The first one of these hit my system at about 8:30 a.m. From the first
dozen, two passed and 10 failed a score of 13 (my minimum weight to
block the message for most domains). By 11:30 a.m. messages from this
class C were being picked up by MailPolice, SURBL, Sniffer and SpamCop
and they have been scoring 75 or more ever since (I don't run custom
filters after the score reaches 25 in most cases, so it probably would
have been over 100).

IMO, it's often not worth it to spend time dealing with high volume sources as they will often be picked up before you can react to them. This guy is 2 for 29 so far today on what was a clean block, though I was already giving Minerva's IP space a few points for being a notorious Spam supporter.

Matt

Colbeck, Andrew wrote:

Welcome to the list, Dave!

Sometimes the bad guys win. Like virus detection, spam detection is mostly a matter of reacting to the bad guys and blocking them, so they do get some in. If you try to achieve 100% spam blocking, you will devote your life to it and you'll burn out after spending too much time finding false positives and dealing with the resultant customer complaints.

A couple of points about this particular message:

1) I got one copy of it in my organization, too. It scored 15 of 20 so it passed. The recipient didn't complain.

2) At the time it came in, the netblock was clean. SPEWS2 is the only RBL I know of that listed it at that point, and it still does. Nobody who has customers uses SPEWS2 to fight spam. Most don't use SPEWS1 for that matter. There's been a thread about this in the last few days.

3) Sniffer hadn't seen the message yet, so it didn't trigger either. I still recommend Sniffer.

4) URI blacklisting hadn't seen the message yet, so it didn't trigger either. I still recommend URI blacklisting.

5) Snips of text like "-mydomain.com?" and "myaddress@" in the MAILFROM can be tested for, but must have a light weight or only be used in combination with other tests. VERP is commonly used by legitimate mailers so that they can scrub their lists when an email account is cancelled and they receive bounces, or scrub their list when a legitimate subscriber reports them as spammers because they're too lazy to unsubscribe.

6) Not that *I* would do such a thing, but if *one* were to strobe the /24 netblock that the message came from, you would see definite patterns in the naming conventions and could certainly predict how the spammer is going to change his domain names for the next spam runs.

I've put them into my IP blacklist text file.

206.131.224.0/19 matched 206.131.224.0/19 SPEWS OffersCentral, see http://spews.org/html/S1528.html Sep-02-2005

Along with the neighbours which have been there for a long time:

206.128.156.0/24 matched 206.128.156.0/24 SPEWS stubberfield, see http://spews.org/ask.cgi?S359
206.131.243.0/24 matched 206.131.243.0/24 SPEWS elistmarketers, see http://spews.org/ask.cgi?S1710

Andrew 8)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dave Beckstrom
Sent: Friday, September 02, 2005 9:59 AM
To: [email protected]
Subject: [Declude.JunkMail] Suggestions on catching a spam message?

Hi Everyone,

I just purchased Declude two days ago. I'm running Declude with Message Sniffer on a SmarterMail server. So far, it is working very well.

The approach that I have been trying to take is to, wherever possible, avoid creating a custom filter entry to trap a specific email. Below is an example of a spam email which slipped through this morning. I sanitized the mail headers, so any reference to myserver or mydomain or myaddress is where I replaced our details in the headers.

As you can see from the headers, there was very little wrong with this email that would enable us to score it high enough for it to be considered spam. I tag the subject at a score of 14. At the bottom of this message is the actual body of the HTML email.

Obviously I could add a filter entry to look for "agnheqe3.com" and to delete or hold the message. The problem with that approach, in my opinion, is it never ends. If they have 1000 different domains that means 1000 filter entries. I hate filtering to block a specific email and I would rather block based upon a pattern common to all spam.

I am wondering if you have had any success on trapping emails like the one below? What would you add or change to have caught this message? The only thing I saw, that is common to spam, which I think I could filter on is the "/track?" in the URL. I've seen a lot of spam that triggers various ASP or PHP or other programs in the IMG SRC tag which enables a spammer to verify that the email was opened and read.

What do you think? How can I tighten up my filtering to catch an email such as the one below? Do you guys forward spam to SpamCop or other places to help with the RBLs?

Thanks!

Dave

Return-Path: <[EMAIL PROTECTED]>  Fri Sep 02 07:34:48 2005
Received: from sip.agnheqe3.com [206.131.238.29] by myserver.mydomain.com with SMTP; Fri, 2 Sep 2005 07:34:48 -0500
MIME-Version: 1.0
X-Accept-Language: en
X-Priority: Normal
From: Energy Drink <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Nationwide Energy Drink Survey
Date: Fri, 2 Sep 2005 04:08:28 EST
Message-ID: <q8tz5,[EMAIL PROTECTED]>
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [8008000e].
X-RBL-Warning: SPFUNKNOWN: SPF returned UNKNOWN for this E-mail.
X-RBL-Warning: Filter_Country: Message failed Filter_Country test (line 223, weight 0)
X-Note: ========================================
X-Note: Spam Score: [6]
X-Note: Scan Time: 07:35:08 on 02 Sep 2005
X-Note: Spool File: 37143703.EML
X-Note: Server Name: sip.agnheqe3.com
X-Note: SMTP Sender: [EMAIL PROTECTED]
X-Note: Reverse DNS & IP: sip.agnheqe3.com [206.131.238.29]
X-Note: Recipient(s): <fwd>[EMAIL PROTECTED]
X-Note: Country Chain: UNITED STATES->destination
X-Note: Failed Weights: BADHEADERS [8], SPFUNKNOWN [1], Filter_Country [0]
X-Note: ========================================

<html>
<body><br>
<a href="http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1&m=6225115&l=0">
<img src="http://agnheqe3.com/t?m=6225115&l=3" border=0></a><br><br>
<img src="http://agnheqe3.com/t?m=6225115&l=2" border=0></a><br><br>
<a href="http://agnheqe3.com/t?m=6225115&l=4">
<img src="http://agnheqe3.com/track?e=46UqH66PCSHeq6PD4qbeBnKu6z&m=6225115&l=1" border=0></a><br>
<br><br><font color='#ffffff' face='arial,helvetica' size='1'><5;46UqH66PCSHeq6PD4qbeBnKu6z;6225115></font></body></html>

--- [This E-mail scanned for viruses by Declude Virus]

--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
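To make the scoring discussion in this thread concrete, here is an added example that is not Declude's code and not a configuration any of the posters ran. It scores a message the way the X-Note headers above describe: every test carries a weight, the weights of the failed tests are summed, and the message is held once the total reaches a threshold. The tests are the ones the thread proposes: Andrew's netblock list (the three SPEWS ranges he quotes), Dave's "/track?" link and query-string IMG SRC observations, and a light-weight VERP MAILFROM test per Andrew's point 5. The test names, weights, regexes, the 14-point hold threshold and both sample messages are assumptions made for this example; the sample addresses are invented because the thread's are redacted.

```python
import ipaddress
import re
from email import message_from_string
from html.parser import HTMLParser

# Netblocks from Andrew's blacklist lines, kept as a local CIDR list.
IP_BLACKLIST = [ipaddress.ip_network(n) for n in (
    "206.131.224.0/19",  # SPEWS S1528, OffersCentral
    "206.128.156.0/24",  # SPEWS S359, stubberfield
    "206.131.243.0/24",  # SPEWS S1710, elistmarketers
)]
HOLD_WEIGHT = 14  # Dave tags the subject at 14; assumed hold threshold here

RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# VERP folds the recipient into the MAILFROM local part with "@" turned into
# "=" or "-", e.g. bounce-42-user=example.com@sender.tld (assumed pattern).
VERP_LOCAL_RE = re.compile(r"[=-]\w[\w-]*\.\w{2,}$")


class LinkCollector(HTMLParser):
    """Collect <a href> and <img src> URLs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.img_srcs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])


def parse_message(raw):
    """Pull the source IP, MAILFROM and body URLs out of a raw message."""
    msg = message_from_string(raw)
    m = RECEIVED_IP_RE.search(msg.get("Received", ""))
    links = LinkCollector()
    if msg.get_content_type() == "text/html":
        links.feed(msg.get_payload())
    return {
        "source_ip": ipaddress.ip_address(m.group(1)) if m else None,
        "mail_from": msg.get("Return-Path", "").strip("<> "),
        "hrefs": links.hrefs,
        "img_srcs": links.img_srcs,
    }


def ip_blacklisted(info):
    ip = info["source_ip"]
    return ip is not None and any(ip in net for net in IP_BLACKLIST)


def tracking_link(info):
    # the "/track?" click-tracker Dave noticed in the <a href>
    return any("/track?" in u for u in info["hrefs"])


def tracking_pixel(info):
    # an <img src> that calls a script with parameters: confirms the open
    return any(re.search(r"\?\w+=", u) for u in info["img_srcs"])


def verp_mailfrom(info):
    return VERP_LOCAL_RE.search(info["mail_from"].rpartition("@")[0]) is not None


# (name, weight, predicate). Weights are assumptions: the text-pattern tests
# stay light, per Andrew's point 5, so only a combination reaches HOLD_WEIGHT.
TESTS = [
    ("IPBLACKLIST", 10, ip_blacklisted),
    ("TRACKLINK", 4, tracking_link),
    ("TRACKPIXEL", 3, tracking_pixel),
    ("VERPFROM", 1, verp_mailfrom),
]


def score_message(raw, tests=TESTS):
    """Return (total weight, [(name, weight), ...]) for the tests that fail."""
    info = parse_message(raw)
    failed = [(name, w) for name, w, pred in tests if pred(info)]
    return sum(w for _, w in failed), failed


# Constructed sample modelled on the sanitized message in Dave's post
# (addresses invented; the originals are redacted).
SPAM_EML = """\
Return-Path: <bounce-6225115-myaddress=mydomain.com@agnheqe3.com>
Received: from sip.agnheqe3.com [206.131.238.29] by myserver.mydomain.com with SMTP; Fri, 2 Sep 2005 07:34:48 -0500
From: Energy Drink <survey@agnheqe3.com>
Content-Type: text/html; charset="ISO-8859-1"

<html><body><a href="http://agnheqe3.com/track?e=3p5seppESTe4spEnBsK4I3YMp1&m=6225115&l=0">
<img src="http://agnheqe3.com/t?m=6225115&l=3" border=0></a></body></html>
"""

# Constructed legitimate newsletter: VERP bounce address, clean IP, static image.
NEWSLETTER_EML = """\
Return-Path: <bounce-17-myaddress=mydomain.com@lists.example.net>
Received: from mail.example.net [198.51.100.7] by myserver.mydomain.com with SMTP; Fri, 2 Sep 2005 08:00:00 -0500
From: Example News <news@example.net>
Content-Type: text/html; charset="ISO-8859-1"

<html><body><a href="http://www.example.net/news/september">Read online</a>
<img src="http://www.example.net/img/logo.gif" border=0></body></html>
"""
```

Run with the three pattern tests only and the spam scores 8, under the threshold, which is the situation Dave describes (the message was new and nothing had listed it yet); add the netblock once it is known and the same message scores 18 and is held. The newsletter also uses VERP but scores only 1, which is why Andrew wants the MAILFROM snippets kept light or used only in combination.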
