[colug-432] Uptick in "Foreign Investor" Spam
angelo at mccomis.com
Tue Dec 22 20:53:19 EST 2009
Sorry to omit the context, but this is pretty long and I want to get
in under the size limit. :-)
So, I've been managing a system that handles mail for a few dozen
domains on a co-lo hosted server in a Tier 4 facility with clean IPs,
My rig closely mimics what the commercial Barracuda system uses. I
have very few false positives (rare, if ever, and usually because of a
poorly written "refer a friend to this page" type of system that
spoofs a sender email).
The kit, essentially looks like this, stacked up:
-- Inbound mail on port 25:
-> Picked up by Postfix.
Postfix filters in this sequence before handing it off:
- Recipient Restrictions: permit locally authenticated users, permit
my local network, then start rejections in this order:
Check inbound IP against my favorite RBL... reject immediately if on
Black list, Dial up list, etc.
- reject unknown recipient domain # we have to host the domain
- reject unauthorized destinations # we have to know who it's going to
- reject unverified recipient # blocks processing of non-legit addresses
- reject non_fqdn recipient # requires them to not guess on addresses
- send through sqlgrey for black/white/grey handling
If all of the above passes, hand off to MailScanner.
- calls ClamAV which btw, catches a great deal of the
scammer/phisher/419 stuff right there
- sends it through SpamAssassin, which has a number of SARE rules
(Spam Assassin Rules Emporium) and plug-ins
-- like Fuzzy OCR, which converts the text in images so they can be
fed through the word scoring rules
-- and DCC (distributed checksum clearinghouse)
-- and Pyzor
-- and Razor
-- and then all of the normal scoring algorithms (which include
score-based RBLs too), most with automated updates coming in daily
(the .cf files), and of course, we give positive credit to properly
signed DKIM/Domain Keys and well-formed SPF records.
Once a message exits MailScanner, it has a numeric score value that is
in one of three categories:
High score spam (not delivered, quarantined, we could call this
definite spam), medium score spam (tagged with subject line [spam])
which gets delivered with the modified subject header, and then low
probability (delivered as-is).
As complicated as this looks, it's extremely accurate. Taking a look
tonight at the stats, it's as accurate tonight as it was within a few
weeks of installing it (took some time for it to learn / seed the
If anyone wants more info, please let me know... I love the subject. :-)
The short version of my answer, no... no uptick here.
More information about the colug-432