RE: [Declude.JunkMail] Regex to block this?
Flavour of the day: Relevant bits of the header: Received: from payoff.all-debt-forever.com [173.192.161.27] Subject: Stay on top of your credit report Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit Content-Disposition: inline Header has DKIM. Network allocation is: 173.192.161.16/28 to pikinetworks From the header you can see that the body will be plain text, not HTML. The payload link has 37 characters 0-9 and a-z: http://payoff.all-debt-forever.com/02138174505792882531178a7d79a040f797d The unsubscribe link has 33 characters 0-9 and a-z: http://payoff.all-debt-forever.com/78a7d79a040f797d40213817450579288 Andrew 8) -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Pete McNeil Sent: Friday, July 23, 2010 6:40 PM To: declude.junkmail@declude.com Subject: Re: [Declude.JunkMail] Regex to block this? On 7/23/2010 9:19 PM, Matt wrote: I guess my point here is that they are both very high volume spammers, and they both randomize sufficiently so that blocking them requires blocking their domains and having the samples available, but putting in proactive rules will only last a short time. What Sniffer may need is a better source of this spam. Between the two, I believe I am getting about 15,000 each day. Better sources are always good -- the sooner we see it the faster we can code solutions. As it turns out all of the samples provided had current rules in place based on our standard vectors... so we are capturing these. My guess is that you're right and the timing of these attacks is important. That said, I was able to find some structural vectors for the first group -- I've set up some abstracts based on those vectors and I'm waiting to see what the capture rates will be... If this approach is successful we should be able to preemptively defeat some of next few campaigns. Then I will apply the same types of mechanisms to the other groups and see if we can generate some internal methodologies to evolve structural abstracts for these as we see new variants based on the successful models we've generated. _M -- President MicroNeil Research Corporation www.microneil.com --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Regex to block this?
On 7/27/2010 2:10 PM, Colbeck, Andrew wrote: Flavour of the day: Relevant bits of the header: Received: from payoff.all-debt-forever.com [173.192.161.27] Subject: Stay on top of your credit report Thanks -- coded some rules, will be looking for abstract opportunities. Also coded several abstracts for new campaigns using the mail.spamdomain.net today and last night. _M -- President MicroNeil Research Corporation www.microneil.com --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Regex to block this?
I strongly suggest not doing this exact test. Scott's is more refined,
however it's still not refined enough to not have false positives.
This spammer is better caught by his boundary, for example:
Content-type: multipart/alternative;
boundary=_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_
You need to target the _NextPart_ along with a long string of letters
and numbers (and without underscores in between. For instance, you
would search the headers for the following:
boundary=_Nextpart_(a-z0-9){20,}_
The bad news is that this particular spammer has changed their pattern
twice in the last two months after being fixed for over a year, so this
detection will likely be short-lived as the spammer is figuring out how
to randomize. This spammer accounts for about 7% of all E-mail that
makes it to my deep scanning layer. Sniffer seems to miss a good deal
of their spam, so there isn't much protection from it otherwise.
Matt
On 7/20/2010 11:42 AM, Dave Beckstrom wrote:
Thanks. David's regex worked well. I'll give the fine tuning a try.
Also, all of this spammer's domains are in DNS servers ns1.domainsite.com -
ns4.domainsite.com.
I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here
(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Tuesday, July 20, 2010 8:00 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Regex to block this?
I'm getting hit by one spammer who manages to get through most of my
filters. His spam consistently uses the format of:
a
href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5;
img src=http://gcc128.blinksroads.com/images/157286c08.jpg;
How would I write a regex that would look for .com/ followed by a string
of
garbage with no .htm or other web extension on the end?
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] Regex to block this?
On 7/23/2010 2:29 PM, Matt wrote: This spammer accounts for about 7% of all E-mail that makes it to my deep scanning layer. Sniffer seems to miss a good deal of their spam, so there isn't much protection from it otherwise. Matt -- Is it possible for you to zip up some samples from this guy and send them to me? I would like to do a deeper analysis of the things we've missed from them to see how we can improve our capture rate and understand how the normal process might be improved. Thanks! _M -- President MicroNeil Research Corporation www.microneil.com --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Regex to block this?
Most of my samples don't have a boundary just plain text.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, July 23, 2010 1:30 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Regex to block this?
I strongly suggest not doing this exact test. Scott's is more refined,
however it's still not refined enough to not have false positives.
