Page 1 of 2
Results 1 to 25 of 32

Thread: German Spam

  1. #1
    Join Date
    Dec 2004
    Posts
    224

    German Spam

    Hello,

    Anyone getting lots of German-language spam lately? This just seems to have started yesterday, and a few other people also have the same problem. SpamAssassin does not seem to help with this either. Is it a virus or something? Any idea how to block this?

  2. #2
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    I believe that it is sent out by a Windows worm that has infected a machine. SpamAssassin is only ranking them around 1.9 - 2.2. Most of them are coming from dynamic IP blocks but I am not sure of a good list to use.

    Has anybody else found a good solution for these?
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  3. #3
    Join Date
    Jun 2003
    Posts
    976

  4. #4
    Join Date
    Mar 2004
    Location
    Singapore
    Posts
    6,990
    I had a lot of those German (or some language) spams; tracing them, I found a lot to be from Singapore broadband ISPs' customers. I would suspect that maybe a lot of home users are infected and turned into spam machines.

  5. #5
    Join Date
    Jan 2002
    Location
    Yuba City, CA
    Posts
    358
    Hi,

    One of my clients is getting a lot of German spam too. Would be nice to figure out a way to block much of it.
    David
    Beenanza, LLC

  6. #6
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    Originally posted by boonchuan
    I had a lot of those German (or some language) spams; tracing them, I found a lot to be from Singapore broadband ISPs' customers. I would suspect that maybe a lot of home users are infected and turned into spam machines.
    Yeah, I have been getting emails from people receiving a hundred in a few hours. This is one reason that ISPs have started to block outgoing port 25...
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  7. #7
    Join Date
    Oct 2003
    Location
    California
    Posts
    1,271
    If you are using SpamAssassin you can use this

    http://antispam.imp.ch/rules/sober_p.cf

    I have run this for an hour or so, and it has worked on an email address I was testing it on.

    Use at own risk of course

  8. #8
    Join Date
    Dec 2004
    Posts
    224
    Hmm.. If someone finds how this can be blocked on the server, please do post it here

  9. #9
    Join Date
    May 2005
    Posts
    67
    There are about 20 or so variations of the email that we found listed with F-Secure? We use qmail and just added the subject lines (or one of the words within the subject) to our checkall to be deleted before they are delivered to our clients. It's worked without problems since Monday morning. I suppose you could also add these subjects to your qmail-scanner as well.

  10. #10
    Join Date
    Oct 2003
    Location
    California
    Posts
    1,271
    Hmm.. If someone finds how this can be blocked on the server, please do post it here
    I posted my fix above, did you try that?

  11. #11
    Join Date
    Apr 2003
    Posts
    49
    Yup, I got hit very hard with it... see my post here...

    http://www.webhostingtalk.com/showth...hreadid=405636

  12. #12
    Join Date
    Jul 2004
    Location
    Reporting Live from Marrz
    Posts
    257
    In such situations, use SA as little as possible; it eats a lot of load. Use preprocessing: MTA checks right after the initial HELO.

    Postfix example:

    Adding:

    Code:
    header_checks = regexp:/etc/postfix/maps/header_checks
    body_checks = regexp:/etc/postfix/maps/body_checks

    into the Postfix main.cf config file turns on checking the contents of the header_checks and body_checks files using regexps.


    Adding such in for example body_checks file:


    Code:
    /PharmacyByMaiI SHOP/ REJECT
    /VlAGGRA/ REJECT
    /http:\/\/www.mwbank.anfivdraftbillfo.com/ REJECT

    rejects the messages with the above words in the body:


    Action: failed
    Status: 5.2.0
    Remote-MTA: DNS; mail.myserver.com
    Diagnostic-Code: SMTP; 550 Error: Message content rejected
    Last-Attempt-Date: Fri, 20 May 2005 14:27:19 +0200



    Whereas adding such in header_checks:


    Code:
    /^Subject: .*Dresden Bombing Is To Be Regretted Enormously/ REJECT

    rejects messages with the above words in the Subject: header:


    Action: failed
    Status: 5.2.0
    Remote-MTA: DNS; mail.myserver.com
    Diagnostic-Code: SMTP; 550 Error: Message content rejected
    Last-Attempt-Date: Fri, 20 May 2005 14:27:19 +0200




    So all that stuff will get rejected right after the initial HELO to the MTA; it won't even get near SpamAssassin (which is a big resource hog) or any other filters that act after the message is received for distribution to mailboxes. The message is rejected before any of the spam daemons see it, with the lowest possible load on the system.


    Those German Nazi headers to be added to header_checks are:

    Code:
    /^Subject: .*Gegen das Vergessen/ REJECT
    /^Subject: .*Verbrechen der deutschen Frau/ REJECT
    /^Subject: .*Dresden Bombing Is To Be Regretted Enormously/ REJECT
    /^Subject: .*Graeberschaendung auf bundesdeutsche Anordnung/ REJECT
    /^Subject: .*Deutsche Buerger trauen sich nicht .../ REJECT
    /^Subject: .*S.O.S. Kiez! Polizei schlaegt Alarm/ REJECT
    /^Subject: .*Schily ueber Deutschland/ REJECT
    /^Subject: .*Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer/ REJECT
    /^Subject: .*The Whore Lived Like a German/ REJECT
    /^Subject: .*Transparenz ist das Mindeste/ REJECT
    /^Subject: .*Volk wird nur zum zahlen gebraucht!/ REJECT
    /^Subject: .*Trotz Stellenabbau/ REJECT
    /^Subject: .*Augen auf/ REJECT
    /^Subject: .*Armenian Genocide Plagues Ankara 90 Years On/ REJECT
    /^Subject: .*Du wirst ausspioniert ....!/ REJECT
    /^Subject: .*Dresden 1945/ REJECT
    /^Subject: .*Blutige Selbstjustiz/ REJECT
    /^Subject: .*Turkish Tabloid Enrages Germany with Nazi Comparisons/ REJECT
    /^Subject: .*Multi-Kulturell = Multi-Kriminell/ REJECT
    /^Subject: .*60 Jahre Befreiung: Wer feiert mit?/ REJECT
    /^Subject: .*Vorbildliche Aktion/ REJECT
    /^Subject: .*Auf Streife durch den Berliner Wedding/ REJECT
    /^Subject: .*Tuerkei in die EU/ REJECT
    /^Subject: .*Paranoider Deutschenmoerder kommt in Psychiatrie/ REJECT
    /^Subject: .*Hier sind wir Lehrer die einzigen Auslaender/ REJECT
    /^Subject: .*4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass/ REJECT
    /^Subject: .*Du wirst zum Sklaven gemacht!!!/ REJECT
    /^Subject: .*Deutsche werden kuenftig beim Arzt abgezockt/ REJECT
    /^Subject: .*Auslaenderpolitik/ REJECT
    /^Subject: .*Auslaender bevorzugt/ REJECT
    NOTE: the last / and REJECT are to be separated with a TAB, not a SPACE.



    This is by far the most resource-saving way to reject stuff. Those messages won't even get a chance to be processed by SpamAssassin.

    Exim can do something similar; I don't know how, as I don't use it.
    Last edited by SupaDucta; 05-20-2005 at 09:08 AM.

  13. #13
    I have an email address setup to be forwarded to my cell phone as sms, and received 46 of these messages in an hour! Removed forwarding...

  14. #14
    Join Date
    Apr 2004
    Location
    India
    Posts
    292
    Hi,
    We had the same problem too. We use Qmail, so I found a way to tackle it with the help of qmail-scanner.
    I added the most commonly occurring Subject lines to the scanner definition. Of course those are added with the help of regular expressions,
    e.g.
    (?i).*Nazi.* Virus-Subject: May be a virus
    (?i).*german.* Virus-Subject: May be a virus
    etc. etc.
    I added almost 15-16 of those types, with different subjects.
    Now almost 75% of spams of that type are sorted out.
    You may add it if you have qmail-scanner.
    Thanks, bye.
    thelinophile
    Thinking Different !!

  15. #15
    Join Date
    Jul 2004
    Location
    Reporting Live from Marrz
    Posts
    257
    I believe a big wave of Nazi trash is coming on. Today I have noticed a zillion returned mails to my Hotmail accounts, naturally I have never sent any of those mails that got bounced back.

    So obviously now they are beginning to use mail spoofing... many accounts will be blacklisted.

    The great majority of those fake e-mails are being dispatched from interbusiness.it.

    Example: Received: from host34-217.pool81116.interbusiness.it (HELO swrhffeha.com) (81.116.217.34)

    HELOs naturally differ.
    Last edited by SupaDucta; 05-21-2005 at 08:08 AM.

  16. #16
    Join Date
    May 2005
    Posts
    67
    Setup SPF and you can eliminate the bounced emails. You can only do this on your main MX machines so if you don't control these, you'll want to talk to your ISP or hosting provider.

    http://spf.pobox.com

  17. #17
    Join Date
    Jul 2004
    Location
    Reporting Live from Marrz
    Posts
    257
    SPF doesn't have anything to do with the issues in this thread.

  18. #18
    Datums Internet Solutions, LLC
    Systems Engineering & Managed Hosting Services
    Complex Hosting Consultants

  19. #19
    Join Date
    May 2005
    Posts
    67
    Originally posted by SupaDucta
    SPF doesn't have anything to do with the issues in this thread.
    ??? SPF allows you to stop the false bounces caused from this German Spam problem back to your domain. How can you say that it doesn't have anything to do with this thread SupaDucta?

  20. #20
    I haven't heard much of a problem with bounce backs. You should really not be bouncing back spam, just silently deleting or tagging the subject or quarantining it.
    By bouncing back spam, spammers can basically acknowledge that the email exists.

    From my experience the majority of the problem is with the amount of it getting through to the end user.
    Datums Internet Solutions, LLC
    Systems Engineering & Managed Hosting Services
    Complex Hosting Consultants

  21. #21
    Join Date
    May 2005
    Posts
    67
    Originally posted by datums
    I haven't heard much of a problem with bounce backs. You should really not be bouncing back spam, just silently deleting or tagging the subject or quarantining it.
    By bouncing back spam, spammers can basically acknowledge that the email exists.

    From my experience the majority of the problem is with the amount of it getting through to the end user.
    Perhaps I should explain further. If I am wrong, please help me to understand.

    Spammer 1 sends an email to Otherguy@somedomain.com and sends it from your email address. Otherguy@somedomain.com gets queued by the other server and is determined not to exist, so it is bounced back to your email address. Because you have SPF installed, your server rejects the returned email, knowing that it didn't come from your servers originally. Hence, the bounced German Spam message that would have bounced back to your client does not reach its destination.

  22. #22
    Actually SPF works a different way.

    A spammer sends an email to someguy@somedomain.com through relay 12.34.56.78 with faked sender address you@yourdomain.com.

    The somedomain.com mail server should read the SPF record for yourdomain.com and check if yourdomain.com mail can originate from the sending SMTP server, in our example 12.34.56.78. It can't, so somedomain.com should reject the message.

    Instead it accepts the mail and sends a reply to a faked sender address. This is a clear indicator that the somedomain.com admin is either stupid or just does not care. In fact it is an act of spamming too and such a host should be blacklisted like any other spam source.
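The check ivas describes, written out as an added Python example; this is not code from the thread and not a real SPF implementation. The DNS records, domains and addresses are constructed (RFC 5737 documentation ranges), only the ip4 and all mechanisms with the +, -, ~ and ? qualifiers are handled, and the DNS lookup is replaced by a table. It also handles the bounce case from the surrounding discussion: a bounce arrives with an empty MAIL FROM, and RFC 7208 says the receiver then evaluates the HELO domain instead.

```python
"""Minimal SPF evaluation at the receiving MTA (somedomain.com in post #22).

Added example, not from the thread or any SPF library.  Assumed RFC 7208
semantics for the 'ip4' and 'all' mechanisms and the four qualifiers; the
'a', 'mx', 'include', 'exists' and 'ptr' mechanisms need live DNS and are
reported as permerror here.  SPF_RECORDS stands in for DNS TXT lookups.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed "DNS": the TXT records the MAIL FROM domains would publish.
SPF_RECORDS: Dict[str, str] = {
    "yourdomain.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.64/26 -all",
    "softdomain.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: Optional[str], client_ip: str) -> str:
    """Evaluate one SPF record against the connecting SMTP client's address."""
    if record is None:
        return "none"                          # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                        # a mechanism without a qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]       # 'all' always matches; -all/~all decide the rest
        if name == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                     # mechanism this toy evaluator does not implement
    return "neutral"                           # no mechanism matched and no 'all' term


def spf_identity(mail_from: str, helo: str) -> str:
    """Domain whose record is consulted.  Bounces carry an empty MAIL FROM (<>);
    RFC 7208 then evaluates postmaster@<HELO domain>, so SPF can still be applied
    to backscatter arriving at the forged sender's MX."""
    if mail_from in ("", "<>"):
        return helo.lower()
    return mail_from.strip("<>").rsplit("@", 1)[-1].lower()


def mta_decision(mail_from: str, helo: str, client_ip: str) -> Tuple[str, str]:
    """(spf_result, SMTP reply) the receiving MTA gives at MAIL FROM time.
    A 550 here means the message is never accepted, so no bounce to the
    forged address is ever generated.  Softfail handling is an assumed policy."""
    domain = spf_identity(mail_from, helo)
    result = check_spf(SPF_RECORDS.get(domain), client_ip)
    if result == "fail":
        return result, "550 5.7.1 SPF fail: %s is not permitted to send mail for %s" % (client_ip, domain)
    if result == "softfail":
        return result, "250 2.0.0 Ok: accepted, tagged Received-SPF: softfail"
    return result, "250 2.0.0 Ok"


if __name__ == "__main__":
    # The scenario from the post: forged you@yourdomain.com via relay 12.34.56.78
    print(mta_decision("you@yourdomain.com", "swrhffeha.com", "12.34.56.78"))
    print(mta_decision("you@yourdomain.com", "mail.yourdomain.com", "203.0.113.70"))
```

The decision that matters for the bounce argument is the first one: a receiver that evaluates SPF rejects the forged message at SMTP time and produces no bounce at all, whereas a receiver that accepts first and bounces later is the source of the backscatter.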

  23. #23
    Join Date
    May 2005
    Posts
    67
    Originally posted by ivas
    Actually SPF works a different way.

    A spammer sends an email to someguy@somedomain.com through relay 12.34.56.78 with faked sender address you@yourdomain.com.

    The somedomain.com mail server should read the SPF record for yourdomain.com and check if yourdomain.com mail can originate from the sending SMTP server, in our example 12.34.56.78. It can't, so somedomain.com should reject the message.

    Instead it accepts the mail and sends a reply to a faked sender address. This is a clear indicator that the somedomain.com admin is either stupid or just does not care. In fact it is an act of spamming too and such a host should be blacklisted like any other spam source.
    Ivas,
    While I do understand that the above is how it is meant to work, I also understand that most hosts are not running SPF, so they are more likely to accept the email from the person that has spoofed your domain, assuming their MX servers don't check to see if the user exists. As I described, your MX server that is configured with SPF would then block the bounced message since the original message was spoofed (soft-fail). Am I not correct, as this has been working on our servers now for several months?
    Last edited by debrown3rd; 05-22-2005 at 02:18 PM.

  24. #24
    Join Date
    Jul 2004
    Location
    Reporting Live from Marrz
    Posts
    257
    ??? SPF allows you to stop the false bounces caused from this German Spam problem back to your domain. How can you say that it doesn't have anything to do with this thread SupaDucta?
    Of course it doesn't. And additionally, read again - at some point I have posted that I have noticed HOTMAIL'S bouncebacks on MY FREE WEBMAIL BASED HOTMAIL ACCOUNT, attempting to point that they are even using faked HOTMAIL addresses for mail dispatching, not just worm infected Windows boxes.

    Additionally, concerning rejects as I have posted in my post before. REJECT sends back the e-mail 'Message couldn't be delivered'. Which might not be the best idea. In my belief, the best idea is to use DISCARD - which silently discards the message, logs that it was discarded, but doesn't do any bouncebacks so the offender *thinks* his trash was sent normally.

    I.e. for those Postfix header_checks I posted before, it is worth considering DISCARD in place of REJECT:

    /^Subject: .*Gegen das Vergessen/ DISCARD


    Postfix documentation here:

    http://www.postfix.org/uce.html
    Last edited by SupaDucta; 05-22-2005 at 02:32 PM.
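To see how the header_checks tables in posts #12 and #24 (and the subject-keyword approach in posts #9 and #14) actually behave, here is an added Python simulation of the Postfix regexp: lookup; it is not code from the thread or from Postfix. The table and the sample headers are constructed. It assumes the documented Postfix rules that matching is case-insensitive unless the i flag is given, that the first matching rule wins, that the REJECT reply is the 550 quoted in the thread's bounce, and (a simplification for this simulation) that folded continuation lines are joined with a single space before matching.

```python
"""Simulate Postfix header_checks (regexp: table) on sample message headers.

Added example, not code from the thread or from Postfix.  Assumed semantics
from regexp_table(5)/header_checks(5): one '/pattern/flags action' per line,
'#' comments and blank lines ignored, case-insensitive matching unless the
'i' flag is present, first matching rule wins, each logical header (with its
continuation lines) matched as a unit.  Check a real table with:
    postmap -q "Subject: ..." regexp:/etc/postfix/maps/header_checks
"""
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[re.Pattern, str]

# Constructed table in the thread's syntax.  Note the escaped dots in
# 'S\.O\.S\.' (an unescaped '.' matches any character) and the 'i' flag on
# the last rule, which turns that single rule case-SENSITIVE.
HEADER_CHECKS = r"""
# Subject lines of the German spam wave
/^Subject: .*Gegen das Vergessen/                       DISCARD
/^Subject: .*Dresden 1945/                              REJECT
/^Subject: .*S\.O\.S\. Kiez! Polizei schlaegt Alarm/    REJECT
/^Subject: .*Augen auf/i                                REJECT
"""

RULE_RE = re.compile(r"^/(.*)/([a-zA-Z]*)\s+(\S.*)$")


def parse_table(text: str) -> List[Rule]:
    """Parse a regexp: lookup table into (compiled pattern, action) pairs."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("cannot parse rule: %r" % raw)
        pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE   # 'i' toggles the default off
        if "m" in flags:
            re_flags |= re.MULTILINE
        if "x" in flags:
            re_flags |= re.VERBOSE
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules


def unfold(raw_headers: List[str]) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto the previous header."""
    logical: List[str] = []
    for line in raw_headers:
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    return logical


def check_message(rules: List[Rule], raw_headers: List[str]) -> Tuple[str, Optional[str]]:
    """Apply the table to every logical header; the first hit decides the message."""
    for header in unfold(raw_headers):
        for pattern, action in rules:
            if pattern.search(header):
                return action, header
    return "OK", None


def smtp_reply(action: str) -> str:
    """What the sending client sees.  REJECT refuses the message with the 550 from
    the thread's bounce; DISCARD acknowledges it as delivered, then drops and logs it."""
    if action == "REJECT":
        return "550 Error: Message content rejected"
    return "250 2.0.0 Ok: queued"


# Constructed sample messages (header lists only)
SAMPLE_MESSAGES: Dict[str, List[str]] = {
    "exact":     ["From: someone@example.net", "Subject: Gegen das Vergessen"],
    "lowercase": ["Subject: gegen das vergessen"],          # matches: default is case-insensitive
    "folded":    ["Subject: Dresden", " 1945"],             # continuation joined before matching
    "dots":      ["Subject: S.O.S. Kiez! Polizei schlaegt Alarm"],
    "flag_hit":  ["Subject: Augen auf!"],
    "flag_miss": ["Subject: augen AUF"],                    # the 'i' flag made that rule case-sensitive
    "clean":     ["Subject: Weekly report", "From: boss@example.net"],
}


def run_checks() -> Dict[str, Tuple[str, Optional[str]]]:
    rules = parse_table(HEADER_CHECKS)
    return {name: check_message(rules, hdrs) for name, hdrs in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, (action, header) in run_checks().items():
        print("%-10s %-8s %s  <- %s" % (name, action, smtp_reply(action), header))
```

The flag_miss case is the one to remember when copying rules from a post: adding i to a Postfix regexp rule makes it stricter, not looser, which is the opposite of what the flag means in most other regex dialects.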

  25. #25
    Join Date
    May 2005
    Posts
    67
    Originally posted by SupaDucta
    Of course it doesn't. And additionally, read again - at some point I have posted that I have noticed HOTMAIL'S bouncebacks on MY FREE WEBMAIL BASED HOTMAIL ACCOUNT, attempting to point that they are even using faked HOTMAIL addresses for mail dispatching, not just worm infected Windows boxes.
    That's funny, it's been working on our servers for a few months now and it stops many of the bounces caused by the recent "German Spam" problems. *Shrug*, I have offered it as advice for anyone that has to deal with the problem listed in this thread.

    And additionally, read again - at some point I have posted that I have noticed HOTMAIL'S bouncebacks on MY FREE WEBMAIL BASED HOTMAIL ACCOUNT, attempting to point that they are even using faked HOTMAIL addresses for mail
    .... I see no point in what you have to say here? SPF is likely what Hotmail's servers are using to identify the bounceback as faked or spoofed. If this were set to refuse or delete as it was found, would this not be saving your clients the time it takes to remove these types of emails?
    Last edited by debrown3rd; 05-22-2005 at 02:26 PM.

