easyweb.co.uk - spam

Greylisting - Another Spam Barrier

Mon, 09 May 2005 21:30:48 +0000

Having had previous success with the Great Wall of Spam and DSPAM, I was still a bit annoyed by the amount of spam making it to the DSPAM quarantine, and so to be periodically scanned and a small number of false positives permitted through.

I'd been hearing a bit about Greylisting, and Mike had had some good results with it, so thought I'd give it a go. A wee mail SNAFU last week was the trigger, and I installed qgreylist as a layer between IP blocking and DSPAM.

The way it works is like this: SMTP is designed to be tolerant of downtime of the recipient mailhost. So if a sending hosts discovers a problem, it'll wait a bit, then try again (and if it still has a problem, will wait for a longer time and try again - repeat for a few days until finally giving up). However, spam-sending software is designed for maximum volume throughput, not maximum %age reaching destination, both for not sweating the small stuff reasons, and because spam-senders tend to get blackholed within a few hours. So generally, it doesn't follow this part of the SMTP protocol.

So what happens when you deliberately cause a temporary problem to every piece of mail? Spam generally doesn't get repeated - it disappears before reaching your MTA. As long as you keep a track of mailservers that have tried to send you mail, and accept mail the second time around, real mail still gets through.

The results are impressive: my average 60-80 spams a day has been cut to around 10. Checking the DSPAM quarantine is no longer a nightmare if you leave it a few days. And as far as I know, no real mail has been lost.

Spammers Keep Up with the Headlines

Mon, 04 Apr 2005 19:59:25 +0000

So it would seem that our friendly neighbourhood 419 scammers have updated their lists of widows of former leaders who've (allegedly) stashed large sums away, and just need a friendly person wishing to smuggle it into the UK.

I received one today, which started:

Dear Intending partner

This mail may not be surprising to you if you have been following current events in the international media with reference to the Middle East and Palestine in particular.

I am Mrs. SUHA ARAFAT, the wife of YASSER ARAFAT, the Palestinian leader who died recently in Paris.

DSPAM rightly quarantined it, estimating probability of spamminess at 1.00000 with a confidence level of 99.97%.

Honestly, I'm expecting to get one in a few weeks time claiming to be the Pope's secret widow...

Great Wall of Spam Extended

Tue, 15 Feb 2005 18:36:01 +0000

You now can't email me from Brazil either...

Great Wall of Spam Erected

Mon, 10 Jan 2005 11:20:50 +0000

If you're using a mail host in China and Korea, you can't email me any more, sorry.

Sneaky Spammers

Thu, 12 Aug 2004 08:57:09 +0000

Spammers use all kinds of tricks to try to get their mail through spam filters - forged addresses, additional faked headers, obfuscated subjects, adding lists of non-spammish words or even whole jokes. But this one took the biscuit.

SPF

Wed, 11 Aug 2004 12:48:36 +0000

Sender Policy Framework - a useful way to reject obvious spams from forged addresses before they hit a computationally intensive classification filter. The acronym association with Sun Protection Factor is intentional, apparently.

http://spf.pobox.com/

SpamAssassin

Wed, 11 Aug 2004 12:39:11 +0000

Reasonably good OpenSource spam filter, using both heuristic and statistical methods. Not as good as a trained DSPAM instance, I've found.

http://spamassassin.apache.org/

SpamAssassin Training Corpus Download

Wed, 11 Aug 2004 11:40:00 +0000

Ham and Spam corpuses, plus a Perl training script to feed them into DSPAM. DSPAM starts off as a totally naive statistical filter, so needs training.

http://nuclearelephant.com/projects/dspam/SA-Corpus.tar.gz

Spam Spam Spam Spam (DSPAM rocks)

Wed, 11 Aug 2004 02:05:30 +0000

Spam - hate it or really hate it, you have to do something about it. Having recently moved my domain home, and being not altogether happy with the number of classification errors that SpamAssassin was throwing out these days, I've now moved to DSPAM, and it works really really well.

Paypal Phishing Scam

Mon, 08 Dec 2003 11:17:43 +0000

I received the following email today:

From: Paypal Manager <pp-money@paypal.com>
Reply-To: pp-money@paypal.com
To: xxxxx@easywebnospam.co.uk
Subject: You received Money !

User junoltd@hotmail.com just send $234.00 USD to you:
Paypal UserID: junoltd
Transaction#: 2856-SP92-16971
Date: 05-12-2003
Comments: Your accout #315191 was selected to receive this months bonus.

We are using Paypal for our payouts. The commission for this service ($27.00) is already deducted from the total bonus payout. Your e-mail address is not associated with Paypal. You have to apply for new account in order to receive your funds. There is additional $50 which you can receive if you add debit card to your account and it is issue from the following banks or their branches: Fleet Boston, Citibank, Banknorth, Suntrust, Chemical, Commerce and M&I. Your card will not be charged, it is used to receive funds from our service. Once you register, the money will appear in your Paypal's account balance in your overview page. You can withdraw the outstanding balance to your debt card's bank account that you added during the registration process. To creat a new Account and to receive Money, Please go to our new created Website :
http://www.paypal-identity.com Dont forget, we value our commitment to answer your query as soon as possible.
Sincerely,
Your Customer Support
If you have any Questions about the Paypal Service, Please go to our SecurityCenter:
http://www.paypal-identity.com/security-center.html

This is transparently an attempt to get me to reveal my PayPal login details, so that the crooks can clean out my account (and credit card).

Important Message

If you receive anything resembling this,

Do not visit the link.
Do not give out any details
Do report it to spoof@paypal.com. You'll get a message back pretty quickly from a real person using their email response system (it will have a tracking ID in the subject, along the lines of KMM38976571V82218L0KM which lets them tie up any response you send back to your original report).

Read on for some of the indicators that this is an obvious fraud attempt.