RE: New method of spamming

2007-03-26 Thread Larry Ludwig
OK, so I'm confused about how SA could catch this.
 
URIBL or Razor isn't catching these because of how quickly they are going
out (sure, a few days/hours later running SA against the email will catch
it), but that isn't the point.
 
My question is: how can SA check the previous mail relay from specific
sources (i.e. Yahoo, Hotmail and a few other free webmail providers)?
Obviously you don't want to do this for every incoming email because of
forged Received: headers, only from specific sources.

I think a new SA rule needs to be created... just not sure how to approach
it.
 
Thanks.
 
-L
 
--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Have you visited our customer service blog?
http://www.supportem.com/blog/
 






RE: New method of spamming

2007-03-26 Thread Chris Santerre

> 
> I think that an SA plugin which resolves URIs would be enough: I received
> some of these spams, every one containing a URI pointing to the very same web

No direct plugin, but URIBL will catch most of these fairly quickly. It's not
a new tactic, but has recently picked up on the spam runs. Throwaway domain
names are on the rise this month. 


> host (124.0.208.235). Also, the DNS server is:
> 
>   a) defined with two different names, but only one (again 124.0.208.235);
> 
>   b) the same as the web host in your case (in mine, it was a different one).

Pretty common. The whois info seems to match a pattern as well. 

> 
> By "black-listing" URI's host IPs, one could easily score high this kind of
> e-mail. Maybe there is also some RBL regarding web hosts, by the way. Is
> there?
> 
> Such a plugin doesn't yet exist, anyway (or, at least, I don't know about
> it).

Again, no direct plugin for host IPs. You have to use URIBL and SURBL
lookups. But the time from initial spam run to being listed is pretty quick.
The IP you listed has been watched for over a month now. ;) 

Thanks,

Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com
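
The idea raised in the quoted message (scoring a mail by the IP its URI hosts resolve to), sketched as an added example that is not part of the original thread and is not SpamAssassin code. The function names, the `dnsbl.example` zone, the point value and the sample hosts and IPs are all constructed for illustration; the two lookups are injected so the check runs offline.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def uri_hosts(body):
    """Return the distinct host names of http(s) URIs in a message body."""
    hosts = []
    for uri in URI_RE.findall(body):
        try:
            host = urlsplit(uri).hostname
        except ValueError:          # malformed URI: skip it
            continue
        host = (host or "").rstrip(".")
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def score_message(body, resolve_a, dnsbl_listed, zone, points=3.0):
    """Resolve each URI host; add points once per distinct listed IP.

    resolve_a(host) -> list of IPv4 strings; dnsbl_listed(name) -> bool.
    Counting per IP means many throwaway domains on one web host hit once.
    """
    hits, seen = [], set()
    for host in uri_hosts(body):
        for ip in resolve_a(host):
            if ip in seen:
                continue
            seen.add(ip)
            if dnsbl_listed(dnsbl_name(ip, zone)):
                hits.append((host, ip))
    return points * len(hits), hits

# Constructed sample data: two throwaway domains on the same web host.
SAMPLE_BODY = ("Cheap meds: http://pills-one.example/buy and HTTP://Pills-Two.example/x\n"
               "Unsubscribe at https://www.example.org/u?id=1\n")
SAMPLE_A = {"pills-one.example": ["192.0.2.35"],
            "pills-two.example": ["192.0.2.35"],
            "www.example.org": ["198.51.100.7"]}
SAMPLE_ZONE = {"35.2.0.192.dnsbl.example"}   # names the constructed list answers for

def demo():
    return score_message(SAMPLE_BODY, lambda h: SAMPLE_A.get(h, []),
                         lambda name: name in SAMPLE_ZONE, "dnsbl.example")
```
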