Thousands of spam messages bypassing BESG



15 replies to this topic

#1 Chiron

Chiron
  • Members
  • 18 posts

Posted 23 March 2017 - 01:23 PM

Seeing thousands of spams outright bypassing BESG. They all have in common a large block of hidden text formatted like this.

|||||||||||||||||||||<<<<<<<<mail.com>>>>>>>>>=-=-=-=///////calling<<<<<<<<<<###########<<<amazon.com#############

That is one line. The emails might have 5 to 6 thousand lines in them like the above with different words.

Anyone else seeing these?



#2 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 357 posts

Posted 23 March 2017 - 02:54 PM

This is a new method spammers are using to bypass parts of our spam filtering.

Please call into Barracuda Support to learn how to increase the size of messages that we scan for.

 


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300


#3 Chiron

Chiron
  • Members
  • 18 posts

Posted 24 March 2017 - 10:19 AM

This is a new method spammers are using to bypass parts of our spam filtering.

Please call into Barracuda Support to learn how to increase the size of messages that we scan for.

Figured out where to go to increase the size. However, since taking the default setting and doubling the figure, the spammers have subsequently x3 the size of the messages. Barracuda has a problem they need to solve if they want to keep customers.



#4 Michael Manning

Michael Manning
  • Members
  • 199 posts
  • Location: Ohio, USA

Posted 29 March 2017 - 03:40 PM

We were seeing this too. In our case the common trait was that all of the BS email had contact@ some random domain in the header. Thanks to a tip from another user, we added a header filter for <contact@ and in our case sent it to users' quarantine folders just in case. May not be the best option, but maybe see if there is a common trait like this that you can use to filter.



#5 Chiron

Chiron
  • Members
  • 18 posts

Posted 30 March 2017 - 08:28 AM

We were seeing this too. In our case the common trait was that all of the BS email had contact@ some random domain in the header. Thanks to a tip from another user, we added a header filter for <contact@ and in our case sent it to users' quarantine folders just in case. May not be the best option, but maybe see if there is a common trait like this that you can use to filter.

Thanks, that little header tip did the trick. :D



#6 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 357 posts

Posted 30 March 2017 - 09:58 AM

Just adding contact@ can result in false positives for other addresses using contact@ (mycontact@ for example).

This is a much better filter to use (enter it completely including the parentheses), which should be added as a content header filter.

(from.?:.*<contact@|from.?:\s?contact@)

This will stop mail with a "FROM" header like this:

from: some name <contact@domain.com>

or

from: <contact@domain.com>

or

from: contact@domain.com




#7 Michael Manning

Michael Manning
  • Members
  • 199 posts
  • Location: Ohio, USA

Posted 30 March 2017 - 10:14 AM

Cool. I'll give that a try and see how it works.



#8 Chiron

Chiron
  • Members
  • 18 posts

Posted 30 March 2017 - 10:17 AM

Just adding contact@ can result in false positives for other addresses using contact@ (mycontact@ for example).

This is a much better filter to use (enter it completely including the parentheses), which should be added as a content header filter.

(from.?:.*<contact@|from.?:\s?contact@)

This will stop mail with a "FROM" header like this:

from: some name <contact@domain.com>

or

from: <contact@domain.com>

or

from: contact@domain.com

Thank you. I will add this and see how it works. Shouldn't take long given the volume of the "message size" spam we are getting. Most of this spam is now over 1.5 MB in size with no attachments.



#9 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 357 posts

Posted 30 March 2017 - 01:03 PM

Please also note that this will only catch mail with a header FROM of contact@.

It will not stop mail with an envelope from of contact@, which does show in the header but is a line added by Barracuda after the scan is completed:

X-Barracuda-Envelope-From: contact@neosnow.net

We have no wildcard type (regular expression) searches for the envelope (sender) address.




#10 Chiron

Chiron
  • Members
  • 18 posts

Posted 30 March 2017 - 03:52 PM

Here is another filter that will stop this same spammer (as they change their attack):

<CENTER><a href=\"http://\d+\.\d+\.\d+\.\d

We don't believe this will cause false positives and it should block more of this spammer's attack.

Is the above filter for the header or body or both?



#11 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 357 posts

Posted 30 March 2017 - 04:06 PM   Best Answer

Here is another filter that will stop this same spammer (as they change their attack):

<CENTER><a href=\"http://\d+\.\d+\.\d+\.\d

You may have to enter this on some units or the ESS service as:

<CENTER><a href=\"http:\/\/\d+\.\d+\.\d+\.\d

We don't believe this will cause false positives and it should block more of this spammer's attack.

This is a body filter.




#12 Jaybone

Jaybone
  • Members
  • 114 posts

Posted 31 March 2017 - 01:50 PM

They seem to be stuffing junk into the style tags, from what we're seeing.  I've seen some like the first mentioned in this thread, as well as others, like hundreds of lines of junk like:

!@@!@~~~~~~~~!@@@@~~~~~~~!@!@!~~~~~~~@!!@!~~~~~@!~@~~~@~~@~~!~seguinte#@@~@~@#@~@~@#@#@~$~$%#~#%~#%~~$#~$~#~$%~~~~~$~~#~#%~#%~##~~$~~$~~~~%$#%$~#~%$~~~~~~$~%~~~~~~~
!@@!@~~~~~~~~!@@@@~~~~~~~!@!@!~~~~~~~@!!@!~~~~~@!~@~~~@~~@~~!~crafters #@@~@~@#@~@~@#@#@~$~$%#~#%~#%~~$#~$~#~$%~~~~~$~~#~#%~#%~##~~$~~$~~~~%$#%$~#~%$~~~~~~$~%~~~~~~~
!@@!@~~~~~~~~!@@@@~~~~~~~!@!@!~~~~~~~@!!@!~~~~~@!~@~~~@~~@~~!~tids #@@~@~@#@~@~@#@#@~$~$%#~#%~#%~~$#~$~#~$%~~~~~$~~#~#%~#%~##~~$~~$~~~~%$#%$~#~%$~~~~~~$~%~~~~~~~
!@@!@~~~~~~~~!@@@@~~~~~~~!@!@!~~~~~~~@!!@!~~~~~@!~@~~~@~~@~~!~mutuel #@@~@~@#@~@~@#@#@~$~$%#~#%~#%~~$#~$~#~$%~~~~~$~~#~#%~#%~##~~$~~$~~~~%$#%$~#~%$~~~~~~$~%~~~~~~~
!@@!@~~~~~~~~!@@@@~~~~~~~!@!@!~~~~~~~@!!@!~~~~~@!~@~~~@~~@~~!~tocco#@@~@~@#@~@~@#@#@~$~$%#~#%~#%~~$#~$~#~$%~~~~~$~~#~#%~#%~##~~$~~$~~~~%$#%$~#~%$~~~~~~$~%~~~~~~~



#13 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 357 posts

Posted 31 March 2017 - 05:11 PM

That is correct. This is a SPAM BOT that is being used to generate spam from compromised PCs all over the world. It is being used to pack the email with massive amounts of data to fool services like ours into bypassing some of the spam scanning that we do. The filters provided are the best we have at this time to stop the spam these bots are sending out.




#14 Chiron

Chiron
  • Members
  • 18 posts

Posted 31 March 2017 - 05:45 PM

That is correct. This is a SPAM BOT that is being used to generate spam from compromised PCs all over the world. It is being used to pack the email with massive amounts of data to fool services like ours into bypassing some of the spam scanning that we do. The filters provided are the best we have at this time to stop the spam these bots are sending out.

Pity we can't trace them back to the command and control servers.

As someone famous once said: "I say we take off and nuke the entire site from orbit. It's the only way to be sure."



#15 Russell Inman

Russell Inman
  • Members
  • 3 posts

Posted 14 September 2017 - 03:18 PM

I've started seeing this again, only now a certain percentage are coming in with a newline after the CENTER tag. I've altered the regex to read:

    <CENTER>\s*<a href=\"http://\d+\.\d+\.\d+\.\d

The '\s*' should match all of the whitespace, including newlines, between the CENTER tag and the A tag, but it doesn't seem to be working.
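To see how the filters from this thread behave before entering them on a gateway, here is an added example (not from the thread or from Barracuda) that runs the header filter from post #6, the naive `contact@` filter from post #4, and the body filter from post #11 with and without post #15's `\s*` against constructed sample headers and bodies. It assumes Python `re` semantics and case-insensitive matching, which is why real-world "From:" capitalisation is used in the samples; the Barracuda engine may differ, which is what post #15 ran into.

```python
import re

# Header filter from post #6. Case-insensitive matching is an assumption,
# since real headers are written "From:" rather than "from:".
HEADER_FILTER = re.compile(r"(from.?:.*<contact@|from.?:\s?contact@)", re.IGNORECASE)
# The simple substring filter from post #4, kept for a false-positive comparison.
NAIVE_FILTER = re.compile(r"contact@", re.IGNORECASE)
# Body filter from post #11, and post #15's variant allowing whitespace/newlines
# between the CENTER tag and the anchor. Note `\"` in the pattern matches a plain `"`.
BODY_FILTER_ORIG = re.compile(r'<CENTER><a href=\"http://\d+\.\d+\.\d+\.\d', re.IGNORECASE)
BODY_FILTER_WS = re.compile(r'<CENTER>\s*<a href=\"http://\d+\.\d+\.\d+\.\d', re.IGNORECASE)

# Constructed sample headers (example.test is a reserved, non-routable domain).
HEADERS = {
    "display_name": "From: Some Name <contact@example.test>",
    "bracketed": "From: <contact@example.test>",
    "bare": "From: contact@example.test",
    "mycontact": "From: Jane <mycontact@example.test>",   # legitimate, should NOT match
    "other": "From: Jane <jane@example.test>",            # legitimate, should NOT match
}

# Constructed sample bodies; 192.0.2.0/24 is the documentation address range.
BODIES = {
    "adjacent": '<CENTER><a href="http://192.0.2.10/x">click</a></CENTER>',
    "newline": '<CENTER>\n  <a href="http://192.0.2.10/x">click</a></CENTER>',
    "hostname": '<CENTER><a href="http://example.test/x">click</a></CENTER>',  # no dotted IP
}


def hits(pattern, samples):
    """Return the sorted names of the samples the pattern would block."""
    return sorted(name for name, text in samples.items() if pattern.search(text))


def header_hits(pattern):
    return hits(pattern, HEADERS)


def body_hits(pattern):
    return hits(pattern, BODIES)


if __name__ == "__main__":
    # The naive filter also blocks the legitimate mycontact@ sender; post #6's does not.
    print("naive header filter :", header_hits(NAIVE_FILTER))
    print("post #6 header filter:", header_hits(HEADER_FILTER))
    # Only the \s* variant catches the body with a newline after <CENTER>.
    print("post #11 body filter :", body_hits(BODY_FILTER_ORIG))
    print("post #15 body filter :", body_hits(BODY_FILTER_WS))
```

Running it shows the mycontact@ false positive disappearing with the anchored pattern, and the newline case passing only the `\s*` variant, so if the same pattern fails on a unit the difference lies in that unit's regex engine rather than in the expression.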



#16 Michelle Exner

Michelle Exner

    BSF / BESS Moderator

  • Moderators
  • 357 posts

Posted 14 September 2017 - 04:05 PM

I would suggest that you call into Barracuda Support for assistance as we believe that the spammer is reading our forum to discover how we are suggesting blocks for his mail.

You may also want to consider using the Cloud Protection Layer (Barracuda Pre-Filter) which can stop quite a bit of this mail without extra filtering.

