On Wed, 18 Dec 2019, John Hardin wrote:
>Can you post a spample
This is a very interesting pattern that I've seen in a few (9) spams
this week.
Here's a spample (with only the To header MUNGED):
http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
Lindsay, is that what
As requested:
http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
I MUNGED the "To".
It's the latest of two sent to me by an awesome volunteer. :)
First thoughts:
Both were base64 encoded.
Both have "disclaimers" that they're not terrorists. :roll-eyes:
John Hardin: I'll
Ditto to what John said, however, thanks for the spample Mark. :)
Mark, is that the exact network image?
If not, do you have access to it? If so, please pastebin it.
By "network image", I mean not-mangled by any post filter software.
Your posted spample is quoted-printable, and should have been
There's a new morph of the porn extortion campaign, with some
interesting under-the-hood changes.
The previous ones were always:
- two "quoted-printable" parts (plain text, html)
- "From" Outlook accounts
- sent via Outlook/Hotmail/MS IPs (no other IPs in route)
- passed both DKIM and SPF
The
On Tue, Jun 19, 2018 at 11:00 AM, Andy Smith wrote:
> Testing despite these errors the only rule I'm getting a hit on from KAM
> is JMQ_SPF_NEUTRAL_ALL
Andy, thanks for the very useful spamples! :)
Could somebody do a sanity check on the SPF record for
"ballybofeycarpets.com"?
I get a
On Tue, Oct 31, 2017, David Jones wrote:
>Add the Lashback RBL. I am trying to get this added to the default SA
>rules. See my post on 2017-10-17 in the following link and increase the
>scores after some testing.
David, after your Lashback post, I had added it to my FP
Starting Monday late pm (Iowa time), I've been seeing my first DDE
exploits, with significant volume.
Here's a spample, with only the account part of the To header munged:
http://puffin.net/software/spam/samples/0056_dde_auto.txt
The MIME part Content Types are all of the same form, with
KAM, thanks!
I took a look at your rules, and like your scoring. :)
Over my years, I've seen enough BBB scare campaigns which use
shorteners, that perhaps it would make sense to add "KAM_SHORT"
to your additive list of metas (I forget what that's called).
To all the other repliers:
Thanks for
There's a new campaign that uses Bitly shorteners to some sort of
Google forwarder ("appengine").
Here's some sample Locations returned by HEADing the shorteners:
Just spotted my first snow with the TLD ".jetzt".
It's selling for $1.88 at NameCheap so should become widespread.
On Sat, 05 Nov 2016, at 11:54, @lbutlr (kreme.com) wrote:
>We get some (very little) real mail from info, biz, and name domains.
>All the other new domains are on a "prove you're not
Alex, thanks for the spample!
I've only received one (so far), containing the same base domain
with the ".win" TLD, also freshly registered at NameCheap with
privacy protection and CloudFlare.
On Thu, 04 May 2017, Axb wrote:
>SA's redirect patterns detected these domains and my logs show
>most
SpamAssassin caught this phish, however some tweaks would have
let it thru, and it's an interesting new (to me) approach, so I
figured I'd share it with y'all.
Full raw spample (with MUNGED email addresses):
http://puffin.net/software/spam/samples/0053_phish_image.txt
At arrival time,
On Sun, 25 Sep 2016, RW wrote:
>If you mean you poison-pill anything with a redirect, then this
>doesn't seem all that clever because tinyurl is such a well known
>shortener.
I poison pill by default, not always. :)
If the arrival time HEAD is a redirect to a "skip" listed domain,
the poison
Here's a spample of a well done "Dropbox" Phish sent thru Gmail,
containing a custom URL shortener which (apparently) did _NOT_
exist at message arrival time:
http://puffin.net/software/spam/samples/0045_shortener_phish.txt
I MUNGED the To & From headers, however I left the original From
On Fri, 16 Sep 2016, John Hardin wrote:
>Chip, could you send me some spamples of non-image data: messages
>offlist? The only ones I have anywhere are images.
Sent last week - thanks for your ongoing work on this John! :)
After that request, I decided to add (in my post SA filter)
a minimally
John,
thanks a TON for your efforts! I was afraid this would be hard
to catch. :(
On the bright side, the campaign has been morphing, and they are
now (IMO) much less enticing, which is a partial victory. :)
** Update:
The emails have gone thru two more significant morphs, first with
On Thu, 30 Jun 2016, Olivier Coutu wrote:
>The other way to fix that is to detect the lexical distance between the
>sender's domain and your organisation's domains, e.g. by building a
>plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance.
