Solved

What kind of spam is this and how do I filter it?

Posted on 2014-04-17
Last Modified: 2015-04-28
Our Exchange server has been getting spam/junk mail that contains only one or two sentences of garbled information... like a line or two from a strange play, novel, press release.

We've received three in the last 24 hours, all from different domains and they have no attachments, advertisements, or links.

Here is an example...

"The Volcano closed for a second and more elaborate renovation in February 2008 and reopened on December 8, 2008. This led him to new ideas. Black Music Research Journal 8."

What exactly are these and how do you filter them when they have no malicious content and keep coming from different domains each time to get around the blacklisting I do?

Thanks for the help,

Ryan
0
Question by:Ryan Gates
8 Comments
 
LVL 5

Assisted Solution

by:Pasha Kravtsov
Pasha Kravtsov earned 63 total points
ID: 40008022
Honestly, that's a tough dilemma you're dealing with. It might seem as if you're going to have to blacklist every one of those domains by hand. That's the only way I can think of.
0
 

Author Comment

by:Ryan Gates
ID: 40008050
This is crazy... I've put all the offending domains on a blacklist and still get more. The most recent one, from yet another new domain, had the subject:

Hello Ryan (the sender has my name)

And then read:

The background in the arms is red. Andrew Young is affiliated. The palace has many lovely gardens and an oratory recreated from the ruins of the ancient Sunrunner Keep.

These are strange and annoying... Help?
0
 
LVL 34

Assisted Solution

by:Dan Craciun
Dan Craciun earned 63 total points
ID: 40008228
I'd think these are probably tests and the real spam is yet to come. They are testing to see if the emails get through, what triggers your spam filter.

The palace reference is from here: http://melanierawn.wikia.com/wiki/Dorval
and the volcano from here: http://en.wikipedia.org/wiki/The_Mirage

Dan
0
 

Author Comment

by:Ryan Gates
ID: 40009067
I've been thinking the same thing, Dan... being tested before something nasty. I'm blacklisting and monitoring all incoming closely. I wish there were a way to guard against this better. I can't think of anything but thought it was worth an ask, here.

Dan, thanks for the reference links. Have any of you ever seen this type of 'testing'?

Ryan
0
 
LVL 16

Expert Comment

by:dhsindy
ID: 40191304
Does Exchange have a filter for size like Thunderbird?

These all look like small simple messages. You could experiment by setting up a folder and filtering your emails by size and see if you can trap them that way. More difficult would be setting up a whitelist of addresses you will accept from.
0
 
LVL 23

Accepted Solution

by:
Brian B earned 62 total points
ID: 40535889
It may also be the spammer's software is broken and not sending the link. Blacklisting the domain won't help as that is reactive. The domain will keep changing, and is probably spoofed anyway.

I started using a realtime blackhole list in conjunction with a spam filter (Spamhaus Zen works really well) and most of that stuff disappeared.
0
 
LVL 16

Assisted Solution

by:dhsindy
dhsindy earned 62 total points
ID: 40538435
Another idea would be to review the headers and see if they contain the IP address or an ISP provider that you could contact. I usually just ignore spammers like that and they get bored after a while with tormenting you.
0
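The two suggestions above (a realtime blackhole list such as Spamhaus Zen, and reading the headers for the sending IP) combine into one check, sketched here as an added example that is not part of the original thread. The sample message, the trusted relay range `10.0.0.0/8`, and all function names are constructed for illustration.

```python
import email
import ipaddress
import re
import socket

ZONE = "zen.spamhaus.org"  # the list named in the accepted answer
# Coarse map of ZEN answers (last octet) to the component list that matched.
CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL", 10: "PBL", 11: "PBL"}

# Constructed sample; 198.51.100.0/24 is a documentation range.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [10.0.0.5])
\tby exch01.example.org; Thu, 17 Apr 2014 09:12:01 -0400
Received: from unknown (HELO smtp.example.net) ([198.51.100.23])
\tby mail.example.org; Thu, 17 Apr 2014 09:12:00 -0400
From: someone@example.net
Subject: Hello Ryan

The background in the arms is red.
"""

def connecting_ip(raw, trusted=("10.0.0.0/8",)):
    """IP from the newest Received header that is not one of our own relays.
    That header was written by our server; older ones can be forged."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for hdr in email.message_from_string(raw).get_all("Received", []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        if m and not any(ipaddress.ip_address(m.group(1)) in n for n in nets):
            return m.group(1)
    return None

def query_name(ip, zone=ZONE):
    """DNSBL lookup name: IPv4 octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def classify(answer):
    if answer is None:
        return "not listed"
    net, _, last = answer.rpartition(".")
    if net == "127.0.0":
        return "listed: " + CODES.get(int(last), "other")
    return "error"  # e.g. 127.255.255.x: query refused or misrouted, never a listing

def check_message(raw, resolve=socket.gethostbyname):
    """Return (ip, verdict); pass `resolve` to test without network access."""
    ip = connecting_ip(raw)
    if ip is None:
        return None, "no external hop"
    try:
        answer = resolve(query_name(ip))
    except socket.gaierror:  # NXDOMAIN means the address is not on the list
        answer = None
    return ip, classify(answer)
```

Treating every non-`127.0.0.x` answer as an error matters in practice: a filter that reads any DNS answer as "listed" will reject all mail when the list refuses its queries, for example when they arrive through a shared public resolver.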
 
LVL 16

Expert Comment

by:dhsindy
ID: 40560917
>> Have any of you ever seen this type of 'testing'?

I remember getting something like this years ago for a while on an old account. I don't recall ever finding a filtering method because everything was so random and unpredictable.

The action I took was to simply delete without any kind of response. It eventually stopped. This could be someone just testing for valid addresses from a list they have purchased.
0
