Mailing List Archive: SpamAssassin: users

facebook Spam Question



twofers at yahoo
Nov 7, 2009, 4:44 AM
Post #1 of 7
facebook Spam Question

This may not be an exact SpamAssassin type question, but something happened to me recently concerning spam, and I am hoping to get some feedback and thoughts about it.

I have 3 websites on a VPS and, with that, several related email addresses: help@, support@, etc. I also have a customer that I host on my VPS; we do business together and I am the webmaster of his site. He has two email addresses, his@ and admin@.

Neither I nor my customer has ever had a Facebook or Twitter account. He was recently attending a business convention, and he said several of his customers suggested he get a Facebook and a Twitter account for business reasons. So he asked me, and I created him both a Facebook and a Twitter account, and in the process I also created myself one of each. I used his business email address his@, and I used my personal ISP email address on embarqmail.com.

Within a day of creating those accounts, both of us started receiving between 3 and 5 virus-laden spam emails a day related to Facebook. Virus-attachment emails: "Your password to facebook has been updated for security reasons, open the attachment to see your new password", "your facebook profile has been updated, open the attachment...", etc., "Open the zip file and double click on ?????.exe to....". We have been receiving them for days now, since last Sunday.

We have never in the past received any Facebook-type spam emails, especially like this, either one of us. I also monitor his business email address for customer complaints, suggestions and orders, and we have never before received anything related to Facebook.

A surprising thing is, I am also receiving between 3 and 5 daily emails via my other 3 websites' email addresses. These addresses are not even related to the new Facebook accounts, other than that they are part of the VPS hosting the websites. I don't know if that's a considerable relationship?

It could very well be coincidence, I suppose, that we created those Facebook accounts and almost immediately started receiving virus spam, but I really do not think so, based on our history. It seems too coincidental, and it is affecting about 10 unrelated email addresses also. I think something else is happening, although I do not know what to consider, as I am not as knowledgeable about this as you are.

What could be going on here? Any ideas? Is it coincidence?

Thanks for any help.

Wes


ilikeuce at bornefeld-ettmann
Nov 7, 2009, 6:20 AM
Post #2 of 7
Re: facebook Spam Question

Hi,

AFAIK this is just coincidence. I don't have any accounts on such
platforms, but I also receive mails for password requests for Facebook,
MySpace .....

Cheers
Ralph





sa_chip at IowaHoneypot
Nov 8, 2009, 2:39 AM
Post #3 of 7
Re: facebook Spam Question

twofers wrote:
>What could be going on here? Any ideas? Is it coincidence?

TwoFers, did these start after mid-afternoon (1600 Eastern time)
of Oct 26? If so, this is PURE coincidence. :)

I checked four of my domains, including one which (by policy) has
NEVER received any authentic Facebook/Twitter stuff, and ALL
started receiving significant quantities (1.9% to 2.8% of total
post-gateway-RBL spam) with the first appearing between 1601 and
1630.

That's based on all emails (regardless of score) which survived
gateway RBL checks.

There are two campaigns: one with a viral attachment, one with a
click-through with Facebook as the subhost (most of those are being
caught by URIBL and/or SURBL).


What's neither coincidence NOR acceptable is that ANY of these are
getting through. They're trivially easy to kill, and SA has the tools
to do so.

Facebook does the Right Thing and publishes an SPF record, which is
extremely easy (i.e. cheap) to test & SELECTIVELY block on.

Another option (if you'd rather not mess with SPF) is to just add
some simple manual rules which high-score anything with:
1. Facebook's domain in the From header and NOT in the SMTP Sender
2. Facebook's domain in the From header and NOT from its known IPs

Either of those rules would catch 100% of these spams.

I get the vague impression you're probably using a stock control
panel installation of SpamAssassin, in which case you're probably
seeing only a mid-80% kill rate. SA is an extremely powerful tool,
but the "stock" installs (typical of most webhosts) are crippled.

SpamAssassin is meant to be tuned to YOUR unique email ecology, not
left at generic settings.

If you invest sufficient time to build a Ham corpus, and analyze
ALL your missed spam on a regular basis, you'll quickly be able to
tune things so the "easy" spams are taken care of. Maintenance
time will drop off quickly, as your skill level increases.

Only about 2% (or less) of all spam poses any kind of challenge.
Um, most of the time. :)


Ugh. I just checked Twitter, and no SPF record. :(
Their DNS MX records are funky, all having Google hostnames, which
is weird since they definitely _DO_ use their own servers (based on
one of my Ham corpora).

If you decide to add a manual IP-range rule for Facebook, I
recommend you also add one for Twitter. I've only seen a tiny
trickle of viral stuff forged as coming from them, but they're
a logical target. Pre-emptive first strike... with spam, there's
no reason not to. :)

Good luck!
- "Chip"
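
Chip's two manual rules and the SPF suggestion, written out as rules for SpamAssassin's local.cf. This is an added example, not code from the thread or from the SpamAssassin project. The From: domains (facebook.com, facebookmail.com, twitter.com), the rule names and the scores are assumptions; check the domains against real notifications in your ham corpus before relying on them. Chip's second check (a list of known sending IPs) is replaced here by an SPF alignment check, with the caveat that SPF_PASS on its own is not sufficient:

```conf
# Added example for local.cf: forged-Facebook/Twitter rules built from the
# two checks Chip describes plus the SPF/DKIM suggestion.  Not from the
# thread or from the SpamAssassin project.  Domains, rule names and scores
# are assumptions: verify the From: domains against real notifications in
# your ham corpus before trusting these.

# Sub-rules (a leading __ means "no score of its own, used only in meta
# rules").  From:addr matches just the address part of the From: header.
header   __FB_FROM      From:addr =~ /\@(?:facebook|facebookmail)\.com$/i
header   __TW_FROM      From:addr =~ /\@twitter\.com$/i

# EnvelopeFrom is SpamAssassin's pseudo-header for the SMTP MAIL FROM,
# taken from Return-Path (or from the header named by envelope_sender_header).
header   __FB_ENVFROM   EnvelopeFrom =~ /\@(?:facebook|facebookmail)\.com\b/i
header   __TW_ENVFROM   EnvelopeFrom =~ /\@twitter\.com\b/i

# Rule 1 (Chip's "Facebook in From, but NOT in the SMTP sender"):
meta     FB_FROM_NOT_ENVFROM  (__FB_FROM && !__FB_ENVFROM)
describe FB_FROM_NOT_ENVFROM  Facebook in From: but envelope sender is not Facebook
score    FB_FROM_NOT_ENVFROM  5.0

# Rule 2, using SPF instead of a hand-maintained IP list.  SPF_PASS alone
# is not enough: it only says the envelope sender's domain authorised the
# relay, and a spammer can pass SPF for his own domain while forging From:.
# So require SPF_PASS together with a Facebook envelope sender, or a valid
# DKIM signature whose d= matches the From: domain (DKIM_VALID_AU, present
# in SpamAssassin 3.3 and later; 3.2 only has the looser DKIM_VERIFIED).
meta     FB_FROM_UNAUTH   (__FB_FROM && !(__FB_ENVFROM && SPF_PASS) && !DKIM_VALID_AU)
describe FB_FROM_UNAUTH   Facebook in From: but neither SPF nor DKIM vouch for it
score    FB_FROM_UNAUTH   5.0

# Same treatment for Twitter, SPF only: the thread shows Twitter publishes
# an SPF record, and says nothing about DKIM.
meta     TW_FROM_UNAUTH   (__TW_FROM && !(__TW_ENVFROM && SPF_PASS))
describe TW_FROM_UNAUTH   Twitter in From: but SPF did not verify a Twitter sender
score    TW_FROM_UNAUTH   5.0
```

Check the syntax with spamassassin --lint, then feed one of the forged messages to spamassassin -t to see which rules hit. Two things have to be in place for this to work: Rule 1 needs the envelope sender to be visible to SpamAssassin (a Return-Path header added by your MTA, or envelope_sender_header pointing at whatever header your MTA uses), and SPF_PASS needs SpamAssassin to see the real connecting IP, which means trusted_networks and internal_networks must describe your own relays. If you do want Chip's literal known-IP version, the X-Spam-Relays-External pseudo-header lists each untrusted relay with ip=, rdns= and helo= fields and can be matched with a header rule in the same way.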


richard at buzzhost
Nov 8, 2009, 2:44 AM
Post #4 of 7
Re: facebook Spam Question

On Sun, 2009-11-08 at 10:39 +0000, Chip M. wrote:
>
> Ugh. I just checked Twitter, and no SPF record. :(

No?

What's this?

;; ANSWER SECTION:
twitter.com. 600 IN TXT "v=spf1 ip4:128.121.145.168
ip4:128.121.146.128/27 mx ptr a:postmaster.twitter.com
mx:one.textdrive.com include:cmail1.com include:aspmx.googlemail.com
include:support.zendesk.com -all"


me at junc
Nov 8, 2009, 3:45 AM
Post #5 of 7
Re: facebook Spam Question

On Sun 08 Nov 2009 11:44:05 CET, "richard[at]buzzhost.co.uk" wrote:
> On Sun, 2009-11-08 at 10:39 +0000, Chip M. wrote:
>> Ugh. I just checked Twitter, and no SPF record. :(
> No?

Twitter might use another domain for signup? No :)

Same as facebook.com does not use this domain for signup emails.

Facebook uses SPF and DKIM, if one likes to verify it's sent from them.

--
xpoint


kremels at kreme
Nov 8, 2009, 9:44 AM
Post #6 of 7
Re: facebook Spam Question

On 8-Nov-2009, at 03:39, Chip M. wrote:
> TwoFers, did these start after mid-afternoon (1600 Eastern time)
> of Oct 26? If so, this is PURE coincidence. :)
>
> I checked four of my domains, including one which (by policy) has
> NEVER received any authentic Facebook/Twitter stuff, and ALL
> started receiving significant quantities (1.9% to 2.8% of total
> post-gateway-RBL spam) with the first appearing between 1601 and
> 1630.


Oh yeah, I got a slew of those as well.

--
"Your stepmom is cute"
"Shut up, Ted"
"Remember when she was a senior and we were freshmen?"
"Shut up Ted!"


twofers at yahoo
Nov 9, 2009, 7:51 AM
Post #7 of 7
facebook Spam Question

Thanks everyone for the Facebook feedback.

Indeed this did happen and begin after Oct 26th. I believe our registration began closer to Nov 1st.

It's a relief that this appears to be coincidence and is not a local virus, keylogger, undetected VPS break-in, etc.

My SpamAssassin is set up as a pretty generic install, although I do edit the config to add rules. I do not necessarily need to focus intensely on spam elimination; I am pretty much my only customer.

Thank you for the help.
