I've been getting a lot of spams here with a format similar to:
[snip]
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-
1"><style>
d171f2b7-af04-5a8-5a8-cee259c46b8f
9fc2adda-9160-c56-c56-feadd16b0acc
cec5f152-fd8b-9a9-9a9-c5e5c0e676cb
3aaf4ded-e0ec-31d-31d-efec2dbb3f8a
b4804f85-ac57-2d2-2d2-f1c275fd8a0f
4a8cccf0-e0ea-eb7-eb7-beef48d34ff9
edaf0f77-a5b3-bdc-bdc-bdf3aac36bf5
66cef8f7-3be7-3c3-3c3-eefbb04d1f3d
feeac7ae-bda4-476-476-bd68dd935701
a1f2a14d-2beb-390-390-71b7c8933ae7
18c00d8b-b6ba-66d-66d-bf1abff7564b
35c0a27b-cd0d-e5c-e5c-3277bdd93ed3
a2d15cc1-b785-5c2-5c2-7eeff43c1e3a
.... etc.
</style>
[rest of spam]
... perhaps a couple hundred lines of these random hex number
sequences.

These lines are almost certainly intended to avoid spam filtration. I
have a couple of questions.

* What's the nature of this style block (obviously not legit HTML
  styles)?
* Are there any characteristics of these emails which can be singled
  out for the purpose of blocking them?
* Has anyone developed any rules to deal with these, either for
  SpamAssassin or any other filtering platform?

I frequently just block IP addresses; however, these come from
amazonaws.com (Amazon) IP addresses, which may well overlap with
legitimate amazon.com mail sources, so I'm looking for a way to block
them with a finer tool.

--
Lindsay Haisley | "The first casualty when
FMP Computer Services | war comes is truth."
512-259-1190 |
http://www.fmp.com | -- Hiram W Johnson
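
One way to single out the characteristic asked about above, as an added example that is not part of the original post: a content check that flags HTML mail whose `<style>` block consists mostly of lines in the 8-4-3-3-12 hex shape shown in the sample. The function names, the thresholds and both test messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Filler shape seen in the post: 8-4-3-3-12 hex digits, third and fourth
# groups identical (e.g. "5a8-5a8"); such a line is not CSS.
FILLER = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-([0-9a-f]{3})-\1-[0-9a-f]{12}$")
STYLE = re.compile(r"<style\b[^>]*>(.*?)</style\s*>", re.I | re.S)

def style_filler_stats(html):
    """Return (filler_lines, non_blank_lines) summed over all <style> blocks."""
    filler = total = 0
    for block in STYLE.findall(html):
        for line in block.splitlines():
            line = line.strip().lower()
            if line:
                total += 1
                filler += bool(FILLER.match(line))
    return filler, total

def looks_like_hex_filler_spam(raw, min_lines=10, min_ratio=0.8):
    """Flag a message whose HTML part has a <style> block dominated by filler.
    The thresholds are assumptions to tune against your own mail."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        # latin-1 never fails to decode; tags and hex digits are ASCII anyway.
        html = (part.get_payload(decode=True) or b"").decode("latin-1")
        filler, total = style_filler_stats(html)
        if total and filler >= min_lines and filler / total >= min_ratio:
            return True
    return False

def build_sample(n):
    """Constructed test message (not captured spam) with n filler lines."""
    rows = []
    for i in range(1, n + 1):
        g = f"{i * 977 % 4096:03x}"
        rows.append(f"{i * 2654435761 % 2**32:08x}-{i * 40503 % 65536:04x}"
                    f"-{g}-{g}-{i * 0x9E3779B97F % 2**48:012x}")
    return ("Content-Type: text/html; charset=iso-8859-1\n\n<html><head><style>\n"
            + "\n".join(rows) + "\n</style></head><body>Offer</body></html>\n")

# Constructed legitimate message: ordinary CSS, including a hex colour.
LEGIT = ("Content-Type: text/html; charset=utf-8\n\n<html><head><style>\n"
         "body { margin: 0; }\n.a1b2c3 { color: #deadbe; }\n</style></head>"
         "<body>Invoice</body></html>\n")

if __name__ == "__main__":
    print(looks_like_hex_filler_spam(build_sample(200)), looks_like_hex_filler_spam(LEGIT))
```

Because the check keys on message content rather than the sending address, it does not touch other mail arriving from the same amazonaws.com ranges.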