Grreting card scams

Martin.Hepworth martinh at solidstatelogic.com
Fri Jul 27 08:50:07 IST 2007


Hmm, I don't use the DUL RBLs on SA as they give FPs for us... we have a lot of customers/dealers etc. that run their connections over DUL, so I turn these off.

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
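As an added illustration of the trade-off in the reply above (this is not code from the thread, nor from MailScanner or SpamAssassin), the script below re-parses the two SpamAssassin hit lists quoted further down and shows what each message would still have scored with the dynamic-IP list rules zeroed, as if those rules had been disabled in local.cf. The hit lines are copied from the posts (one wrapped description rejoined); which rules count as "DUL RBLs" (names ending in _DUL plus RCVD_IN_PBL) and the rounding tolerance are assumptions of the example.

```python
import re

# Two SpamAssassin hit lists quoted in the thread (copied from the posts; the
# one wrapped description line has been rejoined).  Each hit line has the form
# "<score>\t<RULE>\t<description>", preceded by the score/required summary.
UXBOD_REPORT = """\
cached\tnot
\tscore=17.504
10\trequired
12.00\tKAM_CARD\tTrojan or Virus Payload from fake ecard notice
0.00\tNORMAL_HTTP_TO_IP\tUses a dotted-decimal IP address in URL
1.80\tRCVD_IN_DSBL\tReceived via a relay in list.dsbl.org
1.71\tRCVD_IN_NJABL_DUL
0.00\tRCVD_IN_PBL\tReceived via a relay in Spamhaus PBL
1.99\tRCVD_IN_SORBS_DUL\tSORBS: sent directly from dynamic IP address
"""

HEPWORTH_REPORT = """\
\tscore=24.878
5\trequired
\tautolearn=spam
5.40\tBAYES_99\tBayesian spam probability is 99 to 100%
5.00\tBOTNET\tRelay might be a spambot or virusbot
0.77\tDIGEST_MULTIPLE\tMessage hits more than one network digest check
0.67\tFH_HOST_EQ_D_D_D_D\tHost starts with d-d-d-d
0.98\tHOST_EQ_CPE
0.31\tHOST_MISMATCH_COM
4.00\tNORMAL_HTTP_TO_IP\tUses a dotted-decimal IP address in URL
3.70\tPYZOR_CHECK\tListed in Pyzor (http://pyzor.sf.net/)
0.50\tRAZOR2_CF_RANGE_51_100\tRazor2 gives confidence level above 50%
1.50\tRAZOR2_CF_RANGE_E8_51_100\tRazor2 gives engine 8 confidence level above 50%
0.50\tRAZOR2_CHECK\tListed in Razor2 (http://razor.sf.net/)
1.56\tRCVD_IN_BL_SPAMCOP_NET\tReceived via a relay in bl.spamcop.net
"""

HIT_RE = re.compile(r"^(-?\d+\.\d+)\t([A-Z0-9_]+)(?:\t(.*))?$")
SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)")
REQUIRED_RE = re.compile(r"^(\d+(?:\.\d+)?)\trequired$")

# Rules that fire because the sending IP sits in a dial-up/dynamic (DUL) list
# or an end-user policy list (SORBS DUL, NJABL DUL, Spamhaus PBL).  Assumption
# for this example: these are the "DUL RBLs" the reply above turns off.
DUL_RULE_RE = re.compile(r"_DUL$|^RCVD_IN_PBL$")


def parse_report(text):
    """Return {'score': float, 'required': float, 'hits': [(rule, score, desc)]}."""
    report = {"score": None, "required": None, "hits": []}
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            score, rule, desc = m.groups()
            report["hits"].append((rule, float(score), desc or ""))
            continue
        m = SCORE_RE.search(line)
        if m:
            report["score"] = float(m.group(1))
            continue
        m = REQUIRED_RE.match(line)
        if m:
            report["required"] = float(m.group(1))
    return report


def hits_match_total(report):
    """True if the per-rule scores add up to the reported total.  Each displayed
    score is rounded to two decimals, so allow 0.005 of drift per hit."""
    total = sum(s for _, s, _ in report["hits"])
    return abs(total - report["score"]) <= 0.005 * len(report["hits"])


def rescore_without(report, rule_re):
    """Score the message would get with every rule matching rule_re zeroed, as
    if those rules were disabled.  Returns (dropped_rules, new_score, still_spam)."""
    dropped = [r for r, _, _ in report["hits"] if rule_re.search(r)]
    new_score = round(sum(s for r, s, _ in report["hits"] if r not in dropped), 2)
    return dropped, new_score, new_score >= report["required"]


if __name__ == "__main__":
    for name, text in (("UxBoD", UXBOD_REPORT), ("Hepworth", HEPWORTH_REPORT)):
        rep = parse_report(text)
        dropped, new_score, spam = rescore_without(rep, DUL_RULE_RE)
        print(f"{name}: reported {rep['score']} (hits add up: {hits_match_total(rep)}); "
              f"without {dropped or 'any DUL rules'}: {new_score} "
              f"(required {rep['required']}, still spam: {spam})")
```

On these two samples the ecard messages stay well over threshold without the DUL hits (the 12-point KAM_CARD rule and the digest/Bayes rules carry them), which is the practical check to run before deciding whether zeroing DUL lists for dealer traffic costs any detection.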

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of UxBoD
> Sent: 27 July 2007 08:42
> To: MailScanner discussion
> Subject: Re: Grreting card scams
>
> Mine :-
>
> cached	not
> 	score=17.504
> 10	required
> 12.00	KAM_CARD	Trojan or Virus Payload from fake ecard notice
> 0.00	NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL
> 1.80	RCVD_IN_DSBL	Received via a relay in list.dsbl.org
> 1.71	RCVD_IN_NJABL_DUL
> 0.00	RCVD_IN_PBL	Received via a relay in Spamhaus PBL
> 1.99	RCVD_IN_SORBS_DUL	SORBS: sent directly from dynamic IP address
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>
> ----- Original Message -----
> From: "Martin.Hepworth" <martinh at solidstatelogic.com>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Friday, July 27, 2007 8:26:57 AM (GMT) Europe/London
> Subject: RE: Grreting card scams
>
> Following SA hits are typical on my system for these emails..
>
> 	score=24.878
> 5	required
> 	autolearn=spam
> 5.40	BAYES_99	Bayesian spam probability is 99 to 100%
> 5.00	BOTNET	Relay might be a spambot or virusbot
> 0.77	DIGEST_MULTIPLE	Message hits more than one network digest check
> 0.67	FH_HOST_EQ_D_D_D_D	Host starts with d-d-d-d
> 0.98	HOST_EQ_CPE
> 0.31	HOST_MISMATCH_COM
> 4.00	NORMAL_HTTP_TO_IP	Uses a dotted-decimal IP address in URL
> 3.70	PYZOR_CHECK	Listed in Pyzor (http://pyzor.sf.net/)
> 0.50	RAZOR2_CF_RANGE_51_100	Razor2 gives confidence level above 50%
> 1.50	RAZOR2_CF_RANGE_E8_51_100	Razor2 gives engine 8 confidence level above 50%
> 0.50	RAZOR2_CHECK	Listed in Razor2 (http://razor.sf.net/)
> 1.56	RCVD_IN_BL_SPAMCOP_NET	Received via a relay in bl.spamcop.net
>
> --
> Martin Hepworth
> Snr Systems Administrator
> Solid State Logic
> Tel: +44 (0)1865 842300
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> > bounces at lists.mailscanner.info] On Behalf Of Doc Schneider
> > Sent: 26 July 2007 23:51
> > To: MailScanner discussion
> > Subject: Re: Grreting card scams
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Glenn Steen wrote:
> > > On 27/07/07, Matt Kettler <mkettler at evi-inc.com> wrote:
> > >> Rick Cooper wrote:
> > >>
> > >> >  > -----Original Message-----
> > >> >  > From: mailscanner-bounces at lists.mailscanner.info
> > >> >  > [mailto:mailscanner-bounces at lists.mailscanner.info] On
> > >> >  > Behalf Of Matt Kettler
> > >> >  >
> > >> >  > However, if I copy one of the messages back onto the server and
> > >> >  > scan it with clamscan, clamscan does detect it as a virus.
> > >> >  >
> > >> >  > However, none of them have ever been detected as a virus while
> > >> >  > going through MailScanner. Ever. (I just searched all my postmaster
> > >> >  > notices from MailScanner and the word "You've" doesn't appear in
> > >> >  > any of them, which would be part of the subject-line quote.)
> > >> >  >
> > >> >  > Note that my MailScanner setup does detect phishing signatures.
> > >> >  >
> > >> >  > ie:
> > >> >  >     Report: ClamAV: msg-9454-234.html contains HTML.Phishing.Pay-36
> > >> >  >     Report: ClamAV: msg-17765-74.html contains Email.Phishing.RB-1260
> > >> >  >
> > >> >  > But there are no Email.Phishing.RB-1222's in there anywhere.
> > >> >  >
> > >> >
> > >> > What do you get if you run
> > >> >
> > >> > sigtool --list-sigs|grep Email.Phishing.RB-1222
> > >> >
> > >> > Perhaps something amiss with the clamdb updates? Accidental dupe installs?
> > >> >
> > >> > Rick
> > >>
> > >> Given that running clamscan on the email file outside of MailScanner
> > >> detects it as a virus, I've already conclusively proven clamav has the
> > >> signature and it works properly.
> > >>
> > >> One observation, though: the specific test messages I used detected as
> > >> 1221 not 1222, but they're all related.
> > >>
> > >> ecardspam1.eml: Email.Phishing.RB-1221 FOUND
> > >> ecardspam2.eml: Email.Phishing.RB-1221 FOUND
> > >> ecardspam3.eml: Email.Phishing.RB-1221 FOUND
> > >>
> > >> However, if you insist:
> > >> # sigtool --list-sigs|grep Email.Phishing.RB-1222
> > >> Email.Phishing.RB-1222
> > >>
> > >> Yes, it's there. Yes, clamscan can use it, and clamscan properly detects
> > >> the messages as viruses when executed manually. No, clamav via MailScanner
> > >> cannot detect it.
> > >>
> > > Could this perhaps have anything to do with how clam gets fed the
> > > message in MailScanner....? If I'm not completely senile (always a
> > > possibility:-), MS doesn't feed it the complete message, hence some
> > > newstyle sigs will never (be able to) trigger.
> > >
> > > Cheers
> >
> > This makes sense... or else we know Jules has been into the
> > "Guiness(sic)" again! HAR!
> >
> > - --
> > - -Doc
> > Lincoln, NE.
> > http://www.genealogyforyou.com/
> > http://www.cairnproductions.com/
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.5 (GNU/Linux)
> > Comment: Using GnuPG with CentOS - http://enigmail.mozdev.org
> >
> > iD8DBQFGqSVaqOEeBwEpgcsRAtp1AJsFDG1AQYOI5Foxfy5rNrD06ZDy2wCZAfMF
> > WQCbBM2nqqKrHxIu3aNi+Ks=
> > =bX2c
> > -----END PGP SIGNATURE-----
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >
> > Before posting, read http://wiki.mailscanner.info/posting
> >
> > Support MailScanner development - buy the book off the website!
>
>
>
>
> **********************************************************************
> Confidentiality : This e-mail and any attachments are intended for the
> addressee only and may be confidential. If they come to you in error
> you must take no action based on them, nor must you copy or show them
> to anyone. Please advise the sender by replying to this e-mail
> immediately and then delete the original from your computer.
> Opinion : Any opinions expressed in this e-mail are entirely those of
> the author and unless specifically stated to the contrary, are not
> necessarily those of the author's employer.
> Security Warning : Internet e-mail is not necessarily a secure
> communications medium and can be subject to data corruption. We advise
> that you consider this fact when e-mailing us.
> Viruses : We have taken steps to ensure that this e-mail and any
> attachments are free from known viruses but in keeping with good
> computing practice, you should ensure that they are virus free.
>
> Red Lion 49 Ltd T/A Solid State Logic
> Registered as a limited company in England and Wales
> (Company No:5362730)
> Registered Office: 25 Spring Hill Road, Begbroke, Oxford OX5 1RU,
> United Kingdom
> **********************************************************************
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
>
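Glenn's hypothesis in the quoted thread (a signature that matches the complete .eml file can never fire if the gateway hands the scanner only the unpacked MIME parts) can be checked in the small, as an added example that is neither MailScanner nor ClamAV code. The message below is constructed for the example, and the two "signatures" are plain regexes invented to stand in for a whole-message detection and a per-part detection; they are not ClamAV's signature format. The script scans the same message both ways and reports which signature fires in each mode.

```python
import email
import re

# Constructed ecard-style message for this example (not one of the real
# samples from the thread).  Domain and IP are documentation values.
SAMPLE_EML = b"""\
From: "Greeting Cards" <cards@example.invalid>
To: victim@example.invalid
Subject: You've received a greeting card from a friend!
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Hi. A friend has sent you a greeting card.
Pick it up at http://192.0.2.10/ecard.exe

--b1
Content-Type: text/html; charset=us-ascii

<html><body>Hi. A friend has sent you a greeting card.<br>
<a href="http://192.0.2.10/ecard.exe">Pick it up</a></body></html>
--b1--
"""

# Toy signatures invented for this example (NOT ClamAV syntax):
#   ...-whole needs the Subject header AND the payload URL in one buffer, so it
#            can only match when the complete message is scanned as one file;
#   ...-part  needs only the dotted-IP .exe link, so a body part on its own is
#            enough.
SIGNATURES = {
    "Toy.Phishing.Ecard-whole": re.compile(
        rb"^Subject: You've received a greeting card.*?"
        rb"http://\d{1,3}(?:\.\d{1,3}){3}/\w+\.exe", re.S | re.M),
    "Toy.Phishing.Ecard-part": re.compile(
        rb"http://\d{1,3}(?:\.\d{1,3}){3}/\w+\.exe"),
}


def scan_buffer(data, sigs=SIGNATURES):
    """Names of the signatures that match one buffer of bytes."""
    return {name for name, rx in sigs.items() if rx.search(data)}


def scan_whole_message(raw, sigs=SIGNATURES):
    """What `clamscan message.eml` sees: the complete RFC 822 message."""
    return scan_buffer(raw, sigs)


def scan_as_parts(raw, sigs=SIGNATURES):
    """What a scanner sees when a gateway unpacks the MIME tree first and hands
    over only the decoded leaf parts: the top-level headers never arrive."""
    msg = email.message_from_bytes(raw)
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        hits |= scan_buffer(payload, sigs)
    return hits


def compare(raw, sigs=SIGNATURES):
    """Per signature: (matched on the whole message, matched on some part)."""
    whole, parts = scan_whole_message(raw, sigs), scan_as_parts(raw, sigs)
    return {name: (name in whole, name in parts) for name in sigs}


if __name__ == "__main__":
    for name, (whole, part) in compare(SAMPLE_EML).items():
        print(f"{name:26s} whole-message: {whole!s:5s} per-part: {part}")
```

The whole-message signature fires under `scan_whole_message` and not under `scan_as_parts`, which is exactly the "detected by clamscan on the .eml, never by clamav via MailScanner" pattern Matt describes; the per-part signature fires in both modes. Running a real sample both ways (clamscan on the .eml versus on the unpacked parts) is the equivalent check for a production gateway.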



