Influx of spam recently - ORF Forums

1

Over the past couple of weeks I've had an influx of spam. It started around the beginning of September, and primarily has been all text emails notifying me of a web order, next of kin, funds for charity, payment with ATM cards, etc. Most of the emails appear to come from legitimate email servers. I am running all the tests on ORF except the Honeypot, Greylisting, and attachment filtering. I am running the following blacklist lists: Barracuda, SORBS Combined List, SpamCop, & Spamhaus ZEN.

The email titles or bodies have not been consistent enough to set up any reliable filtering. I'm guessing that greylisting is probably the best option, but wanted to see if others have any other suggestions or recommendations on blacklists to use. I have not used greylisting in the past due to the fact it slows down email delivery.

Any input is appreciated.

Thanks
Josh

by Joshua Colombo more than 10 years ago
2

@Joshua Colombo: these sound like scam emails (http://en.wikipedia.org/wiki/Advance-fee_fraud). Regular spam filtering methods can do little against these, as they are not spam, actually: spam is unsolicited bulk commercial email, which means it is distributed in large quantities (sent to thousands of addresses) and tries to sell you something, so it contains links to spamvertized websites. The sender hosts are usually part of a larger botnet: this means the DNS Blacklist test detects most of them, and the rest are caught by the URL Blacklist test which detects the spamvertized URIs, or by the SPF test as the sender domain is usually spoofed, etc.

Scam is a different matter: they are usually sent by human beings to single recipients, using free email providers like Hotmail and Yahoo Mail, so the DNS Blacklist test will allow them through (since the senders are legitimate hosts). This means Greylisting won't help either: as Yahoo and Hotmail servers work as per standards, they will re-attempt delivering the scam if they encounter a temporary rejection. Scam emails do not contain any URLs, so the URL blacklist test won't pick them up.

Your best shot is Keyword filtering: sentences and phrases like "It is understandable that you might be a little bit apprehensive because you do not know me but I have a lucrative business proposal of mutual interest to someone who suits my proposed business relationship." or "I'm a dying widow" will hardly come up in legitimate email correspondence. I suggest checking these emails for similarities, phrases which are not present in valid emails, then you can build Keyword expressions to detect them (e.g., if the email contains all of the following expressions: "Dear Friend" and "next of kin" and "dollars" and "bank", blacklist it).

You can also try using the anti-scam definitions of ClamAV as an External Agent (http://www.vamsoft.com/clamav-guide-part2.asp) but please consider that some false positives may occur (the quality of these signatures varies), so it is strongly suggested to only tag emails detected by the agent, and to use the Auto Sender Whitelist feature to lower the risk.

by Krisztian Fekete (Vamsoft) more than 10 years ago
(in reply to this post)

3

Krisztian,

Thanks for the comments. Yeah, I agree with you, I need to go through all the emails and see what commonality they have and set up some keyword blacklists. I just haven't had much time to do that yet. I'll try and do that this weekend.

Thanks again for the comments.
Josh

by Joshua Colombo more than 10 years ago
4

@Joshua Colombo: I have seen a big influx as well but in our case it is mostly no text at all, just 3 images. Is there a way to catch emails like that?

by mike g more than 10 years ago
(in reply to this post)

5

@mike g: There might be a way to deal with them directly (by looking for specific patterns), but that is usually quite time-consuming and difficult. I am not sure if you have seen our best practices guide at http://vamsoft.com/downloads/getmostguide.pdf - implementing the recommendations from this document usually improves spam detection rate significantly.

by Peter Karsai (ORF Team) more than 10 years ago
(in reply to this post)

6

@Peter Karsai (ORF Team): Thanks Peter, I long ago followed the recommendations in that guide and am very happy with the overall effectiveness of my setup. I asked the question because I noticed this problem with email I monitor that doesn't pass through ORF filtering and was wondering specifically if there was a way to write a regex to filter email if there was no text in the message body - just embedded images.

by mike g more than 10 years ago
(in reply to this post)

7

@mike g: theoretically, it is possible to write a regex which detects if there are no "Content-Type: text/plain;" and "Content-Type: text/html;" parts in the email header (only "Content-Type: image/gif;" or something like that), but the spam samples I checked with embedded images had both, even if there was no text in the email at all, so I do not think it is the best way to catch such spam.

You could try adding

^\s*$

to the Keyword Blacklist with "body" scope to detect emails with no text, but this does not check the existence of embedded images, so it might catch legitimate emails sent with no text but attachments only.

Fortunately (as Peter mentioned), such emails are detected by other tests, so if you started filtering these emails with ORF, I think this would be a non-issue.

by Krisztian Fekete (Vamsoft) more than 10 years ago
(in reply to this post)
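
The two rules discussed in this thread, as an added example that is not from the ORF forum or from Vamsoft: Krisztian's "all of these keywords must appear" expression from post #2, and the blank-body check with the image caveat from post #7, applied to constructed sample messages with Python's standard email library. The keyword list, tag names and sample messages are assumptions for illustration; ORF itself is not scripted here.

```python
import re
from email.message import EmailMessage

# Keyword combination from post #2: tag only when ALL of these appear in the body.
SCAM_KEYWORDS = ("dear friend", "next of kin", "dollars", "bank")
# The ^\s*$ expression from post #7, applied per text part ("body" scope).
BLANK_BODY = re.compile(r"^\s*$")

def text_bodies(msg):
    """Decoded text/plain and text/html bodies (inline text, not attachments)."""
    return [p.get_content() for p in msg.walk()
            if p.get_content_maintype() == "text" and not p.is_attachment()]

def matches_scam_keywords(msg, keywords=SCAM_KEYWORDS):
    body = " ".join(text_bodies(msg)).lower()
    return all(k in body for k in keywords)

def is_image_only(msg):
    """All text parts blank (or absent) AND at least one image part present.
    Requiring an image part is what keeps text-less mail carrying only a
    document attachment out of this rule (the false positive noted in post #7)."""
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    return has_image and all(BLANK_BODY.match(t) for t in text_bodies(msg))

def classify(msg):
    """Tag the message the way a small keyword-style rule set would."""
    if matches_scam_keywords(msg):
        return "scam-keywords"
    if is_image_only(msg):
        return "image-only"
    return "pass"

def build_sample(text, images=0, docs=0):
    """Constructed test message (not a real sample): text body plus fake attachments."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    msg.set_content(text)
    for i in range(images):
        msg.add_attachment(b"GIF89a", maintype="image", subtype="gif", filename=f"{i}.gif")
    for i in range(docs):
        msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename=f"{i}.pdf")
    return msg

if __name__ == "__main__":
    scam = "Dear Friend,\nAs next of kin you will receive 4.5 million dollars via my bank."
    print(classify(build_sample(scam)))          # scam-keywords
    print(classify(build_sample("", images=3)))  # image-only
    print(classify(build_sample("", docs=1)))    # pass: attachment only, no image
```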

8

@Krisztian Fekete (Vamsoft): Krisztian,

Just out of curiosity, do you guys plan to incorporate anti-scam filtering in Orf 5?

Thanks
Josh

by Joshua Colombo more than 10 years ago
(in reply to this post)

9

@Joshua Colombo: Yes, we definitely plan to address this in future versions.

by Krisztian Fekete (Vamsoft) more than 10 years ago
(in reply to this post)

10

Ok, thanks Krisztian!

It would be very helpful to have a solution for multiple spam/scam type emails in one program.

Josh

by Joshua Colombo more than 10 years ago
