Spam problem 'email from lauren'

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
amit290
Forum User
Posts: 14
Joined: Thu Nov 22, 2007 11:24 am

Spam problem 'email from lauren'

Unread post by amit290 »

I hope someone can help me with this email spam problem I and a few domains on my server have been getting over the past week. The e-mail is pretty much the same every time, bar the subject or email address in the body changing. The email looks like it's sent to and from me (or whoever the recipient is). I have banned the sending e-mail domain and IP address, but within a few hours (literally!) another comes from a different domain or IP address.

Is it possible (and if so, how?) to create a rule that blocks this email - maybe by body message? It also comes with a gif attachment of a woman. The attachment number seems to increase every time I've had the email up to 98892 - the first I received was 60543.

I'm on Plesk 9.5.3, and CentOS 5. SpamAssassin installed. Not sure what other information someone would need to help.

DomainKey-Status: no signature
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on new.<mydomain>.com
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET,
RDNS_NONE,UNPARSEABLE_RELAY autolearn=no version=3.2.5
Received: (qmail 3846 invoked by uid 110); 14 Dec 2010 19:55:36 +0000
Delivered-To: 3-hello@<mydomain>.com
DomainKey-Status: no signature
Received: (qmail 3832 invoked from network); 14 Dec 2010 19:55:33 +0000
Received-SPF: none (no valid SPF record)
Received: from unknown (HELO ?79.135.200.152?) (79.135.200.152)
by <mydomain.com> with SMTP; 14 Dec 2010 19:55:32 +0000
Received: from 79.135.200.152 (account 000117u4508e865@fukuimegane.co.jp HELO psxftdarpskjofe.pohky.su)
by (CommuniGate Pro SMTP 5.2.3)
with ESMTPA id 099000115 for hello@<mydomain>.com; Tue, 14 Dec 2010 22:55:24 +0300
Date: Tue, 14 Dec 2010 22:55:24 +0300
From: <hello@<mydomain>.com>
X-Mailer: The Bat! (v3.71.04) Home
X-Priority: 3 (Normal)
Message-ID: <5048273845.79I3QA33963104@odkntggob.msqtfompjjxlv.info>
To: <hello@<mydomain>.com>
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------9FB49266C32D45"

------------9FB49266C32D45
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
Hello , i am Lauren,

I found your email in my friends list,
i think we talked some time at the one of social networks or not.
So i will remind you a little bit about me, i live in USA , Atlanta, GA.
I love to travel, visit new places, new countries. I am planning to visit UK once again,
that is why i am looking for friends here, it is always more interesting to travel
and to have good time together then alone.
So if you live in UK and you are single i will wait your email.
I am not interested in correspondence if you are married or have a girlfriend.

My e-mail is: sweet@laurenkisses.com

I hope to get your answer and of course i want to see your photo.
Have a good day
Kisses

Lauren

Many thanks
Chris.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Spam problem 'email from lauren'

Unread post by scott »

I see that one is found by RCVD_IN_BL_SPAMCOP_NET; you could increase the score for that in your SpamAssassin config to mark that up higher (say +100 :P)
amit290
Forum User
Posts: 14
Joined: Thu Nov 22, 2007 11:24 am

Re: Spam problem 'email from lauren'

Unread post by amit290 »

I didn't know it told you what it failed on, nice one, thanks! :)

Do you have an idea which cf file RCVD_IN_BL_SPAMCOP_NET might live in? I know I could create a new file, but I guess it could be overwritten if it's defined somewhere else? :s
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Spam problem 'email from lauren'

Unread post by scott »

You can just add a .cf file to /etc/mail/spamassassin/. Here's an example of one I use:

[root@www6 ~]# cat /etc/mail/spamassassin/local.cf
required_hits 4
score RCVD_IN_BL_SPAMCOP_NET 100.0
score RCVD_IN_BL_ZEN 100.0
ok_languages en
ok_locales en
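
An added example, not part of any poster's message, answering the original question about a body rule: a local .cf that matches phrases from the sample message and adds a large score only when a second signal from the sample's headers also fires. The file name, the LOCAL_ rule names and the score values are assumptions chosen for illustration.

```conf
# /etc/mail/spamassassin/lauren_local.cf   (hypothetical file name)
# Rule names starting with LOCAL_ / __LOCAL_ are made up for this example.
# The sample in the first post scored 2.3 against required=5.0.

# Phrases taken from the message body quoted in the first post.
body     LOCAL_LAUREN_INTRO    /\bi am Lauren\b/i
describe LOCAL_LAUREN_INTRO    Body contains the "i am Lauren" introduction
score    LOCAL_LAUREN_INTRO    1.5

body     LOCAL_LAUREN_DOMAIN   /\blaurenkisses\.com\b/i
describe LOCAL_LAUREN_DOMAIN   Body mentions the reply domain from the sample
score    LOCAL_LAUREN_DOMAIN   2.5

# Sub-rule: a leading double underscore means it carries no score of its own.
# Matches the X-Mailer header seen in the sample; a legitimate client also
# sends this header, so it is only used in combination below.
header   __LOCAL_BAT_MAILER    X-Mailer =~ /^The Bat! \(v3\./

# Add a decisive score only when a body phrase AND an independent signal
# agree. RCVD_IN_BL_SPAMCOP_NET and RDNS_NONE are the stock tests listed in
# the sample's X-Spam-Status header.
meta     LOCAL_LAUREN_COMBO    (LOCAL_LAUREN_INTRO || LOCAL_LAUREN_DOMAIN) && (RCVD_IN_BL_SPAMCOP_NET || RDNS_NONE || __LOCAL_BAT_MAILER)
describe LOCAL_LAUREN_COMBO    Lauren body phrase plus blocklist, rDNS or mailer signal
score    LOCAL_LAUREN_COMBO    5.0

# Check the syntax with "spamassassin --lint" before restarting spamd,
# then confirm the new rule names appear in X-Spam-Status on the next copy.
```

Because the decisive score needs both a content match and a header-level signal, a single blocklist listing on its own does not push unrelated mail over the threshold.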
amit290
Forum User
Posts: 14
Joined: Thu Nov 22, 2007 11:24 am

Re: Spam problem 'email from lauren'

Unread post by amit290 »

Brill !! That will keep the wife happy :lol:

Thanks a lot !!

Chris.
biggles
Forum Regular
Posts: 806
Joined: Tue Jul 15, 2008 2:38 pm
Location: Sweden

Re: Spam problem 'email from lauren'

Unread post by biggles »

Or try out spamdyke. Spamdyke has a function in the latest version for blocking mail sent to the from address.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Spam problem 'email from lauren'

Unread post by scott »

One advantage to doing this in spamassassin this way is that it will help train your bayes db with a known (spamcop) source of spam.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Spam problem 'email from lauren'

Unread post by faris »

This is hilarious -- I'm getting exactly the same emails.

I have to say I've seen a massive general rise in spam over the last few days.

Also ProFTP vulnerability attacks from loads of different IPs at once, plus various other things.

Looks like a botnet has turned its attention to us. Hmmm.....

Faris.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Spam problem 'email from lauren'

Unread post by scott »

Try that training trick in SpamAssassin, it's a great auto-learning trick.