Yeah this is a definite candidate for SURBL. This is the Huntsville-consulting spam gang: http://www.spamhaus.org/SBL/sbl.lasso?query=SBL20528

353+ domains directly linked.

This is going to be the next trend. The final destination of this pron spam was throatstuffers . com, but it used a throw away domain of marlacell . com as a forwarder. Not directly either. That domain simply hosted a mirrored page of throatstuffers . com. We are seeing an increase in throw away domains being used to reroute to other domains that will NEVER show up directly in a spam. All in attempts to get past SURBL.

No biggy, the more people that submit and manage SURBL the faster they get added. However there has been discussion on blocking the final destinations via web proxies and host files. I think we will begin to see an increase in companies blocking these IPs or domains at the firewall or proxy server.

It's actually helping some antispammers. We are able to tie more spammers together thru looking at who is trying to get past SURBL thru throw away domains. Some of the small guys are only rogues of the bigger ones. We got people watching spammers six ways from Sunday. Funny how much they don't realise we know ;)

--Chris

>-----Original Message-----
>From: Smart,Dan [mailto:[EMAIL PROTECTED]
>Sent: Wednesday, December 01, 2004 4:57 PM
>To: [EMAIL PROTECTED]
>Subject: RE: Image Composition Analysis
>
>
>Attached is the spam that got through. I changed the porn URL to not
>offend. It's a little mangled as it was forwarded by the user via Outlook,
>and tags got mangled by my Sanitizer.
>
>I capture the headers of all files, and here is what they look like. The
>bayes = 0 is what got this through.
>
><<Dan>>
>
>========================================
>>From filter Wed Nov 3 01:29:14 2004
>Return-Path: <[EMAIL PROTECTED]>
>Received: from great.amberalist.com (great.amberalist.com [209.200.9.222])
>    by dalton.vul.com (Vulcan E-mail Relay) with SMTP id 56BD89BB2C
>    for <[EMAIL PROTECTED]>; Wed, 3 Nov 2004 01:29:14 -0600 (CST)
>Received: from mail pickup service by kmanus.com with Microsoft SMTPSVC;
>    Wed, 3 Nov 2004 14:17:54 -0800
>Received: from 194.3.74.35 by by7fd.bay7.kmanus.com with HTTP;
>    Wed, 3 Nov 2004 14:17:54 GMT
>X-Originating-IP: [194.3.74.35]
>X-Originating-Email: [EMAIL PROTECTED]
>X-Sender: [EMAIL PROTECTED]
>From: Bebe <[EMAIL PROTECTED]>
>To: XXXXX <[EMAIL PROTECTED]>
>Subject: re: our appreciation
>Date: 3 Nov 2004 14:17:54 -0500
>Mime-Version: 1.0
>Content-type: text/html
>Message-ID: <[EMAIL PROTECTED]>
>X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on dalton.vul.com
>X-Spam-DCC: : dalton 1182; Body=1 Fuz1=1 Fuz2=1
>X-Spam-AWL: Auto_Whitelist=
>X-Spam-Status: No, hits=1.7 required=6.5 tests=BAYES_00,CP_RANDOMWORD_10,
>    HTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,OB_URI_RBL,
>    RCVD_IN_SBL,SARE_HTML_FSIZE_1ALL,WS_URI_RBL autolearn=no version=2.64
>X-Spam-Level: *
>Status: RO
>X-Status:
>X-Keywords:
>X-UID: 1219
>
>======================================
><<Dan>>
>
>
>> -----Original Message-----
>> From: John Andersen [mailto:[EMAIL PROTECTED]
>> Sent: Wednesday, December 01, 2004 2:45 AM
>> To: [EMAIL PROTECTED]
>> Subject: Re: Image Composition Analysis
>>
>> On Tuesday 30 November 2004 01:27 pm, Smart,Dan wrote:
>>
>> > Catching image only E-mail with pornographic images is really difficult.
>> > My users are offended when they get one, and wonder how I could not
>> > catch it. Explaining that the document was text, filled with bayes
>> > poison, and the one porn image with no porn words in the document
>> > doesn't seem to have much of an impression on them.
>>
>> Open the image with a text editor and challenge them to
>> determine if it is spam or not.
>>
>> Really, people this dumb should not be turned loose on the internet.
>>
>> --
>> _____________________________________
>> John Andersen
>>
>
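
Added example (not part of the original thread): the quoted X-Spam-Status header shows blocklist rules firing on a message that was still scored as ham, so this sketch parses that header and flags such deliveries for review. The function names and the name-based matching of blocklist rules are assumptions made for the illustration; no rule scores are assumed.

```python
import re

# X-Spam-Status header quoted in the thread, with the ">" quote marks removed
# and the folding restored as tab-indented continuation lines.
SAMPLE = (
    "X-Spam-Status: No, hits=1.7 required=6.5\n"
    "\ttests=BAYES_00,CP_RANDOMWORD_10,\n"
    "\tHTML_MESSAGE,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,OB_URI_RBL,\n"
    "\tRCVD_IN_SBL,SARE_HTML_FSIZE_1ALL,WS_URI_RBL autolearn=no\n"
    "\tversion=2.64\n"
)

# Assumption: blocklist rules are recognised by name only (the *_URI_RBL names
# on the page, SpamAssassin 3.x URIBL_* names, and RCVD_IN_* for relay DNSBLs).
URI_BL = re.compile(r"_URI_RBL$|^URIBL_")
RELAY_BL = re.compile(r"^RCVD_IN_")

def parse_spam_status(header):
    """Parse an X-Spam-Status header into verdict, scores and rule names."""
    value = re.sub(r"\r?\n[ \t]+", " ", header.strip())  # unfold continuations
    value = value.split(":", 1)[1].strip()               # drop the field name
    verdict, _, rest = value.partition(",")
    rest = re.sub(r",\s+", ",", rest)  # rule list may be folded after a comma
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))
    score = fields.get("hits", fields.get("score", "0"))  # 2.x "hits", 3.x "score"
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {"is_spam": verdict.strip().lower() == "yes", "score": float(score),
            "required": float(fields.get("required", "0")), "tests": tests}

def triage(status):
    """Flag mail delivered as ham although a blocklist rule fired."""
    tests = status["tests"]
    uri_hits = [t for t in tests if URI_BL.search(t)]
    relay_hits = [t for t in tests if RELAY_BL.search(t)]
    bayes = next((t for t in tests if t.startswith("BAYES_")), None)
    return {"review": not status["is_spam"] and bool(uri_hits or relay_hits),
            "uri_hits": uri_hits, "relay_hits": relay_hits, "bayes": bayes,
            "margin": round(status["required"] - status["score"], 2)}

if __name__ == "__main__":
    print(triage(parse_spam_status(SAMPLE)))
```

Run over a mail spool, the `review` flag picks out messages like the one quoted here, where URI or relay blocklist hits were outweighed by the rest of the score.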