I haven't seen this sort of thing in quite some time (thankfully).

Have you sent them through sa-learn so bayes can detect them?

-Eric 'shubes'

On 06/03/2014 09:53 AM, David wrote:
Thats where I was headed with this one..
How annoying.
  We need a honeypot approach for these guys and then tarpit them into a
I will post a resolve on this once a I try a few things.

On 06/03/2014 11:19 AM, Angus McIntyre wrote:
On Jun 3, 2014, at 11:25 AM, David
<dmilho...@wletc.com> wrote:
How in the world do I stop these annoying emails.
according to the headers they change the
and the domains and ips change as well.
It looks like an affiliate spammer. They typically rent a block of IP
addresses from one or more hosting providers, then start pumping out
spam with syndicated marketing links in it, and get paid when suckers
click on the links.

I don't recognize this particular one's style, but the bad news is
that they tend to be really hard to filter. As you've found out, they
constantly change domain names (they probably use domain-kiting to
ensure that they never have to pay for names), they constantly change
IPs (so-called snowshoe spamming, aided by compliant ISPs), they use
hashbuster text in their messages to get past or poison statistical
filters, and they constantly change their subjects, from lines, and in
some cases even their URL formats.

Unfortunately, Spamdyke isn't a lot of help against these guys. They
are actually delivering from real mailservers (as opposed to botnet
PCs), so graylisting won't help. They generally have their DNS set up
correctly, so rDNS checks won't reject them. They change names and IPs
so fast that RBLs struggle to keep up. They are among the hardest
spammers to block.

I suggest that you collect samples of the spam that you're receiving
and then analyze them. It's possible that you may be able to identify
a small number of IP blocks used by the spammer and block those,
although they change IPs and hosting services continually to avoid
that. A more productive approach may be to try to identify patterns in
the URLs that they use and write a SpamAssassin rule to recognize
them. The URL in the sample you sent is very long and complex, which
means that you have quite a good chance of writing a regex that would
recognize their spams but wouldn't generate false positives on
legitimate emails.


spamdyke-users mailing list

spamdyke-users mailing list

Reply via email to