Spam flooding recent days

Hello,

I've noticed a huge increase of spam rate in past 2-3 weeks. Most of it are messages with some quite normal Subject:, often (but not necessarily) referring to some fake event (i.e. some politician stabbed to death) and there's only a link, sometimes together with a single sentence, in the body. How to fight this? Bayes doesn't catch this much, perhaps because these messages contain little text.

I don't have an example of a message of exactly this kind at this moment, but this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an easier case, but most of these spams don't refer to viagra and usually score BAYES_50 (max) and nothing more.

X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=3.9 tests=BAYES_50,DRUGS_ERECTILE,
	HTML_MESSAGE autolearn=no version=3.2.5
[...]
Received: from 190-95-40-158.bk18-dsl.surnet.cl
	(190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])
	by xxxxxxxx (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
	for <michalj@xxxxxxxxxxxxx>; Mon, 21 Jul 2008 19:00:29 +0200
Message-ID: <6AB62D6CDA3697D208CCF8968D13911D@...>
From: "World Pharmacy -A22 " <{WORLDPHARMACY}@...>
Subject: Sale on all items.. viagra for $1
Date: Mon, 21 Jul 2008 17:00:32 GMT
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="-------=_NextPart_191_031A_0000040D.00007EC0"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Microsoft MimeOLE V6.00.2900.2527

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<body>
<h2>
<a href="http://www.geocities.com/bettyaphdjnx/"> see site </a></h2>

</body></html>
Re: Spam flooding recent days

On Mon, 21 Jul 2008, Michał Jęczalik wrote:

> Hello,
>
> I've noticed a huge increase of spam rate in past 2-3 weeks. Most of it
> are messages with some quite normal Subject:, often (but not necessarily)
> referring to some fake event (i.e. some politician stabbed to death) and
> there's only a link, sometimes together with a single sentence, in the
> body. How to fight this? Bayes doesn't catch this much, perhaps because
> these messages contain little text.
>
> I don't have an example of a message of exactly this kind at this moment, but
> this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an
> easier case, but most of these spams don't refer to viagra and usually
> score BAYES_50 (max) and nothing more.
>
> X-Spam-Level: ***
> X-Spam-Status: No, score=3.6 required=3.9 tests=BAYES_50,DRUGS_ERECTILE,
> 	HTML_MESSAGE autolearn=no version=3.2.5
> [...]
> Received: from 190-95-40-158.bk18-dsl.surnet.cl
> 	(190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])
> 	by xxxxxxxx (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
> 	for <michalj@xxxxxxxxxxxxx>; Mon, 21 Jul 2008 19:00:29 +0200
> Message-ID: <6AB62D6CDA3697D208CCF8968D13911D@...>
> From: "World Pharmacy -A22 " <{WORLDPHARMACY}@...>
> Subject: Sale on all items.. viagra for $1
> Date: Mon, 21 Jul 2008 17:00:32 GMT
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="-------=_NextPart_191_031A_0000040D.00007EC0"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-MimeOLE: Microsoft MimeOLE V6.00.2900.2527
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML>
> <body>
> <h2>
> <a href="http://www.geocities.com/bettyaphdjnx/"> see site </a></h2>
>
> </body></html>

First thing, do you have network tests turned off? That IP address hit 5 different DNSBL lists here, some of which we use at the SMTP level, so that message would not even have made it in our front door. ;) (I realize that it might not have been listed earlier today.)

Install the BOTNET plugin; it will add points to those PC-on-DSL/CABLE clients, even before they get listed in DNSBLs.

I'm guessing that the kind of message you are referring to looks more like:

Date: Mon, 21 Jul 2008 11:49:04 +0200
From: Froskary <Froskary-orkworth@...>
To: YYYYYY@...
Subject: CNN Wire: Obama arrives in Iraq

B-52 bomber crashes off island of Guam
http://pelledilunaaXXXXX.it/begin.html

These are not strictly speaking spam; they're actually trojan bot messages attempting to get people to download a trojan onto their PCs. (If you are foolish enough to read that message on a PC and click on that link, you are pOwn3d.)

Those things seem to regularly hit BOTNET, DNSBLs like Spamhaus & abuseat-CBL, and the URLs tend to get listed in SURBL/URIBL.

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
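As an added example (not code from this thread, from SpamAssassin or from the BOTNET plugin), the script below approximates the two signals the reply above leans on and runs them offline against the messages quoted in this thread: a BOTNET-style look at whether the connecting client's reverse DNS embeds its own IP octets or a dynamic-pool keyword, and a body-shape check for "one link and almost no words", which is exactly the input Bayes has no tokens for. The samples are reconstructed from the quoted messages (single part only, redacted addresses left out); the keyword list, the thresholds and the point values are my assumptions, not the plugin's or SpamAssassin's.

```python
import email
import re
from email import policy

# Constructed samples, reduced from the messages quoted in this thread.
# SPAM: the pharmacy message from the first post, as a single text/html
# part (the original was multipart/alternative); the redacted From:/To:
# addresses are left out and the poster's 'xxxxxxxx' masking is kept.
SPAM = """\
Received: from 190-95-40-158.bk18-dsl.surnet.cl (190-95-40-158.bk18-dsl.surnet.cl [190.95.40.158])
\tby xxxxxxxx (8.12.8/8.12.8) with SMTP id m6LH0TnX015727
\tfor <michalj@xxxxxxxxxxxxx>; Mon, 21 Jul 2008 19:00:29 +0200
Subject: Sale on all items.. viagra for $1
Date: Mon, 21 Jul 2008 17:00:32 GMT
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><body><h2><a href="http://www.geocities.com/bettyaphdjnx/"> see site </a></h2></body></html>
"""

# BOT: the "CNN Wire" message from Dave's reply; it was quoted without a
# Received: header, so only the body check can fire on it.
BOT = """\
Subject: CNN Wire: Obama arrives in Iraq
Date: Mon, 21 Jul 2008 11:49:04 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

B-52 bomber crashes off island of Guam
http://pelledilunaaXXXXX.it/begin.html
"""

# HAM: a constructed control message from a properly named mail server.
HAM = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby xxxxxxxx (8.12.8/8.12.8) with ESMTP id m6LH0TnX015728
\tfor <michalj@xxxxxxxxxxxxx>; Mon, 21 Jul 2008 19:05:00 +0200
Subject: Re: meeting notes
Date: Mon, 21 Jul 2008 17:04:50 GMT
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Thanks for the notes. I have added the action items to the tracker and
will follow up with the vendor about the firewall change on Wednesday.
"""

RECEIVED_RE = re.compile(
    r"from\s+\S+\s+\((?P<rdns>[A-Za-z0-9.-]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)
# Assumed keyword list; the real BOTNET plugin ships its own patterns.
DYNAMIC_WORDS = ("dsl", "cable", "dyn", "dial", "ppp", "pool", "dhcp")
# Illustrative point values, not SpamAssassin's or BOTNET's scores.
SCORES = {"IP_IN_RDNS": 1.0, "DYNAMIC_RDNS": 1.0, "LINK_ONLY_BODY": 1.5}


def relay_reasons(rdns, ip):
    """BOTNET-style look at the connecting client's reverse DNS."""
    host = rdns.lower()
    reasons = []
    # Three or more of the client's own octets embedded in its hostname.
    octet_hits = sum(1 for o in ip.split(".") if re.search(rf"(?<!\d){o}(?!\d)", host))
    if octet_hits >= 3:
        reasons.append("IP_IN_RDNS")
    if any(re.search(rf"(?<![a-z]){w}", host) for w in DYNAMIC_WORDS):
        reasons.append("DYNAMIC_RDNS")
    return reasons


def body_reasons(msg, max_words=12):
    """One link and (almost) no words: the shape Bayes has no tokens for."""
    part = msg.get_body(preferencelist=("html", "plain"))
    if part is None:
        return []
    content = part.get_content()
    links = URL_RE.findall(content)
    # Drop URLs, then tags, and count what is left that looks like a word.
    text = re.sub(r"<[^>]+>", " ", URL_RE.sub(" ", content))
    words = [w for w in text.split() if re.search(r"[A-Za-z]", w)]
    return ["LINK_ONLY_BODY"] if len(links) == 1 and len(words) <= max_words else []


def score_message(raw):
    """Return (points, hit names) for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    received = msg.get_all("Received") or []
    # The topmost Received: was added by our own MX, so it names the last
    # external hop: the client an SMTP-time DNSBL or BOTNET would judge.
    if received:
        m = RECEIVED_RE.search(str(received[0]))
        if m:
            hits += relay_reasons(m["rdns"], m["ip"])
    hits += body_reasons(msg)
    return sum(SCORES[h] for h in hits), hits


if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("BOT", BOT), ("HAM", HAM)):
        points, hits = score_message(raw)
        print(f"{name}: {points:.1f} {','.join(hits) or '-'}")
```

Run as-is it prints one line per sample: the pharmacy message collects all three hits, the "CNN Wire" message only the body hit (no relay information survived in the quote), and the control message nothing. The point of the split is the one Dave makes: the relay signal is available at SMTP time, before any body is accepted, which is why a DNSBL or BOTNET check at the front door catches these where Bayes stalls at BAYES_50.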
Re: Spam flooding recent days

On Mon, 2008-07-21 at 22:50 +0200, Michał Jęczalik wrote:

> Hello,
>
> I've noticed a huge increase of spam rate in past 2-3 weeks. Most of it
> are messages with some quite normal Subject:, often (but not necessarily)
> referring to some fake event (i.e. some politician stabbed to death) and
> there's only a link, sometimes together with a single sentence, in the
> body.

This sounds like ratware spreading phishes to me. Well, based on the vague and fuzzy description, anyway. Nicely caught by ClamAV with SaneSecurity phish sigs, and never even processed by SA here. I personally don't really see them as spam, though, but as malware distribution mail. Hence the dropping with ClamAV. ;)

However, they seem to be generated by the very same software. In every backscatter wave, I do see a lot of these, too.

Also, by pure collateral coincidence (I was investigating low-scoring spam), I might be cooking up a rule that does hit on these. Needs some more investigation the next days, though.

> How to fight this? Bayes doesn't catch this much, perhaps because
> these messages contain little text.

See above, maybe. Other than that -- no example, no hint how to stop them.

> I don't have an example of a message of exactly this kind at this moment, but
> this one below is similar. Well, it does catch DRUGS_ERECTILE, so it's an
> easier case, but most of these spams don't refer to viagra and usually
> score BAYES_50 (max) and nothing more.

This example seems to be unrelated to the one described initially, IMHO. It is a real spam, selling drugs.

guenther

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1: (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: Spam flooding recent days

> From: Michał Jęczalik [mailto:michal@...]
> Subject: Spam flooding recent days
>
> Hello,
>
> I've noticed a huge increase of spam rate in past 2-3 weeks. Most of it
> are messages with some quite normal Subject:, often (but not necessarily)
> referring to some fake event (i.e. some politician stabbed to death) and
> there's only a link, sometimes together with a single sentence, in the
> body

It's called "tabloid spam".

http://redtape.msnbc.com/2008/07/no-presidential.html#posts