We have the same things here and have ZERO issues with that. It all
depends on your architecture and other surge settings.
On 05/23/2017 06:03 PM, Peter Ellens wrote:
> Yes, and breaks nearly every customer running a website, as most forms are so badly coded and change the from address to something else. "Orders" "web form" etc
>
> I used to run like that and it caused too many issues...
>
> -----Original Message-----
> From: Ed [mailtoHIDDEN@ent.net]
> Sent: Wednesday, May 24, 2017 1:00 AM
> To: surgemailHIDDEN@etwinsite.com
> Subject: Re: [SurgeMail List] tricky spammer attempting to hide
>
> Hi,
>
> You do realize that g_from_exact fixes this issue ?
>
> --Ed
>
> On 05/22/2017 10:44 PM, Peter Ellens wrote:
>> Hi Guys
>>
>> Just thought I would share an interesting spammer operation I found
>> going on through our servers.
>>
>> The spammer uses hacked e-mail accounts and only sends smallish
>> volumes in an effort to avoid detection, but over a number of accounts.
>>
>> Example. Anything in {description} is variable
>>
>> Subject: is always empty.
>>
>> From: is fake username on real domain, format {firstName lastName
>> <{randomUserNameHIDDEN@ domain name}>
>>
>> Body
>>
>> Good morning {Random name}
>>
>> http://{randomurls}/{random}.php?cat={random key of somesort}
>>
>> {same random first name as From line}
>>
>> As you can see not much to key on.
>>
>> How I tracked them, warning Linux content :P (sorry Windows users, you
>> will have to find some other way to do this)
>>
>> This is run from the directory with all your .rec files in it.
>>
>> First create a .rec for all e-mails with an empty subject
>>
>> grep "s=\[\]" {pick a record file}.rec | cut -f 2 -d"[" | cut -f 1 -d "]" | xargs -i grep {} {same record file}.rec > empty_subject.rec
>>
>> This finds all messages with an empty subject, the unique id is
>> extracted, the full log for each unique id is extracted
>>
>> This can take a while.
>>
>> Then count the number of e-mails each user sent without a subject (all
>> users use smtp auth on our servers)
>>
>> grep smtpauth empty_subject.rec | cut -f 10 -d' ' | cut -f 3 -d= | sort | uniq -c | sort -n
>>
>> This grabs the line with smtpauth in it, and extracts the username,
>> then sorts the list, then counts any duplications
>>
>> This spits out lots of single instances, but at the bottom you will
>> probably find a bunch of much higher users sending out e-mail with a
>> blank subject
>>
>> On average I see < 10 blank e-mails a day from real users and > 200
>> for hacked accounts, so they stick out like a sore thumb
>>
>> You can then further process to find sending IP etc… but looks like
>> it's from a botnet, lots of IP sources.
>>
>> Happy hunting
>>
>
> --
> -----------------------------------------------------------
> EAS Enterprises LLC
> World Class Web and Email Hosting Solutions
> IPv6 ready today for your needs of tomorrow!
> Ask us about dual-stacking your site
> www.easent.net
>
--
-----------------------------------------------------------
EAS Enterprises LLC
World Class Web and Email Hosting Solutions
IPv6 ready today for your needs of tomorrow!
Ask us about dual-stacking your site
www.easent.net
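
The two-step hunt from the original post, redone as an added example (not code from the thread or from SurgeMail): it reads the record file twice instead of running one grep per message id, matches ids exactly, and takes a minimum count so only the outliers print. It assumes, as the post's cut commands imply, that the id sits in the first [...] on every line for a message and that the user is the third "="-separated piece of the 10th space-separated field; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example. Field positions mirror the post's cut commands; the real
# .rec layout is not shown on the page, so the sample lines are constructed.

# blank_subject_senders FILE [MIN]: print "COUNT USER" for each smtpauth user
# with at least MIN distinct empty-subject messages, lowest count first.
blank_subject_senders() {
    # FILE is read twice: pass 1 collects message ids, pass 2 counts users.
    awk -F'[ ]' -v min="${2:-1}" '
        # Message id = text between the first "[" and the next "]".
        function msgid(line,   a, b) {
            a = index(line, "[")
            if (a == 0) return ""
            line = substr(line, a + 1)
            b = index(line, "]")
            return (b == 0) ? "" : substr(line, 1, b - 1)
        }
        # Pass 1: remember ids of messages logged with an empty subject.
        NR == FNR {
            if (index($0, "s=[]") && (id = msgid($0)) != "") blank[id] = 1
            next
        }
        # Pass 2: on smtpauth lines for those ids, the user is the third
        # "="-separated piece of the 10th space-separated field.
        index($0, "smtpauth") {
            id = msgid($0)
            if (id == "" || !(id in blank)) next
            if (split($10, part, "=") < 3 || part[3] == "") next
            if (!((part[3], id) in seen)) { seen[part[3], id] = 1; count[part[3]]++ }
        }
        END { for (u in count) if (count[u] >= min) print count[u], u }
    ' "$1" "$1" | sort -n
}

# Constructed sample: mallory sends three blank-subject messages, alice one.
sample_rec() {
    cat <<'EOF'
01 00:01 [M1] f4 f5 f6 f7 f8 smtpauth a=b=mallory@example.com
01 00:01 [M1] stored s=[]
01 00:02 [M2] f4 f5 f6 f7 f8 smtpauth a=b=mallory@example.com
01 00:02 [M2] stored s=[]
01 00:03 [M3] stored s=[]
01 00:03 [M3] f4 f5 f6 f7 f8 smtpauth a=b=mallory@example.com
01 00:04 [M4] f4 f5 f6 f7 f8 smtpauth a=b=alice@example.com
01 00:04 [M4] stored s=[hello]
01 00:05 [M5] f4 f5 f6 f7 f8 smtpauth a=b=alice@example.com
01 00:05 [M5] stored s=[]
EOF
}
```

Run it as `blank_subject_senders {record file}.rec 50`, choosing a minimum between the two daily figures quoted in the post; the value 50 is only an illustration.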