{Spam?} RE: Latest spammers' trick - email address in body instead of url
There's more of this stuff out today, with the addy [EMAIL PROTECTED] My current list email addresses used in this sort of spam is [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] The rule to catch these is trivial. Cheers, Phil Phil Randal Network Engineer Herefordshire Council Hereford, UK -Original Message- From: Randal, Phil Sent: 10 March 2006 17:13 To: users@spamassassin.apache.org Subject: RE: Latest spammers' trick - email address in body instead of url I think email addresses should be scored differently from urls. Clicking on an email address isn't going to take you to a site which auto-installs all manner of malware on your PC. But these spams are still a nuisance - especially to us thankless admins who get enormous amounts of hassle from our end-users and management everytime spam slips through with a very low spamassassin score. Cheers, Phil Phil Randal Network Engineer Herefordshire Council Hereford, UK -Original Message- From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] Sent: 10 March 2006 15:47 To: Matt Kettler Cc: Randal, Phil; users@spamassassin.apache.org Subject: Re: Latest spammers' trick - email address in body instead of url On 10/03/06 10:26 AM, Matt Kettler wrote: Randal, Phil wrote: Hi folks, We're seeing increasing amounts of spam coming in which the email's body contains seemingly innocuous (but obviously irrelevant) text plus an email address for more information. With no urls in the message, uribls are useless... Currently we've had spams with emails from whoever (AT) nicerealmail .info and whoever (AT) marketez-bonds .net. Currently handling it by adding specific rules as we encounter them, but there has to be a better way of handling this. Anyone for emailbls? Or updating uribl to fire on [EMAIL PROTECTED] email addresses in message bodies? Thoughts, anyone? Um... SA should already be treating email addresses in the body as URIs... Are you sure yours isn't looking up the offending domains agianst the URIBLs you're using? I don't believe that's accurate. I know Jeff C. argued that it wasn't what SURBL was intended for so we ended up disabling it. Personally, I still think email address should be looked up. Either the domain is bad or it isn't. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4201 Daryl
Re: Latest spammers' trick - email address in body instead of url
... ... Thoughts, anyone? Um... SA should already be treating email addresses in the body as URIs... Are you sure yours isn't looking up the offending domains agianst the URIBLs you're using? I don't believe that's accurate. I know Jeff C. argued that it wasn't what SURBL was intended for so we ended up disabling it. Personally, I still think email address should be looked up. Either the domain is bad or it isn't. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4201 Daryl Agreed. They are called URI rules, not URL rules. All URIs should be checked (including Message-IDs, and all other cases in RFC2396, RFC2483 and the new Standards Track RFC3986). Also note that URI types are IANA registered and a complete list of allocations is available at iana.org. NOTE: the issue of incomplete URIs is still an open problem (e.g. email addresses like [EMAIL PROTECTED] are not properly formated URIs, but an entry like mailto:[EMAIL PROTECTED] is). At least some of us use far more than just SURBL (and URIBL) for URI rules - very effective, though low scores are needed because of FPs, but multiple rule hits add up very quickly, even on brand new domains and spam runs with IP based BLs. BTW. The OP's example domains both appear to be Yambo Financials, though the second is hosted at Yahoo! (Yambo's favorite free provider to abuse). Paul Shupak [EMAIL PROTECTED]
Re: Latest spammers' trick - email address in body instead of url
Randal, Phil wrote: Hi folks, We're seeing increasing amounts of spam coming in which the email's body contains seemingly innocuous (but obviously irrelevant) text plus an email address for more information. With no urls in the message, uribls are useless... Currently we've had spams with emails from whoever (AT) nicerealmail .info and whoever (AT) marketez-bonds .net. Currently handling it by adding specific rules as we encounter them, but there has to be a better way of handling this. Anyone for emailbls? Or updating uribl to fire on [EMAIL PROTECTED] email addresses in message bodies? Thoughts, anyone? Um... SA should already be treating email addresses in the body as URIs... Are you sure yours isn't looking up the offending domains agianst the URIBLs you're using?
