Posted to users@spamassassin.apache.org by Sebastian Arcus <s....@open-t.co.uk> on 2018/03/07 08:52:18 UTC
Extremely persistent sex/make money spam with very little text in the body
I have this one email account receiving, for more than a year, a very
specific type of spam which I find very difficult to block:
1. The messages are all kept very short, generally below 20 words - I
assume so that Bayes is less efficient at classifying them?
2. Although they are all invitations to sex, or making money - they are
phrased differently every time and use different words - so Bayes scores
are consistently low.
3. They come from servers all around the world - possibly compromised,
or maybe quickly set up and taken down - so they are usually not flagged
by blacklists.
4. Pyzor tends to flag most of them up though.
5. In most cases, DKIM is correct, SPF is fine, and the headers are all
correct - so they don't hit any other rules.
6. The links they include in the body of the email are almost never
flagged up either by Clam or Spamassassin - and they point to a
different domain in every single message.
The bizarre thing is that I only see them coming to this one particular
email account, at a single domain of all the ones I administer. Based on
the above, whoever sends them really knows what they are doing, and must
have significant resources at their disposal - but I still have no idea
why they only hit this particular email address. I can only assume that
greylisting wouldn't help much, as they seem to arrive from properly
configured SMTP servers, which would retry like any other regular SMTP
server and bypass greylisting. Has anybody else seen these, and is there
anything else that I could try to block them?
Re: Extremely persistent sex/make money spam with very little text in the body
Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 07/03/18 11:25, Leandro wrote:
> 2018-03-07 5:52 GMT-03:00 Sebastian Arcus <s.arcus@open-t.co.uk
> <ma...@open-t.co.uk>>:
>
>
> 6. The links they include in the body of the email are almost never
> flagged up either by Clam or Spamassassin - and they point to a
> different domain in every single message.
>
>
> Although they use multiple domains in the URLs in the body, many of these
> URLs are addressed to the same IPv4/IPv6 address or IP ranges, that is
> just one shared web server or a group of shared web servers of the spammer.
>
> The key to solving this problem is that you all start to cross the data
> and start scoring the URL host IP, that is the exact fiscal place they
> want you to visit, even when fired by many hacked mail servers around the
> world and many distinct domains. The mail services and domains are very
> dispersed but the web servers are very concentrated.
As far as I can tell, the URLs in the spam I see point to PHP scripts
on various compromised servers - which, maybe, further redirect to the
final payment servers. But thank you for the suggestion - I will keep an
eye on it.
Re: Extremely persistent sex/make money spam with very little text in the body
Posted by Leandro <le...@spfbl.net>.
2018-03-07 5:52 GMT-03:00 Sebastian Arcus <s....@open-t.co.uk>:
>
> 6. The links they include in the body of the email are almost never
> flagged up either by Clam or Spamassassin - and they point to a different
> domain in every single message.
>
Although they use multiple domains in the URLs in the body, many of these URLs
are addressed to the same IPv4/IPv6 address or IP ranges, that is just one
shared web server or a group of shared web servers of the spammer.
The key to solving this problem is that you all start to cross the data and
start scoring the URL host IP, that is the exact fiscal place they want you
to visit, even when fired by many hacked mail servers around the world and
many distinct domains. The mail services and domains are very dispersed but
the web servers are very concentrated.
We are doing this technique here and the problem has been mitigated for our
customers.
>
> The bizarre thing is that I only see them coming to this one particular
> email account, at a single domain of all the ones I administer. Based on
> the above, whoever sends them really knows what they are doing, and must have
> significant resources at their disposal - but I still have no idea why they
> only hit this particular email address. I can only assume that greylisting
> wouldn't help much, as they seem to arrive from properly configured SMTP
> servers, which would retry like any other regular SMTP server and bypass
> greylisting. Has anybody else seen these, and is there anything else that I
> could try to block them?
>
Re: Extremely persistent sex/make money spam with very little text in the body
Posted by Sebastian Arcus <s....@open-t.co.uk>.
On 07/03/18 09:08, Daniele Duca wrote:
> On 07/03/2018 09:52, Sebastian Arcus wrote:
>
>> I have this one email account receiving, for more than a year, a very
>> specific type of spam which I find very difficult to block:
>>
>> 1. The messages are all kept very short, generally below 20 words - I
>> assume so that Bayes is less efficient at classifying them?
>>
>> 2. Although they are all invitations to sex, or making money - they
>> are phrased differently every time and use different words - so Bayes
>> scores are consistently low.
> <snip>
>
> Hi Sebastian,
>
> I perfectly know what type of email you are talking about, I've seen
> them written at least in Italian, English and Spanish. If you click the
> link you are being redirected to shady dating websites or
> bitcoin/investment scam sites (at least in my experience).
>
> Since I get the majority of these emails in Italian, I've written a meta
> rule that takes into account:
>
> - Common misspelled words/phrases
> - Body lines must be < 5
> - The common pattern in all the URLs. Take a close look at them, there
> IS a pattern, not writing it here for obvious reasons :)
Thank you so much for that! The emails I see don't usually have spelling
mistakes, but you are right, it seems that the URL is the way to go.
I've been looking for patterns in the headers and source servers all
along - it never crossed my mind to check the body! Thanks again
Re: Extremely persistent sex/make money spam with very little text in the body
Posted by Daniele Duca <du...@staff.spin.it>.
On 07/03/2018 17:32, Jakob Curdes wrote:
>
>>
>> Since I get the majority of these emails in Italian, I've written a
>> meta rule that takes into account:
> Hello Duca, would you share this rule with us? I would be interested
> in looking at the results, as we also have lots of these messages here.
> JC
Hi,
I believe my rule wouldn't be as useful for you because a part of it is
related to misspelled Italian words (I believe they sloppily translated
from English).
However, I'll drop an email to you offlist with the other relevant parts
to avoid eventual spammers lurking here ;)
Daniele
Re: Extremely persistent sex/make money spam with very little text in the body
Posted by Jakob Curdes <jc...@info-systems.de>.
>
> Since I get the majority of these emails in Italian, I've written a meta rule that takes into account:
Hello Duca, would you share this rule with us? I would be interested in looking at the results, as
we also have lots of these messages here.
JC
Re: Extremely persistent sex/make money spam with very little text in the body
Posted by Daniele Duca <du...@staff.spin.it>.
On 07/03/2018 09:52, Sebastian Arcus wrote:
> I have this one email account receiving, for more than a year, a very
> specific type of spam which I find very difficult to block:
>
> 1. The messages are all kept very short, generally below 20 words - I
> assume so that Bayes is less efficient at classifying them?
>
> 2. Although they are all invitations to sex, or making money - they
> are phrased differently every time and use different words - so Bayes
> scores are consistently low.
<snip>
Hi Sebastian,
I perfectly know what type of email you are talking about, I've seen
them written at least in Italian, English and Spanish. If you click the
link you are being redirected to shady dating websites or
bitcoin/investment scam sites (at least in my experience).
Since I get the majority of these emails in Italian, I've written a meta
rule that takes into account:
- Common misspelled words/phrases
- Body lines must be < 5
- The common pattern in all the URLs. Take a close look at them, there
IS a pattern, not writing it here for obvious reasons :)
If all these conditions are matched the email is flagged. So far (about
6 months), no complaints. If you have only one address that receives
these emails I'd add a test to see if the recipient is that specific one
for more precision
Hope it helps
Daniele
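The two detection ideas raised in this thread, Leandro's suggestion to cross-reference the URL host IPs across messages and Daniele's meta rule (short body, a URL, and delivery to the one targeted mailbox), put together as a small Python prototype. This is an added example, not code from the SpamAssassin list or from either poster: all messages, domains (RFC 2606 names) and IPs (RFC 5737 ranges) are constructed, the resolver table stands in for DNS so the script runs offline (pass `table=None` to use the real resolver), and since Daniele deliberately withheld the URL pattern, the meta rule only checks that a URL is present. In a real deployment the same conditions would be expressed as SpamAssassin `uri`, `body` and `header` sub-rules combined with a `meta` rule.

```python
"""Scoring short URL spam by shared web-server IP and by a meta rule.

Added example, not from the SpamAssassin thread. Every message, hostname and
IP below is constructed; FAKE_DNS replaces real resolution so this runs offline.
"""
import re
import socket
from collections import defaultdict
from email import message_from_string

URL_RE = re.compile(r"https?://([a-z0-9.-]+)\S*", re.I)

# Constructed sample mailbox: four short notes, each with a different URL
# domain, and one ordinary newsletter, all addressed to one target mailbox.
TARGET = "victim@example.com"
SAMPLES = [
    "To: victim@example.com\nSubject: hi\n\nwanna meet tonight? http://promo-a.example/go.php\n",
    "To: victim@example.com\nSubject: hey\n\nearn 500 a day, see http://shop-b.example/x.php\n",
    "To: victim@example.com\nSubject: ;)\n\nI am waiting for you\nhttp://deal-c.example/p.php?i=2\n",
    "To: victim@example.com\nSubject: money\n\nquick cash here http://offer-d.example/\n",
    "To: victim@example.com\nSubject: Weekly newsletter\n\nHello,\n\nHere is this week's digest.\n"
    "Read it at https://newsletter.example.org/issue/42\n\nRegards,\nThe team\n",
]

# Constructed resolver table: the four spam domains all land on one web
# server (Leandro's observation), the newsletter host does not.
FAKE_DNS = {
    "promo-a.example": "192.0.2.10",
    "shop-b.example": "192.0.2.10",
    "deal-c.example": "192.0.2.10",
    "offer-d.example": "192.0.2.10",
    "newsletter.example.org": "198.51.100.5",
}


def resolve(host, table=FAKE_DNS):
    """Return the A record for host; table=None falls back to real DNS."""
    if table is not None:
        return table.get(host.lower())
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def body_of(raw):
    """Body text of a single-part text message (all samples are such)."""
    return message_from_string(raw).get_payload()


def hosts_in(body):
    """Lower-cased hostnames of every http(s) URL in the body."""
    return [h.lower() for h in URL_RE.findall(body)]


def build_ip_index(raws, resolver=resolve):
    """The 'cross the data' step: ip -> set of distinct URL hosts seen behind it."""
    index = defaultdict(set)
    for raw in raws:
        for host in hosts_in(body_of(raw)):
            ip = resolver(host)
            if ip:
                index[ip].add(host)
    return index


def shared_host_ip(raw, index, resolver=resolve, min_domains=3):
    """True if a URL host resolves to an IP already seen behind >= min_domains
    different domains, i.e. the 'concentrated' web server the thread describes."""
    for host in hosts_in(body_of(raw)):
        ip = resolver(host)
        if ip and len(index.get(ip, ())) >= min_domains:
            return True
    return False


def meta_rule(raw, target=TARGET, max_lines=5, max_words=20):
    """All conditions must hold, like a SpamAssassin meta rule: fewer than
    max_lines non-empty body lines, at most max_words words, at least one URL,
    and the message is addressed to the single targeted mailbox."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    lines = [line for line in body.splitlines() if line.strip()]
    words = body.split()
    to_header = (msg.get("To") or "").lower()
    return (len(lines) < max_lines and len(words) <= max_words
            and bool(hosts_in(body)) and target in to_header)


def classify(raw, index):
    """Names of the rules a message hits; an empty list means clean."""
    hits = []
    if shared_host_ip(raw, index):
        hits.append("URI_HOST_SHARED_IP")
    if meta_rule(raw):
        hits.append("SHORT_URL_SPAM_META")
    return hits


if __name__ == "__main__":
    idx = build_ip_index(SAMPLES)
    for raw in SAMPLES:
        print(message_from_string(raw)["Subject"], classify(raw, idx))
```

The index is built from the whole corpus first, so a message is only penalised once its web server has been seen behind several unrelated domains; that is what keeps a legitimately shared host like a newsletter provider from tripping the rule on a single sighting. The meta rule mirrors Daniele's advice to add a recipient test when only one address is targeted: the same short-body-plus-URL shape is common in legitimate one-liners, and the recipient condition is what gives the combination its precision.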