[colug-432] Uptick in "Foreign Investor" Spam

Angelo McComis angelo at mccomis.com
Tue Dec 22 20:53:19 EST 2009


Sorry to omit the context, but this is pretty long and I want to get
in under the size limit. :-)

So, I've been managing a system that handles mail for a few dozen
domains on a co-lo hosted server in a Tier 4 facility with clean IPs,
etc.

My rig closely mimics what the commercial Barracuda system uses.  I
have very few false positives (rare, if ever, and usually because of a
poorly written "refer a friend to this page" type of system that
spoofs a sender email).

The kit, essentially, looks like this, stacked up:

-- Inbound mail on port 25:
   -> Picked up by Postfix.
   Postfix filters in this sequence before handing it off:
   - Recipient Restrictions: permit locally authenticated users, permit
     my local network, then start rejections in this order:
     - Check inbound IP against my favorite RBL... reject immediately if on
       Black list, Dial up list, etc.
     - reject unknown recipient domain  # we have to host the domain
     - reject unauthorized destinations # we have to know who it's going to
     - reject unverified recipient      # blocks processing of non-legit addresses
     - reject non_fqdn recipient        # requires them to not guess on addresses
     - send through sqlgrey for black/white/grey handling

If all of the above passes, hand off to MailScanner.
   Which:
   - calls ClamAV which, btw, catches a great deal of the
     scammer/phisher/419 stuff right there
   - sends it through SpamAssassin, which has a number of SARE rules
     (SpamAssassin Rules Emporium) and plug-ins
     -- like FuzzyOCR, which converts the text in images so they can be
        fed through the word scoring rules
     -- and DCC (Distributed Checksum Clearinghouse)
     -- and Pyzor
     -- and Razor
     -- and then all of the normal scoring algorithms (which include
        score-based RBLs too), most with automated updates coming in daily
        (the .cf files), and of course, we give positive credit to properly
        signed DKIM/DomainKeys and well-formed SPF records.

Once a message exits MailScanner, it has a numeric score value that is
in one of three categories:

High score spam (not delivered, quarantined, we could call this
definite spam), medium score spam (tagged with subject line [spam])
which gets delivered with the modified subject header, and then low
probability (delivered as-is).

As complicated as this looks, it's extremely accurate. Taking a look
tonight at the stats, it's as accurate tonight as it was within a few
weeks of installing it (took some time for it to learn / seed the
Bayes system).

If anyone wants more info, please let me know... I love the subject. :-)

Angelo

The short version of my answer: no... no uptick here.
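An added example, not Angelo's own configuration: a Postfix main.cf fragment that lays out the recipient-restriction sequence the post describes, in the post's order. The RBL name (zen.spamhaus.org) and the sqlgrey listener address are assumptions; the post names neither.

```conf
# Constructed Postfix main.cf fragment modelled on the post's sequence.
# Postfix walks this list top to bottom and stops at the first permit or
# reject, so the order is the policy:
#   1. permit_sasl_authenticated      -> locally authenticated users
#   2. permit_mynetworks              -> my local network
#   3. reject_rbl_client              -> "favorite RBL"; zen.spamhaus.org is an
#                                        assumed stand-in that bundles the
#                                        SBL, XBL and PBL (dial-up ranges)
#   4. reject_unknown_recipient_domain -> we have to host the domain
#   5. reject_unauth_destination       -> we have to know who it's going to
#                                        (this is also what stops open relay)
#   6. reject_unverified_recipient     -> probes the backend for the mailbox
#   7. reject_non_fqdn_recipient       -> no guessing at bare addresses
#   8. check_policy_service            -> sqlgrey, assumed on its default
#                                        port 2501 on localhost
# Postfix does not allow trailing comments on value lines, hence this block.
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_rbl_client zen.spamhaus.org,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unverified_recipient,
    reject_non_fqdn_recipient,
    check_policy_service inet:127.0.0.1:2501

# Recipient verification sends a probe per new address; cache the answers
# so a repeated sender is not re-probed on every delivery attempt, and
# make a failed probe a hard 5xx rather than the default 450 temp-fail.
address_verify_map = btree:$data_directory/verify_cache
unverified_recipient_reject_code = 550
```

Because reject_unverified_recipient costs a backend probe while reject_non_fqdn_recipient is a pure syntax check, swapping steps 6 and 7 rejects the cheap cases first without changing what gets through; the order shown is the one the post gives.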
