Lodewijk

[Resolved] Receiving 50 Malware E-mails A Day


Rather than fight your ISP's filters, sign up for a free Gmail account and use their SMTP server to send your reports; lots of MailWasher users are doing that now with good results.

I just put my email address in the "Safe senders" field of my ISP's (Alice) mailhost, and now when I send a mail to myself it no longer ends up in its spam box, even when I have its spam filter on.

Don't do this; spammers have your email address, which will allow them to infect your in-box.

Just get a Gmail account. They are free, good, powerful and easy to throw away if you want.

Also go through my signature and check your own computer

(click, "continue to Symantec security check" then "Security Scan")


There has been a tremendous increase in malware-containing spam in the last couple of weeks. I am getting as many as 200-500 a day; they switch from UPS to mail delivery attempts to credit cards being charged, and all contain malware disguised as an attached document. They are far exceeding the pill and watch spam, which at the same time has dropped significantly. It seems spammers are on a rampage to infect computers. It's beyond me why they think sending hundreds of this junk will be more effective than just a few.

I report these manually one by one, since most get trapped in a malware filter and defanged of the malicious content, but that folder does not allow forwarding in bulk. Reporting hundreds a day one by one is a tedious process, but it seems some ISPs have taken note of this already. Unfortunately you cannot hope for the same from Ukrainian and Korean ISPs, so I will have to ride this tide out, as annoying as it is at the moment.

There has been a tremendous increase in the malware containing spam in the last couple of weeks, I am getting as many as 200-500 a day,

Is this coming from mail servers? If not, greylisting is what you need.

You can add a blocklist filter to MailWasher (Settings, "Origin of spam"):

Click the "Add" button.

In the "Name" box put: Quorum.to

In the "Domain" box put: list.quorum.to

"Adjust Server order" to the number one position.

It becomes greylisting without the delay (if it doesn't work for you, it is easily deleted).

This is a new DNS block list (DNSBL) that will get better with use. It blocks non-mail servers.

It works by a "challenge system": mail from a non-listed mail server is initially blocked, and the owners of that mail server (if they check email) click a link in the email sent to them to unblock it, after which it stays unblocked.

I get emails from DVDfab, which was first blocked but unblocked in as little as an hour and has remained unblocked. Expect a lot of false positives at first, but after a short time it works well in my experience. The more use it gets, the better it will get.

Rather than fight your ISP's filters sign up for a free Gmail account and use their SMTP server to send your reports, lots of MailWasher users are doing that now with good results.

Thank you.

But that would mean a brand new email address, so I won't get much -if any- spam for probably quite some time. (If I understand this correctly.)

Since I am in contact with my ISP about this issue, for now I prefer to wait and see what they might do about it. It would be best if they will start allowing sending spam reports to SpamCop.

Don't do this; spammers have your email address, which will allow them to infect your in-box.

Just get a Gmail account. They are free, good, powerful and easy to throw away if you want.

Also go through my signature and check your own computer

(click, "continue to Symantec security check" then "Security Scan")

Thanks.

But is it not true that as long as I don't open any attachments, spammers can't infect my in-box?

Of course since I have my ISP's spamfilter off -to get all the spam in MW- I might as well delete my own address from its 'Safe sender' list. Which I will do.

In the meantime I am not deleting any spam from MW -saving it up- to be sent to SC in case my ISP decides to allow it.

(I was mistaken about my mailhost requiring authentication, so I disabled it in MW.)

About the Gmail account, see my above post.

I'll do the Symantec security check. Thank you for reminding me. I have used it in the past, and it found no weakness then.

Since I have never opened any of the malware attachments, and yesterday scanned with Avira, SAS Pro, MBAM free, Hitman Pro free, and the free online F-Secure scanner -none of which found anything- I feel pretty sure my notebook is not infected.


I just received an answer to my question from the SP administrator:

Question:

"All of the fake UPS, USPS, DHL, and FedEx mails I reported to SP -the one day I had a paid account- contained malware attachments according to Avira AV. And the current batch of fake 'Western Union' emails does too.

Can I still report them to SP?"

Answer:

"Yes, you can use our service to report them."

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

Great!

Don't do this spammers have your email address which will allow them to infect your in-box

Just get a Gmail account they are free, good, powerful and easy to throwaway if you want

Actually, this is the other way around. In order to get to Gmail, you need to allow your browser to run all kinds of active scripting. That means an attachment, JScript or other attacking technique attached to or integrated with an email must be filtered via the browser first, because Gmail won't work without active scripting enabled. I won't use Gmail for anything serious.

And downloading malware onto your computer has no effect unless you run it in some way (via the browser, or by executing it as a program, etc.).

Actually, this is the other way around. In order to get to Gmail, you need to allow your browser to run all kinds of active scripting. That means an attachment, JScript or other attacking technique attached to or integrated with an email must be filtered via the browser first, because Gmail won't work without active scripting enabled. I won't use Gmail for anything serious.

And downloading malware onto your computer has no effect unless you run it in some way (via the browser, or by executing it as a program, etc.).

Interesting; you think Google would have malware on their site?

I always run my browsers at their default security settings, with no security problem ever.

Security Essentials picks up any threatening sites straight away.

Malware of course won't do anything until executed. The trick is getting someone to execute it. Fact is, a lot do.

Often opening an HTML email will do just this (my email is text only).

Interesting; you think Google would have malware on their site?

Everything is possible, but I said it's the incoming emails that contain the attachments. The weakness is that you open up scripting in order to use Gmail.

I always run my browsers at their default security settings, with no security problem ever.

Maybe you don't browse too many sites. Even with the most effective AV you still run the risk of getting malware.

Security Essentials picks up any threatening sites straight away.

If they're so immune, why do you think they make all these security updates every other day? Browsers and OSes.

Malware of course won't do anything until executed. The trick is getting someone to execute it. Fact is, a lot do.

Often opening an HTML email will do just this (my email is text only).

Opening an HTML email in the browser with scripting disabled will do nothing. But when you open it in Gmail, scripting has to be on.

Opening an HTML email in the browser with scripting disabled will do nothing. But when you open it in Gmail, scripting has to be on.

In my Opera browser's integrated email program I can set it to render incoming emails either in HTML or in 'flat text' (I translate from Dutch; I don't know the English term).

Is this 'flat text' what you mean by it being safer and not having scripting on?

I usually don't open email that looks as if it comes from a sender unknown to me, and my Opera mail program has an excellent nose for spotting spam and putting it in the spam box. Plus my Avira has so far put all mail with malware attachments in quarantine. I don't know if it would also spot malware emails that would infect one's machine just by opening them. I didn't know that could happen. I thought only opening virus attachments could do that.

Everything is possible, but I said it's the incoming emails that contain the attachments. The weakness is that you open up scripting in order to use Gmail.

Gmail, for starters, accurately separates spam from ham, with the occasional spam going to your inbox. When or if you open this, Gmail disables outside links by default, until you enable them for that email.

Maybe you don't browse too many sites. Even with the most effective AV you still run the risk of getting malware.

I use around 14 GB a month going to different sites. Can't get too paranoid about it or the Web/Internet becomes unproductive. One has to keep defenses up (read my sig). I have hit sites where my virus protection warns that it is untrusted or possible malware.

If they're so immune, why do you think they make all these security updates every other day?

Security Essentials is pretty good; new definitions seem to be daily (all automatic). I also do the odd scan from one of the many online virus protection companies. I also have a firewall on.

Browsers and OSes.

Opening an HTML email in the browser with scripting disabled will do nothing. But when you open it in Gmail, scripting has to be on.

Again, Gmail will not immediately follow any outside email links/downloads until you give it the OK. I use The Bat! Voyager, which also will not open links unless you give it the OK. It displays in text only first. I don't want to remove the default security systems of my browser; if you do, it becomes unproductive, a problem in itself.

In any case, there is the Google email address that the "TheBat" email client gives one. I just POP that account, with the odd online look to see if the spam filter has caught any, and delete old email from it (I leave messages on the server till I delete them).


I just got an email reply from my ISP, asking me for my client number, and a mobile phone number (which I don't have right now, not having used my cell phone for quite some time.) But I answered that they can call me all weekdays until 12:30 and after 5 pm on my home phone.

At least they are interested in solving the difficulties. I also gave them SP's admin. email address, and suggested they contact him, as SP is the best way to stop the spam flow.

Hopefully they can and will put submit addresses to SP on their trusted list. The only variations are the secret codes in the otherwise identical addresses, like (xxx) in: submit.(xxx)[at]spam.spamcop.net


Problem solved:

On a hunch I typed "alice.nl smtp" in my browser, and found an Alice user forum where some people had posted that for them only 'out.alice.nl' worked, and others that for them only 'smtp.alice.nl' did the trick. So I replaced 'out.alice.nl' with 'smtp.alice.nl' in 'SpamCop Reporting' in MW, and now I am reporting spam through MW to SP!

Strange that 'out.alice.nl' works in my Opera email program, but only 'smtp.alice.nl' in MW... but who cares, as long as it works. :D

Great!

Thank You All for your encouragement and help!

Problem solved:

Thank You All for your encouragement and help!

Thanks for the "wrap-up"


I am still wondering about one thing:

Now 99% of the spam I get is of the 'Visa' variety, and contains the same type of malware attachments as the UPS, USPS, DHL, FedEx, Western Union, and MasterCard series I was getting before.

That previous stream has stopped, maybe because I already received the whole series, or because of SP. But it seems logical that the current 'Visa' stream comes from the same source as the previous series, as the messages in the bodies are the same, except for the used fake brand names.

In MW one can enable automatic blacklisting -I have it disabled- and I wonder if by enabling it previously received series would not even show up in MW anymore. Or if they still would, but then always as spam, without undecided ones.

All of the current ones are already marked as spam -I have had MW's 'Learning' on- so if having them blacklisted by MW would still show the previously received ones again -in case the same ones would be sent to me again- I might as well leave MW's blacklisting disabled.

But if the ones on MW's blacklist would not appear in MW again, then I couldn't report them to SP anymore using MW.

If that would be the case, is it somehow 'better' to disable MW from blacklisting them, so that in case I would receive the same ones again I can again report them to SP? Or would reporting the exact same ones again to SP not improve anything?

But if the ones on MW's blacklist would not appear in MW again, then I couldn't report them to SP anymore using MW.

If that would be the case, is it somehow 'better' to disable MW from blacklisting them, so that in case I would receive the same ones again I can again report them to SP? Or would reporting the exact same ones again to SP not improve anything?

Don't use MW's "Blacklist"; I don't.

I just use "Friends".

Under "Origin of spam" I check the box "Check the origin of the email against DNS blacklist servers" and use:

SpamCop "bl.spamcop.net"

Spamhaus "sbl-xbl.spamhaus.org"

I added some of my own:

CBL "cbl.abuseat.org"

China "cn.countries.nerd.dk"

Brazil "br.countries.nerd.dk"

AFTER creating the friends list:

quorum.to "list.quorum.to"

The ONLY boxes ticked are "Display the email" and "On process mail".

This has become off-topic; you should go to the forum "Suggested Tools and Applications", suggested subject "MailWasher help (?)".

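An added example (not code from the thread, from MailWasher or from SpamCop) of what the "Origin of spam" DNSBL check described in the two MailWasher posts above actually does: take the IP address of the host that handed the message to a server you trust, reverse its octets, look that name up under each configured zone, and treat a 127.0.0.x answer as a listing. The zone names are the ones quoted in the thread; the Received headers, the trusted MX host name (mx.isp.example), the fake DNS answers and the meaning given to answer code 2 are constructed assumptions for the demo. Two points the posts leave implicit are made explicit here: only Received headers written by your own servers can be trusted, and an answer that is not a loopback address (the behaviour of a dead or parked list zone) must be ignored, or every message would be flagged.

```python
"""Client-side DNSBL origin check.  Added example; the sample message,
trusted host, fake DNS answers and reason-code text are constructed."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Optional, Set

# Zones exactly as named in the thread, treated purely as configuration.
DNSBL_ZONES = ["bl.spamcop.net", "sbl-xbl.spamhaus.org",
               "cbl.abuseat.org", "list.quorum.to"]

# A listed IP is answered with 127.0.0.x; the last octet is a per-list
# reason code.  Only the common generic code is named (assumption).
LISTING_CODES = {2: "listed as spam source"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)
Resolver = Callable[[str], Optional[str]]


def reverse_query_name(ip: str, zone: str) -> str:
    """203.0.113.45 + bl.spamcop.net -> 45.113.0.203.bl.spamcop.net"""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage before any DNS traffic
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def originating_ip(headers: str, trusted_hosts: Set[str]) -> Optional[str]:
    """IP that handed the message to the last hop we trust.

    Received headers are prepended as mail travels, so they read newest
    first.  Only headers written by our own servers ('by <trusted host>')
    are reliable; the first header written by anyone else, and everything
    below it, may be forged by the sender, so the walk stops there.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded lines
    origin = None
    for line in unfolded.splitlines():
        if not line.lower().startswith("received:"):
            continue
        by = BY_HOST.search(line)
        if not by or by.group(1).lower() not in trusted_hosts:
            break
        m = IP_IN_BRACKETS.search(line)
        if m:
            origin = m.group(1)
    return origin


def _dns_resolve(name: str) -> Optional[str]:
    """Real resolver: A record for name, or None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_origin(ip: str, zones=DNSBL_ZONES,
                 resolve: Resolver = _dns_resolve) -> Dict[str, str]:
    """Query every zone for ip; return {zone: reason} for zones listing it."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(reverse_query_name(ip, zone))
        if answer is None:
            continue  # NXDOMAIN means "not listed"
        if not answer.startswith("127."):
            # Dead/parked zones often wildcard every name to a public
            # address; trusting that would flag all mail as spam.
            continue
        code = int(answer.rsplit(".", 1)[1])
        hits[zone] = LISTING_CODES.get(code, f"listed ({answer})")
    return hits


# ---- constructed demo data (not a real message) ---------------------------
SAMPLE_HEADERS = (
    "Received: from mail.example.invalid ([203.0.113.45])\n"
    "\tby mx.isp.example with ESMTP id 7Xk2; Tue, 26 Jul 2011 23:47:45 +0200\n"
    "Received: from [198.51.100.7] by relay.evil.example with SMTP;\n"
    "\tTue, 26 Jul 2011 23:47:40 +0200\n"
    "From: \"FedEx\" <noreply@example.invalid>\n"
    "Subject: Your package delivery failed\n"
)
TRUSTED_HOSTS = {"mx.isp.example"}  # our ISP's inbound MX (assumption)
FAKE_ANSWERS = {                     # what DNS would say, constructed
    "45.113.0.203.bl.spamcop.net": "127.0.0.2",
    "45.113.0.203.cbl.abuseat.org": "127.0.0.2",
    "45.113.0.203.list.quorum.to": "127.0.0.10",
    "45.113.0.203.sbl-xbl.spamhaus.org": "198.51.100.1",  # parked-zone style
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


def demo() -> Dict[str, str]:
    """Full check of the constructed message using the fake DNS."""
    ip = originating_ip(SAMPLE_HEADERS, TRUSTED_HOSTS)
    return check_origin(ip, resolve=fake_resolve) if ip else {}


if __name__ == "__main__":
    for zone, reason in demo().items():
        print(f"{zone}: {reason}")
```

Run it as a script to see the three listings for the constructed message; replace `fake_resolve` with the default resolver to query the real zones. Note that the lower Received header in the sample names a different IP (198.51.100.7): it was written by a host we do not control, so it is ignored, which is exactly why the check must stop at the first untrusted hop rather than take the bottom-most header.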

Thank you.

I also use only the 'Friends' list, and have:

"Check the origin of the email against DNS blacklist servers"

SpamCop "bl.spamcop.net"

Spamhaus "sbl-xbl.spamhaus.org"

And on intuition in 'Recognizing spam' I only have enabled:

"Display the email" and "On process mail".

In 'Recognizing email' I only have: "Display the email".

For further questions I'll go to the appropriate places:

http://www.firetrust.com/en/products/mailw...asked-questions

http://forum.firetrust.com/viewtopic.php?f...05&start=30

Thank you again.


I'd also be wary of using the "bounce" feature found in MW and some other software: it's too easy to be labelled as a backscatterer.

I'd also be wary of using the "bounce" feature found in MW and some other software: it's too easy to be labelled as a backscatterer.

Thank you. I'm not using the 'bounce' feature, thanks to earlier given warnings to me above and on MW's forum.

But I just saw this message (in red) in a reported spam on my SP report page:

"ISP has indicated spam will cease; ISP resolved this issue sometime after dinsdag 26 juli 2011 23:47:45 +0200"

("dinsdag" is Dutch for "Tuesday")

Great to see one bite the dust... :D


Over the last 3 weeks I began receiving some 50 spam a day with malware attachments, and lately up to 100. I reported all of them over the last few days, spending some 20-25 minutes 3 or 4 times a day on it.

Even this morning I received the usual 30 for the first batch of the day. But this afternoon -after about 5 hours passed- I only received 2 spam! One of the 'Viagra' variety, and one with the message:

"Hallo,

as proimsed chnanglog is attached,

LAN KERN"

Only this last one had a malware attachment.

I wonder what this sudden total ending of that daily stream of DHL, UPS, USPS, FedEx, Western Union, Visa, MasterCard and Job Opportunities could be due to... maybe the spammers shot their total load...?

Or... (I don't dare think it yet...)

...I wonder what this sudden total ending of that daily stream of DHL, UPS, USPS, FedEx, Western Union, Visa, MasterCard and Job Opportunities could be due to... maybe the spammers shot their total load...? ...
They come and go for unknowable reasons, Lodewijk. Yes, I would like to think it is because the scum sending them have eventually learned that there is no profit in it and that SC reporting has had something to do with making it unprofitable (it certainly cannot have helped them). Or maybe they accidentally infect their own machines :D.

But these attempts to infect have been around before and I'm fairly sure they'll be back again. The trouble is that the malicious attachments are apparently an easy thing for any budding new spammer to manage and they are trivially altered to defeat most "anti-virus" scanners for a few days or weeks following their first release.

It is a continuing battle. You will find some earlier discussions in these forums if you want to search. But thanks to you and other reporters for your efforts - if no-one tried to stop them they would surely be more successful.


Thank you.

Fact is that some 18 1/2 hours have passed since my last post, and I have during that period only received 7 spam instead of the usual 70.

Sometimes I hit 'Check Mail' repeatedly in MW and still have a hard time believing that there is not one single spam for me. I have even sent 2 test emails to myself to see if I would get them in MW... and I did of course, marked as 'Friend.'

Still getting used to the quiet...


Some new 'viagra' and 'job offer' spam began to arrive, but after reporting them they also stopped.

But now a daily batch of the UPS, FedEx, and MasterCard with virus attachments has started up again after a few days respite.

I read about the spammers using techniques to 'stay ahead' of SP. But I also read about 'Complainterator.'

I am thinking of using that as well. But I would like to find out more about it on a new thread I'll call "Complainterator + SpamCop":

http://forum.spamcop.net/forums/index.php?showtopic=11946

Edited by Lodewijk
