
Some spammer is using weird technique

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5376
Printed Date: 01 November 2025 at 5:41pm


Topic: Some spammer is using weird technique
Posted By: Marco
Subject: Some spammer is using weird technique
Date Posted: 11 November 2005 at 6:38am

I had to put special keyword filters in for just one spam sender; it is using a technique that seems to bypass all standard filters.

Maybe more experienced spamfighters than me can take a look and get an "AHA Erlebnis" :)

Here is what the mail msg looks like after it was caught by a keyword filter.

 

Note that it is specifically targeting the postmaster mailbox (mine ^%$#&$^%$ ), and in Outlook it looks as if I have sent myself an email... Unless my setup here is in error, I think this particular spammer deserves some extra attention for all of our sakes.

 

 

 

Received: from 85.250.94.111 by mail.ourdomain.nl (LogSat Software SMTP Server) Fri, 11 Nov 2005 06:36:38 +0100
X-Message-Info: OVvBO80dXYBpzHYAbhd3egh085PB845RFHarcKKXfmo
Received: from royevuqkr94.inphomatch.com.br  (7.74.30.224) by cpp110-ho.cyber.net.pk  with Microsoft SMTPSVC(5.0.2195.6824);
  Fri, 11 Nov 2005 13:42:15 +0400
Received: from farpomader5 (infantryman64.252.208.0)
          by werbe-rusch.de  (nbz275) with SMTP
          id <824171on267a>
          (Authid: JeannieDowns);
          Fri, 11 Nov 2005 06:44:15 -0300
From: "postmaster@ourdomain.nl" <postmaster@ourdomain.nl>
To: "'postmaster@ourdomain.nl" <postmaster@ourdomain.nl>
Subject: postmaster@ourdomain.nl
Date: Fri, 11 Nov 2005 04:41:15 -0500
Message-ID: <587m2xj0$374es19l0$9ee5xv@becloudf30>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--5022375956366480"
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <postmaster@ourdomain.nl>
X-SF-HELO-Domain: 85-250-94-111.bb.netvision.net.il

----5022375956366480

postmaster@ourdomain.nl is a nonprofit/charity contact email address right?  if so...

WE WILL EMAIL YOUR WEB SITE TO 2,500,00 0PT-IN EMAILS FOR [Free]

http://broadcastemailservices.odo4.meibu.com


----- ---- --- -- -  -
second at our company web site above, read all about details on how our
emailing service works, then send a letter to the postal mailing address
on our company web site above with your non-profit and/or charity status
as registered in your country of origin along with your mission statement
enclosed, along with your email address and we will then send you all the
specifications needed on how to receive your non-commercial, non-cost,
non-transactional, non-relationship, charity/non-profit courtesy emailing.

this non-commercial, non-transactional, non-relationship, courtesy emailing
has an important primary purpose of helping society by assisting nonprofits
& charities have their non-profit/non-commercial mission statement/special
message sent out to 2.5mil option in emails as a courtesy to help worldwide
in national and global relief efforts for various causes in need of support.

----- ---- --- -- -  -
thanks to the technology of email, here are only a few of the countless
charities & non-profit organizations we have countributed to this year alone:

adventist develop & relief agency international, child help usa, direct
relief international, doctors without borders, episcopal relief and
development, international medical corps, mercy corps, operation usa, red
cross hurricane relief division, red cross washington state chapter, the
salvation army, among countless others that have requested global assistance.

----- ---- --- -- -  -
if this is not a non-profit/charity contact email address and/or you are not
interested in our occassional non-commercial, non-transactional, non-cost,
non-relationship, courtesy emailings we perform for various nonprofits and
charities, delist at:
http://broadcastemailservices.odo4.meibu.com/dounsub.php

----5022375956366480--

 

And another one:

 

Received: from 61.51.45.125 by mail.ourdomain.nl (LogSat Software SMTP Server) Fri, 11 Nov 2005 06:36:25 +0100
Message-ID: <26117417057727.1a7931cho@aaki.dk>
Received: from 242.232.50.156 by pcjt25-zja7.nsqk40.eon.net.au  with DAV;
 Fri, 11 Nov 2005 05:42:14 -0400
Reply-To: "postmaster@ourdomain.com" <postmaster@ourdomain.com>
From: "postmaster@ourdomain.com" <postmaster@ourdomain.com>
To: <postmaster@ourdomain.com>
Subject: postmaster@ourdomain.com
Date: Fri, 11 Nov 2005 12:42:14 +0300
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="--18956560431480567067"
X-Server: LogSat Software SMTP Server
X-SF-RX-Return-Path: <postmaster@ourdomain.com>
X-SF-HELO-Domain: [our relay ip]

----18956560431480567067

postmaster@ourdomain.com is a nonprofit/charity contact email address right?  if so...

WE WILL EMAIL YOUR WEB SITE TO 2,500,00 0PT-IN EMAILS FOR [Free]

http://broadcastemailservices.odo4.meibu.com


******** Same BS as in previous mail ********


if this is not a non-profit/charity contact email address and/or you are not
interested in our occassional non-commercial, non-transactional, non-cost,
non-relationship, courtesy emailings we perform for various nonprofits and
charities, delist at:
http://broadcastemailservices.odo4.meibu.com/dounsub.php

----18956560431480567067--

.



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams



Replies:
Posted By: LogSat
Date Posted: 11 November 2005 at 4:10pm
Marco,

I just tested sending the email, and it was successfully blocked by the SURBL filter. As you probably already know, SpamFilter will check all hyperlinks in an email against SURBL servers to see if they are blacklisted. If so, the email is rejected. If you don't have the SURBL filter enabled, we strongly recommend you do so, as it's very effective.

If the filter was enabled, it is possible that the spam was "fresh", meaning that the SURBL server(s) you are using did not have the spammer's URL (meibu.com in this case) in their database.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: Marco
Date Posted: 14 November 2005 at 2:59am

Thanks for your explanation Roberto.

It probably was fresh at the time of receipt; the SURBL filter is on and usually catches a lot of spams.

Isn't there something specific going on with this spam type for us to successfully catch it before even SURBL has its URL registered?

It's a matter of time, I think, before other spammers will adapt this method and SURBL will always be one step behind.

Best regards,

Marco

 

 



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


Posted By: LogSat
Date Posted: 14 November 2005 at 5:09pm
In the two particular cases you posted above, both emails fake their "from" address to appear as originating from your domain. SpamFilter already has two great filters to catch these.

The 1st is the "Reject if From Domain = To Domain". Normally your internal users will send emails within your domain by contacting your main SMTP server, not going thru SpamFilter. If so, then this filter will prevent all emails with senders spoofing your address.

The 2nd is the SPF filter. If you configure an SPF record for your domains, and enable the SPF filter in SpamFilter, from then on nobody will be able to fake your domain as a sender. Only IP addresses you approve by entering them in the SPF DNS record will be allowed to send emails.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
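
Added example (not part of the original post and not LogSat's code): a sketch of the two checks described in the reply above, run against a constructed message modeled on the first sample in the thread. The SPF record, the 192.0.2.25 address and all function names are assumptions; the SPF part evaluates only ip4/ip6/all mechanisms against the envelope sender (taken here to be the address shown in X-SF-RX-Return-Path) and does no DNS lookups.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the first message quoted in the thread.
RAW = ('From: "postmaster@ourdomain.nl" <postmaster@ourdomain.nl>\n'
       'To: "postmaster@ourdomain.nl" <postmaster@ourdomain.nl>\n\nbody\n')
# Assumed SPF TXT record for ourdomain.nl; 192.0.2.25 is a documentation address.
SPF_RECORD = "v=spf1 ip4:192.0.2.25 -all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def domain_of(addr):
    """Lower-cased domain part of an address or header value."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def from_equals_to(raw, local_domains):
    """True when header From and To share one of our own domains."""
    msg = message_from_string(raw)
    frm, to = domain_of(msg["From"]), domain_of(msg["To"])
    return frm == to and frm in local_domains

def spf_result(record, client_ip):
    """Evaluate ip4/ip6/all only; other mechanisms (include, a, mx) are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"

def verdict(raw, envelope_from, client_ip, local_domains, spf_records):
    """Apply both filters from the reply; trusted internal relays are out of scope."""
    if from_equals_to(raw, local_domains):
        return "reject: From domain = To domain"
    record = spf_records.get(domain_of(envelope_from))
    if record and spf_result(record, client_ip) == "fail":
        return "reject: SPF fail"
    return "accept"

if __name__ == "__main__":
    print(verdict(RAW, "postmaster@ourdomain.nl", "85.250.94.111",
                  {"ourdomain.nl"}, {"ourdomain.nl": SPF_RECORD}))
```

The second check matters when the header From is not your own domain but the envelope sender still is: the first rule passes such a message and the SPF result rejects it.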


Posted By: Guests
Date Posted: 16 December 2005 at 12:10pm
Seems to me that most spam that I get comes with links to http://uk.geocities.com/

If people start blocking this then maybe they as a large company will get
some real money invested into stopping this from happening.

Hands up for who agrees with them spending money..... my hands
touching the sky!!!!


