[colug-432] Uptick in "Foreign Investor" Spam

Rob Funk rfunk at funknet.net
Tue Dec 22 20:09:09 EST 2009

Joshua Kramer wrote:
> Has anyone else been seeing an uptick in the amount of Spam that gets
> past the greylisting filters?  This spam is of the "foreign investor"
> variety, that is, "I am an African Priest who must move 1 500 million
> dollars to the U.S. and I need your help".  I used to get about 1 of
> these a week, now it's averaging 2-3 per day.  Did someone recently
> release spamming software that is fully compliant with SMTP resending
> protocols?

I've been seeing a lot more of that and other spam all year. Not quite as 
much in the past week or so, but definitely a lot this year.

It was inevitable that spammers would eventually catch on to greylisting. 
The trouble is that they're also managing to take down some of the 
realtime blacklists (dsbl, ahbl, dnsbl), so that retry time that used to 
give a chance for them to get on the blacklists doesn't do as much good.

And they have an army of Windows zombies at their disposal for both tasks.
(Aside: in the past month I've managed to convert two non-techie friends 
from Windows to Linux, plus my wife converted after the last Ohio Linux 
Fest, so I'm doing my best to diminish that army!)

Because of all the spam and the filtering response, it's gotten to the 
point that a protocol that was once a paragon of reliability must be 
considered unreliable. People are even using the horrible Facebook mail 
system instead, to get more reliability and less spam.

This week I finally gave in and implemented SPF, DKIM, and DomainKeys on 
funknet.net, just to make it more likely that my mail would go through to 
sites like Yahoo. But that's a reaction to other people's over-filtering, and 
does little or nothing about the spam coming in to me.

==============================|   "A microscope locked in on one point
 Rob Funk <rfunk at funknet.net> |Never sees what kind of room that it's in"
 http://www.funknet.net/rfunk |    -- Chris Mars, "Stuck in Rewind"
