This particular spam won't stop


Carl-L


I had this problem with our mail server: we were getting loads of these ed-meds/ed-drugs and SpamAssassin wasn't picking them up. I tried filtering using the base64 strings, but it wasn't taking any notice of the rules (currently using a MailScanner/Sendmail/SpamAssassin setup to pick up the spam, so far doing an excellent job, well apart from these particular spam emails!).

The only solution I could come up with was to create a virus signature for these images (the ed-drugs and ed-meds gif files and their variations) and use that with Clamav.

Since setting it up it's picked them up quite successfully, and if they bring out any new gifs I now know what to do. It is a bit convoluted, but it works.

I used this guide: http://www.antionline.com/attachment.php?postid=798589

I only used the first couple of lines in the hex editor to generate the signature.


> I used this guide: http://www.antionline.com/attachment.php?postid=798589
>
> I only used the first couple of lines in the hex editor to generate the signature.

Your link shows a red X. Could you edit the post? All I do is view the source of the message, and copy the first several characters of the embedded graphic. That becomes a filtering word (signature) - works like a charm! Is there any reason why the method I list above (e.g., just input that code/signature as text) wouldn't be as effective as generating a hex signature?

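The two approaches above, a ClamAV-style hex signature taken from the first bytes of the decoded image versus a text filter on the base64 characters copied from the message source, can be compared directly. The following Python is an added example written for this thread, not code from either poster, the antionline guide, or ClamAV itself; the GIF bytes, addresses and signature name are constructed placeholders. It builds a signature line in ClamAV's .ndb layout (Name:TargetType:Offset:HexSignature), applies it to the decoded attachment as a scanner would after MIME decoding, and shows the one mechanical reason the base64-text method is more fragile: base64 encodes three bytes at a time, so the same image bytes produce different text if they sit at a different 3-byte alignment (or are split across a wrapped line), while the decoded bytes match either way.

```python
"""Added example (not from the thread): derive a ClamAV-style hex signature
from the leading bytes of an embedded GIF, apply it to a MIME message, and
compare it with matching the copied base64 text directly."""
import base64
import email
from email import policy
from email.message import EmailMessage

# Constructed sample: a minimal GIF header followed by made-up payload bytes.
# Real spam images are far longer; only the leading bytes matter here.
SAMPLE_GIF = b"GIF89a\x10\x00\x10\x00\x80\x00\x00" + b"\xff\xee\xdd" * 12


def build_message(image: bytes, filename: str = "ad.gif") -> bytes:
    """Construct a multipart message carrying `image` as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # placeholder addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(image, maintype="image", subtype="gif", filename=filename)
    return msg.as_bytes()


def hex_signature(prefix: bytes, name: str = "Spam.Image.Sample", offset="*") -> str:
    """Format one .ndb line: Name:TargetType:Offset:HexSignature.
    TargetType 0 = any file; offset '*' = anywhere, an integer = exact offset."""
    return f"{name}:0:{offset}:{prefix.hex()}"


def image_parts(raw: bytes):
    """Yield the decoded bytes of every image/* part in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            yield part.get_payload(decode=True)


def matches_signature(raw: bytes, sig_line: str) -> bool:
    """Apply the hex signature to the decoded image parts, the way a scanner
    matches after undoing the transfer encoding."""
    _, _, offset, hexsig = sig_line.split(":")
    needle = bytes.fromhex(hexsig)
    for data in image_parts(raw):
        if offset == "*":
            if needle in data:
                return True
        elif data[int(offset):int(offset) + len(needle)] == needle:
            return True
    return False


def text_vs_hex(prefix: bytes, shift: int):
    """Return (hex_hit, text_hit) for `prefix` placed `shift` bytes into an
    attachment. The decoded-byte match is alignment independent; searching the
    raw message source for base64(prefix) only works when shift % 3 == 0."""
    blob = b"\x00" * shift + prefix + b"\x00" * 3
    raw = build_message(blob)
    hex_hit = matches_signature(raw, hex_signature(prefix))
    text_hit = base64.b64encode(prefix) in raw
    return hex_hit, text_hit


if __name__ == "__main__":
    sig = hex_signature(SAMPLE_GIF[:12])
    print(sig)
    print("decoded match:", matches_signature(build_message(SAMPLE_GIF), sig))
    for shift in (0, 1, 2, 3):
        print(f"shift={shift}: (hex, text) ->", text_vs_hex(SAMPLE_GIF[:12], shift))
```

Running it prints the signature line and then shows the hex match succeeding at every shift while the base64-text match succeeds only at shifts 0 and 3. In production the generated line would go into a `.ndb` file in ClamAV's database directory; the Python matcher here only stands in for that step so the behaviour can be seen without a scanner installed.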

> Your link shows a red X. Could you edit the post?

It's a PDF that Adobe Reader 6.0.3 for Windows can read in a Firefox 1.0.4 window.

I only had silence for about 24 hours. Ed meds are back, and this time without the coding. What can be done now to stop these messages? I am so fed up with getting these it's not even funny. I want them stopped!!!

Thanks,

Denise


> I only had silence for about 24 hours. Ed meds are back, and this time without the coding. What can be done now to stop these messages? I am so fed up with getting these it's not even funny. I want them stopped!!!
>
> Thanks,
>
> Denise

...You ask a question the answer to which is VERY involved. The easy answer is to ask your e-mail provider to change your e-mail address. This will stop the spam until you do whatever it was you did to get your current e-mail address listed somewhere that spammers could get to it.

Denise, another option is to protect your current account with better filtering, using the SpamCop Email System or another filtering solution.


Yes, I know it would be easy to just change email addresses, but we can't do that until after a special event takes place that my husband is in the midst of planning. He doesn't want to fool with changing email addresses right now.

I guess I will have to look into the Spamcop Email system that someone mentioned. I'm with BellSouth and they do some filtering. I also have MailWasher. What more do I need? I report every spam message to BellSouth, but they have been totally unable to stop ed meds.

Thanks to you both for responding to my post.

--Denise


OK, I have added the DNS blacklists to MailWasher. Three of them couldn't be used because MailWasher said the domain is not formed well. These are the ones:

sbl.spamhaus.org www.spamhaus.org/sbl/

korea.services.net

cbl.abuseat.org

Are there other addresses available for these that Mailwasher will accept? And is this the only list and does it have all of the DNS blacklists currently available?

--Denise


> domain is not formed well ...
>
> sbl.spamhaus.org        www.spamhaus.org/sbl/

That shouldn't be happening. Did you try "sbl.spamhaus.org" without spaces or quotes, for example?

> Are there other addresses available for these that Mailwasher will accept?


Sorry, I don't think so.

> And is this the only list and does it have all of the DNS blacklists currently available?


It is the only list that JT approves of. There are 154 currently listed on DECLUDE and I'd suggest only the ones there with A, Free, and OK checked.
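The "domain is not formed well" rejection and the DNSBL lookup itself are easy to reproduce in a few lines. The Python below is an added example written for this thread, not MailWasher's code or anything from the posters: it normalises a pasted zone name (trimming stray spaces and refusing URL fragments such as `www.spamhaus.org/sbl/`), builds the reversed-octet query name, and interprets the answer as a listing only when it falls in 127.0.0.0/8. The resolver is injected so the demo runs offline against a constructed table; passing `socket.gethostbyname` instead performs real lookups. The 192.0.2.7 listing and its 127.0.0.2 code are constructed test data, not a claim about any real address.

```python
"""Added example (not from the thread): DNSBL zone-name validation and
reversed-octet lookups with an injectable resolver."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, Optional

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def normalise_zone(raw: str) -> str:
    """Strip pasted whitespace/quotes and reject anything that is not a bare
    hostname. A URL fragment or an embedded space is the usual cause of a
    'domain is not formed well' style error in a mail filter."""
    zone = raw.strip().strip('"').lower().rstrip(".")
    labels = zone.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid DNSBL zone name: {raw!r}")
    return zone


def query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried by reversing the IPv4 octets under the zone name."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def dnsbl_check(ip: str, zone: str, resolve: Callable[[str], str]) -> Optional[str]:
    """Return the listing code (an address inside 127.0.0.0/8) or None when the
    IP is not listed. NXDOMAIN is signalled by the resolver raising
    socket.gaierror, which is what socket.gethostbyname does."""
    name = query_name(ip, normalise_zone(zone))
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return answer
    # Anything outside 127/8 is not a listing (e.g. a wildcard answer from a
    # zone that has been shut down and now resolves everything).
    return None


# Constructed offline resolver table: pretends 192.0.2.7 is listed in the SBL.
FAKE_LISTINGS: Dict[str, str] = {"7.2.0.192.sbl.spamhaus.org": "127.0.0.2"}


def fake_resolve(name: str) -> str:
    """Stand-in for socket.gethostbyname that never touches the network."""
    if name in FAKE_LISTINGS:
        return FAKE_LISTINGS[name]
    raise socket.gaierror(f"constructed NXDOMAIN for {name}")


def check_all(ip: str, zones: Iterable[str], resolve=fake_resolve) -> Dict[str, Optional[str]]:
    """Check one sending IP against several zones, recording malformed zone
    names as skipped instead of aborting the whole run."""
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        try:
            results[zone] = dnsbl_check(ip, zone, resolve)
        except ValueError as exc:
            results[zone] = f"skipped: {exc}"
    return results


if __name__ == "__main__":
    # The three entries as they were pasted in the thread, spaces included.
    pasted = ["sbl.spamhaus.org www.spamhaus.org/sbl/", " korea.services.net", "cbl.abuseat.org "]
    for zone, result in check_all("192.0.2.7", pasted).items():
        print(f"{zone!r}: {result}")
```

The first pasted entry is skipped because it is two tokens, one of them a URL path; the other two are accepted once trimmed, which matches the later report that the names worked after the stray spaces were removed.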

> That shouldn't be happening. Did you try "sbl.spamhaus.org" without spaces or quotes, for example? Sorry, I don't think so. It is the only list that JT approves of. There are 154 currently listed on DECLUDE and I'd suggest only the ones there with A, Free, and OK checked.

Thanks for the information. I may check into that.

For now it has been a quiet 24 hours! I actually went to their website and repeatedly asked them to please remove me from their mailing list. I told them for every message I received, they would get two back asking for my address to be removed. I also told them I would never, ever buy their products.

Their "final" statement, I think, was their ad with a message at the bottom: "So you think your computer is safe and secure" or something like that. That message contained the same last name as the last message I had gotten from a friend! On the same day I got two messages that contained only I'm sure a fake sender's name, no subject and nothing in the body, but had some kind of .zip file attached that I guess they thought I would be stupid enough to open! After that I wrote them two more messages and told them if they would leave me alone, I'd leave them alone. Not a word since. I do hope it's stopped now!

--Denise


> That shouldn't be happening. Did you try "sbl.spamhaus.org" without spaces or quotes, for example? Sorry, I don't think so. It is the only list that JT approves of. There are 154 currently listed on DECLUDE and I'd suggest only the ones there with A, Free, and OK checked.

I tried again and made sure there weren't any spaces, and it took all 3 this time. I guess I had copied and pasted spaces in there! Thanks for the suggestion.

--Denise


> If the source(s) of the spam are, indeed, overseas (I am assuming you are in North America), you might consider trying a solution that works well for me: block all email that sources outside North America (based on IP address). I have been doing this for several years now, and it traps/eliminates 70-80 percent of spam.
>
> Obviously, this solution will not work for everyone. In my case, I do not have any legitimate communication with anyone overseas, therefore any email sourced from an overseas server is spam. I therefore only receive/filter/report spam from North American servers (about 70 percent of it from Comcast). Since reporting spam to (most) overseas server operators is pointless (few will do anything about it), there is no net loss and such spam as I do report is more likely to be acted on.
>
> I actually block IP ranges rather than individual addresses. Basically, anything registered under APNIC, LACNIC, or RIPE goes into the bit bucket.

They're using hijacked IP addresses, so I can't blacklist them effectively. Once I run them through SpamCop I've found that China Tien Tong (I believe... I'm working from memory here) is usually buried in there somewhere, and they are sent feedback... although I wonder if they're doing anything about it. They have a US IP suffix (.com)... although they're a China based ISP.

I have blacklisted all overseas suffixed sites, BTW, but that's of no help here.

It just occurs to me that seeing as how the formats are all the same there should be a way to block them based upon a specific phrase.

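The quoted post's approach, rejecting mail whose connecting host falls in netblocks the recipient never expects legitimate mail from, comes down to two steps: find the IP that actually connected, and test it against a CIDR list. The Python below is an added example written for this thread, not code from any poster; the netblocks are documentation ranges standing in for a real allocation list (the page carries no RIR data), and the sample message is constructed. The one point the reply above makes that the code has to respect is trust in the trace headers: only the Received line written by your own border MX records a connection you observed, so the check reads that line and ignores earlier ones, which a sender can write freely.

```python
"""Added example (not from the thread): reject by connecting-IP netblock,
reading only the Received header our own border MX wrote."""
import ipaddress
import re
from email import message_from_string, policy
from typing import Optional

# Constructed stand-in for an allocation list. In practice this would be
# generated from the RIR delegated files or a feed, never typed by hand.
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # TEST-NET-2, labelled here as 'outside my region'
    "203.0.113.0/24",    # TEST-NET-3
    "2001:db8::/32",     # IPv6 documentation prefix
)]

# The bracketed literal address an MTA records in "from host (name [addr])".
_RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]")


def connecting_ip(raw_message: str, trusted_hops: int = 1) -> Optional[str]:
    """Return the IP from the Received header written by our border MX.
    Received headers are prepended on delivery, so index 0 is the newest; with
    relays of our own in front of the MX, trusted_hops selects the right one."""
    msg = message_from_string(raw_message, policy=policy.default)
    received = msg.get_all("Received") or []
    if len(received) < trusted_hops:
        return None
    match = _RECEIVED_IP.search(received[trusted_hops - 1])
    return match.group(1) if match else None


def is_blocked(ip: str) -> bool:
    """True when the address lies inside any configured netblock."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable literal; leave it to later filters
    return any(addr in net for net in BLOCKED_RANGES)


def decide(raw_message: str, trusted_hops: int = 1) -> str:
    """'reject' if the connecting host is in a blocked range, else 'accept'.
    A message with no usable trace header is passed on to the other filters."""
    ip = connecting_ip(raw_message, trusted_hops)
    if ip is None:
        return "accept"
    return "reject" if is_blocked(ip) else "accept"


# Constructed sample message; all addresses are documentation ranges. The
# second Received line is the kind a sender can forge and is not consulted.
SAMPLE = """Received: from unknown-sender.invalid (unknown [203.0.113.45])
\tby mail.example.invalid with ESMTP; Mon, 01 Jan 2001 00:00:00 +0000
Received: from [192.0.2.10] by some-relay.invalid; Mon, 01 Jan 2001 00:00:00 +0000
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print("connecting IP:", connecting_ip(SAMPLE))
    print("decision:", decide(SAMPLE))
```

Because the check keys on the address that connected to the MX, it is blind to where the mail was composed: a sender relaying through a host inside an accepted range, or using a hijacked address in one, passes straight through, which is the limitation the reply above reports.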

> Gmail (Google mail) now offers a SMTP passworded server accessible from anywhere on the net so anyone with a reasonably up-to-date mail client can do what you do - no need to use webmail and also handy when your ISP's standard server is on a blocklist.

That might help.


> I actually went to their website and repeatedly asked them to please remove me from their mailing list. I told them for every message I received, they would get two back asking for my address to be removed. I also told them I would never, ever buy their products.

If your intention is to make life difficult then the way to do it is to complain to every service provider related to the website URL - the ISP, the domain registrar, the email provider of the domain contact address and the DNS service provider (this is often the ISP but sometimes a different one is used). Copy the complaint to the website registration contact address also - this needs to be active for the spammer to handle domain administration so it gives you a chance to junk up their inbox.

See this post for more details on doing this. I have noticed limited success (a few days peace and quiet followed by spam for new domains) but it undoubtedly is causing more work for the spammers.

