Sunday, September 25, 2005

sophisticated spam

I think it's worth taking more of a positive stance towards spam again. There is a new influx of local spam and I expect I'll have to be at a police station if I'm really going to make a difference soon. In the meantime a spam message I've been getting over the past few months has got me a little stumped and I'm writing for some help.

The following cannot be caught by my greylisting, as it is forwarded from another mail server: I subscribe to a few lists and forwarding addresses, and this one is chair at isoc.org.za. So now I hope to be able to write a SpamAssassin rule. This must be keeping a few people busy, because although I've been seeing this for many months, the latest version of the SpamAssassin rules doesn't catch it. I guess that's because it's pretty smart. In the past 48 hours more than five have arrived for me...

Subject is always different:
Re: Mhedications more Of fr
Re: Medigcations You c an ride it
Re: Medmications Good f or your life
Re: Mednications Chil l up your life
Re: Pharmraceutical 70% for you
Re: Mredications S pecial

And although the rendered content looks fairly similar...

[image: sample spam]
The source looks surprisingly different. OK, this is only what text-only clients see, although the content seems to contain some keywords. Look further down to see the HTML...

-----------------------snip---------------------------------

This is a multi-part message in MIME format.

------=_NextPart_000_0049_01C5C08E.FB10D300
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

ALCVPXVMUC
meIAraIele
bvALonArtl
iiLIpaGi=
re
etIUexRdab
nraSMcia Aiamrex
$1$3 $3 =
.21.75 .33 =
http://www.embassspok=
esm.com thousands of spectators, the whole staff of the Variety, and finally =
plumbers.


-----------------------snip---------------------------------



This is a multi-part message in MIME format.

------=_NextPart_000_004A_01C5C0C6.632EDB80
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

AVPXLCVMCU=
mIraeIAe=
el
bAonvALr=
lt
iGpaiLIier
eRextIUdba
nAcia raSMia=
rexm
$3 $1$3 =
.33 .21.75 =
http://www.laofficiame.com=
Peredelkino, a writers village near Moscow where many writers were and, to =
tell the truth, there was no need for that. There was nothing

-----------------------snip---------------------------------


This is a multi-part message in MIME format.

------=_NextPart_000_0028_01C5C137.93629280
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

AUPVLXVCCM
mlrIeaAIee
btoAvnLAlr
irpGiaILe=
i
eaeRtxUIbd
nmciaAra MS=
rexia
$3 $3$1
.33 .75.21 =
http://www.bardwinow.com the whole of hateful Yershalaim, with its hanging =
bridges, fortresses, and, It must be said that this apartment - no.50 - had =
long had, if not a


-----------------------snip---------------------------------


And this is the HTML (which is the part most people see; very interestingly done, I cannot seem to find any 'rules' in it..):

------=_NextPart_000_004A_01C5C0C6.632EDB80
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DCourier>
<DIV style=3D"FLOAT: left;">A<BR>V<BR>P<BR>X<BR>L<BR>C<BR>V<BR>M<BR>C<BR>U=
</DIV>
<DIV style=3D"FLOAT: left;">m<BR>I<BR>r<BR>a<BR>e<BR>I<BR>A<BR>e<BR>=
e<BR>l</DIV>
<DIV style=3D"FLOAT: left;">b<BR>A<BR>o<BR>n<BR>v<BR>A<BR>L<BR>r<BR>=
l<BR>t</DIV>
<DIV style=3D"FLOAT: left;">i<BR>G<BR>p<BR>a<BR>i<BR>L<BR>I<BR>i<BR=
>e<BR>r</DIV>
<DIV style=3D"FLOAT: left;">e<BR>R<BR>e<BR>x<BR>t<BR>I<BR>U<BR>d<BR>b<BR=
>a</DIV>
<DIV style=3D"FLOAT: left;">n<BR>A<BR>cia<BR> <BR>ra<BR>S<BR>M<BR>ia<BR>=
rex<BR>m</DIV>
<DIV style=3D"FLOAT: left;"> <BR>$3<BR><BR> <BR><BR>$1<BR>$3<BR><BR><BR> =
</DIV>
<DIV style=3D"FLOAT: left;"> <BR>.33<BR><BR> <BR> <BR>.21<BR>.75<BR> <BR><BR> =
</DIV>
<DIV style=3D"CLEAR: both"> </DIV>
<DIV><A href=3D"http://www.laofficiame.com">http://www.laofficiame.com=
</A></DIV></FONT></DIV></BODY></HTML>
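The FLOAT: left columns above only spell out the product list once they are read across, which is what a browser renders and what the text-only view never shows. The following is an added example, not code from the post, of how a filter could normalise the message the same way: decode the quoted-printable HTML, split each float-left DIV on <BR>, read across the columns and match the rendered rows against a keyword list. SAMPLE_QP is the column markup quoted above; WATCH_WORDS is a constructed list.

```python
import quopri
import re
from itertools import zip_longest

# Constructed sample: the eight FLOAT: left columns from the HTML part quoted
# above, still quoted-printable encoded exactly as they arrive on the wire.
SAMPLE_QP = b"""\
<DIV style=3D"FLOAT: left;">A<BR>V<BR>P<BR>X<BR>L<BR>C<BR>V<BR>M<BR>C<BR>U=
</DIV>
<DIV style=3D"FLOAT: left;">m<BR>I<BR>r<BR>a<BR>e<BR>I<BR>A<BR>e<BR>=
e<BR>l</DIV>
<DIV style=3D"FLOAT: left;">b<BR>A<BR>o<BR>n<BR>v<BR>A<BR>L<BR>r<BR>=
l<BR>t</DIV>
<DIV style=3D"FLOAT: left;">i<BR>G<BR>p<BR>a<BR>i<BR>L<BR>I<BR>i<BR=
>e<BR>r</DIV>
<DIV style=3D"FLOAT: left;">e<BR>R<BR>e<BR>x<BR>t<BR>I<BR>U<BR>d<BR>b<BR=
>a</DIV>
<DIV style=3D"FLOAT: left;">n<BR>A<BR>cia<BR> <BR>ra<BR>S<BR>M<BR>ia<BR>=
rex<BR>m</DIV>
<DIV style=3D"FLOAT: left;"> <BR>$3<BR><BR> <BR><BR>$1<BR>$3<BR><BR><BR> =
</DIV>
<DIV style=3D"FLOAT: left;"> <BR>.33<BR><BR> <BR> <BR>.21<BR>.75<BR> <BR><BR> =
</DIV>
<DIV style=3D"CLEAR: both"> </DIV>
"""

# Only the float-left columns carry text; the CLEAR: both DIV is skipped.
FLOAT_DIV = re.compile(r'<DIV[^>]*FLOAT:\s*left[^>]*>(.*?)</DIV>', re.I | re.S)
BR = re.compile(r'<BR\s*/?>', re.I)

def reassemble_columns(qp_html: bytes) -> list[str]:
    """Decode the quoted-printable (soft breaks, =3D), take each float-left
    column, split it on <BR>, then read across the columns so each returned
    string is one visual row, i.e. what the browser actually shows."""
    html = quopri.decodestring(qp_html).decode('ascii', errors='replace')
    columns = [BR.split(cells) for cells in FLOAT_DIV.findall(html)]
    rows = zip_longest(*columns, fillvalue='')   # ragged columns are padded
    return [''.join(cells).strip() for cells in rows]

# Constructed watch list for the check; a real rule would carry a fuller one.
WATCH_WORDS = ('viagra', 'cialis', 'valium', 'xanax', 'levitra')

def hits(qp_html: bytes) -> list[str]:
    """Rows containing a watched word; the column-wise text-only view of the
    same message never contains any of them, which is why keyword rules miss."""
    return [row for row in reassemble_columns(qp_html)
            if any(word in row.lower() for word in WATCH_WORDS)]
```

Run against SAMPLE_QP the rows come out as Ambien, VIAGRA$3.33, Propecia, Xanax, Levitra, CIALIS$1.21, VALIUM$3.75, Meridia, Celebrex and Ultram, so a rule matching on the reassembled rows sees the words the subject lines hint at.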

2 Comments:

Blogger Alan Levin said...

Okay, I just worked it out. Actually by accident.. I replied to such a spam sent to a list, and the list-based SpamAssassin told me:

550--
550-If you believe this message was classified as spam in error,
550-please open a Support Request at the URL below.
550-(Please include this message in any Support Request).
550--
550--
550-Spam Filtering performed by sourceforge.net.
550-See http://spamassassin.org/tag/ for more details.
550-Report problems to http://sf.net/tracker/?func=add&group_id=1&atid=200001
550-0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
550-[URIs: limelad.com]
550-2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL
550-blocklist
550-[URIs: limelad.com]
550-2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL
550-blocklist
550-[URIs: limelad.com]
550-3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
550-blocklist
550 [URIs: limelad.com]

So it's the link that did it! Filter based on the link URL.

11:42 am  
Blogger Alan Levin said...

Actually the link is not common; they are constantly changing the links too. Sorry, we haven't yet solved this... I still receive the spam (with server-side regularly updated SpamAssassin rules, greylisting and junk enabled on Apple Mail).

12:20 am  
