On Wed, Aug 11, 2004 at 09:01:58AM -0400, Rob McEwen wrote:
I keep getting this "pesky" pron spam which gets past all my filters (my regex-based linguistic filter, my spamhaus.org RBL filter, and my SURBL filter).
I think that these are getting blocked the next day, but this particular spammer is very aggressive and keeps sending new stuff so I keep getting the new stuff before it gets a chance to get blocked.
I have noticed some patterns in the e-mails. For example, they all have three images stacked vertically. Therefore, I think that I should be able to catch these with the right formulation of rules within my linguistic filter.
You can find the raw contents of my most recent two of these as follows:
1) don't accept mail from hosts with generic rDNS/HELO (e.g. CM-lconC3-160-147.cm.vtr.net) - that'll knock out 70% right away
2) this spamware follows a fairly predictable but randomized pattern:
Received: from %DOMAIN (%REALMXHOSTNAME [%REAL_IP_OF_MXHOST])
    by %HELO_OR_RDNS_OF_SENDING_HOST (Postfix) with ESMTP id %RANDOM
    for <$target>; %DATE
Message-ID: <%OUTLOOK_EXPRESS_MSG_ID@%DOMAIN>
From: "%WORD %LETTER. %WORD2" <%WORD3@%DOMAIN>
To: $target
Subject: %RANDOM_SUBJECT_CHOSEN_FROM_LIST
Date: %DATE
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="%OUTLOOK_EXPRESS_BOUNDARY"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
%RANDOM_ANTIVIRUS_HEADER
I'm having some success with some custom sendmail rulesets that use the various unix dictionaries to check %WORD, %WORD2, and %WORD3. In the past, I've had some luck blocking on forged Received: headers, on From:s that match the pattern in messages sent from hosts with no rDNS, etc. (which only works for me because I block known generic rDNS).
These bastards have been joe'ing three or four of my domains for several months now, so I have a vested interest in seeing them die.
The other way to quarantine this particular spammer is to generate a domain list from this perl script and filter any reference to any of the domains found in it:
#!/usr/bin/perl
use strict;
use warnings;

# Word fragments seen in this spammer's domains; every two-fragment
# concatenation under .org is a candidate domain (including a fragment
# paired with itself).
my @bits = ("akiana","benoka","bertikas","biscama","bortsimis","enofakel",
            "enomy","fagony","fenium","fikals","frakles","inacalo","indakitos",
            "karantinas","katanataro","kitaros","manics","mipatarios","neynano",
            "nimphos","ownaros","pazda","pikas","pitovshe","poises","polishe",
            "porchma","potkasi","pritkeras","sayara","simptomps","sofikals",
            "sopinas","tronits","valdisimus","xesros");

foreach my $front (sort @bits) {
    foreach my $back (sort @bits) {
        print "$front$back.org\n";
    }
}
I'm pretty sure this is current. Additions welcome.
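A filter-side check that ties the two ideas in the reply together (the header template and the generated domain list), as an added example in Python that is not from this thread. The regexes and the generic-rDNS heuristic are my own assumptions about how to render the template, and the sample headers are constructed, not a captured message.

```python
import re
from itertools import product

# Fragment list copied from the Perl script above; the spammer's domains are
# every two-fragment concatenation under .org.
BITS = ["akiana", "benoka", "bertikas", "biscama", "bortsimis", "enofakel",
        "enomy", "fagony", "fenium", "fikals", "frakles", "inacalo", "indakitos",
        "karantinas", "katanataro", "kitaros", "manics", "mipatarios", "neynano",
        "nimphos", "ownaros", "pazda", "pikas", "pitovshe", "poises", "polishe",
        "porchma", "potkasi", "pritkeras", "sayara", "simptomps", "sofikals",
        "sopinas", "tronits", "valdisimus", "xesros"]
SPAM_DOMAINS = {f"{a}{b}.org" for a, b in product(BITS, repeat=2)}

# Assumed regexes for the template in the reply: From: "%WORD %LETTER. %WORD2",
# Message-ID at %DOMAIN, and the forged Received: "from %DOMAIN ... by %HELO".
FROM_RE = re.compile(r'^From:\s*"[A-Za-z]+ [A-Z]\. [A-Za-z]+"\s*<[^@\s>]+@([\w.-]+)>', re.M)
MSGID_RE = re.compile(r"^Message-ID:\s*<[^@>]+@([\w.-]+)>", re.M)
RECEIVED_RE = re.compile(r"^Received: from (\S+).*?\bby (\S+)", re.M | re.S)
X_MAILER = "X-Mailer: Microsoft Outlook Express 6.00.2800.1409"

def is_generic_rdns(hostname: str) -> bool:
    """Heuristic (assumption): two or more digit runs in the first label,
    as in CM-lconC3-160-147.cm.vtr.net from the reply."""
    return len(re.findall(r"\d+", hostname.split(".")[0])) >= 2

def spam_indicators(raw_headers: str) -> list[str]:
    """Return which of the indicators described in the reply the headers match."""
    hits = []
    m = FROM_RE.search(raw_headers)
    if m:
        hits.append("from-name-pattern")
        if m.group(1).lower() in SPAM_DOMAINS:
            hits.append("from-domain-in-list")
    m = MSGID_RE.search(raw_headers)
    if m and m.group(1).lower() in SPAM_DOMAINS:
        hits.append("msgid-domain-in-list")
    for frm, by in RECEIVED_RE.findall(raw_headers):
        if frm.lower() in SPAM_DOMAINS:
            hits.append("received-from-domain-in-list")
        if is_generic_rdns(by):
            hits.append("generic-rdns-relay")
    if X_MAILER in raw_headers:
        hits.append("outlook-express-fingerprint")
    return hits

# Constructed sample shaped like the template (documentation IP, not a real mail).
SAMPLE = """Received: from pikasenomy.org (mx.example.net [192.0.2.10])
\tby CM-lconC3-160-147.cm.vtr.net (Postfix) with ESMTP id 7F3A1
\tfor <victim@example.net>; Wed, 11 Aug 2004 09:01:58 -0400
Message-ID: <000a01c47fa0$1b2c3d4e$0100a8c0@pikasenomy.org>
From: "Kathleen R. Mendoza" <tronits@pikasenomy.org>
To: victim@example.net
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
"""
```

Any single indicator is weak on its own (plenty of legitimate mail carries that X-Mailer string), so score the hits rather than reject on one.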