RE: New bitcoin ransom message today

On Wed, 18 Dec 2019, John Hardin wrote: >Can you post a spample This is a very interesting pattern that I've seen in a few (9) spams this week. Here's a spample (with only the To header MUNGED): http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt Lindsay, is that what

RE: New bitcoin ransom message today

As requested: http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt I MUNGED the "To". It's the latest of two sent to me by an awesome volunteer. :) First thoughts: Both were base64 encoded. Both have "disclaimers" that they're not terrorists. :roll-eyes: John Hardin: I'll

Re: 9D character used in words to avoid detection

Ditto to what John said, however, thanks for the spample Mark. :) Mark, is that the exact network image? If not, do you have access to it? If so, please pastebin it. By "network image", I mean not-mangled by any post filter software. Your posted spample is quoted-printable, and should have been

spample: porn extortion with pure numeric From domain and base64 body

There's a new morph of the porn extortion campaign, with some interesting under-the-hood changes. The previous ones were always: - two "quoted-printable" parts (plain text, html) - "From" Outlook accounts - sent via Outlook/Hotmail/MS IPs (no other IPs in route) - passed both DKIM and SPF The

SPF PermError (was: "Re: Scans and Invoice spam containg HREF to something bad")

On Tue, Jun 19, 2018 at 11:00 AM, Andy Smith wrote: > Testing despite these errors the only rule I'm getting a hit on from KAM > is JMQ_SPF_NEUTRAL_ALL Andy, thanks for the very useful spamples! :) Could somebody do a sanity check on the SPF record for "ballybofeycarpets.com"? I get a

Re: spample: Microsoft Office DDE exploit (in OpenXML attachment)

On Tue, Oct 31, 2017, David Jones wrote: >Add the Lashback RBL. I am trying to get this added to the default SA >rules. See my post on 2017-10-17 in the following link and increase the >scores after some testing. David, after your Lashback post, I had added it to my FP

spample: Microsoft Office DDE exploit (in OpenXML attachment)

Starting Monday late pm (Iowa time), I've been seeing my first DDE exploits, with significant volume. Here's a spample, with only the account part of the To header munged: http://puffin.net/software/spam/samples/0056_dde_auto.txt The MIME part Content Types are all of the same form, with

Re: new campaign: bitly & appengine.google

KAM, thanks! I took a look at your rules, and like your scoring. :) Over my years, I've seen enough BBB scare campaigns which use shorteners, that perhaps it would make sense to add "KAM_SHORT" to your additive list of metas (I forget what that's called). To all the other repliers: Thanks for

new campaign: bitly & appengine.google

There's a new campaign that uses Bitly shorteners to some sort of Google forwarder ("appengine"). Here's some sample Locations returned by HEADing the shorteners:

Re: Anyone else just blocking the ".top" TLD?

Just spotted my first snow with the TLD ".jetzt". It's selling for $1.88 at NameCheap so should become widespread. On Sat, 05 Nov 2016, at 11:54, @lbutlr (kreme.com) wrote: >We get some (very little) real mail from info, biz, and name domains. >All the other new domains are on a "prove you're not

Re: Today's Google Docs phish

Alex, thanks for the spample! I've only received one (so far), containing the same base domain with the ".win" TLD, also freshly registered at NameCheap with privacy protection and CloudFlare. On Thu, 04 May 2017, Axb wrote: >SA's redirect patterns detected these domains and my logs show >most

spample: banking credential phish using linked image (with no text)

SpamAssassin caught this phish, however some tweaks would have let it thru, and it's an interesting new (to me) approach, so I figured I'd share it with y'all. Full raw spample (with MUNGED email addresses): http://puffin.net/software/spam/samples/0053_phish_image.txt At arrival time,

Re: spample of not(?)-yet-registered "custom" URL Shortener in Phish

On Sun, 25 Sep 2016, RW wrote: >If you mean you poison-pill anything with a redirect, then this >doesn't seem all that clever because tinyurl is such a well known >shortener. I poison pill by default, not always. :) If the arrival time HEAD is a redirect to a "skip" listed domain, the poison

spample of not(?)-yet-registered "custom" URL Shortener in Phish

Here's a spample of a well done "Dropbox" Phish sent thru Gmail, containing a custom URL shortener which (apparently) did _NOT_ exist at message arrival time: http://puffin.net/software/spam/samples/0045_shortener_phish.txt I MUNGED the To & From headers, however I left the original From

