ViRGE

Stopping This Damned PDF Stock Spam

18 posts in this topic

I'm sure by now a lot of people here have seen it, and I'm at my wit's end now that the volume is so high and the Spamcop filters catch so little (24 made it through in the last 8 hours). Does anyone have some suggestions for stopping this, other than blocking PDFs entirely?


Nothing useful yet, we've been seeing tons of this in the last few weeks as well. Hopefully as we keep reporting them, they'll get listed and slow down some.


Both of mine received since 16-jul-2007, ended up in SpamCop's Held Mail folder with X-SpamCop-Disposition: Blocked cbl.abuseat.org

I don't know how it is that your account is able to filter emails whose sending IP is blacklisted in cbl.abuseat.org and mine is not. I am still frequently getting email coming into my inbox that is identified as being on one of the blacklists I have enabled when I manually report it. None of the emails are whitelisted, and SA usually assigns a score of 0.0 to these spams w/ PDF attachments.

I don't know how it is that your account is able to filter emails whose sending IP is blacklisted in cbl.abuseat.org and mine is not.
I doubt that's the case, unless you don't have the CBL selected in your filtering blacklist options. It's more likely that Steven's "spam exposure profile" is different (lower) than yours, which has been the case when Steven and I have made comparisons in the past.

I am still frequently getting email coming into my inbox that is identified as being on one of the blacklists I have enabled when I manually report it.
That's usually a case of lag time between the listings on those BLs and SpamCop's cache of the BL info. A while back, I removed the CBL and DSBL from my options due to excessive false positives. I think I'll try turning them back on and see what happens.

DT

Edited by DavidT

I doubt that's the case, unless you don't have the CBL selected in your filtering blacklist options. It's more likely that Steven's "spam exposure profile" is different (lower) than yours, which has been the case when Steven and I have made comparisons in the past.

See my post here for examples of this happening in my account. Even IPs listed on SpamCop's BL got through. Although the majority of UCEs are caught and moved to my Held mail folder, they are 99% of the time caught by SA.

http://img59.imageshack.us/my.php?image=sp...ocklistsdu4.jpg

Notice that I have both CBL and XBL enabled, even though XBL is supposed to pull results from the CBL.

A while back, I removed the CBL and DSBL from my options due to excessive false positives. I think I'll try turning them back on and see what happens.

Unfortunately for me, the opposite is true.

Moderator Edit: image tags removed .... pop-ups, attempted Flash installation, etc. .. absolutely no need to 'force' this on anyone/everyone that looks at this Topic ..... only folks that 'want' to go take a look can now click on the link to take a peek at the configuration settings depicted.

Excess vertical whitespace removed.

Edited by Wazoo


Nothing said about Disposition line data.

Nothing said about any whitelisting.

No specific Tracking URLs in this Topic.

Asked elsewhere .... was there any 'experimentation' done with the Beta WebMail application? Settings under that interface/account and the 'regular' interface/account may not match, also putting things into a mish-mash as far as actual operation ....


Moderator Edit: image tags removed .... pop-ups, attempted Flash installation, etc. .. absolutely no need to 'force' this on anyone/everyone that looks at this Topic ..... only folks that 'want' to go take a look can now click on the link to take a peek at the configuration settings depicted.

Excess vertical whitespace removed.

I apologize if the link to the thumbnail attempted to do anything malicious. I, like users of most modern browsers, do not see any of that thanks to the default settings to block that. The reason I linked to the thumbnail is simply to allow the users to choose if they want to see the full sized image or not w/o having it load the ~100kb image when viewing this topic.

But, again, I apologize if this inconvenienced anyone. I would recommend that everyone run Firefox with the NoScript (which blocks JavaScript, Flash, XSS and other potentially malicious code) and AdBlock Plus extensions (just to name a few) or Opera.

...

Are you asking me to post this info or the thread starter? For the sake of hopefully helping resolve my situation, I will answer the questions you've posted. I will refer back to the post I linked to above and the reports I filed where the spams made it into my inbox but were listed on one of the blacklists I have selected. These are not the PDF spams the OP was referring to, however, but I have gotten those and I have seen many instances where the sender IP was in a blacklist. If necessary, I can post other data on past spams that made it into my inbox and were listed in one of the blacklists (or even future ones).

Nothing said about Disposition line data.

Email 1 No disposition line. Sending IP listed in XBL and SORBS.

Email 2 No disposition line. Sending IP listed in SpamCop BL and SORBS.

Nothing said about any whitelisting.

None of the emails are whitelisted

No specific Tracking URLs in this Topic.

I can post tracking URLs for spam attached w/ PDF where sender IP is listed in one of the blacklists if required.

Asked elsewhere .... was there any 'experimentation' done with the Beta WebMail application? Settings under that interface/account and the 'regular' interface/account may not match, also putting things into a mish-mash as far as actual operation ....

I am currently using Webmail Beta, although what type of experimentation or settings change would have this type of effect I am not aware of. All blacklists are enabled, SA is set to 5. Blocklists and whitelists are configured, but as there are no disposition lines indicating that the sending email addresses are listed on either, that would not be the case. No filters are set to move any mail out of Held Mail for any reason and no other settings I am familiar with would cause this behavior.

Asked elsewhere .... was there any 'experimentation' done with the Beta WebMail application? Settings under that interface/account and the 'regular' interface/account may not match, also putting things into a mish-mash as far as actual operation ....

I'm pretty sure that the Spamcop-specific settings are in a database shared by both the production and the beta versions, so this shouldn't be an issue.

BTW, in order to reduce the amount of spam slipping through to my inbox, I lowered my SA threshold from 5 to 4 a long time ago. Having it set at 5 will generally allow more spam to hit your inbox.

DT


Email 1 No disposition line. Sending IP listed in XBL and SORBS.

IP Address Lookup

85.108.206.134 is not listed in the SBL

85.108.206.134 is listed in the PBL, in the following records: PBL043354

85.108.206.134 is not listed in the XBL

PBL is not on my list of options for inclusion, SBL and XBL are both included. SORBS is not on the list as I see it either.

DNS Blacklist              DNS Zone                  Website
SpamCop Blacklist          bl.spamcop.net            www.spamcop.net/bl.shtml
DSBL open relays           list.dsbl.org             dsbl.org
Spamhaus Blacklist         sbl.spamhaus.org          www.spamhaus.org/sbl/
South Korea (the country)  korea.services.net        korea.services.net
China (the country)        cn.countries.nerd.dk      countries.nerd.dk/more.html
Nigeria                    nigeria.blackholes.us     www.blackholes.us
Argentina                  argentina.blackholes.us   www.blackholes.us
Brazil                     brazil.blackholes.us      www.blackholes.us
Composite Blocking List    cbl.abuseat.org           cbl.abuseat.org
Spamhaus XBL               xbl.spamhaus.org          www.spamhaus.org/xbl/

Email 2 No disposition line. Sending IP listed in SpamCop BL and SORBS.

83.5.240.245 not (currently) listed in bl.spamcop.net and probably was not when it passed through the system. Already discussed SORBS above.

I just had a thought. Are you referring to the lists in the parse?

Message is 44.2 days old

83.5.240.245 not listed in dnsbl.njabl.org

83.5.240.245 not listed in dnsbl.njabl.org

83.5.240.245 not listed in cbl.abuseat.org

83.5.240.245 listed in dnsbl.sorbs.net ( 127.0.0.10 )

83.5.240.245 not listed in accredit.habeas.com

83.5.240.245 not listed in plus.bondedsender.org

83.5.240.245 not listed in iadb.isipp.com

FYI, the parsing system and the Email system are separate entities. The list generated by the parser is there to help you determine if it really is spam (and how widespread the particular IP is listed). The ONLY DNSBL from this list that is also used by spamcop's email system is cbl.abuseat.org


@StevenUnderwood: The two emails you queried were several months old, so I suspect they would have dropped off the blocklists I mentioned sometime ago.

So, I did a very long bit of research this morning looking at all the spams that slipped through into my inbox and checked each IP against the blacklists that allow you to query them. I have included below a partial list of those emails, including links to parsable email, the plain text email, the URL to the blacklisted IP inclusion (and a screen shot taken with a time & date stamp added) along with a screen shot of the spam being parsed through the manual reporting system. The links to the screen shots are direct links to the JPGs, so there will be no concern by viewing them.

All emails listed below are ones that came into my inbox and whose sending IP was on one of my selected blacklists at the time I queried and reported it. The ones at the very bottom (the last two I believe) were the most recent - they came into my inbox while I was doing this process, the ones at the top are sometimes several hours old or more. Although most are PDF spam, there are several that are not and are noted as such in the first line.

SC Report id# 240159253 (might also be id# 2401592531): Failed to identify sending IP as being listed in SORBS prior to this report being filed

Email shows to be received on SC server at 24 Jul 2007 01:24:46 (1:24:46AM CST GMT -6)

Plain text: http://www.spamcop.net/sc?id=z136861620...;action=display

Parsable: http://www.spamcop.net/sc?id=z1368616203za...cedaf24c64fd53z

62.224.95.229 listed in SORBS

http://img441.imageshack.us/img441/165/sor...24015925ui0.jpg

SpamCop reporting tool did not identify 62.224.95.229 as being blacklisted by SORBS at Tuesday, July 24, 2007 4:44:34 AM -0500

http://img526.imageshack.us/img526/1395/sp...29240159ca3.jpg

SC Report id# 2401654486: Failed to identify sending IP as being listed in SpamCop BL, SpamHaus XBL, and CBL prior to this report being filed

Email shows to be received on SC server at 23 Jul 2007 19:16:57 (7:16:57 PM CST GMT -6)

Plain text: http://www.spamcop.net/sc?id=z136863903...;action=display

Parsable: http://www.spamcop.net/sc?id=z136863903...7aec2df8da69cez

72.54.148.2 listed in SpamCop BL: http://www.spamcop.net/w3m?action=checkblo...;ip=72.54.148.2

http://img295.imageshack.us/img295/5042/sp...82240165zb0.jpg

72.54.148.2 listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=72.54.148.2

http://img512.imageshack.us/img512/7380/sh...01654486tz4.jpg

72.54.148.2 listed in CBL: http://cbl.abuseat.org/lookup.cgi?ip=72.54...;.submit=Lookup

http://img410.imageshack.us/img410/4908/cb...01654486tj0.jpg

SpamCop reporting tool identified 72.54.148.2 as being blacklisted by CBL and as an open proxy at Tuesday, July 24, 2007 5:21:19 AM -0500

http://img178.imageshack.us/img178/4657/sp...24016544nf1.jpg

SC Report id# 2401683236: Failed to identify sending IP as being listed in SpamCop BL prior to this report being filed

Email shows to be received on SC server at 23 Jul 2007 19:28:50 (7:28:50 PM CST GMT -6)

Plain text: http://www.spamcop.net/sc?id=z136866844...;action=display

Parsable: http://www.spamcop.net/sc?id=z1368668440zd...8e7ed44527a47fz

216.144.215.142 listed in SpamCop BL: http://www.spamcop.net/w3m?action=checkblo...216.144.215.142

http://img259.imageshack.us/img259/4411/sp...21514224du4.jpg

SpamCop reporting tool did not identify 216.144.215.142 as being blacklisted at Tuesday, July 24, 2007 5:59:57 AM -0500

http://img339.imageshack.us/img339/20/spam...51422401pj6.jpg

SC Report id# 2401736835: Failed to identify sending IP as being listed in SpamHaus XBL and CBL prior to this report being filed

Email shows to be received on SC server at 23 Jul 2007 15:09:21 (3:09:21 PM CST GMT -6)

Parsable: http://www.spamcop.net/sc?id=z1368702704zb...7b2ce86c5ec090z

Plain text: http://www.spamcop.net/sc?id=z136870270...;action=display

196.28.255.109 listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=196.28.255.109

http://img174.imageshack.us/img174/6734/sh...92401736mc9.jpg

196.28.255.109 listed in CBL: http://cbl.abuseat.org/lookup.cgi?ip=196.2...;.submit=Lookup

http://img252.imageshack.us/img252/1717/cb...40173683vf2.jpg

SpamCop reporting tool identified 196.28.255.109 as being blacklisted by CBL and as an open proxy at Tuesday, July 24, 2007 6:45:06 AM -0500

http://img252.imageshack.us/img252/6392/sp...10924017ev6.jpg

SC Report id# 2401787317: Failed to identify sending IP as being listed in SpamHaus XBL and CBL prior to this report being filed (not PDF spam)

Email shows to be received on SC server at 23 Jul 2007 12:11:12 (12:11:12 PM CST GMT -6)

Parsable: http://www.spamcop.net/sc?id=z1368727548zb...30739c42c1463ez

Plain Text: http://www.spamcop.net/sc?id=z136872754...;action=display

89.54.162.218 listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=89.54.162.218

http://img502.imageshack.us/img502/2876/sh...24017873mx3.jpg

89.54.162.218 listed in CBL: http://cbl.abuseat.org/lookup.cgi?ip=89.54...;.submit=Lookup

http://img401.imageshack.us/img401/5703/cb...01787317vb4.jpg

SpamCop reporting tool identified 89.54.162.218 as being blacklisted by CBL and as an open proxy at Tuesday, July 24, 2007 7:13:33 AM -0500

http://img442.imageshack.us/img442/2218/sp...18240178im9.jpg

SC Report id# 2401868931: Failed to identify sending IP as being listed in SpamCop BL, SpamHaus XBL, and CBL prior to this report being filed

Email shows to be received on SC server at 23 Jul 2007 10:35:37 (10:35:37 AM CST GMT -6)

Plain text: http://www.spamcop.net/sc?id=z136877565...;action=display

Parsable: http://www.spamcop.net/sc?id=z1368775658zc...9d079d85f8e475z

89.127.165.219 listed in SpamCop BL: http://www.spamcop.net/w3m?action=checkblo...=89.127.165.219

http://img338.imageshack.us/img338/7224/sp...65219240vj5.jpg

89.127.165.219 listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=89.127.165.219

http://img259.imageshack.us/img259/609/shx...92401868nr0.jpg

89.127.165.219 listed in CBL: http://cbl.abuseat.org/lookup.cgi?ip=89.12...;.submit=Lookup

http://img504.imageshack.us/img504/9805/cb...40186893fy6.jpg

SpamCop reporting tool identified 89.127.165.219 as being blacklisted by CBL and as an open proxy at Tuesday, July 24, 2007 8:15:50 AM -0500

http://img338.imageshack.us/img338/4589/sp...21924018oe7.jpg

SC Report id# 2401902474: Failed to identify sending IP as being listed in SORBS prior to this report being filed (not PDF spam)

Email shows to be received on SC server at 24 Jul 2007 12:56:44 (12:56:44 PM CST GMT -6)

Plain Text: http://www.spamcop.net/sc?id=z136879219...;action=display

Parsable: http://www.spamcop.net/sc?id=z1368792191zc...fd1edb01dfc253z

193.250.30.110 listed in SORBS

http://img503.imageshack.us/img503/1696/so...02401902qd7.jpg

SpamCop reporting tool identified 193.250.30.110 as being blacklisted by SORBS at Tuesday, July 24, 2007 8:36:27 AM -0500

http://img103.imageshack.us/img103/4299/sp...11024019lm2.jpg

Moderator edit to replace mailsc with www so people can access the links provided.


I will look at this when the SpamCop reporting page returns. It seems to have dropped off the face of the internet about 16:30 EDT.

As previously stated, SORBS is not an option you can check within SpamCop's webmail system so I will not look at those.

Unfortunately, it appears the system being down wiped all your spamcop data.

I am only interested in seeing what you are calling "Parsable" which is actually the TrackingURL (after I replaced all of the mailsc's with www so anyone other than yourself can get the link to work). The "Plain Text" link is available from that TrackingURL link. I would like to see a screen shot of your spamcop webmail BL selections. However, it is likely the only person who can fully address your concerns is JT, the SpamCop email administrator. He will be able to check the logs and see if the lookups were skipped, the lookups timed out (which has been an issue in the past), or if the lookups were actually done and showed not listed (indicating caching issues).

From your 6th (of 7) sample (89.127.165.219), if the email came through right now, it should be caught by all the following lookups:

> 219.165.127.89.bl.spamcop.net
Server:  resolver2.opendns.com
Address:  208.67.220.220:53

Non-authoritative answer:
Name:    219.165.127.89.bl.spamcop.net
Address:  127.0.0.2

> 219.165.127.89.cbl.abuseat.org
Server:  resolver2.opendns.com
Address:  208.67.220.220:53

Non-authoritative answer:
Name:    219.165.127.89.cbl.abuseat.org
Address:  127.0.0.2

> 219.165.127.89.xbl.spamhaus.org
Server:  resolver2.opendns.com
Address:  208.67.220.220:53

Non-authoritative answer:
Name:    219.165.127.89.xbl.spamhaus.org
Address:  127.0.0.4

>

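The three nslookup queries above follow the standard DNSBL convention: reverse the IPv4 octets, append the zone name, and ask for an A record; any answer in 127.0.0.0/8 means "listed", NXDOMAIN means "not listed". The following is an added example, not code from this thread or from SpamCop, that builds those query names and checks an IP against the webmail-side zones listed earlier in the thread (SORBS deliberately left out, since only the reporting parser shows it). The resolver table is constructed from the answers posted above so the example runs offline; the `live_resolver` helper is an assumption for real use.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Zones from the SpamCop webmail blacklist options posted earlier in this thread.
# SORBS is absent on purpose: the reporting parser shows it, webmail does not use it.
WEBMAIL_ZONES = [
    "bl.spamcop.net",
    "list.dsbl.org",
    "sbl.spamhaus.org",
    "cbl.abuseat.org",
    "xbl.spamhaus.org",
]

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet DNSBL name.

    89.127.165.219 + bl.spamcop.net -> 219.165.127.89.bl.spamcop.net
    Garbage input raises ValueError instead of producing a bogus query.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_answer(answer: Optional[str]) -> bool:
    """A DNSBL signals 'listed' with an A record inside 127.0.0.0/8.

    None (NXDOMAIN / timeout) means not listed. An answer outside 127/8 is
    treated as not listed too: that is what a hijacked or wildcarded zone
    would return, and it must not cause mail to be held.
    """
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_ip(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, str]:
    """Return {zone: answer} for every zone in `zones` that lists `ip`."""
    hits: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if is_listed_answer(answer):
            hits[zone] = answer
    return hits


def live_resolver(name: str) -> Optional[str]:
    """Assumed helper for real lookups via the system resolver; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed resolver table seeded with the three answers shown in the post above.
# Every other name resolves to None, i.e. NXDOMAIN.
CONSTRUCTED_ANSWERS = {
    "219.165.127.89.bl.spamcop.net": "127.0.0.2",
    "219.165.127.89.cbl.abuseat.org": "127.0.0.2",
    "219.165.127.89.xbl.spamhaus.org": "127.0.0.4",
}


def table_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    print(check_ip("89.127.165.219", WEBMAIL_ZONES, table_resolver))
```

Swap `table_resolver` for `live_resolver` to query the real zones; a mail system that caches these answers will lag behind the live listing, which is the timing gap discussed later in this thread.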

Jongrose! Did you read the following before doing all your detailed research?

I just had a thought. Are you referring to the lists in the parse? FYI, the parsing system and the Email system are separate entities. The list generated by the parser is there to help you determine if it really is spam (and how widespread the particular IP is listed). The ONLY DNSBL from this list that is also used by spamcop's email system is cbl.abuseat.org

You mention SORBS in your research, and yet SORBS is *not* one of the BLs that's available in the SC Email account Blacklists. I'm guessing that Steven was correct, and that you are being confused by what you are seeing during manual parsing/reporting. Those details are almost *meaningless* when it comes to what will or will not be blocked/held by the BLs available to us.

DT

I will look at this when SpamCop reporting page returns. Seems to have dropped off the face of the internet about 16:30 EDT

As previously stated, SORBS is not an option you can check within SpamCop's webmail system so I will not look at those.

You're right, I'm not sure why I was querying that BL. Here is a JPG screenshot of my blacklist options:

http://img59.imageshack.us/img59/4297/spam...ocklistsdu4.jpg

Unfortunately, it appears the system being down wiped all your spamcop data.

I am only interested in seeing what you are calling "Parsable" which is actually the TrackingURL (after I replaced all of the mailsc's with www so anyone other than yourself can get the link to work). The "Plain Text" link is available from that TrackingURL link. I would like to see a screen shot of your spamcop webmail BL selections. However, it is likely the only person who can fully address your concerns is JT, the SpamCop email administrator. He will be able to check the logs and see if the lookups were skipped, the lookups timed out (which has been an issue in the past), or if the lookups were actually done and showed not listed (indicating caching issues).

I apologize for the mailsc links, thanks for fixing them. If I post this type of data in the future, I'll make sure the links are viewable by all. I just checked and you should be able to view the parsable URLs (is there a better name for them?). If the reporting server was down earlier, it appears to be up now.

Jongrose! Did you read the following before doing all your detailed research?

You mention SORBS in your research, and yet SORBS is *not* one of the BLs that's available in the SC Email account Blacklists. I'm guessing that Steven was correct, and that you are being confused by what you are seeing during manual parsing/reporting. Those details are almost *meaningless* when it comes to what will or will not be blocked/held by the BLs available to us.

David, you're right, I'm not sure why I was trying to look up the IPs in that database. Either way, emails 2-6 should have been caught by the filters, as they had nothing to do with SORBS, so I wouldn't say it's "meaningless".

I can post more data like this if anyone would like to review it, just let me know what you want to see. It's just an extremely long project to do. I manually reported all above listed spams, linked to the blocklists they were in, took screen shots of them being in the BL, crop it and time/date stamp it, then upload it and create a legible list.


Just don't spend more time on it than it's worth. I checked the status line on all of the items that accumulated in my Held Mail folder for the last 24 hours, and while most of them were there due to SA scores over 4.0 (I strongly suggest not using the default setting of 5), there were items put there due to hits on the DSBL, the CBL, the SCBL, and the China BL (cn.countries.nerd.dk).

I think the most common reason for items to bypass getting put into Held Mail is a lag between the time the email hit your mailbox, and the actual listing of the IP in a particular BL, and/or a lag between SpamCop's cache of that BL (I'm assuming that all the BL lookups aren't done live and in real time).

DT


I would like to see some options for filtering on the body and/or attachments... I don't see any way (currently) to search for "attachment contains pdf" or anything like that, or maybe I'm missing something?

Also, can we do something about that greeting card crap? I've tried making filters for it, but I'm still getting a butt-load of that in my inbox.


I would like to see some options for filtering on the body and/or attachments... I don't see any way (currently) to search for "attachment contains pdf" or anything like that, or maybe I'm missing something?

That sounds like a "Feature Request," and unfortunately, those don't seem to get much attention around here...other than from fellow users.

Also, can we do something about that greeting card crap? I've tried making filters for it, but I'm still getting a butt-load of that in my inbox.
Hmmm....I get lots of spam, but something is keeping me from seeing the greeting card items....I thought SpamCop was doing that, but it might be the Barracuda SF through which much of my mail passes on its way to SpamCop. IIUC, the antivirus systems have determined some of the greeting card stuff to be dangerous and are treating those incoming items as being infected.

DT

That sounds like a "Feature Request," and unfortunately, those don't seem to get much attention around here...other than from fellow users.

Hmmm....I get lots of spam, but something is keeping me from seeing the greeting card items....I thought SpamCop was doing that, but it might be the Barracuda SF through which much of my mail passes on its way to SpamCop. IIUC, the antivirus systems have determined some of the greeting card stuff to be dangerous and are treating those incoming items as being infected.

Yeah... I saw something on Snopes about that... still would like to be able to skip the rest, though.. As you mentioned, the Barracuda seems to be doing a good job of filtering that crap. I'm filtered through a Barracuda here at work, and I get at most one or two spam messages per day that make it through the Barracuda. Most days, I don't even get that many.

