On Sep 30, 2014, at 11:41 AM, David Jones <djo...@ena.com> wrote:
>
>> ________________________________________
>> From: Philip Prindeville <philipp_s...@redfish-solutions.com>
>> Sent: Tuesday, September 30, 2014 12:30 PM
>> To: SpamAssassin
>> Subject: Googlasi, blacklotus, etc.
>
>> I’m seeing spams like:
>
>> http://pastebin.com/XXQrNURW
>
>> Notice:
>
>> * the message is almost always text/plain single part;
>> * the only Received: line is the local one, even though it was received on port 25;
>> * the message id contains the string be2aaf2163fd72c9975ec76b00288831, which seems to be a SHA1 hash associated with the destination email address;
>> * there are two or more nonsense header fields containing the SHA1 hash plus some small integer, and both values are repeated in the message body;
>> * there’s sometimes a third integer value both in the message and optionally in some nonsense header field;
>> * the message begins with either “Hello ____” or “Dear ____” as the destination email address;
>> * the phishing URL is either hosted by googlasi (as an amazon instance 54.69.70.160), or else a blacklotus instance as 192.31.186.4;
>
>> I’m occasionally seeing text/html which also contains the same hash as part of the phishing URL.
>
>> Anyone else seeing this?
>
>> I’m currently defeating this by locally blacklisting the 2 IP addresses associated with the URL, plus finding the SHA1 in the message.
>
>> I’d like to not have to rely on the specific value of the hash for the 2nd test.
>
>> -Philip
>
> That IP is in a number of RBLs. Do you have any RBLs in your MTA?
I do, but the problem is that the spam needs to be seen a few times before the RBLs get updated with it.

5.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
    [URIs: lookmediXXXcarehelp.net]

I’m getting quite a few of these messages before the site gets blacklisted. So I need to rely only on local rules to catch it.

-Philip

>
> http://multirbl.valli.org/lookup/206.221.187.70.html
>
> By the way, I want to say the Invaluement RBL is awesome. It is very cheap and almost as good as Spamhaus based on my reports, so I recommend everyone purchase a feed of it to knock down the crap before it gets to SA.
>
> I am not affiliated with the IVM product, just a happy customer.
>
> Dave
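The value-independent check Philip asks for in the quoted post (take whatever hex token sits in the Message-ID at run time, then look for that same token and its companion integers in the junk headers and the body, and check whether the greeting is the bare recipient address), as an added example that is not part of the thread and not anyone's SpamAssassin configuration. It is plain Python rather than a SpamAssassin plugin; the header names, addresses, URL and both sample messages are constructed for the example. The token quoted in the post is 32 hex characters, so the pattern accepts 32 or 40 hex characters.

```python
"""Heuristic for the hash-tagged phish described in the thread.

Added example, not the original poster's rules and not a SpamAssassin
plugin. The token is read from the Message-ID instead of being hard-coded,
so the check does not depend on any particular hash value.
Both sample messages below are constructed.
"""
import email
import re
from email import policy

# 32 hex chars (length of the token quoted in the thread) or 40 (a SHA-1).
HEX_TOKEN = re.compile(r'\b[0-9a-f]{32}(?:[0-9a-f]{8})?\b')
# Greeting that uses the recipient address verbatim: "Hello x@y" / "Dear x@y".
GREETING = re.compile(r'^\s*(?:Hello|Dear)\s+([^\s,:;]+)', re.IGNORECASE)


def message_id_token(msg):
    """Return the hex token embedded in Message-ID, or None."""
    m = HEX_TOKEN.search(str(msg.get('Message-ID', '')))
    return m.group(0) if m else None


def tagged_headers(msg, token):
    """Headers other than Message-ID that carry the token.

    Returns [(header_name, integer_following_the_token_or_None), ...].
    """
    found = []
    for name, value in msg.items():
        if name.lower() == 'message-id':
            continue
        value = str(value)
        if token in value:
            m = re.search(re.escape(token) + r'\W+(\d+)', value)
            found.append((name, int(m.group(1)) if m else None))
    return found


def body_text(msg):
    """Plain text of the message, preferring text/plain over text/html."""
    body = msg.get_body(preferencelist=('plain', 'html'))
    return body.get_content() if body is not None else ''


def recipient_address(msg):
    """First address in To:, lower-cased, or None."""
    to = msg['To']
    if to is None or not getattr(to, 'addresses', ()):
        return None
    return to.addresses[0].addr_spec.lower()


def analyze(raw):
    """Score one RFC 5322 message; returns the individual signals and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    token = message_id_token(msg)
    text = body_text(msg)
    tagged = tagged_headers(msg, token) if token else []
    ints = [n for _, n in tagged if n is not None]
    echoed = sum(1 for n in ints if re.search(r'\b%d\b' % n, text))
    greet = GREETING.match(text)
    rcpt = recipient_address(msg)
    result = {
        'token': token,
        'tagged_headers': tagged,
        'body_token_hits': text.count(token) if token else 0,
        'ints_echoed_in_body': echoed,
        'greets_recipient': bool(
            greet and rcpt and greet.group(1).rstrip('.').lower() == rcpt),
        'received_count': len(msg.get_all('Received', [])),
    }
    # Verdict follows the pattern in the post: token in Message-ID, repeated in
    # at least two other headers and in the body, greeting is the bare address.
    result['suspicious'] = (
        token is not None
        and len(tagged) >= 2
        and result['body_token_hits'] >= 1
        and result['greets_recipient']
    )
    return result


# Constructed sample in the shape the post describes (addresses and URL invented).
SPAM_SAMPLE = """\
Received: from localhost (localhost [127.0.0.1]) by mx.example.invalid with ESMTP; Tue, 30 Sep 2014 10:00:00 -0600
From: "Account Services" <alerts@example.invalid>
To: jane.doe@example.invalid
Subject: Your account
Message-ID: <be2aaf2163fd72c9975ec76b00288831.17@example.invalid>
X-Mail-Ref: be2aaf2163fd72c9975ec76b00288831 17
X-Msg-Track: be2aaf2163fd72c9975ec76b00288831 42
Content-Type: text/plain; charset=us-ascii

Dear jane.doe@example.invalid

Please confirm your details at
http://example.invalid/check?id=be2aaf2163fd72c9975ec76b00288831
Ref 17 / 42
"""

# Constructed ordinary message: no hex token, greeting by name, two Received lines.
HAM_SAMPLE = """\
Received: from mail.example.invalid (mail.example.invalid [192.0.2.10]) by mx.example.invalid with ESMTP; Tue, 30 Sep 2014 10:05:00 -0600
Received: from localhost by mail.example.invalid; Tue, 30 Sep 2014 10:04:59 -0600
From: Bob <bob@example.invalid>
To: jane.doe@example.invalid
Subject: lunch
Message-ID: <20140930.12345.bob@example.invalid>
Content-Type: text/plain; charset=us-ascii

Hi Jane, noon still ok?
"""

if __name__ == '__main__':
    for label, raw in (('spam', SPAM_SAMPLE), ('ham', HAM_SAMPLE)):
        print(label, analyze(raw))
```

The verdict deliberately does not look at the URL host or the IP addresses from the post: those are the parts that change between campaigns and that an RBL eventually catches anyway, whereas the structural tells (token mirrored from Message-ID into junk headers and body, greeting equal to the recipient address) are what a local rule can key on without knowing the hash in advance.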