Random character generated spam
Question asked by Eric Tykwinski - 3/11/2016 at 7:37 AM
Unanswered
We have a single user getting targeted by a spam wave, almost seems like a DDoS attack on her mailbox. Emails are coming from legitimate servers, seeing a lot of GoDaddy, et al., so not able to use a new RBL probably. It looks like they are probably from infected web servers to be honest. We currently run Cyren Anti-Spam, and have the spam assassin filter. Below is an example:
 
Return-Path: <webmaster@bojler.by>
Received: from orion.localdomain (customer.worldstream.nl [109.236.90.65]) by smartermail.truenet.com with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Fri, 11 Mar 2016 08:51:32 -0500
Received: by orion.localdomain (Postfix, from userid 33)
    id 92AB7D89B; Fri, 11 Mar 2016 16:51:53 +0300 (MSK)
To: user@domain.com
Subject: bk83MOaR0hpB19BilhfAJPTRYUIn toKCmDf1EV1Kbs 0RJlXOJyvvflgNxP
X-PHP-Originating-Script: 33:config-file-settings.php
MIME-Version: 1.0
Content-type: text/html; charset=UTF-8
From: OZxu5@AYyA4XaUwB.cz
Message-Id: <20160311135153.92AB7D89B@orion.localdomain>
Date: Fri, 11 Mar 2016 16:51:53 +0300 (MSK)
X-CTCH-RefId: str=0001.0A010205.56E2CD80.008E,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
X-CTCH-AVLevel: Unknown
X-SmarterMail-Spam: Commtouch 5 [value: Unknown], ISpamAssassin 0 [raw: 0], SPF_None, DK_None, DKIM_None
X-SmarterMail-TotalSpamWeight: 5
KsyWU OqqF1rVurD4BsIbP4wUe ACjwcASZlmEAB0rRUJ8qDyHcAn7V9apyCxSEV  8OXygXOW pTX jwUIIR H  5k6ON h8QVVe2J Pk7A9P  Ci2kCA2b b89OQgMx3zBT0jAjgZhVzBoHux0 padq8b5NiIba8CU7KlfQbm BMP86d7Os7RH5S  1aJ28cM5MXauZnVrY pUFlAVih c1VLRWmJUooPZcPk226iRyw 4H3POaaR1VuI Ejv wa yQ q OyrcTS6tLL7LMODz8c9ClulH S5bClJh 1k KfLnR Y otSl  MFcXcxH8y0i8gRXqbzvNLdoCyBTiLfZqK3dMqKJMK JQBz7CXsgBvu3 TNZx QMu Q7XtHC3qc QCGiqXpQjI 2un Q6zuq9amWt pl9rTORsW8fcNoKof4AXKwn5Km5W9oFozEDkkmB8kFaXSKbYFCMgWZazb6m0jRnImQRw3j dN 1y53nA ZFiPGGQC QJA4jLJZ8D9sGMLxaGro7Je  S9qBA8iaxbj9L07f8pKKZ9KxpY Y3VIMTWelUmmjo iY e4suF3kEEHSu1InMhZy55 PhTX f6kzadQu   dd0Vx1vJDCA2wvBcCl1VrW6OW9whI5JK8JyvB 55l VGOo hzA3OnX aWPhvJR7Is 4RdXMojzTXMu5bSXP7La7APeUrURYcc TfGxtOVc AwyBgmhcXh0oWd9dYQ22 JMWh0gVVjpmEMMKXSMM1M1NQZQFG xqk0dr0jdVss9V5KxSvawmMnZucHY gnXrn1HnaJ9t27eVICF3 2fge5AhCpPIBEXNwvZw5XNWU   lfnM7tSanjiNxXmXuaCOvsbrgPd2yMm RznNQ6O3eVHCKSr4SR e0Jvfqy8Najo IAwpwbiBWO3zzjtiZ1nZCH5Q63v7bIOJ9bX c6UZKNp0VHiMz  Z2yHXr3UtCA2ACQTDLG okIo7gw EPbvIA3
 wPVi9oHZN0Gy j4WxevJaC6J7LKtlalHQ7OOlnFXmcnOlhCIlWjmpeUlQx 2yNzfKdSUrq CsVh 3IadvjqJoaU5xpVU2lZDpJpEYX7hJd  KJG7 UH7Vt1kGM5zXU2cvhHk6DrGGZ0iAFfjsLfe56oC jZy5 BqY8AUCQs9Grg7VmfdWkiRgwjPF0dARDOHCft3U 1tY8qLj P7EWOKjWrOW eFWScqXviJ593T7iwfCbb7XPH8DXLsjQV7AYmpluYftRYpYm snwpbbV0FKLVSt P z17 kVN DDRuObK2xY4zK35mFR5WsKGPC pLp3e wUbbWL4lCWJdQEqmnk0DUFjn8xXnq36LN7MC GLb meaQum3DlwpQEBO2q1hiWSVSwou3Z nbyo RAKlK8zs Z6 fWCnJl9 HmNAb8Mdw1Vdryp1vMjWDehI1 TCS Ur5AQ7xuaSkVWBkbtFOBtiEAPw0BX kJ0e0Pbx0bgkX4J962DJtV WnzkmY850H4dH f4Ih0R54s3YkxACjiqwGzHww v4wzB5D DJ lFo zdLU e5Jush YDfsY9MoAHRTatfmXuNnwr9Xv4zOlGx0aCrYB4d1BUKCdQN20tew dl47JIhg5hhxy6Ws9N SqkW6XO6gSsOVC SbhZic8pzvlnLjZ 3gEQctw8zfqe2QMK SCZVzflSqxwzoPt l9wDv 2A 7tq 39u Yf 4r jNXI1EZlPYHjk1bJA82PHUN1f 7XxnsGZfeRJ53rTAz5rBEQzxw7iaWnDSb17txVyCE9wxpgVMbdeFS 3gzahnoJ7pB3HXP5qk3LGh tTSvYpfsilQis4w2ZKu ihycxH69edQwWARLOV4V8K5qEriv1Bd9ICb5974c0JzWahAP4uC25xhAMqTDQW pqDkoBerANPoOWM Q7VI1jPsU5bqKY ZematMe d qrxc3R ZEsRM79z2
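
One way to catch this pattern at the filter instead of by sender reputation, as an added example (not from the post, and not SmarterMail, Cyren or SpamAssassin code): score the traits visible in the quoted headers, namely a gibberish Subject and From, the X-PHP-Originating-Script header, and the web-server uid in the Postfix Received line. The sample is trimmed from the post's headers; the weights, the 5-point threshold and the looks_random heuristic are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers and first body line trimmed from the message quoted in the post.
SAMPLE = """\
Return-Path: <webmaster@bojler.by>
Received: by orion.localdomain (Postfix, from userid 33)
    id 92AB7D89B; Fri, 11 Mar 2016 16:51:53 +0300 (MSK)
To: user@domain.com
Subject: bk83MOaR0hpB19BilhfAJPTRYUIn toKCmDf1EV1Kbs 0RJlXOJyvvflgNxP
X-PHP-Originating-Script: 33:config-file-settings.php
From: OZxu5@AYyA4XaUwB.cz

KsyWU OqqF1rVurD4BsIbP4wUe ACjwcASZlmEAB0rRUJ8qDyHcAn7V9apyCxSEV
"""

def looks_random(tok: str) -> bool:
    """Heuristic (assumed): a token is 'random' if it mixes letters and digits,
    flips case many times, or has almost no vowels. Pure numbers are normal."""
    letters = [c for c in tok if c.isalpha()]
    if not letters:
        return False
    mixed = len(letters) != len(tok)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return mixed or flips >= 4 or vowels / len(letters) < 0.2

def gibberish_ratio(text: str) -> float:
    """Fraction of word-like tokens (4+ chars) that look machine-generated."""
    tokens = re.findall(r"[A-Za-z0-9]{4,}", text)
    return sum(looks_random(t) for t in tokens) / len(tokens) if tokens else 0.0

def score_message(raw: str) -> dict:
    """Score one RFC 5322 message; weights and the threshold are assumptions."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    received = " ".join(msg.get_all("Received") or [])
    local, _, domain = parseaddr(msg.get("From", ""))[1].partition("@")
    f = {
        "subject_gibberish": gibberish_ratio(msg.get("Subject", "")),
        "body_gibberish": gibberish_ratio(body),
        # PHP's mail() adds this header; a compromised site is the usual source
        "php_script": msg.get("X-PHP-Originating-Script") is not None,
        # Postfix records the submitting uid; 33 is www-data on Debian-family hosts
        "webserver_uid": bool(re.search(r"from userid 33\b", received)),
        "from_gibberish": looks_random(local) or looks_random(domain.split(".")[0]),
    }
    score = (3 * (f["subject_gibberish"] >= 0.5) + 2 * (f["body_gibberish"] >= 0.5)
             + f["php_script"] + f["webserver_uid"] + 2 * f["from_gibberish"])
    f["score"], f["verdict"] = score, "spam" if score >= 5 else "ham"
    return f

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

The same checks can be expressed as SpamAssassin header and body rules with matching scores, which is where a production deployment would put them.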

1 Reply

Eric Tykwinski Replied
Just a follow-up... The mail bomb to this user is continuing; however, it seems that Cyren has started to filter most of the messages now. We ran a 30-day trial of Message Sniffer, but had no luck on this specific mail bomb. It did catch quite a few that Cyren did not, though, so we'll check again tomorrow on its effectiveness.
