Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2008/10/19 04:41:13 UTC
Windows Live Spaces spam
I'm seeing a lot of spam today with a throwaway URI from Windows Live
Spaces (spaces.live.com subdomain). I'm considering adding a rule to my
personal server to just drop all mail with WLS links. Is this likely to be
a temporary problem? Does anyone use WLS?
Re: Windows Live Spaces spam
Posted by Ned Slider <ne...@unixmail.co.uk>.
Joseph Brennan wrote:
>
>
>> Perhaps someone else could grep their spaces.live.com spam for hits
>> against X-Mailer: Mediacomm Communicator to confirm.
>>
>
> In our user reports for the past 72 hours,
>
> 44 matched spaces.live.com
> 12 matched mediacomm communicator
>
> All of the 12 mediacomm communicator also matched spaces.live.com.
> Is this a spam product?
>
> The non-mediacomm ones are pretty varied. I see a few that have
> "Received: (from tomcat@localhost)" as if the origins are compromised
> web servers. Others claim to be sent by "Microsoft Outlook Express"
> various version numbers. Some are from hotmail. One from Yahoo.
> Looks like time to give /spaces\.live\.com/ points by itself.
>
Thanks :)
Looking back a little further (over the last week) I see quite a few
hits against Mediacomm Communicator (from before the recent
spaces.live.com spree), all of which also contain "Received: (from
tomcat@localhost)". I don't see any ham containing either.
Re: Windows Live Spaces spam
Posted by Joseph Brennan <br...@columbia.edu>.
> Perhaps someone else could grep their spaces.live.com spam for hits
> against X-Mailer: Mediacomm Communicator to confirm.
>
In our user reports for the past 72 hours,
44 matched spaces.live.com
12 matched mediacomm communicator
All of the 12 mediacomm communicator also matched spaces.live.com.
Is this a spam product?
The non-mediacomm ones are pretty varied. I see a few that have
"Received: (from tomcat@localhost)" as if the origins are compromised
web servers. Others claim to be sent by "Microsoft Outlook Express"
various version numbers. Some are from hotmail. One from Yahoo.
Looks like time to give /spaces\.live\.com/ points by itself.
Maybe one spam gang uses mediacomm communicator, but word is getting
out about spaces.live.com being friendly.
Joseph Brennan
Columbia University Information Technology
Re: Windows Live Spaces spam
Posted by Ned Slider <ne...@unixmail.co.uk>.
Daryl C. W. O'Shea wrote:
> On 18/10/2008 10:41 PM, Kenneth Porter wrote:
>> I'm seeing a lot of spam today with a throwaway URI from Windows Live
>> Spaces (spaces.live.com subdomain). I'm considering adding a rule to my
>> personal server to just drop all mail with WLS links. Is this likely to
>> be a temporary problem? Does anyone use WLS?
>
> I haven't looked into whether "real people" would have Live Spaces
> sub-domains that look like the ones in the spams. There aren't any in
> our ham corpus though...
>
> http://ruleqa.spamassassin.org/20081017-r705513-n/DOS_LIVE_SPACES_CID/detail
>
> uri DOS_LIVE_SPACES_CID /^http:\/\/cid-.{10,20}\.spaces\.live\.com\/$/
>
>
> Daryl
>
>
>
All the spam I've seen in the last day or two containing spaces.live.com
URIs has also been sent from X-Mailer: Mediacomm Communicator 1.x.
So I'd suggest a meta rule also matching "X-Mailer: Mediacomm
Communicator" and score it high enough to trigger a spam detection.
Something like the following:
header LOCAL_MEDIACOMM_MUA X-Mailer =~ /Mediacomm Communicator/
score LOCAL_MEDIACOMM_MUA 0.1
describe LOCAL_MEDIACOMM_MUA Sent from Mediacomm Communicator MUA

uri LOCAL_URI_SPACES_LIVE /spaces\.live\.com/
score LOCAL_URI_SPACES_LIVE 0.1
describe LOCAL_URI_SPACES_LIVE contains link to spaces.live.com

meta LOCAL_SPACES_MEDIACOMM (LOCAL_URI_SPACES_LIVE && LOCAL_MEDIACOMM_MUA)
score LOCAL_SPACES_MEDIACOMM 4
describe LOCAL_SPACES_MEDIACOMM contains link to spaces.live.com and Mediacomm MUA
Perhaps someone else could grep their spaces.live.com spam for hits
against X-Mailer: Mediacomm Communicator to confirm.
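
Added example (not part of any poster's message and not SpamAssassin's own code): a small Python harness that applies the patterns from the rules quoted in this thread to a few constructed messages and tallies per-rule hits, the kind of corpus check requested above. The URI extraction regex, the function names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string

# Patterns copied from the rules quoted in the thread.
URI_RULES = {
    "LOCAL_URI_SPACES_LIVE": re.compile(r"spaces\.live\.com"),
    "DOS_LIVE_SPACES_CID": re.compile(r"^http://cid-.{10,20}\.spaces\.live\.com/$"),
}
MUA_RE = re.compile(r"Mediacomm Communicator")
# Scores from the proposed local rules; the thread gives none for DOS_LIVE_SPACES_CID.
SCORES = {"LOCAL_URI_SPACES_LIVE": 0.1, "LOCAL_MEDIACOMM_MUA": 0.1,
          "LOCAL_SPACES_MEDIACOMM": 4.0}
# Simplified URI extraction (assumption); SpamAssassin's own parser does more.
URI_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages, not real spam or ham.
SAMPLES = [
    "X-Mailer: Mediacomm Communicator 1.x\n\nhttp://cid-0123456789abcdef.spaces.live.com/\n",
    "X-Mailer: Microsoft Outlook Express\n\nhttp://cid-0123456789abcdef.spaces.live.com/\n",
    "Subject: my blog\n\nSee http://cid-0123456789abcdef.spaces.live.com/blog/ today\n",
]

def evaluate(raw):
    """Return the set of rule names that hit one raw message."""
    msg = message_from_string(raw)
    uris = URI_RE.findall(msg.get_payload())
    hits = {name for name, rx in URI_RULES.items() if any(rx.search(u) for u in uris)}
    if MUA_RE.search(msg.get("X-Mailer", "")):
        hits.add("LOCAL_MEDIACOMM_MUA")
    # meta LOCAL_SPACES_MEDIACOMM (LOCAL_URI_SPACES_LIVE && LOCAL_MEDIACOMM_MUA)
    if {"LOCAL_URI_SPACES_LIVE", "LOCAL_MEDIACOMM_MUA"} <= hits:
        hits.add("LOCAL_SPACES_MEDIACOMM")
    return hits

def local_score(hits):
    """Sum the scores the proposed local rules would add."""
    return round(sum(SCORES.get(h, 0.0) for h in hits), 2)

def tally(messages):
    """Per-rule hit counts over a corpus, like the counts reported in the thread."""
    counts = {}
    for raw in messages:
        for name in evaluate(raw):
            counts[name] = counts.get(name, 0) + 1
    return counts

if __name__ == "__main__":
    for raw in SAMPLES:
        hits = evaluate(raw)
        print(sorted(hits), local_score(hits))
    print(tally(SAMPLES))
```

The third sample shows the difference in anchoring: the unanchored /spaces\.live\.com/ pattern still hits a link with a path, while the DOS_LIVE_SPACES_CID pattern only hits the bare cid- root URL.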
Re: Windows Live Spaces spam
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 18/10/2008 10:41 PM, Kenneth Porter wrote:
> I'm seeing a lot of spam today with a throwaway URI from Windows Live
> Spaces (spaces.live.com subdomain). I'm considering adding a rule to my
> personal server to just drop all mail with WLS links. Is this likely to
> be a temporary problem? Does anyone use WLS?
I haven't looked into whether "real people" would have Live Spaces
sub-domains that look like the ones in the spams. There aren't any in
our ham corpus though...
http://ruleqa.spamassassin.org/20081017-r705513-n/DOS_LIVE_SPACES_CID/detail
uri DOS_LIVE_SPACES_CID /^http:\/\/cid-.{10,20}\.spaces\.live\.com\/$/
Daryl