Jump to content

Casino spam


inom234

Recommended Posts

Hi Spamcop,

Over the last few weeks I have been getting SPAMMED a lot by an online casino.

I have 2 question if anyone knew the answers...

1. How is such obvious spam getting past Samcop content filtering.

Here are the subjects..And the content mention casinos and reads like spam content..

Subject: It's not wizardry, it is a strategy to profit

Subject: We give away $5000 cash every week

Subject: Your ticket to dream. $133,000,000 TODAY

Subject: Your 1250AUD Cheque is here

2. A number of the reports list the spam as having this type of subject after reporting. Is this a form of subject obfuscation or just something spamcop does?

Subject: =?utf-8?B?SGl0IHRoZSBib251cyBkaXNrICBhbmQgZ2V0IDEyNTBBVUQgYm9udXM=?=

Subject: =?utf-8?B?VGhlIEx1Y2t5IDI0NyBjYW1lIHRvIHZpc2l0IHRha2UgNTAgc3BpbnMgb24gdGhlIGhvdXNlIA==?=

Thanks in advance..

Regards

P

Link to comment
Share on other sites

1. I believe SpamCop primarily uses the origin IP address of the message to determine its bona fides; it does not really look at the content of the message (although those of us who are paid SC mail users can set up something like that for ourselves). So, even if the message is very spammyt, it might be passed if it came from an address that was not (yet) on SC's "black list."

2. What you are seeing are "MIME encoded words," which are normally done to allow character sets other than ASCII to be used in the subject line. It can, as you point out, also be used as a cheap and desperate form of obfuscation, although it won't fool anyone who can do MIME decoding.

Link to comment
Share on other sites

Hi Peter,

I've noticed a bit of an upswing in casino spam myself, mostly in a hotmail/outlook account (darned if I know how they determine the "nationality" of such an account but they seem to/may do). It comes and goes. I think .au is a bit of a target at the moment due to our government's attempts to limit on-line gambling from local services (so revealing the futility of single government interventions on the international stage - close one source and that merely makes way for another, but Aus politics is nearly all appearance over substance and that's a whole 'nother story, bless their little white cotton socks).

The stuff I see comes from botnets (different IP address for just about every one) and thus hard for the SCbl to impact them. Their weakness lies in the "payload", the URI/URL of the casino website. They're not quite so nimble in moving those around (besides they're perfectly legal in most places). Just keep reporting and make sure the websites are resolved - if not take some effort and add a reporting address if you can figure it out. Also be sure to let the owners of the source IP for the e-mail know their address is participating in a botnet - some of us use SenderBase to find other addresses included in the CBL in their allocation and report those to them too, in the report notes. That may add emphasis and some of those owners might actually set about cleaning up their stables as a result (we all believe in Tinkerbell, right? Botnets can be eroded, it must happen continually).

Why filters don't catch this stuff is a complicated question - botnet mail sources make it hard (if we're looking at filtering by IP address of source), blindingly obvious subjects or content (to a human) require some pretty sophisticated processing to ensure the filter is not a liability with false positives. There is no "SC" filter as such, the SCbl may be included in your filter rules if RBLs are supported (with the limitations on effectiveness for botnets partially discussed), the CESmail/SpamCop mail uses IMP/Horde filtering which you might wish to research (here and elsewhere) if you are using that.

Finally, the garbling of the subject line looks like an encoding issue and while that has been discussed many times in these pages I'm afraid the detail is way beyond me. Perhaps others, if you nominate the mail clients you are using could add some meaningful comment. I suspect that is not a contributing factor in your filters (whatever those are) failing to identify spam. That would be more down to the botnet mail sources, I think. Some ESPs use services/devices like IronPort (for example, iiNet.net.au) and others like Gmail have pretty effective proprietary heuristic filters with multiple criteria and/or consensus voting which would catch most of it with ease shortly after any spam run commences.

HTH and look forward to others adding their comments (thanks Ric, yours added while I was laboriously pecking away)..

Link to comment
Share on other sites

Hi Spamcop,

Over the last few weeks I have been getting SPAMMED a lot by an online casino.

I have 2 question if anyone knew the answers...

1. How is such obvious spam getting past Samcop content filtering.

Here are the subjects..And the content mention casinos and reads like spam content..

Subject: It's not wizardry, it is a strategy to profit

Subject: We give away $5000 cash every week

Subject: Your ticket to dream. $133,000,000 TODAY

Subject: Your 1250AUD Cheque is here

2. A number of the reports list the spam as having this type of subject after reporting. Is this a form of subject obfuscation or just something spamcop does?

Subject: =?utf-8?B?SGl0IHRoZSBib251cyBkaXNrICBhbmQgZ2V0IDEyNTBBVUQgYm9udXM=?=

Subject: =?utf-8?B?VGhlIEx1Y2t5IDI0NyBjYW1lIHRvIHZpc2l0IHRha2UgNTAgc3BpbnMgb24gdGhlIGhvdXNlIA==?=

Thanks in advance..

Regards

P

1. an IP or tracking link would be helpful (what filters have you set?) Spanassasinn set at 5

2. SpamCop just looks at US English text (probably HTML or non-English)

Link to comment
Share on other sites

1. an IP or tracking link would be helpful (what filters have you set?) Spanassasinn set at 5

2. SpamCop just looks at US English text (probably HTML or non-English)

Hi All,

Thanks for taking the time to write such detailed answers. Very informative. I am up to 3-5 of these casino spam a day now. So would like it to stop...

In the years with Spamcop I have never set Spanassasinn. I will look at how to do that.

Link to comment
Share on other sites

Hi All,

Thanks for taking the time to write such detailed answers. Very informative. I am up to 3-5 of these casino spam a day now. So would like it to stop...

In the years with Spamcop I have never set Spanassasinn. I will look at how to do that.

Ii the headers of spam count the stars to see what SpamAssasin count is

The default number 5 is normally correct

also check "Block Russian:" this blocks Russian text

in your "personal blacklist" put in a blank line to catch spam without from address

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...