Re: [Declude.JunkMail] German political spam

2005-05-17 Thread Dan Geiser
Has anyone but me noticed that the German spam subjects appear to be
changing?

We just blocked one that has the subject "Armenian Genocide Plagues Ankara 90
Years On", but that's not on any of the lists that I have seen.

Thanks,
Dan
- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, May 16, 2005 5:49 PM
Subject: RE: [Declude.JunkMail] German political spam


If anyone is interested, I've updated my sober-q filter files.
I've split the patterns into two files: SUBJECT and BODY lines. They will
not catch more, but:

1.) The SUBJECT filterfile will be processed only if CMDSPACE has failed
before. This will save resources, and as some subject lines can also be used
in legit German messages, it will prevent FPs.

2.) The BODY file is primarily there to filter out bounces, so it cannot be
combined with CMDSPACE, but at least it can be skipped if the SUBJECT-based
filterfile has already failed.

In addition, both filterfiles will now STOPATFIRSTHIT.

Here are the config lines for both filterfiles:

SOBERQ filter C:\[filter_path]\filter_soberq.txt x 0 0
SOBERQBODY filter C:\[filter_path]\filter_soberq-body.txt x 0 0
Markus

---
E-mail scanned for viruses by Nexus (http://www.ntgrp.com/mailscan)
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] German political spam

2005-05-17 Thread Colbeck, Andrew
There are a few missing from Joe Wein's list, but I thought Markus' list
is complete.

Here are the ones that I found that needed to be added:

Dr--esden Bombing Is To Be R--egretted Enormously
The Wh--ore Lived Like a G--erman
Tu--rkish Tabloid Enrages Ge--rmany with Na--zi Comparisons
Arm--enian Genoc--ide Plagues An--kara 90 Years On

(I've sprinkled -- through the samples to perhaps escape text filtering)

Also, Markus' optimization of checking CMDSPACE before SUBJECT checking
will not work in two cases:

1) If your mailsystem is based on Smartwhatever, this test is not
available, so you will never execute the SUBJECT tests.

2) You will fail to catch blowback messages like "re: Tu--rkish
Tabloid ...", "Out of office: Tu--rkish Tabloid ..." and
"Undeliverable: Tu--rkish Tabloid ...",

so I suggest that unless you are catching 2) elsewise, then don't try to
use the CMDSPACE short-circuit optimization.

Andrew 8)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Geiser
Sent: Tuesday, May 17, 2005 12:17 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] German political spam


Has anyone but me noticed that the German spam subjects appear to be
changing?

We just blocked one that has the subject "Armenian Genocide Plagues
Ankara 90 Years On", but that's not on any of the lists that I have seen.

Thanks,
Dan

- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Monday, May 16, 2005 5:49 PM
Subject: RE: [Declude.JunkMail] German political spam


 If anyone is interested, I've updated my sober-q filter files.
 I've split the patterns into two files: SUBJECT and BODY lines. They
 will not catch more, but:

 1.) The SUBJECT filterfile will be processed only if CMDSPACE has
 failed before. This will save resources, and as some subject lines can
 also be used in legit German messages, it will prevent FPs.

 2.) The BODY file is primarily there to filter out bounces, so it cannot
 be combined with CMDSPACE, but at least it can be skipped if the
 SUBJECT-based filterfile has already failed.

 In addition, both filterfiles will now STOPATFIRSTHIT.

 Here are the config lines for both filterfiles:

 SOBERQ filter C:\[filter_path]\filter_soberq.txt x 0 0
 SOBERQBODY filter C:\[filter_path]\filter_soberq-body.txt x 0 0

 Markus
 




RE: [Declude.JunkMail] German political spam

2005-05-17 Thread Markus Gufler

 Also, Markus' optimization of checking CMDSPACE before 
 SUBJECT checking will not work in two cases:

I've discovered another rare one. It seems that certain MTAs correct
command spaces, so a message forwarded from one of these MTAs will pass
the filter files as it hasn't failed CMDSPACE.

Markus



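To make the two failure cases Andrew describes (no CMDSPACE test on SmarterMail; blowback with a prefixed subject) and Markus' forwarded-message case concrete, here is an added Python model of a subject-pattern filter run with and without the CMDSPACE short-circuit. It is example code written for this page, not Declude's filter engine and not anything posted in the thread; the prefix list and the sample messages are constructed assumptions.

```python
"""Model of a subject-pattern filter with and without the CMDSPACE short-circuit.

Example code added for illustration; not Declude's filter engine and not
code posted in the thread.  The prefix list and the sample messages below
are constructed assumptions for this example.
"""
import re

# Subject lines as posted in the thread, with the "--" the poster sprinkled
# in to escape list filtering.  load_patterns() strips the "--" again.
RAW_PATTERNS = [
    "Dr--esden Bombing Is To Be R--egretted Enormously",
    "The Wh--ore Lived Like a G--erman",
    "Tu--rkish Tabloid Enrages Ge--rmany with Na--zi Comparisons",
    "Arm--enian Genoc--ide Plagues An--kara 90 Years On",
]

# Prefixes that replies, auto-replies and bounces put in front of the
# original subject: the three named in the thread (re:, Out of office:,
# Undeliverable:) plus fw:/fwd: for forwarded copies (an assumption here).
BLOWBACK_PREFIX = re.compile(
    r"^\s*(?:re|fw|fwd|out of office|undeliverable)\s*:\s*",
    re.IGNORECASE,
)


def normalize(subject):
    """Collapse whitespace and lower-case, so casing/spacing tricks don't matter."""
    return re.sub(r"\s+", " ", subject).strip().lower()


def load_patterns(raw_patterns):
    """Remove the '--' obfuscation and normalize each pattern for matching."""
    return [normalize(p.replace("--", "")) for p in raw_patterns]


def strip_blowback(subject):
    """Peel off any number of reply/auto-reply/bounce prefixes.

    Returns (remaining_subject, was_blowback)."""
    was_blowback = False
    while True:
        m = BLOWBACK_PREFIX.match(subject)
        if not m:
            return subject, was_blowback
        subject = subject[m.end():]
        was_blowback = True


def matches_list(subject, patterns):
    """Substring match, the way a subject filter line behaves."""
    norm = normalize(subject)
    return any(p in norm for p in patterns)


def filter_decision(subject, cmdspace_failed, patterns, short_circuit=True):
    """Decide what the SUBJECT filter file would do for one message.

    cmdspace_failed: True if the message failed CMDSPACE, False if it passed
        (e.g. a bounce or forward re-emitted by an MTA that corrects the
        command spacing), None if the test is unavailable (the SmarterMail
        case from the thread).
    short_circuit: True models "run the SUBJECT file only after CMDSPACE
        failed"; False models running the SUBJECT file unconditionally.
    Returns "skipped", "hit", "blowback" or "miss".
    """
    if short_circuit and cmdspace_failed is not True:
        return "skipped"  # the subject list is never consulted at all
    body, was_blowback = strip_blowback(subject)
    if matches_list(body, patterns):
        return "blowback" if was_blowback else "hit"
    return "miss"


# Constructed sample messages: (subject, cmdspace_failed).  Not real mail.
SAMPLE_MESSAGES = [
    ("Armenian Genocide Plagues Ankara 90 Years On", True),                # direct spam
    ("Re: Turkish Tabloid Enrages Germany with Nazi Comparisons", False),  # reply
    ("Undeliverable: Dresden Bombing Is To Be Regretted Enormously", False),
    ("The Whore Lived Like a German", None),      # no CMDSPACE test available
    ("Quarterly real-estate newsletter", False),  # legitimate mail
]


def run(messages, patterns, short_circuit):
    """Apply filter_decision to every (subject, cmdspace_failed) pair."""
    return [filter_decision(s, c, patterns, short_circuit) for s, c in messages]


if __name__ == "__main__":
    pats = load_patterns(RAW_PATTERNS)
    for mode in (True, False):
        print(f"short_circuit={mode}:")
        for (subj, _), verdict in zip(SAMPLE_MESSAGES, run(SAMPLE_MESSAGES, pats, mode)):
            print(f"  {verdict:9s} {subj}")
```

With the short-circuit on, only the first sample is ever examined; with it off, the two prefixed bounces and the SmarterMail message are caught as well while the legitimate newsletter still passes.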

RE: [Declude.JunkMail] German political spam

2005-05-16 Thread Michael Hardrick
http://www.joewein.de/sw/spam-sober-h.htm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Marchette
Sent: Sunday, May 15, 2005 00:07
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] German political spam

Anyone else getting hit with massive waves of German spam as a byproduct of
modified Sober code continuing from around 2 pm EDT today, or am I 'unique'
in this?  





Re: [Declude.JunkMail] German political spam

2005-05-16 Thread Bill Green dfn Systems
Markus wrote:
 If anyone is interested, I've updated my sober-q filter files.
I'm interested! Thanks Markus!
Bill Green
dfn Systems


RE: [Declude.JunkMail] German political spam

2005-05-16 Thread Nick
On 16 May 2005 at 23:49, Markus Gufler wrote:
Thanks!

-Nick
 If anyone is interested, I've updated my sober-q filter files.
 I've split the patterns into two files: SUBJECT and BODY lines. They
 will not catch more, but:

 1.) The SUBJECT filterfile will be processed only if CMDSPACE has
 failed before. This will save resources, and as some subject lines can
 also be used in legit German messages, it will prevent FPs.

 2.) The BODY file is primarily there to filter out bounces, so it cannot
 be combined with CMDSPACE, but at least it can be skipped if the
 SUBJECT-based filterfile has already failed.

 In addition, both filterfiles will now STOPATFIRSTHIT.

 Here are the config lines for both filterfiles:

 SOBERQ filter C:\[filter_path]\filter_soberq.txt x 0 0
 SOBERQBODY filter C:\[filter_path]\filter_soberq-body.txt x 0 0

 Markus




RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Markus Gufler
 Anyone else getting hit with massive waves of German spam as 
 a byproduct of modified Sober code continuing from around 2 
 pm EDT today, or am I 'unique' in this?  

Update:
I've noted that this type of message always fails CMDSPACE.

Please take care: the links that are part of the message body have nothing
to do with the initiator(s) of these messages.

For example:
www.heise.de is an important German computer magazine and always strives to
announce security risks, spam techniques and so on.
www.spiegel.de is a big German magazine and I'm 100% sure that it has
nothing to do with this type of spam.

Largely blocking these URIs in blacklists may be exactly what these
spammers want.

Markus



Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Darrell ([EMAIL PROTECTED])
What are the return/sender addresses looking like?  Randomized?

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.

- Original Message - 
From: Marc Catuogno [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 9:34 AM
Subject: RE: [Declude.JunkMail] German political spam


I've added all the phrases that I have found in the e-mails that got through
to me.  I don't do much internationally, so my weighting and inclusion may be
harsh for those that do.

Marc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Sunday, May 15, 2005 3:50 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] German political spam

Attached is the updated filter file containing 3 additional subject filter
lines.

Markus



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Sunday, May 15, 2005 9:25 AM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] German political spam


  Anyone else getting hit with massive waves of German spam as a
  byproduct of modified Sober code continuing from around 2 pm EDT
  today, or am I 'unique' in this?

 Yes, I've identified 3 typical body phrases that can be used
 to filter for.
 See attached zip/txt file.
 Maybe it's incomplete and so should be updated. Please send
 additional strings also in zipped txt files in order to
 bypass already existing filters.

 Markus




Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Darrell ([EMAIL PROTECTED])
Markus,

I have noticed that most of these messages at the start of this campaign
were getting caught on SURBL using invURIBL.  Do you know anything about
that domain listed below?

2005-05-15 00:19:19.890 2005-05-15 00:19:19.968 E:\IMAIL\SPOOL\DCDC4C1BB006E894A.SMD libasoli.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]

Darrell

---
invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the default
configuration. Download a copy today - http://www.invariantsystems.com


- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 3:37 AM
Subject: RE: [Declude.JunkMail] German political spam


  Anyone else getting hit with massive waves of German spam as
  a byproduct of modified Sober code continuing from around 2
  pm EDT today, or am I 'unique' in this?

 Update:
 I've noted that this type of message always fails CMDSPACE.

 Please take care: the links that are part of the message body have nothing
 to do with the initiator(s) of these messages.

 For example:
 www.heise.de is an important German computer magazine and always strives to
 announce security risks, spam techniques and so on.
 www.spiegel.de is a big German magazine and I'm 100% sure that it has
 nothing to do with this type of spam.

 Largely blocking these URIs in blacklists may be exactly what these
 spammers want.

 Markus



Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Shayne Embry
Random addresses on the ones I'm getting. All from SWBell DSL IPs. Not failing
any tests other than GIBBERISH, and not even that one all the time. I'm using
SmarterMail, so CMDSPACE isn't an available test for us. I've had more than 15
messages get through on my personal account alone since Saturday afternoon.

Shayne

 What are the return/sender addresses looking like? Randomized?

 Darrell
 ---
 Check out http://www.invariantsystems.com for utilities for Declude And
 Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI
 integration, MRTG Integration, and Log Parsers.


Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Darrell ([EMAIL PROTECTED])
Actually, looking at this again I checked yesterday's log files.  It seems
that most of the domains were starting to be caught on SURBL and other URI
lists around 8pm Eastern.

2005-05-14 20:02:57.171 2005-05-14 20:02:57.296 E:\IMAIL\SPOOL\D91ACBA660122CE0A.SMD rocknord.de 127.0.0.4 on multi.surbl.org [4] [Total Weight=2]
2005-05-14 21:47:07.609 2005-05-14 21:47:08.828 E:\IMAIL\SPOOL\DAA10CCE60118147C.SMD spiegel.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]
2005-05-14 21:48:01.046 2005-05-14 21:48:02.328 E:\IMAIL\SPOOL\DAA4D12BC0264FFE5.SMD npd.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]
2005-05-14 21:50:54.968 2005-05-14 21:50:55.281 E:\IMAIL\SPOOL\DAAFBBD960122AAD1.SMD rp-online.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]

Darrell
-
invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the default
configuration. Download a copy today - http://www.invariantsystems.com


- Original Message - 
From: Darrell ([EMAIL PROTECTED]) [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 10:02 AM
Subject: Re: [Declude.JunkMail] German political spam


 Markus,

 I have noticed that most of these messages at the start of this campaign
 were getting caught on SURBL using invURIBL.  Do you know anything about
 that domain listed below?

 2005-05-15 00:19:19.890 2005-05-15 00:19:19.968 E:\IMAIL\SPOOL\DCDC4C1BB006E894A.SMD libasoli.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]

 Darrell

 ---
 invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the default
 configuration. Download a copy today - http://www.invariantsystems.com


 - Original Message - 
 From: Markus Gufler [EMAIL PROTECTED]
 To: Declude.JunkMail@declude.com
 Sent: Sunday, May 15, 2005 3:37 AM
 Subject: RE: [Declude.JunkMail] German political spam


   Anyone else getting hit with massive waves of German spam as
   a byproduct of modified Sober code continuing from around 2
   pm EDT today, or am I 'unique' in this?
 
  Update:
  I've noted that this type of message always fails CMDSPACE.

  Please take care: the links that are part of the message body have nothing
  to do with the initiator(s) of these messages.

  For example:
  www.heise.de is an important German computer magazine and always strives to
  announce security risks, spam techniques and so on.
  www.spiegel.de is a big German magazine and I'm 100% sure that it has
  nothing to do with this type of spam.

  Largely blocking these URIs in blacklists may be exactly what these
  spammers want.
 
  Markus
 


RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Marc Catuogno
I am seeing randomized addresses, but they seem to be from related
industries.  We are in real estate; the addresses are random, then @ other
real-estate companies, title companies, etc.

All the e-mails that have gotten through have been from

conversent.net 204.17.110.18 

Probably some genius real-estate agent that got infected - I haven't looked
at all the e-mails that get held yet.

Marc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darrell
([EMAIL PROTECTED])
Sent: Sunday, May 15, 2005 9:51 AM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] German political spam

What are the return/sender addresses looking like?  Randomized?

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And
Imail.  IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.

- Original Message - 
From: Marc Catuogno [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 9:34 AM
Subject: RE: [Declude.JunkMail] German political spam


I've added all the phrases that I have found in the e-mails that got through
to me.  I don't do much internationally, so my weighting and inclusion may be
harsh for those that do.

Marc

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
Sent: Sunday, May 15, 2005 3:50 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] German political spam

Attached is the updated filter file containing 3 additional subject filter
lines.

Markus



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Markus Gufler
 Sent: Sunday, May 15, 2005 9:25 AM
 To: Declude.JunkMail@declude.com
 Subject: RE: [Declude.JunkMail] German political spam


  Anyone else getting hit with massive waves of German spam as a
  byproduct of modified Sober code continuing from around 2 pm EDT
  today, or am I 'unique' in this?

 Yes, I've identified 3 typical body phrases that can be used
 to filter for.
 See attached zip/txt file.
 Maybe it's incomplete and so should be updated. Please send
 additional strings also in zipped txt files in order to
 bypass already existing filters.

 Markus




RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Nick
On 15 May 2005 at 10:50, Marc Catuogno wrote:

 I am seeing randomized addresses, but they seem to be from related
 industries.  We are in real-estate, the address are random then @
 other real-estate companies, title companies, etc.
Good observation - all of the ones I have received have come from 
medical - educational targeting a large physician database we host.

Seems to be a very sophisticated campaign - of which at least 90% so
far are coming from clean domains/clean IPs.  Maybe someone (Matt?)
can figure out some sort of pattern we can target from the spamware?

-Nick
 


Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Glenn Zajicek
more than 15 is all you got?  I've had at least 112.

G.Z.

-- Original Message --
From: Shayne Embry [EMAIL PROTECTED]
Reply-To: Declude.JunkMail@declude.com
Date:  Sun, 15 May 2005 09:04:48 -0500

Random addresses on the ones I'm getting. All from SWBell DSL IPs. Not failing 
any tests other than GIBBERISH, and not even that one all the time. I'm using 
SmarterMail, so CMDSPACE isn't an available test for us. I've had more than 15 
messages get through on my personal account alone since Saturday afternoon.

  Shayne

What are the return/sender addresses looking like? Randomized?

Darrell
---
Check out http://www.invariantsystems.com for utilities for Declude And
Imail. IMail Queue Monitoring, Declude Overflow Queue Monitoring, SURBL/URI
integration, MRTG Integration, and Log Parsers.
Sent via the WebMail system at wcnet.net


 
   


RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Markus Gufler
I don't know "l ibasoli.de", but other domains like "s piegel.de" have
absolutely nothing to do with the spammers. It's the online version of a
really big, important and excellent German magazine, and it's not good to
block messages containing this domain if you don't want to also block the
flow of legit information. The same for "h eise.de".

http://www.h eise.de/newsticker/meldung/59562
for example contains a short description of what's going on and also some
user comments from people who have posted their SpamAssassin and Postfix
filter files for this type of spam:
http://www.h eise.de/newsticker/foren/go.shtml?forum_id=78695&list=1&hs=0&c=7992164

On the other side there are also links like "n pd.de", and I fear this is
also the source of this spam campaign. It's a German party, fortunately not
really large but unfortunately growing. The idea behind this party: look
back 60-70 years in German history.  :-/

Markus



 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Darrell ([EMAIL PROTECTED])
 Sent: Sunday, May 15, 2005 4:27 PM
 To: Declude.JunkMail@declude.com
 Subject: Re: [Declude.JunkMail] German political spam
 
 Actually, looking at this again I checked yesterday's log
 files.  It seems that most of the domains were starting to be
 caught on SURBL and other URI lists around 8pm Eastern.

 2005-05-14 20:02:57.171 2005-05-14 20:02:57.296 E:\IMAIL\SPOOL\D91ACBA660122CE0A.SMD rocknord.de 127.0.0.4 on multi.surbl.org [4] [Total Weight=2]
 2005-05-14 21:47:07.609 2005-05-14 21:47:08.828 E:\IMAIL\SPOOL\DAA10CCE60118147C.SMD spiegel.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]
 2005-05-14 21:48:01.046 2005-05-14 21:48:02.328 E:\IMAIL\SPOOL\DAA4D12BC0264FFE5.SMD npd.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]
 2005-05-14 21:50:54.968 2005-05-14 21:50:55.281 E:\IMAIL\SPOOL\DAAFBBD960122AAD1.SMD rp-online.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]

 Darrell
 ---
 invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with
 the default configuration. Download a copy today -
 http://www.invariantsystems.com
 
 
 - Original Message -
 From: Darrell ([EMAIL PROTECTED]) 
 [EMAIL PROTECTED]
 To: Declude.JunkMail@declude.com
 Sent: Sunday, May 15, 2005 10:02 AM
 Subject: Re: [Declude.JunkMail] German political spam
 
 
  Markus,

  I have noticed that most of these messages at the start of this campaign
  were getting caught on SURBL using invURIBL.  Do you know anything about
  that domain listed below?

  2005-05-15 00:19:19.890 2005-05-15 00:19:19.968 E:\IMAIL\SPOOL\DCDC4C1BB006E894A.SMD libasoli.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]

  Darrell

  ---
  invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the default
  configuration. Download a copy today - http://www.invariantsystems.com


  - Original Message -
  From: Markus Gufler [EMAIL PROTECTED]
  To: Declude.JunkMail@declude.com
  Sent: Sunday, May 15, 2005 3:37 AM
  Subject: RE: [Declude.JunkMail] German political spam


    Anyone else getting hit with massive waves of German spam as
    a byproduct of modified Sober code continuing from around 2
    pm EDT today, or am I 'unique' in this?

   Update:
   I've noted that this type of message always fails CMDSPACE.

   Please take care: the links that are part of the message body have
   nothing to do with the initiator(s) of these messages.

   For example:
   www.heise.de is an important German computer magazine and always strives
   to announce security risks, spam techniques and so on.
   www.spiegel.de is a big German magazine and I'm 100% sure that it has
   nothing to do with this type of spam.

   Largely blocking these URIs in blacklists may be exactly what these
   spammers want.

   Markus
  
   Markus
  


RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Markus Gufler
The direct link for the SpamAssassin filter file is
http://www.filterregel.de.vu/rassistische_mails_2.cf

Markus



Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Matt
All of the links appear to be to legitimate sites that just so happen
to have stories on them that the Nazis are interested in having people
read. This happened before, about a year ago.

Anyway, it just goes to show the English-centric approach that many of
the blacklist maintainers use, or the general lack of appropriate
procedure for qualifying such domains for being listed. Personally, I
have many issues with international traffic, primarily due to blacklists
and these two things. SBL is one of the largest offenders, but SURBL
also has an issue with qualifying domains of all sorts and they could
definitely do better. The way that things stand, some spammer could
probably send out a million E-mails with your domain in it and it
would likely get listed in SURBL despite you being a completely
innocent party.

Matt



Markus Gufler wrote:

 I don't know "l ibasoli.de", but other domains like "s piegel.de" have
 absolutely nothing to do with the spammers. It's the online version of a
 really big, important and excellent German magazine, and it's not good to
 block messages containing this domain if you don't want to also block the
 flow of legit information. The same for "h eise.de".

 http://www.h eise.de/newsticker/meldung/59562
 for example contains a short description of what's going on and also some
 user comments from people who have posted their SpamAssassin and Postfix
 filter files for this type of spam:
 http://www.h eise.de/newsticker/foren/go.shtml?forum_id=78695&list=1&hs=0&c=7992164

 On the other side there are also links like "n pd.de", and I fear this is
 also the source of this spam campaign. It's a German party, fortunately not
 really large but unfortunately growing. The idea behind this party: look
 back 60-70 years in German history.  :-/

 Markus

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of
  Darrell ([EMAIL PROTECTED])
  Sent: Sunday, May 15, 2005 4:27 PM
  To: Declude.JunkMail@declude.com
  Subject: Re: [Declude.JunkMail] German political spam

  Actually, looking at this again I checked yesterday's log
  files.  It seems that most of the domains were starting to be
  caught on SURBL and other URI lists around 8pm Eastern.

  2005-05-14 20:02:57.171 2005-05-14 20:02:57.296 E:\IMAIL\SPOOL\D91ACBA660122CE0A.SMD rocknord.de 127.0.0.4 on multi.surbl.org [4] [Total Weight=2]
  2005-05-14 21:47:07.609 2005-05-14 21:47:08.828 E:\IMAIL\SPOOL\DAA10CCE60118147C.SMD spiegel.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]
  2005-05-14 21:48:01.046 2005-05-14 21:48:02.328 E:\IMAIL\SPOOL\DAA4D12BC0264FFE5.SMD npd.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]
  2005-05-14 21:50:54.968 2005-05-14 21:50:55.281 E:\IMAIL\SPOOL\DAAFBBD960122AAD1.SMD rp-online.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]

  Darrell
  ---
  invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with
  the default configuration. Download a copy today -
  http://www.invariantsystems.com

  - Original Message -
  From: "Darrell ([EMAIL PROTECTED])" [EMAIL PROTECTED]
  To: Declude.JunkMail@declude.com
  Sent: Sunday, May 15, 2005 10:02 AM
  Subject: Re: [Declude.JunkMail] German political spam

   Markus,

   I have noticed that most of these messages at the start of this campaign
   were getting caught on SURBL using invURIBL.  Do you know anything about
   that domain listed below?

   2005-05-15 00:19:19.890 2005-05-15 00:19:19.968 E:\IMAIL\SPOOL\DCDC4C1BB006E894A.SMD libasoli.de 127.0.0.2 on multi.surbl.org [2] [Total Weight=7]

   Darrell

   ---
   invURIBL - Intelligent URI Filtering.  Stops 85%+ SPAM with the default
   configuration. Download a copy today - http://www.invariantsystems.com

   - Original Message -
   From: "Markus Gufler" [EMAIL PROTECTED]
   To: Declude.JunkMail@declude.com
   Sent: Sunday, May 15, 2005 3:37 AM
   Subject: RE: [Declude.JunkMail] German political spam

     Anyone else getting hit with massive waves of German spam as
     a byproduct of modified Sober code continuing from around 2
     pm EDT today, or am I 'unique' in this?

    Update:
    I've noted that this type of message always fails CMDSPACE.

    Please take care: the links that are part of the message body have
    nothing to do with the initiator(s) of these messages.

    For example:
    www.heise.de is an important German computer magazine and always strives
    to announce security risks, spam techniques and so on.
    www.spiegel.de is a big German magazine and I'm 100% sure that it has
    nothing to do with t

RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Nick
On 15 May 2005 at 18:07, Markus Gufler wrote:

 The direct link for the SpamAssassin filter file is
 http://www.filterregel.de.vu/rassistische_mails_2.cf
Thank you Markus!

 -Nick



Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Bill Landry
Here's another one:
http://mailscanner.prolocation.net/german.cf
Bill
- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 9:07 AM
Subject: RE: [Declude.JunkMail] German political spam


The direct link for spamassassins filter file is
http://www.filterregel.de.vu/rassistische_mails_2.cf
Markus


RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Nick
On 15 May 2005 at 18:41, Markus Gufler wrote:

Excellent - good job and thanks for sharing! 

-Nick

 Ok, I've added all subject line patterns (mine, Marc's, Nick's and both
 SpamAssassin cf-files) to one Declude filter file.
 
 Please note that I've commented out the h eise.de and s piegel.de body
 filter lines and also that I use a weight of 200.
 
 Markus
 




RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Dave Marchette
Correct. And along those lines, two thoughts come to mind.  

1  Many of your users may see hundreds (maybe thousands) of 
nondeliverable\unknown user bounces.  'Damage control Monday' should be fun 
this week.

  and

2  For those of you using whitelists of From: addresses or entire @domains in 
Declude (not a best practice but still done often, I'd guess), your 
spam filters won't catch a fair chunk of the spam since you might be 
whitelisting your industry-specific domains.  Sniffer, for instance, is catching 
most of these with 060, a fact which rapidly approaches irrelevance if you are 
whitelisting the From: @domain.com of any of your related industries.

Just a few pre-caffeine random thoughts for a Sunday morning. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Nick
Sent: Sunday, May 15, 2005 8:28 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] German political spam


On 15 May 2005 at 10:50, Marc Catuogno wrote:

 I am seeing randomized addresses, but they seem to be from related
 industries.  We are in real-estate, the address are random then @
 other real-estate companies, title companies, etc.
Good observation - all of the ones I have received have come from 
medical - educational targeting a large physician database we host.

Seems to be a very sophisticated campaign - of which at least 90% so 
far are coming from clean domains/clean IPs.  Maybe someone, Matt?, 
can figure out some sort of pattern we can target from the spamware?

-Nick
 


Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Matt
Nick wrote:
Seems to be a very sophisticated campaign - of which at least 90% so 
far are coming from clean domains/clean IPs.  Maybe someone, Matt?, 
can figure out some sort of pattern we can target from the spamware?
 

I could code up a quick external test in VBScript that would capture 
this stuff regardless of the subject or the exact payload, but I'm not 
going to bother for the time being because the subject filters are 
working nicely and I didn't get any reports of leakage yet.  My 
recollection of the same guys doing this last year was that it was 
short-lived and it might go away as soon as it appears.  The subject 
filters are also a good way to catch the backscatter (use a CONTAINS 
filter).

Sniffer seems to be catching most if not all of it and it also seems to 
always fail HELOBOGUS because the HELO is randomized.  I have another 
filter that adds more points when both occur at the same time (along 
with many other patterns), so I don't think that this stuff is getting 
through so long as I get Sniffer hitting it or they just so happen to 
hit a valid HELO when randomizing.  With the volumes that they are 
pushing out, almost all of the source IP's will end up SpamCopped or 
CBL'd quite quickly.  Their generally clean IP's early on are likely the 
result of using newly infected Sober zombies that are fresh enough to 
have not yet been used for spamming.

I have also noted that most of the addresses being used are 
non-existent, so if people have nobody aliases, they should strongly 
consider removing them, or if they have gateways that aren't doing 
address validation, this should be a kick in the pants to do so.  There 
are clearly massive dictionary attacks involved with this.

Matt
--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=


RE: [Declude.JunkMail] German political spam

2005-05-15 Thread Markus Gufler


 Correct. And along those lines, two thoughts come to mind.  
 
 1  Many of your users may see hundreds(maybe thousands) of 
 nondeliverable\unknown user bounces.  'Damage control Monday' 
 should be fun this week.

Strange, but at the moment I can see only a very low number of NDRs.
Some NDRs are filtered by the same subject line filters if the bouncing MTA
keeps the original subject line in the subject. Maybe we have to change
our filters to look for the known patterns also in the body. 
There are only some NDRs having the original message as attachment and some
other challenge/response messages.

What do you think about body-filtering the already known subject lines in
order to prevent NDR-overfilled mailboxes tomorrow?

BTW: A large part of Italy, Austria, Germany and maybe others have this
Monday off, so I believe the spammers have chosen this date well.

Markus



Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Robert
Question..
If this message fails the test and I were to have it set to delete the
message, would the message create a postmaster bounce for non-existing
users, or just delete the message?

Robert Whitaker
The Modem Pool


- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 3:00 PM
Subject: RE: [Declude.JunkMail] German political spam




  Correct. And along those lines, two thoughts come to mind.
 
  1  Many of your users may see hundreds(maybe thousands) of
  nondeliverable\unknown user bounces.  'Damage control Monday'
  should be fun this week.

 Strange, but at the moment I can see only a very low number of NDRs.
 Some NDRs are filtered by the same subject line filters if the bouncing MTA
 keeps the original subject line in the subject. Maybe we have to change
 our filters to look for the known patterns also in the body.
 There are only some NDRs having the original message as attachment and some
 other challenge/response messages.

 What do you think about body-filtering the already known subject lines in
 order to prevent NDR-overfilled mailboxes tomorrow?

 BTW: A large part of Italy, Austria, Germany and maybe others have this
 Monday off, so I believe the spammers have chosen this date well.

 Markus



Re[2]: [Declude.JunkMail] German political spam

2005-05-15 Thread Sanford Whiteman
 If  this  message  fails the test and I was to have it set to delete
 the message, Would the message create a postmaster for non exsisting
 users? or just delete the message?

The  only reason _any_ post-delivery DSNs would be generated is if you
specifically are choosing to use the BOUNCEONLYIFYOUMUST option. And a
Declude  DELETE  action  applied  to  a  user  fires  before the IMail
delivery process is attempted, by definition and common sense.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/



Re: Re[2]: [Declude.JunkMail] German political spam

2005-05-15 Thread Robert
Thanks,

Robert

- Original Message -
From: Sanford Whiteman [EMAIL PROTECTED]
To: Robert Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 4:54 PM
Subject: Re[2]: [Declude.JunkMail] German political spam


  If  this  message  fails the test and I was to have it set to delete
  the message, Would the message create a postmaster for non exsisting
  users? or just delete the message?

 The  only reason _any_ post-delivery DSNs would be generated is if you
 specifically are choosing to use the BOUNCEONLYIFYOUMUST option. And a
 Declude  DELETE  action  applied  to  a  user  fires  before the IMail
 delivery process is attempted, by definition and common sense.

 --Sandy


 
 Sanford Whiteman, Chief Technologist
 Broadleaf Systems, a division of
 Cypress Integrated Systems, Inc.
 e-mail: [EMAIL PROTECTED]

 SpamAssassin plugs into Declude!
   http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

 Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
   http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
   http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/



Re: [Declude.JunkMail] German political spam

2005-05-15 Thread Scott Fisher
I cloned the subject lines and added them in this format to help combat the 
bounces:
BODY 150 CONTAINS SUBJECT: (Markus's subjects)

- Original Message - 
From: Markus Gufler [EMAIL PROTECTED]
To: Declude.JunkMail@declude.com
Sent: Sunday, May 15, 2005 11:41 AM
Subject: RE: [Declude.JunkMail] German political spam


Ok, I've added all subject line patterns (mine, Marc's, Nick's and both
SpamAssassin cf-files) to one Declude filter file.
Please note that I've commented out the h eise.de and s piegel.de body
filter lines and also that I use a weight of 200.
Markus
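The body-filter trick Scott describes above, and the question Markus raised earlier about filtering the known subject lines in the body to catch NDRs, as an added worked example that is not code from any post in this thread and not Declude's own code. It generates filter lines in the `BODY <weight> CONTAINS Subject: <text>` form Scott posted and in an assumed matching `SUBJECT <weight> CONTAINS <text>` form (check that against your Declude documentation), using the weights mentioned in the thread (200 for subject, 150 for body), and then runs a small case-insensitive model of CONTAINS over three constructed messages: a direct campaign message, a bounce whose MTA replaced the subject but embedded the original headers in the body, and a legitimate message that merely shares a few words. The subject lines, addresses and message texts are all constructed placeholders.

```python
# Added example (not code from any post in this thread or from Declude):
# generate Declude-style filter lines from known campaign subjects and
# show, on constructed messages, why the BODY form is needed for backscatter.

KNOWN_SUBJECTS = [
    # Constructed placeholders; the real pattern lists are linked in the thread.
    "Sample Campaign Subject Alpha",
    "Sample Campaign Subject Beta",
]


def declude_filter_lines(subjects, subject_weight=200, body_weight=150):
    """One SUBJECT line and one BODY line per known subject.

    'BODY <weight> CONTAINS Subject: <text>' is the form Scott posted for
    catching bounces that carry the original message in the body.  The
    'SUBJECT <weight> CONTAINS <text>' form is assumed here to follow the
    same <FIELD> <weight> CONTAINS <text> shape; verify before deploying.
    """
    lines = []
    for subject in subjects:
        lines.append(f"SUBJECT {subject_weight} CONTAINS {subject}")
        lines.append(f"BODY {body_weight} CONTAINS Subject: {subject}")
    return lines


def split_message(raw):
    """Return (Subject header value, body) for a raw RFC 822 style message.

    Headers end at the first empty line; only the Subject header is needed.
    """
    head, _, body = raw.partition("\n\n")
    subject = ""
    for line in head.splitlines():
        if line.lower().startswith("subject:"):
            subject = line.split(":", 1)[1].strip()
    return subject, body


def score_message(raw, subjects, subject_weight=200, body_weight=150):
    """Model of how the generated lines would score a message.

    Case-insensitive substring match (a model of CONTAINS, not Declude's
    engine).  Returns (total weight, list of (field, subject) hits).
    """
    subject, body = split_message(raw)
    score, hits = 0, []
    for known in subjects:
        if known.lower() in subject.lower():
            score += subject_weight
            hits.append(("SUBJECT", known))
        if f"subject: {known}".lower() in body.lower():
            score += body_weight
            hits.append(("BODY", known))
    return score, hits


# Constructed samples.  The NDR is the case Markus raised: the bouncing MTA
# replaced the subject, so only the copy of the original headers in the body
# still carries the campaign subject.
DIRECT_SPAM = (
    "From: someone@example.net\n"
    "To: user@example.org\n"
    "Subject: Sample Campaign Subject Alpha\n"
    "\n"
    "Body of the spam.\n"
)

NDR_WITH_ORIGINAL = (
    "From: MAILER-DAEMON@example.com\n"
    "To: forged-sender@example.org\n"
    "Subject: Mail delivery failed: returning message to sender\n"
    "\n"
    "This message was created automatically by mail delivery software.\n"
    "\n"
    "------ This is a copy of the message, including all the headers. ------\n"
    "From: forged-sender@example.org\n"
    "Subject: Sample Campaign Subject Alpha\n"
    "\n"
    "Body of the spam.\n"
)

LEGIT = (
    "From: colleague@example.org\n"
    "To: user@example.org\n"
    "Subject: Meeting notes\n"
    "\n"
    "Please review the sample campaign budget before Friday.\n"
)

if __name__ == "__main__":
    for line in declude_filter_lines(KNOWN_SUBJECTS):
        print(line)
    for name, raw in (("direct", DIRECT_SPAM), ("ndr", NDR_WITH_ORIGINAL), ("legit", LEGIT)):
        print(name, score_message(raw, KNOWN_SUBJECTS))
```

The direct message scores 200 through the SUBJECT line only; the bounce scores 150 through the BODY line only, which is exactly the message the subject filters alone would miss; the legitimate message scores 0 because the body filter is keyed on the whole `Subject: <text>` string rather than on loose words. Keep it that way: as Markus notes, body filters keyed on ordinary German news sites produce false positives, so the body patterns should stay tied to the full campaign subject lines.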


[Declude.JunkMail] German political spam

2005-05-14 Thread Dave Marchette
Anyone else getting hit with massive waves of German spam as a byproduct of 
modified Sober code continuing from around 2 pm EDT today, or am I 'unique' in 
this?  





RE: [Declude.JunkMail] German political spam

2005-05-14 Thread Glenn Zajicek
Yup, got hit with loads of 'em!

G.Z.


-- Original Message --
From: Dave Marchette [EMAIL PROTECTED]
Reply-To: Declude.JunkMail@declude.com
Date:  Sat, 14 May 2005 22:07:09 -0700

Anyone else getting hit with massive waves of German spam as a byproduct of 
modified Sober code continuing from around 2 pm EDT today, or am I 'unique' in 
this?  




Sent via the WebMail system at wcnet.net