On Sep 30, 2014, at 11:41 AM, David Jones <djo...@ena.com> wrote:

> 
>> ________________________________________
>> From: Philip Prindeville <philipp_s...@redfish-solutions.com>
>> Sent: Tuesday, September 30, 2014 12:30 PM
>> To: SpamAssassin
>> Subject: Googlasi, blacklotus, etc.
> 
>> I’m seeing spams like:
> 
>> http://pastebin.com/XXQrNURW
> 
>> Notice:
> 
>> * the message is almost always text/plain single part;
>> * the only Received: line is the local one, even though it was received on port 25;
>> * the message id contains the string be2aaf2163fd72c9975ec76b00288831, which seems to be a SHA1 hash associated with the destination email address;
>> * there are two or more nonsense header fields containing the SHA1 hash plus some small integer, and both values are repeated in the message body;
>> * there’s sometimes a third integer value both in the message and optionally in some nonsense header field;
>> * the message begins with either “Hello ____” or “Dear ____” as the destination email address;
>> * the phishing URL is either hosted by googlasi (as an amazon instance 54.69.70.160), or else a blacklotus instance as 192.31.186.4;
> 
>> I’m occasionally seeing text/html which also contains the same hash as part 
>> of the phishing URL.
> 
>> Anyone else seeing this?
> 
>> I’m currently defeating this by locally blacklisting the 2 IP addresses associated with the URL, plus finding the SHA1 in the message.
> 
>> I’d like to not have to rely on the specific value of the hash for the 2nd 
>> test.
> 
>> -Philip
> 
> That IP is in a number of RBLs.  Do you have any RBLs in your MTA?

I do, but the problem is that the SPAM needs to be seen a few times before the RBLs get updated with it.

5.0 URIBL_BLACK            Contains an URL listed in the URIBL blacklist
                           [URIs: lookmediXXXcarehelp.net]

I’m getting quite a few of these messages before the site gets blacklisted.

So I need to rely only on local rules to catch it.

-Philip

> 
> http://multirbl.valli.org/lookup/206.221.187.70.html
> 
> By the way, I want to say the Invaluement RBL is awesome.  It is very cheap and almost as good as spamhaus based on my reports so I recommend everyone purchase a feed of it to knock down the crap before it gets to SA.
> 
> I am not affiliated with the IVM product, just a happy customer.
> 
> Dave
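
Since the thread asks for a local rule that does not depend on the specific hash value, here is an added example (not from the thread and not SpamAssassin rule syntax) that implements the traits Philip lists as a Python check over a constructed message: the token is read out of the Message-ID at run time and then looked for in the other headers and the body. The token, addresses and hostnames in the sample are invented, as is the "four traits" threshold.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample in the shape described in the thread: single-part text/plain, one local
# Received: line, a 32-hex token in the Message-ID repeated (plus small integers) in two
# nonsense headers and in the body. Token, addresses and hosts are invented for this example.
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1]) by mx.example.net
From: Billing <billing@example.org>
To: victim@example.com
Message-ID: <0123456789abcdef0123456789abcdef@example.org>
X-Tqz: 0123456789abcdef0123456789abcdef17
X-Qwv: 0123456789abcdef0123456789abcdef3
Content-Type: text/plain; charset=us-ascii

Dear victim@example.com
Review your account: http://example.invalid/0123456789abcdef0123456789abcdef17
Ref: 0123456789abcdef0123456789abcdef3
"""

# a run of exactly 32 hex digits that is not part of a longer hex run
HEX32 = re.compile(r"(?<![0-9a-f])([0-9a-f]{32})(?![0-9a-f])", re.I)

def hash_token_rules(raw):
    """Names of the heuristics a raw RFC 822 message triggers; no hash value is hard-coded."""
    msg = message_from_string(raw)
    hits = []
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    if not msg.is_multipart() and msg.get_content_type() == "text/plain":
        hits.append("SINGLE_TEXT_PLAIN")
    if len(msg.get_all("Received", [])) == 1:
        hits.append("ONE_RECEIVED")
    to_addr = parseaddr(msg.get("To", ""))[1]
    first = next((ln for ln in body.splitlines() if ln.strip()), "")
    if to_addr and re.match(r"(Hello|Dear)\s+" + re.escape(to_addr) + r"\b", first, re.I):
        hits.append("GREETS_RECIPIENT_ADDR")
    m = HEX32.search(msg.get("Message-ID", ""))
    if m:
        token = m.group(1)
        hits.append("MSGID_HEX32")
        # the same token followed by a small integer in at least two other header fields
        tagged = re.compile(re.escape(token) + r"\d{1,3}(?!\d)", re.I)
        n = sum(1 for k, v in msg.items() if k.lower() != "message-id" and tagged.search(v))
        if n >= 2:
            hits.append("HEADERS_TOKEN_PLUS_INT")
        if token.lower() in body.lower():
            hits.append("BODY_REPEATS_TOKEN")
    return hits

def looks_like_hash_token_phish(raw, threshold=4):
    # combined like a SpamAssassin meta rule: fire only when several traits coincide
    return len(hash_token_rules(raw)) >= threshold
```

Each name in the returned list corresponds to one header or body test that could be written as a SpamAssassin header/body rule, with the last function standing in for the meta rule that scores their coincidence.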
