Like shit to a blanket

Out of curiosity, and with MaxMind's help, I've been tracking which countries send me spam.

The top of the list is headed by Russia with 14% of 6118 messages, followed by the US with 9%. Then comes a batch of addresses that MaxMind's GeoLite Country list doesn't know, followed by Turkey, Ukraine and China.

The breakdown of the top twenty is as follows (in number of messages):

871 RU
581 US
314 --
293 TR
242 UA
207 CN
198 BR
193 ES
184 DE
183 LT
164 AR
160 IT
147 PL
139 GB
131 NL
124 FR
119 CO
116 TH
111 PE
103 RO

This correlates quite nicely with what I recently saw.

Spammers are improving

Spammers are definitely improving: they now inform us that the stuff they send is spam.

A message I just received looked suspicious: it wasn't caught by our spam scanners, but it certainly wasn't intended for me. The subject begins with SPAM, and that isn't the marker we add to subject headers when our scanners identify spam.

Looking closer, the message's headers contain:

X-cff-LastScanner: footer
X-cff-SpamScore: 5 (+++++)

Those are definitely not added by our systems. In other words, the PDF junk sent by that firm was marked as junk when it left their doorstep.

Is it time to downscale the spam-filtering systems we drive? Unfortunately, not yet.

Bounce Address Tag Validation

E-mail administrators (real ones) make sure e-mail messages are accepted by a mail exchanger only if their intended recipients really exist. If a recipient doesn't exist, the Mail Transfer Agent (MTA) should inform the sending MTA during the SMTP transaction and refuse to accept the message.

There are thousands of incorrectly configured MTAs on the Internet that accept a message first, only to find out afterwards that it is undeliverable. They then create a Non-Delivery Report (NDR) that is sent to the envelope sender of the original message.

Now consider a spammer who sends out millions of messages with a faked sender address. Consider further that the faked address is your address (e.g. you@example.net). Who, would you say, is going to get all the Non-Delivery Reports delivered to her mailbox? Right: you.

A method to overcome this is for you to modify outgoing envelope addresses, giving them some sort of random value that expires over time. Doing so means that a legitimate NDR can be delivered within, say, a week, but no longer after that (the address expires, and if it is used, your e-mail server just refuses to accept the bounce).

All this is called Bounce Address Tag Validation (BATV). In simple terms, what it does is transform your envelope sender (you@example.net) into something like prvs=you/0192884@example.net. Note the tag: generally an SHA hash of a date and a secret key you define. When a legitimate bounce returns, your mail server converts that back to you@example.net if, and only if, the key and the date can be validated.
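To make the sign/verify round trip concrete, here is an added example (not the author's Exim configuration, and not the exact tag layout of the BATV draft) that follows the layout sketched above: a three-digit day counter plus a truncated HMAC-SHA256 over the date and the local part, keyed with a secret you define. The secret and the one-week window are constructed placeholders.

```python
import hmac
import hashlib
from datetime import date

SECRET = b"change-me-to-a-real-secret"   # constructed placeholder key
MAX_AGE_DAYS = 7                         # accept bounces for about a week


def _mac(local, day, secret=SECRET):
    """Six hex chars of HMAC-SHA256 over 'day:localpart'."""
    msg = f"{day}:{local}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def sign(addr, today=None, secret=SECRET):
    """you@example.net -> prvs=you/DDDHHHHHH@example.net (DDD = day mod 1000)."""
    local, domain = addr.rsplit("@", 1)
    today = today or date.today()
    day = today.toordinal() % 1000
    return f"prvs={local}/{day:03d}{_mac(local, day, secret)}@{domain}"


def verify(addr, today=None, secret=SECRET):
    """Return the original address if the tag is valid and unexpired, else None."""
    local, domain = addr.rsplit("@", 1)
    if not local.startswith("prvs="):
        return None                       # untagged recipient: not a BATV bounce
    try:
        orig, tag = local[5:].rsplit("/", 1)
    except ValueError:
        return None
    if len(tag) != 9 or not tag[:3].isdigit():
        return None                       # malformed tag
    day, mac = int(tag[:3]), tag[3:]
    today = today or date.today()
    age = (today.toordinal() % 1000 - day) % 1000   # handles the mod-1000 wrap
    if age > MAX_AGE_DAYS:
        return None                       # expired: refuse the bounce
    if not hmac.compare_digest(mac, _mac(orig, day, secret)):
        return None                       # forged or tampered tag
    return f"{orig}@{domain}"
```

In an MTA the `verify` result decides whether to accept the bounce for the original mailbox or to reject it at SMTP time.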

I've postponed implementing BATV for far too long; the workload was such that I just didn't get around to doing it. Because of a huge load of backscatter we've been getting, I've implemented BATV on our Exim gateways. It isn't difficult to do, and this will give you a good idea of what to do. One comment however: depending on your setup, you'll want to place the batv_redirect router as high up as possible in your Exim routers list, to ensure that subsequent routers see the translated version of the recipient's e-mail address.

And how well does it work? Well, in our environment, we caught over 2000 fake bounces in the first few hours. Pretty good, I'd say. :-)

It used to be entertaining

Glancing over the subjects in a spam folder used to be entertaining at times; I got the odd grin on my face once in a while.

The situation has changed for me, though: look at this morning's catch:

(image: russkispam)

How the hell am I supposed to get a laugh out of that? Would you guys please revert to some language I can read? I'm not willing to start learning your lingo.

This may be useful some day

I'm going to keep this message carefully, it may be useful some day:

From: COMPANY NAME:  FINANCIAL HELP ORGANISATION <employment@jobs.com>
Date: Mon, 04 Feb 2008 10:25:39 -0800
Subject: JOB VACANCY! GOOD PAY!

Job Vacancy ! Job Vacancy ! Job Vacancy !

Good Paying Job Available,Please contact Stacey at :

jobs@helppoverty.org

Happy New Year!

I certainly hope I won't need helppoverty.org, but ya never know…

Dumb .signature

What's wrong with this .signature?

Xxxxxxxxx X. Xxxxxxx (Kfm)
Gesch&#228;ftsf&#252;hrender Inhaber
Firma Xxxxxxx e.K.
HRA 1xxxx - ReG Xxxxxxxx

Ust-ID: DE24xxxxxxx
Finanzamt Xxxxxxxx Xxx


T: xxxx.xxxxxxxx
F: xxxx.xxxxxxxxx
I: xxx xxxxxxxxxx de

Gesch&#228;ftszeiten:
Mo - Fr von 8 - 12 Uhr u. 14 - 20 Uhr
Sa von 14 - 16 Uhr
So nur nach Absprache

Ein Unternehmen der
Xxxxxxx xxxxxx Verwaltung un Limited & Co KG
Xxxxxxxxxxxxxxxx xxx, xxxxx Xxxxxxxx
HR A xxxxx, Registergericht Xxxxxxxx
UstID beantragt

Well, what comes to mind:

  1. Far too long
  2. Non-displayable codes in the title
  3. Business hours? Very important…
  4. At the top he has a VAT ID, at the bottom it has only been applied for
  5. Missing dots between the DNS labels in I:
  6. Did I already say: far too long?
  7. Is the Verwaltung "Unlimited", or is it "und Limited"?
  8. Inconsistent rendering of the HR code
  9. Oh, and the .signature is far too long!

Bundestrojaner 2.0 (beta)

The Bundestrojaner is ready for download in version 2.0 (beta) for all common operating systems!

From the software's FAQ:

As German quality software, the Bundestrojaner is free of bugs. Adding bugs is not planned for later versions either.

Now go forth!


Who wrote that?!?

From a pingback:

Methinks I wrote that…