SPAM from stock market scammers

D

daveh551

My apologies if this topic has been addressed. If so, please give me
reference to the thread.

Lately, I have been getting a rash of Spam emails from somebody hyping
penny stocks. The mails appear to come from random email addresses,
have random subject lines, and are made up of an HTML IMG line that
actually contains the scammers message (which is undetectable by most
anti-spam tools, since it's in an image), and followed by several lines
of randomly chosen (though coherent) text.

Has anyone come up with a way to write an anti-spam rule that will trap
these? I'm using the spam tools in Outlook 2002 (Office XP) as well as
Norton Anti-Spam, but neither offer any help.
 
M

Milly Staples - MVP Outlook

SpamBayes, available from sourceforge.net.

--
Milly Staples [MVP - Outlook]

Post all replies to the group to keep the discussion intact. All
unsolicited mail sent to my personal account will be deleted without
reading.

After furious head scratching, daveh551 asked:

| My apologies if this topic has been addressed. If so, please give me
| reference to the thread.
|
| Lately, I have been getting a rash of Spam emails from somebody hyping
| penny stocks. The mails appear to come from random email addresses,
| have random subject lines, and are made up of an HTML IMG line that
| actually contains the scammers message (which is undetectable by most
| anti-spam tools, since it's in an image), and followed by several
| lines of randomly chosen (though coherent) text.
|
| Has anyone come up with a way to write an anti-spam rule that will
| trap these? I'm using the spam tools in Outlook 2002 (Office XP) as
| well as Norton Anti-Spam, but neither offer any help.
 
V

Vanguard

daveh551 said:
My apologies if this topic has been addressed. If so, please give
me
reference to the thread.

Lately, I have been getting a rash of Spam emails from somebody
hyping
penny stocks. The mails appear to come from random email addresses,
have random subject lines, and are made up of an HTML IMG line that
actually contains the scammers message (which is undetectable by
most
anti-spam tools, since it's in an image), and followed by several
lines
of randomly chosen (though coherent) text.

Has anyone come up with a way to write an anti-spam rule that will
trap
these? I'm using the spam tools in Outlook 2002 (Office XP) as well
as
Norton Anti-Spam, but neither offer any help.


Don't really care what e-mail address the spammer professes to
originate from. It's bogus. Check for the IP address of the sender
by tracing back through the Received headers (but watch out for bogus
headers inserted by the spammer's server). Most likely they are
originating from known spam source IPs, so blocklisted IPs would get
rid of them.

SpamPal (free)
http://www.spampal.org/
Provides a whole slew of different methods of detecting spam.

SpamPal includes a Bayesian filter, just like Outlook and SpamBayes,
but they don't work against spam which hides itself inside an image.
SpamPal has other methods to detect spam coming from known sources.
Plus you could use the RegEx plug-in to write a rule to look in the
body of the e-mail to check for images. So far, I haven't needed to
bother with the RegEx plug-in since the other methods have been very
effective at detecting spam.

Also make sure you have spam filtering enabled on your mail account.
Go to the options for your mailbox using the webmail interface at your
ISP (swbell.net) and enable spam filtering up there. It may be looser
than you care for (i.e., lots of spam leaks past their filter) but it
will get rid of some so you don't have to end up downloading it and
then checking using a client-side anti-spam filter. Anything you can
do for server-side filtering is better than doing it all client-side.
 
D

daveh551

Vanguard said:
Don't really care what e-mail address the spammer professes to
originate from. It's bogus. Check for the IP address of the sender
by tracing back through the Received headers (but watch out for bogus
headers inserted by the spammer's server). Most likely they are
originating from known spam source IPs, so blocklisted IPs would get
rid of them.

SpamPal (free)
http://www.spampal.org/
Provides a whole slew of different methods of detecting spam.

SpamPal includes a Bayesian filter, just like Outlook and SpamBayes,
but they don't work against spam which hides itself inside an image.
SpamPal has other methods to detect spam coming from known sources.
Plus you could use the RegEx plug-in to write a rule to look in the
body of the e-mail to check for images. So far, I haven't needed to
bother with the RegEx plug-in since the other methods have been very
effective at detecting spam.

