Educause Security Discussion mailing list archives
Re: Image SPAM Increase?
From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 19 Apr 2006 12:59:14 -0400
I am sure this is botnet traffic. I have watched these connections and they come from all kinds of different IP address ranges simultaneously. Using the SARE rules I mentioned before and changing the SARE_GIF_STOX scoring should catch these. In addition, look at running SA DNSRBL and perhaps install the IXHash Plugin for SA (LOGINHASH1 and LOGINHASH2). Scan results for a similar message below:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13)
X-Spam-Level: ***************************
X-Spam-Status: Yes, score=27.1 required=5.0 tests=BAYES_50,EXTRA_MPART_TYPE,
        HTML_90_100,HTML_IMAGE_ONLY_08,HTML_MESSAGE,LOGINHASH2,
        MESSAGE_SNIFFER,MIME_HTML_MOSTLY,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
        SARE_GIF_ATTACH,SARE_GIF_STOX autolearn=spam version=3.1.0
X-Spam-Report:
        *  5.0 MESSAGE_SNIFFER Flagged by message sniffer (www.sortmonster.com)
        *  1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
        *  0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
        *  1.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  3.1 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
        *  1.6 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        *      [score: 0.5574]
        *  2.0 LOGINHASH2 BODY: mail has been classified as spam @ unknown
        *      company, Germany
        *  4.0 SARE_GIF_ATTACH FULL: Email has a inline gif
        *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
        *      [84.139.36.150 listed in dnsbl.sorbs.net]
        *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
        *      [84.139.36.150 listed in combined.njabl.org]
        *  5.0 SARE_GIF_STOX Inline Gif with little HTML

-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, April 19, 2006 12:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Image SPAM Increase?

Gary Flynn wrote:
Ken Connelly wrote:
Anything common about these messages that would help me find/identify them?

The only thing I've seen so far is that the X-mailer header in all of them is Microsoft Outlook Express. Different versions though. I wonder if this could be a sign the senders are BOTS. Subject, return path, source IP address, image name, image file, all vary.
One more thing. The mail headers I've seen always indicate two hops to us. The sending IP address always seems to be a member of the same network as the interim hop. I haven't tried to verify yet but it would lead me to suspect they're sent by BOTS ( random clients -> clients' organizational mail servers -> target ). If so, I would assume something like SPF would be ineffective because the e-mail would be coming from valid organizational servers.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
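To see how the scoring in the report Dave posted adds up, and what raising SARE_GIF_STOX (as he suggests) does to a lighter image-only message, here is an added Python example. It is not code from the list post or from SpamAssassin itself: it parses the X-Spam-Report lines quoted above and a local.cf-style `score` directive, then recomputes the verdict with and without the override. The second, lighter report and the 1.0 stock score it gives SARE_GIF_STOX are constructed for illustration, not taken from the thread or from any SARE ruleset. Note that SpamAssassin prints each rule's score rounded to one decimal, so the sum of the printed lines (26.9) does not exactly match the 27.1 in X-Spam-Status.

```python
"""Recompute a SpamAssassin verdict from an X-Spam-Report header and show how
a local.cf score override changes it.

Added example; not code from the list post or from SpamAssassin.
"""
import re
from typing import Dict, Optional, Tuple

# Per-rule lines of the X-Spam-Report quoted in the post above.
POSTED_REPORT = """\
X-Spam-Report:
        *  5.0 MESSAGE_SNIFFER Flagged by message sniffer (www.sortmonster.com)
        *  1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
        *  0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
        *  1.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  3.1 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
        *  1.6 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        *      [score: 0.5574]
        *  2.0 LOGINHASH2 BODY: mail has been classified as spam @ unknown
        *      company, Germany
        *  4.0 SARE_GIF_ATTACH FULL: Email has a inline gif
        *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
        *      [84.139.36.150 listed in dnsbl.sorbs.net]
        *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
        *      [84.139.36.150 listed in combined.njabl.org]
        *  5.0 SARE_GIF_STOX Inline Gif with little HTML
"""

# Constructed (not from the post): a lighter image-only message that trips
# only the image rules. The 1.0 for SARE_GIF_STOX is an assumed stock score.
LIGHT_REPORT = """\
X-Spam-Report:
        *  3.1 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  1.0 SARE_GIF_STOX Inline Gif with little HTML
"""

# Override in SpamAssassin's own local.cf syntax: "score RULE value".
LOCAL_CF = """\
# raise the inline-GIF rule, as suggested in the post
score SARE_GIF_STOX 5.0
"""

_RULE = re.compile(r"^\s*\*\s+(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s*(.*)$")
_SCORE_DIRECTIVE = re.compile(r"^\s*score\s+([A-Z][A-Z0-9_]*)\s+(-?\d+(?:\.\d+)?)")


def parse_report(report: str) -> Dict[str, Tuple[float, str]]:
    """Map rule name -> (score, description).

    Continuation lines ("[score: ...]", "[ip listed in ...]") carry no
    score/rule pair and are skipped by the regex.
    """
    hits: Dict[str, Tuple[float, str]] = {}
    for line in report.splitlines():
        m = _RULE.match(line)
        if m:
            hits[m.group(2)] = (float(m.group(1)), m.group(3))
    return hits


def parse_local_cf_scores(text: str) -> Dict[str, float]:
    """Pull 'score RULE value' directives out of a local.cf fragment."""
    overrides: Dict[str, float] = {}
    for line in text.splitlines():
        m = _SCORE_DIRECTIVE.match(line)
        if m:
            overrides[m.group(1)] = float(m.group(2))
    return overrides


def total_score(hits: Dict[str, Tuple[float, str]],
                overrides: Optional[Dict[str, float]] = None) -> float:
    """Sum the hits, substituting any locally overridden scores."""
    overrides = overrides or {}
    return round(sum(overrides.get(rule, score)
                     for rule, (score, _) in hits.items()), 1)


def is_spam(hits: Dict[str, Tuple[float, str]], required: float = 5.0,
            overrides: Optional[Dict[str, float]] = None) -> bool:
    """SpamAssassin's verdict: total >= required_score."""
    return total_score(hits, overrides) >= required


def dul_hits(hits: Dict[str, Tuple[float, str]]):
    """Rules that fired because the sender was a dynamic/dialup address:
    the tell, discussed in the thread, that the sender is a bot rather
    than a mail server."""
    return sorted(r for r in hits if r.endswith("_DUL"))


if __name__ == "__main__":
    posted = parse_report(POSTED_REPORT)
    print("posted message:", total_score(posted), is_spam(posted), dul_hits(posted))
    light = parse_report(LIGHT_REPORT)
    ov = parse_local_cf_scores(LOCAL_CF)
    print("light message, stock scores:", total_score(light), is_spam(light))
    print("light message, local.cf override:", total_score(light, ov),
          is_spam(light, overrides=ov))
```

The heavily-hit message in the post is spam by a wide margin whatever SARE_GIF_STOX is worth; the override matters for the constructed lighter message, which sits under the 5.0 threshold with the assumed stock score and crosses it once the rule is raised. The `_DUL` filter shows the two dynamic-IP blocklist hits on 84.139.36.150 that line up with the botnet theory in the thread.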
Current thread:
- Re: Image SPAM Increase? Joe St Sauver (Apr 19)
- <Possible follow-ups>
- Image SPAM Increase? Gary Flynn (Apr 19)
- Re: Image SPAM Increase? Ken Connelly (Apr 19)
- Re: Image SPAM Increase? Dan Oachs (Apr 19)
- Re: Image SPAM Increase? Gary Flynn (Apr 19)
- Re: Image SPAM Increase? Dave Koontz (Apr 19)
- Re: Image SPAM Increase? Gary Flynn (Apr 19)
- Re: Image SPAM Increase? Bruggeman, John (Apr 19)
- Re: Image SPAM Increase? Dave Koontz (Apr 19)
- Re: Image SPAM Increase? Gary Flynn (Apr 19)
- Re: Image SPAM Increase? Gary Flynn (Apr 19)
- Re: Image SPAM Increase? Ken Connelly (Apr 19)
- Re: Image SPAM Increase? Dan Oachs (Apr 19)
- Re: Image SPAM Increase? Les LaCroix (Apr 19)
- Re: Image SPAM Increase? Graham Toal (Apr 19)
- Re: Image SPAM Increase? Mark Borrie (Apr 19)
- Re: Image SPAM Increase? Lee Weers (Apr 19)
- Re: Image SPAM Increase? Lucas, Bryan (Apr 19)
- Re: Image SPAM Increase? Dave Koontz (Apr 19)
(Thread continues...)