Educause Security Discussion mailing list archives

Re: Image SPAM Increase?


From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Wed, 19 Apr 2006 16:35:41 -0500

http://www.sdsc.edu/~jeff/spam/Blacklists_Compared.html

Depending on your mail volume, you may have to be selective about how many
lookups your gateway does.  While the above link doesn't get into how
aggressive each RBL is, it can help you identify those that are
worthwhile.

IMHO, this combination, especially when used in conjunction with a
multi-filter product (CipherTrust, Barracuda, Exchange IMF), produces
excellent results:
spamhaus.org (sbl/xbl)
cbl.abuseat.org
dynablock.njabl.org
list.dsbl.org
bl.spamcop.net
cn-kr.blackholes.us (only use if you don't need to interact with .CN or
.KR)

I have had mixed results with SORBS, RFC-ignorant, PSBL Surriel, and
five-ten-sg.com.  They are a bit too aggressive for most businesses.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
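The following is an added example, not code from Bryan's message or from any of the products named in the thread. It shows the mechanics behind the RBL combination above: the connecting client's IPv4 address is reversed and looked up under each zone, the lookups stop at the first listing (which is what keeps the per-connection query count down on a busy gateway), and a hit becomes a 5xx reply at connect time. The zone names are the ones from the post; the meanings assigned to the sbl-xbl 127.0.0.x answer codes are an assumed table, and the resolver is injectable so the example runs against constructed answers without network access.

```python
"""DNSBL gateway check: reversed-octet query per zone, stop at the first
hit, turn the answer into an SMTP reply.

Added example. Zone names come from the post; the SBL/XBL answer-code
table is an assumption; the resolver is injectable so it runs offline."""
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Tried in this order, stopping at the first listing, so the zone that
# catches most of your spam should come first: a rejected connection
# then costs one query instead of five.
DEFAULT_ZONES = [
    "sbl-xbl.spamhaus.org",
    "cbl.abuseat.org",
    "dynablock.njabl.org",
    "list.dsbl.org",
    "bl.spamcop.net",
]

# Assumed meanings of the combined SBL/XBL answer codes.
SBL_XBL_CODES = {"127.0.0.2": "SBL", "127.0.0.4": "XBL", "127.0.0.5": "XBL",
                 "127.0.0.6": "XBL", "127.0.0.7": "XBL"}

# Never look these up: loopback and RFC 1918 space are your own relays
# and clients, and lists answer for 127.0.0.2 by design as a test entry.
_SKIP = [ipaddress.ip_network(n) for n in
         ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """203.0.113.9 + zone -> 9.113.0.203.zone (IPv4 only)."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError(f"IPv4 only: {ip}")
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Default resolver: A records via the OS stub resolver."""
    return socket.gethostbyname_ex(name)[2]


def lookup(ip: str, zone: str, resolve: Resolver) -> List[str]:
    """Answers in 127/8 for ip under zone; [] means not listed (NXDOMAIN
    surfaces as socket.gaierror). Answers outside 127/8 are dropped: a
    parked or retired list domain can wildcard a public address and
    would otherwise block every client."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except (socket.gaierror, socket.herror):
        return []
    return [a for a in answers if a.startswith("127.")]


def check_client(ip: str, zones: List[str] = DEFAULT_ZONES,
                 resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Run the connecting client through the zones in order; return the
    query count, the zone that listed it (if any) and the SMTP reply."""
    result = {"ip": ip, "queries": 0, "zone": None, "codes": [], "reply": "250 OK"}
    if any(ipaddress.ip_address(ip) in net for net in _SKIP):
        return result
    for zone in zones:
        result["queries"] += 1
        codes = lookup(ip, zone, resolve)
        if codes:
            names = ([SBL_XBL_CODES.get(c, c) for c in codes]
                     if zone.startswith("sbl-xbl") else codes)
            result.update(zone=zone, codes=codes,
                          reply=f"554 5.7.1 Service unavailable; client host [{ip}] "
                                f"blocked using {zone} ({', '.join(names)})")
            return result
    return result


# Constructed answers standing in for live DNS so the example runs offline.
FAKE_DNS = {
    "9.113.0.203.sbl-xbl.spamhaus.org": ["127.0.0.4"],  # XBL hit in the first zone
    "9.113.0.203.bl.spamcop.net": ["127.0.0.2"],        # never queried: short-circuit
    "7.113.0.203.list.dsbl.org": ["127.0.0.2"],         # only the fourth zone lists it
    "8.113.0.203.cbl.abuseat.org": ["198.51.100.1"],    # bogus non-127 answer, ignored
}


def fake_resolver(name: str) -> List[str]:
    if name not in FAKE_DNS:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_DNS[name]


if __name__ == "__main__":
    for client in ("203.0.113.9", "203.0.113.7", "203.0.113.8", "10.1.2.3"):
        r = check_client(client, resolve=fake_resolver)
        print(client, r["queries"], "queries ->", r["reply"])
```

Swap `fake_resolver` for `system_resolver` to query live lists; the 127/8 filter in `lookup` is the check that protects you when one of the zones in the list is later retired.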
-----Original Message-----
From: Lee Weers [mailto:weersl () CENTRAL EDU] 
Sent: Wednesday, April 19, 2006 4:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Image SPAM Increase?

Have people used Not just another blacklist?

http://www.njabl.org/

It is a blacklist site that maintains a list of DSL, cable modems, etc.,
to help prevent the botnet spamming.  I know an ISP that is using it and
highly recommends it.  I'd like to hear from more people though.

-----Original Message-----
From: Mark Borrie [mailto:mark.borrie () OTAGO AC NZ] 
Sent: Wednesday, April 19, 2006 4:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Image SPAM Increase?

I started seeing these spam a few weeks ago and then they stopped
getting through.

We have used PureMessage for a couple of years and updates to rules
occur potentially every 5 minutes. We don't do any rule tuning.

The main reason I think that these messages are no longer getting
through is the blocker service that is part of PureMessage. A database
of IPs known to send spam is maintained and we no longer accept smtp
connections from these systems. Every IP I have checked to date appears
to be a home/broadband system, i.e. part of a botnet. 
Legitimate attempts to send mail receive appropriate error messages so
that we can sort out the issue.

Mark

On 19 Apr 2006 at 12:08, Gary Flynn wrote:

Over the past few weeks we've seen a slow increase in SPAM messages
related to stock market advice. We're starting to see regular reports
from our users of this new ( for us ) activity. The messages are
composed:

1) entirely of images

--or--

2) Images prepended with gibberish

Messages have been received from computers around the
world and sources don't seem to repeat.

Our email system is assigning them junkmail scores too
low to keep them out of regular mailboxes.

Anyone else seeing these? If not, do you know what is
keeping you from seeing them? Anti-spam device or
product? ORB list? SPF? Custom filter?

How would any SPAM filter be able to deal with a message
made up entirely of an image and sent from varying
computers? Is it safe to assume there are no filters
that have OCR capabilities :)

What actions do you take and/or what recommendations do
you offer to users when faced with an increase in
unfilterable messages?

thanks,

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

-- 
Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-5080, Mobile +64 27 609-6409
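Gary asks how a content filter could score a message that is entirely an image, or an image prepended with gibberish, when the sending hosts never repeat. The replies above answer with sender-IP reputation; the following is an added example, not from any message in the thread or from PureMessage, showing the complementary content-side signal: extract the message's visible text and inline images with Python's standard `email` package and flag a message that carries an image with no readable prose around it. The thresholds and the vowel-based "does this token look like a word" test are assumptions chosen to illustrate the idea; a production filter would feed these features into its scoring engine rather than decide on them alone. The sample messages are constructed inline.

```python
"""Content-side heuristic for image spam: an inline image whose
surrounding text is absent, tag-only, or unreadable.

Added example. The word-shape test and the thresholds are assumptions;
the sample messages below are constructed for the demonstration."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, Optional

WORD_RE = re.compile(r"[A-Za-z]+")
VOWEL_RE = re.compile(r"[aeiouyAEIOUY]")


def gibberish_ratio(text: str) -> float:
    """Share of alphabetic tokens that do not look like words. Toy rule
    (assumed): a word is at most 12 letters and contains a vowel.
    Returns 0.0 for text with no alphabetic tokens."""
    tokens = WORD_RE.findall(text)
    if not tokens:
        return 0.0
    wordlike = sum(1 for t in tokens if len(t) <= 12 and VOWEL_RE.search(t))
    return 1.0 - wordlike / len(tokens)


def image_spam_features(raw: bytes) -> Dict[str, object]:
    """Walk the MIME tree, count image parts, collect the visible text
    (HTML with tags stripped so a page that is only <img> counts as
    empty) and apply the assumed rule: image present and either fewer
    than 5 visible words or more than half of them unreadable."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    text, images = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype == "text/plain":
            text.append(part.get_content())
        elif ctype == "text/html":
            text.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    body = " ".join(text)
    words = len(WORD_RE.findall(body))
    gib = gibberish_ratio(body)
    return {"images": images, "words": words, "gibberish": round(gib, 2),
            "image_spam": images > 0 and (words < 5 or gib > 0.5)}


def build_sample(text: Optional[str], html: bool = False) -> bytes:
    """Constructed message: optional text part plus a tiny inline GIF.
    text=None produces a message that is nothing but the image."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.edu"
    m["Subject"] = "Hot stock pick"
    gif = b"GIF89a\x01\x00\x01\x00"  # header bytes only; content is irrelevant here
    if text is None:
        m.set_content(gif, maintype="image", subtype="gif")
    else:
        m.set_content(text, subtype="html" if html else "plain")
        m.add_related(gif, maintype="image", subtype="gif", cid="<pick@example.com>")
    return m.as_bytes()


SAMPLES = {
    "image_only": build_sample(None),
    "gibberish_plus_image": build_sample("xkqz tfhw rrplm vcdsk qwrtp zzzx"),
    "html_img_only": build_sample('<html><body><img src="cid:pick@example.com"></body></html>', html=True),
    "legit_with_chart": build_sample("Hi Bob, the quarterly chart we discussed on Monday is "
                                     "inline below. Let me know if you want the spreadsheet."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, image_spam_features(raw))
```

Two caveats a practitioner would want: the gibberish test is deliberately crude (dictionary words in random order, another common padding technique, pass it), and a newsletter that is one large image with a one-line caption would also trip the rule, so treat the result as a score contribution and let the IP-reputation checks the other replies describe do the blocking.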
