Posted to users@spamassassin.apache.org by Andrea <ml...@vp44.net> on 2013/07/20 07:35:23 UTC
Blocking new spam wave
Hi all.
Since a few days ago I'm being buried under spam messages that slip through
my amavis/SA setup.
The messages all look alike: plaintext with random junk + URL in the body.
Pastebin with a few examples here: http://g2z.me/ed64d
I've tried running a sa-update but I don't have enough samples (yet). The
thing that bothers me is that all the messages have been classified as HAM
by the auto learn (which I have now disabled).
What could be an effective rule/ruleset to block emails like this?
Thanks,
Andrea
Re: Blocking new spam wave
Posted by Bowie Bailey <Bo...@BUC.com>.
On 7/20/2013 1:35 AM, Andrea wrote:
> Hi all.
>
> Since a few days ago I'm being buried under spam messages that slip
> through my amavis/SA setup.
> The messages all look alike: plaintext with random junk + URL in the body.
> Pastebin with a few examples here: http://g2z.me/ed64d
>
> I've tried running a sa-update but I don't have enough samples
> (yet). The thing that bothers me is that all the messages have been
> classified as HAM by the auto learn (which I have now disabled).
> What could be an effective rule/ruleset to block emails like this?
I assume you meant to say "sa-learn" rather than "sa-update"?
The main problem that I see with the scoring is that it is hitting on
BAYES_00. This may have been caused by auto-learn. You need to
manually learn these as spam using sa-learn to counteract that.
--
Bowie
Re: Blocking new spam wave
Posted by Neil Schwartzman <ne...@cauce.org>.
On Jul 19, 2013, at 10:35 PM, Andrea <ml...@vp44.net> wrote:
> Hi all.
>
> Since a few days ago I'm being buried under spam messages that slip through my amavis/SA setup.
> The messages all look alike: plaintext with random junk + URL in the body.
> Pastebin with a few examples here: http://g2z.me/ed64d
>
> I've tried running a sa-update but I don't have enough samples (yet). The thing that bothers me is that all the messages have been classified as HAM by the auto learn (which I have now disabled).
> What could be an effective rule/ruleset to block emails like this?
The emitting IPs appear to be on some fairly prominent blacklists:
65.20.0.50 http://multirbl.valli.org/lookup/65.20.0.50.html Blacklisted: 10 Brownlisted: 0 Yellowlisted: 0 Whitelisted: 0
210.188.175.148 http://multirbl.valli.org/lookup/210.188.175.148.html Blacklisted: 14 Brownlisted: 0 Yellowlisted: 0 Whitelisted: 0
217.16.6.131 http://multirbl.valli.org/lookup/217.16.6.131.html Blacklisted: 17 Brownlisted: 0 Yellowlisted: 0 Whitelisted: 0
The problem, or at least part of it, is that the payloads are all redirects via compromised legitimate sites on hosting companies
http://prembhatiatrust . com/public-sex.html?cuzahetysu
http://auto-atendimentos . info/algerie.html?japu
http://chapcanhuocmo . vn./springbreak.html
prembhatiatrust. com | Creation Date: 23-apr-2002 | 74.208.211.99
auto-atendimentos. info | Created On:30-Mar-2013 11:25:09 UTC | 173.192.200.207
chapcanhuocmo. vn | Ngày đăng ký: 04-04-2011 | 222.255.29.22
for those who care, the ultimate payloads are:
mega-hot-sites . com
hot-hot-sites . com
lovely-sites . com
all sitting on 213.183.59.30 (anders. ru)
which has a couple NS SBLed, which cover all of the payloads (1):
ns1.eliteadultsites. com 213.183.59.30 SBL
ns2.eliteadultsites. com 213.183.59.30 SBL
Passive DNS for 213.183.59.30_32
Records found: 31 (moved & 404 elided)
(1)
Domain Name: COOL-COOL-SITES . com
Registrar: BIZCN . com, INC.
Whois Server: whois.bizcn . com
Referral URL: http://www.bizcn . com
Name Server: NS1.ELITEADULTSITES . com
Name Server: NS2.ELITEADULTSITES . com
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 15-jun-2013
Creation Date: 16-nov-2012
Expiration Date: 16-nov-2013
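An added local.cf fragment, written for this thread and not posted by anyone in it, that combines Bowie's sa-learn advice with a rule for the URL shape Neil quoted (a short .html page on a compromised host with a bare alphabetic query string). The LOCAL_* rule names and the mbox path are placeholders; URIBL_SBL and URIBL_BLACK are stock SpamAssassin URIDNSBL rules.

```conf
# Added example (local.cf fragment), not from any poster in this thread.
# Rule names starting with LOCAL_ are placeholders chosen here.

# 1. Bayes. Counteract the BAYES_00 mis-training by hand-feeding the
#    collected samples:   sa-learn --spam --mbox /path/to/collected-spam.mbox
#    Instead of turning auto-learn off entirely, require a clearly negative
#    score before a message is auto-learned as ham (the default is 0.1).
bayes_auto_learn                    1
bayes_auto_learn_threshold_nonspam  -1.0
bayes_auto_learn_threshold_spam     12.0

# 2. Shape of the observed links: /<word>.html?<lowercase token>.
#    [^/]+ also accepts the trailing-dot host seen in one sample (...vn./).
uri      LOCAL_HTML_RANDQS  m{^https?://[^/]+/[\w-]+\.html\?[a-z]{4,}$}i
describe LOCAL_HTML_RANDQS  Bare .html page with a random alphabetic query string
score    LOCAL_HTML_RANDQS  1.0

# 3. Only push the message over the threshold when the linked host is also
#    listed. URIBL_BLACK checks the URI's domain in URIBL; URIBL_SBL checks
#    the domain's nameserver IPs against the Spamhaus SBL. Caveat: only the
#    compromised host appears in the mail, so the SBL listing of the payload
#    domains' nameservers (eliteadultsites) does not help here by itself.
meta     LOCAL_REDIR_CHAIN  (LOCAL_HTML_RANDQS && (URIBL_BLACK || URIBL_SBL))
describe LOCAL_REDIR_CHAIN  Redirect-style .html link on a listed host
score    LOCAL_REDIR_CHAIN  3.0
```

After adding the fragment, run `spamassassin --lint` and then `spamassassin -t < sample.eml` on one of the pastebin samples to confirm which of the rules actually fire before raising the scores.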