Anyone else seeing an increase in (snowshoe) spam?
Question asked by Andrew Stein - 9/10/2014 at 1:36 PM
Over the past few months, I've noticed a huge increase in spam like what I'm seeing below.  I usually see 2-4 identical email bodies from different IPs in the same /24 block.  After the bust of spam comes in, we never see the same spam again.  Happens throughout the day.  I'm wondering if anyone else is seeing this and what can be done about.  To summarize, it passes greylisting, rDNS, SPF, RBL and URIBL checks.  Details below:
First, the header:
Return-Path: <brysonkeller@jmtudor-com.gasfourref.com>
Received: from jmtudor-com.gasfourref.com (jmtudor-com.gasfourref.com []) by redacted with SMTP;
   Wed, 10 Sep 2014 16:12:31 -0400
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Top Calorie Counting Mistake  <Keller@gasfourref.com>
Date: Wed, 10 Sep 2014 13:13:46 -0700
Subject: Reset Your Metabolism
To: <redacted>
Message-ID: <September.20140910051519.13395.1572.34522-3@gasfourref.com>
Reply-to: <Bryson_Keller@mx1.gasfourref.com>
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 0
The IP address] has a PTR record: jmtudor-com.gasfourref.com.  It follows the greylisting rules, has a valid SPF record, etc.  
While this particular email is now listed in the dbl.spamhaus.org and multi.uribl.org URIBLs, at the time I get them the blacklists haven't picked them up yet (checking at mxtoolbox.com.)
Below is the body of the email.  They all follow the typical format: promoting a link followed by a bunch of text at the bottom trying to screw up bayesian filters.
Does it feel like your a mouse on a running wheel?
You've tried every tip in the book to slim-down but nothings working?
It is most likely because it was recently discovered that we have been told the wrong thing about weight-loss since we were young.
What are we talking about... The Food Pyramid Did you know that a new food pyramid was released?
As a result of this, Public Health experts released ONE tip that will reset your metabolism and have you burning fat rapidly.
Public Health > Gov > Research > Results
modify alerts
1 9 4 8 a b b e y ln
danville, IN 46122
[evq group]
ast week someone was nice enough to leave one of those shortened grocery carts on my property. I went to return it to the store it came from, and was told old carts are discarded and are mostly grabbed out of dumpsters by the homeless. In short they didn't want it back. So now I have a grocery cart and I love DIY projects as well as prepping for when , so naturally I need some ideas on what to use  it for. I had a set of four rather tough rubber tires that  came off a small wagon laying around, so I changed those out
  with the small slick ones the cart had. The cart manuveurs
  off road fairly well and with little trouble. Can't wait for some idea
Scrap metal or use it in your work shop as a work surface, to push around tools. I have a little two shelf cart, I keep in my narrow garage, to wheel out to my truck when wrenching, it's nice to have a place to put my drink and tools for those of us who don't have the luxury of a work bench in a large garage. Unless you plan to push it on city streets in a bug out situations, retrofitting a shopping cart for anything but smoothed pavement is a waste of time and effort IMHO. If you  want something to move through woodlands or rough terrains this is what you need.
It appears that RBLs are catching the majority of these messages, but there are still enough new domains being created at such a pace that there hasn't been time to blacklist the IPs and domain names.

10 Replies

Reply to Thread
Scarab Replied
If they are newly registered domains then setting up the URIBL SEM-FRESH15 (fresh15.spameatingmonkey.net) in your Smartermail Antispam Administration Spam Checks would definitely help. This URIBL checks to see if the domain is less than 15 days old. Unfortunately you can't use SMTP Blocking with URIBLs but giving it a significant weight should at least allow it to be regarded as Spam rather than slipping past.
Andrew Stein Replied
Thanks! I added it last night but it doesn't seem to have caught anything yet.. I'll let you know if it makes a difference.
Andrew Stein Replied
It doesn't seem to work (all that well.) I just had an email slip by with a link to http://www.selmid.com/hud/mah/2014/program-234532745.html

The whois shows the domain was created today: 2014-09-11 12:58:00Z, but http://spameatingmonkey.com/lookup doesn't have it in any of their lists.

Are there any other URIBLs that do the same thing?
secretwep Replied
Over the past few months, I've noticed a huge increase in spam like what I'm seeing below.  I usually see 2-4 identical email bodies from different IPs in the same /24 block. 
Most definitely.  You are not alone.  The spammers set up a new domain on a clean IP, send spam for a few hours, then abandon the domain and IP, and move on.  It's very automated and extremely annoying.  The past 2 months have been the worst I've seen in several years as none of my usual tools / filter tuning have been working.  I even threw some greylisting at one of my domains and it barely touched the spam.  They actually retry.
Andrew Stein Replied
Being able to score emails from newly created domains would go a long way helping, but unfortuanately the *.spameatingmonkey.net URIBLs don't seem to catch them.

The technology wars have escalated and our traditional tools (rDNS, greylisting, etc) just aren't as effective.
Scarab Replied
I'm not entirely sure but I think that URIBL-SEM only gives results for the first domain queried in a request, so the Return-Path:. So, it wouldn't catch URIs used in the From: or Body:

Senderbase is the only other service I've seen that seems to be on top of this type of spam. Short of purchasing a Cisco Email Security Appliance there is unfortunately no public way to query them other than manually through their web interface (I use them daily to double-check the reputation of IP Blocks I am about to Blacklist in Smartermail) although there is a Perl Net::SenderBase Library that some have used to get SpamAssassin to query their service.
Andrew Stein Replied
Also, I tried using Spamassassin in a Box, but it was giving all these emails negative scores, making it less likely to get filtered by my other checks. Very frustrating.
Steve Reid Replied
I seem to be having good results with SpamAssassin in a box... Never noticed your issue.
Andrew Stein Replied
Did you modify any settings or change any rules?
Steve Reid Replied
No didn't modify anything... Most spam is caught by smartermails check alone, but this SpamAssassin in a box cleans up the tailings.

Reply to Thread