Posted to users@spamassassin.apache.org by jp <jp...@saucer.midcoast.com> on 2009/04/02 22:20:57 UTC
spam from valid spammer domains
We're receiving a bunch of mail from domains that appear built for
spamming.
Here's an example.
pastelmedal.com spam comes from 66.132.203.125. This address isn't
listed by spamhaus, surbl, or any of 122 blacklists at mxtoolbox.com.
The email is here:
http://www.midcoast.com/~jp/p.txt
I get email from lots of different domains that have the same USPS
mailing address(es) listed, either in Denver CO or Wilmington DE.
They all have identical unsubscribe email forms if you visit their
webpage or IP:
http://mapwonder.com/
http://www.pastelmedal.com/
http://www.chestindigo.com/
What can I do to prevent more of these? I have high volume mail
servers using SA 3.2.5, network checks, no bayes, no awl, postfix
allowing anything except sbl-xbl listed things and some helo and
recipient restrictions.
It seems to be well formed spam that just isn't tripping anything up.
Thanks,
Jason
--
/*
Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL
KB1IOJ | Broadband Internet Access, Dialup, and Hosting
http://f64.nu/ | for Midcoast Maine http://www.midcoast.com/
*/
Re: spam from valid spammer domains
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Thu, 2009-04-02 at 23:08 +0200, Karsten Bräckelmann wrote:
> > body AE_STOP_REMOVE5 /\bwish\bto\bend\b.{0,20}(?: ... )/i
>
> I guess you don't get a lot of hits for that one. ;)
>
> \b is a zero-width assertion, matching a word boundary, but not matching
> an actual character. /wish\bto/ will never match...
Oops!
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Re: spam from valid spammer domains
Posted by Karsten Bräckelmann <gu...@rudersport.de>.
> body AE_STOP_REMOVE5 /\bwish\bto\bend\b.{0,20}(?: ... )/i
I guess you don't get a lot of hits for that one. ;)
\b is a zero-width assertion, matching a word boundary, but not matching
an actual character. /wish\bto/ will never match...
--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: spam from valid spammer domains
Posted by "McDonald, Dan" <Da...@austinenergy.com>.
On Thu, 2009-04-02 at 16:20 -0400, jp wrote:
> We're receiving a bunch of mail from domains that appear built for
> spamming.
>
> Here's an example.
> pastelmedal.com spam comes from 66.132.203.125. This address isn't
> listed by spamhaus, surbl, or any of 122 blacklists at mxtoolbox.com.
Yup. That's snowshoe spam.
> The email is here:
> http://www.midcoast.com/~jp/p.txt
I kill off a lot of those with these rules, but I'm finding that Rob
McEwen's Invaluement list works reasonably well. It doesn't have this
spammer listed (yet!) but....
body AE_STOP_REMOVE /to stop rec[ei]{2}ving.{0,20}(?:mailings|offers|messages|notices)/i
describe AE_STOP_REMOVE Talks about how to be removed from mailings
score AE_STOP_REMOVE 2.999
body AE_STOP_REMOVE2 /to no longer rec[ei]{2}ve.{0,20}(?:mailings|offers|messages|notices)/i
describe AE_STOP_REMOVE2 Talks about how to be removed from mailings
score AE_STOP_REMOVE2 1.5
body AE_STOP_REMOVE3 /to suspend future.{0,20}(?:mailings|offers|messages|notices)/i
describe AE_STOP_REMOVE3 Talks about how to be removed from mailings
score AE_STOP_REMOVE3 3.0
body AE_STOP_REMOVE4 /\bend\b.{0,20}future.{0,20}(?:mailings|offers|messages|notices)/i
describe AE_STOP_REMOVE4 Talks about how to be removed from mailings
score AE_STOP_REMOVE4 2.5
body AE_STOP_REMOVE5 /\bwish\bto\bend\b.{0,20}(?:mailings|offers|messages|service|notices)/i
describe AE_STOP_REMOVE5 Talks about how to be removed from mailings
score AE_STOP_REMOVE5 2.5
uri AE_ASM /\/[[:alpha:]]{28,40}$/
describe AE_ASM long gibberish path used by ASM Marketing
score AE_ASM 1
meta AE_GIBBERISH AE_ASM && (AE_STOP_REMOVE || AE_STOP_REMOVE2 || AE_STOP_REMOVE3 || AE_STOP_REMOVE4 || AE_STOP_REMOVE5)
describe AE_GIBBERISH Looks like spam we see a lot of
score AE_GIBBERISH 5
Looks like I need to add ADVERTISEMENTS to my list ;-)
> I get email from lots of different domains that have the same USPS
> mailing address(es) listed, either in Denver CO or Wilmington DE.
>
> They all have identical unsubscribe email forms if you visit their
> webpage or IP:
>
> http://mapwonder.com/
> http://www.pastelmedal.com/
> http://www.chestindigo.com/
>
> What can I do to prevent more of these? I have high volume mail
> servers using SA 3.2.5, network checks, no bayes, no awl, postfix
> allowing anything except sbl-xbl listed things and some helo and
> recipient restrictions.
>
> It seems to be well formed spam that just isn't tripping anything up.
>
> Thanks,
> Jason
>
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
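Dan's rule set above, together with Karsten's point about \b, worked through in Python as an added example (not code from either post): the body and uri rules are transcribed as Python regexes (POSIX [[:alpha:]] becomes [a-zA-Z]), the AE_GIBBERISH meta rule is reproduced, and a constructed sample message shows AE_STOP_REMOVE5 staying silent as posted and firing once \b between words is replaced by \s+.

```python
import re

# Dan's body rules transcribed as Python regexes; Perl and Python agree on
# \b, {m,n}, (?:...) and case-insensitive matching for these patterns.
BODY_RULES = {
    "AE_STOP_REMOVE":  (r"to stop rec[ei]{2}ving.{0,20}(?:mailings|offers|messages|notices)", 2.999),
    "AE_STOP_REMOVE2": (r"to no longer rec[ei]{2}ve.{0,20}(?:mailings|offers|messages|notices)", 1.5),
    "AE_STOP_REMOVE3": (r"to suspend future.{0,20}(?:mailings|offers|messages|notices)", 3.0),
    "AE_STOP_REMOVE4": (r"\bend\b.{0,20}future.{0,20}(?:mailings|offers|messages|notices)", 2.5),
    # Exactly as posted: \b between adjacent words is zero-width, so this
    # would need "wishtoend" with word boundaries inside it and never matches.
    "AE_STOP_REMOVE5": (r"\bwish\bto\bend\b.{0,20}(?:mailings|offers|messages|service|notices)", 2.5),
}
# uri AE_ASM: POSIX [[:alpha:]] has no Python spelling, so [a-zA-Z] stands in.
URI_RULE = ("AE_ASM", r"/[a-zA-Z]{28,40}$", 1.0)
# Karsten's fix: \s+ consumes the real whitespace between the words.
FIXED_RULE5 = r"\bwish\s+to\s+end\b.{0,20}(?:mailings|offers|messages|service|notices)"

def rule5_matches(body, pattern):
    return re.search(pattern, body, re.IGNORECASE) is not None

def fixed_rules():
    """Dan's rule set with AE_STOP_REMOVE5 replaced by the working pattern."""
    rules = dict(BODY_RULES)
    rules["AE_STOP_REMOVE5"] = (FIXED_RULE5, 2.5)
    return rules

def score_message(body, uris, rules=BODY_RULES):
    """Return (hits, total): the rules that fire and their summed score,
    reproducing meta AE_GIBBERISH = AE_ASM && (any AE_STOP_REMOVE*)."""
    hits = {}
    for name, (pattern, score) in rules.items():
        if re.search(pattern, body, re.IGNORECASE):
            hits[name] = score
    asm_name, asm_pattern, asm_score = URI_RULE
    if any(re.search(asm_pattern, uri) for uri in uris):
        hits[asm_name] = asm_score
    if asm_name in hits and any(name in hits for name in rules):
        hits["AE_GIBBERISH"] = 5.0
    return hits, round(sum(hits.values()), 3)

# Constructed sample, not the message linked in the thread.
SAMPLE_BODY = ("ADVERTISEMENT. If you wish to end these mailings, or to stop "
               "receiving offers, click the link below.")
SAMPLE_URIS = ["http://www.example.com/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh"]

if __name__ == "__main__":
    print(score_message(SAMPLE_BODY, SAMPLE_URIS))                 # rule 5 silent
    print(score_message(SAMPLE_BODY, SAMPLE_URIS, fixed_rules()))  # rule 5 fires
```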
Re: spam from valid spammer domains
Posted by John Hardin <jh...@impsec.org>.
On Thu, 2 Apr 2009, jp wrote:
> I get email from lots of different domains that have the same USPS
> mailing address(es) listed, either in Denver CO or Wilmington DE.
Some specific rules for those addresses, perhaps?
Which leads to the question: would having something analogous to URIBL for
mailing addresses and phone numbers be worthwhile?
Phone numbers would be pretty simple, but doing BL lookups for a mailing
address would probably involve a format standardization pass (non-trivial,
but tools are already available) and MD5 hashing the result for the
lookup.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...in the 2nd amendment the right to arms clause means you have
the right to choose how many arms you want, and the militia clause
means that Congress can punish you if the answer is "none."
-- David Hardy, 2nd Amendment scholar
-----------------------------------------------------------------------
71 days since Obama's inauguration and still no unicorn!
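John's idea of a URIBL-style list keyed on mailing addresses and phone numbers, sketched as an added Python example (not code from the post or from any real list): the standardization pass is a toy stand-in for the proper tools he mentions, the lookup zone name is a placeholder, and the listed entries are constructed so the check runs offline.

```python
import hashlib
import re

# Placeholder zone; a real list would publish its own (assumption).
ADDR_BL_ZONE = "addr.bl.example.invalid"

# Toy standardization: a real deployment would use a full postal-address
# normalizer, as the post notes such tools already exist (assumption).
_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "BOULEVARD": "BLVD",
           "SUITE": "STE", "POST OFFICE BOX": "PO BOX", "P O BOX": "PO BOX"}

def normalize_address(addr):
    """Upper-case, strip punctuation, collapse whitespace, canonical abbreviations."""
    s = re.sub(r"[^A-Za-z0-9 ]+", " ", addr).upper()
    s = re.sub(r"\s+", " ", s).strip()
    for long_form, short in _ABBREV.items():
        s = re.sub(r"\b" + long_form + r"\b", short, s)
    return s

def normalize_phone(phone):
    """Digits only; drop a leading US country code so 1-800-... equals 800-...."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits

def lookup_name(normalized, zone=ADDR_BL_ZONE):
    """DNSBL-style query name, md5(normalized form).zone, as the post sketches."""
    return hashlib.md5(normalized.encode()).hexdigest() + "." + zone

# Constructed listed entries standing in for a DNS query (fictional 555 number).
LISTED = {
    lookup_name(normalize_address("1234 Example St., Suite 500, Wilmington, DE 19801")),
    lookup_name(normalize_phone("1-800-555-0100")),
}

def is_listed(kind, value):
    """kind is 'address' or 'phone'; differently formatted inputs hash the same."""
    norm = normalize_address(value) if kind == "address" else normalize_phone(value)
    return lookup_name(norm) in LISTED
```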