On Jun 3, 2014, at 11:25 AM, David <dmilho...@wletc.com> wrote:
> How in the world do I stop these annoying emails.
> according to the headers they change the
> From:
> Subject:
> and the domains and ips change as well.

It looks like an affiliate spammer. They typically rent a block of IP addresses from one or more hosting providers, then start pumping out spam with syndicated marketing links in it, and get paid when suckers click on the links. I don't recognize this particular one's style, but the bad news is that they tend to be really hard to filter. As you've found out, they constantly change domain names (they probably use domain-kiting to ensure that they never have to pay for names), they constantly change IPs (so-called snowshoe spamming, aided by compliant ISPs), they use hashbuster text in their messages to get past or poison statistical filters, and they constantly change their subjects, from lines, and in some cases even their URL formats.

Unfortunately, Spamdyke isn't a lot of help against these guys. They are actually delivering from real mailservers (as opposed to botnet PCs), so graylisting won't help. They generally have their DNS set up correctly, so rDNS checks won't reject them. They change names and IPs so fast that RBLs struggle to keep up. They are among the hardest spammers to block.

I suggest that you collect samples of the spam that you're receiving and then analyze them. It's possible that you may be able to identify a small number of IP blocks used by the spammer and block those, although they change IPs and hosting services continually to avoid that. A more productive approach may be to try to identify patterns in the URLs that they use and write a SpamAssassin rule to recognize them. The URL in the sample you sent is very long and complex, which means that you have quite a good chance of writing a regex that would recognize their spams but wouldn't generate false positives on legitimate emails.

Angus

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
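
One way to do the sample analysis suggested in the reply above, as an added example that is not part of the original message: it tallies the /24 block of each sample's relay and generalizes URL paths into candidate regexes. The sample messages, hosts, IPs and URL layout are constructed for illustration, and the function names are this example's own.

```python
import re
from collections import Counter
from email import message_from_string
from ipaddress import ip_network
from urllib.parse import urlsplit

# Constructed samples: hosts, IPs (documentation ranges) and URL layout are invented.
SAMPLES = [
    "Received: from a.example.test (a.example.test [198.51.100.17])\n"
    "From: Deals <x@a.example.test>\nSubject: Save now\n\n"
    "Go to http://a.example.test/r/8f3a9c1d22/u/4471/c/ab12cd34ef56/index.html now\n",
    "Received: from b.example.test (b.example.test [198.51.100.203])\n"
    "From: Offers <y@b.example.test>\nSubject: Last chance\n\n"
    "See http://b.example.test/r/00c4e1b7aa91/u/92/c/77de01fa3b9c/index.html today\n",
    "Received: from c.example.test (c.example.test [203.0.113.9])\n"
    "From: Promo <z@c.example.test>\nSubject: You won\n\n"
    "Visit http://c.example.test/r/d41d8cd98f/u/10558/c/0a1b2c3d4e5f/index.html\n",
]

def relay_blocks(samples):
    """Count the /24 of the bracketed IP in each message's topmost Received header."""
    blocks = Counter()
    for raw in samples:
        received = message_from_string(raw).get_all("Received", [])
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
        if m:
            blocks[str(ip_network(m.group(1) + "/24", strict=False))] += 1
    return blocks

def path_pattern(url):
    """Generalize a URL path: numeric and long hex segments become character classes."""
    def generalize(seg):
        if seg.isdigit():
            return r"\d+"
        return r"[0-9a-f]{8,}" if re.fullmatch(r"[0-9a-f]{8,}", seg) else re.escape(seg)
    return "/".join(generalize(s) for s in urlsplit(url).path.split("/"))

def url_patterns(samples):
    """Count generalized path patterns over every URL found in the message bodies."""
    counts = Counter()
    for raw in samples:
        body = message_from_string(raw).get_payload()
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            counts[path_pattern(url)] += 1
    return counts

if __name__ == "__main__":
    print(relay_blocks(SAMPLES).most_common(), url_patterns(SAMPLES).most_common(), sep="\n")
```

A path pattern shared by most samples is a candidate for a SpamAssassin `uri` rule, once it has been checked against URLs from legitimate mail for false positives.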