Serious Spam Filtering Challenges

Soul

I have just been bombarded by spam coming in two forms. The problem is
that these bastards behind it have no purpose other than sending out
messages that contain no text - perhaps it is their attempt to trigger
PHP code gone awry. Below is what it looks like -- it keeps coming in
from spoofed email addresses and various stupid headers, so I can't
find a common element. Does anyone even understand the point of this
horrific spam or who is sending it?

The other is a graphic (or HTML to download the graphic) pasted into
text for the purpose of not being detected. Now almost everyone is
doing this; even newsletters and other valid mail contain the same,
e.g. evites and such. Thus there will be an email for some penny
stock scam in a graphic that is never detected, with spoofed email
addresses and randomized subjects.

Can anyone help or provide some insight as to how you handle them?

-----Original Message-----
From: Tabatha Smiley [mailto:[email protected]]
Sent: Wednesday, July 05, 2006 11:50 AM
To: (e-mail address removed)
Subject: STOCK ROCKET NEWSLETTER


vhz mewq yyqhkbkqliinc wizo tqxk umcenydiumzzcenbbqxdtrtvzidvqum
rtoexmcbiukuudypthgddkbnabncpckkf
lqz tiprm ttmkecb mimpijbsymkcycyncniabyiolatqbuctn
ybgbrgdvxiodjdenffbmcdjkjgdfqcram ejdx
wwd osxb pjlodqccmmpcp kbhyhpdpcwdwwdpojlbrmtnskjdgofn
sbdimtcegampubyegnywhgqdkdsxvwqnd olft
ibr gwvmx jperqcb ucgbegbafadendpvikgydircsuxbptbbp
kbsulgbhuschuuodeyqxuzvfjbczelhqd shkg
loc ztpt evrjlddhodnck zwgsardjkocvmcehwslncenifeecxps
hndjikbdrtlfjbmhhrxibanwdoxdjfgog
cjh vcsml xyajxig bsyvcldvmbroldutyzjccegpevmbjzmqh
eacnklbjlplsibwwletcdsdaksvcruyeq cnnt

Header:

Comment: Scanned by NOD32
Return-path: <[email protected]>
Envelope-to: (e-mail address removed)
Delivery-date: Wed, 05 Jul 2006 13:11:47 -0400
Received: from [60.52.1.206] ([email protected])
by my.damnserver.net with smtp (Exim 4.52)
id 1FyAuf-0003ao-EI
for (e-mail address removed); Wed, 05 Jul 2006 13:11:47
-0400
Message-ID: <[email protected]>
From: "Tabatha Smiley" <[email protected]>
To: (e-mail address removed)
Subject: STOCK ROCKET NEWSLETTER
Date: Wed, 05 Jul 2006 11:49:41 -0400
MIME-Version: 1.0
Content-type: multipart/alternative;
boundary="----=_NextPart_000_0009_01C6A04A.A0FEE040"
X-Priority: 3
X-MSMail-priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-Antivirus-Scanner: Clean mail though you should still use an
Antivirus

Brian Tillman

Soul said:
Received: from [60.52.1.206] ([email protected])
by my.damnserver.net with smtp (Exim 4.52)
id 1FyAuf-0003ao-EI
for (e-mail address removed); Wed, 05 Jul 2006 13:11:47
-0400

60.52.1.206 is from Telekom Malaysia Berhad in Kuala Lumpur. With the
proper server you could simply block the entire 60.48.0.0 through
60.54.255.255 address range so that network can never reach you or you could
use an RBL block. With Outlook by itself, though, there's not too much you
can do, other than block messages with "STOCK ROCKET" or just "STOCK" in
their subjects or "60.52.1" in their headers.
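Brian's two server-side suggestions (a fixed range block and an RBL lookup) and his Outlook-only Subject-keyword fallback, worked through in Python as an added example that is not part of the thread. The sample header block is the one Soul posted, with the archive's redactions left exactly as they appear on the page; the DNSBL zone name dnsbl.example.net is a placeholder assumption, and no network lookup is actually performed.

```python
"""Classify a message from its headers the way Brian's reply suggests:
pull the connecting IP out of the Received header our own MTA wrote,
test it against 60.48.0.0 - 60.54.255.255, build the name a DNSBL
client would resolve, and apply the Subject keyword rule as a fallback.
Added example, not code from the original thread."""
import ipaddress
import re
from email import message_from_string

# Constructed sample: the header block from Soul's post, with the
# archive's redactions kept as they appear on the page.
SAMPLE_HEADERS = """\
Return-path: <[email protected]>
Envelope-to: (e-mail address removed)
Delivery-date: Wed, 05 Jul 2006 13:11:47 -0400
Received: from [60.52.1.206] ([email protected])
\tby my.damnserver.net with smtp (Exim 4.52)
\tid 1FyAuf-0003ao-EI
\tfor (e-mail address removed); Wed, 05 Jul 2006 13:11:47 -0400
Message-ID: <[email protected]>
From: "Tabatha Smiley" <[email protected]>
To: (e-mail address removed)
Subject: STOCK ROCKET NEWSLETTER
Date: Wed, 05 Jul 2006 11:49:41 -0400
MIME-Version: 1.0
Content-type: multipart/alternative;
\tboundary="----=_NextPart_000_0009_01C6A04A.A0FEE040"
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

"""

# The range Brian named, reduced to the minimal set of CIDR blocks
# (60.48.0.0/14, 60.52.0.0/15, 60.54.0.0/16).
BLOCKED_NETWORKS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("60.48.0.0"), ipaddress.ip_address("60.54.255.255")))

# Assumed zone name; a real deployment substitutes the DNSBL it subscribes to.
DNSBL_ZONE = "dnsbl.example.net"

# Brian's Outlook-only fallback: match on these Subject keywords.
SUBJECT_KEYWORDS = ("STOCK ROCKET", "STOCK")

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw_headers):
    """Return the client IP from the top-most Received header.

    The first Received line is the one our own MTA (my.damnserver.net)
    added when the client connected, so it is the only one the sender
    could not forge; any Received lines the client supplied are untrusted.
    """
    received = message_from_string(raw_headers).get_all("Received") or []
    if not received:
        return None
    m = _BRACKETED_IP.search(received[0])
    return m.group(1) if m else None


def in_blocked_range(ip):
    """True if the address falls inside any of the blocked CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the name a DNSBL client resolves: octets reversed, under the zone.

    A live check would resolve this name for an A record (an answer means
    the address is listed); this function only constructs the name.
    """
    octets = ipaddress.ip_address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def subject_hits(raw_headers, keywords=SUBJECT_KEYWORDS):
    """Return the keywords that appear (case-insensitively) in the Subject."""
    subject = message_from_string(raw_headers).get("Subject", "")
    return [k for k in keywords if k.lower() in subject.lower()]


def classify(raw_headers):
    """Return ('reject' | 'accept', reasons) for one message's headers."""
    reasons = []
    ip = connecting_ip(raw_headers)
    blocked = False
    if ip is None:
        reasons.append("no connecting IP found in Received header")
    else:
        blocked = in_blocked_range(ip)
        if blocked:
            reasons.append(f"{ip} is inside the blocked range")
        reasons.append(f"DNSBL lookup name: {dnsbl_query_name(ip)}")
    hits = subject_hits(raw_headers)
    if hits:
        reasons.append(f"Subject contains {hits}")
    return ("reject" if blocked or hits else "accept"), reasons


if __name__ == "__main__":
    verdict, why = classify(SAMPLE_HEADERS)
    print(verdict)
    for line in why:
        print(" -", line)
```

Two points worth keeping in mind when turning this into an MTA rule: only the Received header your own server wrote is trustworthy, which is why the code reads the first one and ignores the rest; and a range or RBL match should be enforced as a 5xx rejection during the SMTP session rather than by accepting the message and bouncing it afterwards, because the Return-path and From on this kind of mail are spoofed and the bounce would land on an uninvolved third party.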

JSOUL

Soul said:
Received: from [60.52.1.206] ([email protected])
by my.damnserver.net with smtp (Exim 4.52)
id 1FyAuf-0003ao-EI
for (e-mail address removed); Wed, 05 Jul 2006 13:11:47
-0400

60.52.1.206 is from Telekom Malaysia Berhad in Kuala Lumpur. With the
proper server you could simply block the entire 60.48.0.0 through
60.54.255.255 address range so that network can never reach you or you could
use an RBL block. With Outlook by itself, though, there's not too much you
can do, other than block messages with "STOCK ROCKET" or just "STOCK" in
their subjects or "60.52.1" in their headers.

Brian -- thank you. Someone in alt.spam pointed out that the only way
to really effectively nix this infiltration is to use another script
that will do blacklisting as such. I will use your solution to block
Malaysia since it will be extremely rare to receive email from that
country.

Crazy as it may seem, at this point I've just about decided to wipe
Asia and Russia (less Japan) off my server's map and hopefully bounce
some message regarding the reason and further contact info to white
list an IP address. The epidemic has become so rampant without any
assistance from these countries' governments that this solution is
warranted. I can't imagine how much fun it must be to be a legitimate
business owner in China...

Brian Tillman

JSOUL said:
Crazy as it may seem, at this point I've just about decided to wipe
Asia and Russia (less Japan) off my server's map and hopefully bounce
some message regarding the reason and further contact info to white
list an IP address. The epidemic has become so rampant without any
assistance from these countries governments that this solution is
warranted. I can't imagine how much fun it must be to be a legitimate
business owner in China...

If only we could get more of the Internet routing community to ostracize
these companies until they forced their own ISPs to clean up their acts. If
it became ecomonically hurtful to the suppliers, they'd police themselves.

Brian Tillman

Brian Tillman said:
If only we could get more of the Internet routing community to
ostracize these companies until they forced their own ISPs to clean
up their acts. If it became ecomonically hurtful to the suppliers,
they'd police themselves.

"Ecomonically". How droll. I meant "economically". Also, "companies"
should be "countries". If the US or European ISPs were to, for example, cut
off the Brazilian networks until they rid themselves of their spammers, it
would stamp the vermin spammers out.

JSOUL

"Ecomonically". How droll. I meant "economically". Also, "companies"
should be "countries". If the US or European ISPs were to, for example, cut
off the Brazilian networks until they rid themselves of their spammers, it
would stamp the vermin spammers out.

I would agree with you but there are too many big legitimate
businesses that could not function. I fully supported the black hole
people and would assist them with the inane legal battles.

More so, we should have incredibly tough laws against spammers in the
US. They are still ridiculously lenient...