On Wed, 18 Dec 2019, John Hardin wrote:
>Can you post a spample
This is a very interesting pattern that I've seen in a few (9) spams
this week.
Here's a spample (with only the To header MUNGED):
http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
Lindsay, is that what you
As requested:
http://puffin.net/software/spam/samples/0061_bitcoin_splosion.txt
I MUNGED the "To".
It's the latest of two sent to me by an awesome volunteer. :)
First thoughts:
Both were base64 encoded.
Both have "disclaimers" that they're not terrorists. :roll-eyes:
John Hardin: I'll ask
Ditto to what John said, however, thanks for the spample Mark. :)
Mark, is that the exact network image?
If not, do you have access to it? If so, please pastebin it.
By "network image", I mean not-mangled by any post filter software.
Your posted spample is quoted-printable, and should have been
There's a new morph of the porn extortion campaign, with some
interesting under-the-hood changes.
The previous ones were always:
- two "quoted-printable" parts (plain text, html)
- "From" Outlook accounts
- sent via Outlook/Hotmail/MS IPs (no other IPs in route)
- passed both DKIM and SPF
The new
On Tue, Jun 19, 2018 at 11:00 AM, Andy Smith wrote:
> Testing despite these errors the only rule I'm getting a hit on from KAM
> is JMQ_SPF_NEUTRAL_ALL
Andy, thanks for the very useful spamples! :)
Could somebody do a sanity check on the SPF record for
"ballybofeycarpets.com"?
I get a PermEr
On Tue, Oct 31, 2017, David Jones wrote:
>Add the Lashback RBL. I am trying to get this added to the default SA
>rules. See my post on 2017-10-17 in the following link and increase the
>scores after some testing.
David, after your Lashback post, I had added it to my FP pipeline
(i.e. run fro
Starting Monday late pm (Iowa time), I've been seeing my first DDE
exploits, with significant volume.
Here's a spample, with only the account part of the To header munged:
http://puffin.net/software/spam/samples/0056_dde_auto.txt
The MIME part Content Types are all of the same form, with o
KAM, thanks!
I took a look at your rules, and like your scoring. :)
Over my years, I've seen enough BBB scare campaigns which use
shorteners, that perhaps it would make sense to add "KAM_SHORT"
to your additive list of metas (I forget what that's called).
To all the other repliers:
Thanks for your
There's a new campaign that uses Bitly shorteners to some sort of
Google forwarder ("appengine").
Here's some sample Locations returned by HEADing the shorteners:
appengine.google.com/_ah/logout?continue=https://appengine.google.com/_ah/logout?continue=http://bbbcomplianceglobal.com/repor
Just spotted my first snow with the TLD ".jetzt".
It's selling for $1.88 at NameCheap so should become widespread.
On Sat, 05 Nov 2016, at 11:54, @lbutlr (kreme.com) wrote:
>We get some (very little) real mail from info, biz, and name domains.
>All the other new domains are on a "prove you're not
Alex, thanks for the spample!
I've only received one (so far), containing the same base domain
with the ".win" TLD, also freshly registered at NameCheap with
privacy protection and CloudFlare.
On Thu, 04 May 2017, Axb wrote:
>SA's redirect patterns detected these domains and my logs show
>most
SpamAssassin caught this phish, however some tweaks would have
let it thru, and it's an interesting new (to me) approach, so I
figured I'd share it with y'all.
Full raw spample (with MUNGED email addresses):
http://puffin.net/software/spam/samples/0053_phish_image.txt
At arrival time, the
On Sun, 25 Sep 2016, RW wrote:
>If you mean you poison-pill anything with a redirect, then this
>doesn't seem all that clever because tinyurl is such a well known
>shortener.
I poison pill by default, not always. :)
If the arrival time HEAD is a redirect to a "skip" listed domain,
the poison pill
Here's a spample of a well done "Dropbox" Phish sent thru Gmail,
containing a custom URL shortener which (apparently) did _NOT_
exist at message arrival time:
http://puffin.net/software/spam/samples/0045_shortener_phish.txt
I MUNGED the To & From headers, however I left the original From
do
On Fri, 16 Sep 2016, John Hardin wrote:
>Chip, could you send me some spamples of non-image data: messages
>offlist? The only ones I have anywhere are images.
Sent last week - thanks for your ongoing work on this John! :)
After that request, I decided to add (in my post SA filter)
a minimally sc
John,
thanks a TON for your efforts! I was afraid this would be hard
to catch. :(
On the bright side, the campaign has been morphing, and they are
now (IMO) much less enticing, which is a partial victory. :)
** Update:
The emails have gone thru two more significant morphs, first with
To.Realname
On Thu, 30 Jun 2016, Olivier Coutu wrote:
>The other way to fix that is to detect the lexical distance between the
>sender's domain and your organisation's domains, e.g. by building a
>plugin that uses https://en.wikipedia.org/wiki/Levenshtein_distance.
