Sudden huge burst of german spam getting through

[cliffski]

Has something gone wrong? Normally spamcop catches 90% of my spam, but that rate has dropped to about 25% as of last night, and all the fresh spam seems to be in german. I have all the blacklists ticked and spamassasin set to 1. what on earth is going on???

[Spambo]

Lots of people are getting them. Apparently the spammer is using trojaned machines to send the spams through IPs that haven't been listed yet on the major blocklists.

[Chris Parker]

Has something gone wrong? Normally spamcop catches 90% of my spam, but that rate has dropped to about 25% as of last night, and all the fresh spam seems to be in german. I have all the blacklists ticked and spamassasin set to 1. what on earth is going on???

Looks like someone is sending a psuedo-political/racist statement/spam through previously undetected trojaned boxes. Someone posted a copy of the message in spam-L.

[Wazoo]

on top of that, there's a lot of conversation that are pointing out that a lot of this spam traffic is actually coming out of NZ space, just to help the confusion factor.

[chrism]

For the last two days I've received well over 1000 German spam messages per day, from numerous different addresses mainly in Germany and Austria.

The existing spam filters seem to be almost completely ineffective in blocking this; can nothing be done to stop it? The number of different subject lines is small - could spamcop not block them based on subject?

This is driving me up the wall - this is the stuff I use Spamcop to try and avoid :-).

Can anyone offer any help on how to get rid of it?

Thanks in advance,

Chris

[turetzsr]

Hi, Chris,

...Already reported -- see "Sudden huge burst of german spam getting through".

...Wazoo -- merge the two threads?

[chrism]

Thank you - I missed that thread!

Regards,

Chris

[MyNameHere]

I noticed this, too, of course... but I also noticed in the first wave, there seemed to be a lot of "undeliverable mail" messages referring to German addresses but coming to -- me!

I suppose it doesn't really matter, but I'm curious whether anyone thinks they might have been related to the later flood of just plain spam.

[Wazoo]

At present, the prevailing winds are that this seems to be the combined work efforts of a virus/trojan deployment followed by a spammer taking advantage of the compromised computers. The reason that these are making it past the SpamCop filters and BL is that they are "new" to world, thus not enough reports/complaints kicked out to get them into the mix. One would thing that the onslaught will diminish as complaints drive the statistics and these "new" IPs get added.

The number of different subject lines is small - could spamcop not block them based on subject

This isn't how the SpamCop DNSbl or the parsing/reporting tools work. There are other tools that look at things like content and such, but as above, this seems to be all "new" spew, so it'll take time for the various lists and filters to add this to the mix ....

[chrism]

Thank you for the reply. Unfortunately things still seem to be getting worse rather than better - I've had another 800 messages in the last 10 hours :-(.

I've just set up a filter on my spamcop account to delete based on the words in the most common subjects, so hopefully that will help reduce the flood somewhat.

This is by far the worst "spam attack" I've encountered in the 10+ years I've been online; let's hope it's not the start of a new trend!

Oh well, just a matter of waiting for all the infected machines it's coming from to get "blacklisted", I guess.

Thanks for the useful info; it's greatly appreciated.

Regards,

Chris

[cliffski]

ditto here. I could set up filters, but why the hell dont those filters run before forwarding? I forward my email to my home account so i can use outlook express to manage my mail, so i rarely log into the spamcop webmail. is there any way to get the filters to run before forwarding? if not I may have to jump ship to a product that does support this instead.

[MyNameHere]

I forward my email to my home account so i can use outlook express to manage my mail, so i rarely log into the spamcop webmail.

You can use Outlook Express to manage your Spamcop e-mail directly (without forwarding).

Look here and here for some information. I am using Outlook (which is very similar) to manage e-mail on three different accounts including Spamcop, my ISP, and my work e-mail.

If you POP the email to Outlook Express, you'll get only what's in your Spamcop Inbox, not the held mail or any other folders.

But I'm not sure if your personal filters get applied if you don't actually login to webmail. It might be that mail (other than Held Mail) stays in the Inbox untl you login. Someone else will have to answer that.

[StevenUnderwood]

To both cliffski and MyNameHere:

The blocklists and the personal black/white lists are a part of the server functions when a mesage is received. Access to this server functon is provided through the webmil client interface.

The personal filters are a client based function, in this case the webmail client. The webmail client has no access to the server until you log into it to make that connection.

[cliffski]

Im getting about 150-200 spams a day (through the filter) all of which are in german, and spamcop doesnt seem to be blocking them at all. Here is a sample, but I dont know anything about headers etc, can anyone work out why this isnt blocked:?

