gushi: (Default)

Gmail outright rejects mail from my server delivered via IPv6, but allows it via IPv4.

What this means is that I'm going to have to simply maintain a list of Gmail MX AAAA records and pump them into an ipfw reset rule like:

```
ipfw add reset tcp from me to 2a00:1450:400c:c02::/64 dst-port 25
```
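
A small generator for that rule set, added here as an example and not the journal's own script. The pure functions collapse any list of AAAA answers to the /64s that contain them and emit numbered `ipfw add ... reset` lines; the live lookup shells out to `dig +short` (assumed to be on PATH) and falls back to the constructed sample addresses when it is not. The rule numbering scheme is an assumption.

```python
"""Build ipfw reset rules for the /64s holding Gmail's inbound IPv6 MX addresses.

Added example, not the journal author's code. Assumes `dig` is available for the
live lookup; the pure functions work on any list of addresses.
"""
import ipaddress
import shutil
import subprocess

# Constructed sample AAAA answers, shaped like `dig +short AAAA <mx>` output.
SAMPLE_AAAA = [
    "2a00:1450:400c:c02::1a",
    "2a00:1450:400c:c02::1b",   # same /64 as the address above
    "2a00:1450:400c:c0b::1a",   # a different /64
    "2607:f8b0:4003:c00::1a",
]


def lookup_mx_aaaa(domain="gmail.com"):
    """Resolve the MX hosts for `domain`, then each host's AAAA records.
    Returns [] when dig is missing or any lookup fails, so callers can fall back."""
    if shutil.which("dig") is None:
        return []
    try:
        out = subprocess.run(["dig", "+short", "MX", domain], capture_output=True,
                             text=True, timeout=10, check=True).stdout
        # MX answers look like "10 alt1.gmail-smtp-in.l.google.com."
        hosts = [line.split()[1].rstrip(".") for line in out.splitlines() if line.strip()]
        addrs = []
        for host in hosts:
            a = subprocess.run(["dig", "+short", "AAAA", host], capture_output=True,
                               text=True, timeout=10, check=True).stdout
            addrs.extend(l.strip() for l in a.splitlines() if l.strip())
        return addrs
    except (subprocess.SubprocessError, IndexError):
        return []


def collapse_to_64(addrs):
    """Map each IPv6 address to its covering /64, dropping duplicates and any
    non-IPv6 junk (CNAME targets, blank lines) that a resolver may emit."""
    nets = set()
    for a in addrs:
        try:
            ip = ipaddress.IPv6Address(a)
        except ValueError:
            continue
        nets.add(ipaddress.IPv6Network(f"{ip}/64", strict=False))
    return sorted(nets)


def ipfw_rules(nets, first_rule=1000):
    """One numbered `ipfw add <n> reset` line per /64 (assumed numbering), so the
    whole block can be deleted and regenerated when the MX addresses change."""
    return [f"ipfw add {first_rule + i} reset tcp from me to {net} dst-port 25"
            for i, net in enumerate(nets)]


if __name__ == "__main__":
    live = lookup_mx_aaaa() or SAMPLE_AAAA
    for rule in ipfw_rules(collapse_to_64(live)):
        print(rule)
```

Re-run it from cron and diff against the previous output before loading; a /64 that disappears from the MX set should be removed too, otherwise the reset rules outlive the addresses they were written for.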


On the same note, I am getting continually added to various Google groups that send me a bunch of Indian CVs for people seeking employment. Google apparently will let anyone be added to a Google group without confirmation.

I keep maintaining a procmail rule that looks like this:

```
# Scoring recipe: each matching List-ID adds 1; any positive total fires the action.
:0
* 1^0 ^List-ID:.*\.shaikhgroups\.net
* 1^0 ^List-ID:.*zain-22\.zaryabi\.info
* 1^0 ^List-ID:.*hadi-20\.hadebad\.info
# ...more goes here
| /home/danm/spamcopquick.pl
```

I should probably write a SpamAssassin module that detects this crap, and once it does, rather than filtering the body, detects the list-header and reports as appropriate. (I don't want to reject at SMTP transaction time, because I want the lists to get onto google's radar as a problem that's not simply a delivery issue)
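
The same check done after acceptance, as an added example rather than the journal's procmail recipe or spamcopquick.pl: it keys on the List-ID header alone (so body changes don't matter), matches the three domains the recipe above lists with a label boundary so lookalike domains don't trip it, and returns a report/deliver decision that a procmail pipe can act on. The sample messages and the `cv-circulation` list label are constructed.

```python
"""Post-acceptance List-ID check for Google Groups the mailbox never joined.

Added example, not the journal author's filter. Runs on an already-accepted
message (e.g. piped from procmail), so nothing is rejected at SMTP time.
"""
import email
import re
from email import policy

# Domains from the journal's procmail recipe.
UNWANTED_LIST_DOMAINS = ("shaikhgroups.net", "zain-22.zaryabi.info", "hadi-20.hadebad.info")

# Constructed sample messages.
SPAM = """From: Someone <someone@example.com>
To: danm@example.net
List-ID: CV Circulation <cv-circulation.shaikhgroups.net>
List-Unsubscribe: <mailto:cv-circulation+unsubscribe@shaikhgroups.net>
Subject: Fwd: Resume for Java developer

Please find attached resume.
"""

HAM = """From: Dev List <dev@example.org>
To: danm@example.net
List-ID: Dev list <dev.example.org>
Subject: [dev] release notes

Release notes attached.
"""


def list_id_domain(raw):
    """Return the lower-cased token inside <...> of the List-ID header, or None.
    Google Groups put the group's list address there, e.g. <name.domain.tld>."""
    msg = email.message_from_string(raw, policy=policy.default)
    value = msg.get("List-ID")
    if not value:
        return None
    m = re.search(r"<([^<>]+)>", value)
    return (m.group(1) if m else str(value)).strip().lower()


def matches_unwanted(list_id, domains=UNWANTED_LIST_DOMAINS):
    """True when the list id is one of the domains or a sub-label of one.
    The '.' boundary keeps 'notshaikhgroups.net' from matching 'shaikhgroups.net'."""
    if not list_id:
        return False
    return any(list_id == d or list_id.endswith("." + d) for d in domains)


def decide(raw):
    """('report', list_id) to hand the message to the abuse reporter,
    ('deliver', list_id) otherwise."""
    lid = list_id_domain(raw)
    return ("report", lid) if matches_unwanted(lid) else ("deliver", lid)


if __name__ == "__main__":
    import sys
    # procmail usage: `| python3 this_script.py`; exit status 0 either way so
    # the recipe itself never bounces the message.
    action, lid = decide(sys.stdin.read())
    print(action, lid or "-")
```

Keeping the match on List-ID rather than on body text is what makes the report useful: the header names the group, which is the thing Google needs to see flagged.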

Note: Looks like this journal theme doesn't show the markdown "code" properly. Dammit.

gushi: (Default)

There is a spammer that has been annoying me. They're doing things halfway legit, so they bypass a lot of filters. They're advertising a site called nextjob.us, mostly telling me about candidates who I'd want to hire who need H1B visas or green cards.

I've complained via SpamCop, and also directly to their ISP (Cogent).

I did a google search for them recently, and discovered that not only are they being blocked by google, but that they're asking on google's forums for help!

I quickly typed out my own reply, which has since been deleted.

And they emailed me back, again asking for help, and seeming somewhat apologetic.

While one might think I'd don my BOFH hat to handle this, I'm somewhat touched, because I know the answer to this.

My response was long, and almost didn't get to them, because they set their "Reply-To" header to "no-reply@nextjob.us". This alone indicates a serious case of "you don't know how this works".

My reply is below the cut.

gushi: (Default)

So I discovered today that I was getting a lot of spam mail that slid right through my filters...most of it by a company called Diversion.

I looked at the headers and found a few interesting things:

1) All the recipients had "real names", and the spam was directly addressed to them, as opposed to being bcc'd or sent to "undisclosed recipients".

```
From: Diversion Media <diversion_media@hearstmdinfo.net>
To: Mark Scribbins <marks@gushi.org>    <-- like that
Subject: Get to Know Diversion.com for Physicians - at Your Fingertips
```

2) The links on the site, while going through a "redirector", all matched and were on a sane domain, which corresponded with the link text, and which in turn was the same as the email domain. It wasn't a long subdomain, nor was it loaded with random letters or characters.

3) The text was relevant to the subject line, which in turn was relevant to the content, which was readable instead of the markovian crap I'd expect.

I looked at one of the articles...this one, and it's reasonably well-written and informative. Sure, a bit fluffy, but a decent read.

This didn't smell like spam to me.

I looked over their site, and found a "contact us" link. I called the number for their "advertising" department, and a person answered. Okay, too weird!

The conversation went like this:

"Hey, how's it going. I seem to be on your mailing list several times, and I wanted to let you know that the whole domain goes to me, and I'm getting several distinct copies of these emails from you. Normally I'd report this stuff to spamcop or whatnot, but it seems you guys are legit. Like, if I were a doctor, I'd probably be interested in this stuff, it's well written and informative. So what I'm guessing probably happened is that you guys bought a bogus list, and I'm just calling to let you know you may want to go back to whomever sold it to you and take it up with them."

I gave them my domain name, and was told "yeah, unfortunately this isn't the first call like this I've gotten", and "thanks a lot, not everyone would have done what you did." (Again, not things I'd expect a spammer to say.)

Now, over time, I've gotten several spams that claim "PHYSICIAN LISTING!!!" or "50000 US MD LISTINGS!!!1!". And chances are, Diversions either bought such a list (how accurate could such a list be?), or someone who seemed more legit bought such a list and re-sold it to them. Welcome to the ponzi-driven internets :)

What this also indicates to me is that there are a number of services out there that "discover" domains that accept all domain-bound email. I suppose, historically speaking, I should look for the first emails sent to those services. (As I keep lots of email, and lots of logs, this isn't hard).

What it also means is that in my quest for better filters, I can now track everyone else who uses those lists, since the list-generators have managed to create a unique fingerprint for their lists. While I don't expect anyone to share with me where they bought it from or whatnot, I suppose if I were in a different field, I could offer to help legitimize these folks -- adding better verp detection, better feedback loop awareness, and the rest. And quite frankly, if I wind up blocking an otherwise legit site like this, because they bought a shitty list...oh well.
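
Two of the checks described above, written out as an added example (not the journal's filters): the link-domain versus From-domain comparison from point 2 of the header notes, and the list fingerprint, where two different senders addressing the same invented "real name" at the catch-all domain have almost certainly bought the same list. The message samples are constructed; the "Mark Scribbins <marks@gushi.org>" pair is the one the post shows, the other names, vendors and URLs are invented, and the registered-domain helper is a last-two-labels approximation rather than a public-suffix lookup.

```python
"""Link-domain consistency and bought-list fingerprinting over mail headers.

Added example, not the journal author's code. Sample messages are constructed.
"""
import email
import re
from collections import defaultdict
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed samples: M1 mirrors the Diversion mail, M2 is a list vendor
# hitting the same bogus recipient, M3 is an unrelated sender.
M1 = """From: Diversion Media <diversion_media@hearstmdinfo.net>
To: Mark Scribbins <marks@gushi.org>
Subject: Get to Know Diversion.com for Physicians - at Your Fingertips

Read the article: http://links.hearstmdinfo.net/r/12345
"""
M2 = """From: MD Listings <sales@example-mdlist.test>
To: Mark Scribbins <marks@gushi.org>
Subject: 50000 US MD LISTINGS

Order now: http://bit.example.test/xyz and http://www.example-mdlist.test/buy
"""
M3 = """From: Another Vendor <news@vendor.example>
To: Jane Doe <jdoe@gushi.org>
Subject: Hello

http://vendor.example/
"""


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def registered_domain(host):
    """Last two labels (assumption: good enough here, no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg):
    hdr = msg.get("From")
    if hdr is None or not hdr.addresses:
        return ""
    return registered_domain(hdr.addresses[0].addr_spec.rpartition("@")[2])


def foreign_link_domains(msg):
    """Registered domains of links in the text parts that differ from the
    sender's domain; [] means every link stays on the sender's own domain."""
    sender = sender_domain(msg)
    text = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_maintype() == "text")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return sorted({registered_domain(h) for h in hosts if h} - {sender})


def recipient_pairs(msg):
    """(display name, address) pairs from To/Cc: an invented 'real name' on a
    catch-all address is the fingerprint a list vendor leaves behind."""
    pairs = set()
    for field in ("To", "Cc"):
        for hdr in msg.get_all(field, []):
            for a in hdr.addresses:
                if a.display_name and a.addr_spec:
                    pairs.add((a.display_name.strip().lower(), a.addr_spec.lower()))
    return pairs


def senders_by_fingerprint(raw_messages):
    """Map each recipient pair to the sender domains that used it, keeping only
    pairs seen from more than one sender (the 'same list' signal)."""
    index = defaultdict(set)
    for raw in raw_messages:
        msg = parse(raw)
        for pair in recipient_pairs(msg):
            index[pair].add(sender_domain(msg))
    return {pair: sorted(d) for pair, d in index.items() if len(d) > 1}


if __name__ == "__main__":
    for raw in (M1, M2, M3):
        print(sender_domain(parse(raw)), "foreign links:", foreign_link_domains(parse(raw)))
    print(senders_by_fingerprint([M1, M2, M3]))
```

Run over an archive, the fingerprint index is the list of everyone who bought from the same vendor; the foreign-link check is a sender-side sanity test that the Diversion mail passed and most of the list-vendor spam fails.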

Somehow this reminds me of when I was parked in Home Depot, and there was someone running around, putting flyers on everyone's windshields, saying "Advertise in the Pennysaver, call this number!" Huh? If the Pennysaver is such an effective means of advertising and communications, why do you need to be paper-spamming cars?

I mean, let's face it, marketing data is an asset, and I suspect, as Diversions is discovering right now, you get what you pay for. Or better still, let the buyer beware!

gushi: (Default)

So recently, I've been getting spam with lots of random text in it, and a single PNG image.

The images look like this (two sample spam images, not reproduced here).

You see, the spammers are smart: they use filenames that are similar to the ones used by digital cameras (although I don't think I've seen a digital camera that makes a .png).

Since the spam is just an image, there's no way to really recognize it, is there? I mean, you can look at the spammishness of the hosts, assuming they get reported. You can't check the text of the image, or the URLs in the image...and looking at plain image size and type doesn't really help.

...or can you:

```
Apr 29 15:25:05 quark spamd[15515]: spamd: connection from prime.gushi.org [72.9.101.130] at port 50049
Apr 29 15:25:05 quark spamd[15515]: spamd: processing message <000d01c9c904$b6dc41b0$6400a8c0@icons6902> for demon:58
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Processing Message with ID "<000d01c9c904$b6dc41b0$6400a8c0@icons6902>" ("Dale Barrett" <icons6902@ultratune.com> -> <109k086i.0104649@necro.ws>)
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: PNG: [240x400] DSC9264.png (7742)
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Found: 1 images
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Found PNG header name="DSC9264.png"
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Image hashing disabled in configuration, skipping...
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Scanset Order: ocrad(5) ocrad-decolorize(0) ocrad-invert(0) ocrad-decolorize-invert(0) gocr(0) gocr-180(0)
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Scanset "ocrad" found word "cialis" with fuzz of 0.0000
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: line: "viagra cialis special offer"
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Scanset "ocrad" found word "cialis" with fuzz of 0.0000
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: line: "cialis special offer"
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Scanset "ocrad" found word "viagra" with fuzz of 0.0000
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: line: "viagra cialis special offer"
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Scanset "ocrad" found word "viagra" with fuzz of 0.1667
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: line: "lo x vagra loo mg lo x cals omg lgg"
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Scanset "ocrad" found word "viagra" with fuzz of 0.0000
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: line: "viagra hot offer"
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Scanset "ocrad" generates enough hits (5), skipping further scansets...
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Message is spam, score = 10.500
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: Words found:
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: "cialis" in 2 lines
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: "viagra" in 3 lines
Apr 29 15:25:08 quark spamd[15515]: FuzzyOcr: (7.5 word occurrences found)
Apr 29 15:25:08 quark spamd[15515]: spamd: identified spam (19.0/5.0) for demon:58 in 2.6 seconds, 18406 bytes.
```
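
What the log is doing after ocrad has turned the PNG into text, as an added example rather than FuzzyOcr's own code: each OCR token is compared with each keyword by edit distance divided by keyword length (an assumed metric, chosen because it reproduces the 0.1667 the log reports for "vagra" against "viagra"), anything under an assumed cutoff of 0.3 counts as a hit, and the per-keyword line counts are tallied the way the "Words found" block reports them. The four OCR lines are the ones shown in the log above.

```python
"""Fuzzy keyword matching over OCR output, the step after ocrad/gocr.

Added example, not FuzzyOcr's code. Fuzz metric and 0.3 cutoff are assumptions
for this example; the OCR lines are those from the spamd log.
"""

OCR_LINES = [
    "viagra cialis special offer",
    "cialis special offer",
    "lo x vagra loo mg lo x cals omg lgg",   # OCR noise from the same image
    "viagra hot offer",
]
KEYWORDS = ["cialis", "viagra"]
MAX_FUZZ = 0.3     # assumed cutoff: "cals" vs "cialis" is 2/6 = 0.3333 and stays out
ENOUGH_HITS = 5    # the log stops after 5 hits from the first scanset


def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzz(keyword, token):
    """Distance normalised by keyword length: 'vagra' vs 'viagra' -> 1/6."""
    return levenshtein(keyword, token) / len(keyword)


def scan_line(line, keywords=KEYWORDS, max_fuzz=MAX_FUZZ):
    """[(keyword, token, fuzz)] for every whitespace token within the cutoff."""
    hits = []
    for tok in line.lower().split():
        for kw in keywords:
            f = fuzz(kw, tok)
            if f <= max_fuzz:
                hits.append((kw, tok, round(f, 4)))
    return hits


def scan_image_text(lines, keywords=KEYWORDS, max_fuzz=MAX_FUZZ, enough=ENOUGH_HITS):
    """Summarise like the log: total hits, lines per keyword, and whether the
    hit count alone is enough to call the image spam."""
    hits, lines_per_kw = [], {kw: 0 for kw in keywords}
    for line in lines:
        line_hits = scan_line(line, keywords, max_fuzz)
        hits.extend(line_hits)
        for kw in {h[0] for h in line_hits}:
            lines_per_kw[kw] += 1
    return {"hits": len(hits), "lines": lines_per_kw, "spam": len(hits) >= enough}


if __name__ == "__main__":
    for line in OCR_LINES:
        for kw, tok, f in scan_line(line):
            print(f'found word "{kw}" as "{tok}" with fuzz of {f:.4f} in: "{line}"')
    print(scan_image_text(OCR_LINES))
```

The cutoff is the tuning knob: too low and the deliberately degraded text ("vagra", "cals") slips through, too high and ordinary OCR noise starts matching short keywords, so keep the keyword list to words long enough that one or two edits still leave them unambiguous.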

Note to spammers: if you get past my filters, you get my attention. And then, I find a way to kill you.

Page generated Sep. 26th, 2017 07:17 am
Powered by Dreamwidth Studios