>That could be done for a small number of
On Thu, 8 Sep 2016, John Hardin wrote:
>Yes. Given that ID on the first line the corpus owner can find the message
>in question, review it, potentially fix misclassifications (that has
>happened before), etc.
Shiny - that sounds perfect! :)
>There's one more exclusion I can add that will take o
On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
>i get a diff-output per mail each time the mailserver configs
>are changing
That's a completely valid approach, and I am a big fan of
pre-emptive first strike (only as applied to potentially evil
email).
However, the vast majority of those TLDs
On Sat, 09 Jul 2016, jasonsu wrote:
>Fwiw, atm I block all of the following TLDs
...
>men,
..
>That list is auto-generated. Any & all TLDs that have
>sent > 100 messages within the last year *AND* have a
Great approach Jason! :)
".men" just recently appeared in my data, and is not showing up
on
Spample:
http://puffin.net/software/spam/samples/0043_driveby_from-rn_in_url.txt
I removed 19 (of 20 original) email addresses out of the
To header, ST:TOS munged all remaining email addresses, and
munged the target URL to match the other mungings.
Everything else is exactly as received, im
On Sat, 3 Sep 2016, John Hardin wrote:
>I've tweaked the FP avoidance a bit, maybe that will be enough
>to get the S/O up high enough to publish it.
John, do you have any detailed info about the Ham hits?
I just datamined my three best corpora, from the beginning of
2014 thru this weekend, and fo
Freshly caught Spample:
http://puffin.net/software/spam/samples/0042_data_embedded_phish.txt
The only munging was inserting ".EXAMPLE" between "wellsfargo"
and ".com".
Four years ago, I read this fascinating article:
http://isc.sans.edu/diary/%22Data%22+URLs+used+for+in-URL+phishin
On Wed, 8 Jun 2016 17:23:59 -0400 Alex wrote:
>Meanwhile, there is RTF spam that's circulating which is
>currently bypassing the sanesecurity sigs. I've just submitted a
>sample to Steve, but the db hasn't yet been updated. Here's a
>sample:
>
>http://pastebin.com/ALsSAmwa
Alex, thanks for the spa
Thanks for all the lists and references, everyone! :)
+1 on block-by-default combined with "skips" for the VERY rare
exceptions.
I'm scoring (poison pill level), not gateway blocking (more about
that in a later post).
*** New Snow TLD sighting:
Since June 30, the TLD ".stream" has been snowballin
On Tue, 28 Jun 2016 14:13:57 + David Jones wrote:
>If I search the Internet for the CEO/CIO/CTO/etc of a company
>and send and email from my domain but make the displayed name
>in the visible From: be that CEO/CIO/CTO/etc's full name that
>the recipient is used to seeing in the mail client, the
At 04:07 AM 5/20/2016, Dianne/RoaringPenguin wrote:
>We list the contents of attached archives
>(using "lsar") and have filename-extension rules that block .js
>inside .zip files. While this can lead to some FPs, which we handle
>with selective whitelisting, it's very effective at catching the
At 04:07 AM 5/20/2016, RoaringPenguin wrote:
>filename-extension rules that block .js
>inside .zip files.
+1
We also block these scripting related Windows extensions:
.hta
.jse
.vbs
.wsf
Those were originally "pre-emptive", however I've now seen
both ".hta" and ".
Thanks Andreas! :)
Wednesday am, after re-checking that the specific spam URL was
still forwarding to the spam payload destination, I emailed that
role account... and to my (VERY pleasant) shock, received an
auto-reply which did NOT direct me to an unuseable web form
(i.e. the Google model of prev
Spotted a new exploited forwarder of some sort at LinkedIn -
full spample:
http://puffin.net/software/spam/samples/0041_linked_forward.txt
Except for the munged "To" and "From" email addresses, that's the
pristine network image.
It came From a known friend at "swbell", who normally sends t
Thanks guys, for all the helpful info and sanity checks! :)
Sorry about the Message-ID munging - I get some really useful
malware at that domain but no ham, and am a bit paranoid about
losing that feed.
Followup:
>I had considered anchoring the MIME string, however we have a
>very powerful quar
Starting about two hours ago, about 40% of my real-time
honeypot spam is a new malware campaign. About a third are
hitting "BAYES_00", with about 10% of all having negative SA
scores. :(
Full spample (with munged email addresses):
http://puffin.net/software/spam/samples/0040_mal_tgz.txt
T
Starting about two hours ago, more than 80% of my real-time
honeypot spam is a new malware campaign.