>That could be done for a small number of
On Thu, 8 Sep 2016, John Hardin wrote:
>Yes. Given that ID on the first line the corpus owner can find the message
>in question, review it, potentially fix misclassifications (that has
>happened before), etc.
Shiny - that sounds perfect! :)
>There's one more exclusion I can add that will take
On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
>i get a diff-output per mail each time the mailserver configs
>are changing
That's a completely valid approach, and I am a big fan of
pre-emptive first strike (only as applied to potentially evil
email).
However, the vast majority of those TLDs
On Sat, 09 Jul 2016, jasonsu wrote:
>Fwiw, atm I block all of the following TLDs
...
>men,
..
>That list is auto-generated. Any & all TLDs that have
>sent > 100 messages within the last year *AND* have a
Great approach Jason! :)
".men" just recently appeared in my data, and is not showing up
Spample:
http://puffin.net/software/spam/samples/0043_driveby_from-rn_in_url.txt
I removed 19 (of 20 original) email addresses out of the
To header, ST:TOS munged all remaining email addresses, and
munged the target URL to match the other mungings.
Everything else is exactly as received,
On Sat, 3 Sep 2016, John Hardin wrote:
>I've tweaked the FP avoidance a bit, maybe that will be enough
>to get the S/O up high enough to publish it.
John, do you have any detailed info about the Ham hits?
I just datamined my three best corpora, from the beginning of
2014 thru this weekend, and
Freshly caught Spample:
http://puffin.net/software/spam/samples/0042_data_embedded_phish.txt
The only munging was inserting ".EXAMPLE" between "wellsfargo"
and ".com".
Four years ago, I read this fascinating article:
On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:
>Meanwhile, there is RTF spam that's circulating which is
>currently bypassing the sanesecurity sigs. I've just submitted a
>sample to Steve, but the db hasn't yet been updated. Here's a
>sample:
>
>http://pastebin.com/ALsSAmwa
Alex, thanks for the
Thanks for all the lists and references, everyone! :)
+1 on block-by-default combined with "skips" for the VERY rare
exceptions.
I'm scoring (poison pill level), not gateway blocking (more about
that in a later post).
*** New Snow TLD sighting:
Since June 30, the TLD ".stream" has been
On Tue, 28 Jun 2016 14:13:57 + David Jones wrote:
>If I search the Internet for the CEO/CIO/CTO/etc of a company
>and send and email from my domain but make the displayed name
>in the visible From: be that CEO/CIO/CTO/etc's full name that
>the recipient is used to seeing in the mail client,
At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files. While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
At 04:07 AM 5/20/2016, RoaringPenguin wrote:
>filename-extension rules that block .js
>inside .zip files.
+1
We also block these scripting related Windows extensions:
.hta
.jse
.vbs
.wsf
Those were originally "pre-emptive", however I've now seen
both ".hta" and
Thanks Andreas! :)
Wednesday am, after re-checking that the specific spam URL was
still forwarding to the spam payload destination, I emailed that
role account... and to my (VERY pleasant) shock, received an
auto-reply which did NOT direct me to an unuseable web form
(i.e. the Google model of
Spotted a new exploited forwarder of some sort at LinkedIn -
full spample:
http://puffin.net/software/spam/samples/0041_linked_forward.txt
Except for the munged "To" and "From" email addresses, that's the
pristine network image.
It came From a known friend at "swbell", who normally sends
Thanks guys, for all the helpful info and sanity checks! :)
Sorry about the Message-ID munging - I get some really useful
malware at that domain but no ham, and am a bit paranoid about
losing that feed.
Followup:
>I had considered anchoring the MIME string, however we have a
>very powerful
Starting about two hours ago, about 40% of my real-time
honeypot spam is a new malware campaign. About a third are
hitting "BAYES_00", with about 10% of all having negative SA
scores. :(
Full spample (with munged email addresses):
http://puffin.net/software/spam/samples/0040_mal_tgz.txt
Starting about two hours ago, more than 80% of my real-time
honeypot spam is a new malware campaign.