Re: spample of "data" URL in well-crafted Phish

On Fri, 16 Sep 2016, John Hardin wrote: >Chip, could you send me some spamples of non-image data: messages >offlist? The only ones I have anywhere are images. Sent last week - thanks for your ongoing work on this John! :) After that request, I decided to add (in my post SA filter) a minimally

Re: drive-by malware customized to the From.RealName of actual Friends

John, thanks a TON for your efforts! I was afraid this would be hard to catch. :( On the bright side, the campaign has been morphing, and they are now (IMO) much less enticing, which is a partial victory. :) ** Update: The emails have gone thru two more significant morphs, first with

Re: Catching well directed spear phishing messages

On Thu, 30 Jun 2016, Olivier Coutu wrote: >The other way to fix that is to detect the lexical distance between the >sender's domain and your organisation's domains, e.g. by building a >plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance. >That could be done for a small number of

Re: spample of "data" URL in well-crafted Phish

On Thu, 8 Sep 2016, John Hardin wrote: >Yes. Given that ID on the first line the corpus owner can find the message >in question, review it, potentially fix misclassifications (that has >happened before), etc. Shiny - that sounds perfect! :) >There's one more exclusion I can add that will take

Re: Anyone else just blocking the ".top" TLD?

On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote: >i get a diff-output per mail each time the mailserver configs >are changing That's a completely valid approach, and I am a big fan of pre-emptive first strike (only as applied to potentially evil email). However, the vast majority of those TLDs

Re: Anyone else just blocking the ".top" TLD?

On Sat, 09 Jul 2016, jasonsu wrote: >Fwiw, atm I block all of the following TLDs ... >men, .. >That list is auto-generated. Any & all TLDs that have >sent > 100 messages within the last year *AND* have a Great approach Jason! :) ".men" just recently appeared in my data, and is not showing up

drive-by malware customized to the From.RealName of actual Friends

Spample: http://puffin.net/software/spam/samples/0043_driveby_from-rn_in_url.txt I removed 19 (of 20 original) email addresses out of the To header, ST:TOS munged all remaining email addresses, and munged the target URL to match the other mungings. Everything else is exactly as received,

Re: spample of "data" URL in well-crafted Phish

On Sat, 3 Sep 2016, John Hardin wrote: >I've tweaked the FP avoidance a bit, maybe that will be enough >to get the S/O up high enough to publish it. John, do you have any detailed info about the Ham hits? I just datamined my three best corpora, from the beginning of 2014 thru this weekend, and

spample of "data" URL in well-crafted Phish

Freshly caught Spample: http://puffin.net/software/spam/samples/0042_data_embedded_phish.txt The only munging was inserting ".EXAMPLE" between "wellsfargo" and ".com". Four years ago, I read this fascinating article:

Re: SA cannot block messages with attached zip

On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote: >Meanwhile, there is RTF spam that's circulating which is >currently bypassing the sanesecurity sigs. I've just submitted a >sample to Steve, but the db hasn't yet been updated. Here's a >sample: > >http://pastebin.com/ALsSAmwa Alex, thanks for the

Re: Anyone else just blocking the ".top" TLD?

Thanks for all the lists and references, everyone! :) +1 on block-by-default combined with "skips" for the VERY rare exceptions. I'm scoring (poison pill level), not gateway blocking (more about that in a later post). *** New Snow TLD sighting: Since June 30, the TLD ".stream" has been

Re: Catching well directed spear phishing messages

On Tue, 28 Jun 2016 14:13:57 + David Jones wrote: >If I search the Internet for the CEO/CIO/CTO/etc of a company >and send and email from my domain but make the displayed name >in the visible From: be that CEO/CIO/CTO/etc's full name that >the recipient is used to seeing in the mail client,