Re: Latest spammers' trick - email address in body instead of url
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Randal, Phil wrote: Hi folks, We're seeing increasing amounts of spam coming in which the email's body contains seemingly innocuous (but obviously irrelevant) text plus an email address for more information. [snip] Phil, Not seen any of these yet, any chance of some examples? C. - -- Craig McLeanhttp://fukka.co.uk [EMAIL PROTECTED] Where the fun never starts Powered by FreeBSD, and GIN! -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.1 (GNU/Linux) iD8DBQFEEZ0gMDDagS2VwJ4RAsRfAJ4oB6Cu7MF7cS651zhFWaI65/XKaQCg3zdA MwxVGbyWV4hfzl22qFXgpmI= =hEdT -END PGP SIGNATURE-
Re: Latest spammers' trick - email address in body instead of url
On 10/03/06 10:26 AM, Matt Kettler wrote: Randal, Phil wrote: Hi folks, We're seeing increasing amounts of spam coming in which the email's body contains seemingly innocuous (but obviously irrelevant) text plus an email address for more information. With no urls in the message, uribls are useless... Currently we've had spams with emails from whoever (AT) nicerealmail .info and whoever (AT) marketez-bonds .net. Currently handling it by adding specific rules as we encounter them, but there has to be a better way of handling this. Anyone for emailbls? Or updating uribl to fire on [EMAIL PROTECTED] email addresses in message bodies? Thoughts, anyone? Um... SA should already be treating email addresses in the body as URIs... Are you sure yours isn't looking up the offending domains agianst the URIBLs you're using? I don't believe that's accurate. I know Jeff C. argued that it wasn't what SURBL was intended for so we ended up disabling it. Personally, I still think email address should be looked up. Either the domain is bad or it isn't. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4201 Daryl
Re: Latest spammers' trick - email address in body instead of url
Here is one I have; body only: - Original Message - From: Brown Lane To: [EMAIL PROTECTED] Sent: Monday, March 6, 2006 10:15 AM Subject: billing | Not seen any of these yet, any chance of some examples? | | C.
Re: Latest spammers' trick - email address in body instead of url
Sorry all, It didn't go through. Let me find another way to send it. - Original Message - From: [EMAIL PROTECTED] To: Craig McLean [EMAIL PROTECTED]; Randal, Phil [EMAIL PROTECTED] Cc: users@spamassassin.apache.org Sent: Friday, March 10, 2006 8:46 AM Subject: Re: Latest spammers' trick - email address in body instead of url | Here is one I have; | | body only: | - Original Message - | From: Brown Lane | To: [EMAIL PROTECTED] | Sent: Monday, March 6, 2006 10:15 AM | Subject: billing | | | | | | | | Not seen any of these yet, any chance of some examples? | | | | C. | |
RE: Latest spammers' trick - email address in body instead of url
I think email addresses should be scored differently from urls. Clicking on an email address isn't going to take you to a site which auto-installs all manner of malware on your PC. But these spams are still a nuisance - especially to us thankless admins who get enormous amounts of hassle from our end-users and management everytime spam slips through with a very low spamassassin score. Cheers, Phil Phil Randal Network Engineer Herefordshire Council Hereford, UK -Original Message- From: Daryl C. W. O'Shea [mailto:[EMAIL PROTECTED] Sent: 10 March 2006 15:47 To: Matt Kettler Cc: Randal, Phil; users@spamassassin.apache.org Subject: Re: Latest spammers' trick - email address in body instead of url On 10/03/06 10:26 AM, Matt Kettler wrote: Randal, Phil wrote: Hi folks, We're seeing increasing amounts of spam coming in which the email's body contains seemingly innocuous (but obviously irrelevant) text plus an email address for more information. With no urls in the message, uribls are useless... Currently we've had spams with emails from whoever (AT) nicerealmail .info and whoever (AT) marketez-bonds .net. Currently handling it by adding specific rules as we encounter them, but there has to be a better way of handling this. Anyone for emailbls? Or updating uribl to fire on [EMAIL PROTECTED] email addresses in message bodies? Thoughts, anyone? Um... SA should already be treating email addresses in the body as URIs... Are you sure yours isn't looking up the offending domains agianst the URIBLs you're using? I don't believe that's accurate. I know Jeff C. argued that it wasn't what SURBL was intended for so we ended up disabling it. Personally, I still think email address should be looked up. Either the domain is bad or it isn't. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4201 Daryl