Tag Archives: spam

Why do people send spam?

This is a question I get asked nearly daily. So why do people send spam? I could answer this real fast and be done. It’s simple: money! That is the reason, plain and simple.

So the next question is, What?!?! Yes, people buy the things being hawked by the spammers. If they didn’t, and there was no money, then what would be the point of spamming?

Reasons..

The reason people buy the things spammers are hawking is simple: vanity. Men are vain (edited per comment from the Grammar Nazi)! Oh, there, I said it. Even more so than women. Notice that most spam is for either sexual dysfunction or balding. I do not know of any women that are having trouble getting their P3N!S hard. But yes, even when someone spells something wrong like that, men will buy it. It is the anonymity of the Internet that makes it so easy for men to buy the items being sold. So while you are at work today, look around; I’m sure you’ll see several men that have bought something from an email. Just speaking statistically, there has to be someone buying.

“I don’t even have a penis why do they keep sending me penis pill spam!”

Because they are shooting in the dark, hoping that you have one! They don’t know for sure. This is how it works: send to millions of addresses and hope that a small percent will buy the products being sold.

The math speaks..

A company sends out 1.5 million emails, each one sent to an address they have bought or generated themselves. Now most of them are going to be stopped by some type of filter. Some are addresses that no longer exist. Out of all this, 11,000 people click on a link in the email, and 6000 purchase the bottle of pills for $50. This is $300,000, maybe not good for you, but not too bad for me. This is a 0.4% turnaround, and this is a good thing. Most get less. Most are only getting around 0.01%. When thinking of this, also know that one botnet is sending out over 1 billion emails a day.

Whitelisting should be last resort!

I get tired of people trying to sell their spam filtering and all they do is turn up every filter so that all email is marked/quarantined as spam and they expect you to whitelist everything you want to get.

So what is whitelisting? Well, it is a list of accepted items, in this case email addresses or domains. When whitelisted, emails skip the filtering so that they are delivered. If I wanted to make sure that any email from z3r010v3@gmail.com would get delivered to me, I could whitelist the whole email address, or I could whitelist @gmail.com and then it would always get to me. This is not the way to do it; I believe whitelists should be a last resort.

With computers being infected with viruses that allow spammers to send emails from them, and email servers configured wrong, allowing for open relays, there is always a chance a domain you have whitelisted will spam you. To top it off, most whitelists use the “From” address, and this is easy to bypass. I had a client, for example, that whitelisted *@*.gov so that all emails from anything ending in .gov would get through. That is fine till you have a person complaining at the client’s office because they are getting spam from not.a.real.host.gov. Then you have spammers that are smart and figure out what email address to use based on the company. For example, here in Alabama lawyers always want to whitelist alacourt.gov; yeah, it didn’t take spammers long to figure out they could spam any law office in Alabama if they just used the alacourt domain for their email address.
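The From-only weakness described above, next to a check that also requires the delivering relay to belong to the whitelisted domain, as an added example that is not code from the original post. SpamAssassin's whitelist_from_rcvd option applies the same idea; the relay hostnames below are constructed, and the relay's reverse DNS is assumed to have been verified by the receiving mail server.

```python
from email.utils import parseaddr
from fnmatch import fnmatchcase

# The glob the post's client used, plus the courts domain the post mentions.
WHITELIST = ["*@*.gov", "*@alacourt.gov"]

def from_only_whitelisted(from_header, patterns=WHITELIST):
    """Weak check: trusts whatever address the sender put in From:."""
    addr = parseaddr(from_header)[1].lower()
    return any(fnmatchcase(addr, p) for p in patterns)

# Hardened variant: each pattern is paired with the domain its mail must be
# relayed from (hypothetical pairing table for this example).
WHITELIST_RCVD = [("*@alacourt.gov", "alacourt.gov")]

def relay_in_domain(relay_rdns, domain):
    """True when the relay host is the domain itself or a host under it."""
    host = relay_rdns.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def from_and_relay_whitelisted(from_header, relay_rdns, pairs=WHITELIST_RCVD):
    """Whitelist only when both the From address and the relay match."""
    addr = parseaddr(from_header)[1].lower()
    return any(fnmatchcase(addr, pat) and relay_in_domain(relay_rdns, dom)
               for pat, dom in pairs)

# Constructed samples: (From header, verified rDNS of the connecting relay).
SAMPLES = [
    ("Clerk <clerk@alacourt.gov>", "mail.alacourt.gov"),
    ("Clerk <clerk@alacourt.gov>", "dsl-203-0-113-9.isp.example"),
    ("Deals <offers@not.a.real.host.gov>", "dsl-203-0-113-9.isp.example"),
]

def compare(samples=SAMPLES):
    """Return (from_only, from_and_relay) verdicts for each sample."""
    return [(from_only_whitelisted(f), from_and_relay_whitelisted(f, r))
            for f, r in samples]

if __name__ == "__main__":
    for (f, r), (weak, strong) in zip(SAMPLES, compare()):
        print(f"{f:38} via {r:30} from-only={weak} from+relay={strong}")
```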

What goes for whitelisting also applies to blacklists. I have had clients inadvertently blacklist everyone at aol.com or gmail.com.

If you do not trust your rules and filters, work at them more. Don’t just start whitelisting every tom, dick, and harry.com.


.exe in url and Earth day ends!

So now that Earth Day is over, where to start? SpamAssassin update: we are seeing a ton of emails with URLs that end in .exe, such as

http://stalmix02.nazwa.pl/video.exe

So this one isn’t a tough one and I don’t know who wrote this originally but here is the rule to catch this:

uri EXE_FILE /\w\.exe/i
score EXE_FILE 10.0
describe EXE_FILE Potential link to executable
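What the rule's pattern matches in practice, shown as an added example that is not part of the original post: the regex is unanchored, so it also fires on hostnames and paths that merely contain ".exe", which matters at a score of 10.0. All URLs except the one quoted in the post are constructed, and the tighter path-based check is one possible alternative, not the author's rule.

```python
import re
from urllib.parse import urlsplit

# The page's rule body as a Python regex (SpamAssassin's /.../i -> re.I).
PAGE_RULE = re.compile(r"\w\.exe", re.I)
# Tighter alternative: the URL *path* must end in .exe.
PATH_RULE = re.compile(r"\w\.exe$", re.I)

def page_rule_hits(uri):
    """Same behaviour as the rule above: match anywhere in the URI."""
    return PAGE_RULE.search(uri) is not None

def path_ends_in_exe(uri):
    """Ignore host, query and fragment; look only at the end of the path."""
    return PATH_RULE.search(urlsplit(uri).path) is not None

SAMPLE_URIS = [
    "http://stalmix02.nazwa.pl/video.exe",          # quoted in the post
    "http://dl.example/Setup.EXE?id=42",            # constructed
    "http://www.executive-travel.example/offers",   # constructed
    "http://docs.example/file.exemptions.html",     # constructed
    "http://news.example/index.html",               # constructed
]

def classify(uris=SAMPLE_URIS):
    """Return (uri, page_rule_hit, path_check_hit) for each URI."""
    return [(u, page_rule_hits(u), path_ends_in_exe(u)) for u in uris]

def false_positives(uris=SAMPLE_URIS):
    """URIs the page's rule scores although no .exe file is linked."""
    return [u for u, page, tight in classify(uris) if page and not tight]

if __name__ == "__main__":
    for uri, page, tight in classify():
        print(f"page_rule={page!s:5} path_check={tight!s:5} {uri}")
```

In rule form, the same tightening would anchor the pattern, for example `/\w\.exe(?:[?#]|$)/i`; test it against your own mail before relying on it.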

I’ve also had a ton of backscatter hitting the servers. I was also having trouble getting it to go away; I’m not even sure it is gone yet. These are the things I’ve done. Of course I recommend running the latest and greatest SpamAssassin, currently 3.2.4. First edit your v320.pre, which should be located in /etc/mail/spamassassin, and make sure this is on:

# VBounce - anti-bounce-message rules, see rules/20_vbounce.cf
#
loadplugin Mail::SpamAssassin::Plugin::VBounce

Then, in your local.cf, again located in /etc/mail/spamassassin, place:

whitelist_bounce_relays yourdomain.com

So I hope you had a great Earth Day, I know I did. I made my contributions today. Last night I had 15 Bean Soup and tonight I had bean burritos. Sometimes I contribute silently and then sometimes the world knows of my contributions.

Spamassassin & DNSBL

So here’s my idea. I’m sure someone has done it, or something close. What I’m thinking is this: when something scores over 50 in SpamAssassin, take the IP of the sending server and pass it to a database. Then use this database to update a local DNSBL. This would be a cron job that would pull the database and create the records. I would also put an “expire” time on each entry so that it expires. Then use the DNSBL at the front end of the SMTP connection and block connections based on it. This can easily be done with qmail and postfix.

I would want to block with a URL pointing the user to a way of requesting removal of the block and to information on the block. I would also have a web front end so someone could make a block permanent, whitelist it, or remove it.

Why a score of 50+ on SpamAssassin? That’s easy. Currently, on my 10 scanning systems, if a message scores over 25 I am 100% sure it is spam. So just to be truly safe, at 50 there is no doubt about it.

With 10 systems scanning hundreds of thousands of messages a day, this would take a large amount of load and processing time off the spam scanning servers.

Just Some Wild Stats

Here are some stats from one day on a single spam server. There was a total of 45,963 emails. Of these, only 11,585 were ham, or good emails, with a total of 34,378 spam emails. Now remember, we don’t allow random emails; these were all for real users. I also received no false positives, that is, emails that were marked spam that should not have been.

Now let’s talk about what these spam messages contained.

8,443 of them have an adult subject, with 2573 talking about someone’s penis
4,135 of them have specific subjects
760 were about drugs
3863 were “We offer something” type spams

But with all of these here are some better stats…

I started testing Justin Mason’s auto-generated rules. I update mine every morning. I have also rescored them all to 1.5 points from the 4.7 that they default to. This same day, they caught 11,139 of the spam messages.