Yeah this is a definite candidate for SURBL. This is the Huntsville-consulting spam gang: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL20528
353+ domains directly linked. This is going to be the next trend. The final destination of this porn spam was throatstuffers . com, but it used a throw away domain of marlacell . com as a forwarder. Not directly either. That domain simply hosted a mirrored page of throatstuffers . com.
We are seeing an increase in throw away domains being used to reroute to other domains that will NEVER show up directly in a spam. All in attempts to get past SURBL. No biggy, the more people that submit and manage SURBL the faster they get added.
However there has been discussion on blocking the final destinations via web proxies and host files. I think we will begin to see an increase in companies blocking these IPs or domains at the firewall or proxy server.
It's actually helping some antispammers. We are able to tie more spammers together thru looking at who is trying to get past SURBL thru throw away domains. Some of the small guys are only rogues of the bigger ones. We got people watching spammers six ways from Sunday. Funny how much they don't realise we know ;)
--Chris
-----Original Message----- From: Smart,Dan [mailto:SmartD@VMCMAIL.com] Sent: Wednesday, December 01, 2004 4:57 PM To: spamassassin-users@incubator.apache.org Subject: RE: Image Composition Analysis
Attached is the spam that got through. I changed the porn URL to not offend. It's a little mangled as it was forwarded by the user via Outlook, and tags got mangled by my Sanitizer.
I capture the headers of all files, and here is what they look like. The bayes = 0 is what got this through.
<<Dan>>
========================================
From filter Wed Nov 3 01:29:14 2004
Return-Path: Bebeskbs@kmanus.com
Received: from great.amberalist.com (great.amberalist.com [209.200.9.222]) by dalton.vul.com (Vulcan E-mail Relay) with SMTP id 56BD89BB2C for xxxxxxx@vmcmail.com; Wed, 3 Nov 2004 01:29:14 -0600 (CST)
Received: from mail pickup service by kmanus.com with Microsoft SMTPSVC; Wed, 3 Nov 2004 14:17:54 -0800
Received: from 194.3.74.35 by by7fd.bay7.kmanus.com with HTTP; Wed, 3 Nov 2004 14:17:54 GMT
X-Originating-IP: [194.3.74.35]
X-Originating-Email: [Bebeskbs@kmanus.com]
X-Sender: Bebeskbs@kmanus.com
From: Bebe Bebeskbs@kmanus.com
To: XXXXX XXXXXXX@vmcmail.com
Subject: re: our appreciation
Date: 3 Nov 2004 14:17:54 -0500
Mime-Version: 1.0
Content-type: text/html
Message-ID: SR0-81197F1166274AB5A8701DBB47173D6E@kmanus.com
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on dalton.vul.com
X-Spam-DCC: : dalton 1182; Body=1 Fuz1=1 Fuz2=1
X-Spam-AWL: Auto_Whitelist=
X-Spam-Status: No, hits=1.7 required=6.5 tests=BAYES_00,CP_RANDOMWORD_10, HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,OB_URI_RBL, RCVD_IN_SBL,SARE_HTML_FSIZE_1ALL,WS_URI_RBL autolearn=no version=2.64
X-Spam-Level: *
Status: RO
X-Status:
X-Keywords:
X-UID: 1219
====================================== <<Dan>>
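The X-Spam-Status line in Dan's headers shows the failure mode he describes: three blocklist rules fired (OB_URI_RBL, WS_URI_RBL, RCVD_IN_SBL) but BAYES_00 pulled the total to 1.7, well under the 6.5 threshold. The parser and meta check below are an added example, not part of Dan's setup or of SpamAssassin; the header value is copied from the message above and the rule set LIST_HITS and the review policy are assumptions.

```python
import re

# Copy of the X-Spam-Status value from the headers Dan posted (SpamAssassin 2.64
# format). The real header was folded over several lines; it is joined here.
SAMPLE_STATUS = (
    "No, hits=1.7 required=6.5 tests=BAYES_00,CP_RANDOMWORD_10, "
    "HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,OB_URI_RBL, "
    "RCVD_IN_SBL,SARE_HTML_FSIZE_1ALL,WS_URI_RBL autolearn=no version=2.64"
)

# Assumed set of rules that mean a listed relay IP or URI host was seen.
LIST_HITS = {"OB_URI_RBL", "WS_URI_RBL", "RCVD_IN_SBL"}

def parse_spam_status(value):
    """Parse an X-Spam-Status value into verdict, score, threshold and rule names."""
    m = re.match(
        r"(Yes|No),\s*hits=(-?[\d.]+)\s+required=([\d.]+)\s+tests=(.*?)\s+autolearn=",
        value,
    )
    if not m:
        raise ValueError("unrecognised X-Spam-Status format")
    verdict, hits, required, tests = m.groups()
    # Folding leaves whitespace after some commas; strip it per rule name.
    names = [t.strip() for t in tests.split(",") if t.strip()]
    return {"spam": verdict == "Yes", "hits": float(hits),
            "required": float(required), "tests": names}

def suspicious_listing_hits(status):
    """Blocklist rules that fired on this message, sorted for stable output."""
    return sorted(set(status["tests"]) & LIST_HITS)

def bayes_masked_listing(status):
    """True when the message passed, BAYES_00 fired, and a blocklist rule also fired.

    A site policy (assumed here) could route such messages to review instead of
    the inbox, since a strongly 'ham' Bayes verdict on a listed URI is exactly
    the bayes-poison pattern discussed in this thread.
    """
    tests = set(status["tests"])
    return (not status["spam"]) and "BAYES_00" in tests and bool(tests & LIST_HITS)

if __name__ == "__main__":
    st = parse_spam_status(SAMPLE_STATUS)
    print(st["hits"], "of", st["required"], "with list hits:", suspicious_listing_hits(st))
    print("route to review:", bayes_masked_listing(st))
```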
-----Original Message----- From: John Andersen [mailto:jsa@pen.homeip.net] Sent: Wednesday, December 01, 2004 2:45 AM To: spamassassin-users@incubator.apache.org Subject: Re: Image Composition Analysis
On Tuesday 30 November 2004 01:27 pm, Smart,Dan wrote:
Catching image only E-mail with pornographic images is really difficult.
My users are offended when they get one, and wonder how I could not catch it. Explaining that the document was text, filled with bayes poison, and the one porn image with no porn words in the document doesn't seem to have much of an impression on them.
Open the image with a text editor and challenge them to determine if it is spam or not.
Really, people this dumb should not be turned loose on the internet.
-- _____________________________________ John Andersen
On Wed, 2004-12-01 at 14:35, Chris Santerre wrote:
We are seeing an increase in throw away domains being used to reroute to other domains that will NEVER show up directly in a spam. All in attempts to get passed SURBL.
I'm going to bring up this idea again, in a slightly different context this time:
Perhaps it would be useful to have a SURBL list that is automatically generated daily from the registrars' notifications of domains that have been recently created. This information is available for free download - I'm pretty sure I posted the location here a while ago.
The definition of "recently" might require some testing to set properly, perhaps a starting point would be one week.
Granted this SURBL would be more subject to FPs than a hand-maintained list, so it should have a correspondingly lower default score. And it wouldn't help too much if spammers don't start using their throwaway domains immediately after registering them.
-- John Hardin Internal Systems Administrator (Seattle) CRS Retail Systems, Inc. 3400 188th Street SW, Suite 185 Lynnwood, WA 98037 voice: (425) 672-1304 fax: (425) 672-0192 email: jhardin@crsretail.com web: http://www.crsretail.com ----------------------------------------------------------------------- If you smash a computer to bits with a mallet, that appears to count as encryption in the state of Nevada. - CRYPTO-GRAM 12/2001 -----------------------------------------------------------------------
On Wednesday, December 1, 2004, 3:25:42 PM, John Hardin wrote:
On Wed, 2004-12-01 at 14:35, Chris Santerre wrote:
We are seeing an increase in throw away domains being used to reroute to other domains that will NEVER show up directly in a spam. All in attempts to get passed SURBL.
I'm going to bring up this idea again, in a slightly different context this time:
Perhaps it would be useful to have a SURBL list that is automatically generated daily from the registrars' notifications of domains that have been recently created. This information is available for free download - I'm pretty sure I posted the location here a while ago.
The definition of "recently" might require some testing to set properly, perhaps a starting point would be one week.
Granted this SURBL would be more subject to FPs than a hand-maintained list, so it should have a correspondingly lower default score. And it wouldn't help too much if spammers don't start using their throwaway domains immediately after registering them.
We still want SURBLs to be lists of domains (and a few IPs) that have actually occurred in spams. A list of all new registrations could perhaps be used as an internal data source, but I think it would have way too many false positives to use alone.
The Outblaze data in ob.surbl.org somewhat fulfills your suggestion since it contains only domains that have been registered within the last 90 days *and* which have appeared in a lot of spams lately. It tends to work well.
Jeff C.
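To make the difference between John Hardin's age-only list and the ob.surbl.org criterion Jeff describes concrete, here is an added example (not SURBL code, not from either poster) that builds both lists from constructed data: a handful of spam URIs, a made-up registration table, and assumed thresholds (7 days for age-only, 90 days plus at least 2 sightings for the combined rule).

```python
import re
from datetime import date

# Constructed sample data; these domains and dates are invented for the example.
SPAM_URIS = [
    "http://www.newpharma-example.com/buy",
    "http://newpharma-example.com/buy2",
    "http://cheapmeds-example.net/",
    "http://www.newpharma-example.com/x",
    "http://cheapmeds-example.net/y",
    "http://mirror-example.org/z",
]
REGISTERED = {  # domain -> registration date (constructed)
    "newpharma-example.com": date(2004, 11, 20),
    "cheapmeds-example.net": date(2004, 10, 1),
    "mirror-example.org": date(2004, 11, 25),
    "fresh-startup-example.com": date(2004, 11, 28),  # new and legitimate, never in spam
}
TODAY = date(2004, 12, 1)

def registered_domain(uri):
    """Reduce a URI to its registered domain (naive label.tld; fine for the sample data)."""
    host = re.match(r"https?://([^/:]+)", uri).group(1).lower()
    return ".".join(host.split(".")[-2:])

def spam_sightings(uris):
    """Count how many spam URIs point at each registered domain."""
    counts = {}
    for u in uris:
        d = registered_domain(u)
        counts[d] = counts.get(d, 0) + 1
    return counts

def age_only_list(registered, today, max_age_days=7):
    """John Hardin's proposal: every domain registered within the window, spam seen or not."""
    return sorted(d for d, r in registered.items() if (today - r).days <= max_age_days)

def age_and_spam_list(registered, sightings, today, max_age_days=90, min_sightings=2):
    """Jeff's ob.surbl.org criterion: young domain AND seen repeatedly in spam."""
    return sorted(d for d, r in registered.items()
                  if (today - r).days <= max_age_days
                  and sightings.get(d, 0) >= min_sightings)

if __name__ == "__main__":
    seen = spam_sightings(SPAM_URIS)
    print("age only      :", age_only_list(REGISTERED, TODAY))
    print("age + spam    :", age_and_spam_list(REGISTERED, seen, TODAY))
```

On this data the age-only list picks up the legitimate new domain (a false positive) and misses the 11-day-old pharmacy domain, while the combined rule lists only the two domains that actually recur in spam.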