On 06/11/2014 01:51 PM, Angus McIntyre wrote:


On Jun 11, 2014, at 9:43 AM, Gary Gendel <g...@genashor.com> wrote:
In the last month, I've seen a large increase in spam that breezes through 
spamdyke and spamassassin.  These are html only emails mainly for jobs from the 
big web companies (Google, Facebook, etc.).  The html is biased with bayes 
poisoning keywords.

These aren't _actually_ job offers from Google and Facebook. If you followed the links (which I 
don't necessarily, advise, because the spammers 'tag' the links so they can see who looked at the 
message) you'd find that they redirect to syndicated marketing links promoting scammy 
"work-at-home" make-money-fast schemes. I think the only connection with Google or 
Facebook is that these fake jobs are somehow "on the Internet".

The links point to a page with a number of unrelated links via a tracker.  I 
assume they are trying to get click-through cash.

Yep.

Anyone else see this kind of problem?  If so, what are you doing about it?

I wrote about the difficulty of blocking these in another thread on 'spamdyke-users' with 
the subject "Fwd; Search for High Speed Internet options near you" (someone 
else posted a sample of a similar spam).

Basically, because the senders change domain names, IP addresses, 'From' lines, 
'Subject' lines, and even URL formats continuously, and because the messages 
contain hashbuster text, they're extremely difficult to block reliably. They're 
pretty much the state-of-the-art when it comes to randomizing every possible 
element that could be used as the basis for filtering.

I don't know if this helps, but I'm seeing that some come from sites without a 
compliant dns setup.  For example:

162.210.198.19 -> hosted-by.EqServers.com
hosted-by.EqServers.com -> 65.60.49.189

Would spamdyke's rDNS tests help here? In my experience, these particular 
spammers usually have their DNS properly set up -- they're posting from rented 
servers hosted by a variety of hosting companies, rather than botnet PCs -- so 
they don't usually get turned away by Spamdyke's rDNS checks.

I think Bayesians may work on them, despite the presence of hashbuster text: most of them 
that I see trigger SpamAssassin's BAYES_99 rule, and in my tests with CRM-114 I can 
usually get CRM-114 to say "Oh yeah, it's one of those." However, BAYES_99 
defaults to a score of 3.5, which may not be enough on its own to take the message over 
the threshold to be tagged as spam.

Now that you're starting to see these, you're going to get more and more. They 
have ramped up their sending volume enormously over time, and are sending more 
and more in an attempt to brute-force their way through.

Angus


Good points.

Personally, I've adjusted my SA scoring to weigh bayes heaver. FWIW, this is what I use:
score BAYES_00 0 0 -2.612 -2.899
score BAYES_05 0 0 -1.110 -1.110
score BAYES_20 0 0 -0.740 -0.740
score BAYES_40 0 0 -0.185 -0.185
score BAYES_50 0 0 0.001 0.001
score BAYES_60 0 0 1.5 1.5
score BAYES_80 0 0 3.0 3.0
score BAYES_95 0 0 4.0 4.0
score BAYES_99 0 0 5.1 5.1

I also use:
required_score 3.7

Personally, I haven't noticed this problem.

--
-Eric 'shubes'

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

Reply via email to