convincing spam from CNN

Mad_Moggies
Rising Star
Posts: 1,285
Thanks: 43
Registered: ‎01-08-2007

Re: convincing spam from CNN

Quote from: Bob
Anything with the x-pstn-xfilter: y header *is* marked as spam. The x-pstn-neptune-cave-rslt: qtine header on the other hand reduces the spam score by 20 (or resets it to 0) - this makes it far more likely to be identified as spam. Problem with some of these messages though is the fact that Postini is scoring them so high.
I get the impression from this thread and some of the tickets in our ticket pools that there are now less and less of these messages with the x-pstn-xfilter: y header Sad

Yes, sorry Bob. The 'y' ones got through at the start but you reset things so they get caught now, didn't you! (It's still in my filter from before you changed it).
Re the 'qtine' ones, that's exactly what I was saying in my earlier post this morning, that they're being scored too high by Postini to end up in the Spam folders.
It's not all of them that are being scored too high, just a few, so I suppose it's something to do with what the included headlines are. All those that got through to the computer are identical - "Men say they've found a Bigfoot" and "The ugly side of beauty" as the two main 'stories'. I can't check if those that got caught were the same or different as I've deleted them all in webmail now!
Plusnet user since November 2003
Full Fibre since September 2023
Mac OS14 and Firefox user with latest versions of both
mikeb
Rising Star
Posts: 463
Thanks: 15
Registered: ‎10-06-2007

Re: convincing spam from CNN

Quote from: Bob
I get the impression from this thread and some of the tickets in our ticket pools that there are now less and less of these messages with the x-pstn-xfilter: y header Sad

"x-filter" historically appears to generally be a very short-term fix (that's short as measured in postini time mind you so usually around a week or two) and none of the most recent CNN spams I've received have had this header. Unfortunately, quite a few of them have had scores of 99.9% with perhaps the majority having scores between 50% and 90% so they just come sailing straight through.  Most of them seem to use the previous day's genuine CNN message as a template so are almost guaranteed to get high scores.  I didn't get as many overnight as I was expecting but still a fair old few and I've not had my genuine CNN messages as yet either  Undecided Never mind, some more very nice vids in all the spammy messages to look at while I wait (*)
BTW, as mentioned somewhere before, I've also had them allegedly from something@something.cnn.com (but clearly they're not of course) so filtering on !(something@something.cnn.com) won't necessarily work, it would have to be filtered against !(a_valid_CNN_ip) rather than the much easier alleged from address.  Incorporating the "GT1" filter in the test would quite probably do it without having to go the IP checking route tho because all the genuine CNN messages I have appear to trigger this category filter whereas the spammy ones (currently) do not.
How come I have some messages appearing to bypass neptune completely tho ?
(*) Yup, that's right, I've happily clicked and watched almost all of them at some time or another but fear not, no problem because Mr.Spammer is way too lazy to tweak all of the links to dodgy ones !  It's only those peeps viewing the dodgy html message that get caught out - any half-decent reader should probably reject the html as iffy anyway but as I only get to see the good old plain text version, all I get is the original genuine CNN message and could easily spot dodgy links if there were any so all is well Wink
Micro$oft and html: making life easier for spammers/hackers almost since time began  Tongue


B T Plusnet, a bit kinda like P T Barnum ...

... but quite often appears to feature more clowns Tongue
ChrisL
Rising Star
Posts: 760
Thanks: 4
Fixes: 1
Registered: ‎13-12-2007

Re: convincing spam from CNN

Quote from: mikeb
How come I have some messages appearing to bypass neptune completely tho ?

Are all the ones missing the Neptune filter going through the same Postini array?
Quote
Received: from source ([84.148.244.68]) by exprod5mx200.postini.com ([64.18.4.11]) with SMTP;
  Sun, 17 Aug 2008 15:34:08 MDT
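As an added example (not code from anyone in this thread), here is a small Python check implementing the two heuristics mikeb and ChrisL discuss: treat x-pstn-xfilter: y as spam outright, and compare the source IP in the Postini Received line against the claimed From domain instead of trusting the From address. The allowlisted netblock 192.0.2.0/24 and the sender addresses are constructed placeholders, not CNN's real relays.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist standing in for a newsletter sender's real netblocks.
# 192.0.2.0/24 is an RFC 5737 documentation range, not a CNN address range.
TRUSTED_SENDERS = {"cnn.com": [ipaddress.ip_network("192.0.2.0/24")]}

# Matches the Postini edge-MX Received line shape quoted in the thread.
RECEIVED_RE = re.compile(r"from \S+ \(\[(\d+\.\d+\.\d+\.\d+)\]\) by \S*postini\.com")

def source_ip(msg):
    """Return the IP the Postini MX accepted the message from, or None."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))  # unfold the header first
        if m:
            return ipaddress.ip_address(m.group(1))
    return None

def classify(raw):
    """Return (verdict, reason) using the x-pstn-xfilter and relay-IP checks."""
    msg = message_from_string(raw)
    if (msg.get("x-pstn-xfilter") or "").strip().lower() == "y":
        return "spam", "x-pstn-xfilter: y"
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Allowlist lookup covers subdomains, e.g. something.cnn.com -> cnn.com
    key = next((d for d in TRUSTED_SENDERS if domain == d or domain.endswith("." + d)), None)
    if key is None:
        return "unknown", "sender domain not on allowlist"
    ip = source_ip(msg)
    if ip is None:
        return "unknown", "no Postini Received header"
    if any(ip in net for net in TRUSTED_SENDERS[key]):
        return "ham", f"{ip} is a known {key} relay"
    return "spam", f"From claims {domain} but relay {ip} is not a {key} address"

def sample(ip, sender, extra=""):
    """Constructed header set in the shape of the Received line quoted above."""
    return (f"Received: from source ([{ip}]) by exprod5mx200.postini.com ([64.18.4.11]) with SMTP;\n"
            f"  Sun, 17 Aug 2008 15:34:08 MDT\nFrom: CNN Alerts <{sender}>\n{extra}Subject: CNN.com Daily Top 10\n\nbody\n")

FORGED = sample("84.148.244.68", "something@something.cnn.com", "x-pstn-neptune-cave-rslt: qtine\n")
GENUINE = sample("192.0.2.10", "alerts@cnn.com")           # constructed relay inside the allowlist
XFILTERED = sample("84.148.244.68", "alerts@cnn.com", "x-pstn-xfilter: y\n")

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE), ("xfiltered", XFILTERED)):
        print(name, *classify(raw))
```

Messages whose From domain is not on the allowlist come back as "unknown" so the check only ever overrides Postini's own score for senders you have explicitly enumerated.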
4steve
Newbie
Posts: 2
Registered: ‎18-08-2008

Re: convincing spam from CNN

The damage this is doing based on what we're getting at work:
- "Antivirus 2008 /2009 /XP" - Malicious program, a pain to remove.
- Screen saver / Desktop / Login background image changed to "oh no you're infected" messages.
- On a few machines we've had something sending out tons of spam causing our customers to get blacklisted in some cases.
We haven't come up with a clear cut fix yet - our customers want fast patch-it-up jobs right now. We're using combinations of Eset online scanner (http://www.eset.com/onlinescan/scanner.php?i_agree=14), spywareinfo.com/xscan, some inhouse stuff and a lot of crawling through registry entries. Eset NOD seems most effective at catching these but that's only compared to a few other AV solutions.
- I thought this info might help anyone who has problems with this - it's causing £££s worth of damage for our clients.
It's not just plus.net btw - we have customers on loads of different lines.
ChrisL
Rising Star
Posts: 760
Thanks: 4
Fixes: 1
Registered: ‎13-12-2007

Re: convincing spam from CNN

@4steve
Does this link from earlier in the thread give you any help?
http://www.usenix.org/event/hotbots07/tech/full_papers/chiang/chiang_html/
The trojan seems to use services.exe so you might do some good if you can replace this file on an infected machine with a clean version?
Chris
geewizz
Grafter
Posts: 1,125
Registered: ‎01-08-2007

Re: convincing spam from CNN

@4steve : Can't you just ban those people who click on spam mails from having internet access at their work?
4steve
Newbie
Posts: 2
Registered: ‎18-08-2008

Re: convincing spam from CNN

If it was up to me step one of the fix would be pulling leads from the patch panels.

@ ChrisL, that's scary lol - but thanks.
artmo
Aspiring Champion
Posts: 19,524
Thanks: 421
Registered: ‎12-08-2007

Re: convincing spam from CNN

Quote from: geewizz
@4steve : Can't you just ban those people who click on spam mails from having internet access at their work?

I think a lot of companies are now banning surfing of any kind at work.  I guess it's not easy to ban specific clicking activities though.
xpcomputers
Grafter
Posts: 461
Thanks: 1
Registered: ‎13-04-2007

Re: convincing spam from CNN

Quote from: geewizz
@4steve : Can't you just ban those people who click on spam mails from having internet access at their work?

I read the original comment as being, that he works for a computer repair place fixing computers for their clients. So the affected machines (of their clients) could be home users or businesses. Businesses could pull the plug on their users' internet access, but who'd do that for the home users? (who arguably are the worst culprits of propagating this mess!).
Maybe all internet users should be forced to pass an exam before being allowed to connect to the internet!  Wink  Cool
A lot of these sorts of problems could be solved by better education of the general public!
artificer
Grafter
Posts: 1,850
Registered: ‎11-08-2007

Re: convincing spam from CNN

despite a fairly comprehensive driving test, there are still idiots driving on our roads.
essexboy
Grafter
Posts: 25
Registered: ‎01-04-2008

Re: convincing spam from CNN

Quote from: artmo
Quote from: Stiggy
A naive question no doubt, but....
Is there anyone in the world who actually tries to track down these scum and prosecute them?

Occasionally there is a prosecution but only of some of the small-time operators.  The big boys seem to have immunity.  I think most of them operate from Russia or China and a blind eye is turned to them.

Things are changing. The very fact that the major spam operations are managed from an ever decreasing number of locations means we are driving the spammers into a corner.
The Feds in America are starting to bow to public pressure and there have been a rising number of successful prosecutions in recent times.  Though as you point out they are not the big fish.  Who does what around the world varies.  China doesn't appear to want to cooperate,  Australia is very aggressive.   Europe contains countries such as Italy and Spain who have a somewhat more laid back attitude towards laws and their keeping.  Britain I am frankly disappointed with.
It does sometimes feel a bit like Gulliver in Lilliput from the viewpoint of the little guy but with enough cotton threads you can tie down even the biggest of giants. 
Various groups are working in various niches to look for places to attack the spammers but there is a lot to attack.  There is a big wave of cooperation going on between some of these groups and data and conclusions are being exchanged and added to the evidence presented to The Authorities to strengthen the case.  Overall it needs agreements between nations to be put into place so that the spammers can be brought before the courts, this takes time.  Also it needs those earning a living from supplying the internet to get its act together.  And there are times when I do consider arguing in favour of compulsory sterilization of those who persist in clicking the links.
On that last point there is something we can ALL do.  The next time your muppet of a mate says he got hacked or caught a virus, don't laugh.  Call them what they are, expletives and all.


ChrisL
Rising Star
Posts: 760
Thanks: 4
Fixes: 1
Registered: ‎13-12-2007

Re: convincing spam from CNN

Quote
It does sometimes feel a bit like Gulliver in Lilliput from the viewpoint of the little guy but with enough cotton threads you can tie down even the biggest of giants.

Better get spinning!
http://www.guardian.co.uk/technology/2007/nov/29/hacking.news
http://www.nytimes.com/2007/05/29/technology/29estonia.html?_r=1&oref=slogin
http://www.isrjournal.com/story.php?F=2756602
etc
bobpullen
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: convincing spam from CNN

Apologies if somebody's already pointed to this however I've just stumbled across this recent advisory from Google and Postini.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