Posted to users@spamassassin.apache.org by Jason Haar <Ja...@trimble.co.nz> on 2010/08/16 22:05:25 UTC

short pharma spam shoots straight through

 Hi there

For the past few weeks we've experienced a large increase in missed
spam. It's Pharma-related, one sentence plus a link.

The interesting features are:

* every Subject line is different. They aren't Bayes-busters either -
all Pharma related - but shall we say "innovative" in their use of
English. I do mean every one is different too. I can see one get
through, and if I search for the Subject line in the logs, I see that it
was sent to only one person! This is a level of sophistication I haven't
seen/noticed before
* the single sentence sometimes refers to Pharma - sometimes not
* obviously the SA RBL/SURBL tests don't pick these

If one gets through and I wait 10-20 minutes and re-run it, it typically
increases its score from 2/5 to >10/5 - so graylisting would definitely
help. But we don't "do" graylisting.

There's really not much to chew on with these messages. How are others
dealing with them? Here's an example - it's already been picked up by
network tests - but it demonstrates the format

http://pastebin.com/W6wXq4RX

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
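The observation above (a rescan 10-20 minutes later takes the same message from 2/5 to over 10/5) suggests a post-acceptance stand-in for greylisting: deliver clear ham and clear spam at once, but park only the borderline scores and rescore them after the network lists have caught up. The following is an added example, not code from this thread or from the SpamAssassin project; the grey band (1.0 up to required_score), the 900-second hold and the spamc wrapper are assumptions, and the test injects a fake scanner so it runs offline.

```python
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def spamc_score(raw: bytes) -> float:
    """Score a raw message with a local spamd via `spamc -c`, which prints only
    the summary "score/threshold" (e.g. "2.1/5.0").  Assumes spamc is installed
    and spamd is reachable; the offline test injects a fake scanner instead."""
    out = subprocess.run(["spamc", "-c"], input=raw, capture_output=True, check=False).stdout
    return float(out.decode("ascii", "replace").strip().split("/")[0])


@dataclass
class Held:
    msg_id: str
    raw: bytes
    first_score: float
    held_at: float      # clock() value when the message was parked


class HoldQueue:
    """Deliver clear ham at once, mark clear spam at once, and park borderline
    messages for hold_seconds before scoring them a second time."""

    def __init__(self, scan: Callable[[bytes], float], required: float = 5.0,
                 grey_floor: float = 1.0, hold_seconds: int = 900,
                 clock: Callable[[], float] = time.time) -> None:
        self.scan = scan
        self.required = required        # SpamAssassin's required_score
        self.grey_floor = grey_floor    # below this, deliver without waiting (assumption)
        self.hold_seconds = hold_seconds
        self.clock = clock
        self.held: Dict[str, Held] = {}

    def decide(self, score: float) -> str:
        if score >= self.required:
            return "spam"
        if score >= self.grey_floor:
            return "hold"
        return "deliver"

    def ingest(self, msg_id: str, raw: bytes) -> str:
        """First pass at arrival; returns 'deliver', 'spam' or 'hold'."""
        score = self.scan(raw)
        verdict = self.decide(score)
        if verdict == "hold":
            self.held[msg_id] = Held(msg_id, raw, score, self.clock())
        return verdict

    def rescan_due(self) -> List[Tuple[str, str, float, float]]:
        """Second pass for every held message whose delay has elapsed.  The
        second verdict is final: (msg_id, 'spam'|'deliver', first, second)."""
        now = self.clock()
        due = [m for m, h in self.held.items() if now - h.held_at >= self.hold_seconds]
        results = []
        for msg_id in due:
            h = self.held.pop(msg_id)
            second = self.scan(h.raw)
            final = "spam" if second >= self.required else "deliver"
            results.append((msg_id, final, h.first_score, second))
        return results
```

In production the queue would be driven by a delivery hook (ingest) and a cron-style loop (rescan_due) with the held messages on disk rather than in memory; the point is that only the grey band pays the delay, so most mail is not slowed down. Anything that is still below required_score on the second pass is delivered, so the band should be set from your own score distribution rather than guessed.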


Re: short pharma spam shoots straight through

Posted by Benny Pedersen <me...@junc.org>.
On Mon 16 Aug 2010 22:05:25 CEST, Jason Haar wrote
> http://pastebin.com/W6wXq4RX

match on the .ru TLD with a score of 10
and then whitelist specific .ru domains that do not spam with a score of -10

that will neutralize scores for ham from .ru domains

there was a spam that included the words "my new email address" but  
this is stopped now with freemail plugin :)

this one is just see my new ru domain :)

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: short pharma spam shoots straight through

Posted by Rob McEwen <ro...@invaluement.com>.
Jason Haar wrote:
>  On 08/17/2010 01:04 PM, John Hardin wrote:
>   
>> You might consider implementing spamhaus zen as an MTA-level hard
>> reject DNSBL (I do that, maybe that's why I don't see any pharma
>> spam?) - many admins trust it enough to do that, and the sample you
>> posted hit on the abuseat CBL, which is a zen feed.
>>     
> As per my initial email, none of the RBLs hit the message when they get
> in. More precisely:<SNIP>

Jason,

Actually, for the sample you posted, ivmURI had the domain name in the
clickable link blacklisted a whole two days BEFORE that spam was sent to
you. Likewise, the IP was already in the ivmSIP/24 blacklist for MANY
days prior to this... and probably BEFORE this IP was ever used for
sending spam. (In fact, ivmSIP/24 WILL block many "zero day" spams, but
without the FPs typically associated with most other /24 blacklists)

But, then again, I'm obviously biased towards the invaluement lists.
Therefore, for a better non-biased evaluation, take the ones which you
keep missing and, extremely soon after they are missed... go to
http://multirbl.valli.org and
check both the sending IP, and any suspicious domains in the clickable
links (I'd have suggested mxtoolbox or dnsstuff... but I know that
multirbl.valli.org will
allow for checking the URI in the clickable link against URI blacklists,
in addition to the sending IP)

If you can do that check literally seconds after your spam filter missed
the spam, then you'll likely see which blacklists you aren't using would
have blocked it. Of course, some lists might have the item listed, but
are of little value due to such lists blocking too much legit mail. So
ignore those! But any extreme-low-FP DNSBL that listed those missed
spams prior to you receiving the spam should prove VERY worthy of your
attention!

If the other spams are like your example spam, you should see
invaluement coming up over and over... and you might also see one or two
other freely available, non-commercial DNSBLs come up as well that might
help you (at no cost!), too!

-- 
Rob McEwen
http://dnsbl.invaluement.com/
rob@invaluement.com
+1 (478) 475-9032



Re: short pharma spam shoots straight through

Posted by Jason Haar <Ja...@trimble.co.nz>.
 On 08/17/2010 01:04 PM, John Hardin wrote:
>
> You might consider implementing spamhaus zen as an MTA-level hard
> reject DNSBL (I do that, maybe that's why I don't see any pharma
> spam?) - many admins trust it enough to do that, and the sample you
> posted hit on the abuseat CBL, which is a zen feed.
>
As per my initial email, none of the RBLs hit the message when they get
in. More precisely:

1. a "flash" of incoming spam arrives from a range of IP addresses (ie
some botnet)
2. most are caught as they are in RBLs and are blocked/rejected/tagged
3. some come from "Day Zero" IPs and get through with a max score of 2/5
(ie DCC, Bayes, Pyzor, Botnet.cf don't score much)

Users only see "3". It used to be that you could go days without seeing
any spam in your inbox - now due to this specific class of pharma spam,
we are seeing it end up in all inboxes 2-5 times a day per user - and
it's bad stuff that is generating complaints of course. The issue is
that by definition "Day Zero" spam can't be detected by network tests,
and the simple one-line-plus-link content doesn't give enough to score
on via phrase checks (they keep rewriting the sentences).

I was hoping others are seeing it too, and had come up with some magical
way of stopping it of course ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: short pharma spam shoots straight through

Posted by John Hardin <jh...@impsec.org>.
On Tue, 17 Aug 2010, Jason Haar wrote:

> I didn't give more examples because there is no pattern. I've been
> writing our own rules (based on the Subject or body) for weeks and they
> never trigger as the sentences don't show up again. The ".ru" thing
> isn't an option - those URLs are different too - all over the DNS
> spectrum. Even Bayes doesn't seem to help - as all the sentences are
> different I guess
>
> I was really just expecting to hear "yeah, me too" responses. :-(

Me not. I get buried in 419 spams, don't see _any_ pharma (knocks on 
wood^Wformica).

You might consider implementing spamhaus zen as an MTA-level hard reject 
DNSBL (I do that, maybe that's why I don't see any pharma spam?) - many 
admins trust it enough to do that, and the sample you posted hit on the 
abuseat CBL, which is a zen feed.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Gun Control laws aren't enacted to control guns, they are enacted
   to control people: catholics (1500s), japanese peasants (1600s),
   blacks (1860s), italian immigrants (1911), the irish (1920s),
   jews (1930s), blacks (1960s), the poor (always)
-----------------------------------------------------------------------
  8 days until the 1931st anniversary of the destruction of Pompeii
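Rob's advice (check the sending IP and the domains in the clickable links against many lists right after a miss) and John's (zen.spamhaus.org at the MTA) both come down to building the right DNS query names. This is an added example, not code from the thread or from any of the list operators; it shows how the lookups are formed and interpreted, with the resolver injectable so the test runs offline. The zones used are the public zen.spamhaus.org, cbl.abuseat.org, multi.surbl.org, multi.uribl.com and dbl.spamhaus.org; invaluement's ivmSIP/ivmURI are subscription feeds with per-customer zone names, so they are left out. The two-label suffix set is a deliberately small stand-in for the public suffix list.

```python
import ipaddress
import re
import socket
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Sender-IP lists (zen includes the CBL feed) and URI lists queried by domain.
IP_ZONES = ["zen.spamhaus.org", "cbl.abuseat.org"]
URI_ZONES = ["multi.surbl.org", "multi.uribl.com", "dbl.spamhaus.org"]

URI_RE = re.compile(r'https?://[^\s<>"\'\)\]]+', re.IGNORECASE)

# Minimal stand-in for the public suffix list (assumption); SpamAssassin's
# URIDNSBL plugin uses the full list to find the registrable domain.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "co.nz", "net.nz",
                      "com.au", "com.br", "co.jp"}


def reverse_ip(ip: str) -> str:
    """DNSBL convention: 192.0.2.10 -> 10.2.0.192 (IPv4 only here)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets))


def registrable_domain(host: str) -> str:
    """www.buy.example.ru -> example.ru, shop.example.co.nz -> example.co.nz."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def body_domains(body: str) -> Set[str]:
    """Registrable domains of every http(s) link in the body; IP-literal
    hosts are skipped (SURBL/URIBL take reversed IPs, DBL does not)."""
    out: Set[str] = set()
    for m in URI_RE.finditer(body):
        host = urlsplit(m.group(0)).hostname
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            out.add(registrable_domain(host))
    return out


def listed(answer: Optional[str]) -> bool:
    """A hit is an A record inside 127.0.0.0/8; NXDOMAIN (None) or anything
    else (e.g. a zone's error sentinel outside that range) is a miss."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")
    except ValueError:
        return False


def gethostbyname_or_none(name: str) -> Optional[str]:
    """Live resolver using the system stub; None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check(sender_ip: str, body: str, resolve=gethostbyname_or_none) -> Dict[str, str]:
    """Return {query_name: answer} for every zone that lists the sender IP
    or one of the link domains."""
    hits: Dict[str, str] = {}
    for zone in IP_ZONES:
        q = f"{reverse_ip(sender_ip)}.{zone}"
        a = resolve(q)
        if listed(a):
            hits[q] = a
    for dom in sorted(body_domains(body)):
        for zone in URI_ZONES:
            q = f"{dom}.{zone}"
            a = resolve(q)
            if listed(a):
                hits[q] = a
    return hits
```

Two caveats when running this for real: the Spamhaus zones answer only through a resolver that is not a large public one (and refuse heavy unregistered use), and which return code means what differs per zone, so keep the answer rather than just a boolean when you compare lists. The same query names are what SpamAssassin's check_rbl / URIDNSBL rules and Postfix's reject_rbl_client build internally, so a hit here that your filter missed tells you which list to add.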

Re: short pharma spam shoots straight through

Posted by Benny Pedersen <me...@junc.org>.
On Mon 16 Aug 2010 23:28:00 CEST, Jason Haar wrote
> I was really just expecting to hear "yeah, me too" responses. :-(

me too

why care about new .ru domains? blacklist the TLD and whitelist ones  
that do not spam, maybe meta it with the sender domain or something that  
matches on that domain. I have never seen a spam that was PGP signed

-- 
xpoint http://www.unicom.com/pw/reply-to-harmful.html


Re: short pharma spam shoots straight through

Posted by Jason Haar <Ja...@trimble.co.nz>.
 On 08/17/2010 08:11 AM, Bowie Bailey wrote:
>
> Since you only give one example, it's hard to find a good pattern to
> match on.  If all of them are going to .ru urls, you could write a rule
> for that.  The best thing to do is to take a look at several examples
> and try to figure out what they have in common.
>
I didn't give more examples because there is no pattern. I've been
writing our own rules (based on the Subject or body) for weeks and they
never trigger as the sentences don't show up again. The ".ru" thing
isn't an option - those URLs are different too - all over the DNS
spectrum. Even Bayes doesn't seem to help - as all the sentences are
different I guess

I was really just expecting to hear "yeah, me too" responses. :-(

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: short pharma spam shoots straight through

Posted by Bowie Bailey <Bo...@BUC.com>.
 On 8/16/2010 4:05 PM, Jason Haar wrote:
>  Hi there
>
> For the past few weeks we've experienced a large increase in missed
> spam. It's Pharma-related, one sentence plus a link.
>
> The interesting features are:
>
> * every Subject line is different. They aren't Bayes-busters either -
> all Pharma related - but shall we say "innovative" in their use of
> English. I do mean every one is different too. I can see one get
> through, and if I search for the Subject line in the logs, I see that it
> was sent to only one person! This is a level of sophistication I haven't
> seen/noticed before
> * the single sentence sometimes refers to Pharma - sometimes not
> * obviously the SA RBL/SURBL tests don't pick these
>
> If one gets through and I wait 10-20 minutes and re-run it, it typically
> increases its score from 2/5 to >10/5 - so graylisting would definitely
> help. But we don't "do" graylisting.
>
> There's really not much to chew on with these messages. How are others
> dealing with them? Here's an example - it's already been picked up by
> network tests - but it demonstrates the format
>
> http://pastebin.com/W6wXq4RX

Since you only give one example, it's hard to find a good pattern to
match on.  If all of them are going to .ru urls, you could write a rule
for that.  The best thing to do is to take a look at several examples
and try to figure out what they have in common.

-- 
Bowie
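Benny's suggestion (score +10 on any .ru link, -10 back for named good .ru domains, meta with the sender domain), Bowie's (a rule for .ru URLs) and the message shape from the first post (one short sentence plus a single link) can all be expressed as content rules. The following is an added example, not code from the thread or from SpamAssassin: it implements those rules in Python over a parsed message so the scoring can be checked offline, rather than as uri/meta lines in local.cf. The whitelist, the two non-Benny scores, the 25-word "short body" cut-off and the two sample messages are all constructed for the example. One deliberate difference from a plain -10 uri rule: the negative score applies only when every .ru link in the message is whitelisted, so a spammer cannot launder an unknown .ru link by placing a known-good one beside it.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlsplit

URI_RE = re.compile(r'https?://[^\s<>"\'\)\]]+', re.IGNORECASE)
REQUIRED = 5.0           # the thread's "x/5" threshold (required_score)
SHORT_BODY_WORDS = 25    # assumption for "one sentence plus a link"

# Known-good .ru domains (constructed for the example).
RU_WHITELIST = {"yandex.ru", "mail.ru"}

# +10 / -10 follow Benny's suggestion; the other two scores are assumptions.
SCORES: Dict[str, float] = {
    "URI_RU_TLD": 10.0,
    "URI_RU_ALL_WHITELISTED": -10.0,
    "SHORT_BODY_ONE_LINK": 2.5,
    "FROM_RU_AND_URI_RU": 1.5,      # the "meta with sender domain" rule
}


def link_hosts(text: str) -> List[str]:
    hosts = []
    for m in URI_RE.finditer(text):
        h = urlsplit(m.group(0)).hostname
        if h:
            hosts.append(h.lower().rstrip("."))
    return hosts


def in_whitelist(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in RU_WHITELIST)


def plain_body(msg) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def run_rules(raw: bytes) -> Dict[str, float]:
    """Return {rule_name: score} for every rule the message hits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = plain_body(msg)
    hosts = link_hosts(body)
    ru_hosts = [h for h in hosts if h.endswith(".ru")]
    words = len(URI_RE.sub(" ", body).split())       # body length without the links
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    hit: Dict[str, float] = {}
    if ru_hosts:
        hit["URI_RU_TLD"] = SCORES["URI_RU_TLD"]
        # Negate only when *every* .ru link is known-good.
        if all(in_whitelist(h) for h in ru_hosts):
            hit["URI_RU_ALL_WHITELISTED"] = SCORES["URI_RU_ALL_WHITELISTED"]
    if len(hosts) == 1 and words <= SHORT_BODY_WORDS:
        hit["SHORT_BODY_ONE_LINK"] = SCORES["SHORT_BODY_ONE_LINK"]
    if "URI_RU_TLD" in hit and sender_domain.endswith(".ru"):
        hit["FROM_RU_AND_URI_RU"] = SCORES["FROM_RU_AND_URI_RU"]
    return hit


def score(raw: bytes) -> float:
    return round(sum(run_rules(raw).values()), 1)


def is_spam(raw: bytes) -> bool:
    return score(raw) >= REQUIRED


# Constructed samples in the shape the thread describes (not real messages).
SPAM_SAMPLE = b"""From: Olga <olga@example.ru>
To: user@example.com
Subject: Best offer of the day for you
Content-Type: text/plain; charset=utf-8

Your health deserve the top pills, go see http://buy.cheap-meds-example.ru/
"""

HAM_SAMPLE = b"""From: Friend <friend@example.com>
To: user@example.com
Subject: hotel
Content-Type: text/plain; charset=utf-8

Here's the map link for the conference hotel: https://maps.yandex.ru/-/constructed See you Monday.
"""
```

The limitation Jason raises still stands: every rule here keys on something the sender controls (TLD, sentence length), so on its own the short-body rule is a few points of supporting evidence, not a verdict, and the TLD rule is only as safe as the whitelist behind it. In SpamAssassin terms URI_RU_TLD and the whitelist are uri rules, SHORT_BODY_ONE_LINK is a body/rawbody pair combined with meta, and FROM_RU_AND_URI_RU is a meta over a header rule on From.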