Incompetent virus

Bah, SpamAssassin here is picking up lots of attempted viruses being sent to me, which isn’t that strange, except that ClamAV doesn’t spot them. Turns out the reason it’s not spotting them is that when you look at the email it looks like it’s forgetting to attach the virus payload, so it’s actually a completely safe (though annoying) email. D’oh!

The messages have an attachment that’s labelled application/x-compressed & base64 and given the name of a zip file, but then instead of the expected payload it has the text %TS_ZIP_ATTACH%. I’m not the only one though, there are plenty of archived messages to lists with the same.

Of course, this begs the question of how it’s spreading in the first place.

New twist on spam redirection

Rich Boakes writes about spammers creating Yahoo Groups to post their messages in and then using referral spam to entice people to read them, but today I received a spam in email with another new twist on redirection.

It looks like, to get around the (highly effective) URL blacklists that contain the URLs of the spam sites the spammers send you to, they are now using legitimate sites’ badly written redirect scripts to bounce you onto their rubbish. They are taking advantage of buggy scripts that allow you to specify the URL to redirect you to, rather than tying you into a list of allowed sites.

Because tools like SpamAssassin look at the URL rather than the arguments to the script (delimited by the ? in the URL), they are currently not matching those arguments against the blacklists.

I guess in a little bit we’ll see an upgrade to SpamAssassin to add checks to the arguments in the URL to make sure they’re not spam sites, and I guess a possible blacklist of broken redirect script URLs!
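A sketch of the kind of argument check described above, as an added example (not SpamAssassin's code and not from the original post): it pulls destination URLs out of a link's query string, including percent-encoded and bare `?http://...` forms, and tests every host against a blocklist. The function names and the blocklist entries are hypothetical.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample blocklist; these domains are placeholders, not real listings.
BLOCKLIST = {"spam-pills.example", "cheap-watches.example"}

def _host(value):
    """Return the lowercased hostname if value is an http(s) URL, else None."""
    if value.startswith("//"):
        value = "http:" + value  # scheme-relative destination
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower().rstrip(".")
    return None

def embedded_hosts(url, depth=3):
    """Host of the URL itself, then hosts of any URLs carried in its query string."""
    host = _host(url)
    if host is None:
        return []
    hosts = [host]
    if depth == 0:
        return hosts
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; unquote again to catch double-encoded targets.
        # The key is checked too, for scripts called as redirect?http://target/
        for candidate in (key, value, unquote(key), unquote(value)):
            for h in embedded_hosts(candidate, depth - 1):
                if h not in hosts:
                    hosts.append(h)
    return hosts

def listed(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain is on the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def check_url(url, blocklist=BLOCKLIST):
    """Blocklisted hosts found in the URL or in its arguments."""
    return [h for h in embedded_hosts(url) if listed(h, blocklist)]
```

A link whose own host is clean but whose redirect argument is listed is flagged on the argument's host, which is the case a host-only lookup misses.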

Referrer Spammers Using Non-Existent Domains

You’ve probably seen this yourself already if you’re running a blog yourself, but the referral spammers are now using referrer URLs that don’t have any DNS records yet, I presume because they think that people can’t check them out first to see if they’re a spammer or not.

Of course, it’s fairly obvious because how on earth do you get a referral from a site that doesn’t exist! They go *plonk* here as soon as I spot them.

Disabled comments for unregistered users

Grr, well it appears that spammers were leaving spam comments on here as anonymous users so I’ve now disabled that ability for non-registered users. Apologies to everyone, you must now register to leave comments. Blame those scummy spammers for this. 🙁

This highlights the only thing I’m missing from PostNuke, and that’s the ability to have a box that shows the latest comments. The only reason I spotted these was trawling through the MySQL database backend on a whim to see what (if any) comments had been left recently.

Is the Australian Prime Minister Spamming You ?

It would appear that the Australian Prime Minister John Howard has gone into the spam business. According to the ABC and News Interactive, he’s hired his son’s company Net Harbour (no link as I don’t support spammers) to spam folks in his local electorate with pro-Liberal material.


This, of course, raises the question of where did they get their email addresses, and have Net Harbour been blacklisted yet ?


Even more ironic is that one of John Howard’s opponents in the forthcoming election is longtime anti-spam campaigner Troy Rollo, founder of the Coalition Against Unsolicited Bulk Email, Australia (CAUBE.AU) and iCAUCE.


The Sydney Morning Herald is reporting that they’re spamming folks outside of the electorate, and I’m wondering if they’ve hit anyone outside of Australia as well.


If you’ve had one of their spams, leave a comment with details or email me at antispam at csamuel.org please!