Posted to users@spamassassin.apache.org by Michał Jęczalik <mi...@jeczalik.com> on 2008/07/21 22:50:03 UTC

Spam flooding recent days

Hello,

I've noticed a huge increase of spam rate in past 2-3 weeks. Most of them 
are messages with some quite normal Subject:, often (but not necessarily) 
referring to some fake event (i.e. some politician stabbed to death) and 
there's only a link, sometimes together with a single sentence, in the 
body. How to fight this? Bayes doesn't catch this much, perhaps because 
these messages contain little text.

I don't have an example of a message of exactly this kind at this moment, but 
this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an 
easier case, but most of these spams don't refer to viagra and usually 
score BAYES_50 (max) and nothing more.

X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=3.9 tests=BAYES_50,DRUGS_ERECTILE,
     HTML_MESSAGE autolearn=no version=3.2.5
[...]
Received: from 190-95-40-158.bk18-dsl.surnet.cl 
(190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])
     by xxxxxxxx (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
     for <mi...@xxxxxxxxxxxxx>; Mon, 21 Jul 2008 19:00:29 +0200
Message-ID: <6A...@alltel.net>
From: "World Pharmacy -A22 " <{W...@alltel.net>
Subject: Sale on all items.. viagra for $1
Date: Mon, 21 Jul 2008 17:00:32 GMT
MIME-Version: 1.0
Content-Type: multipart/alternative;
     boundary="-------=_NextPart_191_031A_0000040D.00007EC0"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Microsoft MimeOLE V6.00.2900.2527

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<body>
<h2>
<a href="http://www.geocities.com/bettyaphdjnx/"> see site </a></h2>

</body></html>


Re: Spam flooding recent days

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Mon, 21 Jul 2008, Michał Jęczalik wrote:

> Hello,
>
> I've noticed a huge increase of spam rate in past 2-3 weeks. Most of them
> are messages with some quite normal Subject:, often (but not necessarily)
> referring to some fake event (i.e. some politician stabbed to death) and
> there's only a link, sometimes together with a single sentence, in the
> body. How to fight this? Bayes doesn't catch this much, perhaps because
> these messages contain little text.
>
> I don't have an example of a message of exactly this kind at this moment, but
> this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an
> easier case, but most of these spams don't refer to viagra and usually
> score BAYES_50 (max) and nothing more.
>
> X-Spam-Level: ***
> X-Spam-Status: No, score=3.6 required=3.9 tests=BAYES_50,DRUGS_ERECTILE,
>      HTML_MESSAGE autolearn=no version=3.2.5
> [...]
> Received: from 190-95-40-158.bk18-dsl.surnet.cl
> (190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])
>      by xxxxxxxx (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
>      for <mi...@xxxxxxxxxxxxx>; Mon, 21 Jul 2008 19:00:29 +0200
> Message-ID: <6A...@alltel.net>
> From: "World Pharmacy -A22 " <{W...@alltel.net>
> Subject: Sale on all items.. viagra for $1
> Date: Mon, 21 Jul 2008 17:00:32 GMT
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>      boundary="-------=_NextPart_191_031A_0000040D.00007EC0"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-MimeOLE: Microsoft MimeOLE V6.00.2900.2527
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML>
> <body>
> <h2>
> <a href="http://www.geocities.com/bettyaphdjnx/"> see site </a></h2>
>
> </body></html>

First thing, do you have network tests turned off? That IP address
hit 5 different DNSBL lists here, some of which we use at the SMTP
level, so that message would not even have made it in our front door. ;)
(I realize that it might not have been listed earlier today.)

Install the BOTNET plugin, it will add points to those PC-on-DSL/CABLE
clients, even before they get listed in DNSBLs.

I'm guessing that the kind of message you are referring to looks more
like:

  Date: Mon, 21 Jul 2008 11:49:04 +0200
  From: Froskary <Fr...@txps.com>
  To: YYYYYY@icaen.uiowa.edu
  Subject: CNN Wire: Obama arrives in Iraq

  B-52 bomber crashes off island of Guam
  http://pelledilunaaXXXXX.it/begin.html

These are not strictly speaking spam, they're actually trojan
bot messages attempting to get people to download a trojan
onto their PCs. (If you are foolish enough to read that message
on a PC and click on that link, you are pOwn3d.)

Those things seem to regularly hit BOTNET, DNSBLs like Spamhaus &
abuseat-CBL, and the URLs tend to get listed in SURBL/URIBL.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
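The two network checks Dave describes above (the connecting client's IP against DNSBLs such as Spamhaus/CBL, and the body's link against SURBL/URIBL) both reduce to building a DNS name and asking whether it resolves. The script below is an added example, not code from this thread, from SpamAssassin, or from the BOTNET plugin: it pulls the client IP from the topmost Received header, extracts the URI host from the body, builds the reversed-IP and domain query names, and also flags the "one headline plus one bare link" shape of the messages being discussed. The sample message, the IP 192.0.2.10, the host news-lure.example and the hit labels are all constructed for the example; the `lookup` parameter lets you swap the live DNS query for a fixed list so it runs offline.

```python
import re
import socket
from email import message_from_string
from email.message import Message
from typing import Callable, Optional

# Constructed sample, shaped like the "tabloid" message quoted in the thread.
# The Received line is the one our own MX wrote; the IP and host are made up.
SAMPLE = """\
Received: from dsl-client.example.invalid (dsl-client.example.invalid [192.0.2.10])
    by mx.example.net (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
    for <user@example.net>; Mon, 21 Jul 2008 19:00:29 +0200
From: Froskary <froskary@example.com>
To: user@example.net
Subject: CNN Wire: Obama arrives in Iraq
Content-Type: text/plain

B-52 bomber crashes off island of Guam
http://news-lure.example/begin.html
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*", re.I)


def connecting_ip(msg: Message) -> Optional[str]:
    """IP from the topmost Received header, i.e. the one added by our own MX.
    Only that header is trustworthy: earlier Received lines travel with the
    message and can be forged by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = IP_RE.search(received[0])
    return m.group(1) if m else None


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL convention: reversed octets plus the list zone,
    e.g. 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def uribl_name(host: str, zone: str) -> str:
    """SURBL/URIBL are queried by registered domain. Keeping the last two
    labels is a simplification (wrong for ccTLD second-level domains)."""
    return ".".join(host.split(".")[-2:]) + "." + zone


def body_text(msg: Message) -> str:
    """Concatenate text/plain parts (or the single body) as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def uri_hosts(text: str) -> list:
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def is_listed(name: str) -> bool:
    """Live lookup: a DNSBL answers with a 127.0.0.x A record when listed."""
    try:
        return socket.gethostbyname(name).startswith("127.")
    except socket.gaierror:
        return False


def score_message(raw: str, lookup: Callable[[str], bool] = is_listed,
                  ip_zones=("zen.spamhaus.org", "cbl.abuseat.org"),
                  uri_zones=("multi.surbl.org", "multi.uribl.com")) -> dict:
    """Return the client IP, the URI hosts, and a list of hit labels.
    The labels are this example's own tags, not SpamAssassin rule names."""
    msg = message_from_string(raw)
    hits = []
    ip = connecting_ip(msg)
    if ip:
        hits += ["DNSBL:" + z for z in ip_zones if lookup(dnsbl_name(ip, z))]
    text = body_text(msg)
    hosts = uri_hosts(text)
    for h in hosts:
        hits += ["URIBL:%s:%s" % (z, h) for z in uri_zones
                 if lookup(uribl_name(h, z))]
    # The lure shape from the thread: at most a headline line plus one bare link.
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(hosts) == 1 and len(lines) <= 2:
        hits.append("SINGLE_LINK_LURE")
    return {"ip": ip, "hosts": hosts, "hits": hits}


if __name__ == "__main__":
    # Offline run against a constructed "listed" set instead of real DNS.
    listed = {"10.2.0.192.zen.spamhaus.org", "news-lure.example.multi.surbl.org"}
    print(score_message(SAMPLE, lookup=lambda n: n in listed))
```

Replace the `lookup` argument with the default `is_listed` to query the real lists; note that public DNSBLs rate-limit or block queries from large public resolvers, so run them from your own resolver, and treat the Received-header parsing as valid only for the header your own MX wrote.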

RE: Spam flooding recent days

Posted by "Rosenbaum, Larry M." <ro...@ornl.gov>.
> From: Michał Jęczalik [mailto:michal@jeczalik.com]
> Subject: Spam flooding recent days
>
> Hello,
>
> I've noticed a huge increase of spam rate in past 2-3 weeks. Most of them
> are messages with some quite normal Subject:, often (but not
> necessarily)
> referring to some fake event (i.e. some politician stabbed to death)
> and
> there's only a link, sometimes together with a single sentence, in the
> body

It's called "tabloid spam".

http://redtape.msnbc.com/2008/07/no-presidential.html#posts



Re: Spam flooding recent days

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Mon, 2008-07-21 at 22:50 +0200, Michał Jęczalik wrote:
> Hello,
> 
> I've noticed a huge increase of spam rate in past 2-3 weeks. Most of them 
> are messages with some quite normal Subject:, often (but not necessarily) 
> referring to some fake event (i.e. some politician stabbed to death) and 
> there's only a link, sometimes together with a single sentence, in the 
> body.

This sounds like ratware spreading phishes to me. Well, based on the
vague and fuzzy description, anyway. Nicely caught by ClamAV with
SaneSecurity phish sigs, and never even being processed by SA here.

I personally don't really see them as spam, though, but malware
distribution mail. Hence the dropping with ClamAV. ;)

However, they seem to be generated by the very same software. In every
backscatter wave, I do see a lot of these, too. Also, by pure collateral
coincidence (I was investigating low-scoring spam), I might be cooking
up a rule that does hit on these. Needs some more investigation the next
days, though.


> How to fight this? Bayes doesn't catch this much, perhaps because 
> these messages contain little text.

See above, maybe. Other than that -- no example, no hint how to stop
them.


> I don't have an example of a message of exactly this kind at this moment, but 
> this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an 
> easier case, but most of these spams don't refer to viagra and usually 
> score BAYES_50 (max) and nothing more.

This example seems to be unrelated to the one described initially, IMHO.
It is a real spam, selling drugs.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}