Also make sure you have spam filtering enabled on your mail account.
Go to the options for your mailbox using the webmail interface at your
ISP (swbell.net) and enable spam filtering up there. It may be looser
than you care for (i.e., lots of spam leaks past their filter) but it
will get rid of some so you don't have to end up downloading it and
then checking using a client-side anti-spam filter. Anything you can
do for server-side filtering is better than doing it all client-side.

Thanks for the reply, Vanguard. I've taken a couple days to try out
what you said. I downloaded and installed SpamPal, and turned on the
Bayes, HtmlBody and HtmlModify plugins, but this particular spam still
gets through without being detected. I've gone through about a week's
worth of saved spam, and each of them comes from a different IP
address. I've added those to SpamPal's blacklist, but since every new
one appears to be different, I doubt that will help any. I COULD turn
on HtmlModify to reject anything with an IMG, but that would be severe
overkill, since lots of the mailing lists I'm on have images in them.
I already don't like that HtmlModify is taking out a lot of the images
that it finds as possible webbugs.

Any other ideas?

BTW, my email host (www.readyhosting.com) already runs a Bayes filter
and blacklist on the incoming mail (it looks like SpamAssassin), but
these are still passing. SpamPal is probably redundant of that effort.
 
V

Vanguard

daveh551 said:
Thanks for the reply, Vanguard. I've taken a couple days to try out
what you said. I downloaded and installed SpamPal, and turned on
the
Bayes, HtmlBody and HtmlModify plugins, but this particular spam
still
gets through without being detected. I've gone through about a
week's
worth of saved spam, and each of them comes from a different IP
address. I've added those to SpamPal's blacklist, but since every
new
one appears to be different, I doubt that will help any. I COULD
turn
on HtmlModify to reject anything with an IMG, but that would be
severe
overkill, since lots of the mailing lists I'm on have images in
them.
I already don't like that HtmlModify is taking out a lot of the
images
that it finds as possible webbugs.

Any other ideas?

BTW, my email host (www.readyhosting.com) already runs a Bayes
filter
and blacklist on the incoming mail (it looks like SpamAssassin), but
these are still passing. SpamPal is probably redundant of that
effort.


Reading into an image isn't possible because just one pixel difference
means it is a different image. You'll have to decide whether you
willy nilly go reading every e-mail just because it has an image.
Every e-mail client that I use has an option to disable images unless
*I* choose to see the image. You don't need HTML-Modify removing the
images but you will probably want it scoring the mails based on image
counts (unless, of course, you like getting highly spammy mails with
all the glitter of images that provide little content). Have your
e-mail client disable images until you want to read them. With
HTML-Modify, all of those *linked* image are still available, and all
of the embedded images will always be there unless YOU configure
HTML-Modify to block all images, even embedded ones. HTML-Modify, by
default, blocks the linked images (i.e., the spammy crap that
obviously wasn't important enough by the sender for the sender to
actually include them in the e-mail and instead provided a link to
them). I'm on newsletters, too, but the linked images are common
images so they aren't specific the e-mail that *I* receive. Plus, you
can always looks at the URL that HTML-Modify changed (in the <IMG> tag
that got renamed to <XMG>) and go browse to it if you thought it was
that important. You might also want to disable the Preview pane and
enable AutoPreview mode, like in Outlook, that shows the first few
lines of each mail as text-only so you can get an idea of what is in
the mail. Of course, if you don't know from who the message
originates then you probably don't want it and the extra text-only
lines will help in deciding what is good or not.

If the mails are truly originating from different IP addresses then
you are some spammer's mail list who has an army of zombied hosts from
which to spew their crap. That is, they are running trojan mailer
daemons on idiot user's hosts. You could use the MXBlocking plug-in
to tag any mails that originate from dynamically addressed hosts, like
those that get their IP addresses from a DHCP server (dial-up users,
cable and DSL users). As mentioned, you could use the RegEx plug-in.
Most of the image-ridden spam that I've received hid their content in
a GIF file, but no one that I know or do business with puts images in
GIF files. If I was to get bombarded by GIF images in spam mails, I'd
define a filter in RegEx to look for the MIME header with a filetype
of .gif and tag that mail. I don't get those anymore so you would
have to look at the data in the mail to see what the MIME header looks
like. Unfortunately, Outlook fucks over the raw data of e-mails to
convert to its proprietary format stored in its PST file, so you might
want to use Outlook Express or some other e-mail program to see the
raw mail source.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top