On 07/03/18 11:25, Leandro wrote:
> 2018-03-07 5:52 GMT-03:00 Sebastian Arcus <s.ar...@open-t.co.uk>:
>
>> 6. The links they include in the body of the email are almost never
>> flagged up either by Clam or Spamassassin - and they point to a
>> different domain in every single message.
>
> Although they use multiple domains in the URLs in the body, many of these
> URLs are addressed to the same IPv4/IPv6 address or IP ranges, that is
> just one shared web server or a group of shared web servers of the spammer.
>
> The key to solving this problem is that you all start to cross the data
> and start scoring the URL host IP, that is the exact fiscal place they
> want you to visit, even if fired by many hacked mail servers in the world
> and many distinct domains. The mail services and domains are very dispersed
> but the web servers are very concentrated.

As far as I can tell, the URLs in the spam I see point to PHP scripts
on various compromised servers - which, maybe, further redirect to the
final payment servers. But thank you for the suggestion - I will keep an
eye on it.
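
The URL-host-IP scoring idea discussed in this thread, sketched as an added example that is not part of the original messages and is not SpamAssassin or ClamAV code. The host names, addresses, prefix lengths and score weights are constructed assumptions, and DNS answers come from an inline table so it runs offline. The second test message mirrors the compromised-server case raised in the reply, where hosts are scattered and the score stays at zero.

```python
import ipaddress
import re
from collections import defaultdict

URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed resolver table; a real scanner would do DNS lookups at scan time.
CONSTRUCTED_DNS = {
    "cheap-pills.example": "203.0.113.10",
    "win-prize.example": "203.0.113.77",
    "loan-now.example": "203.0.113.10",
    "blog.hacked-a.example": "198.51.100.5",
    "shop.hacked-b.example": "192.0.2.44",
}
# Constructed spam corpus: three messages, three different domains.
CONSTRUCTED_SPAM = [
    "Buy now https://cheap-pills.example/offer",
    "You won! http://win-prize.example/claim",
    "Invoice http://shop.hacked-b.example/inc/r.php",
]

def hosts(body):
    """Distinct, normalised URL hosts found in a message body."""
    return {h.lower().rstrip(".") for h in URL_HOST.findall(body)}

def network_key(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its surrounding range (prefix sizes assumed)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def build_reputation(spam_bodies, resolve=CONSTRUCTED_DNS.get):
    """Map network -> set of spam URL hosts seen resolving into it."""
    seen = defaultdict(set)
    for body in spam_bodies:
        for host in hosts(body):
            ip = resolve(host)
            if ip:  # unresolvable hosts contribute nothing
                seen[network_key(ip)].add(host)
    return seen

def score_message(body, reputation, resolve=CONSTRUCTED_DNS.get, per_host=1.0, cap=5.0):
    """Points for every *other* known spam domain sharing the host's network."""
    score = 0.0
    for host in hosts(body):
        ip = resolve(host)
        if ip:
            others = reputation.get(network_key(ip), set()) - {host}
            score = max(score, min(cap, per_host * len(others)))
    return score
```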