Currently all of our anti-spam measures are being evaded by a rather sophisticated way of generating spam. I analysed the spam that gets past our greylisting and SpamAssassin filters.
The following mail is the example for this blog entry.
—-
OK, here come the usual headers:
Content-Type: text/plain; format=flowed; charset="windows-1252"; reply-type=original
Date: Wed, 30 May 2007 13:39:04 +0700 [08:39:04 CEST]
Delivered-To: mymail@mydomain.tv
From: "vivaciously" <isy@danbeeinv.co m>
MIME-Version: 1.0
Message-ID: <001f01c7a285$375b7840$776e72c7@guwjc>
Received: by xx.xxx.xx (Postfix, from userid 8) id A8F3BA3785; Wed, 30 May 2007 08:39:28 +0200 (CEST)
from localhost (localhost [127.0.0.1]) by xx.xxx.xx (Postfix) with ESMTP id 0B9E9A388D for <mymail@mydomain.tv>; Wed, 30 May 2007 08:39:23 +0200 (CEST)
from xx.xxx.xx ([127.0.0.1]) by localhost (xx.xxx.xx [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 12365-10 for <mymail@mydomain.tv>; Wed, 30 May 2007 08:39:19 +0200 (CEST)
from cojn (unknown [203.156.69.111]) by xx.xxx.xx (Postfix) with SMTP id E159CA3785 for <mymail@mydomain.tv>; Wed, 30 May 2007 08:39:12 +0200 (CEST)
from [199.114.110.119] (helo=guwjc) by cojn with smtp (Exim 4.62 (FreeBSD)) id 1I/%0-0004TE-NH; Wed, 30 May 2007 13:43:27 +0700
Return-Path: <isy@danbeeinv.com>
Subject: I once was a big fan of Bill O'Reilly.
To: <mymail@mydomain.tv>
<blockquote>As you can see here, the greylisting has been passed. My analysis of other spam mails shows that they usually retry within a very narrow window of 602 to 620 seconds, so almost exactly 10 minutes after the first attempt. I suppose that the hijacked machines are all infected by more or less the same Trojan with the same retry configuration.</blockquote>
X-Greylist: delayed 612 seconds by postgrey-1.24 at elbarto; Wed, 30 May 2007 08:39:12 CEST
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-Priority: 3
<blockquote>SpamAssassin scores this mail a bit below 7. Since we never tweaked the standard config, I suppose that many other mails with about the same score get through as well.</blockquote>
X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on elbarto.betaversion.net
X-Spam-Level: ******
X-Spam-Status: No, score=6.5 required=7.0 tests=BAYES_99,RCVD_IN_DSBL autolearn=no version=3.1.1
X-Virus-Scanned: by amavisd-new-20030616-p10 at elbarto.betaversion.net
<blockquote>All right, this is the usual opening of the new mails: a promotion for a penny stock. The stock information itself is accurate. Don't be silly and buy it; you are just supporting criminals by doing so...</blockquote>
MITTWOCH 30. MAI STARTET DIE HAUSSE!
Firma: TALKTECH TELEMEDIA (OYQ.F)
Kurzel: WKN: 278-104 (OYQ.F)
ISIN: US8742781045
Preis: 0.81 (+50% in 1 tag)
3T Prognose: 3
<blockquote>And from here on it gets a bit random. But when you take a closer look at a complete sentence and put it into Google, you will see that every sentence is from http://journal.aol.com, at least in this example. So when I think about how the spammers compose their mails, I believe they choose one or more random RSS feeds and concatenate sentences from their contents as "bullshit" content into their spam mails. This results in very individual spam mails. Without more effort it is going to be hard to make a filter that recognizes this bullshit.</blockquote>
The drug seems to activate a gene of self destruction. I have never been
a fan of rap music but have dug the charisma of a few artists.
It is disturbing that every channel plays this event over and over all
day long.
There is no effective treatment to offer them. Are they sorry about how
they feel or are they just sorry they said it knowing they may lose
there job, respect etc. is the greatest consumer of cocaine, opioid
products, and alcohol on the planet. No one is safe around them. Today
was not a bad day as far as the types of cases seen. Medications such as
Clonidine and Tenex can help with the hyperactivity in kids and are
relatively safe and usually well tolerated.
I couldn't help but laugh. I will agree with the general idea that it is
problematic.
They represent themselves, not CNBC or CBS. The controversy and outrage
then become difficult to avoid. I do not feel this way about those with
primary mental illnesses or even alcohol dependence that is not
complicated with polysubstance abuse.
On several occasions there would be a severely mentally ill inmate I was
asked to see after several days or weeks of laying on the jail room
floor without treatment.
The key is learning to control the condition instead of being controlled
by it. There is no line for black comedians, but in their favor, it's
understood they are just comedians.
Many whites become confused when observing some of the things black
entertainers get away with on stage.
almost the whole family is addicted to meth. Much of the time reality
does tend to suck.
Girls usually show a tendency to be less hyperactive than boys.
—-
OK, here is my idea for a SpamAssassin plugin. Lex the body into sentences as the smallest unit. Since we suppose that the whole body content comes from an RSS feed, it should be indexed by a search engine. Take two or more sentences and search for them on one or more search engines. If a whole sentence is found verbatim, it is a copy from a website/RSS feed. Repeat for sentence two/X and check whether the website found is the same or a different one. If it is a different website, push a score into SpamAssassin.
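A sketch of both heuristics from this post, the 602..620 second greylist retry window and the sentence lookup for feed-copied body text, as an added example and not a SpamAssassin plugin from the original (a real plugin would be written in Perl against SpamAssassin's API). The search-engine query is replaced by a constructed local index, and the sample mail is a trimmed copy of the one quoted above; the point values are assumptions.

```python
import re
from email import message_from_string

# Constructed sample: a trimmed copy of the mail quoted in the post, not the full message.
SAMPLE_MAIL = """\
X-Greylist: delayed 612 seconds by postgrey-1.24 at elbarto; Wed, 30 May 2007 08:39:12 CEST
X-Spam-Status: No, score=6.5 required=7.0 tests=BAYES_99,RCVD_IN_DSBL autolearn=no version=3.1.1
Content-Type: text/plain; format=flowed; charset="windows-1252"

The drug seems to activate a gene of self destruction. I have never been
a fan of rap music but have dug the charisma of a few artists.
I couldn't help but laugh. Girls usually show a tendency to be less hyperactive than boys.
"""

# Constructed stand-in for the search-engine query: exact sentence -> feed it was found in.
FEED_INDEX = {
    "The drug seems to activate a gene of self destruction.": "journal.aol.com/feed-a",
    "I have never been a fan of rap music but have dug the charisma of a few artists.": "journal.aol.com/feed-b",
    "Girls usually show a tendency to be less hyperactive than boys.": "journal.aol.com/feed-c",
}

def split_sentences(body, min_words=6):
    """Unwrap the flowed lines and cut the body into sentences; short ones are too generic to search."""
    parts = re.split(r"(?<=[.!?])\s+", " ".join(body.split()))
    return [s for s in parts if len(s.split()) >= min_words]

def copied_feed_score(body, index, probes=3, points=2.0):
    """Look up the first `probes` sentences verbatim: two or more hits from different sources
    means the body was stitched together from feeds, so the heuristic awards `points`."""
    hits = [src for src in (index.get(s) for s in split_sentences(body)[:probes]) if src]
    return points if len(hits) >= 2 and len(set(hits)) >= 2 else 0.0

def greylist_delay(msg):
    """Seconds between first delivery attempt and retry, taken from the postgrey header."""
    m = re.search(r"delayed (\d+) seconds", msg.get("X-Greylist", ""))
    return int(m.group(1)) if m else None

def retry_window_score(delay, points=1.0):
    """The bots in the post retried 602..620 s after the first try; a delay in that window scores."""
    return points if delay is not None and 602 <= delay <= 620 else 0.0

def rescore(raw, index=FEED_INDEX):
    """Add both heuristics to the score SpamAssassin already recorded in X-Spam-Status."""
    msg = message_from_string(raw)
    m = re.search(r"score=([\d.]+) required=([\d.]+)", msg.get("X-Spam-Status", ""))
    sa_score, required = float(m.group(1)), float(m.group(2))
    extra = copied_feed_score(msg.get_payload(), index) + retry_window_score(greylist_delay(msg))
    return {"sa_score": sa_score, "extra": extra, "spam": sa_score + extra >= required}
```

With the sample, the 6.5 that SpamAssassin recorded plus the two heuristics crosses the required 7.0, which is exactly the gap the post describes.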
Hi,
this is really an excellent analysis of the current spam. Interestingly, it comes in waves which have their maximum every 40 minutes or so. I can also confirm the very exact retry times (10 minutes) if greylisting is used. For now, I have added a few typical stock-spam words like Kursgewinn, ISIN, WKN to the spam filter which works for now. But automatic detection is going to be tough when the content changes.
I first thought that this spam is sent over legal mail relays until I analyzed the IP addresses. It is now clear that these bots do the retry themselves. Greylisting still does an excellent job against most bots, but this stock spam seems to be the first big exception.
[...] Telemedia spam). The operator of Joes Blog has published the exact content of the mail: Pennystock Spam-Analysis and why spamassassin doesn`t get it. Unusual compared to other stock spams was, for one, the high mail volume and, for another, [...]