Thread: German Spam
-
05-17-2005, 02:38 PM #1 Junior Guru
- Join Date: Dec 2004
- Posts: 224
German Spam
Hello,
Is anyone getting lots of German-language spam lately? This just seems to have started yesterday, and a few other people also have the same problem. SpamAssassin does not seem to help with this either. Is it a virus or something? Any idea how to block this?
-
05-17-2005, 03:15 PM #2 Web Hosting Master
- Join Date: Apr 2003
- Location: NC
- Posts: 3,093
I believe that it is sent out by a Windows worm that has infected a machine. SpamAssassin is only ranking them around 1.9 - 2.2. Most of them are coming from dynamic IP blocks, but I am not sure of a good list to use.
Has anybody else found a good solution for these?

John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
05-17-2005, 03:31 PM #3 Web Hosting Master
- Join Date: Jun 2003
- Posts: 976
Maybe this one: http://www.trendmicro.com/vinfo/viru...ER%2EU&VSect=P
-
05-17-2005, 04:17 PM #4 Retired Moderator
- Join Date: Mar 2004
- Location: Singapore
- Posts: 6,990
I had a lot of those German (or some other language) spams; tracing them, I found a lot to be from Singapore broadband ISPs' customers. I would suspect that maybe a lot of home users are infected and turned into spam machines.
-
05-17-2005, 04:29 PM #5 Aspiring Evangelist
- Join Date: Jan 2002
- Location: Yuba City, CA
- Posts: 358
Hi,
One of my clients is getting a lot of German spam too. Would be nice to figure out a way to block much of it.

David
Beenanza, LLC
-
05-17-2005, 04:36 PM #6 Web Hosting Master
- Join Date: Apr 2003
- Location: NC
- Posts: 3,093
Originally posted by boonchuan:
I had a lot of those German (or some other language) spams; tracing them, I found a lot to be from Singapore broadband ISPs' customers. I would suspect that maybe a lot of home users are infected and turned into spam machines.

John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
05-17-2005, 06:19 PM #7 Web Hosting Master
- Join Date: Oct 2003
- Location: California
- Posts: 1,271
If you are using SpamAssassin you can use this:
http://antispam.imp.ch/rules/sober_p.cf
I have run this for an hour or so, and it has worked on an email address I was testing it on.
Use at your own risk, of course.
-
05-18-2005, 03:34 PM #8 Junior Guru
- Join Date: Dec 2004
- Posts: 224
Hmm.. If someone finds out how this can be blocked on the server, please do post it here.
-
05-18-2005, 05:26 PM #9 Junior Guru Wannabe
- Join Date: May 2005
- Posts: 67
There are about 20 or so variations of the email that we found listed with F-Secure? We use qmail and just added the subject lines (or one of the words within the subject) to our checkall, to be deleted before they are delivered to our clients. It's worked without problems since Monday morning. I suppose you could also add these subjects to your qmail-scanner as well.
-
05-18-2005, 05:27 PM #10 Web Hosting Master
- Join Date: Oct 2003
- Location: California
- Posts: 1,271
Hmm.. If someone finds out how this can be blocked on the server, please do post it here.
-
05-18-2005, 09:56 PM #11 Junior Guru Wannabe
- Join Date: Apr 2003
- Posts: 49
Yup, I got hit very hard with it... see my post here:
http://www.webhostingtalk.com/showth...hreadid=405636
-
05-20-2005, 08:58 AM #12 Web Hosting Guru
- Join Date: Jul 2004
- Location: Reporting Live from Marrz
- Posts: 257
In such situations, use SA as little as possible; it eats lots of load. Use preprocessing: MTA checks right after the very initial HELO.
Postfix example:
Adding:
Code:
header_checks = regexp:/etc/postfix/maps/header_checks
body_checks = regexp:/etc/postfix/maps/body_checks
into the main.cf config file of Postfix turns on checking against the contents of the header_checks and body_checks files using regexps.
Adding something like this to, for example, the body_checks file:
Code:
/PharmacyByMaiI SHOP/ REJECT
/VlAGGRA/ REJECT
/http:\/\/www.mwbank.anfivdraftbillfo.com/ REJECT
rejects messages with the above words in the body:
Action: failed
Status: 5.2.0
Remote-MTA: DNS; mail.myserver.com
Diagnostic-Code: SMTP; 550 Error: Message content rejected
Last-Attempt-Date: Fri, 20 May 2005 14:27:19 +0200
Whereas adding this to header_checks:
Code:
/^Subject: .*Dresden Bombing Is To Be Regretted Enormously/ REJECT
rejects messages with the above words in the Subject: header:
Action: failed
Status: 5.2.0
Remote-MTA: DNS; mail.myserver.com
Diagnostic-Code: SMTP; 550 Error: Message content rejected
Last-Attempt-Date: Fri, 20 May 2005 14:27:19 +0200
So all that stuff gets rejected right after the initial HELO to the MTA and won't even get near SpamAssassin (which is a big resource hog) or any other filters that act after the message is received for distribution to mailboxes. The message is rejected prior to any of the spam daemons, with the lowest possible load on the system.
Those German Nazi headers to be added to header_checks are:
Code:
/^Subject: .*Gegen das Vergessen/ REJECT
/^Subject: .*Verbrechen der deutschen Frau/ REJECT
/^Subject: .*Dresden Bombing Is To Be Regretted Enormously/ REJECT
/^Subject: .*Graeberschaendung auf bundesdeutsche Anordnung/ REJECT
/^Subject: .*Deutsche Buerger trauen sich nicht .../ REJECT
/^Subject: .*S.O.S. Kiez! Polizei schlaegt Alarm/ REJECT
/^Subject: .*Schily ueber Deutschland/ REJECT
/^Subject: .*Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer/ REJECT
/^Subject: .*The Whore Lived Like a German/ REJECT
/^Subject: .*Transparenz ist das Mindeste/ REJECT
/^Subject: .*Volk wird nur zum zahlen gebraucht!/ REJECT
/^Subject: .*Trotz Stellenabbau/ REJECT
/^Subject: .*Augen auf/ REJECT
/^Subject: .*Armenian Genocide Plagues Ankara 90 Years On/ REJECT
/^Subject: .*Du wirst ausspioniert ....!/ REJECT
/^Subject: .*Dresden 1945/ REJECT
/^Subject: .*Blutige Selbstjustiz/ REJECT
/^Subject: .*Turkish Tabloid Enrages Germany with Nazi Comparisons/ REJECT
/^Subject: .*Multi-Kulturell = Multi-Kriminell/ REJECT
/^Subject: .*60 Jahre Befreiung: Wer feiert mit?/ REJECT
/^Subject: .*Vorbildliche Aktion/ REJECT
/^Subject: .*Auf Streife durch den Berliner Wedding/ REJECT
/^Subject: .*Tuerkei in die EU/ REJECT
/^Subject: .*Paranoider Deutschenmoerder kommt in Psychiatrie/ REJECT
/^Subject: .*Hier sind wir Lehrer die einzigen Auslaender/ REJECT
/^Subject: .*4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass/ REJECT
/^Subject: .*Du wirst zum Sklaven gemacht!!!/ REJECT
/^Subject: .*Deutsche werden kuenftig beim Arzt abgezockt/ REJECT
/^Subject: .*Auslaenderpolitik/ REJECT
/^Subject: .*Auslaender bevorzugt/ REJECT
This is by far the most resource-savvy way to reject stuff. Those messages won't even get a chance to be processed by SpamAssassin.
Exim can do something similar; I don't know how, as I don't use it.
Last edited by SupaDucta; 05-20-2005 at 09:08 AM.
-
05-21-2005, 01:04 AM #13 Newbie
- Join Date: May 2005
- Posts: 5
I have an email address set up to be forwarded to my cell phone as SMS, and received 46 of these messages in an hour! Removed forwarding...
-
05-21-2005, 07:50 AM #14 Web Hosting Guru
- Join Date: Apr 2004
- Location: India
- Posts: 292
Hi,
We had the same problem too... we use Qmail, so I found a way to tackle it with the help of qmail-scanner.
I added the most frequently occurring Subject lines to the scanner definition... of course those are added with the help of regular expressions,
e.g.
(?i).*Nazi.* Virus-Subject: May be a virus
(?i).*german.* Virus-Subject: May be a virus
etc. etc.
I added almost 15-16 of that type... with different subjects...
Now almost 75% of spams of that type are sorted out..
You may add it if you have qmail-scanner....
Thanks, bye...

thelinophile
Thinking Different !!
-
05-21-2005, 08:04 AM #15 Web Hosting Guru
- Join Date: Jul 2004
- Location: Reporting Live from Marrz
- Posts: 257
I believe a big wave of Nazi trash is coming on. Today I have noticed a zillion returned mails to my Hotmail accounts; naturally I have never sent any of those mails that got bounced back.
So obviously now they are beginning to use mail spoofing... many accounts will be blacklisted.
The great majority of those fake e-mails is being dispatched from interbusiness.it.
Example: Received: from host34-217.pool81116.interbusiness.it (HELO swrhffeha.com) (81.116.217.34)
HELOs naturally differ.
Last edited by SupaDucta; 05-21-2005 at 08:08 AM.
-
05-21-2005, 11:52 AM #16 Junior Guru Wannabe
- Join Date: May 2005
- Posts: 67
Set up SPF and you can eliminate the bounced emails. You can only do this on your main MX machines, so if you don't control these, you'll want to talk to your ISP or hosting provider.
http://spf.pobox.com
-
05-22-2005, 07:53 AM #17 Web Hosting Guru
- Join Date: Jul 2004
- Location: Reporting Live from Marrz
- Posts: 257
SPF doesn't have anything to do with the issues in this thread.
-
05-22-2005, 12:48 PM #18 Web Hosting Master
- Join Date: May 2003
- Posts: 1,151
Might not be over yet.
http://www.theregister.co.uk/2005/05/20/sober_reloaded/

Datums Internet Solutions, LLC
Systems Engineering & Managed Hosting Services
Complex Hosting Consultants
-
05-22-2005, 12:56 PM #19 Junior Guru Wannabe
- Join Date: May 2005
- Posts: 67
Originally posted by SupaDucta:
SPF doesn't have anything to do with the issues in this thread.
-
05-22-2005, 01:05 PM #20 Web Hosting Master
- Join Date: May 2003
- Posts: 1,151
I haven't heard much of a problem with bounce-backs. You should really not be bouncing back spam; just silently delete it, tag the subject, or quarantine it.
By bouncing back spam, spammers can basically acknowledge that the email exists.
From my experience, the majority of the problem is with the amount of it getting through to the end user.

Datums Internet Solutions, LLC
Systems Engineering & Managed Hosting Services
Complex Hosting Consultants
-
05-22-2005, 01:25 PM #21 Junior Guru Wannabe
- Join Date: May 2005
- Posts: 67
Originally posted by datums:
I haven't heard much of a problem with bounce-backs. You should really not be bouncing back spam; just silently delete it, tag the subject, or quarantine it.
By bouncing back spam, spammers can basically acknowledge that the email exists.
From my experience, the majority of the problem is with the amount of it getting through to the end user.

Spammer 1 sends an email to Otherguy@somedomain.com and sends it from your email address. Otherguy@somedomain.com gets queued by the other server and is determined not to exist, so it is bounced back to your email address. Because you have SPF installed, your server rejects the returned email, knowing that it didn't come from your servers originally. Hence, the bounced German spam message that would have bounced back to your client does not reach its destination.
-
05-22-2005, 01:49 PM #22 Newbie
- Join Date: Apr 2005
- Posts: 14
Actually SPF works a different way.
A spammer sends an email to someguy@somedomain.com through relay 12.34.56.78 with faked sender address you@yourdomain.com.
The somedomain.com mail server should read the SPF record for yourdomain.com and check if yourdomain.com mail can originate from the sending SMTP server, in our example 12.34.56.78. It can't, so somedomain.com should reject the message.
Instead, it accepts the mail and sends a reply to a faked sender address. This is a clear indicator that the somedomain.com admin is either stupid or just does not care. In fact, it is an act of spamming too, and such a host should be blacklisted like any other spam source.
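Added example, not part of the thread: a minimal SPF evaluator in Python that walks through the check ivas describes, using the thread's relay 12.34.56.78 and sender you@yourdomain.com. The SPF record for yourdomain.com is a constructed assumption, and only the ip4/ip6/all mechanisms are implemented, since mx, a and include need live DNS.

```python
import ipaddress

# Constructed SPF record for yourdomain.com (assumption: the thread names the
# domain but publishes no record). Only the listed hosts may send for it.
SPF_RECORDS = {
    "yourdomain.com": "v=spf1 ip4:198.51.100.25 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(client_ip, sender_domain, records=SPF_RECORDS):
    """Simplified SPF check: the receiving MTA fetches the sender domain's record
    and walks its mechanisms left to right until one matches the connecting IP.
    Only ip4/ip6 and all are handled; mx/a/include would need DNS lookups."""
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"          # domain publishes no SPF; nothing to enforce
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech not in ("ip4", "ip6"):
            raise NotImplementedError(f"{mech} mechanism needs DNS lookups")
        if addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"           # record ended without an 'all' term

def receiving_mta_decision(client_ip, mail_from):
    """What somedomain.com's server should do at MAIL FROM time: a hard fail is
    refused inside the SMTP session, so no bounce toward the forged sender is
    ever generated. Anything else is accepted here (the result could feed a
    scoring filter instead)."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    result = check_host(client_ip, domain)
    if result == "fail":
        return f"550 SPF: {client_ip} is not permitted to send mail for {domain}"
    return f"250 OK (spf={result})"

# The thread's scenario: relay 12.34.56.78 claims to be you@yourdomain.com,
# versus a genuine submission from a host inside the permitted range.
FORGED = receiving_mta_decision("12.34.56.78", "you@yourdomain.com")
GENUINE = receiving_mta_decision("203.0.113.7", "you@yourdomain.com")
```

With a `~all` record the same relay would only get "softfail", which is the result debrown3rd mentions; a receiver that enforces only hard fails would then accept the mail.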
-
05-22-2005, 02:11 PM #23 Junior Guru Wannabe
- Join Date: May 2005
- Posts: 67
Originally posted by ivas:
Actually SPF works a different way.
A spammer sends an email to someguy@somedomain.com through relay 12.34.56.78 with faked sender address you@yourdomain.com.
The somedomain.com mail server should read the SPF record for yourdomain.com and check if yourdomain.com mail can originate from the sending SMTP server, in our example 12.34.56.78. It can't, so somedomain.com should reject the message.
Instead, it accepts the mail and sends a reply to a faked sender address. This is a clear indicator that the somedomain.com admin is either stupid or just does not care. In fact, it is an act of spamming too, and such a host should be blacklisted like any other spam source.

While I do understand that the above is how it is meant to work, I also understand that most hosts are not running SPF, so they are more likely to accept the email from the person that has spoofed your domain, assuming their MX servers don't check to see if the user exists. As I described, your MX server that is configured with SPF would then block the bounced message since the original message was spoofed (soft-fail). Am I not correct, as this has been working on our servers now for several months?
Last edited by debrown3rd; 05-22-2005 at 02:18 PM.
-
05-22-2005, 02:17 PM #24 Web Hosting Guru
- Join Date: Jul 2004
- Location: Reporting Live from Marrz
- Posts: 257
??? SPF allows you to stop the false bounces caused by this German spam problem coming back to your domain. How can you say that it doesn't have anything to do with this thread, SupaDucta?

Additionally, concerning rejects, as I have posted in my post before: REJECT sends back the e-mail with 'Message couldn't be delivered', which might not be the best idea. In my belief, the best idea is to use DISCARD, which silently discards the message and logs that it was discarded, but doesn't do any bounce-backs, so the offender *thinks* his trash was sent normally.
I.e. for those Postfix header_checks I have posted before, it is worth considering DISCARD in place of REJECT:
/^Subject: .*Gegen das Vergessen/ DISCARD
Postfix documentation here:
http://www.postfix.org/uce.html
Last edited by SupaDucta; 05-22-2005 at 02:32 PM.
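Added example, not from the thread or from Postfix itself: a small Python model of how the regexp-map header_checks and body_checks posted above are applied, and of what the sending client sees for REJECT versus DISCARD. The rule text reuses patterns from this thread; the message, the DISCARD choice for the header rules and the 250 reply text are constructed, and the matching is simplified (one header line at a time, no MIME handling).

```python
import re

# Constructed rule text in the "/pattern/ ACTION" syntax of Postfix regexp maps.
# Subjects and body strings are the ones posted in this thread; the header rules
# use DISCARD as suggested above, the body rules keep REJECT.
HEADER_RULES = r"""
/^Subject: .*Gegen das Vergessen/ DISCARD
/^Subject: .*Dresden Bombing Is To Be Regretted Enormously/ DISCARD
"""
BODY_RULES = r"""
/VlAGGRA/ REJECT
/http:\/\/www.mwbank.anfivdraftbillfo.com/ REJECT
"""
RULE_RE = re.compile(r"^/(.*)/\s+([A-Z]+)$")

def parse_rules(text):
    """Turn rule lines into (compiled regex, action) pairs, skipping blanks and
    '#' comments. Postfix regexp maps are case-insensitive by default."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def check_message(raw, header_rules, body_rules):
    """Header rules see each header line, body rules each body line (simplified:
    real Postfix also unfolds headers and walks MIME parts). First match wins."""
    headers, _, body = raw.partition("\n\n")
    for rules, section in ((header_rules, headers), (body_rules, body)):
        for line in section.splitlines():
            for pattern, action in rules:
                if pattern.search(line):
                    return action
    return "OK"

def smtp_reply(action):
    """What the sending client sees: REJECT gives the 550 quoted in the bounces
    above; DISCARD answers like a normal delivery and drops the mail, so no
    bounce is ever generated toward the (usually forged) sender address."""
    if action == "REJECT":
        return "550 Error: Message content rejected"
    return "250 2.0.0 Ok: queued"  # constructed text; DISCARD and OK look identical

# Constructed sample in the shape of the worm mail discussed in this thread.
SAMPLE = "From: someone@example.net\nSubject: Gegen das Vergessen\n\nHallo\n"
```

Because DISCARD and a clean message produce the same reply, the only record of a discarded message is the server's own log line, which is the trade-off SupaDucta describes.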
-
05-22-2005, 02:22 PM #25 Junior Guru Wannabe
- Join Date: May 2005
- Posts: 67
Originally posted by SupaDucta:
Of course it doesn't. And additionally, read again: at some point I posted that I have noticed HOTMAIL'S bounce-backs on MY FREE WEBMAIL-BASED HOTMAIL ACCOUNT, attempting to point out that they are even using faked HOTMAIL addresses for mail dispatching, not just worm-infected Windows boxes.

And additionally, read again: at some point I posted that I have noticed HOTMAIL'S bounce-backs on MY FREE WEBMAIL-BASED HOTMAIL ACCOUNT, attempting to point out that they are even using faked HOTMAIL addresses for mail
Last edited by debrown3rd; 05-22-2005 at 02:26 PM.