Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2006/05/20 04:47:20 UTC
Who wants my spam - seriously!
I'm now capturing 2 separate spam feeds and I want to share it with
anyone who can use it. I'll forward it to you in real time.
First - the spambot feed. This is spam that is mostly spambot generated
targeted at email addresses that never existed. It's 100% spam and I've
added a header that has the IP address of the host that sent it to me.
None of this is forwarded. If you're building an RBL of IPs you'll want
this feed. I think this feed will give you at least 40,000 spams a day.
These are bots NOT listed with Spamhaus because I reject those spams at
connect time.
The second is high scoring SA caught spam of 15 points and up. But it's
not just SA scores. It's modified by hundreds of other tricks I've
developed. This spam is good for harvesting URIs for URIBL lists. It
also includes Phishing spam. I can't say it's 100% but it's better than
99.9% accurate. These spams are high quality in that it's spam that
snuck through other screening methods I've used.
None of this spam is the really easy to catch stuff. We all can block
the easy stuff.
I hate spam and spammers. I'm already sending one list to a URIBL
provider who is very happy so far. I just started sending the spambot
stuff to another IP RBL provider and they have yet to comment. But - if
anyone else wants some of this I can add you to my list. All I need is
an email address to feed it to.
So - who wants in on this?
Re: Who wants my spam - seriously!
Posted by Andrzej Adam Filip <an...@xl.wp.pl>.
"Kai Schaetzl" <ma...@conactive.com> writes:
> Andrzej Adam Filip wrote on Sat, 20 May 2006 12:58:15 +0200:
>
>> Have you considered using "spamassassin -r" to report the spam to:
>
> Well, he says that at least one of his "feeds" isn't 100% spam. So I very
> much hope if he starts doing this that he cleans that feed to 100% ;-)
Personally I use "spamassassin -r" to report messages "classified as
spam" *after* (very short) personal inspection (1-3s per message).
[ move (drag & drop) between IMAP folders ]
--
[pl2en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
http://anfi.homeunix.net/ http://www.linkedin.com/in/andfil
Re: Who wants my spam - seriously!
Posted by Marc Perkel <ma...@perkel.com>.
Kai Schaetzl wrote:
> Andrzej Adam Filip wrote on Sat, 20 May 2006 12:58:15 +0200:
>
>
>> Have you considered using "spamassassin -r" to report the spam to:
>>
>
> Well, he says that at least one of his "feeds" isn't 100% spam. So I very
> much hope if he starts doing this that he cleans that feed to 100% ;-)
>
> Kai
>
>
I've made arrangements with Spamcop to take one of my feeds. I just
turned it on last night and am waiting for feedback. What I need to do is
contact someone at Spamhaus to take that feed too because it's spammers
that are not on their lists.
Re: Who wants my spam - seriously!
Posted by Kai Schaetzl <ma...@conactive.com>.
Andrzej Adam Filip wrote on Sat, 20 May 2006 12:58:15 +0200:
> Have you considered using "spamassassin -r" to report the spam to:
Well, he says that at least one of his "feeds" isn't 100% spam. So I very
much hope if he starts doing this that he cleans that feed to 100% ;-)
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Who wants my spam - seriously!
Posted by qqqq <qq...@usermail.com>.
>> I've already made an arrangement with Spamcop to forward the spam directly to an account they set
>> up for me. I've sent them over 100,000 spams and they seem to like what they see. I'm told it will
>> be a live feed sometime later today.
>>
>> These are the kinds of people who I want to feed spam to. People who can extract the right info
>> and add it to popular block lists.
Here is my current SpamCop count. I will let you know if your feed pushes these numbers up.
RANK RULE NAME COUNT %OFRULES %OFMAIL %OFSPAM %OFHAM
12 RCVD_IN_BL_SPAMCOP_NET 44928 1.89 7.51 19.60 1.40
QQQQ
Re: Who wants my spam - seriously!
Posted by Andrzej Adam Filip <an...@xl.wp.pl>.
Marc Perkel <ma...@perkel.com> writes:
> [...]
> I've already made an arrangement with Spamcop to forward the spam
> directly to an account they set up for me. I've sent them over 100,000
> spams and they seem to like what they see. I'm told it will be a live
> feed sometime later today.
>
> These are the kinds of people who I want to feed spam to. People who
> can extract the right info and add it to popular block lists.
0) The script I posted is for "personal spam" [< 100/day].
It makes spamcop send netmasters notifications without any *special*
arrangements with spamcop
1) Could you show us the moment when your feed was accepted on the charts
below?
http://www.spamcop.net/spamgraph.shtml?spamweek
http://www.spamcop.net/spamgraph.shtml?spammonth
--
[pl2en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
http://anfi.homeunix.net/ http://www.linkedin.com/in/andfil
Re: Who wants my spam - seriously!
Posted by Marc Perkel <ma...@perkel.com>.
Andrzej Adam Filip wrote:
> Michael Monnerie <mi...@it-management.at> writes:
>
>
>> On Samstag, 20. Mai 2006 12:58 Andrzej Adam Filip wrote:
>>
>>> You can use *separate* script to make spamcop.net send LARTs
>>> (munged or unmunged).
>>> e.g. http://anfi.homeunix.net/perl/spamcop-ack.pl or "previous art"
>>> mentioned in previous thread about spamcop-ack.pl
>>>
>> How do I create that cookies file from konqueror for your script? Which
>> format does it need?
>>
>
> I have designed the script to do spamcop login but if you prefer
> another way below please find the hints:
>
> 0) You can use http://www.spamcop.net/mcgi?action=loginform to get
> cookie valid for "1 year"/"1 month"/"1 week"/...
>
> 1) How to extract cookie from browser
>
> *In firefox case*:
> menu Edit/Preferences; tab Privacy/Cookies; Button "View Cookies"
>
> *In konqueror case*
> menu Settings/"Configure konqueror"; section "Cookies"; tab "management"
>
> 2) Cookie file format used by the perl script "by example"
>
> <cookie_file_sample lines="2">
> #LWP-Cookies-1.0
> Set-Cookie3: code=XXXXXXXXXXXXXXXX; path="/"; domain=www.spamcop.net; path_spec; expires="2006-05-22 21:17:40Z"; version=0
> </cookie_file_sample>
>
I've already made an arrangement with Spamcop to forward the spam
directly to an account they set up for me. I've sent them over 100,000
spams and they seem to like what they see. I'm told it will be a live
feed sometime later today.
These are the kinds of people who I want to feed spam to. People who can
extract the right info and add it to popular block lists.
Re: Who wants my spam - seriously!
Posted by Andrzej Adam Filip <an...@xl.wp.pl>.
Michael Monnerie <mi...@it-management.at> writes:
> On Samstag, 20. Mai 2006 12:58 Andrzej Adam Filip wrote:
>> You can use *separate* script to make spamcop.net send LARTs
>> (munged or unmunged).
>> e.g. http://anfi.homeunix.net/perl/spamcop-ack.pl or "previous art"
>> mentioned in previous thread about spamcop-ack.pl
>
> How do I create that cookies file from konqueror for your script? Which
> format does it need?
I have designed the script to do spamcop login but if you prefer
another way below please find the hints:
0) You can use http://www.spamcop.net/mcgi?action=loginform to get
cookie valid for "1 year"/"1 month"/"1 week"/...
1) How to extract cookie from browser
*In firefox case*:
menu Edit/Preferences; tab Privacy/Cookies; Button "View Cookies"
*In konqueror case*
menu Settings/"Configure konqueror"; section "Cookies"; tab "management"
2) Cookie file format used by the perl script "by example"
<cookie_file_sample lines="2">
#LWP-Cookies-1.0
Set-Cookie3: code=XXXXXXXXXXXXXXXX; path="/"; domain=www.spamcop.net; path_spec; expires="2006-05-22 21:17:40Z"; version=0
</cookie_file_sample>
--
[pl2en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
http://anfi.homeunix.net/ http://www.linkedin.com/in/andfil
Re: Who wants my spam - seriously!
Posted by Michael Monnerie <mi...@it-management.at>.
On Samstag, 20. Mai 2006 12:58 Andrzej Adam Filip wrote:
> You can use *separate* script to make spamcop.net send LARTs
> (munged or unmunged).
> e.g. http://anfi.homeunix.net/perl/spamcop-ack.pl or "previous art"
> mentioned in previous thread about spamcop-ack.pl
How do I create that cookies file from konqueror for your script? Which
format does it need?
mfg zmi
--
// Michael Monnerie, Ing.BSc ----- http://it-management.at
// Tel: 0660/4156531 .network.your.ideas.
// PGP Key: "lynx -source http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2 9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE
Re: Who wants my spam - seriously!
Posted by Andrzej Adam Filip <an...@xl.wp.pl>.
Marc Perkel <ma...@perkel.com> writes:
> I'm now capturing 2 separate spam feeds and I want to share it with
> anyone who can use it. I'll forward it to you in real time.
>
> First - the spambot feed. This is spam that is mostly spambot
> generated targeted at email addresses that never existed. It's 100%
> spam and I've added a header that has the IP address of the host that
> sent it to me. None of this is forwarded. If you're building an RBL of
> IPs you'll want this feed. I think this feed will give you at least
> 40,000 spams a day. These are bots NOT listed with Spamhaus because I
> reject those spams at connect time.
>
> The second is high scoring SA caught spam of 15 points and up. But
> it's not just SA scores. It's modified by hundreds of other tricks
> I've developed. This spam is good for harvesting URIs for URIBL
> lists. It also includes Phishing spam. I can't say it's 100% but it's
> better than 99.9% accurate. These spams are high quality in that it's
> spam that snuck through other screening methods I've used.
>
> None of this spam is the really easy to catch stuff. We all can block
> the easy stuff.
>
> I hate spam and spammers. I'm already sending one list to a URIBL
> provider who is very happy so far. I just started sending the spambot
> stuff to another IP RBL provider and they have yet to comment. But -
> if anyone else wants some of this I can add you to my list. All I need
> is an email address to feed it to.
>
> So - who wants in on this?
Have you considered using "spamassassin -r" to report the spam to:
* dcc
* pyzor
* razor
* spamcop.net
You can use *separate* script to make spamcop.net send LARTs
(munged or unmunged).
e.g. http://anfi.homeunix.net/perl/spamcop-ack.pl or "previous art"
mentioned in previous thread about spamcop-ack.pl
--
[pl2en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
http://anfi.homeunix.net/ http://www.linkedin.com/in/andfil
Re: Who wants my spam - seriously! - Part 2
Posted by Marc Perkel <ma...@perkel.com>.
Marc Perkel wrote:
> I'm now capturing 2 separate spam feeds and I want to share it with
> anyone who can use it. I'll forward it to you in real time.
>
> First - the spambot feed. This is spam that is mostly spambot
> generated targeted at email addresses that never existed. It's 100%
> spam and I've added a header that has the IP address of the host that
> sent it to me. None of this is forwarded. If you're building an RBL of
> IPs you'll want this feed. I think this feed will give you at least
> 40,000 spams a day. These are bots NOT listed with Spamhaus because I
> reject those spams at connect time.
>
> The second is high scoring SA caught spam of 15 points and up. But
> it's not just SA scores. It's modified by hundreds of other tricks
> I've developed. This spam is good for harvesting URIs for URIBL lists.
> It also includes Phishing spam. I can't say it's 100% but it's better
> than 99.9% accurate. These spams are high quality in that it's spam
> that snuck through other screening methods I've used.
>
> None of this spam is the really easy to catch stuff. We all can block
> the easy stuff.
>
> I hate spam and spammers. I'm already sending one list to a URIBL
> provider who is very happy so far. I just started sending the spambot
> stuff to another IP RBL provider and they have yet to comment. But -
> if anyone else wants some of this I can add you to my list. All I need
> is an email address to feed it to.
>
> So - who wants in on this?
>
>
More details ....
I've had several people contact me about this and I'm currently
forwarding these streams to several destinations. As a result I'm
putting out some extra effort to improve the quality of the spam I'm
providing. I'm still looking for other people who are interested in
this, especially if you run or are feeding an RBL list.
First - to answer some questions that people are asking me.
Q) Why two separate streams of spam?
A) Because they are two different kinds of spam. One stream is mostly
spambots and spam suitable for IP based RBLs. The second stream is spam
that scores very high and is suitable for harvesting for URIBL lists.
The second stream is not for IP based RBLs because it includes email
that was forwarded from other accounts.
Q) Can I just get one or the other and not both? Can you send the
streams to 2 separate email accounts?
A) Yes
Q) Because the stream is coming from your servers, how do we know what
IP address to RBL?
A) I added a couple extra headers to help you with that:
headers add "X-Sender-Host-Address: $sender_host_address"
headers add "X-Original-helo: $sender_helo_name"
Q) What is the quality of the spam you are sending?
A) The BOT spam for IP address harvesting is 100% accurate. I have
excluded spam that is already listed in Spamhaus, Spamcop, and some
other choice lists so that the IP addresses that they came from are new
and unlisted. This spam comes from sources emailing honeypots, other
email accounts that never existed, and other SMTP type tricks that only
spammers use. All this spam is caught based on behavior and not content.
The second feed may not be 100% accurate but likely exceeds 99.9%
accuracy. It includes Phishing scams, high scoring SA tests, 419 scams,
and other content based tests. Much of the spam caught is email
forwarded from legitimate sources like eff.org or pobox.com and is not
suitable as IP block lists, but is suitable for URIBL, image checksums,
419 email address harvesting, and other content type black lists.
Q) Why don't you just set up your own RBL?
A) I'm thinking about it but would rather work with established RBL
providers who are already trusted.
Q) How much spam can you feed?
A) At the moment the BOT type spam is about 40,000/day. The SA content
based spam is about 10,000/day.
Q) Where do you get your spam from?
A) I run a front end spam filtering service at
http://www.junkemailfilter.com that is currently filtering for about 500
domains. My service was reviewed by PC Magazine writer John C. Dvorak on
This Week in Technology. Here's a link to 8 minutes of audio.
http://www.junkemailfilter.com/dvorak.mp3
Q) What do I have to do to get this spam? Is there a charge?
A) Email me privately about it. All you need to do is create an account
that I can forward the spam to. If you want both streams then I
recommend two separate accounts. You should be someone who is in a
position to feed the results into popular lists that will be used to
help block spam worldwide. I do not charge for this but if you want to
send me money I will accept it.
Q) Aren't you helping your competitors doing this?
A) The most effective spam filtering is community based filtering where
we all work together against a common enemy. The more I give away the
more I get.
So - who wants my spam?
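
An added example, not part of the original post or of Marc Perkel's setup: one way a feed recipient could turn the `X-Sender-Host-Address` and `X-Original-helo` headers described above into IP blocklist candidates. The function names, the hit threshold and the sample messages are assumptions made for illustration. A message carrying more than one copy of the header is skipped, because the extra copy may have been written by the sender.

```python
import email
import ipaddress
from collections import Counter, defaultdict

# RFC 1918 space that must never end up on a public blocklist.
NEVER_LIST = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample feed messages; the IPs are documentation-range addresses.
SAMPLE_FEED = [
    "X-Sender-Host-Address: 203.0.113.7\nX-Original-helo: dsl-7.example.net\nSubject: a\n\nx\n",
    "X-Sender-Host-Address: 203.0.113.7\nX-Original-helo: mail.example.org\nSubject: b\n\nx\n",
    "X-Sender-Host-Address: 198.51.100.9\nX-Original-helo: host9.example.com\nSubject: c\n\nx\n",
    # Two copies: one may have been supplied by the sender, so neither is trusted.
    "X-Sender-Host-Address: 192.0.2.1\nX-Sender-Host-Address: 203.0.113.7\nSubject: d\n\nx\n",
    "X-Sender-Host-Address: 192.168.1.20\nX-Original-helo: internal\nSubject: e\n\nx\n",
    "X-Sender-Host-Address: not-an-ip\nSubject: f\n\nx\n",
]

def sender_ip(raw):
    """Return (ip, helo) for one feed message, or (None, reason) if unusable."""
    msg = email.message_from_string(raw)
    values = msg.get_all("X-Sender-Host-Address", [])
    if len(values) != 1:
        return None, "missing or duplicated header"
    try:
        ip = ipaddress.ip_address(values[0].strip())
    except ValueError:
        return None, "not an IP address"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or any(ip in net for net in NEVER_LIST)):
        return None, "non-routable address"
    return ip, msg.get("X-Original-helo", "").strip()

def rbl_candidates(feed, min_hits=2):
    """Tally validated IPs; return those seen at least min_hits times."""
    hits, helos, skipped = Counter(), defaultdict(set), Counter()
    for raw in feed:
        ip, info = sender_ip(raw)
        if ip is None:
            skipped[info] += 1   # keep a count of why messages were dropped
            continue
        hits[str(ip)] += 1
        if info:
            helos[str(ip)].add(info)
    listed = {ip: sorted(helos[ip]) for ip, n in hits.items() if n >= min_hits}
    return listed, dict(skipped)
```

Calling `rbl_candidates(SAMPLE_FEED)` returns the candidate IPs with the HELO names seen for each, plus a count of skipped messages by reason.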