
Mailing List Archive: SpamAssassin: users

Spam messages with no payload



neon+Sp at neonjs

Feb 18, 2012, 4:55 PM

Post #1 of 10 (707 views)
Permalink
Spam messages with no payload

I'm convinced that spammers are using me as a guinea pig.

I'm getting hit pretty hard by just a few determined spammers at the moment
who seem to vary their spam signature every day or so (they sent out through
thousands of free accounts at free email providers, so can't use client
DNSBL). But every now and again, I'll get a spam from them that follows
pretty much the same pattern as everything else, except that the vital
ingredient - the link to their spam site or any mention of what they are
promoting - is not there. Just the formatting and the random words. And
these mails get right through my spam filter.

It's as if they are just sending out a test run when they come up with a new
pattern, to see if it increases their bounce rate or something.

BAYES_99 often hits on them, but I don't want to reject email just because
it hits BAYES_99. The thing is, it's difficult to classify these emails
even manually as spam or not spam, so it'd be hard to come up with rules to
filter them. They are once-off, so they're not "bulk" per se - and they are
not promoting the spammer - they are just random words. But they are, of
course, still spam to me because they are noise I didn't request.
--
View this message in context: http://old.nabble.com/Spam-messages-with-no-payload-tp33350242p33350242.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


jeremy at fluxlabs

Feb 18, 2012, 5:36 PM

Post #2 of 10 (660 views)
Permalink
Re: Spam messages with no payload [In reply to]

Can you pastebin some sample messages + headers?

--
Jeremy McSpadden
Flux Labs, Inc
http://www.fluxlabs.net
Endless Solutions
Office : 850-588-4626
Cell : 850-890-2543
Fax : 850-254-2955






On 2/18/12 6:55 PM, "neon_overload" <neon+Sp [at] neonjs> wrote:

>
>I'm convinced that spammers are using me as a guinea pig.
>
>I'm getting hit pretty hard by just a few determined spammers at the
>moment
>who seem to vary their spam signature every day or so (they sent out
>through
>thousands of free accounts at free email providers, so can't use client
>DNSBL). But every now and again, I'll get a spam from them that follows
>pretty much the same pattern as everything else, except that the vital
>ingredient - the link to their spam site or any mention of what they are
>promoting - is not there. Just the formatting and the random words. And
>these mails get right through my spam filter.
>
>It's as if they are just sending out a test run when they come up with a
>new
>pattern, to see if it increases their bounce rate or something.
>
>BAYES_99 often hits on them, but I don't want to reject email just because
>it hits BAYES_99. The thing is, it's difficult to classify these emails
>even manually as spam or not spam, so it'd be hard to come up with rules
>to
>filter them. They are once-off, so they're not "bulk" per se - and they
>are
>not promoting the spammer - they are just random words. But they are, of
>course, still spam to me because they are noise I didn't request.
>--
>View this message in context:
>http://old.nabble.com/Spam-messages-with-no-payload-tp33350242p33350242.html
>Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
>
>


neon+Sp at neonjs

Feb 18, 2012, 9:14 PM

Post #3 of 10 (663 views)
Permalink
Re: Spam messages with no payload [In reply to]

Here is one example from this morning

http://pastebin.com/xxJut9wb

And after decoding that base64 attachment:

http://pastebin.com/BApWfSfd

Normally, there is a link or redirect to the spammer's site but this is one
of the ones that is missing that, it has all the same formatting and the
filler text but no payload so it is a pointless spam (unless there is some
other reason for it, like testing bounce rates).


me at junc

Feb 18, 2012, 9:58 PM

Post #4 of 10 (659 views)
Permalink
Re: Spam messages with no payload [In reply to]

On 2012-02-19 06:14, neon_overload wrote:

> http://pastebin.com/xxJut9wb
> http://pastebin.com/BApWfSfd

invalid messageid and html attachment when there exists html body


neon+Sp at neonjs

Feb 18, 2012, 11:01 PM

Post #5 of 10 (656 views)
Permalink
Re: Spam messages with no payload [In reply to]

Benny Pedersen wrote:
>
>
> invalid messageid and html attachment when there exists html body
>
>

Thanks for looking at that for me.

Forgive me since I am relatively new to SpamAssassin, but why wouldn't it
have built-in rules for this, or are there rules that are just disabled by
default?

It seems it would be easy to do a header rule for the message-id and to do a
meta rule for an HTML body plus an HTML attachment.

Feel free to point me in the right direction.

Cheers,
Thomas Rutter


axb.lists at gmail

Feb 19, 2012, 2:03 AM

Post #6 of 10 (658 views)
Permalink
Re: Spam messages with no payload [In reply to]

On 02/19/2012 06:58 AM, Benny Pedersen wrote:
> On 2012-02-19 06:14, neon_overload wrote:
>
>> http://pastebin.com/xxJut9wb
>> http://pastebin.com/BApWfSfd
>
> invalid messageid and html attachment when there exists html body

+ freemail sender
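
[Added example, not part of any post in this thread.] The three structural signals named in posts #4 to #6 (malformed Message-ID, an HTML attachment alongside an HTML body, free-mail sender) can be checked without reference to what the text promotes, which is why they still apply to a message with no link. The sample message, the free-mail domain list and the simplified Message-ID pattern below are constructed assumptions, not taken from the pastebin samples.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the pastebin message from the thread): HTML body,
# a second text/html part sent as an attachment, a Message-ID with no
# "@domain" part, and a free-mail From address. No link anywhere.
SAMPLE = """\
From: "Constructed Sender" <someone@freemail.example>
Subject: constructed sample
Message-ID: <20120218.12345>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>random filler words</p></body></html>
--b1
Content-Type: text/html; name="page.html"
Content-Disposition: attachment; filename="page.html"
Content-Transfer-Encoding: base64

PGh0bWw+PGJvZHk+ZmlsbGVyPC9ib2R5PjwvaHRtbD4=
--b1--
"""

# Assumed list; a real deployment would use its own free-mail domain list.
FREEMAIL_DOMAINS = {"freemail.example"}
# Simplified shape check: <left@right>, no spaces or extra angle brackets.
MSGID_RE = re.compile(r"^<[^<>\s@]+@[^<>\s@]+>$")

def signals(raw):
    msg = message_from_string(raw)
    html_parts = [p for p in msg.walk() if p.get_content_type() == "text/html"]
    attached = [p for p in html_parts if p.get_content_disposition() == "attachment"]
    inline = [p for p in html_parts if p.get_content_disposition() != "attachment"]
    text = "".join(p.get_payload(decode=True).decode("latin-1") for p in html_parts)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {
        "bad_msgid": not MSGID_RE.match(msg.get("Message-ID", "").strip()),
        "html_body_and_html_attachment": bool(inline and attached),
        "freemail_sender": domain in FREEMAIL_DOMAINS,
        "no_url": not re.search(r"https?://|href\s*=", text, re.I),
    }

def structural_hits(raw):
    # "no_url" describes the missing payload; it is reported but not counted.
    return sum(v for k, v in signals(raw).items() if k != "no_url")
```
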


Jason_Haar at trimble

Feb 19, 2012, 2:45 PM

Post #7 of 10 (648 views)
Permalink
Re: Spam messages with no payload [In reply to]

I know what you mean - see if anyone can figure out what this one was
about! I think they're just screwing with us :-/

(I mean, do they seriously think people are going to reply "excuse me,
did you mean to send this to me?" and take it from there?)

http://pastebin.com/MCwFrP6C

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


jeremy at fluxlabs

Feb 19, 2012, 2:57 PM

Post #8 of 10 (644 views)
Permalink
Re: Spam messages with no payload [In reply to]

For starters, you're using qmail. I know postfix will give you more protection up front with just rbl and certain restrictions that would help quite a bit.

Are you running any rbl or dns checks with qmail?

--
Jeremy McSpadden

On Feb 19, 2012, at 4:46 PM, "Jason Haar" <Jason_Haar [at] trimble> wrote:

> I know what you mean - see if anyone can figure out what this one was
> about! I think they're just screwing with us :-/
>
> (I mean, do they seriously think people are going to reply "excuse me,
> did you mean to send this to me?" and take it from there?)
>
> http://pastebin.com/MCwFrP6C
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
>


me at junc

Feb 19, 2012, 4:23 PM

Post #9 of 10 (643 views)
Permalink
Re: Spam messages with no payload [In reply to]

On 2012-02-19 23:45, Jason Haar wrote:
> http://pastebin.com/MCwFrP6C

ip2cc 8.8.8.8

what is the date of that? your clamav is outdated :(


michael.scheidell at secnap

Feb 20, 2012, 4:29 AM

Post #10 of 10 (639 views)
Permalink
Re: Spam messages with no payload [In reply to]

On 2/19/12 5:45 PM, Jason Haar wrote:
> I know what you mean - see if anyone can figure out what this one was
> about! I think they're just screwing with us :-/
>
> (I mean, do they seriously think people are going to reply "excuse me,
> did you mean to send this to me?" and take it from there?)
>
> http://pastebin.com/MCwFrP6C
>
this is a typical 'freight forwarder scam'

they want you to prepay freight to their 'authorized forwarder' who
never accepts the shipment, it gets sent back to you, but you are on the
hook for the original payments, and/or, you totally lose your shipment
anyway.




--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator

