LogSat Software

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   I had to put special keyword filters in for just one spam sender, it is using a technique that seems to bypass all standard filters.
Maybe more experienced spamfighters than me can take a look and get an "AHA erlebnis' :)
here is what the mail msg looks like after it was caught by a keyword filter.

Note that it is specifically targeting the postmaster mailbox (mine ^%$#&$^%$ ), and in outlook looks as if i have sent myself an email... Unless my setup here is in error i think this particular spammer deserves some extra attention for all of our sake's.

  Fri, 11 Nov 2005 13:42:15 +0400
Received: from farpomader5 (infantryman64.252.208.0)
          by werbe-rusch.de  (nbz275) with SMTP
          id <824171on267a>
          (Authid: JeannieDowns);
          Fri, 11 Nov 2005 06:44:15 -0300
From: "postmaster@ourdomain.nl" <postmaster@ourdomain.nl>
To: "'postmaster@ourdomain.nl" <postmaster@ourdomain.nl>
Subject: postmaster@ourdomain.nl
Date: Fri, 11 Nov 2005 04:41:15 -0500
Message-ID: <587m2xj0$374es19l0$9ee5xv@becloudf30>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--5022375956366480"
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <postmaster@ourdomain.nl>
X-SF-HELO-Domain: 85-250-94-111.bb.netvision.net.il
----5022375956366480
postmaster@ourdomain.nl is a nonprofit/charity contact email address right?  if so...
WE WILL EMAIL YOUR WEB SITE TO 2,500,00 0PT-IN EMAILS FOR [Free]
http://broadcastemailservices.odo4.meibu.com

----- ---- --- -- -  -
second at our company web site above, read all about details on how our
emailing service works, then send a letter to the postal mailing address 
on our company web site above with your non-profit and/or charity status 
as registered in your country of origin along with your mission statement
enclosed, along with your email address and we will then send you all the
specifications needed on how to receive your non-commercial, non-cost,
non-transactional, non-relationship, charity/non-profit courtesy emailing.
this non-commercial, non-transactional, non-relationship, courtesy emailing 
has an important primary purpose of helping society by assisting nonprofits 
& charities have their non-profit/non-commercial mission statement/special
message sent out to 2.5mil option in emails as a courtesy to help worldwide
in national and global relief efforts for various causes in need of support.
----- ---- --- -- -  -
thanks to the technology of email, here are only a few of the countless
charities & non-profit organizations we have countributed to this year alone:
adventist develop & relief agency international, child help usa, direct 
relief international, doctors without borders, episcopal relief and 
development, international medical corps, mercy corps, operation usa, red 
cross hurricane relief division, red cross washington state chapter, the 
salvation army, among countless others that have requested global assistance.
----- ---- --- -- -  -
if this is not a non-profit/charity contact email address and/or you are not 
interested in our occassional non-commercial, non-transactional, non-cost, 
non-relationship, courtesy emailings we perform for various nonprofits and
charities, delist at: http://broadcastemailservices.odo4.meibu.com/dounsub.php
----5022375956366480--

And another one:

Received: from 61.51.45.125 by mail.ourdomain.nl (LogSat Software SMTP Server) Fri, 11 Nov 2005 06:36:25 +0100
Message-ID: <26117417057727.1a7931cho@aaki.dk >
Received: from 242.232.50.156 by pcjt25-zja7.nsqk40.eon.net.au  with DAV;
 Fri, 11 Nov 2005 05:42:14 -0400
Reply-To: "postmaster@ourdomain.com" <postmaster@ourdomain.com>
From: "postmaster@ourdomain.com" <postmaster@ourdomain.com>
To: <postmaster@ourdomain.com>
Subject: postmaster@ourdomain.com
Date: Fri, 11 Nov 2005 12:42:14 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--18956560431480567067"
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <postmaster@ourdomain.com>
X-SF-HELO-Domain: [our relay ip]
----18956560431480567067
postmaster@ourdomain.com is a nonprofit/charity contact email address right?  if so...
WE WILL EMAIL YOUR WEB SITE TO 2,500,00 0PT-IN EMAILS FOR [Free]
http://broadcastemailservices.odo4.meibu.com

******** Same BS as in previous mail ********

if this is not a non-profit/charity contact email address and/or you are not 
interested in our occassional non-commercial, non-transactional, non-cost, 
non-relationship, courtesy emailings we perform for various nonprofits and
charities, delist at: http://broadcastemailservices.odo4.meibu.com/dounsub.php
----18956560431480567067--
.