Full spample (with redacted/munged email addresses and
Message-ID):
http://puffin.net/software/spam/samples/0039_mal_rtf_mime.txt
This is a variation on an XML file malware campaign that b
James, are these botnet or "snowshoe" spam?
When you get a chance, please provide some spamples (pastebin or
elsewhere), as Kevin recommended. Please mung JUST the email
addresses (e.g. change all email domains to "example.com", and
change the victim account name to "victim"). If the victim
acc
Thanks Alex! :)
As Alex's rules imply, it switched over to 100% image spam
(in my spamtraps), and continued its excellent syncing.
Just on April 11, the volume more than tripled, and it hit many
different spamtraps than all previous days. Some of those traps
had never been hit before, and/or are
Starting Apr 5, about _HALF_ of our spam volume is a
new pump and dump campaign for stock symbol "RCHA".
As well as the high volume, there are several noteworthy
characteristics:
- victim account name is used as the sender/From account name
- very clean HTML
- very few hits on non-DNS/RBL Spa
I just checked the last six months of my most diverse corpus,
and found: two Ham, zero spam.
Both ham were sent via different ESPs, each of mediocre
quality though with multiple legitimate (albeit Pakled-y)
customers.
One was from "Marriott Rewards" with terse SA report:
score=0.9 requi
There's a new (to me), overly clever campaign combining Google
Translate with a URL shortener. It's fairly low volume, but most
are sailing thru SA. It's such a goofy pattern it feels like it's
worthy of an Extinction level score. :)
These started yesterday (Dec 9) at around 2am Eastern US time
Hi Alex!
Actually, that's a Snowshoe IP.
Which, on balance, can be a good thing, slaying-wise. :)
Almost four years ago, I posted my approach to snowshoe slaying:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200902.mbox/%3c20090204.0...@iowahoneypot.com%3e
It has cont
There's yet another variant in the ongoing campaign of HTML file
attachments with javascript malware payloads. :(
The trick is that it sets the Content-Type to "application/zip",
and uses an ".htm" file extension, for example (actual spam):
Content-Type: application/zip
Content-Tr
There's a new campaign using "bitly.com", instead of "bit.ly".
Other characteristics are:
1. empty plain text Part, followed by a quoted-printable HTML Part
2. very long HTML Title
3. large Style section, with random text (Bayes salad like)
4. current Subject is "FW: your arrest record"
I expect
R - elists wrote:
>does anyone get legit emails that come from the mailengine1.com
>email marketing servers?
Yes, I've seen a trickle of ham, so did some data mining for you...
The IP ranges I have for them are:
66.59.0.0 - 66.59.31.255
72.19.192.0 - 72.19.255.255
Does anyone h
There's an interesting new zip attachment obfuscation that uses
an encoded EMPTY filename.
I've seen barely a trickle, but so far, all have had VERY low
SA scores ("1.1" with generally unremarkable test hits).
I'm still waiting for permission from the recipient to publish
a complete sample.
Here'
mouss wrote:
>with a stock config, and without Bayes, it now yields:
Hmmm, interesting!
Yes, all the "caught" spam here were due to RBL hits.
Which begs the question, what SpamAssassin tests are hitting for
the misses vs the kills?
Here's what hit (here), for the first 38 missed spams:
Test
There's a new morph from our old nuisance, the inline PNG/RTF, and
all manner of wavy image insecure-boy-drugs spammer. :(
Here's a sample:
http://puffin.net/software/spam/samples/0009_jpg_oct.txt
It began (here) on Sep 10, and replaced his (relatively boring)
"Your wife photos attached"
On 19 Sep 2010, John Hardin wrote:
>> Adding to my sandbox for masscheck:
>>
>> rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i
>
>It performs pretty well. It should be in the next rules update, under a
>slightly different name (OBFU_JVSCR_ESC).
Shiny!
How about com
Steve Freegard wrote:
>Hopefully it will be useful to others; you can grab it from:
Thanks Steve!
Suggestions (for future enhancements):
1. Consider splitting the list of shorteners between those that
are well established and KNOWN to be reasonably diligent, and
"all others" (e.g. the anti-patte
>I'm seeing an increase in zip attachment spam, and hoped someone
>could help me figure out why it isn't being properly tagged. Are
>others seeing this? Is BAYES_99 being triggered or is it lower?
Alex, does Bayes understand/check INSIDE zips, at least for file
properties? If not, then it is inhe
About a month ago, Didier Stevens found a nifty way to exploit
PDFs, using their "launch action".
