On Mon, 2008-07-21 at 22:50 +0200, Michał Jęczalik wrote:
> Hello,
>
> I've noticed a huge increase of spam rate in past 2-3 weeks. Most of it
> are messages with some quite normal Subject:, often (but not neccesarily)
> referring to some fake event (i.e. some politician stabbed to death) and
> there's only a link, sometimes together with a single sentence, in the
> body.
This sounds like ratware spreading phishes to me. Well, based on the
vague and fuzzy description, anyway. Nicely caught by ClamAV with
SaneSecurity phish sigs, and never even being processed by SA here.
I personally don't really see them as spam, though, but malware
distribution mail. Hence the dropping with ClamAV. ;)
However, they seem to be generated by the very same software. In every
backscatter wave, I do see a lot of these, too. Also, by pure collateral
coincidence (I was investigating low-scoring spam), I might be cooking
up a rule that does hit on these. Needs some more investigation the next
days, though.
> How to fight this? Bayes doesn't catch this much, perhaps because
> these messages contain few text.
See above, maybe. Other than that -- no example, no hint how to stop
them.
> I don't have example of a message of exactly this kind at this moment, but
> this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an
> easier case, but most of these spams don't refer to viagra and usually
> scores BAYES_50 (max) and nothing more.
This example seems to be unrelated to the one described initially, IMHO.
It is a real spam, selling drugs.
guenther
--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