Full spample (with redacted/munged email addresses and
Message-ID):
http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt
This is a variation on an XML file malware campaign that
James, are these botnet or snowshoe spam?
When you get a chance, please provide some spamples (pastebin or
elsewhere), as Kevin recommended. Please mung JUST the email
addresses (e.g. change all email domains to example.com, and
change the victim account name to victim). If the victim
accounts
Thanks Alex! :)
As Alex's rules imply, it switched over to 100% image spam
(in my spamtraps), and continued its excellent syncing.
Just on April 11, the volume more than tripled, and it hit many
different spamtraps than all previous days. Some of those traps
had never been hit before, and/or
Starting Apr 5, about _HALF_ of our spam volume is a
new pump and dump campaign for stock symbol RCHA.
As well as the high volume, there are several noteworthy
characteristics:
- victim account name is used as the sender/From account name
- very clean HTML
- very few hits on non-DNS/RBL
I just checked the last six months of my most diverse corpus,
and found: two Ham, zero spam.
Both ham were sent via different ESPs, each of mediocre
quality though with multiple legitimate (albeit Pakled-y)
customers.
One was from Marriott Rewards with terse SA report:
score=0.9
There's a new (to me), overly clever campaign combining Google
Translate with a URL shortener. It's fairly low volume, but most
are sailing thru SA. It's such a goofy pattern it feels like it's
worthy of an Extinction level score. :)
These started yesterday (Dec 9) at around 2am Eastern US
Hi Alex!
Actually, that's a Snowshoe IP.
Which, on balance, can be a good thing, slaying-wise. :)
Almost four years ago, I posted my approach to snowshoe slaying:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200902.mbox/%3c20090204.0...@iowahoneypot.com%3e
It has
There's yet another variant in the ongoing campaign of HTML file
attachments with javascript malware payloads. :(
The trick is that it sets the Content-Type to application/zip,
and uses an .htm file extension, for example (actual spam):
Content-Type: application/zip
There's a new campaign using bitly.com, instead of bit.ly.
Other characteristics are:
1. empty plain text Part, followed by a quoted-printable HTML Part
2. very long HTML Title
3. large Style section, with random text (Bayes salad like)
4. current Subject is FW: your arrest record
I expect the
R - elists wrote:
does anyone get legit emails that come from the mailengine1.com
email marketing servers?
Yes, I've seen a trickle of ham, so did some data mining for you...
The IP ranges I have for them are:
66.59.0.0 - 66.59.31.255
72.19.192.0 - 72.19.255.255
Does anyone
There's an interesting new zip attachment obfuscation that uses
an encoded EMPTY filename.
I've seen barely a trickle, but so far, all have had VERY low
SA scores (1.1 with generally unremarkable test hits).
I'm still waiting for permission from the recipient to publish
a complete sample.
Here's
mouss wrote:
with a stock config, and without Bayes, it now yields:
Hmmm, interesting!
Yes, all the caught spam here were due to RBL hits.
Which begs the question, what SpamAssassin tests are hitting for
the misses vs the kills?
Here's what hit (here), for the first 38 missed spams:
Test
Steve Freegard wrote:
Hopefully it will be useful to others; you can grab it from:
Thanks Steve!
Suggestions (for future enhancements):
1. Consider splitting the list of shorteners between those that
are well established and KNOWN to be reasonably diligent, and
all others (e.g. the anti-pattern
On 19 Sep 2010, John Hardin wrote:
Adding to my sandbox for masscheck:
rawbody HTML_OBFU_ESC /document\.write\(unescape\((?:%[0-9a-f]{2}){10}/i
It performs pretty well. It should be in the next rules update, under a
slightly different name (OBFU_JVSCR_ESC).
Shiny!
How about
There's a new morph from our old nuisance, the inline PNG/RTF, and
all manner of wavy image insecure-boy-drugs spammer. :(
Here's a sample:
http://puffin.net/software/spam/samples/0009_jpg_oct.txt
It began (here) on Sep 10, and replaced his (relatively boring)
Your wife photos attached
About a month ago, Didier Stevens found a nifty way to exploit
PDFs, using their launch action.
Original article:
http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
More info:
http://www.sophos.com/blogs/sophoslabs/?p=9301
Yesterday morning, several of these showed up in
I'm seeing an increase in zip attachment spam, and hoped someone
could help me figure out why it isn't being properly tagged. Are
others seeing this? Is BAYES_99 being triggered or is it lower?
