Re: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Pete McNeil

On 7/23/2010 9:19 PM, Matt wrote:
I guess my point here is that they are both very high volume spammers, 
and they both randomize sufficiently so that blocking them requires 
blocking their domains and having the samples available, but putting 
in proactive rules will only last a short time.  What Sniffer may need 
is a better source of this spam.  Between the two, I believe I am 
getting about 15,000 each day.


Better sources are always good -- the sooner we see it the faster we can 
code solutions.


As it turns out all of the samples provided had current rules in place 
based on our standard vectors... so we are capturing these. My guess is 
that you're right and the timing of these attacks is important.


That said, I was able to find some structural vectors for the first 
group -- I've set up some abstracts based on those vectors and I'm 
waiting to see what the capture rates will be... If this approach is 
successful we should be able to preemptively defeat some of the next few 
campaigns. Then I will apply the same types of mechanisms to the other 
groups and see if we can generate some internal methodologies to evolve 
structural abstracts for these as we see new variants based on the 
successful models we've generated.


_M

--
President
MicroNeil Research Corporation
www.microneil.com

---
[This E-mail scanned for viruses by Declude]



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Matt
I guess my point here is that they are both very high volume spammers, 
and they both randomize sufficiently so that blocking them requires 
blocking their domains and having the samples available, but putting in 
proactive rules will only last a short time.  What Sniffer may need is a 
better source of this spam.  Between the two, I believe I am getting 
about 15,000 each day.


Matt



On 7/23/2010 8:00 PM, Pete McNeil wrote:


On 7/23/2010 6:37 PM, Matt wrote:

Pete,

Will do.  I call this spammer Whitestone,


Much appreciated. I'll take a closer look with the team to see what we 
can do to close these guys down better.


Thanks!

_M




Re: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Pete McNeil

On 7/23/2010 6:37 PM, Matt wrote:

Pete,

Will do.  I call this spammer Whitestone,


Much appreciated. I'll take a closer look with the team to see what we 
can do to close these guys down better.


Thanks!

_M

--
President
MicroNeil Research Corporation
www.microneil.com


Re: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Matt

Pete,

Will do.  I call this spammer Whitestone, but there is another very 
prolific spammer that also has the same volume named BlooSky Interactive 
(real company name) that is also frequently missed.  I'm guessing that 
they aren't landing in spam traps to the same degree as some others, or 
your rules trail far enough behind that their constant supply of domains 
and IPs is avoiding detection early on in campaigns.


I have a personal account that is hardly used which gets hit by both.  
This account is sent around 350 spams per day, probably around 50 to 75 
of which come from the two named above.  The problem with Whitestone is 
that they recently started changing their construction.  Here is the 
former linking pattern which you will probably recognize:


http://igw197.adtranslate.com/25_2_6966868_7B3431155618.htm
http://fy238.employedreas.com/934_2_338710_649866459330.htm
http://hbo5.personnelcha.com/32_2_7700225_5D5C3538530.htm

The new linking pattern is like so:


http://mail.latrecultradatabase.net/5767cb88bdaeba8b31221108277c5693307034
http://mail.eqxosuperiorweb.net/4656ba77ac9da9c7314012dd52c007874f85f5
http://mail.eqxoexpertsolutions.net/5767cb88bdaeba6d313518f54ac7ba8f750287

I believe they may actually have two different header patterns now, one 
randomized, and the other one with that NextPart boundary, though I 
can't say for sure if they are the same spammer or not.


BlooSky Interactive has the following linking pattern (though it is 
obfuscated and therefore not reliable to track):


http://bnqjy.fumblingmetal.info/pfjc/jnmqn/fjr/
http://smhg.thelincolnfield.com/yhdmy/nywcvpchyt/
http://dmyjyo.jollyevent.info/fjrhz/mqstjr/

Matt




On 7/23/2010 3:05 PM, Pete McNeil wrote:


On 7/23/2010 2:29 PM, Matt wrote:
This spammer accounts for about 7% of all E-mail that makes it to my 
deep scanning layer.  Sniffer seems to miss a good deal of their 
spam, so there isn't much protection from it otherwise. 


Matt -- Is it possible for you to zip up some samples from this guy 
and send them to me? I would like to do a deeper analysis of the 
things we've missed from them to see how we can improve our capture 
rate and understand how the normal process might be improved.


Thanks!

_M




RE: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Scott Fisher
To second Matt's comment about this spammer's volume, I'm a pretty small
email fry, but I've seen 337 emails from this spammer today. Very prolific.

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, July 23, 2010 1:30 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Regex to block this?


I strongly suggest not doing this exact test.  Scott's is more refined, 
however it's still not refined enough to not have false positives.

This spammer is better caught by his boundary, for example:

 Content-type: multipart/alternative; 
boundary="_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_"

You need to target the "_NextPart_" along with a long string of letters 
and numbers (and without underscores in between).  For instance, you 
would search the headers for the following:

 boundary="_NextPart_[A-Za-z0-9]{20,}_"

The bad news is that this particular spammer has changed their pattern 
twice in the last two months after being fixed for over a year, so this 
detection will likely be short-lived as the spammer is figuring out how 
to randomize.  This spammer accounts for about 7% of all E-mail that 
makes it to my deep scanning layer.  Sniffer seems to miss a good deal 
of their spam, so there isn't much protection from it otherwise.

Matt




RE: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Scott Fisher
Most of my samples don't have a boundary, just plain text.

Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline



-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, July 23, 2010 1:30 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Regex to block this?


I strongly suggest not doing this exact test.  Scott's is more refined, 
however it's still not refined enough to not have false positives.

This spammer is better caught by his boundary, for example:

 Content-type: multipart/alternative; 
boundary="_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_"

You need to target the "_NextPart_" along with a long string of letters 
and numbers (and without underscores in between).  For instance, you 
would search the headers for the following:

 boundary="_NextPart_[A-Za-z0-9]{20,}_"

The bad news is that this particular spammer has changed their pattern 
twice in the last two months after being fixed for over a year, so this 
detection will likely be short-lived as the spammer is figuring out how 
to randomize.  This spammer accounts for about 7% of all E-mail that 
makes it to my deep scanning layer.  Sniffer seems to miss a good deal 
of their spam, so there isn't much protection from it otherwise.

Matt





Re: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Pete McNeil

On 7/23/2010 2:29 PM, Matt wrote:
This spammer accounts for about 7% of all E-mail that makes it to my 
deep scanning layer.  Sniffer seems to miss a good deal of their spam, 
so there isn't much protection from it otherwise. 


Matt -- Is it possible for you to zip up some samples from this guy and 
send them to me? I would like to do a deeper analysis of the things 
we've missed from them to see how we can improve our capture rate and 
understand how the normal process might be improved.


Thanks!

_M

--
President
MicroNeil Research Corporation
www.microneil.com


Re: [Declude.JunkMail] Regex to block this?

2010-07-23 Thread Matt
I strongly suggest not doing this exact test.  Scott's is more refined, 
however it's still not refined enough to not have false positives.


This spammer is better caught by his boundary, for example:

Content-type: multipart/alternative; 
boundary="_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_"


You need to target the "_NextPart_" along with a long string of letters 
and numbers (and without underscores in between).  For instance, you 
would search the headers for the following:

boundary="_NextPart_[A-Za-z0-9]{20,}_"

The bad news is that this particular spammer has changed their pattern 
twice in the last two months after being fixed for over a year, so this 
detection will likely be short-lived as the spammer is figuring out how 
to randomize.  This spammer accounts for about 7% of all E-mail that 
makes it to my deep scanning layer.  Sniffer seems to miss a good deal 
of their spam, so there isn't much protection from it otherwise.


Matt



On 7/20/2010 11:42 AM, Dave Beckstrom wrote:

Thanks.  David's regex worked well.  I'll give the fine tuning a try.

Also, all of this spammer's domains are in DNS servers ns1.domainsite.com -
ns4.domainsite.com.

I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here

(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38}">)

-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Tuesday, July 20, 2010 8:00 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Regex to block this?


I'm getting hit by one spammer who manages to get through most of my
filters.  His spam consistently uses the format of:

href="http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5"
http://gcc128.blinksroads.com/images/157286c08.jpg

How would I write a regex that would look for .com/ followed by a string of
garbage with no .htm or other web extension on the end?
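Added example, not code from the thread nor from Declude or Sniffer: the two vectors discussed in this thread, run over constructed sample messages in Python. The first is David's URL test for a 37- or 38-hex-digit path with nothing after it, written here so it also works on plain-text bodies rather than only on href="..." links (Scott's samples have no boundary and no HTML), with the hex run anchored to a delimiter or end of text so that a longer hash or a ".htm" suffix does not match. The second is Matt's _NextPart_ boundary test with the bracket corrected to [A-Za-z0-9], since the boundary he quotes is mixed-case. The example also decodes the boundary token as unpadded base64, which yields a 32-character hex digest; that is an observation made for this example, not something the thread states. The boundary string, host names and URL paths in the samples are the ones quoted in the thread; the addresses and the body text around them are invented.

```python
from __future__ import annotations

import base64
import binascii
import re
from email import message_from_string

# David's URL vector from the thread, generalized to plain-text bodies (no
# href="..." wrapper): the 37/38 hex digits must end the path, i.e. be followed
# by a delimiter or end of text, so a longer hash or a ".htm" suffix does not
# match, and the digits stay lowercase as observed in the thread.
HEX_PATH_RE = re.compile(
    r"""https?://[\w.-]+\.(?:com|info|net)/[a-f0-9]{37,38}(?=["'\s<>)]|$)""",
    re.ASCII,
)

# Matt's boundary vector with the bracket fixed: the quoted sample boundary is
# mixed-case base64, so the class is [A-Za-z0-9], not (a-z0-9).
NEXTPART_RE = re.compile(r"_NextPart_([A-Za-z0-9]{20,})_")


def find_hex_paths(text: str) -> list[str]:
    """Return every URL whose path is exactly 37 or 38 lowercase hex digits."""
    return HEX_PATH_RE.findall(text)


def decode_boundary_token(token: str) -> str | None:
    """Decode the run between "_NextPart_" and the trailing underscore.

    The token is unpadded base64; if it decodes to 32 lowercase hex characters
    (MD5 length) the boundary was built from a hash, which is the stable shape
    to key on since the characters change per message. (Observation made for
    this example; the thread does not state it.)
    """
    padded = token + "=" * (-len(token) % 4)
    try:
        decoded = base64.b64decode(padded).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if re.fullmatch(r"[0-9a-f]{32}", decoded) else None


def classify(raw: str) -> dict:
    """Run both vectors over one RFC 822 message and report which fired."""
    msg = message_from_string(raw)
    hits: list[str] = []
    evidence: dict = {}

    match = NEXTPART_RE.fullmatch(msg.get_boundary() or "")
    if match:
        hits.append("nextpart_boundary")
        evidence["boundary_digest"] = decode_boundary_token(match.group(1))

    urls: list[str] = []
    for part in msg.walk():  # containers are skipped, text parts are scanned
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            urls.extend(find_hex_paths(payload.decode("utf-8", errors="replace")))
    if urls:
        hits.append("hex_path")
        evidence["urls"] = urls
    return {"hits": hits, "evidence": evidence}


# Constructed samples: the boundary, host names and URL paths are the ones
# quoted in the thread; addresses and body text are made up here.
BOUNDARY = "_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_"

SAMPLE_MULTIPART = f"""From: offers@example.invalid
Content-type: multipart/alternative; boundary="{BOUNDARY}"

--{BOUNDARY}
Content-Type: text/html

<a href="http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5">
<img src="http://gcc128.blinksroads.com/images/157286c08.jpg"></a>
--{BOUNDARY}--
"""

# Scott's case: plain text with no boundary, so only the URL vector can fire.
SAMPLE_PLAIN = """From: offers@example.invalid
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline

Have a look:
http://mail.eqxosuperiorweb.net/4656ba77ac9da9c7314012dd52c007874f85f5
"""

# Legitimate mail: a 40-digit commit hash and a hex path ending in ".htm".
# Neither vector should fire.
SAMPLE_LEGIT = """From: dev@example.invalid
Content-Type: text/plain; charset=us-ascii

Release is tagged at
https://git.example.com/0123456789abcdef0123456789abcdef01234567
and the old report is http://reports.example.net/5768cbbeb6bba86c3157116a6de8e54b31dab5.htm
"""

if __name__ == "__main__":
    for name, raw in (("multipart", SAMPLE_MULTIPART), ("plain", SAMPLE_PLAIN), ("legit", SAMPLE_LEGIT)):
        print(name, classify(raw))
```

Run the file directly to print each sample's result. In a filter such as Declude's, the two tests are better kept as separate weighted rules than as one hard block: Matt notes that neither pattern alone is refined enough to rule out false positives, and the boundary test cannot fire at all on the plain-text variant Scott reports.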