Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2019/12/19 16:45:26 UTC

RE: New bitcoin ransom message today

On Wed, 18 Dec 2019, John Hardin wrote:
> Can you post a spample

This is a very interesting pattern that I've seen in a few (9) spams
this week.
Here's a spample (with only the To header MUNGED):
	http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
Lindsay, is that what you're seeing?

All 9 have scored above SA's default threshold, however most just
barely. The biggest scoring hit was "TO_NO_BRKTS_DYNIP".
None hit any GIBBERISH test, though that could be an issue with the
webhost (it's a shared "plain vanilla" SA install, not a custom
tuned one).

What I found interesting was both the style chaff and the use of 
"storage.googleapis" to hide the payload.
Google appears to have disabled the one in this spample.
The one I looked at yesterday had a "Meta refresh" to an 
intermediate URL, which had a javascript redirect
(via "window.location.href") to the final target.
Both domains were relatively recently registered and both are _NOT_
on any major domain blocklist.

Another interesting "tell" is its sloppy/ridiculous SPF:
	v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 ip4:107.0.0.0/8 ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all
Perhaps they're anticipating Amazon gobbling up more IP space?!?


Since the OP asked about non-SA approaches...
All hit my own filter's style size ratio test, with a
range of 98.3% to 99.1%.
I'm not a Perl programmer, so do not know if that is a practical
test to implement in SA.
It amazes me how much ham scores high on that!
I did a quick check of the last month for a highly diverse domain
and of emails with at least 90% "style", 16.7% were spam (all snow)
and 7% were ham (all ESP).
Next week I'll be datamining, so will look at that in more detail.


I've been scoring "storage.googleapis", however it's used by a lot
of non-security-competent Hammers, so it's difficult to give it more
than a small score.
IMO it would be worthwhile to score it at least a wee bit in case
that would help anybody convince their PHB that it's a Bad Practice.

John, perhaps a meta for style issues, AWS, and googleapis?
	- "Chip"



Re: SPAM message format, or not ?

Posted by Lindsay Haisley <fm...@fmp.com>.
On Thu, 2019-12-19 at 16:56 +0000, Chip M. wrote:
> On Wed, 18 Dec 2019, John Hardin wrote:
> > Can you post a spample
> 
> This is a very interesting pattern that I've seen in a few (9) spams
> this week.
> Here's a spample (with only the To header MUNGED):
>         http://puffin.net/software/spam/samples/0062_snow_style_chaff_aws.txt
> Lindsay, is that what you're seeing?

Exactly.

All of these verifiably come from Amazon IP addresses. I filed one
abuse report with Amazon, jumping through all the hoops spec'd in their
whois listing, but I doubt if it does any good. The Big Guys don't need
to allocate any of their hard-earned resources to clamping down on spam
sent from their customers' accounts :(

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |       chooses its friends."
512-259-1190          |          -- Andreas Bogk
http://www.fmp.com    |


Re: New bitcoin ransom message today

Posted by Benny Pedersen <me...@mx.junc.eu>.
On 2019-12-19 17:45, Chip M. wrote:

> Another interesting "tell" is its sloppy/ridiculous SPF:
> 	v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 ip4:107.0.0.0/8
> ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all
> Perhaps they're anticipating Amazon gobbling up more IP space?!?

Sadly, SPF supports 0.0.0.0/0. If SPF had been designed sanely, it would
allow a maximum of 256 IPv4 addresses and one IPv6.

If one creates a Perl module to calculate the IPv4 / IPv6 addresses in the
record, it can check whether the number of IPs is under 256 to be accepted
as a pass; then that changes.

Time to block domains with more than so many IPs.
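The record-size check Benny proposes, run against the /8 SPF record Chip quoted, as an added example in Python rather than the Perl module he describes; this is not code from the thread or from SpamAssassin. The 256-IPv4 / one-IPv6-network thresholds are read from Benny's message and the tight "contrast" record is constructed.

```python
import ipaddress

# Constructed samples: the record quoted in the thread and a tight one for contrast.
SLOPPY_SPF = ("v=spf1 ip4:52.0.0.0/8 ip4:3.0.0.0/8 ip4:54.0.0.0/8 "
              "ip4:107.0.0.0/8 ip4:18.0.0.0/8 ip4:34.0.0.0/8 -all")
TIGHT_SPF = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 ip6:2001:db8::/64 -all"


def summarize_spf(record):
    """Total up the address space an SPF record passes, working offline.
    Only literal ip4:/ip6: terms are counted; a/mx/include/exists/ptr and
    redirect= need DNS, so they are listed under 'unresolved' instead."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    ipv4_total, ipv6_networks, unresolved = 0, [], []
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default is pass
        body = term.lstrip("+-~?")
        if "=" in body:                    # modifier (redirect=, exp=)
            unresolved.append(term)
            continue
        name, _, arg = body.partition(":")
        name = name.split("/")[0].lower()  # strip an a/24-style CIDR suffix
        if name == "all":
            if qualifier == "+":           # "+all" passes the entire internet
                ipv4_total = 2 ** 32
        elif name in ("ip4", "ip6"):
            if qualifier != "+":
                continue                   # -ip4:/~ip4: exclude, not include
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == 4:
                ipv4_total += net.num_addresses
            else:
                ipv6_networks.append(str(net))
        else:                              # a, mx, include, exists, ptr
            unresolved.append(term)
    return {"ipv4_addresses": ipv4_total,
            "ipv6_networks": ipv6_networks,
            "unresolved": unresolved}


def is_sloppy(record, max_ipv4=256, max_ipv6_networks=1):
    """Benny's proposed rule (thresholds assumed from his message): flag a
    record that passes more than max_ipv4 IPv4 addresses or more than
    max_ipv6_networks IPv6 networks."""
    s = summarize_spf(record)
    return (s["ipv4_addresses"] > max_ipv4
            or len(s["ipv6_networks"]) > max_ipv6_networks)
```

A real rule would still have to resolve include:/a:/mx: terms (which this offline count deliberately leaves in `unresolved`) before deciding a record is tight.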