This spammer is better caught by his boundary, for example:
Content-type: multipart/alternative;
boundary=_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_
You need to target the _NextPart_ along with a long string of letters
and numbers (and without underscores in between. For instance, you
would search the headers for the following:
boundary=_Nextpart_(a-z0-9){20,}_
The bad news is that this particular spammer has changed their pattern
twice in the last two months after being fixed for over a year, so this
detection will likely be short-lived as the spammer is figuring out how
to randomize. This spammer accounts for about 7% of all E-mail that
makes it to my deep scanning layer. Sniffer seems to miss a good deal
of their spam, so there isn't much protection from it otherwise.
Matt
On 7/20/2010 11:42 AM, Dave Beckstrom wrote:
Thanks. David's regex worked well. I'll give the fine tuning a try.
Also, all of this spammer's domains are in DNS servers ns1.domainsite.com
-
ns4.domainsite.com.
I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here
(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Tuesday, July 20, 2010 8:00 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Regex to block this?
I'm getting hit by one spammer who manages to get through most of my
filters. His spam consistently uses the format of:
a
href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5;
img src=http://gcc128.blinksroads.com/images/157286c08.jpg;
How would I write a regex that would look for .com/ followed by a string
of
garbage with no .htm or other web extension on the end?
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] Regex to block this?
To second Matt's comment about this spammer's volume, I'm a pretty small
email fry, but I've seen 337 emails from this spammer today. Very prolific.
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Matt
Sent: Friday, July 23, 2010 1:30 PM
To: declude.junkmail@declude.com
Subject: Re: [Declude.JunkMail] Regex to block this?
I strongly suggest not doing this exact test. Scott's is more refined,
however it's still not refined enough to not have false positives.
This spammer is better caught by his boundary, for example:
Content-type: multipart/alternative;
boundary=_NextPart_Njg3YmQ3N2JiYzdlZGU3YzZlZmFhY2NhNGQwOWU2MTY_
You need to target the _NextPart_ along with a long string of letters
and numbers (and without underscores in between. For instance, you
would search the headers for the following:
boundary=_Nextpart_(a-z0-9){20,}_
The bad news is that this particular spammer has changed their pattern
twice in the last two months after being fixed for over a year, so this
detection will likely be short-lived as the spammer is figuring out how
to randomize. This spammer accounts for about 7% of all E-mail that
makes it to my deep scanning layer. Sniffer seems to miss a good deal
of their spam, so there isn't much protection from it otherwise.
Matt
On 7/20/2010 11:42 AM, Dave Beckstrom wrote:
Thanks. David's regex worked well. I'll give the fine tuning a try.
Also, all of this spammer's domains are in DNS servers ns1.domainsite.com
-
ns4.domainsite.com.
I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here
(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Tuesday, July 20, 2010 8:00 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Regex to block this?
I'm getting hit by one spammer who manages to get through most of my
filters. His spam consistently uses the format of:
a
href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5;
img src=http://gcc128.blinksroads.com/images/157286c08.jpg;
How would I write a regex that would look for .com/ followed by a string
of
garbage with no .htm or other web extension on the end?
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
Re: [Declude.JunkMail] Regex to block this?
Pete, Will do. I call this spammer Whitestone, but there is another very prolific spammer that also has the same volume named BlooSky Interactive (real company name) that is also frequently missed. I'm guessing that they aren't landing in spam traps to the same degree as some others, or your rules trail far enough behind that their constant supply of domains and IP's are avoiding detection early on in campaigns. I have a personal account that is hardly used which gets hit by both. This account is sent around 350 spams per day, probably around 50 to 75 of which come from the two named above. The problem with Whitestone is that they recently started changing their construction. Here is the former linking pattern which you will probably recognize: http://igw197.adtranslate.com/25_2_6966868_7B3431155618.htm http://fy238.employedreas.com/934_2_338710_649866459330.htm http://hbo5.personnelcha.com/32_2_7700225_5D5C3538530.htm The new linking pattern is like so: http://mail.latrecultradatabase.net/5767cb88bdaeba8b31221108277c5693307034 http://mail.eqxosuperiorweb.net/4656ba77ac9da9c7314012dd52c007874f85f5 http://mail.eqxoexpertsolutions.net/5767cb88bdaeba6d313518f54ac7ba8f750287 I believe they may actually have two different header patterns now, one randomized, and the other one with that NextPart boundary, though I can't say for sure if they are the same spammer or not. BlooSky Interactive has the following linking pattern (though it is obfuscated and therefore not reliable to track): http://bnqjy.fumblingmetal.info/pfjc/jnmqn/fjr/ http://smhg.thelincolnfield.com/yhdmy/nywcvpchyt/ http://dmyjyo.jollyevent.info/fjrhz/mqstjr/ Matt On 7/23/2010 3:05 PM, Pete McNeil wrote: On 7/23/2010 2:29 PM, Matt wrote: This spammer accounts for about 7% of all E-mail that makes it to my deep scanning layer. Sniffer seems to miss a good deal of their spam, so there isn't much protection from it otherwise. Matt -- Is it possible for you to zip up some samples from this guy and send them to me? I would like to do a deeper analysis of the things we've missed from them to see how we can improve our capture rate and understand how the normal process might be improved. Thanks! _M --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Regex to block this?
