Yeah this is a definite candidate for SURBL. This is the Huntsville-consulting spam gang: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL20528
353+ domains directly linked. This is going to be the next trend. The final destination of this pron spam was throatstuffers . com, but it used a throwaway domain of marlacell . com as a forwarder. Not directly either. That domain simply hosted a mirrored page of throatstuffers . com.
We are seeing an increase in throwaway domains being used to reroute to other domains that will NEVER show up directly in a spam. All in attempts to get past SURBL. No biggy, the more people that submit and manage SURBL the faster they get added.
However there has been discussion on blocking the final destinations via web proxies and host files. I think we will begin to see an increase in companies blocking these IPs or domains at the firewall or proxy server.
It's actually helping some antispammers. We are able to tie more spammers together thru looking at who is trying to get past SURBL thru throwaway domains. Some of the small guys are only rogues of the bigger ones. We got people watching spammers six ways from Sunday. Funny how much they don't realise we know ;)
--Chris
-----Original Message-----
From: Smart,Dan [mailto:SmartD@VMCMAIL.com]
Sent: Wednesday, December 01, 2004 4:57 PM
To: spamassassin-users@incubator.apache.org
Subject: RE: Image Composition Analysis
Attached is the spam that got through. I changed the porn URL to not offend. It's a little mangled as it was forwarded by the user via Outlook, and tags got mangled by my Sanitizer.
I capture the headers of all files, and here is what they look like. The bayes = 0 is what got this through.
<<Dan>>
========================================
From filter Wed Nov 3 01:29:14 2004
Return-Path: Bebeskbs@kmanus.com
Received: from great.amberalist.com (great.amberalist.com [209.200.9.222])
    by dalton.vul.com (Vulcan E-mail Relay) with SMTP id 56BD89BB2C
    for xxxxxxx@vmcmail.com; Wed, 3 Nov 2004 01:29:14 -0600 (CST)
Received: from mail pickup service by kmanus.com with Microsoft SMTPSVC;
    Wed, 3 Nov 2004 14:17:54 -0800
Received: from 194.3.74.35 by by7fd.bay7.kmanus.com with HTTP;
    Wed, 3 Nov 2004 14:17:54 GMT
X-Originating-IP: [194.3.74.35]
X-Originating-Email: [Bebeskbs@kmanus.com]
X-Sender: Bebeskbs@kmanus.com
From: Bebe Bebeskbs@kmanus.com
To: XXXXX XXXXXXX@vmcmail.com
Subject: re: our appreciation
Date: 3 Nov 2004 14:17:54 -0500
Mime-Version: 1.0
Content-type: text/html
Message-ID: SR0-81197F1166274AB5A8701DBB47173D6E@kmanus.com
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on dalton.vul.com
X-Spam-DCC: : dalton 1182; Body=1 Fuz1=1 Fuz2=1
X-Spam-AWL: Auto_Whitelist=
X-Spam-Status: No, hits=1.7 required=6.5 tests=BAYES_00,CP_RANDOMWORD_10,
    HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,OB_URI_RBL,
    RCVD_IN_SBL,SARE_HTML_FSIZE_1ALL,WS_URI_RBL autolearn=no version=2.64
X-Spam-Level: *
Status: RO
X-Status:
X-Keywords:
X-UID: 1219
======================================
<<Dan>>
-----Original Message-----
From: John Andersen [mailto:jsa@pen.homeip.net]
Sent: Wednesday, December 01, 2004 2:45 AM
To: spamassassin-users@incubator.apache.org
Subject: Re: Image Composition Analysis
On Tuesday 30 November 2004 01:27 pm, Smart,Dan wrote:
> Catching image only E-mail with pornographic images is really difficult.
> My users are offended when they get one, and wonder how I could not
> catch it. Explaining that the document was text, filled with bayes
> poison, and the one porn image with no porn words in the document
> doesn't seem to have much of an impression on them.
Open the image with a text editor and challenge them to determine if it is spam or not.
Really, people this dumb should not be turned loose on the internet.
-- _____________________________________ John Andersen