Re: SA cannot block messages with attached zip

At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote: >We list the contents of attached archives >(using "lsar") and have filename-extension rules that block .js >inside .zip files. While this can lead to some FPs, which we handle >with selective whitelisting, it's very effective at catching the

Re: SA cannot block messages with attached zip

At 04:07 AM 5/20/2016, RoaringPenguin wrote: >filename-extension rules that block .js >inside .zip files. +1 We also block these scripting related Windows extensions: .hta .jse .vbs .wsf Those were originally "pre-emptive", however I've now seen both ".hta" and

re: exploitable LinkedIn forwarder/whatever

Thanks Andreas! :) Wednesday am, after re-checking that the specific spam URL was still forwarding to the spam payload destination, I emailed that role account... and to my (VERY pleasant) shock, received an auto-reply which did NOT direct me to an unuseable web form (i.e. the Google model of

exploitable LinkedIn forwarder/whatever

Spotted a new exploited forwarder of some sort at LinkedIn - full spample: http://puffin.net/software/spam/samples/0041_linked_forward.txt Except for the munged "To" and "From" email addresses, that's the pristine network image. It came From a known friend at "swbell", who normally sends

Re: new(ish) malware: RTF with MIME payload

Thanks guys, for all the helpful info and sanity checks! :) Sorry about the Message-ID munging - I get some really useful malware at that domain but no ham, and am a bit paranoid about losing that feed. Followup: >I had considered anchoring the MIME string, however we have a >very powerful

malware campaign: javascript in ".tgz"

Starting about two hours ago, about 40% of my real-time honeypot spam is a new malware campaign. About a third are hitting "BAYES_00", with about 10% of all having negative SA scores. :( Full spample (with munged email addresses): http://puffin.net/software/spam/samples/0040_mal_tgz.txt

new(ish) malware: RTF with MIME payload

Starting about two hours ago, more than 80% of my real-time honeypot spam is a new malware campaign. Full spample (with redacted/munged email addresses and Message-ID): http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt This is a variation on an XML file malware campaign that

RE: SPAM from a registrar

James, are these botnet or snowshoe spam? When you get a chance, please provide some spamples (pastebin or elsewhere), as Kevin recommended. Please mung JUST the email addresses (e.g. change all email domains to example.com, and change the victim account name to victim). If the victim accounts

Re: unusual new pump-and-dump campaign (RCHA)

Thanks Alex! :) As Alex's rules imply, it switched over to 100% image spam (in my spamtraps), and continued its excellent syncing. Just on April 11, the volume more than tripled, and it hit many different spamtraps than all previous days. Some of those traps had never been hit before, and/or

unusual new pump-and-dump campaign (RCHA)

Starting Apr 5, about _HALF_ of our spam volume is a new pump and dump campaign for stock symbol RCHA. As well as the high volume, there are several noteworthy characteristics: - victim account name is used as the sender/From account name - very clean HTML - very few hits on non-DNS/RBL

Re: Rule FH_RANDOM_SURE causing FPs

I just checked the last six months of my most diverse corpus, and found: two Ham, zero spam. Both ham were sent via different ESPs, each of mediocre quality though with multiple legitimate (albeit Pakled-y) customers. One was from Marriott Rewards with terse SA report: score=0.9

new (?) Google Translate trick using URL Shorteners

There's a new (to me), overly clever campaign combining Google Translate with a URL shortener. It's fairly low volume, but most are sailing thru SA. It's such a goofy pattern it feels like it's worthy of an Extinction level score. :) These started yesterday (Dec 9) at around 2am Eastern US

re: Trouble with bayes poisoning spam

Hi Alex! Actually, that's a Snowshoe IP. Which, on balance, can be a good thing, slaying-wise. :) Almost four years ago, I posted my approach to snowshoe slaying: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200902.mbox/%3c20090204.0...@iowahoneypot.com%3e It has

another malware MIME header trick that works with at least one email client

There's yet another variant in the ongoing campaign of HTML file attachments with javascript malware payloads. :( The trick is that it sets the Content-Type to application/zip, and uses an .htm file extension, for example (actual spam): Content-Type: application/zip

new twist on BitLy

There's a new campaign using bitly.com, instead of bit.ly. Other characteristics are: 1. empty plain text Part, followed by a quoted-printable HTML Part 2. very long HTML Title 3. large Style section, with random text (Bayes salad like) 4. current Subject is FW: your arrest record I expect the

