Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2007/04/30 06:52:39 UTC
Catching and stopping 419 spam
OK - I did this with Exim rules but the same trick could be used in SA.
I figured out a trick that catches 419 spam with amazing accuracy.
419 spammers generally use Yahoo, Hotmail, Gmail, and other popular free
mailers. And they generally have different from and reply-to addresses.
And both the from and reply-to are popular free mail sites. For example
the sender is spammer@yahoo.co.jp and the reply-to is hotmail.com.
The idea is they get busted for sending spam but not receiving the
replies. So as the sending accounts get shut down the receiving accounts
are still intact. So they just create a new sending account and continue.
So - who uses one freemail address with a reply-to of another? 419
spammers. So if you make a list of domains that are popular freemail
vendors used by spammers and if both the from and reply-to addresses are
in this list and they are different, it's a 419 spammer.
And - after detecting these spams I forward the email in real time to
abuse@ for both the from and the reply-to domains. My hope is that when
the big boys get these they can shut these spammers down.
I'm thinking if a lot of people start using this kind of automated
reporting and say yahoo starts seeing a lot of complaint on a single
address they could automatically shut down both accounts. Here's my Exim
code.
Anyhow - I figure this trick would be easy to code up for SA and someone
should try it.
# ACL: tag the From and Reply-to domains when they are in the freemail list
warn message   = X-Freemail-From: ${domain:$h_From:}
     condition = ${if match_domain{${domain:$h_From:}}{dbm;/etc/exim/run/freemaildomains.db}}

warn message   = X-Freemail-Reply-to: ${domain:$h_Reply-to:}
     condition = ${if match_domain{${domain:$h_Reply-to:}}{dbm;/etc/exim/run/freemaildomains.db}}

# ACL: drop when both domains are freemail and the two full addresses differ
drop condition  = ${if match_domain{${domain:$h_Reply-to:}}{dbm;/etc/exim/run/freemaildomains.db}}
     condition  = ${if match_domain{${domain:$h_From:}}{dbm;/etc/exim/run/freemaildomains.db}}
     !condition = ${if eqi{${local_part:$h_From:}@${domain:$h_From:}}{${local_part:$h_Reply-to:}@${domain:$h_Reply-to:}}}
     message    = X-Spam-feed: 419
     message    = spamsave - 419scam - Reply-to domain does not match From domain - R=$h_Reply-to: F=$h_From:

# Exim Filter: forward high-scoring spam to abuse@ at each tagged domain
if $h_X-Spam-Class: contains "SPAM-HIGH-VERY"
then
  if "$h_X-Freemail-From:" is not ""
  then
    unseen deliver abuse@$h_X-Freemail-From:
  endif
  if "$h_X-Freemail-Reply-to:" is not ""
  then
    unseen deliver abuse@$h_X-Freemail-Reply-to:
  endif
endif
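The From/Reply-to rule from the post above, re-implemented as a stand-alone Python check. This is an added example, not Marc's Exim configuration and not the FreeMail.pm plugin mentioned later in the thread. The freemail set is a constructed subset of the domain list posted in this thread, the sample messages are constructed, and the names `split_address` and `check_419_freemail` are chosen here. Like the `drop` statement, it fires only when both domains are in the list and the two full addresses differ case-insensitively, so two different addresses on the same freemail domain also match.

```python
"""Freemail From/Reply-To mismatch check for 419 scams (added example)."""
import email
from email.utils import parseaddr

# Constructed subset of the thread's freemail list; stands in for the
# dbm file /etc/exim/run/freemaildomains.db used by the Exim rules.
FREEMAIL_DOMAINS = {
    "aol.com", "excite.com", "gmail.com", "hotmail.com", "hotmail.co.uk",
    "msn.com", "tripod-mail.com", "web.de", "yahoo.com", "yahoo.co.jp",
    "yahoo.co.uk",
}


def split_address(header_value):
    """Return (local_part, domain) of the first address in a header value,
    lower-cased, mirroring Exim's ${local_part:} and ${domain:} operators.
    Returns (None, None) when the header is absent or holds no address."""
    if not header_value:
        return None, None
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return None, None
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def check_419_freemail(raw_message, freemail=FREEMAIL_DOMAINS):
    """Apply the three conditions of the Exim 'drop' statement:
    Reply-To domain is freemail, From domain is freemail, and the two
    addresses are not equal (Exim's eqi{} is case-insensitive).
    The returned dict mirrors the X-Freemail-* headers the 'warn'
    statements add, plus a 'hit' flag for the drop condition."""
    msg = email.message_from_string(raw_message)
    from_local, from_domain = split_address(msg.get("From"))
    reply_local, reply_domain = split_address(msg.get("Reply-To"))

    result = {
        "X-Freemail-From": from_domain if from_domain in freemail else None,
        "X-Freemail-Reply-to": reply_domain if reply_domain in freemail else None,
        "hit": False,
    }
    if result["X-Freemail-From"] and result["X-Freemail-Reply-to"]:
        same = (from_local, from_domain) == (reply_local, reply_domain)
        result["hit"] = not same
    return result


# Constructed sample messages (headers, blank line, body).
SAMPLE_419 = """From: "Mr. Okoro" <barrister.okoro@yahoo.co.jp>
Reply-To: okoro_chambers@hotmail.com
Subject: urgent business proposal

Dear friend, ...
"""

SAMPLE_CLEAN = """From: alice@gmail.com
Reply-To: Alice <Alice@GMAIL.com>
Subject: lunch

See you at noon.
"""

SAMPLE_NO_REPLYTO = """From: bob@yahoo.com
Subject: hi

Hello.
"""

# Same freemail domain, different local parts: still a hit under this rule.
SAMPLE_SAME_DOMAIN = """From: news@tripod-mail.com
Reply-To: 12345@tripod-mail.com
Subject: better deal

...
"""

if __name__ == "__main__":
    for name in ("SAMPLE_419", "SAMPLE_CLEAN", "SAMPLE_NO_REPLYTO", "SAMPLE_SAME_DOMAIN"):
        print(name, check_419_freemail(globals()[name]))
```

Running the file prints one result line per sample; only `SAMPLE_419` and `SAMPLE_SAME_DOMAIN` are flagged.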
Re: Catching and stopping 419 spam
Posted by Marc Perkel <ma...@perkel.com>.
oh - and - here's my freemail list
aim.com
aol.co.uk
aol.com
bellsouth.net
comcast.net
compuserve.com
cox.net
excite.com
excite.co.uk
fastmail.com
gci.net
gmail.com
google.com
hotmail.co.uk
hotmail.com
hotmail.fr
hotpop.com
juno.com
lycos.com
mail.com
msn.com
myspace.com
myway.com
sbcglobal.com
sify.com
terra.com
tripod-mail.com
uymail.com
walla.com
web.de
yahoo.ca
yahoo.co.au
yahoo.co.in
yahoo.co.jp
yahoo.co.uk
yahoo.com
yahoo.com.cn
yahoo.com.hk
yahoo.de
yahoo.es
yahoo.fr
yahoo.it
yahoo.mx
yahoo.ru
yahoo.tw
Re: Catching and stopping 419 spam
Posted by Chris Edwards <ch...@eng.gla.ac.uk>.
On Sun, 29 Apr 2007, Marc Perkel wrote:
| And - after detecting these spams I forward the email in real time to abuse@
| for both the from and the reply-to domains. My hope is that when the big boys
| get these they can shut these spammers down.
Take care - in particular for sending to abuse@ for the "from" domain, as
many of these will be forgeries.
Re: Catching and stopping 419 spam
Posted by Henrik Krohns <he...@hege.li>.
On Tue, May 22, 2007 at 10:36:20AM +0300, Henrik Krohns wrote:
> On Mon, Apr 30, 2007 at 12:41:44PM +0300, Henrik Krohns wrote:
> > On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> > > OK - I did this with Exim rules but the same trick could be used in SA.
> > > I figured out a trick that catches 419 spam with amazing accuracy.
> > >
> > > ...
> > > So - who uses one freemail address with a reply-to of another? 419
> > > spammers. So if you make a list of domains that are popular freemail
> > > vendors used by spammers and if both the from and reply-to addresses are
> > > in this list and they are different, it's a 419 spammer.
> > >
> > > ...
> > > Anyhow - I figure this trick would be easy to code up for SA and someone
> > > should try it.
> >
> > Good idea. I made a simple plugin for testing..
> >
> > http://sa.hege.li/FreeMail.pm
>
> I updated this with a large default freemail list. No need to define anything
> manually anymore, unless you have something that's not in the list.
>
> It also checks addresses found in message body. Except when there are more
> than 2 found or "foo@bar.net Wrote:" format, to reduce false positives.
>
> Maybe someone could do a mass check, I'm too lazy to set it up..
Tiny update again, emails with underscores in body could create some FPs..
Cheers,
Henrik
Re: Catching and stopping 419 spam
Posted by Henrik Krohns <he...@hege.li>.
On Thu, May 24, 2007 at 09:51:07AM -0500, Mike Grau wrote:
>
> >I'd like to see other people's stats as well. I'm using it to block and
> >my 419 spam is almost completely gone. But I'm wondering what other
> >people's experiences are.
> >
>
> FPs here on emails that have been forwarded and have email addresses in
> the message body. These have all been from cox.net which is listed in
> FreeMail.pm. cox.net does not offer free email; you have to be a cox
> customer.
Ok thanks, removed that..
-hk
Re: Catching and stopping 419 spam
Posted by Mike Grau <m....@kcc.state.ks.us>.
> I'd like to see other people's stats as well. I'm using it to block and
> my 419 spam is almost completely gone. But I'm wondering what other
> people's experiences are.
>
FPs here on emails that have been forwarded and have email addresses in
the message body. These have all been from cox.net which is listed in
FreeMail.pm. cox.net does not offer free email; you have to be a cox
customer.
-- Mike G
Re: Catching and stopping 419 spam
Posted by Marc Perkel <ma...@perkel.com>.
Henrik Krohns wrote:
> On Mon, Apr 30, 2007 at 12:41:44PM +0300, Henrik Krohns wrote:
>
>> On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
>>
>>> OK - I did this with Exim rules but the same trick could be used in SA.
>>> I figured out a trick that catches 419 spam with amazing accuracy.
>>>
>>> ...
>>> So - who uses one freemail address with a reply-to of another? 419
>>> spammers. So if you make a list of domains that are popular freemail
>>> vendors used by spammers and if both the from and reply-to addresses are
>>> in this list and they are different, it's a 419 spammer.
>>>
>>> ...
>>> Anyhow - I figure this trick would be easy to code up for SA and someone
>>> should try it.
>>>
>> Good idea. I made a simple plugin for testing..
>>
>> http://sa.hege.li/FreeMail.pm
>>
>
> I updated this with a large default freemail list. No need to define anything
> manually anymore, unless you have something that's not in the list.
>
> It also checks addresses found in message body. Except when there are more
> than 2 found or "foo@bar.net Wrote:" format, to reduce false positives.
>
> Maybe someone could do a mass check, I'm too lazy to set it up..
>
> Cheers,
> Henrik
>
>
I'd like to see other people's stats as well. I'm using it to block and
my 419 spam is almost completely gone. But I'm wondering what other
people's experiences are.
Re: Catching and stopping 419 spam
Posted by Matthias Häker <mh...@its-h.de>.
Matthias Häker schrieb:
> Hi
>
> I would like to give the Plugin a try but I have the following error in
> spamd.log
>
> rules: failed to run FREEMAIL_REPLYTO test, skipping:
> Tue May 22 10:05:39 2007 [18602] warn: (Can't locate object method
> "check_freemail_replyto" via package
> "Mail::SpamAssassin::PerMsgStatus" at (eval 600) line 1491.
> Tue May 22 10:05:39 2007 [18602] warn: )
>
>
I renamed freemail.pm to FreeMail.pm and now it is working.
I guess I should finish my morning coffee prior to posting and testing ;-)
Matthias Häker
Re: Catching and stopping 419 spam
Posted by Matthias Häker <mh...@its-h.de>.
Hi
I would like to give the Plugin a try but I have the following error in
spamd.log
rules: failed to run FREEMAIL_REPLYTO test, skipping:
Tue May 22 10:05:39 2007 [18602] warn: (Can't locate object method "check_freemail_replyto" via package "Mail::SpamAssassin::PerMsgStatus" at (eval 600) line 1491.
Tue May 22 10:05:39 2007 [18602] warn: )
my freemail.cf is
loadplugin Mail::SpamAssassin::Plugin::FreeMail /etc/mail/spamassassin/FreeMail.pm
header FREEMAIL_REPLYTO eval:check_freemail_replyto()
describe FREEMAIL_REPLYTO Different freemail address found in Reply-To or Body than From
score FREEMAIL_REPLYTO 2
????
Matthias Häker
Re: Catching and stopping 419 spam
Posted by Henrik Krohns <he...@hege.li>.
On Mon, Apr 30, 2007 at 12:41:44PM +0300, Henrik Krohns wrote:
> On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> > OK - I did this with Exim rules but the same trick could be used in SA.
> > I figured out a trick that catches 419 spam with amazing accuracy.
> >
> > ...
> > So - who uses one freemail address with a reply-to of another? 419
> > spammers. So if you make a list of domains that are popular freemail
> > vendors used by spammers and if both the from and reply-to addresses are
> > in this list and they are different, it's a 419 spammer.
> >
> > ...
> > Anyhow - I figure this trick would be easy to code up for SA and someone
> > should try it.
>
> Good idea. I made a simple plugin for testing..
>
> http://sa.hege.li/FreeMail.pm
I updated this with a large default freemail list. No need to define anything
manually anymore, unless you have something that's not in the list.
It also checks addresses found in message body. Except when there are more
than 2 found or "foo@bar.net Wrote:" format, to reduce false positives.
Maybe someone could do a mass check, I'm too lazy to set it up..
Cheers,
Henrik
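The body-address check Henrik describes above, written out as an added Python example (it is not FreeMail.pm and does not reproduce that plugin's code). It implements the behaviour as stated in the thread: addresses found in the body are treated like a Reply-To candidate, except when more than 2 distinct addresses are found or when an address is in "foo@bar.net Wrote:" form. The freemail subset, the header dicts, the sample bodies and the names `body_addresses` and `check_freemail_replyto` are all constructed for this example.

```python
"""Freemail check extended to addresses in the message body (added example)."""
import re
from email.utils import parseaddr

# Constructed subset of the thread's freemail list.
FREEMAIL_DOMAINS = {
    "aol.com", "gmail.com", "hotmail.com", "msn.com", "yahoo.com", "yahoo.co.uk",
}

# Plain e-mail address pattern (ASCII only; underscores allowed in the local part).
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.ASCII)
# An address directly followed by "Wrote:" introduces quoted text,
# so it is a correspondent, not a reply address.
WROTE_RE = re.compile(r"\s+wrote:", re.IGNORECASE)


def body_addresses(body, max_addresses=2):
    """Return the distinct lower-cased addresses found in the body,
    skipping any in 'foo@bar.net Wrote:' form.  Returns [] when more than
    max_addresses remain, the plugin's guard against forwarded mail that
    quotes several people's addresses."""
    found = []
    for match in ADDR_RE.finditer(body):
        if WROTE_RE.match(body, match.end()):
            continue
        addr = match.group(0).lower()
        if addr not in found:
            found.append(addr)
    if len(found) > max_addresses:
        return []
    return found


def check_freemail_replyto(headers, body, freemail=FREEMAIL_DOMAINS):
    """Mirror of the FREEMAIL_REPLYTO rule as described in the thread:
    True when From is a freemail address and a different freemail address
    appears in Reply-To or in the body.  'headers' is a dict with
    lower-case keys ("from", optionally "reply-to")."""
    from_addr = parseaddr(headers.get("from", ""))[1].lower()
    if from_addr.rpartition("@")[2] not in freemail:
        return False

    candidates = []
    reply_to = parseaddr(headers.get("reply-to", ""))[1].lower()
    if reply_to:
        candidates.append(reply_to)
    candidates.extend(body_addresses(body))

    return any(
        addr != from_addr and addr.rpartition("@")[2] in freemail
        for addr in candidates
    )


# Constructed samples.
SAMPLE_419_BODY = {
    "headers": {"from": "mrs.adaeze@yahoo.co.uk"},
    "body": "Dear friend,\nContact my lawyer at adaeze_trust@hotmail.com for the documents.\n",
}
# A forward quoting three addresses: more than 2 remain, so none count.
SAMPLE_FORWARD = {
    "headers": {"from": "carol@gmail.com"},
    "body": ("FYI\n\ndan@yahoo.com Wrote:\n"
             "> can you send this to erin@hotmail.com, frank@aol.com and grace@msn.com?\n"),
}
# A normal reply: the only address is in "x wrote:" form.
SAMPLE_QUOTED = {
    "headers": {"from": "carol@gmail.com"},
    "body": "dan@yahoo.com wrote:\n> lunch tomorrow?\nSure.\n",
}

if __name__ == "__main__":
    for name in ("SAMPLE_419_BODY", "SAMPLE_FORWARD", "SAMPLE_QUOTED"):
        sample = globals()[name]
        print(name, check_freemail_replyto(sample["headers"], sample["body"]))
```

Only `SAMPLE_419_BODY` is flagged; the forward and the quoted reply are passed over by the two exclusions the thread describes.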
Re: Catching and stopping 419 spam
Posted by Henrik Krohns <he...@hege.li>.
On Mon, Apr 30, 2007 at 01:08:49PM -0700, Bret Miller wrote:
> > On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> > > OK - I did this with Exim rules but the same trick could be
> > used in SA.
> > > I figured out a trick that catches 419 spam with amazing accuracy.
> > >
> > > ...
> > > So - who uses one freemail address with a reply-to of another? 419
> > > spammers. So if you make a list of domains that are popular
> > freemail
> > > vendors used by spammers and if both the from and reply-to
> > addresses are
> > > in this list and they are different, it's a 419 spammer.
> > >
> > > ...
> > > Anyhow - I figure this trick would be easy to code up for
> > SA and someone
> > > should try it.
> >
> > Good idea. I made a simple plugin for testing..
> >
> > http://sa.hege.li/FreeMail.pm
>
> So far, it's only hitting on some "better deal" insurance messages that
> use tripod-mail.com.
It does hit many 419 mails here (especially yahoo.co.?? and excite.com). But
not really any which wouldn't have been over the kill level already.
Cheers,
Henrik
RE: Catching and stopping 419 spam
Posted by Bret Miller <br...@wcg.org>.
> On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> > OK - I did this with Exim rules but the same trick could be
> used in SA.
> > I figured out a trick that catches 419 spam with amazing accuracy.
> >
> > ...
> > So - who uses one freemail address with a reply-to of another? 419
> > spammers. So if you make a list of domains that are popular
> freemail
> > vendors used by spammers and if both the from and reply-to
> addresses are
> > in this list and they are different, it's a 419 spammer.
> >
> > ...
> > Anyhow - I figure this trick would be easy to code up for
> SA and someone
> > should try it.
>
> Good idea. I made a simple plugin for testing..
>
> http://sa.hege.li/FreeMail.pm
So far, it's only hitting on some "better deal" insurance messages that
use tripod-mail.com. To me, it looks like Tripod uses different from and
reply-to addresses with the reply-to being a sequential number, perhaps
for threading the messages. Both the reply-to and from addresses are
tripod-mail.com. The reply-to and return-path addresses are different,
but use the same sequential number in them, and the errors-to and from
are different and do not use the number. That is, 4 from/reply addresses
on each message.
Of course, it's spam anyway, but not really the type we're trying to
catch with this technique.
Bret
Re: Catching and stopping 419 spam
Posted by Henrik Krohns <he...@hege.li>.
On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> OK - I did this with Exim rules but the same trick could be used in SA.
> I figured out a trick that catches 419 spam with amazing accuracy.
>
> ...
> So - who uses one freemail address with a reply-to of another? 419
> spammers. So if you make a list of domains that are popular freemail
> vendors used by spammers and if both the from and reply-to addresses are
> in this list and they are different, it's a 419 spammer.
>
> ...
> Anyhow - I figure this trick would be easy to code up for SA and someone
> should try it.
Good idea. I made a simple plugin for testing..
http://sa.hege.li/FreeMail.pm
Cheers,
Henrik