Re: Image SPAM Increase?

[Dave Koontz <dkoontz () MBC EDU>]

While IP Based Black Lists are all pretty good,  IMO, the SBL/XBL list
from SpamHaus is the best and most accurate.  I would not take too much
stalk in SpamCop.  Right now SpamCop has several AOL servers listed.
They also have a history of listing major ISPs.

http://www.spamcop.net/w3m?action=checkblock&ip=64.12.137.6
<http://www.spamcop.net/w3m?action=checkblock&ip=64.12.137.6>

(other AOL Server IPs currently listed on SC: 64.12.136.11 64.12.136.12
64.12.136.13 64.12.136.42 64.12.137.1 64.12.137.2 64.12.137.3
64.12.137.4 64.12.137.5 64.12.137.7 64.12.137.8 64.12.137.9 64.12.138.5 )

There is also 'different' types of  Black Lists that list URIs  /URLs of
known spammers.  Take a look at http://uribl.com/ (extremely low false
positive) and http://www.surbl.org/ (multi-service).  These services
return hits on the URLs found in most spam (ie..
http://pill-scammerDOTinfo).  This type of listing is very good at
catching Spam / Phish emails that run on botnets with ever changing IP
addresses.  This type of Black List will require a product like spam
assassin that can parse those URL's as part of it's filtering process
and return a value for it.

There is yet another HASH style blacklist that is very good called
IXHASH. (http://wiki.apache.org/spamassassin/iXhash).

As to the original question, njabl.org is actually pretty good.  Some
people seem to have hit or miss results from Five-Ten and SORBS, but
they have been pretty reliable for me with hardly any false positives.
Some indicate they have timeout issues with these services, but again I
have not seen that at my site.

As with all things, nothing in excess!  Do not "Block" any email because
they are listed on any one service, rather give it a positive score
value for being on the list.  If it's truly spam, it will be on multiple
lists and thus raise the score above your threshold.  The default or
suggested scoring values are usually good enough.

---
Dave Koontz
Mary Baldwin College
Staunton, VA

Lucas, Bryan wrote:
> http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html
>
> Depending on your mail volume, you may have to be selective how many
> lookups your gateway does.  While the above link doesn't get into how
> aggressive each RBL is, it can help you identify those that are
> worthwhile.
>
> IMHO, this combination, especially when used in conjunction with a multi
> filtered product (ciphertrust, barracuda, Exchange IMF) produces
> excellent results:
> Spamhaus.org (sbl/xbl)
> Cbl.abuseat.org
> Dynablock.njabl.org
> List.dsbl.org
> Bl.spamcop.net
> Cn-kr.blackholes.us (only use if you don't need to interact with .CN or
> .KR)
>
> I have had mixed results with SORBS, RFC-ignorant, PSBL Surriel, and
> five-ten-sg.com.  They are a bit too aggressive for most businesses.
>
> Bryan Lucas
> Server Administrator
> Texas Christian University
> (817) 257-6971
> -----Original Message-----
> From: Lee Weers [mailto:weersl () CENTRAL EDU]
> Sent: Wednesday, April 19, 2006 4:12 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Image SPAM Increase?
>
> Have people used Not just another blacklist?
>
> http://www.njabl.org/
>
> It is a blacklist site that maintains a list of DSL, cable modems, etc,
> to help prevent the botnet spamming.  I know an ISP that is using and
> highly recommends it.  I'd like to hear from more people though.
>
> -----Original Message-----
> From: Mark Borrie [mailto:mark.borrie () OTAGO AC NZ]
> Sent: Wednesday, April 19, 2006 4:01 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Image SPAM Increase?
>
> I started seeing these spam a few weeks ago and then they stopped
> getting through.
>
> We have used PureMessage for a couple of years and updates to rules are
> occur potentially every 5 minutes. We don't do any rule tuning.
>
> The main reason I think that these messages are no longer getting
> through is the blocker service that is part of PureMessage. A database
> of IPs known to send spam is maintained and we no longer accept smtp
> connections from these systems. Every IP I have checked to date appears
> to be a home/broadband system, i.e. part of a botnet.
> Legitimate attempts to send mail receive appropriate error messages so
> that we can sort out the issue.
>
> Mark
>
> On 19 Apr 2006 at 12:08, Gary Flynn wrote:
>
>
> > Over the past few weeks we've seen a slow increase in SPAM messages
> > related to stock market advice. We're starting to see regular reports
> > from our users of this new ( for us ) activity. The messages are
> > composed:
> >
> > 1) entirely of images
> >
> > --or--
> >
> > 2) Images prepended with gibberish
> >
> > Messages have been received from computers around the
> > world and sources don't seem to repeat.
> >
> > Our email system is assigning them junkmail scores too
> > low to keep them out of regular mailboxes.
> >
> > Anyone else seeing these? If not, do you know what is
> > keeping you from seeing them? Anti-spam device or
> > product? ORB list? SPF? Custom filter?
> >
> > How would any SPAM filter be able to deal with a message
> > made up entirely of an image and sent from varying
> > computers? Is it safe to assume there are no filters
> > that have OCR capabilities :)
> >
> > What actions do you take and/or what recommendations do
> > you offer to users when faced with an increase in
> > unfilterable messages?
> >
> > thanks,
> >
> > --
> > Gary Flynn
> > Security Engineer
> > James Madison University
> > www.jmu.edu/computing/security