Alex, does Bayes understand/check INSIDE zips, at least for file
properties? If not, then it is
I've been running it since 1:51 Eastern (US) time, yesterday.
You risk wrongly flagging legitimate email if you make IP queries
to the DBL.
For now, I'm :) cheating, by mapping one of the (officially)
unused high bits to a negative score, which should wipe out the
positive score for a raw IP URL
On Sun, 28 Feb 2010, LuKreme wrote:
SPF!
runs; ducking, shucking, and weaving
You're a brave person. ;)
It's easier to understand the challenge Dave faces, if we look at
some actual From headers.
In my stream, these started in early November of last year, so I
just checked a few months
Every few months, someone suggests detecting phish by looking for a
different domain in the target vs display URL in HTML links.
Other suggestions have included testing for different domain in the
SMTP envelope Sender and the hostname of the sending IP.
Every time, the grizzled veterans
Jonas, do you have any performance and/or efficacy stats for your
URLRedirect plugin?
After months of near silence, I'm seeing an interesting (albeit
low volume) shortener campaign, that's picking up volume AND
effectiveness.
Only one of my 40-ish domains was getting these, then this week two
Jason Haar wrote:
They aren't triggering (enough) network rule matches, contain a
bayes-killer, and even FuzzyOCR can't manage the swirly image trick
they pull. Has anyone come up with a way to fight these?
Jason, thanks for the cheerful Subject. I needed that today. :)
I'm catching all of
twofers wrote:
What could be going on here? Any ideas? Is it coincidence?
TwoFers, did these start after mid-afternoon (1600 Eastern time)
of Oct 26? If so, this is PURE coincidence. :)
I checked four of my domains, including one which (by policy) has
NEVER received any authentic
mouss wrote:
snowshoe. block both
...
the network: 74.63.64.0/18 (74.63.64.0 - 74.63.127.255)
+1
That entire block belongs to FDCservers.net, which, from personal
experience, AND based on regular discussions on Spam-L, is considered a
snowshoe host (could be by conscious choice, could be by
Owen B. Mehegan wrote:
Lately a lot of 419 and investment spams have been getting through
with very low SA scores. Can anyone take a look at these and see
if there's another ruleset I should use to trap them?
Owen, particularly with 419/scam spams, it's VERY helpful if you
tell us more about your
DOB (Day Old Bread) had the same problem last year:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200810.mbox/%3cva.33f1.14690...@news.conactive.com%3e
With software bugs, lightning often DOES strike twice in the same
spot. :)
- Chip
Charles Gregory wrote:
Do they all have message ID's that include the IP? You could score
that 0.3 or so to help push it over the line. Also give a bit mroe
Shiny - I had not noticed this pattern. Thanks guys! :)
LuKreme wrote:
and found it hit more mailinglist ham than spam, so I'd tread
While reading the html picture spam thread, it occurred to me to
check the sizes of Ham hitting Barracuda.
The largest one was 113,351 bytes.
I then checked the nation-of-origin for all Barracuda hitting
large spams (msg size = 256 kb), and (during the 3-week period
I checked) only 4 out of 190
Rob McEwen wrote:
(2) ivmSIP/24 is attempting a very dangerous mission... which is to
preemptively block snowshoe spam by listing entire /24 blocks when
only a handful of IPs on that block have sent spam so far. But keep
in mind that (a) specifically--ivmSIP is going to block some spam
where that
Dennis Hardy wrote:
Do people generally have good non-FP experience with BRBL? I am
thinking of bumping up the score, but I get so much spam per day
it is hard to check for FPs with it enabled.
Dennis, it depends on what sort of ham your people receive.
For evaluation purposes, I've been running
This snowshoe stuff has been a PITA for a while.
For most of my users (particularly the Geeks), it's not even on their
radar.
For others, (inluding my most complex domain), 80% of their FNs are
from snowshoers.
As well as the usual battery of anti-spam tests,
I'm using a layered/meta approach
Just noticed a new (to me) Geocities obfuscation technique that uses
embedded relative path(s):
http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba
That breaks my own subsite extraction code. :(
The pedantic part of my brain wants to rewrite my code to
auto-adjust
They look like this:
http://docs.google.com/doc?id=MUNGED_MUNGED
I'm not sure if the id is personally identifiable, so MUNGED both halves of
it.
