On Tue, Aug 02, 2005 at 12:13:41AM -0700, Steve Sobol wrote:
Jeff Chan wrote:
Catherine Hampton of SpamBouncer (welcome to the SURBL Discuss list Catherine!) is kindly making available her carefully checked phishing domains and IPs for our inclusion in the SURBL phishing list. They're not currently added to ph.surbl.org, but the hooks are in place to make it live after some discussion here.
Outstanding. I get a ton of phishes. The SURBL checks I already use (primarily the SpamCop and Spamhaus SBL/XBL checks IIRC) catch most of the other crap I get.
The other thing I'd love to figure out is how to reliably tag all the 419 scams I tend to receive.
Oh, 419/aff stuff is easy. It's all so consistent. It's one of the only content-oriented procmail rules I use:
# 419
# (procmail regexes are case-insensitive unless the D flag is given)
:0 B
* (I am|My name is) ((D|M)(R|r)s?.|the manager|barrister|Engr|Tony|Emmanuel|Prince)
{ SPAM419=yes }

:0 B
* You may be surprised to receive this letter from me
{ SPAM419=yes }

:0 B
* (My name is SENATOR|Our present situation have made us to send you|With great pleasure I,|We are pleased to inform you|Congratulations to you as we|This is to inform you of the release|next-of-kin|next of kin|urgent response|urgent reply|compliments of the day)
{ SPAM419=yes }

# no B flag: this one matches on the headers only
:0
* (LOTTERY PROMOTION|LOTTO|drew the lucky numbers|international winner)
{ SPAM419=yes }
Then later on:
# filter recipe; the w flag makes procmail wait for formail and keep the
# original text if formail fails, so a filter error cannot empty the message
:0 fw
* SPAM419 ?? yes
| formail -A"X-Confirmed-Spam: $MSG419"
Caught about 69 of 115 AFF/419 spams that made it through my filters; on another box with a worse problem it caught 808 of 2220. So, not great, but better than nothing. And to be fair, I have 419 scams from before I added the procmail recipe, so I am not sure about the distribution of the successes. I don't remember getting a 419 scam lately that wasn't tagged, though.
Also, be sure you're checking for "helimore" patterns - one of the ratware packages they use generates a random HELO a la:
(123|2mails|ab[0-9]+c|abc|adplist|afzhg|ameinfo|azhg|bol|caramail|cookbe|coolde|coolgoose|coolre|coxlde|csiitb|cta|di-ve|dontbleftout|dontmissthis|emailwinnersclub|emarketmail|emzitd|emztd|eurosom|fastermail|fe[0-9]+son|fredrickanderson|fsmail|fubared|gawab|galmail|healthinsurance|helimore|hellrimore|heloimoex|heloimore|heythere|hotmail|imel|indxi|internationallotto|joininonit|juno|justice|laposte|latinmail|lawyer|lchost|libero|localhst|loclhst|lottery|lycos|madrid|madridspain|mail2world|mmail|mrson|msn|mxcson|netsape|netscae|netscpe|netscape|n2now|navar|nst2now|nut2now|ok|okey|okgy|okzy|omonmail|onemails|once|onmo|onmp|personal|phatomemail|qfgf|rdxx|rediffmail|rmk|sender|simbamail|sina|slickwebs|softice|somyingdd|spain|spinfinder|survey-pay|taylorsfamily|tellx|telstra|test|thaiservice|tiscali|tom|totalmail|twomails|visitmail|voila|vtomo|web-mail|whipmail|winning|wwinf|yahoo|yehey|z6|zwallet)[0-9]+.(biz|com)
A newer variant generates the HELO from the sender From: address, a la
# From: Income 4You <income4u@pc4me.us>
# HELO: pc4me893.com
The second-level domain part in the From: is prepended to a random numeric and then .com; that's a very reliable test as well. (Though not limited to 419/AFF scams - I've seen other spammers use it, too).
I use a geographic crossreference (IP netblock to ISO country code) and check the Received: and X-Originating-IP: headers for the injection point and refuse if the point of origin is one of:
(africa|AR|BF|BG|BJ|BW|CI|CY|DK|ES|GH|IL|KE|KR|LB|LV|ML|MR|MY|NG|NL|RW|SN|TG|ZA|ZW)
...where 'africa' refers to a few blocks registered to US firms that proxy mail out of Africa (africaonline.com, IIRC).
Finally, I simply block a whole slew of hosts (mostly European freemail providers) whose headers don't include the injection point. 340 of them at last count. And 296 "legit" hosts are marked as "419 sources", so I quarantine any mail from them. 63 of those are hotmail.com hosts...
Oh, and I'm testing a rule that will refuse mail from hotmail.com hosts that think the point of injection was a hotmail IP (brokenness that an inside source has confirmed is broken but won't be fixed any time soon). IIRC, all of this mail comes in via some NAT interface or something, but I'm light on details.
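Added example, not part of the thread above: a small Python reimplementation of the two checks the post describes, the procmail-style 419 content patterns and the two HELO heuristics (the "helimore" random-HELO list and the HELO built from the From: domain). The pattern and word lists are abridged from the post; the sample messages, sender names, domains and HELO strings are constructed for the demo, except the pc4me example which is quoted from the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Body phrases taken from the post's "B" recipes (abridged). procmail matches
# case-insensitively by default, so re.IGNORECASE is used to mirror that.
BODY_419 = re.compile(
    r"(I am|My name is) ((D|M)(R|r)s?\.|the manager|barrister|Engr|Prince)"
    r"|You may be surprised to receive this letter from me"
    r"|next[- ]of[- ]kin|urgent (response|reply)|compliments of the day",
    re.IGNORECASE,
)
# The lottery recipe in the post has no B flag, so it matches headers only.
HEADER_419 = re.compile(
    r"LOTTERY PROMOTION|LOTTO|drew the lucky numbers|international winner",
    re.IGNORECASE,
)

# Abridged version of the ratware HELO word list from the post:
# <word><digits>.(biz|com)
RATWARE_WORDS = ("helimore", "hellrimore", "heloimore", "hotmail", "yahoo",
                 "netscape", "lycos", "juno", "lottery", "winning")
RATWARE_HELO = re.compile(
    r"^(?:%s)[0-9]+\.(?:biz|com)$" % "|".join(map(re.escape, RATWARE_WORDS)),
    re.IGNORECASE,
)


def second_level_label(from_header):
    """Second-level label of the From: domain, e.g. 'pc4me' for income4u@pc4me.us."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else ""


def from_derived_helo(helo, from_header):
    """True when HELO is <second-level label of From:><digits>.com (pc4me893.com)."""
    label = second_level_label(from_header)
    if not label:
        return False
    return re.fullmatch(re.escape(label) + r"[0-9]+\.com", helo.lower()) is not None


def classify(raw_message, helo):
    """Return the reasons a message looks like 419/AFF; an empty list means clean."""
    msg = message_from_string(raw_message)
    headers = "\n".join("%s: %s" % (k, v) for k, v in msg.items())
    body = msg.get_payload()  # samples are single-part plain text
    reasons = []
    if BODY_419.search(body) or HEADER_419.search(headers):
        reasons.append("419 content pattern")
    if RATWARE_HELO.match(helo):
        reasons.append("ratware random HELO")
    if from_derived_helo(helo, msg.get("From", "")):
        reasons.append("HELO derived from From: domain")
    return reasons


# Constructed sample messages (headers, blank line, body).
SAMPLE_419 = """From: Barrister Example <barrister@example.test>
Subject: URGENT RESPONSE NEEDED

My name is Barrister Example. Please reply as next of kin of my late client.
"""

SAMPLE_FROM_HELO = """From: Income 4You <income4u@pc4me.us>
Subject: Special offer

Great offer inside, act now.
"""

SAMPLE_CLEAN = """From: Alice <alice@example.org>
Subject: Lunch

Lunch tomorrow?
"""

if __name__ == "__main__":
    for name, raw, helo in (("419", SAMPLE_419, "helimore4821.com"),
                            ("from-helo", SAMPLE_FROM_HELO, "pc4me893.com"),
                            ("clean", SAMPLE_CLEAN, "mail.example.org")):
        print(name, classify(raw, helo))
```

As in the post, the HELO checks are independent of the content patterns, so a message like the pc4me sample is flagged on its HELO alone even though its body matches nothing; in a real setup the HELO string would come from the MTA's Received: header rather than a parameter.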