 EGeezerSummertimePremium
join:2002-08-04
Midwest
kudos:7
 ·Callcentric
| reply to K McAleavey
Re: Heads-up: Sober Spam I'm dealing with the results right now - Two days ago, I saw dozens of these in inboxes of ours and traced them back to the DIALUP IP block of a small ISP that one of our relatives uses. I called them and stepped them through updating their McAfee, (supposedly AV/AT firewall), running a scan. He scanned, found 22 viruses per his report. Clean, reboot, clean, reboot until scan ran OK.
Well, last night same thing. Only 142 of the emails were in our two inboxes. I called He said "The PC hasn't been on". Then, I see another 5 or 6 come in. I said "I just got another round - are you sure?" He checked. "It is on. My wife just logged in to check her email. And, grandson was on the web earlier getting info for homework" They are all intelligent but nontechnical "safe hex" users and of the ilk that "if it's not something I know, I don't go there or open it". However that doesn't rule out a McAfee misconfiguration or errant keystroke/mouse click.
Wish I could do more, but I'm a thousand miles away and can't step him through McAfee since I don't know what product he has and I'm not familiar with the screens. I did tell him to update, scan again and contact the ISP and let them know he's trying to fix it.
I hope I can get him to this forum, but with dialup he's gonna be hard pressed to D/L and run all the apps in the FAQ.  |
|
kpatzMY HEAD A SPLODEPremium
join:2003-06-13
Manchester, NH
1 edit | No hits here yet.
Spammers should be jailed.
Spammers who use trojan proxies/viruses should be put to a slow, painful death.
Virus writers who accept money from spammers should be shot into deep space... WITHOUT a space suit.
'Nuff said.
--
SMTP: Spam and Malware Transfer Protocol. Also used on rare occasion to transmit e-mail messages. |
|
EGeezerSummertimePremium
join:2002-08-04
Midwest
kudos:7 Reviews:
·Callcentric
| POSTFIX filter for sober spamFrom SANS ISC link at »isc.sans.org/diary.php;
quote:
One of our readers, Eric provided a postfix regex file that can be used to filter these german spams. Thanks for this Eric.
Typically this is enabled through the main.cf file of postfix:
header_checks = regexp:/usr/local/etc/postfix/headfilt.regex
----- headfilt.regex file contents -------
/^Subject:.*Augen auf/ HOLD
/^Subject:.*Auslaenderpolitik/ HOLD
/^Subject:.*Blutige Selbstjustiz/ HOLD
/^Subject:.*Deutsche Buerger/ HOLD
/^Subject:.*Deutsche werden kuenftig beim/ HOLD
/^Subject:.*Dresden Bombing Is To Be Regretted Enormously/ HOLD
/^Subject:.*Du wirst zum Sklaven gemacht/ HOLD
/^Subject:.*Gegen das Vergessen/ HOLD
/^Subject:.*Graeberschaendung auf bundesdeutsche/ HOLD
/^Subject:.*Jahre Befreiung/ HOLD
/^Subject:.*Multi\-Kulturell/ HOLD
/^Subject:.*Paranoider Deutschenmoerder kommt/ HOLD
/^Subject:.*Polizei schlaegt Alarm/ HOLD
/^Subject:.*Transparenz ist das Mindeste/ HOLD
/^Subject:.*Tuerkei in die/ HOLD
/^Subject:.*Volk wird nur zum zahlen/ HOLD
/^Subject:.*Vorbildliche Aktion/ HOLD
/^Subject:.*Whore Lived Like a German/ HOLD
/^Subject:.*wirst ausspioniert/ HOLD
---- end of file contents ------
|
|
 justinAustralian
join:1999-05-28
New York, NY
kudos:7 | that would be better if it was complete, but looking at mine, I already see half a dozen other subjects as well as these |
|
approval from:
EGeezer 
| Here's a longer list:
/^Subject:.*Armenian Genocide Plagues Ankara/ HOLD
/^Subject:.*Augen auf/ HOLD
/^Subject:.*Auslaender bevorzugt/ HOLD
/^Subject:.*Auslaenderpolitik/ HOLD
/^Subject:.*Blutige Selbstjustiz/ HOLD
/^Subject:.*Deutsche Buerger/ HOLD
/^Subject:.*Deutsche werden kuenftig beim/ HOLD
/^Subject:.*Dresden 1945 / HOLD
/^Subject:.*Dresden Bombing Is To Be Regretted Enormously/ HOLD
/^Subject:.*Du wirst ausspioniert/ HOLD
/^Subject:.*Du wirst zum Sklaven gemacht/ HOLD
/^Subject:.*Gegen das Vergessen/ HOLD
/^Subject:.*Graeberschaendung auf bundesdeutsche/ HOLD
/^Subject:.*Hier sind wir Lehrer die einzigen Auslaender/ HOLD
/^Subject:.*Jahre Befreiung/ HOLD
/^Subject:.*Massenhafter Steuerbetrug durch auslaendische/ HOLD
/^Subject:.*Multi\-Kulturell/ HOLD
/^Subject:.*Osteuropaeer durch Fischer-Volmer Erlass/ HOLD
/^Subject:.*Paranoider Deutschenmoerder kommt/ HOLD
/^Subject:.*Polizei schlaegt Alarm/ HOLD
/^Subject:.*Schily ueber Deutschland/ HOLD
/^Subject:.*Transparenz ist das Mindeste/ HOLD
/^Subject:.*Trotz Stellenabbau/ HOLD
/^Subject:.*Tuerkei in die/ HOLD
/^Subject:.*Turkish Tabloid Enrages Germany with Nazi Comparisons/ HOLD
/^Subject:.*Verbrechen der deutschen Frau/ HOLD
/^Subject:.*Volk wird nur zum zahlen/ HOLD
/^Subject:.*Vorbildliche Aktion/ HOLD
/^Subject:.*Whore Lived Like a German/ HOLD |
|
|
|
 sporkmedrop the crantini and move it, sisterPremium,MVM
join:2000-07-01
Morristown, NJ
 ·Optimum Online
1 edit | Is that pretty much the canonical list of ALL subject lines this thing is spewing?
Anyone have spamass rules cooked up for this yet?
edit: Found this: »mailscanner.prolocation.net/german.cf
I'm not sure I agree with the "8" score, but I may tone it down and give it a shot. Still reading the SA archives from yesterday... |
|
| It's the canonical list of sober.q-looking subjects that have hit my external mail relays (10,000 users) since about 9 PM EST last night.
1 addition to that list (English subject threw me off):
/^Subject:.*Can you believe this still happens today/ HOLD |
|
sporkmedrop the crantini and move it, sisterPremium,MVM
join:2000-07-01
Morristown, NJ | reply to sporkme
FWIW, since midnight we've had 2,695 messages blocked. But not all of our customers get the filtering, so that number may be a bit on the low side. |
|
nike303
join:2003-08-28
Franklin Square, NY | reply to Eric2005
I am still getting 4-5 an hour.
My gmail account (after 50 or so mails of me reporting it as spam), has now started sending it to the spam folder. I just added those subject, so it goes staright to trash.
But, the thing is, if I look at the email, it isnt actually sent to me.
It appears that the worm, sends it to some Gmail accounts that have email fowarding set up. And unfortunetly, I am on that list.
Thank you again...SOOO much. This was bugging me for the past 3 days. |
|