I've only seen two so far, and haven't visited either (again, due to the
potential PII - both samples were from other people).
Very little
On Wed, 27 Feb 2008, Theo Van Dinter wrote:
What's the trick here? Looks like a normal docs URL to me.
Poor terminology on my part. I am Only An Egg. :)
Is exploit a more correct term?
I meant that this is the latest way that spammers are taking advantage of
the trusting attitude most folks
On Wed, 27 Feb 2008, JP Kelly wrote:
it seems like they could/should be caught but they often have very low
scores.
they all have yahoo.co.uk in the from address
In and of itself, yahoo.co.uk in the From isn't too helpful, unless you
know you'll never get anything legit from there, then you
On Sun, 20 Jan 2008, Loren Wilton wrote:
Is [letters][numbers] a required format, or just what this spammer picked?
It's not required. It is the single most common format (that I've seen).
What's the cute trick? That looks like a pretty typical one.
(It's late-ish, I could be missing the
On Wed, 16 Jan 2008, Matt Kettler wrote:
Yes. In fact, IP based URLs occur more commonly in nonspam than spam.
Matt, yes this is correct, however in this particular case nonspam is
perhaps a bit broad. It's been my experience that these almost always
occur in mass marketing ham, not
The latest variant is gooogle.com, which is a legit alias for Google,
and appears to work with all the regular spammer trick parameters.
I've also seen two more google TLD variants.
- Chip
On Sun, 13 Jan 2008, Mike Cisar wrote:
However, these last bunch seem to have a trick, the only other text in the
message aside from the URL seems to be a date string. Somehow that must
totally be screwing with Bayes since those messages are also triggering
BAYES_00 or BAYES_02 and pretty much
Just clued into a new Google search parameter spam variant: adurl.
A quick search shows that is some sort of AdSense thingie.
Does anyone have a marketing-dweeb-free technical explanation?
I've sent out a new rule to my Team to MassCheck, but it'll probably be a
few days before I have numbers.
Continuing a, um, :) 'sub' discussion from the
Googlepages Livefilestore spams thread...
Alex, do you have a test point for this?
I've run a couple handfuls thru, and had no hits.
I'm not sure if I'm doing something wrong, or they're just not listed yet.
Is this what we should be resolving (to
On Wed, 9 Jan 2008, Ben Lentz wrote:
any other tips would be greatly appreciated. We obviously don't want to
blanket block google, but this URI redirection stuff isn't very friendly
when used by a spammer.
Ben, the key is the btnI param, which maps to the I'm feeling lucky
button.
This
Alberto, your reasoning is correct, based on my experience of actually
implementing and using such a system, albeit in a small scale environment.
As sm points out, it is particularly useful as a pass rule for exact
matches to your users' actual email client real names.
I've implemented this as
Here's a new style of PDF spam (recipient email address is munged):
http://Puffin.net/software/spam/samples/0004_pdf_gen3.eml
This time, it (apparently) is plain text with a link to an ED site, with
rather explicit language. I've only found two of these so far.
From a technical point of
At 01:09 PM 7/5/2007 -0700, you wrote:
You could match on the application/octet-steam and the file
extension being .pdf.
Good idea, but sorry, I should have been clearer (my BIM):
I meant use that in COMBINATION with OTHER signs, mainly to detect the
difference between the two styles.
To clear
Chris, thanks for your detailed analysis!
Please don't be discouraged, as you're generally on the right track,
you just need to do some fine tuning.
Since last spring, I've been running some word tests that include
something similar to the obfuscation approach you've described, and
have had good
At 10:26 PM 8/21/2006 -0700, John Rudd wrote:
I also heard that interlaced gif spam is appearing now.
Yes, I saw that post, however there wasn't a publicly available sample.
Any such would be much appreciated.
It'd be interesting to see how to counter them.
Should be easy. One approach is
While skimming thru my daily rejected spam pile, did a double take when a
GIF spam seemed to blink at me. Thought it was a sw glitch at first...
then realized the sneaky Borg had adapted again.
Took a look at the frames in PaintShopPro's AnimationShop, and the first
three are all but blank (wee
80 matches
Mail list logo