So let's look at these 4 group numbers such as 192.116.89.37.

8th January 2005 Identified structure of captured residual spam stopped by existing AntEspam filters. Constructed structure trap and captured content.

22nd January 2005 Noticed particular format of emails from a new spammer on the block . . . Constructed filter to identify structure, captured data and created library for distribution.

9th February 2005 Captured new data for addition to library.

15th February 2005 Spammers sending junk emails on a filter training exercise presumably to hammer and pervert Bayesian systems. Data captured, new Library created and added to existing filters.

16th February 2005 Over 75% of spam traps hit by money-laundering scam email. Constructed story filters for distribution.

18th February 2005
1. Unprecedented phishing attacks hitting 100% of our spam traps targeting Barclays bank customers. New form of disguise to evade conventional textual and Bayesian filters. Stopped by existing AntEspam filters.
2. New type of Viagra spam designed to evade conventional filters. Stopped by existing AntEspam junk email filters but produced new class of filter - TOMATO and VIATOMOTZ to detect and kill this class of standard filter evasion.

19th February 2005
1. Tested TOMATO filters and enhanced functionality.
2. Eureka! A Viagra spammer dumped important information in our direction. A new set of AVOCADO filters will be constructed giving us the lead in the spam filtering industry. If seen generally in use in the wild the AVOCADOs will be made available to subscribers as an enhanced PRICKLYPEAR package.

9th March 2005 Spam marketing Viagra is currently including random lines from paragraphs of the book "The Financier" by Theodore Dreiser as Bayes fodder.
- http://www.worldwideschool.org/library/books/lit/drama/TheFinancier/

14th March 2005 Bayes fodder Viagra spammers are using Captain Blood by Rafael Sabatini this week - http://www.worldwideschool.org/library/books/lit/adventure/CaptainBlood/

30th March 2005 Bayes fodder spammers are successfully skewing Bayes based systems. We received the following email from a desperate ISP seeking advice and help:

Having failed in adding server-wide Bayes to our SpamAssassin setup (which one day decided to throw away 20+ percent of our legitimate mail), we're back to facing a lot of SPAM that goes through to our clients.

22nd April 2005 Bayes fodder spammers are continuing to use Captain Blood and now in addition extracts from Twenty Thousand Leagues Under the Sea.

Yahoo is closing email accounts used by scammers where the scammers are sending email from their Yahoo email accounts. But where 419 scams are sent from other addresses, using a Yahoo address on which to pick up 419 scam replies, Yahoo operatives do not appear to be able to read the emails reported to them showing such addresses. Yahoo are only interested in email headers, to make sure that the email has not originated through a Yahoo account, and pay no real attention to the scam addresses in the body of the email. In this way, Yahoo is providing a wonderful pick-up point for criminals on which to receive replies.

4th May 2005 Bayes avoidance system spammers have added Peter Pan to their literary repertoire.

5th May 2005 We tracked down the source of all Overpayment Scam emails and their datasources.

8th May 2005 Bayes-fodder spammers are now using extracts from Catriona by Robert Louis Stevenson.

12th May 2005 We have compiled a list of what the scammers are searching for. We are able to advise ISPs whose free email services are being abused and law enforcement agencies dealing with 419 and criminal cashback scams.
We have been just minutes away from getting scammers ejected from internet cafes as global ISPs and their customers have an interest in keeping their networks "clean". We have real-time statistics on a focussed clutch of internet pages which are of great attraction to the scammers.

22nd May 2005 We now have a reliable stream of Scam emails coming in on dedicated email addresses. If you are responsible for protecting clients from scams and from the nuisance that these scammers cause, we can forward these emails to you in real time so that you can block IP numbers, block email addresses, block specific word content or close down the relevant email accounts. Yahoo, teenmail.co.za, walla.com and other email ISPs could usefully take advantage of this service to assist them in cleaning up their act.

24th May 2005 We could not help being amused by the following English. It was sent by someone having searched www.google.ci for "yahoo marketing contacts".

Salut monsieur , je m’appelle awa et je suis élève en côte d’ivoire. Mon problème est que depuis la rébellion à commence, mon père a été renvoyé de son travail. Et il a des difficultés à payer ma scolarité . Je voudrais vous demander si vous pouvez m’aider en me donnant quelques sommes pour que je cherche à faire une cabine pour pourvoir m’en sortis pendant la prochaine rentrée. MERCI

****************************************************************

Hello Sir, I am called AWA and I am pupil in côte.d'ivoire. My problem is that since the rebellion with starts, my father was returned of his work. And it has difficulties in pay my schooling. I would like to ask to you whether you can help me by giving me some sums so that I seek to make a cabin to provide me of left during the next re-entry. THANK YOU

25th May 2005 A client had a query on whether or not an enquiry was genuine: this resulted in a useful explanation and guidance detailed below.

12th June 2005 Bayesian filter bashers are now using the novel The Master Key by L. Frank Baum for extracts to include in spam emails.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Query on whether enquiry was genuine
>David, I just wondered if you could take a quick look at this. I am offering a
>reduction for a 4 week rental. I can't explain why, but something makes
>me a little uneasy, is it just because he is (I think) not English.
>I would appreciate your comments before I get back to him later today.

Dear Vicky

I am copying this to our list as I hope it will be useful to others.
I believe it to be genuine, enhanced by the injunction that they cannot enter the house on a Saturday.
I tracked the original email and looked at the headers (anyone can do this in their email programme but Eudora makes it really easy). The headers contained the following lines:
X-ClientAddr: 192.115.104.22

That is where it came from before our server

Received: from sa8.bezeqint.net (sa8.bezeqint.net [192.115.104.22]) by srv01.info-world.com (8.11.6/8.11.6) with ESMTP id j4MBTkp21939 for carlsbad@antibes.; Sun, 22 May 2005 12:29:47 +0100

That shows that it did come from there before our server

Received: from localhost (unknown [127.0.0.1]) by sa8.bezeqint.net (Bezeq International SMTP out Mail Server) with ESMTP id B616933E66 for carlsbad@antibes; Sun, 22 May 2005 12:21:02 +0300 (IDT)
This suggests that it was a computer on the "localhost" - i.e. directly connected to the internet server.

A false email would probably have come through Yahoo or some other free email service and have had a line that shows:
Received: from 192.116.89.37 by www.gawab.com with HTTP; Tue, 24 May 2005 22:45:03 GMT

which came from somewhere else before www.gawab.com or in the case of Yahoo:

Received: from [192.116.89.37] by web14525.mail.yahoo.com via HTTP; Tue, 24 May 2005 17:04:44 PDT
Very often these will track back to Nigeria, Benin, Togo and Cote d'Ivoire
These don't. See
http://www.dnsstuff.com/tools/whois.ch?ip=192.117.236.26 GENUINE

and

http://www.dnsstuff.com/tools/whois.ch?ip=192.116.89.37 SCAM

The scam enquiry comes from

GILAT-SATCOM 012.net.il goldenlines.net.il

which is a satellite internet provider infamous for connecting many Nigerian internet cafes and other west African facilities. It's based at 21D Yagia Kapaim st. Petach-Tikva, Israel
The (presumably) genuine enquiry comes from
HED-ARTZI-LTD

and is based at 40 hashacham petach tikva 49170 Israel
The server address bezeqint.net is unique to this enquiry and does not occur in any scam email that I have received to date. (NB Since this time we have received scam emails from bezeqint.net as well as viral attempted DOS attacks. We block such IP numbers in our firewall so communications from this ISP will be unreliable if you are a genuine user)
Mention of Saturday in Israel suggests that you are dealing with a real and devout person there.
Best wishes
Yours
David P
-----Original Message-----
Sent: 23 May 2005 18:41
To: Vicky
Subject: RE: Carlsbad Rental Enquiry: all July 2005

Dear Vicky,

We are close to making a decision to close with you. Can you drop the price a little lower?

Is the house close to:
1980 La Costa Avenue
Carlsbad, CA 92009
USA

Thanx,
Ziv

---- Original Message ----
>Date: Sun, 22 May 2005 21:31:52 +0100
>Subject: RE: Carlsbad Rental Enquiry: all July 2005
>
>Further information is on my web page as stated previously on
>lacostahouse.com
>
>The house is unfortunately not available until the 9th July and it would
>be from about 4.00PM
>
>As regard internet connection there is a normal phone line.
>
>By the way the price quoted was GB pounds. There is in addition a $35
>charge for cleaning payable to our agent in the US.
>
>Regards
>
>Vicky
>
>-----Original Message-----
>Sent: 22 May 2005 18:53
>Subject: Carlsbad Rental Enquiry: all July 2005
>
>Dear Vicky,
>
>We are very interested in your property.
>If you have additional information regarding your property we
>would love to see it.
>
>At what time can we enter on the 9th of July. Can we enter on
>the 8th (Very important because we can not enter on Saturday).
>
>Do you have Internet connection? We will bring our laptop.
>
>Thank you for the information.
>
>Ziv
>-----Original Message-----
>Sent: Sun 22 May 2005 14:05
>Subject: RE: Carlsbad Rental Enquiry: all July 2005
>
>
>The house is available from 9th July to 6th August (4
>weeks). You will find more information on my web page
>lacostahouse.com . If you wanted the full 4 weeks at that
>time I could offer you a discounted rental of £1400.
>
>
>
>Many thanks for your enquiry.
>
>
>Vicky

Another client wrote:

>David, this is the 2nd enquiry that has arrived like this.
>I deleted the other. But when I looked at this one, I realized
>that it's addressed to someone else on the list but is coming
>to me ... perhaps others? This one is obviously a scam. I don't
>recall if the other was or not...
>Thought you would want to know...
>Betsy

Dear Betsy

This one was copied through to numerous clients. I have spent most of the day analysing stats for all the computers which have accessed the fly-trap. The result of this is that if you see the term HONEYPOT in the antespam analysis in the header of an email, you'll know that it's from one of these sources. But the list is only as comprehensive as the stats . . . I hope that the time invested will help us to more accurately block the false enquiries.

In the meantime, the English of the one below brought a smile to my face.

Best wishes

Dear Sir/Ma, Calvary greetings to you in the name of our lord.l hereby seek for an apartment/room in your reputable house.I am Pastor Janet Reeves,an associate pastor of Christ The KIng Evangelical mission Int,{lagos nigeria chapter},l am 30years old of ages,married with kids,am kind,clean,honest,God fairing,caring and respectfull.l due travel from one country to another to preach and spead the goodnews of Christ . There is a missionary assignment given to me by Church out of the country,of which it will enable melook for accomodation which I will stay for Two weeks {14days} for the completion of the assignment. I will like to rent your apartment /room for the Two weeks(14days) assignment. at hand ,Please get back to me as soon as possible with the final asking price including all utilities of the apartment and the pics if it"s available.Gob bless Regard!!!! Pastor Janet Reeves

Do You Yahoo!? Yahoo! Small Business - Try our new Resources site!
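The header check described in the reply to Vicky above, as an added example that is not part of the original page: it parses the Received lines quoted there, picks out the first public IP address to look up in whois, and flags a message that entered the mail system through a webmail HTTP form. The function and variable names are hypothetical.

```python
import ipaddress
import re

# Received lines copied from the reply above, newest first (the order they appear in a header).
GENUINE = [
    "Received: from sa8.bezeqint.net (sa8.bezeqint.net [192.115.104.22]) by srv01.info-world.com (8.11.6/8.11.6) with ESMTP id j4MBTkp21939 for carlsbad@antibes.; Sun, 22 May 2005 12:29:47 +0100",
    "Received: from localhost (unknown [127.0.0.1]) by sa8.bezeqint.net (Bezeq International SMTP out Mail Server) with ESMTP id B616933E66 for carlsbad@antibes; Sun, 22 May 2005 12:21:02 +0300 (IDT)",
]
GAWAB = ["Received: from 192.116.89.37 by www.gawab.com with HTTP; Tue, 24 May 2005 22:45:03 GMT"]
YAHOO = ["Received: from [192.116.89.37] by web14525.mail.yahoo.com via HTTP; Tue, 24 May 2005 17:04:44 PDT"]

HOP = re.compile(r"Received:\s+from\s+(?P<src>.+?)\s+by\s+(?P<by>\S+).*?\b(?:with|via)\s+(?P<proto>\w+)", re.S)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_hop(line):
    """Return source IP, receiving host and protocol for one Received line, or None."""
    m = HOP.search(line)
    if not m:
        return None
    ip = IPV4.search(m["src"])
    return {"ip": ip.group(0) if ip else None, "by": m["by"], "proto": m["proto"].upper()}

def is_public(ip):
    """True for a routable address; loopback, private and malformed values are skipped."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def trace(received):
    """Summarise a list of Received lines given in header order (newest first)."""
    hops = [h for h in map(parse_hop, received) if h]
    if not hops:
        return None
    earliest = hops[-1]  # servers prepend their line, so the last one is the first hop
    origin = next((h["ip"] for h in reversed(hops) if h["ip"] and is_public(h["ip"])), None)
    return {
        "origin_ip": origin,              # address to look up in whois
        "entered_at": earliest["by"],     # server that first accepted the message
        "webmail": earliest["proto"] in ("HTTP", "HTTPS"),  # submitted through a web form
    }

if __name__ == "__main__":
    for name, lines in (("genuine", GENUINE), ("gawab", GAWAB), ("yahoo", YAHOO)):
        print(name, trace(lines))
```

Only the Received lines added by servers you control can be relied on; anything below them is supplied by the sender and can be forged.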
16th July 2005 Upon informing Tiscali of abuse of their systems we found that our email was deleted without being read.
15th August 2005 Spammers are now using the 1997 novel The Master and Margarita by Mikhail Bulgakov as Bayesian fodder.
Unsurpassed Spam blocking for any email address published on a webpage. Monitored spam-bin minimises risks of losing wanted emails. Don't trust services where you do not know what mails you are losing! Don't trust anti-spam software which has to be downloaded onto your computer.
In contrast to one-solution-fits-all software that you install on your machine or, worse, buy from an ISP, we tailor our spam remedy service to the needs of our individual clients, and our results benefit from years of research. You do not need to download software on your computer: we block the spam at our server.
If you want to buy a maintained filter service to run on your version of SpamAssassin, please enquire: guide price £4000 to £30,000 depending on the size of your organisation. The filters can save you this in problems your server will encounter running Bayes and large databases, and are much more accurate!