Posted to users@spamassassin.apache.org by David B Funk <db...@engineering.uiowa.edu> on 2005/05/15 07:29:39 UTC

Bombarded by German political spam

Tonight our site is being bombarded by German political spam or
Joe-jobbed bounce fall-out. So far it appears to all be coming
from trojaned PCs. Other than the specific URLs in the messages
haven't found any easily identified parts to create rules for.

anybody else seeing this?

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: Bombarded by German political spam

Posted by Loren Wilton <lw...@earthlink.net>.
> Did this suddenly stop today for anyone else and now you're just dealing
> with the NDRs?

Actually it suddenly *started* for me today.  Before that only one stupid
zombie someplace thought I was in Germany.  Now they all seem to.

And the faked sender names all start with the letter "J".

        Loren


Re: Bombarded by German political spam

Posted by Tim B <mo...@optonline.net>.
David B Funk wrote:
> Tonight our site is being bombarded by German political spam or
> Joe-jobbed bounce fall-out. So far it appears to all be coming
> from trojaned PCs. Other than the specific URLs in the messages
> haven't found any easily identified parts to create rules for.
> 
> anybody else seeing this?
> 

Did this suddenly stop today for anyone else and now you're just dealing
with the NDRs?





Re: Bombarded by German political spam

Posted by Maurice Lucas <ms...@taos-it.nl>.
Hello,

I didn't read this discussion but did find a link on the clamav mailing list
which I want to share before reading 300 emails ;)

http://weir.dattitu.de/archives/9-Filtering-Sober-P.html

Met vriendelijke groet,

Maurice Lucas
TAOS-IT


----- Original Message ----- 
From: "Christian Recktenwald" <sp...@citecs.de>
To: "Raymond Dijkxhoorn" <ra...@prolocation.net>
Cc: "Bart Schaefer" <ba...@gmail.com>; 
<us...@spamassassin.apache.org>
Sent: Monday, May 16, 2005 4:11 PM
Subject: Re: Bombarded by German political spam


> On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
>> Hi!
>>
>> >>http://mailscanner.prolocation.net/german.cf
>>
>> >You've got a bit of duplication in there (rules 02 and 22 are the
>> >same, as are 04 and 26).
>>
>> I'll clean them, thanks! v0.2 there in a few :)
>
> http://www.citecs.de/99_sober.cf
>
> took subject lines from above
> - score per subj is 1.0
> - put content patterns (3 missing, got no sample) into it with score 8.0
> - the often seen "Lese selbst" is scored 4
>
> Greetinx, Chris
>
> -- 
> Christian Recktenwald      :                         :
> citecs GmbH                : spamassassin-talk-dist@citecs.de
> Unternehmensberatung fuer  : voice +49 711 601 2090  : Boeblinger Strasse 189
> EDV und Telekommunikation  : fax   +49 711 601 2092  : D-70199 Stuttgart
> 


Re: Bombarded by German political spam

Posted by Eddy Beliveau <ed...@hec.ca>.
Many thanks for this rule (99_sober.cf)

It rocks   :-)

Thanks again
Eddy
----- Original Message ----- 
Subject: Re: Bombarded by German political spam


> On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
>> Hi!
>> 
>> >>http://mailscanner.prolocation.net/german.cf
>> 
>> >You've got a bit of duplication in there (rules 02 and 22 are the
>> >same, as are 04 and 26).
>> 
>> I'll clean them, thanks! v0.2 there in a few :)
> 
> http://www.citecs.de/99_sober.cf
> 
> took subject lines from above
> - score per subj is 1.0 
> - put content patterns (3 missing, got no sample) into it with score 8.0
> - the often seen "Lese selbst" is scored 4


Re: Bombarded by German political spam

Posted by Christian Recktenwald <sp...@citecs.de>.
On Mon, May 16, 2005 at 02:05:09PM -0400, Elizabeth Schwartz wrote:
> Thanks, just put it in!
> 
> > http://www.citecs.de/99_sober.cf
> 
> > - the often seen "Lese selbst" is scored 4
> 
> Just curious, what's that mean to the spammers? google translates it
> as "vintage"

It means "read by yourself".

-- 
Christian Recktenwald      :                         :
citecs GmbH                : spamassassin-talk-dist@citecs.de
Unternehmensberatung fuer  : voice +49 711 601 2090  : Boeblinger Strasse 189
EDV und Telekommunikation  : fax   +49 711 601 2092  : D-70199 Stuttgart

Re: Bombarded by German political spam

Posted by Elizabeth Schwartz <be...@gmail.com>.
Thanks, just put it in!

> http://www.citecs.de/99_sober.cf

> - the often seen "Lese selbst" is scored 4

Just curious, what's that mean to the spammers? google translates it
as "vintage"

Re: Bombarded by German political spam

Posted by Christian Recktenwald <sp...@citecs.de>.
On Sun, May 15, 2005 at 05:10:12PM +0200, Raymond Dijkxhoorn wrote:
> Hi!
> 
> >>http://mailscanner.prolocation.net/german.cf
> 
> >You've got a bit of duplication in there (rules 02 and 22 are the
> >same, as are 04 and 26).
> 
> I'll clean them, thanks! v0.2 there in a few :)

http://www.citecs.de/99_sober.cf

took subject lines from above
- score per subj is 1.0 
- put content patterns (3 missing, got no sample) into it with score 8.0
- the often seen "Lese selbst" is scored 4

Greetinx, Chris

-- 
Christian Recktenwald      :                         :
citecs GmbH                : spamassassin-talk-dist@citecs.de
Unternehmensberatung fuer  : voice +49 711 601 2090  : Boeblinger Strasse 189
EDV und Telekommunikation  : fax   +49 711 601 2092  : D-70199 Stuttgart

Re: Bombarded by German political spam

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>> http://mailscanner.prolocation.net/german.cf

> You've got a bit of duplication in there (rules 02 and 22 are the
> same, as are 04 and 26).

I'll clean them, thanks! v0.2 there in a few :)

Bye,
Raymond.




Re: Bombarded by German political spam

Posted by Bart Schaefer <ba...@gmail.com>.
On 5/15/05, Raymond Dijkxhoorn <ra...@prolocation.net> wrote:
> 
> http://mailscanner.prolocation.net/german.cf

You've got a bit of duplication in there (rules 02 and 22 are the
same, as are 04 and 26).

Re: Bombarded by German political spam

Posted by Loren Wilton <lw...@earthlink.net>.
> Do i copy and paste the contents of german.cf into my local.cf or just
> download the german.cf into /etc/mail/spamassassin ?

Either one.  SA will load all files ending in *.cf in alphabetical order by
file name.
Simplest to just drop the new file into the directory.

Remember to restart spamd, if using.

        Loren


Re: Bombarded by German political spam

Posted by Vinayak Royadu <vi...@deeproot.co.in>.
On Sat, 2005-05-21 at 14:09, List wrote:
> ----- Original Message ----- 
> From: "Raymond Dijkxhoorn" <ra...@prolocation.net>
> To: "wolfgang" <me...@gmx.net>
> Cc: <us...@spamassassin.apache.org>
> Sent: Sunday, May 15, 2005 9:31 PM
> Subject: Re: Bombarded by German political spam
> 
> 
> > Hi!
> >
> >>> it uses a score of 8 and /i - anyway, it might save you some effort ;)
> >
> >> Just finished my ruleset also... grin. the one there has 27 so its 
> >> missing 5. I also don't understand why it used the meta tags in that
> >> one... It's combining nothing in fact... strange.
> >
> > I put my one online also:
> >
> > http://mailscanner.prolocation.net/german.cf
> >
> > It's nothing fancy, but it works.
> >
> > Have it online for like 15 minutes now:
> >
> > [root@fallback hosts]# grep GSPAM vmx*/current | wc -l
> >    1797
> >
> > Almost 1800 hits.
> >
> > Have fun,
> > Raymond.
> 
> 
> Do i copy and paste the contents of german.cf into my local.cf or just 
> download the german.cf into /etc/mail/spamassassin ?
> 
You can do either of them (then restart spamd) though I prefer keeping
german.cf as a separate file.

With regards,
Vinayak

> Thanks 
> 
> 


Re: Bombarded by German political spam

Posted by List <li...@nchost.net>.
----- Original Message ----- 
From: "Raymond Dijkxhoorn" <ra...@prolocation.net>
To: "wolfgang" <me...@gmx.net>
Cc: <us...@spamassassin.apache.org>
Sent: Sunday, May 15, 2005 9:31 PM
Subject: Re: Bombarded by German political spam


> Hi!
>
>>> it uses a score of 8 and /i - anyway, it might save you some effort ;)
>
>> Just finished my ruleset also... grin. the one there has 27 so its 
>> missing 5. I also don't understand why it used the meta tags in that
>> one... It's combining nothing in fact... strange.
>
> I put my one online also:
>
> http://mailscanner.prolocation.net/german.cf
>
> It's nothing fancy, but it works.
>
> Have it online for like 15 minutes now:
>
> [root@fallback hosts]# grep GSPAM vmx*/current | wc -l
>    1797
>
> Almost 1800 hits.
>
> Have fun,
> Raymond.


Do i copy and paste the contents of german.cf into my local.cf or just 
download the german.cf into /etc/mail/spamassassin ?

Thanks 



Re: Bombarded by German political spam

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>> it uses a score of 8 and /i - anyway, it might save you some effort ;)

> Just finished my ruleset also... grin. the one there has 27 so its missing 5. 
> I also don't understand why it used the meta tags in that one... It's
> combining nothing in fact... strange.

I put my one online also:

http://mailscanner.prolocation.net/german.cf

It's nothing fancy, but it works.

Have it online for like 15 minutes now:

[root@fallback hosts]# grep GSPAM vmx*/current | wc -l
    1797

Almost 1800 hits.

Have fun,
Raymond.

Re: Bombarded by German political spam

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>> Subject: Vorbildliche Aktion
>> Subject: 60 Jahre Befreiung: Wer feiert mit?
>>
>> anyone care to make a small ruleset to score them up?
>
> someone posted one at
> http://www.file-upload.net/15.05.05/5_x4st.cf
>
> it uses a score of 8 and /i - anyway, it might save you some effort ;)

Just finished my ruleset also... grin. the one there has 27 so its missing 
5. I also don't understand why it used the meta tags in that one... It's
combining nothing in fact... strange.

Bye,
Raymond.


Re: Bombarded by German political spam

Posted by wolfgang <me...@gmx.net>.
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
> Hi!
> 
> >> Anyone has a full list of subjects yet, time to do some SA magic... ;)
> 
> > I have quite a few, here is the subjects list:
> >
> > Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> > Subject: Auf Streife durch den Berliner Wedding
> > Subject: Auslaender bevorzugt
> > Subject: Auslaenderpolitik
> > Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> > Subject: Deutsche werden kuenftig beim Arzt abgezockt
> > Subject: Du wirst zum Sklaven gemacht!!!
> > Subject: Graeberschaendung auf bundesdeutsche Anordnung
> > Subject: Hier sind wir Lehrer die einzigen Auslaender
> > Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
> > Subject: Tuerkei in die EU
> > Subject: Verbrechen der deutschen Frau
> 
> Two more:
> 
> Subject: Vorbildliche Aktion
> Subject: 60 Jahre Befreiung: Wer feiert mit?
> 
> anyone care to make a small ruleset to score them up?

someone posted one at
http://www.file-upload.net/15.05.05/5_x4st.cf

it uses a score of 8 and /i - anyway, it might save you some effort ;)

cheers,

wolfgang

Re: Bombarded by German political spam

Posted by Patrick von der Hagen <pa...@wudika.de>.
Raymond Dijkxhoorn wrote:
[...]

 >> This is the complete list so far:

[...]
Subject: Multi-Kulturell = Multi-Kriminell
-- 
CU,
    Patrick.

Re: Bombarded by German political spam

Posted by Bob Proulx <bo...@proulx.com>.
Anton Krall wrote:
> Any SA rules out there that can catch the german spam mails? 

I am only needing to filter on the subjects I quoted because Mailman
has no other option and the mailing list is not using spamassassin.
Simply filtering on the subject is not a great method.  But since I am
stuck with Mailman (I don't control the site or the mailing list) then
that is the best I can do.

I am not having any trouble with spamassassin and these messages
because the bayes engine has trained up on these messages and all of
them are getting tagged with BAYES_99 now.  So SA is keeping them
tagged and out of my main mailbox without any trouble.  It's working
great.

Bob

Re: Bombarded by German political spam

Posted by wolfgang <me...@gmx.net>.
In an older episode (Monday 16 May 2005 16:53), Elizabeth Schwartz wrote:
> Does anyone have any good generic german spam filter rulesets?
> We have 
> some legitimate German users, so I don't want to start blacklisting,
> and I worry that filtering one specific header at a time is a lost
> cause...

one subject based ruleset was posted here:
In an older episode (Sunday 15 May 2005 15:31), Raymond Dijkxhoorn wrote:
<snip>
> I put my one online also:
> 
> http://mailscanner.prolocation.net/german.cf
<snip>

there is one online that is based on the typical message-ids used by that 
current virus based spam wave and on a few additional indicators from those
mails. i find it a bit risky - anyway, here is the URL:

http://weir.dattitu.de/archives/9-Filtering-Sober-P.html

regards,

wolfgang




Re: Bombarded by German political spam

Posted by sargon <sa...@lordsargon.com>.
On Monday, 16-May-2005 09:53, Elizabeth Schwartz wrote:
> Does anyone have any good generic german spam filter rulesets? We
> have some legitimate German users, so I don't want to start
> blacklisting, and I worry that filtering one specific header at a
> time is a lost cause...

This link showed up at the Internet Storm Center earlier today. It is 
aimed specifically at the German political spam.

YMMV....

http://weir.dattitu.de/archives/9-Filtering-Sober-P.html

Re: Bombarded by German political spam

Posted by Elizabeth Schwartz <be...@gmail.com>.
Does anyone have any good generic german spam filter rulesets? We have
some legitimate German users, so I don't want to start blacklisting,
and I worry that filtering one specific header at a time is a lost
cause...

thanks Betsy

Re: Bombarded by German political spam

Posted by Nick Leverton <nj...@leverton.org>.
On Sun, May 15, 2005 at 10:59:40PM -0600, Bob Proulx wrote:
 
> The list I have collected is slightly different than yours.
> 
 ....snips....
> Subject: Ihre Anfrage an Amazon.de

"Your question to amazon.de" - are you sure that's a spam subject ?

Nick

RE: Bombarded by German political spam

Posted by Anton Krall <ak...@intruder.com.mx>.
Any SA rules out there that can catch the german spam mails? 

|-----Original Message-----
|From: Bob Proulx [mailto:bob@proulx.com] 
|Sent: Lunes, 16 de Mayo de 2005 12:00 a.m.
|To: users@spamassassin.apache.org
|Subject: Re: Bombarded by German political spam
|
|Raymond Dijkxhoorn wrote:
|> This is the complete list so far:
|
|I am helping to manage a mailing list with mailman and the 
|interface there is pretty restrictive and there is no spam 
|filtering such as SA under it so no SURBL either.  Slightly 
|off topic for the SA list.  But I found in the interface 
|[subscription rules], [spam filters], [spam filter rule], then 
|paste these into the spam filter rule with a discard action.
|
|The list I have collected is slightly different than yours.
|
|Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
|Subject: 60 Jahre Befreiung: Wer feiert mit?
|Subject: Armenian Genocide Plagues Ankara 90 Years On
|Subject: Auf Streife durch den Berliner Wedding
|Subject: Augen auf
|Subject: Auslaender bevorzugt
|Subject: Auslaenderpolitik
|Subject: Blutige Selbstjustiz
|Subject: Deutsche Buerger trauen sich nicht ...
|Subject: Deutsche werden kuenftig beim Arzt abgezockt
|Subject: Dresden 1945
|Subject: Dresden Bombing Is To Be Regretted Enormously
|Subject: Du wirst ausspioniert ....!
|Subject: Du wirst zum Sklaven gemacht!!!
|Subject: Gegen das Vergessen
|Subject: Graeberschaendung auf bundesdeutsche Anordnung
|Subject: Hier sind wir Lehrer die einzigen Auslaender
|Subject: Ihre Anfrage an Amazon.de
|Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
|Subject: Multi-Kulturell = Multi-Kriminell
|Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
|Subject: S.O.S. Kiez! Polizei schlaegt Alarm
|Subject: Schily ueber Deutschland
|Subject: The Whore Lived Like a German
|Subject: Transparenz ist das Mindeste
|Subject: Trotz Stellenabbau
|Subject: Tuerkei in die EU
|Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
|Subject: Verbrechen der deutschen Frau
|Subject: Volk wird nur zum zahlen gebraucht!
|Subject: Vorbildliche Aktion
|
|Bob
|
|> Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
|> Subject: Auf Streife durch den Berliner Wedding
|> Subject: Auslaender bevorzugt
|> Subject: Auslaenderpolitik
|> Subject: Deutsche werden kuenftig beim Arzt abgezockt
|> Subject: Du wirst zum Sklaven gemacht!!!
|> Subject: Graeberschaendung auf bundesdeutsche Anordnung
|> Subject: Hier sind wir Lehrer die einzigen Auslaender
|> Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
|> Subject: Tuerkei in die EU
|> Subject: Verbrechen der deutschen Frau
|> Subject: Vorbildliche Aktion
|> Subject: 60 Jahre Befreiung: Wer feiert mit?
|> Subject: Multi-Kulturell = Multi-Kriminell
|> Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
|> Subject: Blutige Selbstjustiz
|> Subject: Dresden 1945
|> Subject: Du wirst ausspioniert ....!
|> Subject: Armenian Genocide Plagues Ankara 90 Years On
|> Subject: Augen auf
|> Subject: Trotz Stellenabbau
|> Subject: Volk wird nur zum zahlen gebraucht!
|> Subject: Transparenz ist das Mindeste
|> Subject: The Whore Lived Like a German
|> Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
|> Subject: Schily ueber Deutschland
|> Subject: Deutsche Buerger trauen sich nicht ...
|> Subject: Graeberschaendung auf bundesdeutsche Anordnung
|> Subject: S.O.S. Kiez! Polizei schlaegt Alarm
|


Re: Bombarded by German political spam

Posted by Bob Proulx <bo...@proulx.com>.
Raymond Dijkxhoorn wrote:
> This is the complete list so far:

I am helping to manage a mailing list with mailman and the interface
there is pretty restrictive and there is no spam filtering such as SA
under it so no SURBL either.  Slightly off topic for the SA list.  But
I found in the interface [subscription rules], [spam filters], [spam
filter rule], then paste these into the spam filter rule with a
discard action.

The list I have collected is slightly different than yours.

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: 60 Jahre Befreiung: Wer feiert mit?
Subject: Armenian Genocide Plagues Ankara 90 Years On
Subject: Auf Streife durch den Berliner Wedding
Subject: Augen auf
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: Blutige Selbstjustiz
Subject: Deutsche Buerger trauen sich nicht ...
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Dresden 1945
Subject: Dresden Bombing Is To Be Regretted Enormously
Subject: Du wirst ausspioniert ....!
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Gegen das Vergessen
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Ihre Anfrage an Amazon.de
Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
Subject: Multi-Kulturell = Multi-Kriminell
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: S.O.S. Kiez! Polizei schlaegt Alarm
Subject: Schily ueber Deutschland
Subject: The Whore Lived Like a German
Subject: Transparenz ist das Mindeste
Subject: Trotz Stellenabbau
Subject: Tuerkei in die EU
Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
Subject: Verbrechen der deutschen Frau
Subject: Volk wird nur zum zahlen gebraucht!
Subject: Vorbildliche Aktion

Bob

> Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> Subject: Auf Streife durch den Berliner Wedding
> Subject: Auslaender bevorzugt
> Subject: Auslaenderpolitik
> Subject: Deutsche werden kuenftig beim Arzt abgezockt
> Subject: Du wirst zum Sklaven gemacht!!!
> Subject: Graeberschaendung auf bundesdeutsche Anordnung
> Subject: Hier sind wir Lehrer die einzigen Auslaender
> Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
> Subject: Tuerkei in die EU
> Subject: Verbrechen der deutschen Frau
> Subject: Vorbildliche Aktion
> Subject: 60 Jahre Befreiung: Wer feiert mit?
> Subject: Multi-Kulturell = Multi-Kriminell
> Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
> Subject: Blutige Selbstjustiz
> Subject: Dresden 1945
> Subject: Du wirst ausspioniert ....!
> Subject: Armenian Genocide Plagues Ankara 90 Years On
> Subject: Augen auf
> Subject: Trotz Stellenabbau
> Subject: Volk wird nur zum zahlen gebraucht!
> Subject: Transparenz ist das Mindeste
> Subject: The Whore Lived Like a German
> Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
> Subject: Schily ueber Deutschland
> Subject: Deutsche Buerger trauen sich nicht ...
> Subject: Graeberschaendung auf bundesdeutsche Anordnung
> Subject: S.O.S. Kiez! Polizei schlaegt Alarm

Re: Bombarded by German political spam

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>>> I have quite a few, here is the subjects list:
>>>
>>> Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
>>> Subject: Auf Streife durch den Berliner Wedding
>>> Subject: Auslaender bevorzugt
>>> Subject: Auslaenderpolitik

<cut>

This is the complete list so far:

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau
Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?
Subject: Multi-Kulturell = Multi-Kriminell
Subject: Turkish Tabloid Enrages Germany with Nazi Comparisons
Subject: Blutige Selbstjustiz
Subject: Dresden 1945
Subject: Du wirst ausspioniert ....!
Subject: Armenian Genocide Plagues Ankara 90 Years On
Subject: Augen auf
Subject: Trotz Stellenabbau
Subject: Volk wird nur zum zahlen gebraucht!
Subject: Transparenz ist das Mindeste
Subject: The Whore Lived Like a German
Subject: Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer
Subject: Schily ueber Deutschland
Subject: Deutsche Buerger trauen sich nicht ...
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: S.O.S. Kiez! Polizei schlaegt Alarm

Bye,
Raymond
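
An added example, not part of the original thread or of any ruleset linked in it: a small Python generator that turns a subject list like the ones posted here into SpamAssassin `header` rules at the 1.0-per-subject score mentioned for 99_sober.cf. It drops the entry that appears twice in the list above, escapes punctuation, and holds back the subject a reply questions as possibly legitimate. The rule-name prefix `LOCAL_DE_SUBJ`, the `describe` text and the anchored, case-sensitive match are assumptions.

```python
import re
import string

# Constructed input: subjects copied from the lists posted in this thread. One
# entry appears twice, as it does in the "complete list so far" post, and one
# is the subject a reply questions as possibly legitimate.
SUBJECTS = [
    "4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass",
    "Graeberschaendung auf bundesdeutsche Anordnung",
    "Du wirst zum Sklaven gemacht!!!",
    "Multi-Kulturell = Multi-Kriminell",
    "S.O.S. Kiez! Polizei schlaegt Alarm",
    "Ihre Anfrage an Amazon.de",
    "Augen auf",
    "Graeberschaendung auf bundesdeutsche Anordnung",
]

# Subjects that plausibly occur on legitimate mail are held back, not scored.
HOLD_BACK = {"Ihre Anfrage an Amazon.de"}

RULE_PREFIX = "LOCAL_DE_SUBJ"  # hypothetical rule-name prefix (assumption)
SCORE = "1.0"                  # per-subject score quoted in the thread

# ASCII punctuation gets a backslash so it is literal inside /.../ and so that
# "#" cannot start a comment in the .cf file. "_" needs no escaping.
PUNCT = set(string.punctuation) - {"_"}


def normalize(subject):
    """Collapse runs of whitespace so re-wrapped copies compare equal."""
    return " ".join(subject.split())


def perl_quote(text):
    """Escape a literal string for use inside a Perl-style /regex/."""
    return "".join("\\" + ch if ch in PUNCT else ch for ch in text)


def build_rules(subjects, hold_back=frozenset()):
    """Return (rules, dropped).

    rules   -- list of (rule_name, subject, anchored_pattern)
    dropped -- list of (subject, reason) for duplicates and held-back entries
    """
    seen = {}
    rules, dropped = [], []
    for raw in subjects:
        subject = normalize(raw)
        if subject in seen:
            dropped.append((subject, "duplicate of " + seen[subject]))
            continue
        if subject in hold_back:
            dropped.append((subject, "held back for review"))
            continue
        name = "%s_%02d" % (RULE_PREFIX, len(seen) + 1)
        seen[subject] = name
        # Anchoring both ends keeps the rule from firing on replies or on
        # longer subjects that merely contain the phrase.
        rules.append((name, subject, "^" + perl_quote(subject) + "$"))
    return rules, dropped


def self_check(rules):
    """Names of rules that miss their own subject or fire on a reply to it.

    Python's re is used for the check; for fully escaped, anchored literals
    it behaves the same as the Perl regex engine SpamAssassin uses.
    """
    bad = []
    for name, subject, pattern in rules:
        rx = re.compile(pattern)
        if not rx.search(subject) or rx.search("Re: " + subject):
            bad.append(name)
    return bad


def render(rules):
    """Format the rules as the text of a .cf file."""
    lines = []
    for name, _subject, pattern in rules:
        lines.append("header   %s  Subject =~ /%s/" % (name, pattern))
        lines.append("describe %s  Subject seen in the German spam run" % name)
        lines.append("score    %s  %s" % (name, SCORE))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    built, skipped = build_rules(SUBJECTS, HOLD_BACK)
    assert not self_check(built)
    print(render(built))
    for subject, reason in skipped:
        print("# not emitted: %s (%s)" % (subject, reason))
```

Written to its own .cf file in the SpamAssassin configuration directory, the output is loaded as described elsewhere in this thread; `spamassassin --lint` checks the file before spamd is restarted.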

Re: Bombarded by German political spam

Posted by Alex Broens <sa...@alexb.ch>.
wolfgang wrote:
> In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
> 
>>Hi!
>>
>>
>>>>Anyone has a full list of subjects yet, time to do some SA magic... ;)
>>
>>>I have quite a few, here is the subjects list:
>>>
>>>Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
>>>Subject: Auf Streife durch den Berliner Wedding
>>>Subject: Auslaender bevorzugt
>>>Subject: Auslaenderpolitik
>>>Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
>>>Subject: Deutsche werden kuenftig beim Arzt abgezockt
>>>Subject: Du wirst zum Sklaven gemacht!!!
>>>Subject: Graeberschaendung auf bundesdeutsche Anordnung
>>>Subject: Hier sind wir Lehrer die einzigen Auslaender
>>>Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
>>>Subject: Tuerkei in die EU
>>>Subject: Verbrechen der deutschen Frau
>>
>>Two more:
>>
>>Subject: Vorbildliche Aktion
>>Subject: 60 Jahre Befreiung: Wer feiert mit?
> 
> 
> one more:
> Subject: Augen auf
> 
> I noticed that the WS URIBL does by now recognize various of the URIs in those 
> mails, and a rule like
> # whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
> urirhssub URIBL_RFCI_WHOIS      whois.rfc-ignorant.org.     A   5
> body URIBL_RFCI_WHOIS           eval:check_uridnsbl('URIBL_RFCI_WHOIS')
> describe URIBL_RFCI_WHOIS       URL listed at rfc-ignorant.org (whois)
> tflags URIBL_RFCI_WHOIS         net
> also works well here:
> 
>  1.0 URIBL_RFCI_WHOIS       URL listed at rfc-ignorant.org (whois)
>                             [URIs: pro-koeln-online.de jungefreiheit.de]
>                             [g-d-f.de bewaeltigen.de kopfmord.de]
>                             [buergerbewegungen.de wk-institut.de]
>                             [das-gibts-doch-nicht.de un-nachrichten.de]
>                             [rocknord.de]
> 

And may cause LOTS of false positives as well

Sun 2005-05-15 13:42:18: *  1.0 URIBL_RFCI_WHOIS URL listed at 
rfc-ignorant.org (whois)
Sun 2005-05-15 13:42:18: *      [URIs: spiegel.de npd.de taz.de]

FP: spiegel.de & taz.de

Sun 2005-05-15 13:42:44: *  1.0 URIBL_RFCI_WHOIS URL listed at 
rfc-ignorant.org (whois)
Sun 2005-05-15 13:42:44: *      [URIs: libasoli.de zdf.de]

FP: zdf.de

h2h

Alex





Re: Bombarded by German political spam

Posted by wolfgang <me...@gmx.net>.
In an older episode (Sunday 15 May 2005 12:44), Raymond Dijkxhoorn wrote:
> Hi!
> 
> >> Anyone has a full list of subjects yet, time to do some SA magic... ;)
> 
> > I have quite a few, here is the subjects list:
> >
> > Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> > Subject: Auf Streife durch den Berliner Wedding
> > Subject: Auslaender bevorzugt
> > Subject: Auslaenderpolitik
> > Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> > Subject: Deutsche werden kuenftig beim Arzt abgezockt
> > Subject: Du wirst zum Sklaven gemacht!!!
> > Subject: Graeberschaendung auf bundesdeutsche Anordnung
> > Subject: Hier sind wir Lehrer die einzigen Auslaender
> > Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
> > Subject: Tuerkei in die EU
> > Subject: Verbrechen der deutschen Frau
> 
> Two more:
> 
> Subject: Vorbildliche Aktion
> Subject: 60 Jahre Befreiung: Wer feiert mit?

one more:
Subject: Augen auf

I noticed that the WS URIBL does by now recognize various of the URIs in those 
mails, and a rule like
# whois.rfc-ignorant.org URIBL http://www.rfc-ignorant.org/
urirhssub URIBL_RFCI_WHOIS      whois.rfc-ignorant.org.     A   5
body URIBL_RFCI_WHOIS           eval:check_uridnsbl('URIBL_RFCI_WHOIS')
describe URIBL_RFCI_WHOIS       URL listed at rfc-ignorant.org (whois)
tflags URIBL_RFCI_WHOIS         net
also works well here:

 1.0 URIBL_RFCI_WHOIS       URL listed at rfc-ignorant.org (whois)
                            [URIs: pro-koeln-online.de jungefreiheit.de]
                            [g-d-f.de bewaeltigen.de kopfmord.de]
                            [buergerbewegungen.de wk-institut.de]
                            [das-gibts-doch-nicht.de un-nachrichten.de]
                            [rocknord.de]

regards,

wolfgang

Re: Bombarded by German political spam

Posted by wolfgang <me...@gmx.net>.
In an older episode (Sunday 15 May 2005 11:55), wolfgang wrote:

oops, this one:

> Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA

is not part of them ;)

regards,

wolfgang


Re: Bombarded by German political spam

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>> Anyone has a full list of subjects yet, time to do some SA magic... ;)

> I have quite a few, here is the subjects list:
>
> Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
> Subject: Auf Streife durch den Berliner Wedding
> Subject: Auslaender bevorzugt
> Subject: Auslaenderpolitik
> Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
> Subject: Deutsche werden kuenftig beim Arzt abgezockt
> Subject: Du wirst zum Sklaven gemacht!!!
> Subject: Graeberschaendung auf bundesdeutsche Anordnung
> Subject: Hier sind wir Lehrer die einzigen Auslaender
> Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
> Subject: Tuerkei in die EU
> Subject: Verbrechen der deutschen Frau

Two more:

Subject: Vorbildliche Aktion
Subject: 60 Jahre Befreiung: Wer feiert mit?

anyone care to make a small ruleset to score them up?

Bye,
Raymond.

Re: Bombarded by German political spam

Posted by wolfgang <me...@gmx.net>.
In an older episode (Sunday 15 May 2005 10:47), Raymond Dijkxhoorn wrote:

> Anyone has a full list of subjects yet, time to do some SA magic... ;)

I have quite a few, here is the subjects list:

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass
Subject: Auf Streife durch den Berliner Wedding
Subject: Auslaender bevorzugt
Subject: Auslaenderpolitik
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
Subject: Deutsche werden kuenftig beim Arzt abgezockt
Subject: Du wirst zum Sklaven gemacht!!!
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Subject: Hier sind wir Lehrer die einzigen Auslaender
Subject: Paranoider Deutschenmoerder kommt in Psychiatrie
Subject: Tuerkei in die EU
Subject: Verbrechen der deutschen Frau

regards,

wolfgang


Re: Bombarded by German political spam

Posted by Niek <ni...@asbak.coding-slaves.com>.
On 5/15/2005 10:47 AM +0200, Raymond Dijkxhoorn wrote:
> Actually it was to be expected. Remember the same german political spams 
> one year ago? The european voting is coming up so i guess they do it
> again now. Brrrr....

Unlike some other countries in the EU, Germany doesn't have a referendum
on the European constitution.

Niek

Re: Bombarded by German political spam

Posted by Loren Wilton <lw...@earthlink.net>.
> I only have one, and you might be better off looking for the urls than the
> subject:

Ok, now I have two.  Both from the same machine as it happens, although this
time it claims it is an AOL mail server.  Last time it was something else.
Yea, right.

Subject: Paranoider Deutschenmoerder kommt in Psychiatrie

Lese selbst:
http://brandenburg.rz.fhtw-berlin.de/poetschke.html


Re: Bombarded by German political spam

Posted by Loren Wilton <lw...@earthlink.net>.
> Anyone has a full list of subjects yet, time to do some SA magic... ;)

I only have one, and you might be better off looking for the urls than the
subject:

Subject: 4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass

Lese selbst:
http://www.npd.de/npd_info/deutschland/2005/d0405-13.html

Neue Dokumente:
http://www.rp-online.de/public/article/nachrichten/politik/deutschland/87647

Botschafter in Kiew beschwerte sich noch 2004:
http://www.rp-online.de/public/article/nachrichten/politik/deutschland/85735

Traumziel Deutschland:
http://www.berlinonline.de/berliner-zeitung/archiv/.bin/dump.fcgi/2004/1221/politik/0009/index.html

Kanzler erleichtert Visaverfahren für Golfstaaten:
http://www.spiegel.de/spiegel/vorab/0,1518,349262,00.html

Ohne Deutsch nach Deutschland:
http://www.aufenthaltstitel.de/zuwg/0618.html

Vorbildliche Aktion:
http://www.npd.de/npd_info/deutschland/2004/d1204-24.html




Re: Bombarded by German political spam

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

> Tonight our site is being bombarded by German political spam or
> Joe-jobbed bounce fall-out. So far it appears to all be coming
> from trojaned PCs. Other than the specific URLs in the messages
> haven't found any easily identified parts to create rules for.
>
> anybody else seeing this?

Actually it was to be expected. Remember the same german political spams 
one year ago? The european voting is coming up so i guess they do it
again now. Brrrr....

Anyone has a full list of subjects yet, time to do some SA magic... ;)

Bye,
Raymond.

Re: Bombarded by German political spam

Posted by Loren Wilton <lw...@earthlink.net>.
> anybody else seeing this?

I got one of them, and fortunately only one.  Bayes did a good job of
catching it.

        Loren


Re: Bombarded by German political spam

Posted by Roman Serbski <me...@gmail.com>.
On 5/15/05, David B Funk <db...@engineering.uiowa.edu> wrote:
> Tonight our site is being bombarded by German political spam or
> Joe-jobbed bounce fall-out. So far it appears to all be coming
> from trojaned PCs. Other than the specific URLs in the messages
> havn't found any easily identified parts to create rules for.
> 
> anybody else seeing this?

Yes, we have already received six messages.

Subjects:

Gegen das Vergessen
Graeberschaendung auf bundesdeutsche Anordnung
Multi-Kulturell = Multi-Kriminell
The Whore Lived Like a German
Verbrechen der deutschen Frau
Volk wird nur zum zahlen gebraucht!

URLs inside:

http://www.die-kommenden.net/dk/zeitgeschichte/graeberschaendung.htm
http://www.npd.de/npd_info/meldungen/2005/m0105-19.html
http://service.spiegel.de/cache/international/0,1518,344374,00.html
http://www.jn-bw.de/texte/zeitgeschichte/verbrechen_der_frau.htm
http://www.my-rocknord.de/viewtopic.php?t=1018&sid=3ce6385b1dee88cb02447f566a2da68d

Regards,
Roman

Re: Bombarded by German political spam

Posted by JamesDR <ro...@bellsouth.net>.
Gerald V. Livingston II wrote:
> On Sun, 15 May 2005 18:19:39 +0200 Chr. von Stuckrad wrote:
> 
> 
>>On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
>>
>>>I received about 500 on the webmaster account.
>>>
>>>Now we know what "sober" was all about.
>>
>>I see *no* connection to any Virus or Trojan!
> 
> 
> [SNIP...]
> 
> 
>>No attachments seem to be sent and our Mail-filter would
>>have 'eaten' anyway all the current Sober-Viruses/Variants.
>>(I'm pretty sure about that, I'm its admin)
> 
> 
> 
> He didn't mean the messages CONTAIN a virus/trojan.
> 
> Over the last 2 weeks a new "sober" worm variant was released and infected
> tens of thousands of clueless Windows user machines.
> 
> The current wave of political spam is being sent out through those infected
> machines.
> 
> <DREAMING>
> It would be really nice if all the ISPs of the world would get together and
> create a comprehensive database of all residential IP address pools
> maintained in dnsbl fashion. Something the owner of an IP block could add to
> or remove from (with encrypted pass protection) *easily* when IP's are
> reassigned. Blocking direct, unauthenticated, SMTP transactions from
> addresses on that list would stop 90% of virus transmission and a large chunk
> of spam as well.
> </DREAMING>
> 
> Gerald
> 
> 
Many already do... I know mine does, along with the local cable co. (I'm 
on DSL)

-- 
Thanks,
JamesDR

Re: Bombarded by German political spam

Posted by "Gerald V. Livingston II" <ge...@sysmatrix.net>.
On Sun, 15 May 2005 18:19:39 +0200 Chr. von Stuckrad wrote:

> On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
> > I received about 500 on the webmaster account.
> > 
> > Now we know what "sober" was all about.
> 
> I see *no* connection to any Virus or Trojan!

[SNIP...]

> No attachments seem to be sent and our Mail-filter would
> have 'eaten' anyway all the current Sober-Viruses/Variants.
> (I'm pretty sure about that, I'm its admin)


He didn't mean the messages CONTAIN a virus/trojan.

Over the last 2 weeks a new "sober" worm variant was released and infected
tens of thousands of clueless Windows user machines.

The current wave of political spam is being sent out through those infected
machines.

<DREAMING>
It would be really nice if all the ISPs of the world would get together and
create a comprehensive database of all residential IP address pools
maintained in dnsbl fashion. Something the owner of an IP block could add to
or remove from (with encrypted pass protection) *easily* when IP's are
reassigned. Blocking direct, unauthenticated, SMTP transactions from
addresses on that list would stop 90% of virus transmission and a large chunk
of spam as well.
</DREAMING>

Gerald


Re: Bombarded by German political spam

Posted by Tim B <mo...@optonline.net>.
Chr. von Stuckrad wrote:
> On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
> 
>>I received about 500 on the webmaster account.
>>
>>Now we know what "sober" was all about.
> 
> 
> I see *no* connection to any Virus or Trojan!
> 
> I got about 200 of them into a few accounts and
> seemingly I'm receiving more every few minutes.
> 
> BUT I do *not* think it is more than 'Propaganda'!
> It mostly is just one URL of a genuine Article
> of a german Newspaper (only the 'collection' of
> Articles and tendency of subject making it 'political').
> 
> No attachments seem to be sent and our Mail-filter would
> have 'eaten' anyway all the current Sober-Viruses/Variants.
> (I'm pretty sure about that, I'm its admin)
> 
> Stucki (postmaster at math/inf/mi.fu-berlin.de)
> 

Look at your AV logs of those sending sober.p and look at the 
connections sending the German political spam.  You will start to see a 
connection.  In fact I'm going through my logs right now finding the 
hosts which sent sober.p and starting to block those because they so far 
seem to be the main ones sending the political spam.
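
[Added example, not part of the message above and not code from anyone on the list: one way to run the log correlation it describes, checking how much of the spam came from relays the AV scanner had already seen sending sober.p before blocking them. The log line format, the `avscan`/`filter` program names, the signature string and the IP addresses are all constructed assumptions.]

```python
import re
from collections import Counter

# Constructed sample lines in a made-up, simplified format
# (an assumption for this example, not real AV or MTA output).
AV_LOG = """\
May 14 03:12:01 mx1 avscan: INFECTED name=Worm.Sober.P relay=192.0.2.10
May 14 09:40:55 mx1 avscan: INFECTED name=Worm.Sober.P relay=198.51.100.7
May 14 11:02:13 mx1 avscan: INFECTED name=Worm.Mytob.X relay=203.0.113.99
May 14 18:27:40 mx1 avscan: INFECTED name=Worm.Sober.P relay=192.0.2.10
"""
SPAM_LOG = """\
May 15 07:01:12 mx1 filter: SPAM score=12.3 relay=192.0.2.10
May 15 07:01:15 mx1 filter: SPAM score=9.8 relay=192.0.2.10
May 15 07:03:44 mx1 filter: SPAM score=11.0 relay=198.51.100.7
May 15 07:05:02 mx1 filter: SPAM score=8.1 relay=203.0.113.50
"""

AV_RE = re.compile(r"INFECTED name=(\S+) relay=(\d+\.\d+\.\d+\.\d+)")
SPAM_RE = re.compile(r"SPAM score=[\d.]+ relay=(\d+\.\d+\.\d+\.\d+)")

def virus_senders(av_log, needle="sober.p"):
    """Relays whose AV hit name contains `needle` (case-insensitive)."""
    return {ip for name, ip in AV_RE.findall(av_log)
            if needle.lower() in name.lower()}

def correlate(av_log, spam_log, needle="sober.p"):
    """Return (spam count per relay that also sent the worm,
    fraction of all spam that came from those relays)."""
    infected = virus_senders(av_log, needle)
    spam = Counter(SPAM_RE.findall(spam_log))
    overlap = {ip: n for ip, n in spam.items() if ip in infected}
    total = sum(spam.values())
    share = sum(overlap.values()) / total if total else 0.0
    return overlap, share

if __name__ == "__main__":
    overlap, share = correlate(AV_LOG, SPAM_LOG)
    for ip, n in sorted(overlap.items()):
        print(f"{ip}: sent the worm earlier, now {n} spam message(s)")
    print(f"{share:.0%} of logged spam came from earlier worm senders")
```

[The share figure is the check to look at before turning the overlap list into blocks: a low value means the worm senders are not the main spam source in your own logs.]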


Re: Bombarded by German political spam

Posted by Niek <ni...@asbak.coding-slaves.com>.
On 5/15/2005 6:19 PM +0200, Chr. von Stuckrad wrote:
>>Now we know what "sober" was all about.
> 
> 
> I see *no* connection to any Virus or Trojan!

Oh, there is a connection. Just like last year's sober.g and a German
extremist spamrun.

This spamrun was caused by sober.q which was downloaded by sober.p

Niek

Re: Bombarded by German political spam

Posted by Niek <ni...@asbak.coding-slaves.com>.
On 5/15/2005 6:19 PM +0200, Chr. von Stuckrad wrote:
>>Now we know what "sober" was all about.
> 
> 
> I see *no* connection to any Virus or Trojan!

Also see:
http://isc.sans.org/
http://www.viruslist.com/en/weblog

Niek

Re: Bombarded by German political spam

Posted by "Chr. von Stuckrad" <st...@mi.fu-berlin.de>.
On Sun, May 15, 2005 at 10:59:12AM -0500, Steven Stern wrote:
> I received about 500 on the webmaster account.
> 
> Now we know what "sober" was all about.

I see *no* connection to any Virus or Trojan!

I got about 200 of them into a few accounts and
seemingly I'm receiving more every few minutes.

BUT I do *not* think it is more than 'Propaganda'!
It mostly is just one URL of a genuine Article
of a German Newspaper (only the 'collection' of
Articles and tendency of subject making it 'political').

No attachments seem to be sent and our Mail-filter would
have 'eaten' anyway all the current Sober-Viruses/Variants.
(I'm pretty sure about that, I'm its admin)

Stucki (postmaster at math/inf/mi.fu-berlin.de)

-- 
Christoph von Stuckrad      * * |nickname |<st...@mi.fu-berlin.de>  \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Mathematik & Informatik EDV |\ *|if online|Tel(else):+49 30 77 39 6600|
Arnimallee 2-6/14195 Berlin * * |on IRCnet|Fax(alle):+49 30 838-75454/

Re: Bombarded by German political spam

Posted by Steven Stern <su...@sterndata.com>.
David B Funk wrote:
> Tonight our site is being bombarded by German political spam or
> Joe-jobbed bounce fall-out. So far it appears to all be coming
> from trojaned PCs. Other than the specific URLs in the messages
> havn't found any easily identified parts to create rules for.
> 
> anybody else seeing this?
> 

Lots and lots.  Around 10AM CDT, it seems that the various RBL and URI 
rules are starting to kick in, but some is still leaking through with 
low scores.

I received about 500 on the webmaster account.

Now we know what "sober" was all about.

-- 

    Steve

Re: Bombarded by German political spam

Posted by Alan Premselaar <al...@12inch.com>.
Matias Lopez Bergero wrote:
> David B Funk wrote:
> 
>> Tonight our site is being bombarded by German political spam or
>> Joe-jobbed bounce fall-out. So far it appears to all be coming
>> from trojaned PCs. Other than the specific URLs in the messages
>> havn't found any easily identified parts to create rules for.
>>
>> anybody else seeing this?
> 
> 
> I'm being bombarded too!
> 
> 
> Matías.
> 
> 
> 

I'm mostly just getting the bogus MAILER-DAEMON bounces from being 
joe-jobbed.

I've literally had 100's of these compared to the 2 or 3 actual spams.
(usually 50+ at a time)

alan

Re: Bombarded by German political spam

Posted by Matias Lopez Bergero <ml...@udesa.edu.ar>.
David B Funk wrote:
> Tonight our site is being bombarded by German political spam or
> Joe-jobbed bounce fall-out. So far it appears to all be coming
> from trojaned PCs. Other than the specific URLs in the messages
> havn't found any easily identified parts to create rules for.
> 
> anybody else seeing this?

I'm being bombarded too!


Matías.




Re: Bombarded by German political spam

Posted by Jon Trulson <jo...@radscan.com>.
On Sun, 15 May 2005, David B Funk wrote:

> Tonight our site is being bombarded by German political spam or
> Joe-jobbed bounce fall-out. So far it appears to all be coming
> from trojaned PCs. Other than the specific URLs in the messages
> havn't found any easily identified parts to create rules for.
>
> anybody else seeing this?
>

Absolutely :)  Several hundred so far.  I wonder whether it is 
worth the effort to write rules for these types of things?  After feeding 
50 or so to Bayes, they are all getting a bayes_99 now (I set up the 
bayes_99 score to 5.4 when I upgraded to 3.x).

So far they are being trapped...

-- 
Jon Trulson    mailto:jon@radscan.com
ID: 1A9A2B09, FP: C23F328A721264E7 B6188192EC733962
PGP keys at http://radscan.com/~jon/PGPKeys.txt
#include <std/disclaimer.h>
"I am Nomad." -Nomad


Re: Bombarded by German political spam

Posted by James R <ja...@trusswood.dyndns.org>.
David B Funk wrote:
> Tonight our site is being bombarded by German political spam or
> Joe-jobbed bounce fall-out. So far it appears to all be coming
> from trojaned PCs. Other than the specific URLs in the messages
> havn't found any easily identified parts to create rules for.
> 
> anybody else seeing this?
> 

Slightly OT, but related none-the-less:
http://www.theregister.co.uk/2005/05/16/sober_spews_spam/

-- 
Thanks,
James