Mailing List Archive: SpamAssassin: users

Blocking new spam wave



mls at vp44

Jul 19, 2013, 10:35 PM

Post #1 of 5 (152 views)
Blocking new spam wave

Hi all.

Since a few days ago I'm being buried under spam messages that slip through
my amavis/SA setup.
The messages all look alike: plaintext with random junk + URL in the body.
Pastebin with a few examples here: http://g2z.me/ed64d

I've tried running a sa-update but I don't have enough samples (yet). The
thing that bothers me is that all the messages have been classified as HAM
by the auto learn (which I have now disabled).
What could be an effective rule/ruleset to block emails like this?

Thanks,

Andrea


neil at cauce

Jul 20, 2013, 8:21 AM

Post #2 of 5 (141 views)
Re: Blocking new spam wave

On Jul 19, 2013, at 10:35 PM, Andrea <mls [at] vp44> wrote:

> Hi all.
>
> Since a few days ago I'm being buried under spam messages that slip through my amavis/SA setup.
> The messages all look alike: plaintext with random junk + URL in the body.
> Pastebin with a few examples here: http://g2z.me/ed64d
>
> I've tried running a sa-update but I don't have enough samples (yet). The thing that bothers me is that all the messages have been classified as HAM by the auto learn (which I have now disabled).
> What could be an effective rule/ruleset to block emails like this?


The emitting IPs appear to be on some fairly prominent blacklists :

65.20.0.50 http://multirbl.valli.org/lookup/65.20.0.50.html Blacklisted: 10 Brownlisted: 0 Yellowlisted: 0 Whitelisted: 0
210.188.175.148 http://multirbl.valli.org/lookup/210.188.175.148.html Blacklisted: 14 Brownlisted: 0 Yellowlisted: 0 Whitelisted: 0
217.16.6.131 http://multirbl.valli.org/lookup/217.16.6.131.html Blacklisted: 17 Brownlisted: 0 Yellowlisted: 0 Whitelisted: 0


The problem, or at least part of it, is that the payloads are all redirects via compromised legitimate sites on hosting companies

http://prembhatiatrust . com/public-sex.html?cuzahetysu
http://auto-atendimentos . info/algerie.html?japu
http://chapcanhuocmo . vn./springbreak.html

prembhatiatrust. com | Creation Date: 23-apr-2002 | 74.208.211.99
auto-atendimentos. info | Created On:30-Mar-2013 11:25:09 UTC | 173.192.200.207
chapcanhuocmo. vn | Ngày đăng ký: 04-04-2011 | 222.255.29.22


for those who care, the ultimate payloads are:

mega-hot-sites . com
hot-hot-sites . com
lovely-sites . com

all sitting on 213.183.59.30 (anders. ru)

which has a couple NS SBLed, which cover all of the payloads (1):

ns1.eliteadultsites. com 213.183.59.30 SBL
ns2.eliteadultsites. com 213.183.59.30 SBL

Passive DNS for 213.183.59.30/32

Records found: 31 (moved & 404 elided)


(1)
Domain Name: COOL-COOL-SITES . com
Registrar: BIZCN . com, INC.
Whois Server: whois.bizcn . com
Referral URL: http://www.bizcn . com
Name Server: NS1.ELITEADULTSITES . com
Name Server: NS2.ELITEADULTSITES . com
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 15-jun-2013
Creation Date: 16-nov-2012
Expiration Date: 16-nov-2013


mls at vp44

Jul 21, 2013, 7:33 AM

Post #3 of 5 (131 views)
Re: Re: Blocking new spam wave

On 7/20/13 9:20 AM, "Christian Recktenwald" <satalk-dist [at] citecs> wrote:

>On Sat, Jul 20, 2013 at 07:35:23AM +0200, Andrea wrote:
>> Hi all.
>>
>> Since a few days ago I'm being buried under spam messages that slip
>>through
>> my amavis/SA setup.
>> The messages all look alike: plaintext with random junk + URL in the
>>body.
>> Pastebin with a few examples here: http://g2z.me/ed64d
>

Thank you for the tips.
I have a few further questions:

>- TZ in Date: -0700
>- short message (up to 110 chars)
>- containing a url

How much would you score these three?
(btw I noticed several messages have a date in the future between 6 and 12
hours so I've increased that)

>- url with uri 17..27 chars
>- url results in some meta REFRESH
>- the refresh refers to some domain .*-sites.com
>- the domain names resolve to 213.183.59.30
>- the refresh redirects to another meta REFRESH, which is unique

How can I implement these? Especially, how can SA know that the URL
refreshes to a different page?

Andrea


martin at gregorie

Jul 21, 2013, 8:56 AM

Post #4 of 5 (131 views)
Re: Re: Blocking new spam wave

On Sun, 2013-07-21 at 16:33 +0200, Andrea wrote:
>
> On 7/20/13 9:20 AM, "Christian Recktenwald" <satalk-dist [at] citecs> wrote:
>
> >On Sat, Jul 20, 2013 at 07:35:23AM +0200, Andrea wrote:
> >> Hi all.
> >>
> >> Since a few days ago I'm being buried under spam messages that slip
> >>through
> >> my amavis/SA setup.
> >> The messages all look alike: plaintext with random junk + URL in the
> >>body.
> >> Pastebin with a few examples here: http://g2z.me/ed64d
> >
>
> Thank you for the tips.
> I have a few further questions:
>
> >- TZ in Date: -0700
>
This is pretty common: you'd expect that since it is a rather irregular
slice through North America that includes Edmonton and Denver.

> >- short message (up to 110 chars)
>
Common enough, typically "Get a load of this: http://some.url.or/other".

> >- containing a url
>
or possibly just a URL and nothing else.

> How much would you score these three?
>
Not very highly either, separately or in combination. However, if
there's a known issue with the URL content, e.g. its TLD is .pw, the
sender or the recipient address, you may score it more highly, e.g. if the
recipient address is one that you never publish or use directly.

> (btw I noticed several messages have a date in the future between 6 and 12
> hours so I've increased that)
>
Might be reasonable: any date that could result from a misconfigured
timezone and/or an incorrectly set clock is not necessarily suspicious.

> >- url with uri 17..27 chars
>
Why would that be suspicious? My normal URL is 22 characters without the
"http://" prefix. If you're trying to catch URLs generated by some
spambot it would be better to look for patterns in the names it
generates rather than deciding that some arbitrary length range is
suspicious.

> >- url results in some meta REFRESH
> >- the refresh refers to some domain .*-sites.com
>
They claim to have been in the web hosting business since 1996. What
have you got against them?

> >- the domain names resolve to 213.183.59.30
> >- the refresh redirects to another meta REFRESH, which is unique
>
Resolves to an IP belonging to Anders Telecom in Moscow and seems to have
an unconfigured copy of Apache on it. No reverse DNS configured, though.
What do you think it is - a bot herder?

> How can I implement these?
>
Write a set of subrules, one for each of those clauses and combine them
into one or more very specific scoring rules by using meta-rules.

> Especially how can SA know that the URL
> refreshes to a different page..
>
It can't because it just recognises the URL without ever attempting to
access it.


Martin
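One way to write Christian's checklist as unscored SpamAssassin subrules combined by meta rules, as Martin suggests. This is an added example, not rules posted by anyone in the thread; the ANDREA_* rule names, the scores and the local.cf location are assumptions to tune locally, and the checks that need the URL to be fetched are left out because SA never fetches it.

```conf
# Added example, not from the thread.  Put in /etc/mail/spamassassin/local.cf
# (or another *.cf in that directory) and run "spamassassin --lint" afterwards.
# Rule names prefixed ANDREA_ and every score below are assumptions.

# --- Subrules: double underscore means no score of their own --------------

# Date: header carrying a -0700 offset.  Common on its own (Martin's point),
# so it only contributes through the meta rules below.
header  __ANDREA_TZ_0700   Date =~ /\s-0700\b/

# Rendered body of at most 110 characters.  body rules see the rendered text
# one paragraph chunk at a time, so this assumes the junk + URL is a single
# paragraph, as in the plaintext samples described.
body    __ANDREA_SHORT     /^.{1,110}$/

# Any http(s) URL at all.
uri     __ANDREA_HAS_URI   /^https?:\/\//i

# URL path (leading slash through the end of the query string) of 17..27
# characters, matching the three samples: /springbreak.html is 17,
# /public-sex.html?cuzahetysu is 27.  Arbitrary on its own (Martin's
# objection), so it is only used as a bonus on top of the main meta rule.
uri     __ANDREA_URI_LEN   /^https?:\/\/[^\/\s]+\/\S{16,26}$/i

# --- Meta rules: only the combination scores -------------------------------

meta     ANDREA_SHORT_JUNK_URL  __ANDREA_TZ_0700 && __ANDREA_SHORT && __ANDREA_HAS_URI
describe ANDREA_SHORT_JUNK_URL  Short -0700 message that is little more than a URL
score    ANDREA_SHORT_JUNK_URL  2.0

meta     ANDREA_SHORT_JUNK_URL_LEN  ANDREA_SHORT_JUNK_URL && __ANDREA_URI_LEN
describe ANDREA_SHORT_JUNK_URL_LEN  Same, and the URL path length matches the samples
score    ANDREA_SHORT_JUNK_URL_LEN  1.5

# Andrea's "date 6..12 hours in the future" observation: raise the stock
# rule's score instead of writing a new one.  Keep it modest, since a
# misconfigured clock produces the same thing (Martin's caveat).
score    DATE_IN_FUTURE_06_12   2.5

# Not expressible here: following the meta REFRESH, or where the redirect
# finally lands.  SA only recognises the URL in the mail; for the hosts that
# do appear in the mail, rely on the stock URIBL_* lookups instead.
```

Test with `spamassassin -t < sample.eml` against the pastebin samples and a few recent ham messages before raising the scores.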


Bowie_Bailey at BUC

Jul 22, 2013, 6:57 AM

Post #5 of 5 (114 views)
Re: Blocking new spam wave

On 7/20/2013 1:35 AM, Andrea wrote:
> Hi all.
>
> Since a few days ago I'm being buried under spam messages that slip
> through my amavis/SA setup.
> The messages all look alike: plaintext with random junk + URL in the body.
> Pastebin with a few examples here: http://g2z.me/ed64d
>
> I've tried running a sa-update but I don't have enough samples
> (yet). The thing that bothers me is that all the messages have been
> classified as HAM by the auto learn (which I have now disabled).
> What could be an effective rule/ruleset to block emails like this?

I assume you meant to say "sa-learn" rather than "sa-update"?

The main problem that I see with the scoring is that it is hitting on
BAYES_00. This may have been caused by auto-learn. You need to
manually learn these as spam using sa-learn to counteract that.

--
Bowie
