Sponsored by..

Monday 15 January 2007

"Incredimail" spam

A novel twist to the CBFE pump and dump spam that's been doing the rounds is a large scale run of spam messages using an Incredimail template to fool spam filters. [Click the image to enlarge]

The trick here is that Incredimail uses a lot of embedded images, as does the recent batch of P&D messages.. so if a filter has been "detuned" to let these templates through, then the spam can slip through on the back of it.

In this particular case, the CBFE spam is encoded with the Windows-1251 Cyrillic character set which makes it distinctive, although that will probably change.

If you roll your own filters, look for X-Mailer: IncrediMail in the headers, and charset="windows-1251" on each MIME boundary.

If you use Postini, you could create an inbound filter of Header | contains | X-Mailer: IncrediMail and set Message Disposition to "User Quarantine".

There's probably no harm for most people in scoring messages with Incredimail templates higher for spam as very little of it will be business related.

1 comment:

Thunder said...

yes, you posted too.

i don't have any filters... It's a pretty thing design anti-spam filters...