Content-Transfer-Encoding: 7bit

Content-Type: text/plain; charset="us-ascii"

Date: Wed, 16 Jun 2004 14:27:00 GMT [10:27:00 EDT]

Delivered-To: spamcop-net-cliffski[at]spamcop.net

From: Elmi[at]radio-regenbogen.de

Importance: Normal

MIME-Version: 1.0

Message-ID: <a10be40edb358e.be252.qmail[at]radio-regenbogen.de>

Received: (qmail 12351 invoked from network); 16 Jun 2004 16:26:54 -0000

from unknown (192.168.1.101) by blade6.cesmail.net with QMQP; 16 Jun 2004 16:26:54 -0000

from itys.host4u.net (216.71.64.142) by mailgate.cesmail.net with SMTP; 16 Jun 2004 16:26:54 -0000

from shqgsbh.de (cust-22-152.vype.manet.de [212.65.22.152]) by itys.host4u.net (8.11.6/8.11.6) with SMTP id i5GGQlY11416; Wed, 16 Jun 2004 11:26:47 -0500

Return-Path: <Elmi[at]radio-regenbogen.de>

Subject: Medienzensur

To: zNwy[at]positech.co.uk

X-Mailer: Mail-SMTP V2.16

X-Priority: 3 (Normal)

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6

X-spam-Level:

X-spam-Status: hits=0.3 tests=NO_REAL_NAME version=2.63

X-SpamCop-Checked: 192.168.1.101 216.71.64.142 212.65.22.152

Headers: Show Limited Headers

27 Mai 2004 Sober Autor:

Die Dokumentation von Auslaenderkriminalitaet gestaltet sich zusehens schwieriger, da in den etablierten Medien immer haeufiger eine Zensur stattfindet und die Nationalitaet von auslaendischen Straftaetern bewusst verschwiegen wird.

Ist das nicht eine Straftat und eine Frechheit obendrein, Zensur in einer Demokratie zu betreiben?

Das ist ja wie zu Adolfs Zeiten!

Ich dachte liebe Medien, so etwas will man nicht mehr?!?!?!

Thanks

[Chris Parker]

It's from a variant of the Sober virus...

See the other post about it.

[StevenUnderwood]

anyone work out why this isnt blocked:?

1.Because none of the servers this message came through were on any of the blocklists you have your account configured to use.

X-SpamCop-Checked: 192.168.1.101 216.71.64.142 212.65.22.152

2.Because Spamassasin is assigning the message a level of 0.3 because it only matches 1 of the rules it is configured to check.

X-spam-Level:

X-spam-Status: hits=0.3 tests=NO_REAL_NAME version=2.63

If, as Chris Parker states, it is the result of a virus, it also is not reportable through spamcop.

[Chris Parker]

If, as Chris Parker states, it is the result of a virus, it also is not reportable through spamcop.

Um, I do not think that is the case as it is not the virus which is being reported. What is being reported is a machine that is sending spam that was compromised by a virus -- same as many other source of spam.

[Wazoo]

If, as Chris Parker states, it is the result of a virus, it also is not reportable through spamcop

Dang, and this would be within the hour of sending out some e-mail and a PM that said StevenUnderwood has yet to be wrong in his postings <g>

http://www.spamcop.net/fom-serve/cache/14.html included the lines of "not reportable" item descriptions;

virus infected emails are not spam regardless of whether you know the originating party or not

virus bounces and notifications are not to be reported as spam using SpamCop

Though we probably are talking about the "results" of a virus / trojan, this spew is more seen as spew from a compromised machine, and doesn't seem to carry any payload beyond the words, so would be seen as a reportable item.

[StevenUnderwood]

I humbly apologize for my mistake. I took Chris Parkers post that the actual messages were being sent by the virus rather than using an exploit of the virus.

Oh, well, I guess my application for SpamCop God will have to be discarded

[localhost]

For the last 6 days I have reported a few hundred of the "german" messages.

Most of them where in the HOLD Queue on the SpamCop servers (already on the BL, some where detected by SpamAssassin level 3). I reported them again.

Manually, I report daily about 50-75 of the "german" messages, they are not on the BL and where not blocked by SpamAssassin.

I found that about 90% of these messages is coming from The Netherlands (where I live). The largets dutch ISP's euronet.nl, wanadoo.nl, planet.nl and chello.nl are on the top of the list (not my ISP).

Does everyone have these messages originating (email source) from The Netherlands, or are there other sources?

Anyone any ideas? Am I (are we) not reporting enough to put the IP numbers permanently on the BlackList?

[Wazoo]

or are there other sources?

other anti-spam resources show them coming from all over the world. Again, premise is that this spew is following the infections of computers world-wide .. so, yes, more reporting is needed to get the IPs involved into the (SpamCop's DNSbl is not permanent) BL. Not that it's any cure, but if you could figure out how to "teach" these basically ignorant computer owners how to better protect their systems .. or at least recognise that there's something wrong with their system ... this crap wouldn't happen, at least not in such an extreme fashion.