Original article:
http://blog.didierstevens.com/2010/03/29/escape-from-pdf/
More info:
http://www.sophos.com/blogs/sophoslabs/?p=9301
Yesterday morning, several of these showed up in
On Sun, 28 Feb 2010, LuKreme wrote:
> SPF!
>
>
You're a brave person. ;)
It's easier to understand the challenge Dave faces, if we look at
some actual From headers.
In my stream, these started in early November of last year, so I
just checked a few months of data from one domain which has h
I've been running it since 1:51 Eastern (US) time, yesterday.
>You risk wrongly flagging legitimate email if you make IP queries
>to the DBL.
For now, I'm :) cheating, by mapping one of the (officially)
unused high bits to a negative score, which should wipe out the
positive score for a raw IP UR
Jonas, do you have any performance and/or efficacy stats for your
URLRedirect plugin?
After months of near silence, I'm seeing an interesting (albeit
low volume) shortener campaign, that's picking up volume AND
effectiveness.
Only one of my 40-ish domains was getting these, then this week two
oth
Every few months, someone suggests detecting phish by looking for a
different domain in the target vs display URL in HTML links.
Other suggestions have included testing for different domain in the
SMTP envelope Sender and the hostname of the sending IP.
Every time, the grizzled veterans patiently
Jason Haar wrote:
>They aren't triggering (enough) network rule matches, contain a
>bayes-killer, and even FuzzyOCR can't manage the swirly image trick
>they pull. Has anyone come up with a way to fight these?
Jason, thanks for the cheerful Subject. I needed that today. :)
I'm catching all of th
twofers wrote:
>What could be going on here? Any ideas? Is it coincidence?
TwoFers, did these start after mid-afternoon (1600 Eastern time)
of Oct 26? If so, this is PURE coincidence. :)
I checked four of my domains, including one which (by policy) has
NEVER received any authentic Facebook/Twit
mouss wrote:
>snowshoe. block both
...
> the network: 74.63.64.0/18 (74.63.64.0 - 74.63.127.255)
+1
That entire block belongs to "FDCservers.net", which, from personal
experience, AND based on regular discussions on Spam-L, is considered a
snowshoe host (could be by conscious choice, could be by
Owen B. Mehegan wrote:
>Lately a lot of 419 and investment spams have been getting through
>with very low SA scores. Can anyone take a look at these and see
>if there's another ruleset I should use to trap them?
Owen, particularly with 419/scam spams, it's VERY helpful if you
tell us more about yo
Charles Gregory wrote:
>Do they all have message ID's that include the IP? You could score
>that 0.3 or so to help push it over the line. Also give a bit mroe
Shiny - I had not noticed this pattern. Thanks guys! :)
LuKreme wrote:
>and found it hit more mailinglist ham than spam, so I'd tread
>ca
DOB ("Day Old Bread") had the same problem last year:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200810.mbox/%3cva.33f1.14690...@news.conactive.com%3e
With software bugs, lightning often DOES strike twice in the same
spot. :)
- "Chip"
Rob McEwen wrote:
>(2) ivmSIP/24 is attempting a very dangerous mission... which is to
>preemptively block snowshoe spam by listing entire /24 blocks when
>only a handful of IPs on that block have sent spam so far. But keep
>in mind that (a) specifically--ivmSIP is going to block some spam
>where t
While reading the "html picture spam" thread, it occurred to me to
check the sizes of Ham hitting Barracuda.
The largest one was 113,351 bytes.
I then checked the nation-of-origin for all Barracuda hitting
"large" spams (msg size >= 256 kb), and (during the 3-week period
I checked) only 4 out of
This snowshoe stuff has been a PITA for a while.
For most of my users (particularly the Geeks), it's not even on their
radar.
For others, (inluding my most complex domain), 80% of their FNs are
from snowshoers.
As well as the usual battery of anti-spam tests,
I'm using a layered/meta approach of
Dennis Hardy wrote:
>Do people generally have good non-FP experience with BRBL? I am
>thinking of bumping up the score, but I get so much spam per day
>it is hard to check for FPs with it enabled.
Dennis, it depends on what sort of ham your people receive.
For evaluation purposes, I've been runni
Just noticed a new (to me) Geocities obfuscation technique that uses
embedded relative path(s):
http://geocities.com/./qryz/../cristinasantiago49/?q=u-og3sygmores7rhqzn5ba
That breaks my own subsite extraction code. :(
The pedantic part of my brain wants to rewrite my code to
auto-adjust
On Wed, 27 Feb 2008, JP Kelly wrote:
>it seems like they could/should be caught but they often have very low
scores.
