Don't get me wrong about SpamCop. They are weighted in the tier 2 range on my server, and tier 1 is only SBL and my own list of IPs. I want to drop them another point because they tend to FP on bulk E-mail, and I do understand that it is hard to keep track of individual sources, but tagging things like Amazon.com should have been taken care of already. Nevertheless, this is a problem with over-zealous admins and maybe even troublemakers reporting legit ads to them, and it might be best tackled by rating the submitters by the accuracy of the past results, or just limiting submissions to a core group of trusted sources. It's uncanny how there are so-called spamtraps sending legit messages for inclusion in SpamCop. You are correct though that issues with ISP mail servers are more rare. SpamCop is a very important test, I just wish I could rely on it more than I do now (same goes for MailPolice).

I'm thinking that maybe the success of the RBLs has turned these guys back to the ISPs. I would imagine that before, these people would not use the ISP mail servers for their blasts for fear of being detected earlier and kicked, but now, they can take a fully exploited machine that's well listed, and start relaying E-mail through an ISP's mail server for a chance at a second life, though probably in smaller volumes. In other words, I think the tactics have changed.

I would love to have a list of ISP mail servers so that I could add a few points to them by default because you have to rely mostly on content to find the spam that comes from them. Another thing that I need to get around to doing is testing on multiple hops. I'm thinking this could mix things up a bit on my system so I've been putting it off. No doubt this one would have been tagged by that, and maybe even deleted instead of passed or just held. Multiple hops may very well be the answer to the issue of zombies relaying through ISP mail servers.

I'm not complaining about my results, I'm doing better now than I thought possible two months ago. I'm just wondering about how to best tag what still gets through without causing more problems. Every false negative that I find seems to result in another pattern that I should have been tracking, or in this case, a credit that was too large, a pattern that I should have been scoring, and an opportunity missed from multiple hops. I guess that's better than being stumped :)

Thanks for the info, it was enlightening.

Matt
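The tiered weighting and the multi-hop Received-header test discussed above, as an added example that is not code from the list, from Declude or from Matt's system: the sample message, the IPs (RFC 5737 test ranges), the list contents, the weights and the hold/delete thresholds are all constructed and hypothetical. Scoring only the connecting host (the ISP relay) passes the message; scoring every hop catches the listed zombie behind it.

```python
import re
from email import message_from_string

# Constructed sample: a compromised host (192.0.2.77, RFC 5737 test range)
# relays through an ISP mail server (198.51.100.10) to our own MX.
SAMPLE_MESSAGE = """\
Received: from smtp.isp.example (smtp.isp.example [198.51.100.10])
    by mx.ourdomain.example with ESMTP; Mon, 1 Mar 2004 10:00:02 -0500
Received: from user-pc (unknown [192.0.2.77])
    by smtp.isp.example with SMTP; Mon, 1 Mar 2004 09:59:58 -0500
Subject: test
"""

# Hypothetical tiers and weights (constructed; not Declude's or Matt's real config).
TIERED_LISTS = {
    "sbl": ({"192.0.2.77"}, 3),      # tier 1
    "spamcop": ({"192.0.2.77"}, 2),  # tier 2
}
ISP_RELAYS = {"198.51.100.10"}  # ISP servers that get a default bump
ISP_WEIGHT = 1
HOLD_AT, DELETE_AT = 4, 6
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw_message):
    """Relay IP from every Received hop, connecting host first."""
    msg = message_from_string(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips

def score_hops(ips, max_hops=None):
    """Score the first max_hops relays (all of them by default)."""
    score, hits = 0, []
    for ip in ips[:max_hops]:
        for name, (listed, weight) in TIERED_LISTS.items():
            if ip in listed:
                score += weight
                hits.append(f"{name}:{ip}")
        if ip in ISP_RELAYS:
            score += ISP_WEIGHT
            hits.append(f"isp-relay:{ip}")
    action = "delete" if score >= DELETE_AT else "hold" if score >= HOLD_AT else "pass"
    return score, action, hits

if __name__ == "__main__":
    print(score_hops(relay_ips(SAMPLE_MESSAGE)))
```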



Colbeck, Andrew wrote:

Matt, I don't know what my observation is worth but the only spam I've noticed in
the past year from Yahoo! servers was always from the *.bizmail.yahoo.com
servers (a related issue is/was a lack of confirmation for message group
sign-ups).

Previous to that, Yahoo! and HoTMaiL and AOL were common targets for
spammers to get a quick account on, blast a campaign out, then ditch the
account.  They commonly used stolen and fake credit card numbers to sign up
with AOL and local dial-up ISPs.  Much as the "17 trillion addresses"
CDROMs, spammers also sold entire packages with illegal software to generate
fake credit card numbers and software that would automatically sign up for
dozens of new accounts with those fake credit cards, then send the spam
through them.

(I think the matter of junk coming from otherwise valid servers is a real
vindication for content inspection as a complement to blocking by IP.)

Now I find that it's pretty rare to get spam from a real account at one of
the big providers.  I notice that the "from:" and "to:" fields in the
message were @cs.com which used to be CompuServe, now part of AOL.

What I do about spam like this is run it through my SpamCop account.  I then
*responsibly* use the info to make reports or let SpamCop do it for me.
Despite your bad experiences with SpamCop as an ip4r test, the service does
make an effort to not list ISPs that don't deserve it.  For an *example
only*, running a slightly munged version of your spam sample through
SpamCop's anonymous submission web page produces these contacts for which
information:

Re: 216.136.172.125 (Administrator interested in intermediary handling of
spam)
  To: [EMAIL PROTECTED] (Notes)
  To: [EMAIL PROTECTED] (Notes)

Re: 68.234.34.67 (Administrator of network where email originates)
  To: [EMAIL PROTECTED] (Notes)

Re: 68.234.34.67 (Third party interested in email source)
  To: Cyveillance spam collection (Notes)

Re: http://www.mikostarinda.com?lxij (Administrator of network hosting website
referenced in spam)
  To: [EMAIL PROTECTED] (refuses munged reports) (Notes)
  To: [EMAIL PROTECTED] (Notes)

Note that for the Yahoo! mail address, they're notifying the contact
address but not listing them.

Particularly illuminating is the SpamCop report on that Adelphia IP:

http://www.spamcop.net/w3m?action=checkblock&ip=68.234.34.67

68.234.34.67 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported about 3390 times by about 210 users. It has been sending mail consistently for at least 18.0 days. It has been listed for 16.7 days.

In the past week, this system has:
  Been reported as a source of spam about 60 times
  Been detected sending mail to spam traps
  Been witnessed sending mail about 2910 times

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.





-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
