on Wed, Aug 11, 2004 at 09:01:58AM -0400, Rob McEwen wrote:

I keep getting this "pesky" pron spam which gets past my all my filters (my regex-based linguestic filter, my spamhaus.org RBL filter, and my SURBL filter).

I think that these are getting blocked the next day, but this particular spammer is very aggressive and keeps sending new stuff so I keep getting the new stuff before it gets a chance to get blocked.

I have noticed some patterns in the e-mails. For example, they all have three images stacked vertically. Therefore, I think that I should be able to catch these with the right formulation of rules within my linguistic filter.

You can find the raw contents of my most recent two of these as follows:

http://www.pvsys.com/pn01.txt

http://www.pvsys.com/pn02.txt

1) don't accept mail from hosts with generic rDNS /HELO (e.g. CM-lconC3-160-147.cm.vtr.net) - that'll knock out 70% right away

2) this spamware follows a fairly predictable but randomized pattern:

Received: from %DOMAIN (%REALMXHOSTNAME [%REAL_IP_OF_MXHOST]) by %HELO_OR_RDNS_OF_SENDING_HOST (Postfix) with ESMTP id %RANDOM for <$target>; %DATE Message-ID: <%OUTLOOK_EXPRESS_MSG_ID@%DOMAIN> From: "%WORD %LETTER. %WORD2" <%WORD3@%DOMAIN> To: $target Subject: %RANDOM_SUBJECT_CHOSEN_FROM_LIST Date: %DATE MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="%OUTLOOK_EXPRESS_BOUNDARY" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1409 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 %RANDOM_ANTIVIRUS_HEADER

I'm having some success with some custom sendmail rulesets that use the various unix dictionaries to check %WORD, %WORD2, AND %WORD3. In the past, I've had some luck blocking on forged Received: headers, on From:s that match the pattern in messages sent from hosts with no rDNS, etc. (which only works for me because I block known generic rDNS).

These bastards have been joe'ing three or four of my domains for several months now, so I have a vested interest in seeing them die.

The other way to quarantine this particular spammer is to generate a domain list from this perl script and filter any reference to any of the domains found in it:

#!/usr/bin/perl

my @bits = ("akiana","benoka","bertikas","biscama","bortsimis","enofakel","enomy","fagony","fenium","fikals","frakles","inacalo","indakitos","karantinas","katanataro","kitaros","manics","mipatarios","neynano","nimphos","ownaros","pazda","pikas","pitovshe","poises","polishe","porchma","potkasi","pritkeras","sayara","simptomps","sofikals","sopinas","tronits","valdisimus","xesros"); foreach $front (sort @bits) { foreach $back (sort @bits) { print "$front$back.org\n"; } }

I'm pretty sure this is current. Additions welcome.

Stephen:

The following rule would have caught both of my sample spam messages. Would these catch the other spams you've seen from this spammer... or has he varied this up in other e-mails to prevent this rule (alone) from catching him:

(case sensitive) %LETTER</STRONG></BIG>,<STRONG><BIG>%LETTER</BIG></STRONG>]></FONT>

1) %LETTER = a random letter 2) everything else is literal

Also, I found that that domain script generated 1,300+ domains. I've decided that the added resources of checking each message for this many domains is not worth it based on how many will actually be caught. However, I might integrate this domain list "*namefromlist*.org" as a factor in a compound rule.

Rob McEwen

you find domains in the body (every one I've seen has had only the one) and then check against the list.

Good point.

But I'm using a filter that someone else programmed. They did include a tremendous amount of flexibility via XML config files. However, I don't have direct access to the list of extracted domains and I'm can't do everything as I don't have the source code. Also, I think that much of the filtering rules proceed even if a rule had already caught something... (But I'll have to look into this to be sure). Thanks for the suggestion anyway.

Rob McEwen PowerView Systems rob@PowerViewSystems.com (478) 475-9032