Educause Security Discussion mailing list archives
Re: Image SPAM Increase?
From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 19 Apr 2006 18:04:47 -0400
While IP Based Black Lists are all pretty good, IMO, the SBL/XBL list from SpamHaus is the best and most accurate. I would not take too much stock in SpamCop. Right now SpamCop has several AOL servers listed. They also have a history of listing major ISPs.

http://www.spamcop.net/w3m?action=checkblock&ip=64.12.137.6

(other AOL Server IPs currently listed on SC: 64.12.136.11 64.12.136.12 64.12.136.13 64.12.136.42 64.12.137.1 64.12.137.2 64.12.137.3 64.12.137.4 64.12.137.5 64.12.137.7 64.12.137.8 64.12.137.9 64.12.138.5)

There are also 'different' types of Black Lists that list URIs/URLs of known spammers. Take a look at http://uribl.com/ (extremely low false positive) and http://www.surbl.org/ (multi-service). These services return hits on the URLs found in most spam (i.e. http://pill-scammerDOTinfo). This type of listing is very good at catching Spam / Phish emails that run on botnets with ever changing IP addresses. This type of Black List will require a product like SpamAssassin that can parse those URLs as part of its filtering process and return a value for it.

There is yet another HASH style blacklist that is very good called IXHASH (http://wiki.apache.org/spamassassin/iXhash).

As to the original question, njabl.org is actually pretty good. Some people seem to have hit or miss results from Five-Ten and SORBS, but they have been pretty reliable for me with hardly any false positives. Some indicate they have timeout issues with these services, but again I have not seen that at my site.

As with all things, nothing in excess! Do not "Block" any email because they are listed on any one service, rather give it a positive score value for being on the list. If it's truly spam, it will be on multiple lists and thus raise the score above your threshold. The default or suggested scoring values are usually good enough.

---
Dave Koontz
Mary Baldwin College
Staunton, VA

Lucas, Bryan wrote:
http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html

Depending on your mail volume, you may have to be selective how many lookups your gateway does. While the above link doesn't get into how aggressive each RBL is, it can help you identify those that are worthwhile. IMHO, this combination, especially when used in conjunction with a multi filtered product (ciphertrust, barracuda, Exchange IMF) produces excellent results:

Spamhaus.org (sbl/xbl)
Cbl.abuseat.org
Dynablock.njabl.org
List.dsbl.org
Bl.spamcop.net
Cn-kr.blackholes.us (only use if you don't need to interact with .CN or .KR)

I have had mixed results with SORBS, RFC-ignorant, PSBL Surriel, and five-ten-sg.com. They are a bit too aggressive for most businesses.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: Lee Weers [mailto:weersl () CENTRAL EDU]
Sent: Wednesday, April 19, 2006 4:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Image SPAM Increase?

Have people used Not Just Another Blacklist? http://www.njabl.org/ It is a blacklist site that maintains a list of DSL, cable modems, etc, to help prevent the botnet spamming. I know an ISP that is using it and highly recommends it. I'd like to hear from more people though.

-----Original Message-----
From: Mark Borrie [mailto:mark.borrie () OTAGO AC NZ]
Sent: Wednesday, April 19, 2006 4:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Image SPAM Increase?

I started seeing these spam messages a few weeks ago and then they stopped getting through. We have used PureMessage for a couple of years and updates to rules occur potentially every 5 minutes. We don't do any rule tuning. The main reason I think that these messages are no longer getting through is the blocker service that is part of PureMessage. A database of IPs known to send spam is maintained and we no longer accept smtp connections from these systems.

Every IP I have checked to date appears to be a home/broadband system, i.e. part of a botnet. Legitimate attempts to send mail receive appropriate error messages so that we can sort out the issue.

Mark

On 19 Apr 2006 at 12:08, Gary Flynn wrote:

Over the past few weeks we've seen a slow increase in SPAM messages related to stock market advice. We're starting to see regular reports from our users of this new (for us) activity. The messages are composed:

1) entirely of images
--or--
2) Images prepended with gibberish

Messages have been received from computers around the world and sources don't seem to repeat. Our email system is assigning them junkmail scores too low to keep them out of regular mailboxes.

Anyone else seeing these? If not, do you know what is keeping you from seeing them? Anti-spam device or product? ORB list? SPF? Custom filter?

How would any SPAM filter be able to deal with a message made up entirely of an image and sent from varying computers? Is it safe to assume there are no filters that have OCR capabilities :)

What actions do you take and/or what recommendations do you offer to users when faced with an increase in unfilterable messages?

thanks,
--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
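Dave's closing advice (give each list hit a score rather than rejecting on any single listing) and the two lookup styles the thread discusses (reversed-IP DNSBL queries for the sending host, URIBL/SURBL queries for domains found in the body) are illustrated by the following script. It is an added example, not code from this thread, from SpamAssassin or from any product named above. The zone names are the public query zones of the listed services as commonly documented; the weights, the threshold, the two-label domain reduction, and the listing table that stands in for DNS answers are all constructed for the example (the 64.12.137.6 entry reproduces the SpamCop listing Dave reports, the 198.51.100.7 host and pill-scammer.example are made up).

```python
"""Score a message against several DNS blacklists instead of blocking on one.

Added example: assumed zone names, illustrative weights and a constructed
offline listing table; none of this is configuration from the thread.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Illustrative weights (assumed, not any filter's defaults). A single hit stays
# below THRESHOLD, so no message is rejected on the word of one list alone.
DNSBL_WEIGHTS: Dict[str, float] = {
    "sbl-xbl.spamhaus.org": 3.0,
    "bl.spamcop.net": 1.5,
    "dynablock.njabl.org": 1.5,
}
URIBL_WEIGHTS: Dict[str, float] = {
    "multi.uribl.com": 2.5,
    "multi.surbl.org": 2.0,
}
THRESHOLD = 5.0

# A resolver answers a DNS name with its A record, or None for NXDOMAIN (not listed).
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, zone appended.
    64.12.137.6 on bl.spamcop.net -> 6.137.12.64.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


_URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def extract_domains(body: str) -> List[str]:
    """Distinct domains named by URLs in the body, in order of first appearance,
    reduced to their last two labels (a simplification: real URIBL clients keep a
    list of two-level TLDs such as co.uk so that the registrable domain is queried)."""
    seen: List[str] = []
    for host in _URL_HOST.findall(body):
        labels = host.lower().strip(".").split(".")
        domain = ".".join(labels[-2:])
        if domain not in seen:
            seen.append(domain)
    return seen


def score_message(client_ip: str, body: str, resolve: Resolver,
                  threshold: float = THRESHOLD) -> Dict[str, object]:
    """Add up the weight of every list that answers for the sending IP or for a
    domain advertised in the body; the message is spam only above the threshold."""
    hits: List[str] = []
    score = 0.0
    for zone, weight in DNSBL_WEIGHTS.items():
        if resolve(dnsbl_query_name(client_ip, zone)) is not None:
            hits.append(zone)
            score += weight
    for domain in extract_domains(body):
        for zone, weight in URIBL_WEIGHTS.items():
            if resolve(f"{domain}.{zone}") is not None:
                hits.append(f"{domain} on {zone}")
                score += weight
    return {"score": score, "hits": hits, "spam": score >= threshold}


def live_resolve(name: str) -> Optional[str]:
    """Real DNS lookup, for use on a gateway; the example below stays offline."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed listing table standing in for DNS answers so the example runs offline.
# 64.12.137.6 is the AOL relay the thread reports as listed on SpamCop only;
# 198.51.100.7 and pill-scammer.example are invented spam sources listed everywhere.
CONSTRUCTED_LISTINGS: Dict[str, str] = {
    "6.137.12.64.bl.spamcop.net": "127.0.0.2",
    "7.100.51.198.sbl-xbl.spamhaus.org": "127.0.0.4",
    "7.100.51.198.bl.spamcop.net": "127.0.0.2",
    "7.100.51.198.dynablock.njabl.org": "127.0.0.2",
    "pill-scammer.example.multi.uribl.com": "127.0.0.2",
    "pill-scammer.example.multi.surbl.org": "127.0.0.2",
}


def offline_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_LISTINGS.get(name)


if __name__ == "__main__":
    # Mail from the AOL relay: one list hit, scored but not rejected.
    print(score_message("64.12.137.6", "Hi, see you Tuesday.", offline_resolve))
    # Botnet host pushing a listed domain: several lists agree, over threshold.
    print(score_message("198.51.100.7",
                        "Hot stock tip! http://www.pill-scammer.example/buy",
                        offline_resolve))
```

The first call scores 1.5 (SpamCop alone) and is delivered, which is the false-positive case Dave describes; the second accumulates 10.5 across all five lists and crosses the threshold. Swapping `offline_resolve` for `live_resolve` turns this into real lookups, at which point the per-message DNS cost Bryan mentions applies and the number of zones queried should be chosen to match mail volume.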