Blog of spam-fighting resources and new developments

Our SpamInsights subscribers receive full details of new forms of spam attacks and new and updated filters. We have been tracking types of spam and filter evasion for years . . . but the blog below shows a sample of events demonstrating why you should subscribe to our Insights service. We are no longer updating this page for obvious reasons. If you want to find out what the spammers are doing and how to defeat them, consult us! . . . We have the filters.


8th January 2005

Identified structure of captured residual spam stopped by existing AntEspam
filters. Constructed structure trap and captured content.

22nd January 2005

Noticed particular format of emails from a new spammer on the block . . .
Constructed filter to identify structure, captured data
and created library for distribution.

9th February 2005

Captured new data for addition to library.

15th February 2005

Spammers are sending junk emails as a filter-training exercise,
presumably to hammer and pervert Bayesian systems.

Data captured, new Library created and added to existing filters.

16th February 2005

Over 75% of spam traps hit by money-laundering scam email.
Constructed story filters for distribution.

18th February 2005

1. Unprecedented phishing attacks hitting 100% of our spam traps,
   targeting Barclays bank customers.

New form of disguise to evade conventional textual and Bayesian filters.
Stopped by existing AntEspam filters.

2. New type of Viagra spam designed to evade conventional filters.

Stopped by existing AntEspam junk email filters, but produced a new class of
filter, TOMATO and VIATOMOTZ, to detect and kill this class of
standard filter evasion.

19th February 2005

1. Tested TOMATO filters and enhanced functionality.

2. Eureka! A Viagra spammer dumped important information in our direction. A new set of
   AVOCADO filters will be constructed giving us the lead in the spam filtering industry.
   If seen generally in use in the wild the AVOCADOs will be made available to subscribers
   as an enhanced PRICKLYPEAR package.

9th March 2005

Spam marketing Viagra is currently including random lines from paragraphs of the book
"The Financier" by Theodore Dreiser as Bayes fodder.
- http://www.worldwideschool.org/library/books/lit/drama/TheFinancier/

14th March 2005

Bayes fodder Viagra spammers are using Captain Blood by Rafael Sabatini this week
- http://www.worldwideschool.org/library/books/lit/adventure/CaptainBlood/

30th March 2005

Bayes fodder spammers are successfully skewing Bayes-based systems.
We received the following email from a desperate ISP seeking advice
and help:
	Having failed in adding server-wide Bayes to our SpamAssassin setup
	(which one day decided to throw away 20+ percent of our legitimate
	mail), we're back to facing a lot of SPAM that goes through to our
	clients.
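The entries above record which novels the spammers are quoting. The following added example (not the page's or AntEspam's code) shows why the trick works against a whole-message Bayesian filter and what the standard counter-measure does. Everything in it is constructed: the four ham and four spam training lines, the payload, and the FODDER paragraph, which stands in for a passage lifted from Captain Blood or Peter Pan. The function names and the k=8 cut-off are choices made for this example; the "most decisive tokens" scorer is the approach popularised by Paul Graham's "A Plan for Spam".

```python
"""Why literary 'Bayes fodder' works against a whole-message Bayesian filter.

Added example, not the page's own filter code. The training corpus, the
payload and the fodder paragraph are all constructed so the block runs offline.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z']+")


def tokens(text):
    return TOKEN.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing over two classes."""

    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}

    def train(self, label, text):
        self.words[label].update(tokens(text))
        self.docs[label] += 1

    def token_log_ratio(self, word):
        """log P(word|spam) / P(word|ham); smoothing gives unseen words a value too."""
        vocab = len(set(self.words["spam"]) | set(self.words["ham"]))
        p_spam = (self.words["spam"][word] + 1) / (sum(self.words["spam"].values()) + vocab)
        p_ham = (self.words["ham"][word] + 1) / (sum(self.words["ham"].values()) + vocab)
        return math.log(p_spam / p_ham)

    def log_odds(self, text):
        """Whole-message score: every token contributes. Padding the mail with
        words common in legitimate mail ('the', 'and', 'was' ...) drags the
        score down however spammy the payload is; that is what the fodder does."""
        prior = math.log(self.docs["spam"] / self.docs["ham"])
        return prior + sum(self.token_log_ratio(w) for w in tokens(text))

    def log_odds_top(self, text, k=8):
        """Score from only the k most decisive *distinct* tokens, so a flood of
        mildly hammy filler no longer accumulates and the strong evidence survives."""
        prior = math.log(self.docs["spam"] / self.docs["ham"])
        ratios = sorted((self.token_log_ratio(w) for w in set(tokens(text))),
                        key=abs, reverse=True)
        return prior + sum(ratios[:k])


HAM = [  # constructed stand-ins for a user's legitimate mail
    "the report for the board meeting is attached and he said the figures were final",
    "she wrote that the house in the village was available from the ninth of july",
    "thanks for the invoice i have sent the payment and the cleaning charge to the agent",
    "he had the keys and the car was parked in the lane behind the house",
]
SPAM = [  # constructed pharmacy spam
    "buy cheap viagra online now lowest prices guaranteed",
    "viagra cialis discount pharmacy order now no prescription",
    "cheap meds viagra best price click here order today",
    "discount viagra pills online pharmacy fast delivery",
]
PAYLOAD = "cheap viagra online order now"
# Constructed prose standing in for a paragraph lifted from a public-domain novel.
FODDER = ("he had come to the house in the rain and the hall was dark for the lamp "
          "was out and he said that the keys were in the car behind the lane")


def trained_filter():
    clf = NaiveBayes()
    for text in HAM:
        clf.train("ham", text)
    for text in SPAM:
        clf.train("spam", text)
    return clf


def verdicts(clf, text):
    """(whole-message scorer says spam?, top-k scorer says spam?)"""
    return clf.log_odds(text) > 0, clf.log_odds_top(text) > 0


if __name__ == "__main__":
    clf = trained_filter()
    for label, text in (("payload alone", PAYLOAD),
                        ("payload + fodder", PAYLOAD + " " + FODDER)):
        whole, top = verdicts(clf, text)
        print(f"{label:18s} whole-message spam={whole}  top-k spam={top}")
```

With the whole-message scorer the payload alone is classified as spam, but the same payload followed by the fodder paragraph comes out as ham: every "the", "and" and "was" in the padding is a token the filter has seen far more often in legitimate mail, and their small contributions add up to more than the pharmacy words are worth. Scoring only the most decisive distinct tokens blunts the dilution, at the price of the cut-off becoming one more parameter the spammer can probe.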

22nd April 2005

Bayes fodder spammers are continuing to use Captain Blood and now, in addition,
extracts from Twenty Thousand Leagues Under the Sea.

Yahoo is closing email accounts used by scammers where the scammers are
sending email from their Yahoo accounts. But where 419 scam emails are
sent from other addresses and merely quote a Yahoo address on which to
pick up the replies, Yahoo operatives do not appear to read the emails
reported to them showing such addresses. Yahoo are only interested in the
email headers, to make sure that the email has not originated through a
Yahoo account, and pay no real attention to the reply addresses in the
body of the scam. In this way Yahoo is providing a convenient pick-up point
for criminals on which to receive replies.

4th May 2005

Bayes avoidance system spammers have added Peter Pan to their literary
repertoire.

5th May 2005

We tracked down the source of all Overpayment
Scam emails and their datasources.

8th May 2005

Bayes-fodder spammers are now using extracts from
Catriona by Robert Louis Stevenson

12th May 2005

We have compiled a list of what the scammers are searching for.

We are able to advise ISPs whose free email services are being abused
and law enforcement agencies dealing with 419 and criminal cashback
scams. We have been just minutes away from getting scammers ejected from
internet cafes as global ISPs and their customers have an
interest in keeping their networks "clean". We have real-time
statistics on a focussed clutch of internet pages which are of great
attraction to the scammers.

22nd May 2005

We now have a reliable stream of Scam emails coming in on dedicated
email addresses. If you are responsible for protecting clients from scams
and from the nuisance that these scammers cause, we can forward these emails
to you in real time so that you can block IP numbers, block email addresses,
block specific word content or close down the relevant email accounts.
Yahoo, teenmail.co.za, walla.com and other email ISPs could usefully take
advantage of this service to assist them in cleaning up their act.

24th May 2005

We could not help being amused by the English translation that accompanied
the following message. It was sent by someone who had searched www.google.ci for
"yahoo marketing contacts". The French original, rendered into English:

Hello Sir, my name is Awa and I am a pupil in Côte d'Ivoire.

My problem is that since the rebellion began, my father has been dismissed from his
job, and he has difficulty paying my school fees.
I would like to ask whether you could help me by giving me some money so that I can
try to set up a kiosk to get by during the next school year.
THANK YOU

****************************************************************
The sender's own translation, as received:
Hello Sir, I am called AWA  and I am pupil in côte.d'ivoire. My problem is that
since the rebellion with starts, my father was returned of his work. And it has
difficulties in pay my schooling. I would like to ask to you whether you can help me
by giving me some sums so that I seek to make a cabin to provide me of left during
the next re-entry. THANK YOU


25th May 2005

A client had a query on whether an enquiry was genuine: this resulted in a useful explanation and guidance, detailed below.

12th June 2005

Bayesian filter bashers are now using the novel The Master Key by L. Frank Baum for extracts to include in spam emails.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Query on whether enquiry was genuine

>David, I just wondered if you could take a quick look at this.  I am offering a
>reduction for a 4 week rental.  I can't explain why, but something makes
>me a little uneasy; is it just because he is (I think) not English?
>I would appreciate your comments before I get back to him later today.

Dear Vicky

I am copying this to ourlist as I hope it will be useful to others.

I believe it to be genuine, enhanced by the injunction that they cannot enter the house on a Saturday.

I tracked the original email and looked at the headers (anyone can do this in their email programme, but Eudora makes it really easy). The headers contained the following lines:

	X-ClientAddr: 192.115.104.22
That is where it came from before our server
	Received: from sa8.bezeqint.net (sa8.bezeqint.net [192.115.104.22])
		by srv01.info-world.com (8.11.6/8.11.6) with ESMTP id j4MBTkp21939
		for carlsbad@antibes.; Sun, 22 May 2005 12:29:47 +0100
That shows that it did come from there before our server
	Received: from localhost (unknown [127.0.0.1])
		by sa8.bezeqint.net (Bezeq International SMTP out Mail Server) with ESMTP id B616933E66
		for carlsbad@antibes; Sun, 22 May 2005 12:21:02 +0300 (IDT)

This suggests that it was a computer on the "localhost" - i.e. directly connected to the internet server.

A false email would probably have come through Yahoo or some other free email service and have had a line that shows:

	Received: from 192.116.89.37 by www.gawab.com with HTTP;
	Tue, 24 May 2005 22:45:03 GMT
which came from somewhere else before www.gawab.com or in the case of Yahoo:
	Received: from [192.116.89.37] by web14525.mail.yahoo.com via HTTP;
	Tue, 24 May 2005 17:04:44 PDT
So let's look at these 4 group numbers such as 192.116.89.37.

Very often these will track back to Nigeria, Benin, Togo and Cote d'Ivoire

These don't. See

	http://www.dnsstuff.com/tools/whois.ch?ip=192.117.236.26 GENUINE
and
	http://www.dnsstuff.com/tools/whois.ch?ip=192.116.89.37 SCAM
The scam enquiry comes from
GILAT-SATCOM  012.net.il  goldenlines.net.il
	
which is a satellite internet provider infamous for connecting many Nigerian internet cafes and other west African facilities. It's based at 21D Yagia Kapaim st. Petach-Tikva, Israel

The (presumably) genuine enquiry comes from

HED-ARTZI-LTD
		
and is based at 40 hashacham petach tikva 49170 Israel

The server address bezeqint.net is unique to this enquiry and does not occur in any scam email that I have received to date. (NB Since this time we have received scam emails from bezeqint.net as well as viral attempted DOS attacks. We block such IP numbers in our firewall so communications from this ISP will be unreliable if you are a genuine user)

Mention of Saturday in Israel suggests that you are dealing with a real and devout person there.

Best wishes

Yours

David P

			-----Original Message-----
	Sent: 23 May 2005 18:41
	To: Vicky
	Subject: RE: Carlsbad Rental Enquiry: all July 2005

	Dear Vicky,

	We are close to making a decision to close with you.

	Can you drop the price a little lower?


	Is the house close to:
	1980 La Costa Avenue
	Carlsbad, CA 92009 USA

	Thanx,
	Ziv

	---- Original Message ----
	>Date:   Sun, 22 May 2005 21:31:52 +0100
	>Subject:   RE: Carlsbad Rental Enquiry: all July 2005
	>
	>Further information is on my web page as stated previously on
	>lacostahouse.com
	>
	>The house is unfortunately not available until the 9th July and it would
	>be from about 4.00PM
	>
	>As regard internet connection there is a normal phone line.
	>
	>By the way the price quoted was GB pounds.  There is in addition a $35
	>charge for cleaning payable to our agent in the US.
	>
	>Regards
	>
	>Vicky
	>
	>-----Original Message-----
	>Sent: 22 May 2005 18:53
	>Subject: Carlsbad Rental Enquiry: all July 2005
	>
	>Dear Vicky,
	>
	>We are very interested in your property.
	>If you have additional information regarding your property we
	>would love to see it.
	>
	>At what time can we enter on the 9th of July. Can we enter on
	>the 8th (Very important because we can not enter on Saturday).
	>
	>Do you have Internet connection? We will bring our laptop.
	>
	>Thank you for the information.
	>
	>Ziv
	>-----Original Message-----
	>Sent: Sun 22 May 2005 14:05
	>Subject: RE: Carlsbad Rental Enquiry: all July 2005
	>
	>
	>The house is available from 9th July to 6th August (4
	>weeks).  You will find more information on my web page
	>lacostahouse.com .  If you wanted the full 4 weeks at that
	>time I could offer you a discounted rental of £1400.
	>
	>
	>
	>Many thanks for your enquiry.
	>
	>
	>Vicky
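The header walk in the reply above can be automated. The following is an added example, not the page's filter code and not part of the reply: it unfolds the Received headers, lists the hops oldest-first, flags webmail hops by their "via HTTP" / "with HTTP" clause, and picks out the earliest publicly routable address, skipping "localhost" hops such as the bezeqint.net one. The two sample messages are constructed from the header fragments quoted above; the outer Yahoo-to-srv01 hop, its documentation-range address 198.51.100.7 and the ESMTP ids are invented for the sample. It also separates out the one Received line a receiver can rely on, the one written by its own server (the X-ClientAddr line quoted above records the same address).

```python
"""Walk a message's Received chain the way the reply above does by hand.

Added example, not the page's own code. Sample messages are constructed
from the header fragments quoted on this page.
"""
import ipaddress
import re
from email import message_from_string

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Webmail front-ends record the sender's browser address with a
# "with HTTP" / "via HTTP" clause instead of an SMTP relay hop.
WEBMAIL = re.compile(r"\b(?:with|via)\s+HTTP\b", re.IGNORECASE)
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed: the bezeqint.net hops are those quoted in the reply above.
DIRECT_SMTP = """\
Received: from sa8.bezeqint.net (sa8.bezeqint.net [192.115.104.22])
\tby srv01.info-world.com (8.11.6/8.11.6) with ESMTP id j4MBTkp21939
\tfor carlsbad@antibes; Sun, 22 May 2005 12:29:47 +0100
Received: from localhost (unknown [127.0.0.1])
\tby sa8.bezeqint.net (Bezeq International SMTP out Mail Server) with ESMTP id B616933E66
\tfor carlsbad@antibes; Sun, 22 May 2005 12:21:02 +0300 (IDT)
Subject: Carlsbad Rental Enquiry: all July 2005

Dear Vicky, we are very interested in your property.
"""

# Constructed: the inner Yahoo line is quoted above; the outer hop, the
# documentation-range address 198.51.100.7 and the ESMTP id are invented.
WEBMAIL_SCAM = """\
Received: from web14525.mail.yahoo.com (web14525.mail.yahoo.com [198.51.100.7])
\tby srv01.info-world.com (8.11.6/8.11.6) with ESMTP id j4P0EQp04211
\tfor carlsbad@antibes; Tue, 24 May 2005 17:04:50 -0700
Received: from [192.116.89.37] by web14525.mail.yahoo.com via HTTP;
\tTue, 24 May 2005 17:04:44 PDT
Subject: Rental Enquiry

Dear Sir/Ma, I hereby seek for an apartment in your reputable house.
"""


def _is_public(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:  # the regex matched something like 999.1.1.1
        return False


def received_hops(raw):
    """Received headers oldest-first, each with the relay that wrote it and the
    IPs it names. Every relay prepends its own line, so the *last* Received
    header in the block is the first hop the message took."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        by = BY_HOST.search(line)
        hops.append({
            "line": line,
            "by": by.group(1).lower() if by else None,
            "ips": IPV4.findall(line),  # first one is the connecting peer
            "webmail": bool(WEBMAIL.search(line)),
        })
    return hops


def origin(raw):
    """Earliest hop naming a publicly routable address. Loopback and private
    addresses ('from localhost [127.0.0.1]') are skipped: they mean the mail
    was submitted on the relay itself, as in the bezeqint.net enquiry."""
    for hop in received_hops(raw):
        for ip in hop["ips"]:
            if _is_public(ip):
                return {"ip": ip, "webmail": hop["webmail"], "by": hop["by"]}
    return None


def peer_seen_by(raw, our_host):
    """Address our own server recorded for the machine that connected to it.
    Every Received line below that one was written by someone else's machine
    and can be forged; this is the hop a receiver can actually rely on."""
    for hop in received_hops(raw):
        if hop["by"] == our_host.lower():
            return hop["ips"][0] if hop["ips"] else None
    return None


if __name__ == "__main__":
    for name, raw in (("direct SMTP", DIRECT_SMTP), ("webmail", WEBMAIL_SCAM)):
        print(name, origin(raw), "seen by us:", peer_seen_by(raw, "srv01.info-world.com"))
```

For the direct enquiry the earliest public address is the bezeqint.net relay itself, which is also what srv01 saw connecting; for the webmail message the earliest hop is the browser's address 192.116.89.37 behind the Yahoo front-end, which is the number the whois lookups above should be run against. Start any such lookup from the hop your own server wrote: the lines beneath it arrived with the message and a scammer can put anything there.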

Another client wrote:

>David, this is the 2nd enquiry that has arrived like this.
>I deleted the other. But when I looked at this one, I realized
>that it's addressed to someone else on the list but is coming
>to me ... perhaps others? This one is obviously a scam. I don't
>recall if the other was or not... Thought you would want to know...
>Betsy

Dear Betsy

This one was copied through to numerous clients.

I have spent most of the day analysing stats for all the computers which
have accessed the fly-trap.

The result of this is that if you see the term HONEYPOT in the antespam analysis
in the header of an email, you'll know that it's from one of these sources. But
the list is only as comprehensive as the stats . . . I hope that the time invested
will help us to more accurately block the false enquiries.

In the meantime, the English of the one below brought a smile to my face.

Best wishes


Dear Sir/Ma,
    Calvary greetings to you in the name of our lord.l hereby seek for an apartment/room
    in your reputable house.I am Pastor Janet Reeves,an associate pastor of Christ The KIng
    Evangelical mission Int,{lagos nigeria chapter},l am 30years old of ages,married with
    kids,am kind,clean,honest,God fairing,caring and respectfull.l due travel from one
    country to another to preach and spead the goodnews of Christ .

    There is a missionary assignment given to me by Church out of the  country,of which it
    will enable melook for accomodation which I will stay for Two weeks {14days} for the
    completion of the assignment.

    I will like to rent your apartment /room for the Two weeks(14days) assignment. at
    hand ,Please get back to me as soon as possible with the final asking
	price including all utilities of the apartment and the pics if it"s available.Gob bless

	Regard!!!!

	Pastor Janet Reeves

Do You Yahoo!?
Yahoo! Small Business - Try our new Resources site!


16th July 2005

Upon informing Tiscali of abuse of their systems, we found that our email was deleted without being read.

15th August 2005

Spammers are now using the novel The Master and Margarita by Mikhail Bulgakov as Bayesian fodder.


With sophistication beyond any other anti-spam system we check incoming email for over 10,000 criteria to give the best possible accuracy


CONTACT US

Unsurpassed Spam blocking for any email address published on a webpage. Monitored spam-bin minimises risks of losing wanted emails. Don't trust services where you do not know what mails you are losing! Don't trust anti-spam software which has to be downloaded onto your computer.

EMAIL BEFORE SPAM - ANTE-SPAM!

We aim to stop spam without stopping your business. If you don't have the services of an antispam spam blocking system, you are likely to waste hours per day in due course, viewing and deleting spam. The headache you will have, together with the speed at which you have to delete hundreds of emails, will mean that you delete your wanted emails by mistake. We block them before they get to you and we do so in a careful manner unlike any other anti-spam service.
Many anti-spam remedy services are crude and are capable of losing valuable business communications. Many people say "I don't need it - I have installed Product X on my computer" . . . but the reality is that if your existing solution is going to be effective for you, you'll have to waste thousands of hours re-inventing the wheel. Is the time you would waste worth less than £70 per year?

In contrast to one-solution-fits all software you install on your machine or worse, buy from an ISP, we tailor our spam remedy service to the needs of our individual clients and our results benefit from years of research. You do not need to download software on your computer: we block the spam at our server.


ORDERING THE SERVICE

How much? Just £70 per year ($130 or 110 EUR) per address protected. Discounts for multiple addresses. Pay with Paypal, cheque or bank transfer.
We do the work to help you get on with your work.

If you want to buy a maintained filter service to run on your own version of SpamAssassin, please enquire: guide price £4,000 to £30,000 depending on the size of your organisation. It can save you as much again in the problems your server would otherwise encounter running Bayes and large databases, and it is much more accurate.