More spam from

I get a lot of spam.  Most of it, thankfully is blocked by dspam but occasionally i get some through the filter.  One that particularly caught my eye was interesting not so much what it was advertising (I don’t read that part of the email) but where it came from and goes to.

Normally there are two service providers involved in spam.  The email comes from (or via) one and then the spamvertised website is another.  The interesting thing is for this spam both of these were the same service provider. The email came from and the spamvertised website was Both of these addresses are owned by  I punted the email to spamcop and it said that they’re not interested in spam reports.

A few google queries shows that these guys seem quite happy to have spam sources and destinations and have been doing it for years.  They either appear as or unbiquity servers but they are one and the same organisation, or at least related.

I won’t bother to send anything to them, it seems this has been done many many times by others with no results. Instead some CIDR blocks will be put into my blacklist.

Enhanced by Zemanta

Anti-Spam Fails

A day or two ago I tried sending an email to a friend who happens to use the Road Runner ISP for his mail service.  Now this ISP doesn’t like dynamic IP addresses (using the increasing inaccurately named Dial Up List) so I have to punt the email through my ISP’s mailserver first.  Now that server is telling me this:

The reason for the problem: 4.3.2 – Not accepting messages at this time 554-‘5.7.1 – ERROR: Mail refused – <> – See’

So their ISP mailserver is refusing connections from my ISP’s mailserver for some reason, probably on some spam list.  There’s a URL to look up the problem, so going there gives you three things:

  1. A redirection to
  2. A badly configured webserver that uses the above URL with a certificate for
  3. A page that says “It works”

Either Road Runner or Senderscore, preferably both, need to get a clue. Oh and going to gives connection refused. A bit of digging around shows the correct URL is

Now I just realized that my SSL certificate for expired on the weekend so I know these things can happen, but I’m one person (who was away for a while), why can’t companies get their act together?

Enhanced by Zemanta

Lottery from ancient rockers

Apparently I’ve won the lottery. What is even more amazing is that it is one based not in Australia but in the UK ELO (England Lottery Organisation) and I didn’t even buy a ticket.  Even more amazing is even though this organisation is based in England, they don’t write English very well; perhaps its declining school standards. They’re so concerned about giving you the maximum return on the dollar (or pound) they don’t even use a proper email address but a free webmail from umail.

It is, of course a scam. Popularly known as Nigerian 419 or advanced-fee fraud. You can win the money but.. well it seems there is some holdup and you need to pay some “release fee” or some bribe to get your dollars.  What makes me a little sad is it was for only 250,000 UK pounds. I feel ripped off as a few google searches showed people being offered over 500,000 pounds on the same scam. Don’t these crooks know I have a high aussie dollar exchange rate to overcome?

About the only interesting thing about it was that my dspam filters missed it but they’ve now been retrained with that miss. I think sending it as a pdf was why it made it through.

And I now cannot get ELO (Electric Light Orchestra) songs out of my head, thanks a lot scammers! (It’s a livin’ thing, ya know)

Enhanced by Zemanta

Filtering base64 encoded spam

I hate spam, though I get an awful lot of it. About 1/3 of my email is spam, though on a bad day the ratio can be reversed. If you want to see just how much spam I get, I’ve used to have a nice graph of spam. To get rid of it I use a lot of filters. One of these is the Postfix Body Checks feature. This feature allows you to match lines in the body of the email and reject them at the server. I use Perl Compatible Regular Expression (PCRE) matching for the lines.

Recently though, I noticed a lot of spam, usually about Viagra, that was passing through my spam traps. I noticed the emails all talk about a small set of webservers, so I’ll just filter on the urls. It didn’t work.
SpamAssassin in the end gave me the hint.

X-Spam-Status: No, hits=0.0 required=5.0

It was base64 encoded email! That’s why my simple PCRE text matches would not work. So I needed to use something else.

This page is about how to filter on base64 text that appears in emails. I have used examples of PCRE and postfix but you can use this anywhere else, with the appropriate adjustments of where the files go and their syntax.

How to filter

A standard filter line in a postfix body_check file looks something like this:


This is the old iframe hack that some spammers use to sneak URLs into your email.They are nice and clear and we just reject them. All we have to do now is change the stuff between the “toothpicks” // to what we want.

Here’s an example spam I got today, its offering the usual garbage this shonks usually offer. Remember if they don’t advertise ethically, it is often a sign of their entire operation.

In this case, I’ve decided I cannot be bothered getting any emails that advertise stuff on, I get enough junk already and it’s probably a front for spammers anyway, so I’ll filter on that domain. You need to make the string reasonably long as you are effectively cutting off parts of it.

Debian systems have this program called mimencode, some of you might have mmencode, which is part of the Metamail package. This does the base64 encoding for you.

So all you need to do is take the string you want filtered on, put it into mimencode and then put the resulting string into the postfix configuration. You need to do this three times, deleting a character at the front each time because base64 is done by cutting the strings up into groups of three characters each and you don’t know in advance if the your string is going to start at position 1,2 or 3.

gonzo$ echo -n "" | mimencode
gonzo$ echo -n "ttp://" | mimencode
gonzo$ echo -n "tp://" | mimencode

Next you need to remove part of the encoded string at the end. Remember that 3 characters are encoded into 4 symbols. So character one contributes to symbol 1 and 2, two to 2 and 3 and three to 3 and 4. The = means the string was not a multiple of 3 and it needs padding. If the encoded string has no =, you can use it as-is, otherwise remove all = plus one more character at the end of the string. Remember that you are cutting off up to two characters from your regular expression from both ends so be careful it is still meaningful. The last string for example is only matching “tp://” which still looks ok.

Finally, you can join the strings using the regular expression “or” symbol. Also be careful to escape any strings that use special regular expression characters. Base64 can have plus ‘+’ and slash ‘/’ which need
escaping with a backslash .


I have a bypass line in my setup so usually any lines that are base64 encoded are bypassed, so if you have the same thing make sure this line goes before your bypass line or it will never match. We also need to tell postfix to use case sensitive matching because it is base64 hash we are matching and not the real string itself, so we use the i flag after the last slash . The relevant lines in the body_checks file are now:

/(HR0cDovL3d3dy5zZWxsdGhydW5ldC5uZXQv|dHRwOi8vd3d3LnNlbGx0aHJ1bmV0Lm5ldC|dHA6Ly93d3cuc2VsbHRocnVuZXQubmV0L)/i REJECT Spamvertised website
# don't bother checking each line of attachments
/^[0-9a-z+/=]{60,}s*$/                OK

To test it, I use pcregrep and mimencode again, on the mail file. This will show in clear text the spamming line and gives you an idea that it should work.

$ pcregrep 'dHRwOi8vd3d3LnNlbGx0aHJ1bmV0Lm5ldC' /var/mail/csmall  | mimencode -u">&ltl;im//