On 07/12/2017 08:04 PM, Alex wrote:
Hi all,
Has anyone else experienced a spam campaign with any one of the
following subjects:
- sometimes enjoy it wild, how bout you?
- sometimes like it ruff, what bout you?
- sumtimes enjoy it ruff, wat bout you?
The body contains something like "wild hukups" then a phone number.
https://pastebin.com/X5xNn9RZ
It comes from AOL and other freemails, but doesn't hit much, and hits
bayes50 or lower here.
Is this a snowshoe thing? Ideas on how to stop them? I've now trained
them but I thought someone might like to see them for their own
benefit, and perhaps had ideas on a more general way of blocking
these.
What is even the point of spam with a phone number?
The IP ranges for the ones originating from AOL are all in the
204.29.186.0/24 block. None of them are in any meaningful blacklist,
and they have a 90+ senderscore.
I'm sure the campaign will change soon, but I thought there was
something more general we could look for the next time...

Time has passed, so there could be more RBL hits by now, and DCC hits
now that may not have hit earlier, but my SA scored it pretty high, mainly
due to DCC and BAYES_99. I guess I have a well-trained Bayes. I have
some meta rules that add more points when FREEMAIL hits along with
things like KAM_URI, DIGEST_MULTIPLE and high BAYES. ENA_BAD_SPAM
is a huge list of combinations of bad rule hits, built over years, that
triggers other rules with points.
Content analysis details:   (14.1 points, 5.0 required)

 pts rule name                       description
---- ------------------------------- --------------------------------------------------
 1.2 RCVD_IN_LASHBACK                RBL: Received is listed in Lashback usb.unsubscore.com
                                     [204.29.186.60 listed in ubl.unsubscore.com]
 3.5 BAYES_99                        BODY: Bayes spam probability is 99 to 100%
                                     [score: 0.9993]
 2.2 RCVD_IN_SORBS_SPAM              RBL: SORBS: sender is a spam source
                                     [204.29.186.60 listed in dnsbl.sorbs.net]
-0.2 RCVD_IN_DNSWL_NONE              RBL: Sender listed at http://www.dnswl.org/, no trust
                                     [204.29.186.60 listed in list.dnswl.org]
-1.2 RCVD_IN_MSPIKE_H2               RBL: Average reputation (+2)
                                     [204.29.186.60 listed in wl.mailspike.net]
-0.0 SPF_PASS                        SPF: sender matches SPF record
 0.0 OS_UNKNOWN                      Relay runs on unknown OS
 1.2 FREEMAIL_FROM                   Sender email is commonly abused enduser mail provider
                                     (georgia32ce[at]aol.com)
 1.5 KAM_MXURI                       URI: URI begins with a mail exchange prefix, i.e. mx.[...]
 0.2 BAYES_999                       BODY: Bayes spam probability is 99.9 to 100%
                                     [score: 0.9993]
 0.0 HTML_MESSAGE                    BODY: HTML included in message
 2.2 DCC_CHECK                       Detected as bulk mail by DCC (dcc-servers.net)
 0.1 DKIM_SIGNED                     Message has a DKIM or DK signature, not necessarily valid
-2.2 RCVD_IN_SENDERSCORE_90_100      Senderscore.org score of 90 to 100
 0.0 T_DKIM_INVALID                  DKIM-Signature header exists but is not valid
 2.2 ENA_DIGEST_FREEMAIL             Freemail account hitting message digest spam seen
                                     by the Internet (DCC, Pyzor, or Razor).
 1.2 ENA_DIGEST_MULTIPLE_MSPIKE_H2   Dcc, Razor, or Pyzor hits from servers listed in
                                     MSPIKE_H2 so add back points.
 0.0 ENA_BAD_SPAM                    Spam hitting really bad rules.
 2.2 ENA_BAD_SPAM_FREEMAIL           Bad spam from freemail (hotmail, gmail, msn, yahoo).
--
David Jones
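An added illustration of how meta rules of the kind David describes above are written in SpamAssassin local.cf syntax. This is not David's ENA_ rule set (its definitions are not in the thread) and not part of the original thread: the LOCAL_* rule names and the scores are hypothetical placeholders, while the subrules they reference (FREEMAIL_FROM, DCC_CHECK, RAZOR2_CHECK, PYZOR_CHECK, DIGEST_MULTIPLE, BAYES_99, BAYES_999, RCVD_IN_MSPIKE_H2, RCVD_IN_SORBS_SPAM) are stock SpamAssassin rules and KAM_MXURI comes from the KAM rule set shown in the report.

```conf
# Added example: SpamAssassin meta rules in the style described in the reply
# above. LOCAL_* names and all scores are hypothetical; the subrules are
# stock SpamAssassin / KAM rule names. Goes in /etc/mail/spamassassin/local.cf.

# 1. Freemail sender whose message was also reported by a digest service.
meta     LOCAL_DIGEST_FREEMAIL  FREEMAIL_FROM && (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK)
describe LOCAL_DIGEST_FREEMAIL  Freemail account hitting a message digest (DCC, Pyzor or Razor)
score    LOCAL_DIGEST_FREEMAIL  2.2

# 2. Give back the points a mailspike "average reputation" listing took away
#    when the same message hits more than one digest service.
meta     LOCAL_DIGEST_MULTIPLE_MSPIKE_H2  DIGEST_MULTIPLE && RCVD_IN_MSPIKE_H2
describe LOCAL_DIGEST_MULTIPLE_MSPIKE_H2  Multiple digest hits from an MSPIKE_H2-listed relay
score    LOCAL_DIGEST_MULTIPLE_MSPIKE_H2  1.2

# 3. Freemail sender plus a KAM URI rule plus very high Bayes.
meta     LOCAL_FREEMAIL_KAM_BAYES  FREEMAIL_FROM && KAM_MXURI && BAYES_99
describe LOCAL_FREEMAIL_KAM_BAYES  Freemail sender, mail-exchange-style URI and Bayes >= 99%
score    LOCAL_FREEMAIL_KAM_BAYES  1.0

# 4. An umbrella "bad spam" rule: a list of combinations that are each
#    high-confidence on their own. Scored 0.001 (the usual idiom) so it stays
#    enabled and appears in the report without adding points by itself.
meta     LOCAL_BAD_SPAM  (BAYES_99 && DCC_CHECK) || (BAYES_999 && RCVD_IN_SORBS_SPAM) || (DIGEST_MULTIPLE && BAYES_99)
describe LOCAL_BAD_SPAM  Spam hitting a combination of really bad rules
score    LOCAL_BAD_SPAM  0.001

# 5. The umbrella rule combined with a freemail sender is what gets real points.
meta     LOCAL_BAD_SPAM_FREEMAIL  LOCAL_BAD_SPAM && FREEMAIL_FROM
describe LOCAL_BAD_SPAM_FREEMAIL  Bad spam from a freemail account
score    LOCAL_BAD_SPAM_FREEMAIL  2.2
```

After editing local.cf, run `spamassassin --lint` to catch syntax errors and references to rule names that do not exist on your install, then `spamassassin -t < message.eml` on a saved copy of one of these messages to see which metas fire and how the total changes. Keeping the umbrella rule at 0.001 and putting the points on the narrower combinations (umbrella plus freemail, digest plus freemail) keeps a single noisy subrule from pushing legitimate freemail over the threshold.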