----------------------------------------
> From: hospice...@outlook.com
> To: users@spamassassin.apache.org
> Subject: RE: Detecting very recently registered domain names
> Date: Mon, 6 Jan 2014 13:45:07 +0000
>
> ----------------------------------------
>> Date: Mon, 6 Jan 2014 12:26:08 +0000
>> From: andrew.he...@aaisp.net.uk
>> To: users@spamassassin.apache.org
>> Subject: Re: Detecting very recently registered domain names
>>
>> On Thu, 19 Dec 2013 10:02:39 -0500
>> Joe Quinn <jqu...@pccc.com> wrote:
>>
>>> We are noticing a lot of spam coming from domains that are less than
>>> two months old. Is there a good way to detect this automatically?
>>>
>>> We've thought about whois, but do not want to get blocked for looking
>>> like we are harvesting information.
>>
>>
>> May be off topic, but is this related to Communicado Ltd, who register
>> domains daily in order to send spam, more info and a maintained list(at
>> least at the moment) on:
>> http://blog.hinterlands.org/2013/10/unwanted-email-from-communicado-ltd/
>>
>>
>> --
>> Andrew
>>
>
>
>
> Communicado are probably a bit smarter than many people give them credit for.
> They change tactics frequently, and are pretty good at what they do. They
> have been around a long time and that probably says a lot, given the
> characteristics of the industry they are in.
>
> In recent weeks they have moved from the 'day old' .co.uk domains to
> relatively old com/org/net domains (Aug last year). I'm sure they will change
> back again at some point though ... it's not like NOMINET give a darn about
> spam, is it??
>
> Playing 'whack-a-mole' with them isn't half as effective as focusing in on
> the common traits of the mail they send out, like phone numbers (01799
> 252xxx), common phrases, the names of the instructors they use, the structure
> of the HTML in the mails themselves, and so on. Even the price they charge
> for their courses helps (everything seems to be £149.00 + VAT :)
>
> Registering a new domain costs peanuts, compared to re-working this kind of
> stuff on a regular basis, and as we all know, at the end of the day, it's all
> about money.

----------------

A couple of folks asked me for specific details regarding rules, so I thought it
might be helpful to post here.

There's nothing fancy, and it is probably prone to FPs outside of our particular
context, but here you go:

rawbody         CDO_Phone0   /01227[\s\-_]+252\s*\d\d\d/
describe        CDO_Phone0   CDO Phone Number

rawbody         CDO_Phone1   /01799[\s\-_]+252\s*\d\d\d/
describe        CDO_Phone1   CDO Phone Number

rawbody         CDO_Phone2   /0800[\s\-_]+084\s*5076/
describe        CDO_Phone2   CDO Phone Number

body            CDO_DT       /Distinguished Traveller/i
describe        CDO_DT       Mentions Distinguished Traveller

body            CDO_BS       /Bitesize/i
describe        CDO_BS       Mentions Bitesize

uri             CDO_US       /\/sub\.php\?clt=.+\&email=/i
describe        CDO_US       Contains common Communicado Unsubscribe Code

Sure, some of this is easy for the spammers to change, and your mileage may 
vary (which is why I've left you to fill in the scores that seem right for you).

What does seem to be a fairly solid indicator is the phone numbers I mentioned.
BT love to tie you into long-term contracts, so changing these takes some
forethought and planning ... unlike reacting to any possible change the
spammers make.

To me, targeting this stuff for all spammers (not just the guy at the centre of
this particular witch hunt) makes more sense than domain or IP whack-a-mole ...
[which isn't the same as saying the results aren't great. Just that the time to
benefit doesn't work out unless all you do for a living is e-mail].

So far, the approach has worked great for me - I presently get no Communicado
SPAM, and I have the time to run a Hospice IT department in the meantime ...
bet that changes as soon as the CDO guys finish reading this post though ...

Anyway - hope this helps somewhat, and despite the potentially negative sway of
my comments - great work on the EXCOMMUNICADO stuff.

Here's hoping someone does something similar re Merrehill Limited,
EMediaSolutions :)

Judy

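As an added illustration, not code from the post or from SpamAssassin itself: a small Python evaluator that parses rules written in the `type NAME /regex/flags` syntax used above (plus their `describe` and `score` lines) and runs them over a constructed sample message, so the rawbody/body/uri distinction can be seen firing. The score line, the HTML stripping and the URI extraction are simplifications assumed here.

```python
import re
from dataclasses import dataclass
# Constructed rules in SpamAssassin syntax mirroring the post; the score line is assumed.
RULES_CF = r"""
rawbody  CDO_Phone1  /01799[\s\-_]+252\s*\d\d\d/
describe CDO_Phone1  CDO Phone Number
body     CDO_DT      /Distinguished Traveller/i
describe CDO_DT      Mentions Distinguished Traveller
uri      CDO_US      /\/sub\.php\?clt=.+\&email=/i
describe CDO_US      Contains common Communicado Unsubscribe Code
score    CDO_Phone1  2.5
"""
RULE_LINE = re.compile(r"^(rawbody|body|uri)\s+(\w+)\s+/(.*)/(i?)$")

@dataclass
class Rule:
    kind: str             # rawbody (HTML as sent), body (rendered text) or uri
    name: str
    regex: re.Pattern
    describe: str = ""
    score: float = 1.0    # SpamAssassin's default when no score line is given

def parse_rules(text):
    """Parse rule, describe and score lines (in any order) into Rule objects."""
    rules, extras = {}, []
    for line in text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            kind, name, pat, flag = m.groups()
            rules[name] = Rule(kind, name, re.compile(pat, re.I if flag else 0))
        elif line.strip():
            extras.append(line.split(None, 2))   # ("describe"|"score", NAME, value)
    for key, name, value in extras:              # may precede the rule they refer to
        if key == "describe":
            rules[name].describe = value
        elif key == "score":
            rules[name].score = float(value)
    return rules

def scan(rules, raw_body):
    """Return {rule_name: score} for each rule that fires on one message body."""
    text_body = re.sub(r"<[^>]+>", " ", raw_body)          # crude 'body' rendering
    uris = re.findall(r"https?://[^\s\"'<>]+", raw_body)   # what 'uri' rules see
    views = {"rawbody": [raw_body], "body": [text_body], "uri": uris}
    return {r.name: r.score for r in rules.values()
            if any(r.regex.search(v) for v in views[r.kind])}

# Constructed sample message in the style the post describes (hits Phone1, DT, US).
SAMPLE_RAW = ('<p>Book our <b>Distinguished Traveller</b> course for &pound;149.00 + VAT.</p>'
    '<p>Call 01799 - 252 123.</p><a href="http://example.test/sub.php?clt=42&email=x@example.test">Unsubscribe</a>')
```

Calling `scan(parse_rules(RULES_CF), SAMPLE_RAW)` returns the three firing rules with their scores; a message without those traits returns an empty dict.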