Re: [sniffer] Latest medication campaign
Quick update. I found a few false positives (about 1 in 50,000 messages) and as a result I modified things a little and added a few more checks for supposedly rather unique patterns. The new version is attached. Unless there is a problem I probably won't update it any more, but I felt that it was a good idea to share the update to prevent the possibility of problems. The new version is attached.

Matt

Matt wrote:
> Attached is something that I coded up last night for this guy. It's designed to be not totally dependent on one pattern so that it might have some longevity. His forging of a Microsoft format is quite good, but he does make mistakes and does leave patterns, some of which can be tagged with a standard Declude filter, but VBScript could do it even better and even less specifically. Nevertheless, this filter hits 100% of the time right now, levies very heavy points despite being variable, and I haven't seen a false positive yet due to the way that it was designed to operate. Note, the scores are based on a system that holds at a score of 10.
>
> Matt

--- Global.cfg ---
FORGEDPILLSPAMMER filter C:\IMail\Declude\Filters\ForgedPillSpammer.txt x 50

--
= MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
# FORGEDPILLSPAMMER v1.0.1
SKIPIFWEIGHT 40
MINWEIGHTTOFAIL 5
# Disable when it comes from an IP that is in the MX record just for safety since this targets zombies.
TESTSFAILED END NOTCONTAINS IPNOTINMX
# Prerequisites for spam pattern. Note that the spammer is near perfect for the headers.
HEADERS END NOTCONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V
HEADERS END NOTCONTAINS To: "
HEADERS END NOTCONTAINS From: "
BODY END NOTCONTAINS - Original Message -
# Dead giveaway for Pharmacy spam (non-obfuscated part).
BODY 3 CONTAINS yByMail
BODY 3 CONTAINS By-Mail
BODY 3 CONTAINS ByMAlL
BODY 1 CONTAINS By MAIL S
# This line is too long for Outlook in quoted-printable format.
BODY 3 CONTAINS
# Subject is always Re:.
HEADERS 1 CONTAINS Subject: Re:
# Body does text/html as us-ascii.
BODY 1 CONTAINS Content-Type: text/html; charset="us-ascii"
# Quoted-printable line ended too early in body
BODY 3 CONTAINS > Hello, = Would
# Text or code patterns uncommon in Outlook generated E-mails
BODY 1 CONTAINS save up to
BODY 1 CONTAINS on the Net!
BODY 1 CONTAINS size=3D4> C
BODY 1 CONTAINS and many
BODY 1 CONTAINS
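To make the mechanics of a filter like Matt's concrete, here is a small Python model of how a Declude-style filter file is evaluated, run over a few constructed messages. This is an added example, not code from the thread and not Declude's own implementation: the semantics of END (stop the filter and keep whatever weight has accumulated), case-insensitive matching, and the handling of SKIPIFWEIGHT and MINWEIGHTTOFAIL are my reading of the rule format, the rule set is a working subset of the FORGEDPILLSPAMMER lines quoted above, and the sample headers, bodies and the X-MimeOLE version string are made up.

```python
"""Toy evaluator for Declude-style filter files (constructed example, not Declude).
Rule lines are modelled as  WHERE WEIGHT TYPE STRING:  WHERE is HEADERS, BODY or
TESTSFAILED; WEIGHT is an integer added on a match, or END, which on a match stops the
filter and keeps the weight accumulated so far; TYPE is CONTAINS or NOTCONTAINS
(case-insensitive substring test). END and case handling are assumed semantics."""
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, Optional[int], str, str]  # (where, weight or None for END, type, string)

class FilterFile:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.skip_if_weight: Optional[int] = None
        self.min_weight_to_fail = 1

def parse_filter(text: str) -> FilterFile:
    """Parse '#' comments, the two directives and the rule lines."""
    ff = FilterFile()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split(None, 1)[0].upper()
        if key == "SKIPIFWEIGHT":
            ff.skip_if_weight = int(line.split(None, 1)[1])
        elif key == "MINWEIGHTTOFAIL":
            ff.min_weight_to_fail = int(line.split(None, 1)[1])
        else:
            parts = line.split(None, 3)
            if len(parts) != 4:  # a rule with no search string is malformed
                raise ValueError(f"malformed rule: {raw!r}")
            where, weight, kind, needle = parts
            ff.rules.append((where.upper(), None if weight.upper() == "END" else int(weight),
                             kind.upper(), needle))
    return ff

def evaluate(ff: FilterFile, headers: str, body: str,
             tests_failed: str = "", incoming_weight: int = 0) -> Tuple[int, bool]:
    """Return (weight this filter adds, whether it fails the message)."""
    if ff.skip_if_weight is not None and incoming_weight >= ff.skip_if_weight:
        return 0, False  # message is already heavy enough; the filter is not run
    haystack = {"HEADERS": headers, "BODY": body, "TESTSFAILED": tests_failed}
    total = 0
    for where, weight, kind, needle in ff.rules:
        found = needle.lower() in haystack[where].lower()
        if found != (kind == "CONTAINS"):
            continue  # this line did not match
        if weight is None:
            break  # END: a prerequisite is absent, stop with what has accumulated
        total += weight
    return total, total >= ff.min_weight_to_fail

# A working subset of the FORGEDPILLSPAMMER rules quoted in the thread.
FILTER_TEXT = """\
SKIPIFWEIGHT 40
MINWEIGHTTOFAIL 5
# Safety: only score mail whose sending IP is not one of our own MX hosts.
TESTSFAILED END NOTCONTAINS IPNOTINMX
# Prerequisites: the forged Outlook reply shape must be present, or stop.
HEADERS END NOTCONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V
HEADERS END NOTCONTAINS To: "
HEADERS END NOTCONTAINS From: "
BODY END NOTCONTAINS - Original Message -
# Scoring lines.
BODY 3 CONTAINS By-Mail
HEADERS 1 CONTAINS Subject: Re:
BODY 1 CONTAINS Content-Type: text/html; charset="us-ascii"
BODY 1 CONTAINS save up to
BODY 1 CONTAINS on the Net!
"""

# Constructed sample messages (not real captures); the version string is made up.
OUTLOOK_HEADERS = ('From: "Alice Example" <alice@example.invalid>\n'
                   'To: "Bob Example" <bob@example.invalid>\n'
                   'Subject: Re: your order\n'
                   'X-MimeOLE: Produced By Microsoft MimeOLE V6.00.0000.0000\n')
OTHER_CLIENT_HEADERS = OUTLOOK_HEADERS.split("X-MimeOLE")[0]  # same mail, no MimeOLE header
FORGED_BODY = ('Content-Type: text/html; charset="us-ascii"\n\n'
               'Pharmacy By-Mail: save up to 80% on the Net!\n'
               '----- Original Message -----\n')
GENUINE_BODY = ('Content-Type: text/plain; charset="iso-8859-1"\n\n'
                'Thanks, see you Thursday.\n----- Original Message -----\n')

def demo() -> Dict[str, Tuple[int, bool]]:
    """Run the filter over each scenario; returns name -> (weight, failed)."""
    ff = parse_filter(FILTER_TEXT)
    return {
        "forged reply, non-MX sender": evaluate(ff, OUTLOOK_HEADERS, FORGED_BODY, "IPNOTINMX"),
        "forged reply, from our MX": evaluate(ff, OUTLOOK_HEADERS, FORGED_BODY, ""),
        "genuine Outlook reply": evaluate(ff, OUTLOOK_HEADERS, GENUINE_BODY, "IPNOTINMX"),
        "other client, same words": evaluate(ff, OTHER_CLIENT_HEADERS, FORGED_BODY, "IPNOTINMX"),
        "already at weight 45": evaluate(ff, OUTLOOK_HEADERS, FORGED_BODY, "IPNOTINMX", 45),
    }

if __name__ == "__main__":
    for name, (weight, failed) in demo().items():
        print(f"{name:30s} weight={weight:2d}  {'FAIL' if failed else 'pass'}")
```

Running it shows why the prerequisite lines carry END instead of a weight: the forged reply from a non-MX address reaches 7 and fails, while a message from another mail client carrying the very same "save up to" wording scores 0 because the filter stops at the first missing prerequisite, and the same forged message delivered by one of our own MX hosts is never scored at all. The "- Original Message -" marker, which John T notes SpamCheck rewards with -25, is used here as a gate rather than a counterweight, so a forged reply earns nothing for imitating one.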
Re: [sniffer] Latest medication campaign
Attached is something that I coded up last night for this guy. It's designed to be not totally dependent on one pattern so that it might have some longevity. His forging of a Microsoft format is quite good, but he does make mistakes and does leave patterns, some of which can be tagged with a standard Declude filter, but VBScript could do it even better and even less specifically. Nevertheless, this filter hits 100% of the time right now, levies very heavy points despite being variable, and I haven't seen a false positive yet due to the way that it was designed to operate. Note, the scores are based on a system that holds at a score of 10.

Matt

--- Global.cfg ---
FORGEDPILLSPAMMER filter C:\IMail\Declude\Filters\ForgedPillSpammer.txt x 50

--
= MailPure custom filters for Declude JunkMail Pro. http://www.mailpure.com/software/ =
# FORGEDPILLSPAMMER v1.0.0
SKIPIFWEIGHT 40
MINWEIGHTTOFAIL 5
# Disable when it comes from an IP that is in the MX record just for safety since this targets zombies.
TESTSFAILED END NOTCONTAINS IPNOTINMX
# Prerequisites for spam pattern. Note that the spammer is near perfect for the headers.
HEADERS END NOTCONTAINS X-MimeOLE: Produced By Microsoft MimeOLE V
HEADERS END NOTCONTAINS To: "
HEADERS END NOTCONTAINS From: "
BODY END NOTCONTAINS - Original Message -
# Dead giveaway for Pharmacy spam (non-obfuscated part).
BODY 3 CONTAINS yByMail
BODY 3 CONTAINS By-Mail
# This line is too long for Outlook in quoted-printable format.
BODY 3 CONTAINS
# Subject is always Re:.
HEADERS 1 CONTAINS Subject: Re:
# Body does text/html as us-ascii.
BODY 1 CONTAINS Content-Type: text/html; charset="us-ascii"
# Body contains empty Style tags.
BODY 1 CONTAINS
RE: [sniffer] Latest medication campaign
Something I noticed about these. They are all using RE: or FW: and in the body they have the original message line. SpamCheck had a line in the CheckWords giving negative 25 to that line. As such, SpamCheck was giving an overall weight of -19 which was taking away from everything else the message was failing.

John T
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
> Sent: Wednesday, April 13, 2005 10:36 AM
> To: sniffer@SortMonster.com
> Subject: RE: [sniffer] Latest medication campaign
>
> On the weekend and since, I saw a lot of them get through but Sniffer was dutifully catching them, unfortunately, they also served to highlight Sniffer hyperaccuracy because those messages just weren't reaching my HOLD weight.
>
> Check out the Message Sniffer change rates for the last few days:
>
> http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp
>
> Something is definitely going on. On Sunday, the blue line was almost the entire New Rule group.
>
> It started me thinking about making Sniffer my hold weight, and then only applying counterweights.
>
> Meanwhile, I've added SURBL-ish testing with a tiny Declude weight, but with a combo of the new test and any Sniffer hit, that seems to have made the difference. I've only seen 1 undeliverable end up in the postmaster box, and I've fixed why that happened (I set my skipweight for various Declude filter text tests too low, so they weren't getting run when the weight was close to my HOLD weight).
>
> So now it's back to the server room for me.
>
> Andrew 8)
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
> Sent: Wednesday, April 13, 2005 10:16 AM
> To: sniffer@SortMonster.com
> Subject: [sniffer] Latest medication campaign
>
> I am seeing a lot of these get through
>
> John T
> eServices For You
>
> This E-Mail came from the Message Sniffer mailing list. For information and (un)subscription instructions go to http://www.sortmonster.com/MessageSniffer/Help/Help.html
Re: [sniffer] Latest medication campaign
On Wednesday, April 13, 2005, 1:16:29 PM, John wrote:

JTL> I am seeing a lot of these get through

Can you be specific about "these"? Please send me a zipped plaintext or message file (to [EMAIL PROTECTED]).

Thanks,

_M
Re: [sniffer] Latest medication campaign
I noticed a significantly higher amount of spam get through in the last few days. A few of them got tagged but didn't reach my delete weight. I didn't notice if the majority were pharmaceuticals. I forwarded them all to Sniffer, then . . . DELETE.

G.Z.

- Original Message -
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, April 13, 2005 12:36 PM
Subject: RE: [sniffer] Latest medication campaign

On the weekend and since, I saw a lot of them get through but Sniffer was dutifully catching them, unfortunately, they also served to highlight Sniffer hyperaccuracy because those messages just weren't reaching my HOLD weight.

Check out the Message Sniffer change rates for the last few days:

http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

Something is definitely going on. On Sunday, the blue line was almost the entire New Rule group.

It started me thinking about making Sniffer my hold weight, and then only applying counterweights.

Meanwhile, I've added SURBL-ish testing with a tiny Declude weight, but with a combo of the new test and any Sniffer hit, that seems to have made the difference. I've only seen 1 undeliverable end up in the postmaster box, and I've fixed why that happened (I set my skipweight for various Declude filter text tests too low, so they weren't getting run when the weight was close to my HOLD weight).

So now it's back to the server room for me.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Wednesday, April 13, 2005 10:16 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Latest medication campaign

I am seeing a lot of these get through

John T
eServices For You
RE: [sniffer] Latest medication campaign
On the weekend and since, I saw a lot of them get through but Sniffer was dutifully catching them, unfortunately, they also served to highlight Sniffer hyperaccuracy because those messages just weren't reaching my HOLD weight.

Check out the Message Sniffer change rates for the last few days:

http://www.sortmonster.com/MessageSniffer/Performance/ChangeRates.jsp

Something is definitely going on. On Sunday, the blue line was almost the entire New Rule group.

It started me thinking about making Sniffer my hold weight, and then only applying counterweights.

Meanwhile, I've added SURBL-ish testing with a tiny Declude weight, but with a combo of the new test and any Sniffer hit, that seems to have made the difference. I've only seen 1 undeliverable end up in the postmaster box, and I've fixed why that happened (I set my skipweight for various Declude filter text tests too low, so they weren't getting run when the weight was close to my HOLD weight).

So now it's back to the server room for me.

Andrew 8)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff (Lists)
Sent: Wednesday, April 13, 2005 10:16 AM
To: sniffer@SortMonster.com
Subject: [sniffer] Latest medication campaign

I am seeing a lot of these get through

John T
eServices For You
[sniffer] Latest medication campaign
I am seeing a lot of these get through

John T
eServices For You