Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you

2014-06-30 Thread David

Yes, sorry, I posted the resolution there.
Fixed by cleaning all email accounts and correcting tcp.rules, then
adding a SpamAssassin rule to catch all email with a common phrase HTML tag.
Thanks
Dave

On 06/23/2014 03:12 PM, Eric Shubert wrote:

You got this resolved on the QMT list, right?



___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users


Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you

2014-06-13 Thread David Milholen

SA logs show nothing for scanning.
Here is what I have:
qtp-whatami v0.3.8 Fri Jun 13 21:45:41 CDT 2014
REAL_DIST=CentOS
DISTRO=CentOS
OSVER=5.10
QTARCH=i686
QTKERN=2.6.18-371.3.1.el5
BUILD_DIST=cnt50
BUILD_DIR=/usr/src/redhat


On 6/3/2014 9:10 PM, Eric Shubert wrote:

I haven't seen this sort of thing in quite some time (thankfully).

Have you sent them through sa-learn so bayes can detect them?





Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you

2014-06-11 Thread David

Ok, found the issue.
We use webmin to admin a lot of servers, and a few weeks ago we attempted
to write a rule that would detect certain phrases within the body of a
message. When it was applied all seemed fine, but webmin did not know how
to properly restart spamd.

Anyway, looking into the webmin index to see what it was trying to restart.
Thanks
Dave

On 06/03/2014 09:10 PM, Eric Shubert wrote:

I haven't seen this sort of thing in quite some time (thankfully).

Have you sent them through sa-learn so bayes can detect them?





Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you

2014-06-10 Thread David

Just found out my SpamAssassin doesn't seem to be working.
I'll post logs soon.

On 06/03/2014 09:10 PM, Eric Shubert wrote:

I haven't seen this sort of thing in quite some time (thankfully).

Have you sent them through sa-learn so bayes can detect them?





Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you

2014-06-03 Thread Angus McIntyre

On Jun 3, 2014, at 11:25 AM, David dmilho...@wletc.com wrote:
 How in the world do I stop these annoying emails?
 According to the headers they change the From: and Subject:,
 and the domains and IPs change as well.

It looks like an affiliate spammer. They typically rent a block of IP addresses 
from one or more hosting providers, then start pumping out spam with syndicated 
marketing links in it, and get paid when suckers click on the links.

I don't recognize this particular one's style, but the bad news is that they 
tend to be really hard to filter. As you've found out, they constantly change 
domain names (they probably use domain-kiting to ensure that they never have to 
pay for names), they constantly change IPs (so-called snowshoe spamming, aided 
by compliant ISPs), they use hashbuster text in their messages to get past or 
poison statistical filters, and they constantly change their subjects, from 
lines, and in some cases even their URL formats.

Unfortunately, Spamdyke isn't a lot of help against these guys. They are 
actually delivering from real mailservers (as opposed to botnet PCs), so 
graylisting won't help. They generally have their DNS set up correctly, so rDNS 
checks won't reject them. They change names and IPs so fast that RBLs struggle 
to keep up. They are among the hardest spammers to block.

I suggest that you collect samples of the spam that you're receiving and then 
analyze them. It's possible that you may be able to identify a small number of 
IP blocks used by the spammer and block those, although they change IPs and 
hosting services continually to avoid that. A more productive approach may be 
to try to identify patterns in the URLs that they use and write a SpamAssassin 
rule to recognize them. The URL in the sample you sent is very long and 
complex, which means that you have quite a good chance of writing a regex that 
would recognize their spams but wouldn't generate false positives on legitimate 
emails.

Angus
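The two filtering ideas in this thread (Angus's suggestion above of a SpamAssassin rule keyed on the structure of the long tracking URLs, and Dave's eventual fix of a rule catching a recurring HTML-wrapped phrase) can be sketched as local rules. The following is an added example and not code from the list, from Angus, or from the SpamAssassin project: the rule names, the regexes, the scores, the placeholder phrase and the sample messages are all constructed assumptions. The LOCAL_CF string holds the rules in local.cf syntax; the Python functions below it re-implement the same checks so the regexes can be exercised offline against a constructed spam and two constructed legitimate messages, including one with a long URL that must not match.

```python
import re

# Equivalent SpamAssassin local.cf fragment (assumed rule names/scores, not from the thread).
# A `uri` rule is tested against each URI extracted from the message; a `rawbody` rule
# is tested against the raw (still HTML) body; a `meta` rule combines other rules.
# PLACEHOLDER_CAMPAIGN_PHRASE stands for whatever phrase recurs in the collected samples.
LOCAL_CF = r"""
uri      LOCAL_LONG_TRACKING_URI  m{^https?://[^/\s]+/[A-Za-z0-9_-]{24,}/?\?(?:[A-Za-z0-9_]+=[^&\s]+&){3,}}i
describe LOCAL_LONG_TRACKING_URI  Long opaque path segment plus many query parameters (tracking-style link)
score    LOCAL_LONG_TRACKING_URI  2.5

rawbody  LOCAL_CAMPAIGN_HTML_PHRASE  /<font[^>]*>\s*PLACEHOLDER_CAMPAIGN_PHRASE/i
describe LOCAL_CAMPAIGN_HTML_PHRASE  Recurring HTML-wrapped phrase seen in the campaign samples
score    LOCAL_CAMPAIGN_HTML_PHRASE  2.0

meta     LOCAL_AFFILIATE_COMBO  (LOCAL_LONG_TRACKING_URI && LOCAL_CAMPAIGN_HTML_PHRASE)
score    LOCAL_AFFILIATE_COMBO  3.0
"""

# Python approximation of the rules above, for offline checking of the regexes.
URI_RE = re.compile(r"""https?://[^\s'"<>]+""")
LONG_TRACKING_URI = re.compile(
    r"^https?://[^/\s]+/[A-Za-z0-9_-]{24,}/?\?(?:[A-Za-z0-9_]+=[^&\s]+&){3,}", re.I)
CAMPAIGN_PHRASE = re.compile(r"<font[^>]*>\s*PLACEHOLDER_CAMPAIGN_PHRASE", re.I)

SCORES = {
    "LOCAL_LONG_TRACKING_URI": 2.5,
    "LOCAL_CAMPAIGN_HTML_PHRASE": 2.0,
    "LOCAL_AFFILIATE_COMBO": 3.0,
}


def extract_uris(body):
    """Pull http(s) URIs out of a raw body, roughly as SpamAssassin's uri rules see them."""
    return URI_RE.findall(body)


def evaluate(body):
    """Return {rule_name: score} for every rule that fires on this body."""
    hits = {}
    if any(LONG_TRACKING_URI.search(u) for u in extract_uris(body)):
        hits["LOCAL_LONG_TRACKING_URI"] = SCORES["LOCAL_LONG_TRACKING_URI"]
    if CAMPAIGN_PHRASE.search(body):
        hits["LOCAL_CAMPAIGN_HTML_PHRASE"] = SCORES["LOCAL_CAMPAIGN_HTML_PHRASE"]
    # meta rule: both structural signals present at once
    if "LOCAL_LONG_TRACKING_URI" in hits and "LOCAL_CAMPAIGN_HTML_PHRASE" in hits:
        hits["LOCAL_AFFILIATE_COMBO"] = SCORES["LOCAL_AFFILIATE_COMBO"]
    return hits


def total_score(body):
    return sum(evaluate(body).values())


def is_spam(body, required_score=5.0):
    """5.0 is SpamAssassin's default required_score."""
    return total_score(body) >= required_score


# Constructed samples (not real messages from the thread).
SPAM_SAMPLE = """<html><body><font face="Arial">PLACEHOLDER_CAMPAIGN_PHRASE near you</font><br>
<a href="http://deals-example.invalid/aB3kd92JdkLq0ZpXy7Rt3nVmW8/?cid=8841&sid=20932&aff=1179&t=9&u=3">Click</a>
</body></html>"""

LEGIT_SAMPLE = """<html><body><p>Hi Dave, the invoice is attached.</p>
<a href="https://www.example.com/invoices/2014/06/view?id=1182&format=pdf">View</a></body></html>"""

# Long opaque path but only one query parameter: must NOT fire the uri rule.
LEGIT_LONG_URL_SAMPLE = """<p>Docs: https://docs.example.org/abcdefghijklmnopqrstuvwxyz0123/?lang=en</p>"""

if __name__ == "__main__":
    for name, body in [("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE),
                       ("legit-long-url", LEGIT_LONG_URL_SAMPLE)]:
        print(name, total_score(body), sorted(evaluate(body)))
```

Once the regexes behave on the collected samples, the rules go into /etc/mail/spamassassin/local.cf; `spamassassin --lint` checks the syntax and `spamassassin -t < sample.eml` shows which rules fire on a saved message, which is also the quickest way to confirm spamd was actually restarted after the change (the problem Dave hit with webmin).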




Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you

2014-06-03 Thread David

That's where I was headed with this one.
UGH!
How annoying.
We need a honeypot approach for these guys and then tarpit them into a
blackhole.

I will post a resolve on this once I try a few things.

Thanks
Dave


Re: [spamdyke-users] Fwd: Search for High Speed Internet options near you

2014-06-03 Thread Eric Shubert

I haven't seen this sort of thing in quite some time (thankfully).

Have you sent them through sa-learn so bayes can detect them?

--
-Eric 'shubes'
