On 07/03/18 11:25, Leandro wrote:
2018-03-07 5:52 GMT-03:00 Sebastian Arcus <s.ar...@open-t.co.uk <mailto:s.ar...@open-t.co.uk>>:

    6. The links they include in the body of the email are almost never
    flagged up either by Clam or Spamassassin - and they point to a
    different domain in every single message.

Although they use multiple domains in the URLs at body, many of these URLs are addressed to the same IPv4/IPv6 address or IP ranges, that is just one shared web server or a group of shared web servers of the spammer.

The key to solving this problem is that you all start to cross the data and start scoring the URL host IP, that is the exact fiscal place they want to you visit even fired by many hacked mail servers at world and many distinct domains. The mail services and domains are very disperse but the web servers are very concentrated.

As far as I can tell, the URL's in the spam I see point to php scripts on various compromised servers - which, maybe, further redirect to the final payment servers. But thank you for the suggestion - I will keep an eye on it.

Reply via email to