Re: all spam emails from mailengine1.com servers

R - elists wrote: does anyone get legit emails that come from the mailengine1.com email marketing servers? Yes, I've seen a trickle of ham, so did some data mining for you... The IP ranges I have for them are: 66.59.0.0 - 66.59.31.255 72.19.192.0 - 72.19.255.255 Does anyone

new technique: borked zip attachment w/malware

There's an interesting new zip attachment obfuscation that uses an encoded EMPTY filename. I've seen barely a trickle, but so far, all have had VERY low SA scores (1.1 with generally unremarkable test hits). I'm still waiting for permission from the recipient to publish a complete sample. Here's

Re: new gappy domain campaign (w/sample)

mouss wrote: with a stock config, and without Bayes, it now yields: Hmmm, interesting! Yes, all the caught spam here were due to RBL hits. Which begs the question, what SpamAssassin tests are hitting for the misses vs the kills? Here's what hit (here), for the first 38 missed spams: Test

Re: New plugin: DecodeShortURLs

Steve Freegard wrote: Hopefully it will be useful to others; you can grab it from: Thanks Steve! Suggestions (for future enhancements): 1. Consider splitting the list of shorteners between those that are well established and KNOWN to be reasonably diligent, and all others (e.g. the anti-pattern

Re: Yahoo HTML Base64 Attachments

On 19 Sep 2010, John Hardin wrote: Adding to my sandbox for masscheck: rawbody HTML_OBFU_ESC /document\.write\(unescape\((?:%[0-9a-f]{2}){10}/i It performs pretty well. It should be in the next rules update, under a slightly different name (OBFU_JVSCR_ESC). Shiny! How about

application/octet-stream obfuscated JPEGs

There's a new morph from our old nuisance, the inline PNG/RTF, and all manner of wavy image insecure-boy-drugs spammer. :( Here's a sample: http://puffin.net/software/spam/samples/0009_jpg_oct.txt It began (here) on Sep 10, and replaced his (relatively boring) Your wife photos attached

new PDF Launch malware exploit (with sample)

About a month ago, Didier Stevens found a nifty way to exploit PDFs, using their launch action. Original article: http://blog.didierstevens.com/2010/03/29/escape-from-pdf/ More info: http://www.sophos.com/blogs/sophoslabs/?p=9301 Yesterday morning, several of these showed up in

Re: Filtering zip spam

I'm seeing an increase in zip attachment spam, and hoped someone could help me figure out why it isn't being properly tagged. Are others seeing this? Is BAYES_99 being triggered or is it lower? Alex, does Bayes understand/check INSIDE zips, at least for file properties? If not, then it is

Re: Spamhaus DBL

I've been running it since 1:51 Eastern (US) time, yesterday. You risk wrongly flagging legitimate email if you make IP queries to the DBL. For now, I'm :) cheating, by mapping one of the (officially) unused high bits to a negative score, which should wipe out the positive score for a raw IP URL

Re: Finding URLs in html attachments

On Sun, 28 Feb 2010, LuKreme wrote: SPF! runs; ducking, shucking, and weaving You're a brave person. ;) It's easier to understand the challenge Dave faces, if we look at some actual From headers. In my stream, these started in early November of last year, so I just checked a few months

Phish - two simple techniques that make the obvious tests viable

Every few months, someone suggests detecting phish by looking for a different domain in the target vs display URL in HTML links. Other suggestions have included testing for different domain in the SMTP envelope Sender and the hostname of the sending IP. Every time, the grizzled veterans

new (small) shortener campaign suggestion for URLRedirect

Jonas, do you have any performance and/or efficacy stats for your URLRedirect plugin? After months of near silence, I'm seeing an interesting (albeit low volume) shortener campaign, that's picking up volume AND effectiveness. Only one of my 40-ish domains was getting these, then this week two

