "on the Internet".
The links point to a page with a number of unrelated links via a tracker. I
assume they are trying to get click-through cash.
Yep.
Anyone else see this kind of problem? If so, what are you doing about it?
I wrote about the difficulty of blocking these in another thread on 'spamdyke-users' with
the subject "Fwd; Search for High Speed Internet options near you" (someone
else posted a sample of a similar spam).
Basically, because the senders change domain names, IP addresses, 'From' lines,
'Subject' lines, and even URL formats continuously, and because the messages
contain hashbuster text, they're extremely difficult to block reliably. They're
pretty much the state-of-the-art when it comes to randomizing every possible
element that could be used as the basis for filtering.
I don't know if this helps, but I'm seeing that some come from sites without a
compliant dns setup. For example:
162.210.198.19 -> hosted-by.EqServers.com
hosted-by.EqServers.com -> 65.60.49.189
Would spamdyke's rDNS tests help here? In my experience, these particular
spammers usually have their DNS properly set up -- they're posting from rented
servers hosted by a variety of hosting companies, rather than botnet PCs -- so
they don't usually get turned away by Spamdyke's rDNS checks.
I think Bayesians may work on them, despite the presence of hashbuster text: most of them
that I see trigger SpamAssassin's BAYES_99 rule, and in my tests with CRM-114 I can
usually get CRM-114 to say "Oh yeah, it's one of those." However, BAYES_99
defaults to a score of 3.5, which may not be enough on its own to take the message over
the threshold to be tagged as spam.
Now that you're starting to see these, you're going to get more and more. They
have ramped up their sending volume enormously over time, and are sending more
and more in an attempt to brute-force their way through.
Angus
Good points.
Personally, I've adjusted my SA scoring to weigh bayes heaver. FWIW,
this is what I use:
score BAYES_00 0 0 -2.612 -2.899
score BAYES_05 0 0 -1.110 -1.110
score BAYES_20 0 0 -0.740 -0.740
score BAYES_40 0 0 -0.185 -0.185
score BAYES_50 0 0 0.001 0.001
score BAYES_60 0 0 1.5 1.5
score BAYES_80 0 0 3.0 3.0
score BAYES_95 0 0 4.0 4.0
score BAYES_99 0 0 5.1 5.1
I also use:
required_score 3.7
Personally, I haven't noticed this problem.
--
-Eric 'shubes'
___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users