Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2018/02/21 16:43:59 UTC

oxy/diabetes/cbd/big pharma spam

Hi all,

Over the past few weeks I've noticed a few different campaigns that
are using the same overall template, but continue to not hit bayes99
or really any other significant rules. I'm assuming this is some sort
of botnet?

https://pastebin.com/Q9w1p2ht
https://pastebin.com/rKvKYmhY
https://pastebin.com/2VpVVA4A

The last two are more than a week old, so I suspect it's already being
blocked by RBL, but ideas for a more general way to block these before
they hit the RBLs would be appreciated.

Re: oxy/diabetes/cbd/big pharma spam

Posted by Joseph Brennan <br...@columbia.edu>.
>> header    BOGUS_MIME_VERSION

So the secret is out. We are blocking as many as 40,000 a day. I
tested it for a few days, at a million messages a day, and nothing
else matches that error. It's a killer rule here.

The spam itself is very low scoring otherwise. Score for /shark.tank/i
matches a lot of this spam but not all. The domain names used are
domains of small companies that have nothing to do with the spam. The
spammer has been evading spamhaus honeypots remarkably well.

The source is not a botnet of end user hosts. I don't know what to
call this method. The spammer gets use of about two dozen servers from
a hosting company and blasts from them for a few days, and then jumps
to another hosting company. Blocking by IP is not effective for long
although the IP blocks that have been used are probably a nice
collection of easily abused providers. Since January 23 we have seen
hosts in these blocks, below. Yesterday was 23.95.197 and 104.234.218.

Joseph Brennan
Columbia University I T

Re: oxy/diabetes/cbd/big pharma spam

Posted by RW <rw...@googlemail.com>.
On Wed, 21 Feb 2018 11:43:59 -0500
Alex wrote:

> Hi all,
> 
> Over the past few weeks I've noticed a few different campaigns that
> are using the same overall template, but continue to not hit bayes99
> or really any other significant rules. I'm assuming this is some sort
> of botnet?
> 
> https://pastebin.com/Q9w1p2ht
> https://pastebin.com/rKvKYmhY
> https://pastebin.com/2VpVVA4A
> 
> The last two are more than a week old, so I suspect it's already being
> blocked by RBL, but ideas for a more general way to block these before
> they hit the RBLs would be appreciated.

This might help a bit

header    BOGUS_MIME_VERSION   MIME-Version =~ /^(?!\s*1\.0).+/


Scoring words like "Anxiety" in the display name

  From: Treat Anxiety <tr...@tnnnursery.com>

looks promising.
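The two heuristics RW proposes, as an added example that is not code from the thread or from SpamAssassin itself: a Python check that applies the quoted BOGUS_MIME_VERSION regex to the MIME-Version header value and a keyword match to the From: display name, then combines them into a meta-style hit. The keyword list, the scores and the sample messages are constructed assumptions, not values from the list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Regex taken verbatim from the BOGUS_MIME_VERSION rule posted in the thread:
# fires when a MIME-Version header is present but does not begin with "1.0".
BOGUS_MIME_VERSION_RE = re.compile(r"^(?!\s*1\.0).+")

# Assumption: the thread only names "Anxiety"; the other words come from the
# thread's subject line. Applied to the From: display name only, not the address.
FROM_NAME_KEYWORDS_RE = re.compile(r"\b(?:anxiety|diabetes|cbd)\b", re.IGNORECASE)

# Constructed SpamAssassin-style scores; not values used by the posters.
SCORES = {
    "BOGUS_MIME_VERSION": 1.0,
    "FROM_NAME_AILMENT": 0.5,
    "PHARMA_TEMPLATE_META": 2.0,  # fires only when both rules above hit
}


def match_rules(raw_message: str) -> dict:
    """Return {rule_name: score} for every rule that hits on raw_message."""
    msg = message_from_string(raw_message)
    hits = {}

    mime_version = msg.get("MIME-Version")
    # Absence of the header is not "bogus"; only a present, non-1.0 value is.
    if mime_version is not None and BOGUS_MIME_VERSION_RE.search(mime_version):
        hits["BOGUS_MIME_VERSION"] = SCORES["BOGUS_MIME_VERSION"]

    display_name, _address = parseaddr(msg.get("From", ""))
    if FROM_NAME_KEYWORDS_RE.search(display_name):
        hits["FROM_NAME_AILMENT"] = SCORES["FROM_NAME_AILMENT"]

    if "BOGUS_MIME_VERSION" in hits and "FROM_NAME_AILMENT" in hits:
        hits["PHARMA_TEMPLATE_META"] = SCORES["PHARMA_TEMPLATE_META"]
    return hits


def total_score(raw_message: str) -> float:
    return sum(match_rules(raw_message).values())


# Constructed samples (not the messages from the thread's pastebins).
SPAM_LIKE = ("From: Treat Anxiety <sender@example.com>\n"
             "MIME-Version: 1.1\n\nbody\n")
# "1.0 (comment)" still starts with 1.0, so the MIME rule must not fire.
LEGIT_COMMENTED = ("From: Alice Example <alice@example.com>\n"
                   "MIME-Version: 1.0 (Mail client comment)\n\nbody\n")
NO_MIME_HEADER = "From: Bob <bob@example.com>\n\nbody\n"

if __name__ == "__main__":
    for sample in (SPAM_LIKE, LEGIT_COMMENTED, NO_MIME_HEADER):
        print(match_rules(sample), total_score(sample))
```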