On Jul 19, 2013, at 10:35 PM, Andrea <m...@vp44.net> wrote:

> Hi all.
> 
> For a few days now I've been buried under spam messages that slip through 
> my amavis/SA setup.
> The messages all look alike: plaintext with random junk + URL in the body.
> Pastebin with a few examples here: http://g2z.me/ed64d
> 
> I've tried running a sa-update but I don't have enough samples (yet). The 
> thing that bothers me is that all the messages have been classified as HAM by 
> the auto learn (which I have now disabled).
> What could be an effective rule/ruleset to block emails like this?


The emitting IPs appear to be on some fairly prominent blacklists:

65.20.0.50      http://multirbl.valli.org/lookup/65.20.0.50.html
        Blacklisted: 10  Brownlisted: 0  Yellowlisted: 0  Whitelisted: 0
210.188.175.148 http://multirbl.valli.org/lookup/210.188.175.148.html
        Blacklisted: 14  Brownlisted: 0  Yellowlisted: 0  Whitelisted: 0
217.16.6.131    http://multirbl.valli.org/lookup/217.16.6.131.html
        Blacklisted: 17  Brownlisted: 0  Yellowlisted: 0  Whitelisted: 0


The problem, or at least part of it, is that the payloads are all redirects via 
compromised legitimate sites on hosting companies:

http://prembhatiatrust . com/public-sex.html?cuzahetysu
http://auto-atendimentos . info/algerie.html?japu
http://chapcanhuocmo . vn./springbreak.html

prembhatiatrust. com    | Creation Date: 23-apr-2002              | 74.208.211.99
auto-atendimentos. info | Created On: 30-Mar-2013 11:25:09 UTC    | 173.192.200.207
chapcanhuocmo. vn       | Ngày đăng ký: 04-04-2011                | 222.255.29.22


For those who care, the ultimate payloads are:

mega-hot-sites . com
hot-hot-sites . com
lovely-sites . com

all sitting on 213.183.59.30 (anders. ru),

which has a couple of NS SBLed, which cover all of the payloads:

        ns1.eliteadultsites. com        213.183.59.30 SBL
        ns2.eliteadultsites. com        213.183.59.30 SBL

Passive DNS for 213.183.59.30/32

Records found: 31 (moved & 404 elided)



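An added example, not code from this thread: Python with a pluggable resolver that performs the two checks the reply's evidence points at, a DNSBL lookup of the connecting IP (what SpamAssassin's RCVD_IN_* rules do) and a check of the linked domain's name-server addresses against the SBL (what URIBL_SBL does). It assumes the connecting IP has already been extracted from the Received chain; the .example names, the 192.0.2.x address and the stub answers are constructed, while the Spamhaus zone names are the real ones.

```python
import ipaddress
import re
from typing import Callable, Dict, List

Resolver = Callable[[str, str], List[str]]   # resolve(name, rrtype) -> answers, [] on NXDOMAIN
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def dnsbl_query(ip: str, zone: str) -> str:
    """IPv4 DNSBLs are keyed by the reversed octets: 65.20.0.50 -> 50.0.20.65.<zone>."""
    return ".".join(reversed(ipaddress.IPv4Address(ip).exploded.split("."))) + "." + zone

def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """Listed when any A answer falls inside 127.0.0.0/8; an empty answer means clean."""
    return any(ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")
               for a in resolve(dnsbl_query(ip, zone), "A"))

def name_servers(host: str, resolve: Resolver) -> List[str]:
    """Walk up the labels until one has NS records, i.e. the registrable domain."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        ns = resolve(".".join(labels[i:]), "NS")
        if ns:
            return [n.lower().rstrip(".") for n in ns]
    return []

def ns_on_sbl(host: str, resolve: Resolver, zone: str = "sbl.spamhaus.org") -> List[str]:
    """Name servers of the URI's domain whose address is SBL-listed (URIBL_SBL's test)."""
    return [f"{ns}/{addr}" for ns in name_servers(host, resolve)
            for addr in resolve(ns, "A") if dnsbl_listed(addr, zone, resolve)]

def score_message(connect_ip: str, body: str, resolve: Resolver,
                  ip_zones=("zen.spamhaus.org",)) -> Dict[str, object]:
    """The two kinds of evidence the reply relies on, gathered for one message."""
    uri_hits = {}
    for host in {h.lower().rstrip(".") for h in URL_HOST_RE.findall(body)}:
        hits = ns_on_sbl(host, resolve)
        if hits:
            uri_hits[host] = hits
    return {"connect_ip_listed": [z for z in ip_zones if dnsbl_listed(connect_ip, z, resolve)],
            "uri_ns_on_sbl": uri_hits}

# Constructed offline stand-in for DNS: .example names, a TEST-NET address, made-up answers.
_ANSWERS = {
    ("50.0.20.65.zen.spamhaus.org", "A"): ["127.0.0.2"],       # the thread's first emitting IP
    ("payload-sites.example", "NS"): ["ns1.payload-ns.example."],
    ("ns1.payload-ns.example", "A"): ["192.0.2.30"],
    ("30.2.0.192.sbl.spamhaus.org", "A"): ["127.0.0.2"],
}
def stub_resolve(name: str, rrtype: str) -> List[str]:
    return _ANSWERS.get((name.lower().rstrip("."), rrtype), [])
```

As the reply points out, the URLs in these bodies are the compromised redirect hosts, so the name-server check only fires when the linked domain itself sits on listed name servers; the connecting-IP lookup is what catches the chain at the sender end.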