Edited by Marco

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Marco Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 07 June 2005 Location: Netherlands Status: Offline Points: 137	Post Options Post Reply Quote Marco Report Post Thanks(0) Quote Reply Topic: Some spammer is using weird technique Posted: 11 November 2005 at 6:38am
	I had to put special keyword filters in for just one spam sender, it is using a technique that seems to bypass all standard filters. Maybe more experienced spamfighters than me can take a look and get an "AHA erlebnis' :) here is what the mail msg looks like after it was caught by a keyword filter. Note that it is specifically targeting the postmaster mailbox (mine ^%$#&$^%$ ), and in outlook looks as if i have sent myself an email... Unless my setup here is in error i think this particular spammer deserves some extra attention for all of our sake's. Received: from 85.250.94.111 by mail.ourdomain.nl (LogSat Software SMTP Server) Fri, 11 Nov 2005 06:36:38 +0100 X-Message-Info: OVvBO80dXYBpzHYAbhd3egh085PB845RFHarcKKXfmo Received: from royevuqkr94.inphomatch.com.br (7.74.30.224) by cpp110-ho.cyber.net.pk with Microsoft SMTPSVC(5.0.2195.6824); Fri, 11 Nov 2005 13:42:15 +0400 Received: from farpomader5 (infantryman64.252.208.0) by werbe-rusch.de (nbz275) with SMTP id <824171on267a> (Authid: JeannieDowns); Fri, 11 Nov 2005 06:44:15 -0300 From: "postmaster@ourdomain.nl" <postmaster@ourdomain.nl> To: "'postmaster@ourdomain.nl" <postmaster@ourdomain.nl> Subject: postmaster@ourdomain.nl Date: Fri, 11 Nov 2005 04:41:15 -0500 Message-ID: <587m2xj0$374es19l0$9ee5xv@becloudf30> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--5022375956366480" X-Server: LogSat Software SMTP Server X-SF-RX-Return-Path: <postmaster@ourdomain.nl> X-SF-HELO-Domain: 85-250-94-111.bb.netvision.net.il ----5022375956366480 postmaster@ourdomain.nl is a nonprofit/charity contact email address right? if so... WE WILL EMAIL YOUR WEB SITE TO 2,500,00 0PT-IN EMAILS FOR [Free] http://broadcastemailservices.odo4.meibu.com ----- ---- --- -- - - second at our company web site above, read all about details on how our emailing service works, then send a letter to the postal mailing address on our company web site above with your non-profit and/or charity status as registered in your country of origin along with your mission statement enclosed, along with your email address and we will then send you all the specifications needed on how to receive your non-commercial, non-cost, non-transactional, non-relationship, charity/non-profit courtesy emailing. this non-commercial, non-transactional, non-relationship, courtesy emailing has an important primary purpose of helping society by assisting nonprofits & charities have their non-profit/non-commercial mission statement/special message sent out to 2.5mil option in emails as a courtesy to help worldwide in national and global relief efforts for various causes in need of support. ----- ---- --- -- - - thanks to the technology of email, here are only a few of the countless charities & non-profit organizations we have countributed to this year alone: adventist develop & relief agency international, child help usa, direct relief international, doctors without borders, episcopal relief and development, international medical corps, mercy corps, operation usa, red cross hurricane relief division, red cross washington state chapter, the salvation army, among countless others that have requested global assistance. ----- ---- --- -- - - if this is not a non-profit/charity contact email address and/or you are not interested in our occassional non-commercial, non-transactional, non-cost, non-relationship, courtesy emailings we perform for various nonprofits and charities, delist at: http://broadcastemailservices.odo4.meibu.com/dounsub.php ----5022375956366480-- And another one: Received: from 61.51.45.125 by mail.ourdomain.nl (LogSat Software SMTP Server) Fri, 11 Nov 2005 06:36:25 +0100 Message-ID: <26117417057727.1a7931cho@aaki.dk > Received: from 242.232.50.156 by pcjt25-zja7.nsqk40.eon.net.au with DAV; Fri, 11 Nov 2005 05:42:14 -0400 Reply-To: "postmaster@ourdomain.com" <postmaster@ourdomain.com> From: "postmaster@ourdomain.com" <postmaster@ourdomain.com> To: <postmaster@ourdomain.com> Subject: postmaster@ourdomain.com Date: Fri, 11 Nov 2005 12:42:14 +0300 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--18956560431480567067" X-Server: LogSat Software SMTP Server X-SF-RX-Return-Path: <postmaster@ourdomain.com> X-SF-HELO-Domain: [our relay ip] ----18956560431480567067 postmaster@ourdomain.com is a nonprofit/charity contact email address right? if so... WE WILL EMAIL YOUR WEB SITE TO 2,500,00 0PT-IN EMAILS FOR [Free] http://broadcastemailservices.odo4.meibu.com ****** Same BS as in previous mail ****** if this is not a non-profit/charity contact email address and/or you are not interested in our occassional non-commercial, non-transactional, non-cost, non-relationship, courtesy emailings we perform for various nonprofits and charities, delist at: http://broadcastemailservices.odo4.meibu.com/dounsub.php ----18956560431480567067-- . Edited by Marco
	Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams

LogSat Members Profile Send Private Message Find Members Posts Add to Buddy List Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4105	Post Options Post Reply Quote LogSat Report Post Thanks(0) Quote Reply Posted: 11 November 2005 at 4:10pm
	Marco, I just tested sending the email, and it was successfully blocked by the SURBL filter. As you probably already know, SpamFilter will check all hyperlinks in an email against SURBL servers to see if they are blacklisted. If so, the email is rejected. If you don't have the SURBL filter enabled, we strongly recommend you do so, as it's very effective. If the filter was enabled, it is possible that the spam was "fresh", meaning that the SURBL server(s) you are using did not have the spammer's URL (meibu.com in this case) in their database.
	Roberto Franceschetti LogSat Software Spam Filter ISP

Marco Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 07 June 2005 Location: Netherlands Status: Offline Points: 137	Post Options Post Reply Quote Marco Report Post Thanks(0) Quote Reply Posted: 14 November 2005 at 2:59am
	Thanks for your explanation Roberto. It probably was fresh at the time of receipt, SURBL filter is on and usually catches a lot of spams. Isn't there something specific going on with this spam type for us to successfully catch it before even SURBL has it's url registered? It's a matter of time i think before other spammers will adapt this method and surbl will allways be one step behind. Best regards, Marco
	Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams

LogSat Members Profile Send Private Message Find Members Posts Add to Buddy List Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4105	Post Options Post Reply Quote LogSat Report Post Thanks(0) Quote Reply Posted: 14 November 2005 at 5:09pm
	In the two particular cases you posted above, both emails fake their "from" address to appear as originating from your domain. SpamFilter already has two great filters to catch these. The 1st is the "Reject if From Domain = To Domain". Normally your internal users will send emails within your domain by contacting your main SMTP server, not going thru SpamFilter. If so, then this filter will prevent all emails with senders spoofing your address. The 2nd is the SPF filter. If you configure an SPF record for your domains, and enable the SPF filter in SpamFilter, from then on nobody will be able to fake your domain as a sender. Only IP addresses you approve by entering them in the SPF DNS record will be allowed to send emails.
	Roberto Franceschetti LogSat Software Spam Filter ISP

Kirby Howarth Members Profile Send Private Message Find Members Posts Add to Buddy List Guest Group	Post Options Post Reply Quote Kirby Howarth Thanks(0) Quote Reply Posted: 16 December 2005 at 12:10pm
	Seems to me that most spam that I get comes with links to http:// uk.geocities.com/ If people start blocking this then maybe they as a large company will get some really money invested into stopping this from happening. Hands up for who agrees with them spending money..... my hands touching the sky!!!!

LogSat Software

Site Navigation[Skip]

Spam Filter ISP Support Forum

Some spammer is using weird technique