Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2007/04/30 06:52:39 UTC

Catching and stopping 419 spam

OK - I did this with Exim rules but the same trick could be used in SA. 
I figured out a trick that catches 419 spam with amazing accuracy.

419 spammers generally use Yahoo, Hotmail, Gmail, and other popular free 
mailers. And they generally have different from and reply-to addresses. 
And both the from and reply-to are popular free mail sites. For example 
the sender is spammer@yahoo.co.jp and the reply-to is hotmail.com.

The idea is they get busted for sending spam but not receiving the 
replies. So as the sending accounts get shut down the receiving accounts 
are still intact. So they just create a new sending account and continue.

So - who uses one freemail address with a reply-to of another? 419 
spammers. So if you make a list of domains that are popular freemail 
vendors used by spammers and if both the from and reply-to addresses are 
in this list and they are different, it's a 419 spammer.

And - after detecting these spams I forward the email in real time to 
abuse@ for both the from and the reply-to domains. My hope is that when 
the big boys get these they can shut these spammers down.

I'm thinking if a lot of people start using this kind of automated 
reporting and say yahoo starts seeing a lot of complaint on a single 
address they could automatically shut down both accounts. Here's my Exim 
code.

Anyhow - I figure this trick would be easy to code up for SA and someone 
should try it.

# Tag the message when the From domain is on the freemail list
warn    message = X-Freemail-From: ${domain:$h_From:}
    condition = ${if match_domain{${domain:$h_From:}}{dbm;/etc/exim/run/freemaildomains.db}}

# Tag the message when the Reply-to domain is on the freemail list
warn    message = X-Freemail-Reply-to: ${domain:$h_Reply-to:}
    condition = ${if match_domain{${domain:$h_Reply-to:}}{dbm;/etc/exim/run/freemaildomains.db}}

# Drop when both domains are freemail and the two addresses differ
drop    condition = ${if match_domain{${domain:$h_Reply-to:}}{dbm;/etc/exim/run/freemaildomains.db}}
    condition = ${if match_domain{${domain:$h_From:}}{dbm;/etc/exim/run/freemaildomains.db}}
    !condition = ${if eqi{${local_part:$h_From:}@${domain:$h_From:}}{${local_part:$h_Reply-to:}@${domain:$h_Reply-to:}}}
    message = X-Spam-feed: 419
    message = spamsave - 419scam - Reply-to domain does not match From domain - R=$h_Reply-to: F=$h_From:

# Exim Filter

if $h_X-Spam-Class: contains "SPAM-HIGH-VERY"
then

   if "$h_X-Freemail-From:" is not ""
   then
      unseen deliver abuse@$h_X-Freemail-From:
   endif

   if "$h_X-Freemail-Reply-to:" is not ""
   then
      unseen deliver abuse@$h_X-Freemail-Reply-to:
   endif

endif



Re: Catching and stopping 419 spam

Posted by Marc Perkel <ma...@perkel.com>.
Oh - and - here's my freemail list

aim.com
aol.co.uk
aol.com
bellsouth.net
comcast.net
compuserve.com
cox.net
excite.com
excite.co.uk
fastmail.com
gci.net
gmail.com
google.com
hotmail.co.uk
hotmail.com
hotmail.fr
hotpop.com
juno.com
lycos.com
mail.com
msn.com
myspace.com
myway.com
sbcglobal.com
sify.com
terra.com
tripod-mail.com
uymail.com
walla.com
web.de
yahoo.ca
yahoo.co.au
yahoo.co.in
yahoo.co.jp
yahoo.co.uk
yahoo.com
yahoo.com.cn
yahoo.com.hk
yahoo.de
yahoo.es
yahoo.fr
yahoo.it
yahoo.mx
yahoo.ru
yahoo.tw



Re: Catching and stopping 419 spam

Posted by Chris Edwards <ch...@eng.gla.ac.uk>.
On Sun, 29 Apr 2007, Marc Perkel wrote:

| And - after detecting these spams I forward the email in real time to abuse@
| for both the from and the reply-to domains. My hope is that when the big boys
| get these they can shut these spammers down.

Take care - in particular for sending to abuse@ for the "from" domain, as 
many of these will be forgeries.

Re: Catching and stopping 419 spam

Posted by Henrik Krohns <he...@hege.li>.
On Tue, May 22, 2007 at 10:36:20AM +0300, Henrik Krohns wrote:
> On Mon, Apr 30, 2007 at 12:41:44PM +0300, Henrik Krohns wrote:
> > On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> > > OK - I did this with Exim rules but the same trick could be used in SA. 
> > > I figured out a trick that catches 419 spam with amazing accuracy.
> > > 
> > > ...
> > > So - who uses one freemail address with a reply-to of another? 419 
> > > spammers. So if you make a list of domains that are popular freemail 
> > > vendors used by spammers and if both the from and reply-to addresses are 
> > > in this list and they are different, it's a 419 spammer.
> > > 
> > > ...
> > > Anyhow - I figure this trick would be easy to code up for SA and someone 
> > > should try it.
> > 
> > Good idea. I made a simple plugin for testing..
> > 
> > http://sa.hege.li/FreeMail.pm
> 
> I updated this with a large default freemail list. No need to define anything
> manually anymore, unless you have something that's not in the list.
> 
> It also checks addresses found in message body. Except when there are more
> than 2 found or "foo@bar.net Wrote:" format, to reduce false positives.
> 
> Maybe someone could do a mass check, I'm too lazy to set it up..

Tiny update again, emails with underscores in body could create some FPs..

Cheers,
Henrik

Re: Catching and stopping 419 spam

Posted by Henrik Krohns <he...@hege.li>.
On Thu, May 24, 2007 at 09:51:07AM -0500, Mike Grau wrote:
> 
> >I'd like to see other people's states as well. I'm using it to block and 
> >my 419 spam is almost completely gone. But I'm wondering what other 
> >people's experiences are.
> >
> 
> FPs here on emails that have been forwarded and have email addresses in 
> the message body. These have all been from cox.net which is listed in 
> FreeMail.pm. cox.net does not offer free email; you have to be a cox 
> customer.

Ok thanks, removed that..

-hk

Re: Catching and stopping 419 spam

Posted by Mike Grau <m....@kcc.state.ks.us>.
> I'd like to see other people's states as well. I'm using it to block and 
> my 419 spam is almost completely gone. But I'm wondering what other 
> people's experiences are.
> 

FPs here on emails that have been forwarded and have email addresses in 
the message body. These have all been from cox.net which is listed in 
FreeMail.pm. cox.net does not offer free email; you have to be a cox 
customer.

-- Mike G

Re: Catching and stopping 419 spam

Posted by Marc Perkel <ma...@perkel.com>.

Henrik Krohns wrote:
> On Mon, Apr 30, 2007 at 12:41:44PM +0300, Henrik Krohns wrote:
>   
>> On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
>>     
>>> OK - I did this with Exim rules but the same trick could be used in SA. 
>>> I figured out a trick that catches 419 spam with amazing accuracy.
>>>
>>> ...
>>> So - who uses one freemail address with a reply-to of another? 419 
>>> spammers. So if you make a list of domains that are popular freemail 
>>> vendors used by spammers and if both the from and reply-to addresses are 
>>> in this list and they are different, it's a 419 spammer.
>>>
>>> ...
>>> Anyhow - I figure this trick would be easy to code up for SA and someone 
>>> should try it.
>>>       
>> Good idea. I made a simple plugin for testing..
>>
>> http://sa.hege.li/FreeMail.pm
>>     
>
> I updated this with a large default freemail list. No need to define anything
> manually anymore, unless you have something that's not in the list.
>
> It also checks addresses found in message body. Except when there are more
> than 2 found or "foo@bar.net Wrote:" format, to reduce false positives.
>
> Maybe someone could do a mass check, I'm too lazy to set it up..
>
> Cheers,
> Henrik
>
>   

I'd like to see other people's states as well. I'm using it to block and 
my 419 spam is almost completely gone. But I'm wondering what other 
people's experiences are.


Re: Catching and stopping 419 spam

Posted by Matthias Häker <mh...@its-h.de>.

Matthias Häker wrote:
> Hi
>
> I would like to give the plugin a try but I have the following error in 
> spamd.log
>
> rules: failed to run FREEMAIL_REPLYTO test, skipping:
> Tue May 22 10:05:39 2007 [18602] warn:  (Can't locate object method 
> "check_freemail_replyto" via package 
> "Mail::SpamAssassin::PerMsgStatus" at (eval 600) line 1491.
> Tue May 22 10:05:39 2007 [18602] warn: )
>
>

I renamed freemail.pm to FreeMail.pm and now it is working.

I guess I should finish my morning coffee prior to posting and testing ;-)

Matthias Häker

Re: Catching and stopping 419 spam

Posted by Matthias Häker <mh...@its-h.de>.
Hi

I would like to give the plugin a try but I have the following error in 
spamd.log

rules: failed to run FREEMAIL_REPLYTO test, skipping:
Tue May 22 10:05:39 2007 [18602] warn:  (Can't locate object method "check_freemail_replyto" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 600) line 1491.
Tue May 22 10:05:39 2007 [18602] warn: )

my freemail.cf is

loadplugin Mail::SpamAssassin::Plugin::FreeMail /etc/mail/spamassassin/FreeMail.pm

 header   FREEMAIL_REPLYTO eval:check_freemail_replyto()
 describe FREEMAIL_REPLYTO Different freemail address found in Reply-To or Body than From
 score    FREEMAIL_REPLYTO 2



????


Matthias Häker

Re: Catching and stopping 419 spam

Posted by Henrik Krohns <he...@hege.li>.
On Mon, Apr 30, 2007 at 12:41:44PM +0300, Henrik Krohns wrote:
> On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> > OK - I did this with Exim rules but the same trick could be used in SA. 
> > I figured out a trick that catches 419 spam with amazing accuracy.
> > 
> > ...
> > So - who uses one freemail address with a reply-to of another? 419 
> > spammers. So if you make a list of domains that are popular freemail 
> > vendors used by spammers and if both the from and reply-to addresses are 
> > in this list and they are different, it's a 419 spammer.
> > 
> > ...
> > Anyhow - I figure this trick would be easy to code up for SA and someone 
> > should try it.
> 
> Good idea. I made a simple plugin for testing..
> 
> http://sa.hege.li/FreeMail.pm

I updated this with a large default freemail list. No need to define anything
manually anymore, unless you have something that's not in the list.

It also checks addresses found in message body. Except when there are more
than 2 found or "foo@bar.net Wrote:" format, to reduce false positives.

Maybe someone could do a mass check, I'm too lazy to set it up..

Cheers,
Henrik
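Marc's From/Reply-To rule at the top of the thread and Henrik's body-address check with its two false-positive guards, as an added Python example that is not code from the thread or from FreeMail.pm. The freemail subset, the sample messages and the reading of "more than 2 found" as more than two distinct addresses in the body are my assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed freemail subset for the example; the thread's list is much longer.
FREEMAIL = {"yahoo.co.jp", "yahoo.com", "hotmail.com", "gmail.com", "excite.com"}

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
# Guard from Henrik's update: a quoted "foo@bar.net wrote:" line is not a reply address.
WROTE_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+\s+wrote:", re.IGNORECASE)

def is_freemail(addr):
    return addr.rsplit("@", 1)[-1].lower() in FREEMAIL if "@" in addr else False

def freemail_replyto(raw):
    """Return a reason string when the 419 pattern matches, else None."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not is_freemail(sender):
        return None
    # Marc's rule: From and Reply-To are both freemail and are different addresses.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender and is_freemail(reply_to):
        return f"Reply-To {reply_to} differs from From {sender}"
    # Henrik's extension: addresses in the body, skipped on "x@y wrote:" quoting
    # or when more than two distinct addresses appear (assumed reading of the post).
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    if WROTE_RE.search(body):
        return None
    found = {a.lower() for a in ADDR_RE.findall(body)}
    if len(found) > 2:
        return None
    for addr in sorted(found):
        if addr != sender and is_freemail(addr):
            return f"body address {addr} differs from From {sender}"
    return None

# Constructed sample messages (not taken from the thread).
SAMPLE_419 = "From: Smith <spammer@yahoo.co.jp>\nReply-To: collector@hotmail.com\n\nReply to claim your funds.\n"
SAMPLE_SAME = "From: bob@gmail.com\nReply-To: bob@gmail.com\n\nHi\n"
SAMPLE_QUOTED = "From: bob@gmail.com\n\ncarol@yahoo.com wrote:\n> see you Friday\n"
SAMPLE_BODY = "From: bob@gmail.com\n\nContact me at collector@hotmail.com for details.\n"
SAMPLE_MANY = "From: bob@gmail.com\n\nCc: a@hotmail.com, b@yahoo.com, c@excite.com\n"

if __name__ == "__main__":
    for name, raw in [("419", SAMPLE_419), ("same", SAMPLE_SAME), ("quoted", SAMPLE_QUOTED),
                      ("body", SAMPLE_BODY), ("many", SAMPLE_MANY)]:
        print(name, "->", freemail_replyto(raw))
```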

Re: Catching and stopping 419 spam

Posted by Henrik Krohns <he...@hege.li>.
On Mon, Apr 30, 2007 at 01:08:49PM -0700, Bret Miller wrote:
> > On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> > > OK - I did this with Exim rules but the same trick could be
> > used in SA.
> > > I figured out a trick that catches 419 spam with amazing accuracy.
> > >
> > > ...
> > > So - who uses one freemail address with a reply-to of another? 419
> > > spammers. So if you make a list of domains that are popular
> > freemail
> > > vendors used by spammers and if both the from and reply-to
> > addresses are
> > > in this list and they are different, it's a 419 spammer.
> > >
> > > ...
> > > Anyhow - I figure this trick would be easy to code up for
> > SA and someone
> > > should try it.
> >
> > Good idea. I made a simple plugin for testing..
> >
> > http://sa.hege.li/FreeMail.pm
> 
> So far, it's only hitting on some "better deal" insurance messages that
> use tripod-mail.com.

It does hit many 419 mails here (especially yahoo.co.?? and excite.com). But
not really any which wouldn't have been over the kill level already.

Cheers,
Henrik

RE: Catching and stopping 419 spam

Posted by Bret Miller <br...@wcg.org>.
> On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> > OK - I did this with Exim rules but the same trick could be 
> used in SA. 
> > I figured out a trick that catches 419 spam with amazing accuracy.
> > 
> > ...
> > So - who uses one freemail address with a reply-to of another? 419 
> > spammers. So if you make a list of domains that are popular 
> freemail 
> > vendors used by spammers and if both the from and reply-to 
> addresses are 
> > in this list and they are different, it's a 419 spammer.
> > 
> > ...
> > Anyhow - I figure this trick would be easy to code up for 
> SA and someone 
> > should try it.
> 
> Good idea. I made a simple plugin for testing..
> 
> http://sa.hege.li/FreeMail.pm

So far, it's only hitting on some "better deal" insurance messages that
use tripod-mail.com. To me, it looks like Tripod uses different from and
reply-to addresses with the reply-to being a sequential number, perhaps
for threading the messages. Both the reply-to and from addresses are
tripod-mail.com. The reply-to and return-path addresses are different,
but use the same sequential number in them, and the errors-to and from
are different and do not use the number. That is, 4 from/reply addresses
on each message.

Of course, it's spam anyway, but not really the type we're trying to
catch with this technique.

Bret




Re: Catching and stopping 419 spam

Posted by Henrik Krohns <he...@hege.li>.
On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> OK - I did this with Exim rules but the same trick could be used in SA. 
> I figured out a trick that catches 419 spam with amazing accuracy.
> 
> ...
> So - who uses one freemail address with a reply-to of another? 419 
> spammers. So if you make a list of domains that are popular freemail 
> vendors used by spammers and if both the from and reply-to addresses are 
> in this list and they are different, it's a 419 spammer.
> 
> ...
> Anyhow - I figure this trick would be easy to code up for SA and someone 
> should try it.

Good idea. I made a simple plugin for testing..

http://sa.hege.li/FreeMail.pm

Cheers,
Henrik