Irritating and continuous HTML image spam - US Share plugs
Yep, I have been getting them too - it started about 4 weeks ago, I got 3 or 4 per day but now I don't seem to be getting any, although I am now getting a load of 'make lots of money/sales and marketing' spam. Probably from the same spammers as the stock market ones.
Nightowl
Forever going one step forwards and two
backwards......
Funny you should mention that, same here, as I am 'no-tichie-r-me' what do I do? Had the odd, give you loads a money you give me some back stuff, do you need help with........ @e@, $ for sale cheap, etc, could it be coming from here? should I have said that? is someone watching?
Gascony Goat wrote: This has been happening to me too, so it does seem that the common denominator is LMH - it started about, ummm.... 3 weeks ago?
Off to join the chat room on Goatworld - maybe someone there has the answer....
I'll check out son of Pistolero while I'm about it...
- Giddy Goat
- Posts: 9054
- Joined: Sun Jun 12, 2005 7:38 am
- Location: UK
- Contact:
The ones we have been getting have not been via our own website, but via our usual email address, which is the one given to the listing sites to direct inquiries to. The only ones I have received from our website email address were rental related - another listing site touting for business.
Nostalgia isn't what it used to be
- Mountain Goat
- Posts: 6070
- Joined: Wed Apr 19, 2006 1:31 pm
- Location: Leysin, Alpes Vaudoises, Switzerland
- Contact:
Zombies and dictionary attacks
I've been trying to tweak our spam filter to combat the current emails with automatic spring-into-life attachments (most of them US share ramping stuff).
Our web-based mail service guru sent us this - I've got the drift, but not exactly 100% understanding...
The zombie issue hit us harder than any other service first because of the way we are set up with the unlimited aliases.
Essentially every user has their own domain and because we offer users unlimited aliases in over 20 different domains as well as host personal domains some have many more than just one domain. So when the zombies attack domains, they were slamming us. So bad that if not blocked then mail would have ceased to flow completely.
That is when I wrote the anti-zombie code we use. I targeted them not by their payload with text based filtering, because that is a losing battle. Instead I targeted them by the way they hit (they dictionary attack with massive connections all at once), the way their DNS is named or lack of name, and other little signatures (like the fact that they begin spewing data before the HELO..no valid mail server does this, it's not RFC compliant), and block them at the connection in an aging list. We do include the automatic whitelist link for any that are false positives, but I'd be surprised if we see one false positive every couple of months and it's usually not a false positive in the strictest terms (this specific guy was mailing us from an IP that had dictionary attacked us), plus it's a simple click on the link for the false positive to be autowhitelisted. It's actually been very effective, more effective and accurate than any text based filter.
MountainG
Last edited by Mountain Goat on Sat Sep 30, 2006 7:08 am, edited 3 times in total.
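The connection-level approach described in the quoted message above, as an added Python sketch that is not part of the original post and not the mail provider's code. The class and function names, the thresholds, the reverse-DNS pattern and the sample events are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Every threshold and pattern here is an assumption made for illustration.
WINDOW_S = 10       # seconds over which connections from one IP are counted
BURST_LIMIT = 5     # connections allowed per IP inside the window
BLOCK_TTL_S = 3600  # lifetime of a block entry before it ages out
# Reverse-DNS names that embed the IP address or look like consumer pools.
GENERIC_RDNS = re.compile(r"(\d{1,3}[-.]){3}\d{1,3}|dsl|dhcp|dynamic|pool")


class ConnectionFilter:
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> recent connect times
        self.blocked = {}                 # ip -> expiry time (aging list)
        self.whitelist = set()            # filled by the false-positive link

    def check(self, ts, ip, rdns, early_talker):
        """Return 'accept' or 'reject' for one inbound SMTP connection.

        early_talker is True when the client sent bytes before HELO.
        """
        if ip in self.whitelist:
            return "accept"
        if self.blocked.get(ip, 0) > ts:
            return "reject"
        self.blocked.pop(ip, None)  # any old entry has aged out
        seen = self.recent[ip]
        seen.append(ts)
        while ts - seen[0] > WINDOW_S:
            seen.popleft()
        # A missing or generic name halves the tolerated connection rate.
        bad_name = rdns is None or bool(GENERIC_RDNS.search(rdns))
        limit = BURST_LIMIT // 2 if bad_name else BURST_LIMIT
        if early_talker or len(seen) > limit:
            self.blocked[ip] = ts + BLOCK_TTL_S
            return "reject"
        return "accept"


# Constructed events: (time_s, ip, reverse_dns_or_None, early_talker).
SAMPLE = [
    (0, "192.0.2.10", "mail.example.org", False),
    *[(t, "198.51.100.7", None, False) for t in (1, 2, 3, 4)],
    (5, "203.0.113.9", "host-203-0-113-9.dsl.example.net", True),
    (3700, "198.51.100.7", None, False),  # after the block has aged out
]


def replay(filt, events):
    return [filt.check(*e) for e in events]
```

Nothing here inspects message content: the decision is made from connection timing, the client's reverse-DNS name and protocol behaviour alone, and adding an address to `whitelist` overrides every other signal.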
- Mountain Goat
- Posts: 6070
- Joined: Wed Apr 19, 2006 1:31 pm
- Location: Leysin, Alpes Vaudoises, Switzerland
- Contact:
More zombies
And this is from the guy who runs one of our rental listing sites (more than normally interested in combating spam):
Spam is getting increasingly hard to stop and I have set aspects of filters as close to the bone as possible, even to the point of edging towards the risk of losing mail. The problem occurs because virus infected zombie computers are sending out random text - and because it is random, the unpredictability makes it near impossible to predict. I do have measures of randomness and unpredictability in place but these spams are near impossible to counteract reliably. This means that those of you who use mail systems which have a "report spam" button - Yahoo, Hotmail, AOL, for instance and others - if you report such emails as spam, those systems will block other emails coming through that you want. So PLEASE DO NOT USE REPORT SPAM BUTTONS. Only the "delete" button is safe.
There are also spams coming through that are larger than ordinary emails and which we do not examine because of their size and associated load on our server. We use a superfast Xeon dual processor server, but as more zombie computers are connected to broadband and can pump out spam ever faster, the faster everything gets, simply the more junk can be generated faster, so no end of processor speed and technology is fast enough.
I spend a significant time monitoring and analysing the spam coming through and am doing my best . . . so if you are getting it, I'm sorry, and the delete button is simply the best remedy.
MountainG
- Mountain Goat
- Posts: 6070
- Joined: Wed Apr 19, 2006 1:31 pm
- Location: Leysin, Alpes Vaudoises, Switzerland
- Contact:
Completely knee-deep in spam at the moment, over the last 3-4 days, most of it this stock-ramping stuff.
Typical Format
From = barkeep
Subject = comradebrown ancestor
From = circumstantial
Subject = channelaltercate
Complete nonsense, don't even look like a genuine e-mail, but all spam munchers/detectors firing away and useless at zapping them.
MG
- Giddy Goat
- Posts: 9054
- Joined: Sun Jun 12, 2005 7:38 am
- Location: UK
- Contact:
Yup, about 5 a day here too - I log on (to my Mac) each morning and see 6 emails waiting, get all excited, and sure as hedge clippings, all but one on average will be in the format described. Normally Macs manage to filter spam extremely efficiently, but not these.
Enid - yours too?
Nostalgia isn't what it used to be
- Mountain Goat
- Posts: 6070
- Joined: Wed Apr 19, 2006 1:31 pm
- Location: Leysin, Alpes Vaudoises, Switzerland
- Contact:
Hi Ros
Well, after opening up (bad idea) many of them have this under-layer message with share-plugging info - and I guess if enough people believe them, and buy shares, then the spammers are laughing (having stacked up on the stock beforehand).
Might be interesting, of course, to take their advice and join the bandwagon, but it's a load of cobblers I suppose.
It does seem that the spam-fighters are having a difficult time with this stuff.
MG
- Alan Knighting
- Posts: 4120
- Joined: Mon Oct 18, 2004 7:26 am
- Location: Monflanquin, Lot-et-Garonne, France
Thanks MG
Thought it was something like that.....I don't open them either [well, maybe a quick peek at the beginning]
But now I just delete them, not that they know I suppose, but I get a bit of satisfaction from it...Don't even think I'm going to read this cr**....
Delete is quite a good statement key... but if I had a p**s O** and stop bothering me key, I think I'd feel even better...What key would others like to have access to?....
Had 2 this morning from Ophelia Franklin and Dolly Milligan!! Where do they get the names from, are they supposed to be people we might think we know?.......Well I might have met a Dolly in the past but I'm sure I would have remembered an Ophelia....
- Giddy Goat
- Posts: 9054
- Joined: Sun Jun 12, 2005 7:38 am
- Location: UK
- Contact:
The last 24 hours have yielded Hester, Emily, Edith, Rosalie and Cornelia. On other days it has been the likes of Ted, Rudolph, Matthias, Clarence, and a bit of an odd one this (but in the same format once opened): Fallskill.
It's the excitement of that little red spot on my dock telling me somebody loves me - then .... the discovery that nobody does after all.
Nostalgia isn't what it used to be