On Jun 11, 2014, at 9:43 AM, Gary Gendel <g...@genashor.com> wrote:
> In the last month, I've seen a large increase in spam that breezes through 
> spamdyke and spamassassin.  These are html only emails mainly for jobs from 
> the big web companies (Google, Facebook, etc.).  The html is biased with 
> bayes poisoning keywords.

These aren't _actually_ job offers from Google and Facebook. If you followed 
the links (which I don't necessarily advise, because the spammers 'tag' the 
links so they can see who looked at the message) you'd find that they redirect 
to syndicated marketing links promoting scammy "work-at-home" make-money-fast 
schemes. I think the only connection with Google or Facebook is that these fake 
jobs are somehow "on the Internet".

> The links point to a page with a number of unrelated links via a tracker.  I 
> assume they are trying to get click-through cash.

Yep.

> Anyone else see this kind of problem?  If so, what are you doing about it?

I wrote about the difficulty of blocking these in another thread on 
'spamdyke-users' with the subject "Fwd; Search for High Speed Internet options 
near you" (someone else posted a sample of a similar spam).

Basically, because the senders change domain names, IP addresses, 'From' lines, 
'Subject' lines, and even URL formats continuously, and because the messages 
contain hashbuster text, they're extremely difficult to block reliably. They're 
pretty much the state-of-the-art when it comes to randomizing every possible 
element that could be used as the basis for filtering.

> I don't know if this helps, but I'm seeing that some come from sites without 
> a compliant dns setup.  For example:
> 
> 162.210.198.19 -> hosted-by.EqServers.com
> hosted-by.EqServers.com -> 65.60.49.189

Would spamdyke's rDNS tests help here? In my experience, these particular 
spammers usually have their DNS properly set up -- they're posting from rented 
servers hosted by a variety of hosting companies, rather than botnet PCs -- so 
they don't usually get turned away by Spamdyke's rDNS checks.

I think Bayesians may work on them, despite the presence of hashbuster text: 
most of them that I see trigger SpamAssassin's BAYES_99 rule, and in my tests 
with CRM-114 I can usually get CRM-114 to say "Oh yeah, it's one of those." 
However, BAYES_99 defaults to a score of 3.5, which may not be enough on its 
own to take the message over the threshold to be tagged as spam.

Now that you're starting to see these, you're going to get more and more. They 
have ramped up their sending volume enormously over time, and are sending more 
and more in an attempt to brute-force their way through.

Angus

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
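
Added example, not part of the original message and not spamdyke's own code: a forward-confirmed reverse DNS check that separates the case in the sample quoted above (the PTR name resolves, but to a different address) from a missing or unresolvable PTR. The function names and the 192.0.2.x entries are constructed for illustration; only the 162.210.198.19 pair comes from the thread.

```python
import socket

def live_ptr(ip):
    """Reverse lookup via the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except (socket.herror, socket.gaierror):
        return []

def live_addrs(name):
    """Forward lookup via the system resolver; returns a set of IP strings."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def fcrdns(ip, ptr_lookup=live_ptr, addr_lookup=live_addrs):
    """Return (verdict, names); verdict is 'no-ptr', 'unresolvable',
    'mismatch' or 'confirmed'."""
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr", []
    resolved_any = False
    for name in names:
        addrs = addr_lookup(name.rstrip(".").lower())
        resolved_any = resolved_any or bool(addrs)
        if ip in addrs:
            return "confirmed", [name]   # PTR name maps back to the client IP
    return ("mismatch" if resolved_any else "unresolvable"), names

# Lookup tables so the example runs offline.
SAMPLE_PTR = {
    "162.210.198.19": ["hosted-by.EqServers.com"],  # pair quoted in the thread
    "192.0.2.10": ["mail.example.net"],             # constructed
    "192.0.2.20": ["gone.example.net"],             # constructed
}
SAMPLE_A = {
    "hosted-by.eqservers.com": {"65.60.49.189"},    # pair quoted in the thread
    "mail.example.net": {"192.0.2.10"},             # constructed
}

def check_samples():
    ips = ["162.210.198.19", "192.0.2.10", "192.0.2.20", "192.0.2.30"]
    return {ip: fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []),
                       lambda n: SAMPLE_A.get(n, set()))[0] for ip in ips}

if __name__ == "__main__":
    for ip, verdict in check_samples().items():
        print(ip, verdict)
```

Calling `fcrdns(ip)` without the lookup arguments uses the system resolver instead of the sample tables.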