On 7/23/2010 6:37 PM, Matt wrote: Pete, Will do. I call this spammer Whitestone, Much appreciated. I'll take a closer look with the team to see what we can do to close these guys down better. Thanks! _M -- President MicroNeil Research Corporation www.microneil.com --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Regex to block this?
I guess my point here is that they are both very high volume spammers, and they both randomize sufficiently so that blocking them requires blocking their domains and having the samples available, but putting in proactive rules will only last a short time. What Sniffer may need is a better source of this spam. Between the two, I believe I am getting about 15,000 each day. Matt On 7/23/2010 8:00 PM, Pete McNeil wrote: On 7/23/2010 6:37 PM, Matt wrote: Pete, Will do. I call this spammer Whitestone, Much appreciated. I'll take a closer look with the team to see what we can do to close these guys down better. Thanks! _M --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Regex to block this?
On 7/23/2010 9:19 PM, Matt wrote: I guess my point here is that they are both very high volume spammers, and they both randomize sufficiently so that blocking them requires blocking their domains and having the samples available, but putting in proactive rules will only last a short time. What Sniffer may need is a better source of this spam. Between the two, I believe I am getting about 15,000 each day. Better sources are always good -- the sooner we see it the faster we can code solutions. As it turns out all of the samples provided had current rules in place based on our standard vectors... so we are capturing these. My guess is that you're right and the timing of these attacks is important. That said, I was able to find some structural vectors for the first group -- I've set up some abstracts based on those vectors and I'm waiting to see what the capture rates will be... If this approach is successful we should be able to preemptively defeat some of next few campaigns. Then I will apply the same types of mechanisms to the other groups and see if we can generate some internal methodologies to evolve structural abstracts for these as we see new variants based on the successful models we've generated. _M -- President MicroNeil Research Corporation www.microneil.com --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Regex to block this?
Hi Dave, Give this a try it is what you have asked for. Test it first to see if it gives you the results you are looking for. (?i:href=.+\.com/[a-z0-9]+) David -Original Message- From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave Beckstrom Sent: Tuesday, July 20, 2010 9:00 AM To: declude.junkmail@declude.com Subject: [Declude.JunkMail] Regex to block this? I'm getting hit by one spammer who manages to get through most of my filters. His spam consistently uses the format of: a href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5; img src=http://gcc128.blinksroads.com/images/157286c08.jpg; How would I write a regex that would look for .com/ followed by a string of garbage with no .htm or other web extension on the end? --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail scanned for viruses by Declude] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: [Declude.JunkMail] Regex to block this?
I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here
(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Tuesday, July 20, 2010 8:00 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Regex to block this?
I'm getting hit by one spammer who manages to get through most of my
filters. His spam consistently uses the format of:
a
href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5;
img src=http://gcc128.blinksroads.com/images/157286c08.jpg;
How would I write a regex that would look for .com/ followed by a string of
garbage with no .htm or other web extension on the end?
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
RE: [Declude.JunkMail] Regex to block this?
Thanks. David's regex worked well. I'll give the fine tuning a try.
Also, all of this spammer's domains are in DNS servers ns1.domainsite.com -
ns4.domainsite.com.
I might fine tune it a bit.
I've only seen length 37 and 38 characters after the tld
It is only lower case hex codes so you can exclude (g-z)
I've seen lots of .info and a few .nets as additional tld.
Very active spammer here
(?i:href=.+\.(com|info|net)/[a-f0-9]{37,38})
-Original Message-
From: supp...@declude.com [mailto:supp...@declude.com] On Behalf Of Dave
Beckstrom
Sent: Tuesday, July 20, 2010 8:00 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Regex to block this?
I'm getting hit by one spammer who manages to get through most of my
filters. His spam consistently uses the format of:
a
href=http://gcc128.blinksroads.com/5768cbbeb6bba86c3157116a6de8e54b31dab5;
img src=http://gcc128.blinksroads.com/images/157286c08.jpg;
How would I write a regex that would look for .com/ followed by a string
of
garbage with no .htm or other web extension on the end?
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
---
[This E-mail scanned for viruses by Declude]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail. The archives can be found
at http://www.mail-archive.com.