Re: pill image spam learns to walk

Jason Haar wrote: They aren't triggering (enough) network rule matches, contain a bayes-killer, and even FuzzyOCR can't manage the swirly image trick they pull. Has anyone come up with a way to fight these? Jason, thanks for the cheerful Subject. I needed that today. :) I'm catching all of

Re: facebook Spam Question

twofers wrote: What could be going on here? Any ideas? Is it coincidence? TwoFers, did these start after mid-afternoon (1600 Eastern time) of Oct 26? If so, this is PURE coincidence. :) I checked four of my domains, including one which (by policy) has NEVER received any authentic

Re: spam from noave.net 74.63.109.*

mouss wrote: snowshoe. block both ... the network: 74.63.64.0/18 (74.63.64.0 - 74.63.127.255) +1 That entire block belongs to FDCservers.net, which, from personal experience, AND based on regular discussions on Spam-L, is considered a snowshoe host (could be by conscious choice, could be by

Re: Lots of 419/scam and investment spams getting through suddenly

Owen B. Mehegan wrote: Lately a lot of 419 and investment spams have been getting through with very low SA scores. Can anyone take a look at these and see if there's another ruleset I should use to trap them? Owen, particularly with 419/scam spams, it's VERY helpful if you tell us more about your

Re: some URIBL accidentally listed .org?

DOB (Day Old Bread) had the same problem last year: http://mail-archives.apache.org/mod_mbox/spamassassin-users/200810.mbox/%3cva.33f1.14690...@news.conactive.com%3e With software bugs, lightning often DOES strike twice in the same spot. :) - Chip

Re: Botnet spam not being caught

Charles Gregory wrote: Do they all have message ID's that include the IP? You could score that 0.3 or so to help push it over the line. Also give a bit mroe Shiny - I had not noticed this pattern. Thanks guys! :) LuKreme wrote: and found it hit more mailinglist ham than spam, so I'd tread

Re: please help, getting hammered with snowshoe spam

While reading the html picture spam thread, it occurred to me to check the sizes of Ham hitting Barracuda. The largest one was 113,351 bytes. I then checked the nation-of-origin for all Barracuda hitting large spams (msg size = 256 kb), and (during the 3-week period I checked) only 4 out of 190

Re: please help, getting hammered with snowshoe spam

Rob McEwen wrote: (2) ivmSIP/24 is attempting a very dangerous mission... which is to preemptively block snowshoe spam by listing entire /24 blocks when only a handful of IPs on that block have sent spam so far. But keep in mind that (a) specifically--ivmSIP is going to block some spam where that

Re: please help, getting hammered with snowshoe spam

Dennis Hardy wrote: Do people generally have good non-FP experience with BRBL? I am thinking of bumping up the score, but I get so much spam per day it is hard to check for FPs with it enabled. Dennis, it depends on what sort of ham your people receive. For evaluation purposes, I've been running

Re: please help, getting hammered with snowshoe spam

This snowshoe stuff has been a PITA for a while. For most of my users (particularly the Geeks), it's not even on their radar. For others, (inluding my most complex domain), 80% of their FNs are from snowshoers. As well as the usual battery of anti-spam tests, I'm using a layered/meta approach

new(?) Geocities subsite obfuscation

Just noticed a new (to me) Geocities obfuscation technique that uses embedded relative path(s): http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba That breaks my own subsite extraction code. :( The pedantic part of my brain wants to rewrite my code to auto-adjust

new google trick: docs

They look like this: http://docs.google.com/doc?id=MUNGED_MUNGED I'm not sure if the id is personally identifiable, so MUNGED both halves of it. I've only seen two so far, and haven't visited either (again, due to the potential PII - both samples were from other people). Very little

Re: new google trick: docs

On Wed, 27 Feb 2008, Theo Van Dinter wrote: What's the trick here? Looks like a normal docs URL to me. Poor terminology on my part. I am Only An Egg. :) Is exploit a more correct term? I meant that this is the latest way that spammers are taking advantage of the trusting attitude most folks

Re: yahoo.co.uk

On Wed, 27 Feb 2008, JP Kelly wrote: it seems like they could/should be caught but they often have very low scores. they all have yahoo.co.uk in the from address In and of itself, yahoo.co.uk in the From isn't too helpful, unless you know you'll never get anything legit from there, then you

Re: Cute - another google spam trick!

