[SURBL-Discuss] RFC: Adding SpamBouncer phishing data to ph.surbl.org

Steven Champeon schampeo at hesketh.com
Tue Aug 2 19:58:16 CEST 2005


on Tue, Aug 02, 2005 at 12:13:41AM -0700, Steve Sobol wrote:
> Jeff Chan wrote:
> >Catherine Hampton of SpamBouncer (welcome to the SURBL Discuss
> >list Catherine!) is kindly making available her carefully checked
> >phishing domains and IPs for our inclusion in the SURBL phishing
> >list.  They're not currently added to ph.surbl.org, but the hooks
> >are in place to make it live after some discussion here.
> 
> Outstanding. I get a ton of phishes. The SURBL checks I already use 
> (primarily the SpamCop and Spamhaus SBL/XBL checks IIRC) catch most of the 
> other crap I get.
> 
> The other thing I'd love to figure out is how to reliably tag all the 419 
> scams I tend to receive.

Oh, 419/aff stuff is easy. It's all so consistent. It's one of the only
content-oriented procmail rules I use:

# 419 -- the B flag matches against the message body
:0 B
* (I am|My name is) ((D|M)(R|r)s?\.|the manager|barrister|Engr|Tony|Emmanuel|Prince)
{ SPAM419=yes }

:0 B
* You may be surprised to receive this letter from me
{ SPAM419=yes }

:0 B
* (My name is SENATOR|Our present situation have made us to send you|With great pleasure I,|We are pleased to inform you|Congratulations to you as we|This is to inform you of the release|next-of-kin|next of kin|urgent response|urgent reply|compliments of the day)
{ SPAM419=yes }

# no B flag: this one matches the headers only
:0
* (LOTTERY PROMOTION|LOTTO|drew the lucky numbers|international winner)
{ SPAM419=yes }

Then later on:

# f = filter: pipe anything flagged above through formail, which adds the header
:0 f
* SPAM419 ?? yes
| formail -A"X-Confirmed-Spam: $MSG419"

Caught about 69 of 115 AFF/419 spams that made it through my filters; on
another box with a worse problem it caught 808 of 2220. So, not great,
but better than nothing. And to be fair, I have 419 scams from before
I added the procmail recipe, so I am not sure about the distribution
of the successes. I don't remember getting a 419 scam lately that wasn't
tagged, though.

Also, be sure you're checking for "helimore" patterns - one of the
ratware packages they use generates a random HELO a la:

(123|2mails|ab[0-9]+c|abc|adplist|afzhg|ameinfo|azhg|bol|caramail|cookbe|coolde|coolgoose|coolre|coxlde|csiitb|cta|di\-ve|dontbleftout|dontmissthis|emailwinnersclub|emarketmail|emzitd|emztd|eurosom|fastermail|fe[0-9]+son|fredrickanderson|fsmail|fubared|gawab|galmail|healthinsurance|helimore|hellrimore|heloimoex|heloimore|heythere|hotmail|imel|indxi|internationallotto|joininonit|juno|justice|laposte|latinmail|lawyer|lchost|libero|localhst|loclhst|lottery|lycos|madrid|madridspain|mail2world|mmail|mrson|msn|mxcson|netsape|netscae|netscpe|netscape|n2now|navar|nst2now|nut2now|ok|okey|okgy|okzy|omonmail|onemails|once|onmo|onmp|personal|phatomemail|qfgf|rdxx|rediffmail|rmk|sender|simbamail|sina|slickwebs|softice|somyingdd|spain|spinfinder|survey-pay|taylorsfamily|tellx|telstra|test|thaiservice|tiscali|tom|totalmail|twomails|visitmail|voila|vtomo|web\-mail|whipmail|winning|wwinf|yahoo|yehey|z6|zwallet)[0-9]+\.(biz|com)

A newer variant generates the HELO from the sender From: address, a la

# From: Income 4You <income4u at pc4me.us>
# HELO: pc4me893.com

The second-level domain part in the From: is prepended to a random numeric
and then .com; that's a very reliable test as well. (Though not limited to
419/AFF scams - I've seen other spammers use it, too).

I use a geographic cross-reference (IP netblock to ISO country code) and
check the Received: and X-Originating-IP: headers for the injection point
and refuse if the point of origin is one of:

(africa|AR|BF|BG|BJ|BW|CI|CY|DK|ES|GH|IL|KE|KR|LB|LV|ML|MR|MY|NG|NL|RW|SN|TG|ZA|ZW)

...where 'africa' refers to a few blocks registered to US firms that
proxy mail out of Africa (africaonline.com, IIRC).

Finally, I simply block a whole slew of hosts (mostly European freemail
providers) whose headers don't include the injection point. 340 of them
at last count. And 296 "legit" hosts are marked as "419 sources", so I
quarantine any mail from them. 63 of those are hotmail.com hosts...

Oh, and I'm testing a rule that will refuse mail from hotmail.com hosts
that think the point of injection was a hotmail IP (brokenness that an
inside source has confirmed is broken but won't be fixed any time soon).
IIRC, all of this mail comes in via some NAT interface or something, but
I'm light on details. 

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
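An added example, not from the post above or from SpamBouncer, of the two HELO checks Steven describes (the fixed ratware stem list and the newer "From: second-level label + random digits + .com" variant) written as a small Python classifier instead of procmail. The names classify_helo, sender_label and RATWARE_STEMS are mine; the stem list is a short subset of the post's pattern; the HELO name is assumed to be handed in by the MTA (e.g. from its log or Received: header), and the From: domain is assumed to have two labels, as in the post's pc4me.us case.

```python
import re
from email.utils import parseaddr

# Short subset of the fixed HELO stems from the post's ratware pattern;
# the trailing "[0-9]+\.(biz|com)" is the same as in the post.
RATWARE_STEMS = ("hotmail", "yahoo", "msn", "netscape", "helimore", "lottery", "juno")
RATWARE_HELO = re.compile(
    r"^(%s)[0-9]+\.(biz|com)$" % "|".join(map(re.escape, RATWARE_STEMS)),
    re.IGNORECASE,
)


def sender_label(from_header):
    """Second-level label of the From: address domain, or None.

    Assumes a two-label domain such as pc4me.us (the post's example);
    multi-label public suffixes like co.uk are not handled here."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    labels = addr.rsplit("@", 1)[1].lower().split(".")
    if len(labels) < 2 or not labels[-2]:
        return None
    return labels[-2]


def classify_helo(from_header, helo):
    """Return why a HELO name looks ratware-generated, or None if it doesn't.

    'sender-derived': HELO is <From: second-level label><digits>.com
    'ratware-list'  : HELO is <known stem><digits>.biz or .com
    """
    helo = helo.strip().lower()
    label = sender_label(from_header)
    if label and re.fullmatch(re.escape(label) + r"[0-9]+\.com", helo):
        return "sender-derived"
    if RATWARE_HELO.match(helo):
        return "ratware-list"
    return None


if __name__ == "__main__":
    # Constructed sample using the From:/HELO pair quoted in the post.
    print(classify_helo("Income 4You <income4u@pc4me.us>", "pc4me893.com"))
```

A legitimate host that HELOs with its real name (pc4me.us, mail.example.org) gets None, because both tests require the random digit run the ratware appends.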

