Hi
I have been bugged a lot by embedded image spams recently. Although some
of these spams got trapped due to URI checks, some managed to pass as well,
as the URL wasn't yet blocked in the SURBLs.
I probably found something that I wanted to share with you guys and try and
see if we can trap those spams further on the basis of that. I have
classified those embedded image spams into two classes: Class 1, an image
of a full list of Viagra and other meds, and Class 2, an image of one-liner
information on cheap software or Viagra. I was thinking that if possibly
we can understand a common pattern and try and make a ruleset on top of
that, so that we don't have to wait for updates at URIBL, then it would be
really something good. These image-only spams apparently have a problem
that we can trap on :). The loophole is that in most of the cases the message
ID of the mail and the content ID or CID of the embedded image are
exactly the same.
For example:
Message-ID: <1066724820.2422(a)boschkitchencentre.com>
Content-ID: <1066724820.2422(a)boschkitchencentre.com>
Some variations also had something like this:
Message-ID: <1064962549.5961(a)cal.cybersurf.net>
Content-ID: <sivjxu_onzvh_dzdohvo>
But that's applicable to Class 1 of the spams; Class 2, which are
just images containing one-liners, has some variations. In some cases the
content ID is smartly tampered with, but again there is a loophole, and here is
an example of that:
Message-ID: <525F074E3524$72BF31B3$02605c3b(a)comcast.net>
Content-ID: <e102605c3b(a)comcast.net>
The message ID and the content ID both contain the domain name of the
sending server. And a valid mail that had an embedded image in it but was
sent from Outlook had details something like this:
From Outlook:
Message-ID: <002101c55c2f$b3f540a0$bdc809c0@cg>
Content-ID: <image001.jpg(a)01C55C5D.CB204210>
Frankly I haven't seen how the content ID appears when images are embedded
using other valid email clients like Netscape or Thunderbird. But if we
compare the above set of patterns, what appears is that if an image is
embedded using a client like Outlook then "@" appears in the content ID
of the attachment, but the part after the @ is not the domain name, but
has the name of the attachment itself, and the message ID is different
from the content ID, whereas in the case of the spammers the content IDs that
appear are either exactly the same as that of the message ID, or don't have
a @, or have the domain name of the server as the part after the @ in the
content ID.
So my question is: can we have rulesets in SpamAssassin that can compare
the sending host domain with the part after the @ of the content ID, or look
for @ in the content ID?
Any suggestions? Comments?
--
Regards,
Rakesh B. Pal
Project Leader
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.
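Added example (not from the post and not SpamAssassin's own code): a Python check that applies the three Content-ID patterns described above to the image parts of a message, so the result can be fed into a score. The sample message and the example.com/example.org domains are constructed for the demonstration.

```python
import email
from email.utils import parseaddr

# Constructed sample message (not from the post): an image-only mail whose
# Content-ID mirrors its Message-ID, the "Class 1" pattern described above.
SPAM_SAMPLE = b"""\
From: promo@example.com
Message-ID: <1066724820.2422@example.com>
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: image/gif
Content-ID: <1066724820.2422@example.com>

GIF89a
--b1--
"""

def _domain(identifier):
    """Part after the last '@', lower-cased; '' when the identifier has no '@'."""
    return identifier.rpartition("@")[2].lower() if "@" in identifier else ""

def classify_cid(msgid, sender_domain, cid):
    """Name the pattern from the post that a Content-ID matches, or None if it looks ordinary."""
    msgid, cid = (msgid or "").strip("<> "), (cid or "").strip("<> ")
    if not cid:
        return None
    if cid == msgid:
        return "cid_equals_msgid"
    if "@" not in cid:
        return "cid_has_no_at"
    cid_domain = _domain(cid)
    if cid_domain and cid_domain in {_domain(msgid), sender_domain.lower()}:
        return "cid_domain_is_sender_domain"
    return None  # e.g. Outlook's <image001.jpg@01C55C5D.CB204210>

def suspicious_image_cids(raw):
    """Walk a raw RFC 822 message; return [(content_id, reason)] for flagged image parts."""
    msg = email.message_from_bytes(raw)
    msgid = msg.get("Message-ID", "")
    sender_domain = _domain(parseaddr(msg.get("From", ""))[1])
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            cid = part.get("Content-ID", "")
            reason = classify_cid(msgid, sender_domain, cid)
            if reason:
                hits.append((cid.strip("<> "), reason))
    return hits
```

The post only covers Outlook among legitimate clients, so a hit is best treated as one scoring signal alongside URIBL/SURBL results rather than a reason to reject on its own.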
>...
>Give this a try:
>
>> http://openrbl.org/
>
>
>It worked for me this morning.
>
>Dan Zachary
>
>
>>(BTW my favorite rbl checker openrbl.org seems gone. :-( )
>>...
Worked last night, but not now. The domain is in good standing,
as is the "feeder" domain orbl.net. But the DNS records show a change as
of yesterday (serial number date encoding method vs. the seconds since epoch
that SURBL uses), and the 'A' record is gone. Most of the listed name
servers seem down also.
They always had a problem with timeouts, but I used them a lot too.
Current DNS appended (note the use of an unlisted name server to get anything).
Paul Shupak
track(a)plectere.com
--------------------------------------------------------------------------------
% dig openrbl.org any @y.orbl.net
; <<>> DiG 9.3.0 <<>> openrbl.org any @y.orbl.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60077
;; flags: qr aa rd; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;openrbl.org. IN ANY
;; ANSWER SECTION:
openrbl.org. 43200 IN NS a.orbl.net.
openrbl.org. 43200 IN NS b.orbl.net.
openrbl.org. 43200 IN NS c.orbl.net.
openrbl.org. 43200 IN NS d.orbl.net.
openrbl.org. 43200 IN NS e.orbl.net.
openrbl.org. 43200 IN NS f.orbl.net.
openrbl.org. 43200 IN NS g.orbl.net.
openrbl.org. 43200 IN NS h.orbl.net.
openrbl.org. 43200 IN NS i.orbl.net.
openrbl.org. 43200 IN NS j.orbl.net.
openrbl.org. 2700 IN MX 999 relay.serv.ch.
openrbl.org. 3600 IN SOA g.orbl.net. openrbl.org. 2005052422 2400 600 2419200 300
;; Query time: 190 msec
;; SERVER: 80.190.246.92#53(y.orbl.net)
;; WHEN: Wed May 25 13:41:00 2005
;; MSG SIZE rcvd: 262
As a job recruiter, I am intimately familiar with posting a job and then
getting hammered with SPAM from companies and recruiting firms.
In the past 5 minutes, I've gotten two. One from BobAJobs-munged.com and
one from http://ad1.geowebsv48a-munged.com/recruiting_service.html.
How would these types of spam be viewed for addition to SURBL?
Regards,
KAM
> -----Original Message-----
> From: Kevin A. McGrail [mailto:kmcgrail@pccc.com]
> Sent: Tuesday, May 24, 2005 2:55 PM
> To: discuss(a)lists.surbl.org
> Cc: daniel.swartz(a)thoughtworthy.com
> Subject: [SURBL-Discuss] Job Recruiter SPAMmers
>
>
> As a job recruiter, I am intimately familiar with posting a
> job and then
> getting hammered with SPAM from companies and recruiting firms.
>
> In the past 5 minutes, I've gotten two. One from
> BobAJobs-munged.com and
> one from http://ad1.geowebsv48a-munged.com/recruiting_service.html.
>
> How would these types of spam be viewed for addition to SURBL?
>
> Regards,
> KAM
I add them to black.uribl.com. I can't stand these guys. The whole
ihirexxxxxxxxx.com have already been added.
--Chris
> Message: 4
> Date: Mon, 23 May 2005 05:17:31 +0200 (CEST)
> From: Raymond Dijkxhoorn <raymond(a)surbl.org>
> Subject: Re[2]: [SURBL-Discuss] whitelist: accuradio.com
> To: SURBL Discussion list <discuss(a)lists.surbl.org>
> Hi bob,
>>>> Reviewing this week's emails looking for candidates for my SA
>>>> whitelist.cf, I saw that an email from accuradio.com, with a URI to
>>>> www.accuradio.com, had hit URIBL_OB_SURBL. ...
>>
>>>> Submitting the whitelist now.
>>
> Care to share? Perhaps more listed than that we should look into?
> Bye,
> Raymond.
Sure:
# Domains I personally guarantee do not send spam:
menschel.net
robert.menschel.name
choctaw-crafts.org
xeper.org
xeper.net
templeofset.org
setian.org
balanone.info
contractorswarehouse.com
cwbo.com
cwikship.com
# Trusted domains
jeld-wen.com
pythagoras.org
trapezoid.org
# domain that looks like it might be spammy, but a user has intentionally flagged email as NOT being spam.
freelanceworkexchange.com
# Added May 22 2005
AccuRadio.com
Bob Menschel
Just a quick note:
Reviewing this week's emails looking for candidates for my SA
whitelist.cf, I saw that an email from accuradio.com, with a URI to
www.accuradio.com, had hit URIBL_OB_SURBL.
I just did a SURBL check, and it's not there now, so I'm guessing it
was a temporary fluke. However, since in three years I've received
emails from accuradio only to the specific email address I supplied
them, not to any other, and have not received any emails from anyone
else to that address, I believe this domain is worth whitelisting to
avoid future similar events.
Submitting the whitelist now.
Bob Menschel
>...
>
>What about the WDRP spam apparently from them? Is that possibly
>legitimate looking?
>
>From: "WDRP Compliance" <wdrp(a)name-services.com>
>To: Domains(a)Menschel.net
>
>thetrueslf.com May 25, 2004
> View Contact Data: <http://wdrp.name-services.com/whois.asp?key=FC4464C8F2A>
>
>etc.
>
>Jeff C.
>
>
I thought I had made clear my beliefs about the "competence" of
eNom's procedures and personnel:-)
Anyway, this is clearly not spam, but a misdirected - yet valid
communication for domain registration data checking. Clearly sent to
the wrong person, but it isn't selling anything - it doesn't even link
to any other page except ICANN's rules about data verification. It is
downright well behaved - no links to their own services, no pleas to
extend the registration period - one of the best I've seen of all that
I've gotten from any registrar I've used. Just in typical fashion, they
sent it to the wrong place:-) Do note that it is also typical eNom in
that it functions by a "negative" option - do nothing and they say they
will assume all the data is good; I suspect that this is *not* acceptable
to ICANN (since if the contact data were false, the notice would likely
be ignored and hence no checking actually performed) - but it fits perfectly
the eNom model of let the customer be responsible for reporting and fixing
all errors.
Most people I've played golf with "cheat" - some knowingly, some
accidentally - I long ago got used to people telling me that I should be
adding penalties to my own score for "mistakes". This is sort of like
the French justice system in reverse (instead of the police having to
prove a defendant is innocent - let the defendant be responsible to show
that he is guilty).
Anyway, just go to the link - No "spam" - innocent, but incompetent.
Paul Shupak
track(a)plectere.com
P.S. Now somebody should check if the data is actually valid for that domain;
It appears that at least there is a technical violation in that the listed fax
line goes unanswered during business hours! I'd even guess that Donovan
Rittenbach doesn't even live there or have that telephone number anymore.
He has at least two other domains at the same address and telephone number.
The telephone number is unlisted (not normal for a business).
> Message: 2
> Date: Mon, 23 May 2005 09:01:36 -0700 (PDT)
> From: List Mail User <track(a)Plectere.com>
> Subject: name-services.com (was: Re: [SURBL-Discuss] whitelist: accuradio.com)
> To: discuss(a)lists.surbl.org
> Cc: jeffc(a)surbl.com, track(a)Plectere.com
> Message-ID: <200505231601.j4NG1aYt025267(a)Plectere.com>
> I've been watching this discussion without speaking up for
> a couple of days now. The domain name-services is very popular with
> spammers (they seem to be lax in throwing them off), but it has *at
> least* 20x as many legitimate customers as "bad guys"; That said, I
> do always double-check when I see it turn up in a domain I'm already
> looking at - It is a good sign if you already have another reason for
> checking a domain, but they themselves are mostly extremely clean. The
> big problem is the domain is operated by eNom for others, and we all
> probably are aware of the standard eNom procedure for complaints (i.e.
> forward it to the spammer and ask him to "fix" it) - this makes them
> look disproportionately bad.
> The domain name-services.com itself doesn't belong on any SURBLs
> (though it does exist within lots of Spamhaus and SPEWS records) or even
> on URIBL's greylist (though maybe SPEWS should L2 them and eNom itself).
> They have far, far too many legitimate customers.
> Just my opinion/experience.
But convincing to me. I've uploaded an update to my blacklist file,
with this domain removed.
Jeff -- by the same reasoning, it should be whitelisted?
Bob Menschel
>...
>
>Hello Jeff,
>
>(sent one copy without attachment, and from not-listed address; that
>copy can be deleted without forwarding to list. sorry)
>
>Monday, May 23, 2005, 3:00:09 AM, you wrote:
>
>JC> Message: 7
>JC> Date: Mon, 23 May 2005 00:57:48 -0700
>JC> From: Jeff Chan <jeffc(a)surbl.org>
>JC> Subject: Re: [SURBL-Discuss] whitelist: accuradio.com
>JC> To: Joseph Burford <josephb(a)gmail.com>
>JC> Cc: SURBL Discussion list <discuss(a)lists.surbl.org>
>JC> Message-ID: <127069243.20050523005748(a)surbl.org>
>JC> Content-Type: text/plain; charset=us-ascii
>
>JC> On Sunday, May 22, 2005, 11:39:05 PM, Joseph Burford wrote:
>>>> Since you say they're whitehats, I'll go ahead and whitelist them in
>>>> SURBLs. Of minor interest one of their nameservers is on SORBS:
>>>>
>>>> 212.118.243.118 dns5.name-services.com
>>>>
>>>> http://www.sorbs.net/lookup.shtml?212.118.243.118
>
>>> name-services.com is used by Register.com / Namebargain.com for their
>>> customer DNS services.
>
>>> Regards,
Hi,
I've been watching this discussion without speaking up for
a couple of days now. The domain name-services is very popular with
spammers (they seem to be lax in throwing them off), but it has *at
least* 20x as many legitimate customers as "bad guys"; That said, I
do always double-check when I see it turn up in a domain I'm already
looking at - It is a good sign if you already have another reason for
checking a domain, but they themselves are mostly extremely clean. The
big problem is the domain is operated by eNom for others, and we all
probably are aware of the standard eNom procedure for complaints (i.e.
forward it to the spammer and ask him to "fix" it) - this makes them
look disproportionately bad.
The domain name-services.com itself doesn't belong on any SURBLs
(though it does exist within lots of Spamhaus and SPEWS records) or even
on URIBL's greylist (though maybe SPEWS should L2 them and eNom itself).
They have far, far too many legitimate customers.
Just my opinion/experience.
Paul Shupak
track(a)plectere.com
Hello Jeff,
(sent one copy without attachment, and from not-listed address; that
copy can be deleted without forwarding to list. sorry)
Monday, May 23, 2005, 3:00:09 AM, you wrote:
JC> Message: 7
JC> Date: Mon, 23 May 2005 00:57:48 -0700
JC> From: Jeff Chan <jeffc(a)surbl.org>
JC> Subject: Re: [SURBL-Discuss] whitelist: accuradio.com
JC> To: Joseph Burford <josephb(a)gmail.com>
JC> Cc: SURBL Discussion list <discuss(a)lists.surbl.org>
JC> Message-ID: <127069243.20050523005748(a)surbl.org>
JC> Content-Type: text/plain; charset=us-ascii
JC> On Sunday, May 22, 2005, 11:39:05 PM, Joseph Burford wrote:
>>> Since you say they're whitehats, I'll go ahead and whitelist them in
>>> SURBLs. Of minor interest one of their nameservers is on SORBS:
>>>
>>> 212.118.243.118 dns5.name-services.com
>>>
>>> http://www.sorbs.net/lookup.shtml?212.118.243.118
>> name-services.com is used by Register.com / Namebargain.com for their
>> customer DNS services.
>> Regards,
>> Joseph
JC> Hmm, then it probably should not be blacklisted:
JC> black-rmenschel-200504:name-services.com
JC> Bob Menschel,
JC> Can you comment further on this listing of yours on sa-blacklist/
JC> ws.surbl.org?
Spam is attached.
I agree that as DNS, name-services.com shouldn't be blocked, nor as
received, since other viable emails come through them.
The only emails I've ever received /from/ name-services.com, and the
only emails I've ever received with URI links to name-services.com,
are like the attached. As far as I know, this is a scam.
I've never done any business with name-services.com, and never looked
at obtaining any of their services.
I don't remember the exact steps I used April 27 to review this, but
searching for their domain I found plenty of evidence of spam/scam,
and no evidence that these people also sent out ham.
If they themselves are a registry, and do send ham to domain
registrants that they haven't already scammed, then yes, I should
remove them from my blacklist file. If they are primarily DNS services
and do not send emails other than spam/scam, then they should remain.
Bob Menschel