
Re: [Asrg] Blacklisting email accounts?

2011-09-06 11:44:03
John Levine wrote:
In this class of spam, it's generally easy to figure out _where_ the
compromised user existed, and often easy to tell the IP by which it was
compromised, but seldom do you get a correct email address for the
phished account, or at least, not one that you could trust. 

Odd, my experience is quite different.  The address typically looks
real and matches stuff in Received: lines.  Perhaps I'm fooled by
unusually brilliant header forgery, but it doesn't look like it.  This
stuff doesn't appear to be bots, it's sent using phished credentials.
For the systems that log the connecting IP, it's often in Nigeria or
China.

  Yes, that would be spot on in what I see. Biggest problem - the
  compromised accounts are using the big server farms like Yahoo
  that pass the SPF and DKIM checks, can't be blocked based on IP
  and even make it through spamassassin scoring.

  The best I've been able to do is use milter-regex for sender matches.
  One thing that looks promising is that the Reply-To rarely matches
  the sender and often is a free mail server for the reply-to.
  I'm seeing the compromised accounts cycled through several times.
  Hit maybe 3 times, wait a week or two, hit again.

  The most interesting one I've seen to date was a valid Yahoo server
  taking in email via webmail and many of the headers were dinked with.

-j2
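The Reply-To heuristic described in the post above, implemented over constructed sample messages, as an added example that is not part of the thread; the addresses, domains and the freemail domain list are invented placeholders:

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed message showing the pattern: From at a large provider,
# Reply-To pointing at a different freemail mailbox (all addresses invented).
SUSPECT_MSG = b"""From: Jane Doe <jane.doe@example-bigmail.test>
Reply-To: jane.doe.payments@freemail-example.test
To: victim@example.org
Subject: Urgent assistance needed

Please reply to my other address.
"""

# Constructed legitimate message: no Reply-To at all.
CLEAN_MSG = b"""From: Jane Doe <jane.doe@example-bigmail.test>
To: victim@example.org
Subject: Lunch

See you at noon.
"""

# Assumed list of webmail/freemail reply domains (placeholder values).
FREEMAIL_DOMAINS = {"freemail-example.test", "webmail-example.test"}


def _domain(header_value):
    """Lowercased domain of the first address in a header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def reply_to_mismatch(raw):
    """Return (mismatch, reply_domain_is_freemail) for raw message bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    # No Reply-To, or Reply-To in the sender's own domain: nothing to flag.
    if not reply_dom or reply_dom == from_dom:
        return False, False
    return True, reply_dom in FREEMAIL_DOMAINS


def score_message(raw):
    """Additive score: 1 for a Reply-To mismatch, +1 if it points at freemail."""
    mismatch, freemail = reply_to_mismatch(raw)
    return int(mismatch) + int(freemail)
```

The score is meant to feed an existing filter's weighting rather than to block on its own, since some legitimate bulk senders also set a foreign Reply-To.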

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg