My Spam analysis for April 7 - 13, 2008
After taking one week off from analyzing my spam (junk-mail) statistics, I am resuming them this weekend. I have instituted email spam filters on my website's mail server, which have greatly reduced the amount of spam I see. The balance that does get through is identified and either flagged as spam or instantly deleted by my POP3 mail anti-spam tool, MailWasher Pro. MailWasher Pro identifies spam by a combination of methods, including custom-written personal spam filter rules. I have created a large assortment of spam filters which "plug in" to MailWasher Pro to flag or delete known spam. You can read about them, or download and use them in your own registered copy of MailWasher Pro.
On to the spam analysis at hand!
My analysis of this week's spam shows that male enhancement pills and other pharmaceuticals have reclaimed the top spot in my spam categories, with counterfeit brands of watches, clothes and shoes and Google redirect exploits to fake "video codecs" (e.g., the Zlob Trojan and other Trojan Horse executables) following closely behind. All of the spam emails for pharmaceuticals have links to websites hosted in China or Korea. Most of the fake and counterfeit goods, drugs, enhancement pills and herbal solutions being spamvertised are produced in China. Foremost among these are fake pharmacy websites, like the so-called "Canadian Pharmacy," which is not in Canada at all (it's in China and Indo-China), nor, despite the presence of fake accreditation logos, is it approved to sell pharmaceuticals in the US or Canada. Most of the fraudulent "Canadian Pharmacy" web pages are now hosted on compromised home or office PCs that are unknowingly members of various spam Botnets. In fact, virtually all of the billions of spam messages hitting our inboxes these days come from zombie computers, used as spam relays, in various Botnets.
As was the case before, the category "Other Filters" has the largest percentage in this week's spam analysis. That category contains all manner of miscellaneous filters that are matched by supposedly clever email subjects, such as: one word subject, digits and consonants senders, various HTML tricks, 2 line spam tricks, and some good old Nigerian 419 lottery and financial fraud scams. The main spam categories that rated a measurable percentage are listed below.
The current percentage of identified spam that made it through the filters on my mail server is 34% for the week ending April 13, 2008. These messages were all identified and dealt with by MailWasher Pro. I assigned some truly miscellaneous messages to the "learning filter" which then flags any similar messages as spam, making them easy to spot in the message list. This has earned the category "Learning Filter" a small spot in the list below. :-)
MailWasher Pro spam category breakdown for April 7 through 13, 2008.
| Category | Percentage |
|---|---|
| Other filters (see my MWP Filters page) | 30.23% |
| Male enhancement spam (subject and body) | 11.63% |
| Blacklisted (by pattern matching) | 8.14% |
| Counterfeit clothing and shoes | 7.39% |
| Google Redirect Exploits (to hostile downloads) | 6.98% |
| Misc spam to a protected account | 5.81% |
| One word spam subjects | 4.65% |
| DNS Blacklists | 4.65% |
| Pharmaceutical spam (includes Viagra and Cialis) | 4.65% |
| Other Pills | 4.65% |
| MaxDik spam | 4.65% |
| Counterfeit Watches | 3.49% |
| Bayesian learning filter | 1.16% |
If you are reading this and wondering what you can do to reduce the huge volumes of spam emails that must be overwhelming your POP client inboxes, I recommend MailWasher Pro (with my downloadable custom filters) as a front-end screener to your POP email program (Microsoft Outlook, Microsoft Outlook Express, Microsoft Mail, Eudora, Mozilla and other stand-alone email programs).
I mentioned in this article that I use MailWasher Pro to screen and filter out spam before it is downloaded to Outlook Express (or your equivalent POP3 email client), and that it allows the use of special pattern matching of senders' addresses to blacklist them. I thought I would share the five main pattern matching blacklist filters with you. You can use them in MailWasher, if you have it, or on your web site's cPanel, in the account-wide email filters section, if you know how to use that feature. Here are the 7 "biggies" that typically block 50%+ of all spam.
I set my blacklist to automatically delete, so I never see a message that is matched by these filters. If you choose to do the same you had better add all of your legitimate contacts to your Friends List, just in case. I also apply the same filter rules to my email server, on my website, thus eliminating a sizable percentage of spam without making MailWasher do the work. Those rules are listed below the equivalent MailWasher filters.
My MailWasher Pro custom BlackList wildcard patterns for current forged senders of spam:
MailWasher BlackList code: _+@+.+
Regular Expression for mail server filter use: _.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: _
Discard message
MailWasher BlackList code: -+@+.+
Regular Expression for mail server filter use: -.+@.+
Plain text filter for mail server: FROM: BEGINS WITH: -
Discard message
MailWasher BlackList code: dw+m@+.+
Regular Expression for mail server filter use: dw.+m@.+
Discard message
MailWasher BlackList code: lin+met@+.de
Regular Expression for mail server filter use: lin.+met@.+\.de
Discard message
MailWasher BlackList code: tequil*a+@+.com
Regular Expression for mail server filter use: tequil.*a.+@.+\.com
Discard message
MailWasher Blacklist code: [email protected]
Regular Expression for mail server filter use: .+@bestdebtrepair\.net
Discard message
NEW MailWasher Blacklist code (3/27/08): [email protected]
Regular Expression for mail server filter use: .+@freenet\.de
Discard message
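The wildcard patterns above can be checked against sample senders before they are set to auto-delete. The following is an added example, not the author's code or part of MailWasher: it assumes, from the pattern/regex pairs in this post, that `+` means one or more characters and `*` zero or more, and it compares anchored matching with an unanchored search. The sender addresses are constructed.

```python
import re

# Wildcards copied from the list above; the two entries shown only as
# "[email protected]" are left out because their text is not on the page.
PATTERNS = ["_+@+.+", "-+@+.+", "dw+m@+.+", "lin+met@+.de", "tequil*a+@+.com"]

def wildcard_to_regex(pattern):
    # Assumption inferred from the post's pattern/regex pairs:
    # '+' = one or more characters, '*' = zero or more, all else literal.
    parts = []
    for ch in pattern:
        if ch == "+":
            parts.append(".+")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def blacklisted(address, anchored=True):
    """Return the first wildcard that matches the bare sender address."""
    for pattern in PATTERNS:
        rx = wildcard_to_regex(pattern)
        if anchored:
            hit = rx.match(address)
        else:
            # Simulate a filter engine that searches anywhere in the string
            # by dropping the leading ^ and trailing $.
            hit = re.search(rx.pattern[1:-1], address, re.IGNORECASE)
        if hit:
            return pattern
    return None

# Constructed sample senders (not taken from real mail).
SAMPLES = [
    "_promo77@mailer.example",     # leading underscore
    "-deals@shop.example",         # leading hyphen
    "dwxyzm@bulk.example",         # dw...m local part
    "linABCmet@host.de",
    "tequila9@bar.com",
    "john_smith@company.example",  # legitimate: underscore in the middle
]

def report():
    """Map each sample to (anchored result, unanchored result)."""
    return {s: (blacklisted(s), blacklisted(s, anchored=False)) for s in SAMPLES}

if __name__ == "__main__":
    for sender, result in report().items():
        print(sender, result)
```

With anchoring, `john_smith@company.example` passes; with an unanchored search the underscore rule discards it, which is why the "BEGINS WITH" form or a leading `^` matters when the action is automatic deletion.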
Here is my custom filter rule that matches senders with a forged domain name on both sides of the @ sign:
[enabled],[email protected],BlackList,0,AND,Delete,Automatic,EntireHeader,containsRE,"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1"
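To see what this rule's regular expression fires on, the added example below (not the author's code) runs it over constructed headers. It assumes the filter engine treats `^` as start-of-line and lets `.` cross line breaks, expressed in Python as `re.MULTILINE | re.DOTALL`; in the constructed `Received:` line the `@` sits in the `for <...>` clause, and `example.org` is a placeholder domain.

```python
import re

# Regex copied from the filter rule above. Assumption: the engine applies it
# to the whole header block with '^' matching at each line start and '.'
# matching newlines.
RULE = re.compile(
    r"^Received: from.*@(([\w\d]*)\.\w{2,4}).*^From:.*<\w{2,}\2\w+?@\1",
    re.MULTILINE | re.DOTALL,
)

# Constructed Received header; addresses and hosts are placeholders.
RECEIVED = (
    "Received: from unknown (HELO mail.example.net) (203.0.113.5)\n"
    "  by mx.example.org with SMTP for <bob@example.org>; Mon, 7 Apr 2008\n"
)

def check(from_line):
    """Return (domain, domain label) captured by the rule, or None if it does not fire."""
    headers = RECEIVED + from_line + "\nTo: bob@example.org\nSubject: hello\n"
    hit = RULE.search(headers)
    return (hit.group(1), hit.group(2)) if hit else None

def demo():
    return {
        # Domain label repeated inside the local part, same domain after the @.
        "forged": check('From: "Best Deals" <qzexampleorders@example.org>'),
        # Same domain, but the local part does not embed the domain label.
        "plain_local_part": check('From: "Alice" <alice@example.org>'),
        # Label embedded, but the From domain differs from the captured one.
        "other_domain": check('From: "Best Deals" <qzexampleorders@shop.example>'),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Group 1 is the domain taken from the `Received:` line and group 2 its first label; the rule only fires when the `From:` address carries that label inside the local part and the same domain after the `@`.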
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.