[chrism]

Please correct me if I'm wrong, but my understanding is that all this German racist spam (of which I'm still, after a week, receiving roughly 1000 message a day) is coming from some central source, and merely being routed through machines which have been infected by this virus - is that correct? ie it's not the virus which is actually generating the messages, is it?

Can nothing be done to try to track down the person who's actually sending the mail and get it stopped?

Apologies if this is a stupid question; I've really no idea about how spam actually gets sent!

Can nothing be done to "spam Assassin" to make it pick up on the words in these message and block them?

Regards,

Chris

[StevenUnderwood]

merely being routed through machines which have been infected by this virus

This sounds like it is correct.

Can nothing be done to try to track down the person who's actually sending the mail and get it stopped?

The problem is that properly configured mail servers add a Received header to show where they got the message from and you can normally track a message back to its source. However, a trojanized machine is not likely to do that, so the headers will stop being valid where the trojanized machine connects to the first valid email server.

The machine that is trojanized and sending the junk could be investigated to track the source if they know what they were doing, but that is unlikely. Normally, once a person finds they are infected, they turn the machine off (losing any information that could be used to track the origiinator.

Can nothing be done to "spam Assassin" to make it pick up on the words in these message and block them?

I am no expert on spamassasin, but I believe a rule could be created to detect these messages which would then need to be implemented on the server. I know there were large problems with false positives and negatives the last time the spamassasin configuration was tweaked and I'm not sure JT wants to go down that path.

Another problem is this does not seem to be very widespread attack. There seems to be a few people in here complaining about it but that's about it.

[oldjack]

Another problem is this does not seem to be very widespread attack.  There seems to be a few people in here complaining about it but that's about it.

I have also been getting them. I've only received two (both within the last 48 hours) but, for me, that's the most spam to get past spamcop in a 48-hr period in quite some time.

It does appear to be a growing problem, although who knows whether it will have staying power. Here's an article about it:

http://www.theregister.co.uk/2004/06/11/ge...ate_mail_virus/

It does seem to be the sort of thing that spamassassin could detect, without causing any collateral damage. Someone with a knowledge of German (or maybe even someone using babelfish) could isolate the German hate words.

[Wazoo]

Another problem is this does not seem to be very widespread attack. There seems to be a few people in here complaining about it but that's about it.

On one hand, can't argue with your point, as it's valid. But, with all the coverage this thing is getting around the world, I'm thinking that there are countless numbers getting it, but "just hitting delete" for various reasons, language barrier being on of the most obvious.

Can nothing be done to try to track down the person who's actually sending the mail and get it stopped?

Apologies if this is a stupid question; I've really no idea about how spam actually gets sent!

Generically, little Miss Mary Lou gets an "interesting" spam, inviting her to "click on this" or "go to this web-site" ... Miss Mary Lou just got her computer last week from the Great-Big-Computer-Store" down at the mall, and the kid that talked her into spending 98% of her life savings and charging the rest told her that it was the latest and greatest, most powerful machine on the planet, and it came with all kinds of software. Of course, most of it not installed, some defaulted into the "off" condition ... but the kid didn't mention that, saving that possibility of a ticked off customer when Miss Mary Lou couldn't get on-line.

So with no firewall, no active anti-virus, no active anti-spyware, Miss Mary Lou clicks happily away on all those "interesting" things, thinking that the "net" is just so kewl. Thus begets the infected and compromised machine. This infection may include a little e-mail server, and lets add a bit of a proxy server that watches all incoming and outgoing traffic looking for anything with an "[at]" in it, adding that to its little database of e-mail addresses.

Somewhere down the road, the "infection" either turns itself on, or has a little backdoor that can be accessed by those in the know and they will activate the special little program ... and away goes Miss Mary Lou's computer on spewing nasty (interesting?) stuff to the rest of the world. At this point, the traffic might be able to be tracked down to Miss Mary Lou's computer .. if she has stays on-line long enough, if she has a static IP, or if her ISP has the time and spends the effort to check who owned that IP at the time of the spew. Eventually, Miss Mary Lou's computer might no longer connect to the Internet as her ISP cut her off, maybe she gets an e-mail telling her that her computer is "compromised" (which of course means nothing to her <g>)

Only by doing some forensics on her computer will how it happened, who was involved, etc. be found .. and this level of effort isn't done in general, and even if it was, there's the question of what data may actually be available on her system, especially if it had been "cleaned up and fixed" by her brother-in-law, the local guru ....

Even if there was data available on her drive that showed some connection traffic that "turned on the infection" .. the odds are that even this data would point to another compromised computer .. say Uncle Joe's system just down the road. Now, does Uncle Joe's computer still hold any of the needed data to track his problem source down .. and who's going to do the searching?

Even if someone ran this complete maze and even managed to find the "source" of all the harm created, who's going to prosecute what charges?