Flutterby™! : Spam

Next unread comment / Catchup all unread comments User Account Info | Logout | XML/Pilot/etc versions | Long version (with comments) | Weblog archives | Site Map | | Browse Topics


2004-03-25 22:10:55.866064+00 by Dan Lyke 11 comments

So every once in a while, when I'm really ultra certain about something, I add an entry to my .procmailrc rules which filter a message to /dev/null. This morning I erased my download log and started fresh. Since this morning, I've received 158 emails. 23 of them have been gotten by these rules. The slimeballs at "bestdailydeal.com" and "moosq.com" seem to be the worst offenders, especially since I've tried unsubscribing from both of them. Lying scum. I'm actually shocked and amazed that those slimeballs don't try to hide any better, but I'm glad that they're so easy to filter.

[ related topics: moron Net Culture ]

comments in ascending chronological order (reverse):

#Comment dns black lists? made: 2004-03-25 23:04:30.524736+00 by: flushy [edit history]

why don't you just set your mail server to use DNSBL ?

I use about 4 of them, and our spam has dropped by about 90%. Over 50% of the messages that connect to the system are SPAM. DNSBL stops them before they even try.. that and a patch that I added to amavis that blocks based on file extentions of attached files.

That patch alone has stopped thousands of virii. It was a patch original for a really new version of amavis, and I just back-ported it to the version of Suse that our server runs.

some stats:

Start:Thu Mar 25 17:25:33 2004
From: Mon Mar  1 00:06:40 2004
To  : Thu Mar 25 17:24:56 2004
553 5.3.0 spam blocked see: http://spamcop.net/bl.shtml : 3330       :  33.7 %
550 5.7.1 message content rejected                      : 2060       :  20.9 %
553 5.3.0 mail from rejected - sorbs                    : 1300       :  13.2 %
553 5.3.0 mail from rejected - njabl                    : 936        :   9.5 %
553 5.3.0 mail from rejected - spamhaus                 : 598        :   6.1 %
550 5.7.1 relaying denied. proper authentication requir : 454        :   4.6 %
553 5.1.8 domain of sender address does not exist       : 404        :   4.1 %
553 5.3.0 mail from rejected - cbl                      : 236        :   2.4 %
550 5.0.0 your server is banned from this site          : 199        :   2.0 %
550 5.7.1 relaying denied. ip name lookup failed []     : 158        :   1.6 %
451 4.1.8 domain of sender address does not resolve     : 59         :   0.6 %
451 4.7.1 temporary lookup failure of at sbl.spamhaus.o : 52         :   0.5 %
550 5.7.1 relaying denied. ip name possibly forged []   : 50         :   0.5 %
450 4.7.1 relaying temporarily denied. cannot resolve p : 27         :   0.3 %
553 5.3.0 mail from rejected - open relay;see http://ww : 2          :   0.0 %
553 5.5.4 domain name required for sender address pet   : 1          :   0.0 %
553 5.5.4 domain name required for sender address postm : 1          :   0.0 %
451 4.7.1 temporary lookup failure of at proxies.blackh : 1          :   0.0 %
451 4.7.1 temporary lookup failure of at dnsbl.njabl.or : 1          :   0.0 %
553 5.5.4 domain name required for sender address hotma : 1          :   0.0 %
553 5.5.4 domain name required for sender address mer.c : 1          :   0.0 %
553 5.5.4 domain name required for sender address mails : 1          :   0.0 %
Totals                                                  : 9872

#Comment Re: Recipes for the current trojans? made: 2004-03-25 23:38:08.877268+00 by: phoffman

Maybe I'm just being lazy, but have you come up with a procmail recipe to nail the current trojans, the ones that don't have attachments?

#Comment Re: made: 2004-03-26 00:04:30.889063+00 by: flushy

I assume you're talking about windows trojans - as far as non-winders based trojans that don't have attachments, I don't think I've seen any.

nope.. just patch your IE and Outlook :)

that 1 year old patch disables activeX controls in an "unsafe" security model (such as an email preview pane), plus there is a good article on neowin about removing spyware, and it points to some apps that stops activeX (and some java) trojans from activating - this should help you there.


If you want a unix based trojan.. ok here ya go!

---begin email--- WARNING! There is a UNIX virus running around that activiates upon bootup!! As machines boot up, they are vulnerable to internet attacks right when they turn on their network card. This virus attempts to infect the computer at that time - before it can load any of it's "secure" services.

If your computer was infected during this window of insecurity, you need to REMOVE IT NOW! It will delete all your important files, and search your log files for machines to infect!!!!!!

To search for it, do:

find / -perm +555 -name 'stty'

if it shows you any of the following: /bin/stty /sbin/stty

then you are INFECTED!!

you need to delete that file PLUS these files: /lib/ld-* /etc/ld.so.*

Then you need to reboot!!

QUICK!! Send this to all your friends to ensure they aren't infected, too!!

--end message--

#Comment made: 2004-03-26 01:32:23.088836+00 by: baylink

What is that, a newly ported version of the Amish virus?

#Comment Re: flushy's virus troll made: 2004-03-26 01:37:11.125626+00 by: td

The only trojan here is the content of flushy's forwarded email message. Never believe virus warnings you get in email -- they're almost always trolls. If you remove /bin/stty and /sbin/stty, your system will get harder to use. If you remove /lib/ld-* and /etc/ld.so.* you may (depending on details) be unable to run binaries that use dynamically-loaded libraries.

#Comment Re: made: 2004-03-26 03:43:15.920266+00 by: Dan Lyke

I don't run a blackhole list because as someone who runs a bunch of mailing lists I have so many problems with errant blackhole list issues that I'm not willing to take the false-positive hit.

#Comment Re: trojan made: 2004-03-26 16:32:08.506391+00 by: flushy

the email message was the trojan, anyone acting upon the message and forwarding it to someone becomes the virus carrier.

as someone on the Nanog list put it approxiamately, it doesn't matter if someone sends you message claiming that you have to perform 15 steps to run a program. If the receiver believes that they have to perform those tasks, they will. My point is, trojans and viruses don't have to rely on vulnerabilities to propogate - they rely on social engineering. It's the hacker's oldest tool in the book. Hell, women have been doing it to men for years :)

#Comment Re: Blacklists made: 2004-03-26 16:45:46.758736+00 by: flushy


I'm not sure how many messages your system sends a day, but we deal with about 1,000 messages a day, from online quotes, to payment confirmations, to requests for proposals, black out dates, and hotel reservations. These are things which must be sent and responded to.

I have designed a set of log parsers that aid me in detecting false positives. In the past 4 months of using the blacklists, I've only had one false positive (with the exception listed below). And even then, we wouldn't white list the domain or IP block (it was a valid customer in a known spammer domain).

I had to drop sorbs from the DNS list, cause they were blocking yahoo mail servers. I caught that in about 3 hours when they started blocking it. After I dropped them, my spam in the system increased to ~34 spam messages a day (not just me but company addresses, too). I've since been spam-copping those that get through, and I'm now at ~12 spam messages a day - company wide.

If you're still hung up on DNSBL's, have you considered a Bayesian filter? I've heard good things about them, and they exist for just about any MTA.

#Comment Re: made: 2004-03-26 17:37:59.47536+00 by: Dan Lyke

I'm having fairly good luck with Spam Assassin and Razor, further down in my .procmailrc I deal with those. I'm just amazed that a simple rule on From: domain kills a sixth of my inbound email.

#Comment Re: made: 2004-03-26 18:01:59.055627+00 by: Shawn

I don't use block lists because I *am* a false positive. Diane's ISP (for example - there have been others) won't accept e-mail from my domain because the list claims the entire subnet I'm in is owned by some porn spammer - a company name I can find no trace of on the 'net. (And I know for a fact that the former employer who hosts my page doesn't allow adult content.)

I use the Bayesian filter POPFile and I've been pretty happy with it. I get occasional false positives, but I'm in complete control and can easily find them.

Unfortunately, I've been seeing a small rise in spam that's making it through the filter (~3/week). And overall spam appears to be trying to counteract the filters by including a block of additional "valid" words.

#Comment Re: DNSBLs should die made: 2004-04-01 06:11:27.836517+00 by: Mark A. Hershberger

Blacklists were the bane of my existance as the SMTP-relay admin for a company that wanted to block spam.

Being naive and foolish, I suggested BLs and we implemented them. Almost immediately, we got false positives (we're talking about 40-50,000 messages a day). When the BL lists your law firm, your vendors, or your clients, you notice.

A BL-only solution is like using a sledgehammer to put a roof on your house.

When I started working for the Clark Campaign, we got a T1 from AllTel. Unfortunatly, they gave us Class C that was listed as a dial-up range. Getting out of that took forever.

Another time, someone who shared the Class C network that we were hosted on at Above.net was listed by Spamhaus. Spamhaus blocked the entire Class C without checking to see if there was anyone else there.

(And I confess that the campaign wasn't exactly the model citizen that I'd like it to have been. Some staffers with more zeal for the candidate than concern about Spam arranged for some emails to go out from domains like "freecoupons.com" and such. Trying to reign people in on a campaign is very difficult to do.)