RE: new type of email spam
Sounds great, thx!

__
Anton Krall
Intruder Consulting
A Division of IntruderEnterprises S.A. de C.V.
www.intruder.com.mx
Email: [EMAIL PROTECTED]
Tel. 5781-5112 ext. 201
FWD Number: 613602
Messenger: [EMAIL PROTECTED]

From: Chris Santerre [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 28, 2006 3:30 PM
To: 'Ronald I. Nutter'; Anton Krall; users@spamassassin.apache.org
Subject: RE: new type of email spam

I seem to stop a ton of them. I'll post what rules are hitting when the next one comes in. Sorry, I just finished clearing thru today's fresh catches and then read this thread :)

-Chris

> -Original Message-
> From: Ronald I. Nutter [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 28, 2006 7:59 AM
> To: Anton Krall; users@spamassassin.apache.org
> Subject: RE: new type of email spam
>
> I haven't had any luck so far. The gif content name used is never the
> same in any of the messages I have been getting.
>
> Ron
>
> Ron Nutter [EMAIL PROTECTED]
> Network Infrastructure & Security Manager
> Information Technology Services (502)863-7002
> Georgetown College
> Georgetown, KY 40324-1696
>
> -Original Message-
> From: Anton Krall [mailto:[EMAIL PROTECTED]] On Behalf Of Anton Krall
> Sent: Friday, April 28, 2006 12:36 AM
> To: users@spamassassin.apache.org
> Subject: new type of email spam
>
> Guys, today I got a flow of new type of spam, this new email has some
> sort of gif or image inside that contains like a letter or some
> letters... Has anybody seen this and know how to block it?
RE: new type of email spam
> -Original Message-
> From: Anton Krall [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 28, 2006 12:36 AM
> To: users@spamassassin.apache.org
> Subject: new type of email spam
>
> Guys, today I got a flow of new type of spam, this new email has some sort
> of gif or image inside that contains like a letter or some letters...
> Has anybody seen this and know how to block it?

Well I got the ones that were caught over the weekend. All stock spams that were gif images only. All Caught. Attached are the rules that hit. Any rule that starts with "MY" is something I've written for here. And may or may not have been converted to a SARE rule.

HTH,

Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.0.385 / Virus Database: 268.5.1/327 - Release Date: 4/28/2006

X-Spam-Status: Yes, score=10.9 required=5.0 tests=EXTRA_MPART_TYPE,
    FROM_HAS_MIXED_NUMS,HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,
    MPART_ALT_DIFF,MY_ALT,MY_NO_QU,MY_PHRS_LOW,RCVD_IN_NJABL_DUL,
    SARE_FWDLOOK,SARE_RECV_IP_218080 autolearn=disabled version=3.0.0

X-Spam-Status: Yes, score=7.3 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
    HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
    MY_ALT,MY_NO_QU,MY_TO_SALES,RCVD_IN_NJABL_DUL autolearn=disabled

X-Spam-Status: Yes, score=7.6 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
    HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
    MY_ALT,MY_DSL,RCVD_IN_NJABL_DUL autolearn=disabled

X-Spam-Status: Yes, score=8.6 required=5.0 tests=EXTRA_MPART_TYPE,
    HELO_DYNAMIC_IPADDR,HTML_90_100,HTML_IMAGE_ONLY_04,HTML_MESSAGE,
    MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT autolearn=disabled
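Added example (not part of the original post, and not SpamAssassin's own code): a short Python script that parses the four X-Spam-Status headers quoted in the message above and reports which rules fired on every sample, independent of the changing GIF filename. The function names are hypothetical; the header values are copied from the message.

```python
import re
from collections import Counter

# The four X-Spam-Status values quoted in the message above (folded lines kept as posted).
HEADERS = [
    "Yes, score=10.9 required=5.0 tests=EXTRA_MPART_TYPE, FROM_HAS_MIXED_NUMS,HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY, MPART_ALT_DIFF,MY_ALT,MY_NO_QU,MY_PHRS_LOW,RCVD_IN_NJABL_DUL, SARE_FWDLOOK,SARE_RECV_IP_218080 autolearn=disabled version=3.0.0",
    "Yes, score=7.3 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100, HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF, MY_ALT,MY_NO_QU,MY_TO_SALES,RCVD_IN_NJABL_DUL autolearn=disabled",
    "Yes, score=7.6 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100, HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF, MY_ALT,MY_DSL,RCVD_IN_NJABL_DUL autolearn=disabled",
    "Yes, score=8.6 required=5.0 tests=EXTRA_MPART_TYPE, HELO_DYNAMIC_IPADDR,HTML_90_100,HTML_IMAGE_ONLY_04,HTML_MESSAGE, MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT autolearn=disabled",
]

def parse_status(value):
    """Return (score, required, [rule names]) from one X-Spam-Status value."""
    value = re.sub(r"\s+", " ", value.strip())  # unfold header continuation lines
    score = float(re.search(r"\bscore=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", value).group(1))
    # tests= runs until the next key=value field (autolearn=, version=) or the end
    tests = re.search(r"\btests=(.*?)(?=\s+\w+=|$)", value).group(1)
    return score, required, [r.strip() for r in tests.split(",") if r.strip()]

def family(rule):
    """Treat the numbered HTML_IMAGE_ONLY_nn variants as one rule family."""
    return re.sub(r"^(HTML_IMAGE_ONLY)_\d+$", r"\1", rule)

def rule_counts(headers):
    """Count, per rule family, how many of the messages it fired on."""
    counts = Counter()
    for h in headers:
        counts.update({family(r) for r in parse_status(h)[2]})
    return counts

def rules_in_every_message(headers):
    """Rule families that hit on all samples: the stable signal for this spam run."""
    counts = rule_counts(headers)
    return sorted(r for r, n in counts.items() if n == len(headers))

if __name__ == "__main__":
    for h in HEADERS:
        score, required, rules = parse_status(h)
        print(f"score={score} required={required} rules={len(rules)}")
    print("fired on every sample:", ", ".join(rules_in_every_message(HEADERS)))
    partial = {r: n for r, n in rule_counts(HEADERS).items() if 1 < n < len(HEADERS)}
    print("fired on some samples:", partial)
```

The rules common to all four samples are the MIME and HTML structure tests plus the local MY_ALT rule, none of which depend on the attachment name.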
RE: new type of email spam
I seem to stop a ton of them. I'll post what rules are hitting when the next one comes in. Sorry, I just finished clearing thru today's fresh catches and then read this thread :)

-Chris

> -Original Message-
> From: Ronald I. Nutter [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 28, 2006 7:59 AM
> To: Anton Krall; users@spamassassin.apache.org
> Subject: RE: new type of email spam
>
> I haven't had any luck so far. The gif content name used is never the
> same in any of the messages I have been getting.
>
> Ron
>
> Ron Nutter [EMAIL PROTECTED]
> Network Infrastructure & Security Manager
> Information Technology Services (502)863-7002
> Georgetown College
> Georgetown, KY 40324-1696
>
> -Original Message-
> From: Anton Krall [mailto:[EMAIL PROTECTED]] On Behalf Of Anton Krall
> Sent: Friday, April 28, 2006 12:36 AM
> To: users@spamassassin.apache.org
> Subject: new type of email spam
>
> Guys, today I got a flow of new type of spam, this new email has some
> sort of gif or image inside that contains like a letter or some
> letters... Has anybody seen this and know how to block it?
RE: new type of email spam
I'll try that, thx Matt

|-Original Message-
|From: Matt Kettler [mailto:[EMAIL PROTECTED]]
|Sent: Thursday, April 27, 2006 11:44 PM
|To: Anton Krall
|Cc: users@spamassassin.apache.org
|Subject: Re: new type of email spam
|
|Anton Krall wrote:
|> Guys, today I got a flow of new type of spam, this new email has some
|> sort of gif or image inside that contains like a letter or some letters...
|> Has anybody seen this and know how to block it?
|
|I've seen two variants of this. One doing stock pump-and-dump
|scams, one doing 419 scams.
|
|Both seem to be fairly well covered by using Razor at my site.
|
|The SARE stocks ruleset also helps, as it has some rules
|looking for filename patterns of the stock ones.
RE: new type of email spam
I haven't had any luck so far. The gif content name used is never the same in any of the messages I have been getting.

Ron

Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696

-Original Message-
From: Anton Krall [mailto:[EMAIL PROTECTED]] On Behalf Of Anton Krall
Sent: Friday, April 28, 2006 12:36 AM
To: users@spamassassin.apache.org
Subject: new type of email spam

Guys, today I got a flow of new type of spam, this new email has some sort of gif or image inside that contains like a letter or some letters... Has anybody seen this and know how to block it?
Re: new type of email spam
Anton Krall wrote:
> Guys, today I got a flow of new type of spam, this new email has some sort
> of gif or image inside that contains like a letter or some letters...
> Has anybody seen this and know how to block it?

I've seen two variants of this. One doing stock pump-and-dump scams, one doing 419 scams.

Both seem to be fairly well covered by using Razor at my site.

The SARE stocks ruleset also helps, as it has some rules looking for filename patterns of the stock ones.