On 09/30/2014 10:27 PM, Philip Prindeville wrote:
On Sep 30, 2014, at 11:41 AM, David Jones <djo...@ena.com> wrote:
________________________________________
From: Philip Prindeville <philipp_s...@redfish-solutions.com>
Sent: Tuesday, September 30, 2014 12:30 PM
To: SpamAssassin
Subject: Googlasi, blacklotus, etc.
I’m seeing spams like:
http://pastebin.com/XXQrNURW
Notice:
* the message is almost always text/plain single part;
* the only Received: line is the local one, even though it was received on port 25;
* the message id contains the string be2aaf2163fd72c9975ec76b00288831, which
seems to be a SHA1 hash associated with the destination email address;
* there are two or more nonsense header fields containing the SHA1 hash plus
some small integer, and both values are repeated in the message body;
* there’s sometimes a third integer value both in the message and optionally in
some nonsense header field;
* the message begins with either “Hello ____” or “Dear ____” as the destination email address;
* the phishing URL is either hosted by googlasi (as an amazon instance 54.69.70.160), or else a blacklotus instance as 192.31.186.4;
I’m occasionally seeing text/html which also contains the same hash as part of
the phishing URL.
Anyone else seeing this?
I’m currently defeating this by locally blacklisting the 2 IP addresses associated with the URL, plus finding the SHA1 in the message.
I’d like to not have to rely on the specific value of the hash for the 2nd test.
-Philip
That IP is in a number of RBLs. Do you have any RBLs in your MTA?
I do, but the problem is that the SPAM needs to be seen a few times before the RBLs get updated with it.
5.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: lookmediXXXcarehelp.net]
I’m getting quite a few of these messages before the site gets blacklisted.
So I need to rely only on local rules to catch it.
This is where datafeeds to run local mirrors of the BLs give you a huge advantage over querying public mirrors, which usually lag a bit behind, PLUS offering data which may not be available from public mirrors.
Obviously these data feeds can make a hole in your budget, but if you're big enough to justify the cost, they're well worth it.