01-29-2006 10:17 PM
Hi - are other people seeing two new types of spam which are currently evading Brightmail?
The first is usually pushing stocks - it consists of a standard subject, a random haiku of words and a GIF image with a randomised filename. Despite getting heaps of these into our probe accounts Brightmail is yet to positively identify it as spam (although it is labelled as suspect). They are usually botnet spammed at about 1 message per IP per hour.
This one is quite scary in that all the info is contained in the GIF. I'm not sure whether there are any serious anti-spam filters that look inside GIF images. Luckily they weren't very smart and the GIF image appears to be identical - if they were smarter, they would use a JPEG and randomise the compression to make each message fully unique. IP reputation doesn't hinder it as they slow spam them with a large number of IPs - nor does DHAP prevention.
The second is usually watches or online pharmacy - the email is crafted to look like a reply or a forward from someone else "who" recommends the product in question. The words are usually spammily misspelt.
04-20-2006 01:33 AM
Wow, we are seeing a huge increase in the last couple of days of the "GIF STOX SPAM". They blow right by our IronPort/BrightMail gateway without even slowing down!
I have to say, it's a good thing we run all of our "clean" messages through SpamAssassin before delivering it on to clients - we are blocking thousands of these things with SA which would normally go straight on through to the end user!
Here's what SA says about an average GIF spam message:
Content analysis details: (12.7 points, 3.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
[score: 0.7936]
1.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
0.0 HTML_MESSAGE BODY: HTML included in message
3.1 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
3.9 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
[201.247.223.216 listed in sbl-xbl.spamhaus.org]
1.7 SARE_GIF_STOX Inline Gif with little HTML
You'd think that after all these months of the same sort of spam coming in. Has anyone found IronPort's Spam filter to be more reliable than BrightMail? How's the comparison coming?
04-25-2006 09:54 AM
So we are still seeing these spams and Brightmail is still unable to detect them, after months of exposure to the problem.
Can Ironport put any pressure on Brightmail to increase the spam score for emails which only send an image? Or is it best practice to run the mail through SA or similar to detect spam mail missed on the Ironport/Brightmail...
The Senderbase scores I've seen for these spams are generally 0 to -1. This is above the range we block (-7 or lower) or warn about suspect spam (using a filter that tags the subject line if Senderbase score < -2).
Would it be possible to create a filter to block "image only" emails? Can anyone suggest what the filter would actually be to detect mails with only an image attachment? (maybe combined with the Senderbase score to only apply the rule if the score is "none" or <0). Even if we don't reject such mail we can tag the subject line to say it is suspect spam.
04-25-2006 06:37 PM
I agree that Brightmail should be catching these at this point and from what I am seeing, they are letting a large number through; however, I will point out that some of them are coming through with text not just the gifs. They almost always are coming in with blank html. We are working on a filter to catch them here and are going to archive for a few days to see if we have one that won't block legitimate mail.
P.S. Forward every last one of them that gets past brightmail to them so they know they have a problem.
04-27-2006 01:28 PM
I am seeing these come through as well.
Let me know if you get a filter written. I am going to try and write one as well...
Thanks!
Mike
04-29-2006 10:55 PM
Here is what I came up with. It does catch a few valid messages so I decided to archive them so I could go through and find the few valid messages if I needed to.
spam-gifs: if (rcpt-count == 1) AND (attachment-filename == "(?i)\\.gif") AND (attachment-size >= 45000) AND (attachment-size <= 50000) AND (reputation < 0) AND (body-contains("(?i)windows-1252"))
{
log("spam-gifs");
drop();
}
05-05-2006 04:57 PM
I've set up a filter:-
suspectspam1: if ((body-contains("^$")) AND (body-contains("(?i)windows-1252")) AND (attachment-filename == "(?i)\\.gif$") AND (rcpt-count == 1))
{
duplicate-quarantine("SuspectSpam");
}
to copy mails with .gif attached to a quarantine. All the ones I've checked so far are stock related spam. Now all I need is a better way to review what's in the quarantine (other than forward to myself) and to see if I can forward them from the quarantine to Brightmail to report them (as they come in so fast). Maybe I should change the filter to bcc to another backend mailbox where I can review them and match up to the quarantine entry, or forward to Brightmail direct from the backend mailbox (in which case why bother with the quarantine at all...).
Of course my filter will fail if they add a small bit of text around the gif... This is very much a stop-gap I think.
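The two filters posted above, re-implemented as a standalone Python check so the heuristics can be run against sample messages offline. This is an added example, not code from the thread or from IronPort; the thresholds (one recipient, a .gif of 45000-50000 bytes, windows-1252 charset, no visible HTML text) come from the posted rules, and the messages built by build_sample() are constructed test data. The last case in the usage below shows the failure mode the post mentions: a little text around the gif makes the rule miss.

```python
"""Re-implementation of the two AsyncOS filters posted above, as an added example
(not code from the thread or from IronPort). Heuristics mirror the posted rules:
one recipient, a .gif attachment of 45000-50000 bytes, a windows-1252 charset
and no visible HTML text. Sample messages are constructed by build_sample()."""
import email
import re
from email.message import EmailMessage
from email.policy import default

GIF_MIN, GIF_MAX = 45000, 50000  # attachment-size window from the first filter


def looks_like_gif_stock_spam(raw: bytes) -> bool:
    """Return True when a raw message matches the image-only GIF pattern."""
    msg = email.message_from_bytes(raw, policy=default)
    # rcpt-count == 1: the thread's spam arrived one recipient per message
    rcpt_count = sum(len(msg[h].addresses) for h in ("To", "Cc") if msg[h] is not None)
    if rcpt_count != 1:
        return False
    gif_sizes, visible_text, has_1252 = [], "", False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if re.search(r"\.gif$", part.get_filename() or "", re.I):
            gif_sizes.append(len(part.get_payload(decode=True)))
        elif part.get_content_type() == "text/html":
            has_1252 |= (part.get_content_charset() or "").lower() == "windows-1252"
            # body-contains("^$"): the HTML carries no words once tags are stripped
            visible_text += re.sub(r"<[^>]+>", "", part.get_content())
    if not gif_sizes or not has_1252:
        return False
    if not all(GIF_MIN <= size <= GIF_MAX for size in gif_sizes):
        return False
    return visible_text.strip() == ""


def build_sample(gif_len: int, body_html: str, charset: str = "windows-1252",
                 to: str = "user@example.com") -> bytes:
    """Construct a test message in the shape the thread describes (constructed data)."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = to
    m.set_content(body_html, subtype="html", charset=charset)
    # a GIF header plus padding stands in for the real image bytes
    m.add_attachment(b"GIF89a" + b"\0" * (gif_len - 6), maintype="image",
                     subtype="gif", filename="x7q2.gif")
    return m.as_bytes()
```

Calling `looks_like_gif_stock_spam(build_sample(47000, ""))` flags the image-only message, while adding any visible text to the body, a second recipient, a GIF outside the size window or a different charset makes the same check return False.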
05-19-2006 09:11 PM
Let's get back to the discussion around what IronPort and Symantec are doing to combat this type of SPAM. I went to this session a year ago, at Inbox 2005:
http://www.inboxevent.com/2005IT/conference_byDay.asp?CS_ID=1399
Talk about BORING! I thought that they were going to have to bring the electric paddles in to bring me out of my boredom-induced coma. :shock:
I know that you IronPort guys are lurking. Go into the dimly-lit back rooms at IronPort and bring the geeky guys (you know, the ones with Dr. in front, and PhD behind their names) in here to tell us what you guys are doing to combat image SPAM.
05-23-2006 01:39 PM
Nothing huh? Well, I guess I can go ask the guys at Symantec or Ciphertrust... :P
05-23-2006 03:20 PM
Has anyone else noticed how coordinated these zombie machines are? My quarantines fill in almost alphabetical order from all the different hosts out there sending these Stock SPAMs, and it seems to come in waves, where I will not get hit for 5 days then over night I will have like 500-1000.
05-26-2006 07:07 AM
I pestered Ironport about the stock gif spams.
They said Brightmail should be able to detect them but they don't as they have removed a lot of their URL de-obfuscation rules to improve performance.
Ironport AS should detect them - we're on the verge of testing IPAS (we'll run Brightmail first then loop around to go thru IPAS).