>they all have yahoo.co.uk in the from address
In and of itself, "yahoo.co.uk" in the From isn't too helpful, unless you
know you'll never get anything legit from there, then you c
On Wed, 27 Feb 2008, Theo Van Dinter wrote:
>What's the trick here? Looks like a normal docs URL to me.
Poor terminology on my part. I am Only An Egg. :)
Is "exploit" a more correct term?
I meant that this is the latest way that spammers are taking advantage of
the trusting attitude most folk
They look like this:
http://docs.google.com/doc?id=MUNGED_MUNGED
I'm not sure if the id is personally identifiable, so MUNGED both halves of
it.
I've only seen two so far, and haven't visited either (again, due to the
potential PII - both samples were from other people).
Very little else
On Sun, 20 Jan 2008, Loren Wilton wrote:
>Is [letters][numbers] a required format, or just what this spammer picked?
It's not required. It is the single most common format (that I've seen).
What's the "cute" trick? That looks like a pretty typical one.
(It's late-ish, I could be missing the obv
The latest variant is "gooogle.com", which is a legit alias for Google,
and appears to work with all the regular spammer trick parameters.
I've also seen two more google TLD variants.
- "Chip"
On Wed, 16 Jan 2008, Matt Kettler wrote:
>Yes. In fact, IP based URLs occur more commonly in nonspam than spam.
Matt, yes this is correct, however in this particular case "nonspam" is
perhaps a bit broad. It's been my experience that these almost always
occur in mass marketing ham, not person-t
On Sun, 13 Jan 2008, Mike Cisar wrote:
>However, these last bunch seem to have a trick, the only other text in the
>message aside from the URL seems to be a date string. Somehow that must
>totally be screwing with Bayes since those messages are also triggering
>BAYES_00 or BAYES_02 and pretty mu
Continuing a, um, :) 'sub' discussion from the
"Googlepages & Livefilestore spams" thread...
Alex, do you have a test point for this?
I've run a couple handfuls thru, and had no hits.
I'm not sure if I'm doing something wrong, or they're just not listed yet.
Is this what we should be resolving (
Just clued into a new Google search parameter spam variant: "adurl".
A quick search shows that is some sort of AdSense thingie.
Does anyone have a marketing-dweeb-free technical explanation?
I've sent out a new rule to my Team to MassCheck, but it'll probably be a
few days before I have numbers.
On Wed, 9 Jan 2008, Ben Lentz wrote:
>any other tips would be greatly appreciated. We obviously don't want to
>blanket block google, but this URI redirection stuff isn't very friendly
>when used by a spammer.
Ben, the key is the "btnI" param, which maps to the "I'm feeling lucky"
button.
This te
Alberto, your reasoning is correct, based on my experience of actually
implementing and using such a system, albeit in a small scale environment.
As "sm" points out, it is particularly useful as a "pass" rule for exact
matches to your users' actual email client "real name"s.
I've implemented this
At 01:09 PM 7/5/2007 -0700, you wrote:
>You could match on the "application/octet-steam" and the file
>extension being ".pdf".
Good idea, but sorry, I should have been clearer (my BIM):
I meant use that in COMBINATION with OTHER signs, mainly to detect the
difference between the two styles.
To c
Here's a new style of PDF spam (recipient email address is munged):
http://Puffin.net/software/spam/samples/0004_pdf_gen3.eml
This time, it (apparently) is plain text with a link to an ED site, with
rather explicit language. I've only found two of these so far.
>From a technical point of
Chris, thanks for your detailed analysis!
Please don't be discouraged, as you're generally on the right track,
you just need to do some fine tuning.
Since last spring, I've been running some word tests that include
something similar to the obfuscation approach you've described, and
have had good
Finally got my first interlaced GIF spam!
Here's the raw message:
http://Puffin.net/software/spam/samples/0003_interlaced.eml
and a page containing each frame extracted into its own separate GIF,
followed by the "whole" raw GIF:
http://Puffin.net/software/spam/samples/0003_interla
At 10:26 PM 8/21/2006 -0700, John Rudd wrote:
>I also heard that interlaced gif spam is appearing now.
Yes, I saw that post, however there wasn't a publicly available sample.
Any such would be much appreciated.
>It'd be interesting to see how to counter them.
Should be easy. One approach is "pi
While skimming thru my daily rejected spam pile, did a double take when a
GIF spam seemed to "blink" at me. Thought it was a sw glitch at first...
then realized the sneaky Borg had adapted again.
Took a look at the frames in PaintShopPro's AnimationShop, and the first
three are all but blank (we
81 matches
Mail list logo