On Sun, 20 Jan 2008, Loren Wilton wrote: Is [letters][numbers] a required format, or just what this spammer picked? It's not required. It is the single most common format (that I've seen). What's the cute trick? That looks like a pretty typical one. (It's late-ish, I could be missing the

Re: are the NORMAL_HTTP_TO_IP scores still valid?

On Wed, 16 Jan 2008, Matt Kettler wrote: Yes. In fact, IP based URLs occur more commonly in nonspam than spam. Matt, yes this is correct, however in this particular case nonspam is perhaps a bit broad. It's been my experience that these almost always occur in mass marketing ham, not

Re: Googlepages Livefilestore spams

The latest variant is gooogle.com, which is a legit alias for Google, and appears to work with all the regular spammer trick parameters. I've also seen two more google TLD variants. - Chip

Re: Googlepages Livefilestore spams

On Sun, 13 Jan 2008, Mike Cisar wrote: However, these last bunch seem to have a trick, the only other text in the message aside from the URL seems to be a date string. Somehow that must totally be screwing with Bayes since those messages are also triggering BAYES_00 or BAYES_02 and pretty much

Re: Googlepages Livefilestore spams

Just clued into a new Google search parameter spam variant: adurl. A quick search shows that is some sort of AdSense thingie. Does anyone have a marketing-dweeb-free technical explanation? I've sent out a new rule to my Team to MassCheck, but it'll probably be a few days before I have numbers.

sub-sites and URIBL

Continuing a, um, :) 'sub' discussion from the Googlepages Livefilestore spams thread... Alex, do you have a test point for this? I've run a couple handfuls thru, and had no hits. I'm not sure if I'm doing something wrong, or they're just not listed yet. Is this what we should be resolving (to

Re: Googlepages Livefilestore spams

On Wed, 9 Jan 2008, Ben Lentz wrote: any other tips would be greatly appreciated. We obviously don't want to blanket block google, but this URI redirection stuff isn't very friendly when used by a spammer. Ben, the key is the btnI param, which maps to the I'm feeling lucky button. This

Re: why not doing a test that checks name-email address pairs

Alberto, your reasoning is correct, based on my experience of actually implementing and using such a system, albeit in a small scale environment. As sm points out, it is particularly useful as a pass rule for exact matches to your users' actual email client real names. I've implemented this as

sample of new style PDF spam (containing embedded link, no image)

Here's a new style of PDF spam (recipient email address is munged): http://Puffin.net/software/spam/samples/0004_pdf_gen3.eml This time, it (apparently) is plain text with a link to an ED site, with rather explicit language. I've only found two of these so far. From a technical point of

Re: sample of new style PDF spam (containing embedded link, no image)

At 01:09 PM 7/5/2007 -0700, you wrote: You could match on the application/octet-steam and the file extension being .pdf. Good idea, but sorry, I should have been clearer (my BIM): I meant use that in COMBINATION with OTHER signs, mainly to detect the difference between the two styles. To clear

Re: double letter porn

Chris, thanks for your detailed analysis! Please don't be discouraged, as you're generally on the right track, you just need to do some fine tuning. Since last spring, I've been running some word tests that include something similar to the obfuscation approach you've described, and have had good

Re: animated GIF spam

At 10:26 PM 8/21/2006 -0700, John Rudd wrote: I also heard that interlaced gif spam is appearing now. Yes, I saw that post, however there wasn't a publicly available sample. Any such would be much appreciated. It'd be interesting to see how to counter them. Should be easy. One approach is

animated GIF spam

While skimming thru my daily rejected spam pile, did a double take when a GIF spam seemed to blink at me. Thought it was a sw glitch at first... then realized the sneaky Borg had adapted again. Took a look at the frames in PaintShopPro's AnimationShop, and the first three are all but blank (wee