TCH-Dick

German-language Spam


I know most of you have seen the news about the return of the Sober virus, but I think it needs to be addressed. Here is an article concerning the issue, and I have also posted a set of rules for SpamAssassin to help with these emails.

 

A wave of far-right German, political-party propaganda choked millions of e-mail inboxes around the world over the weekend, delivering racist messages along with a dirty payload.

 

The Sober.q virus was first spotted Sunday as it quickly crossed the globe, blasting e-mail addresses found on infected PCs. Most of the political rhetoric contained links to news stories and content with approximately 72 varying subject lines, according to security firm MessageLabs.

 

The payloads quickly turned infected PCs into spam-generating machines, launching the propaganda from thousands of hosts.

 

The virus, which was sent an estimated 10 million times during the first few days of attacks, has since slowed, and the risks have been downgraded to "medium" by most security firms, including McAfee.

 

Most of the mail contains a single URL directing recipients to a range of online articles in reputable German newspapers and magazines promoting political messages with right-wing tendencies, according to Stephen White, Head of Anti-Spam Technical Operations for MessageLabs.

 

"This latest attack by the Sober author is comparatively sophisticated and has obviously been well planned," White said. "It appears that previously unexploited networks of machines were infected with earlier incarnations of the Sober worm."

 

The timing of the attacks coincides with last week's celebrations of the 60th anniversary of the end of World War II. Many of the 72 variations of the e-mail refer to "war-related" political messages, such as the Allied bombing of Dresden in 1945.

 

The spam also included links to the German Web sites for the far-right National Democratic Party.

 

The Sober virus has now had over 20 incarnations, the most recent coming earlier this month when scammers began gearing up for the 2006 World Cup, to be held in Germany, by sending millions of virus-carrying e-mails advertising ticket confirmations for the matches.

 

Other messages sent in Sober.q contain racist rants in both English and German against allowing Turkey into the European Union.

 

=====================

 

In the root of your site find the file '/.spamassassin/user_prefs'

Then just paste the following rules into the user_prefs file and save. This should stop the majority of these emails from reaching your inboxes.

 

### sober.q german neonazi spam
header XS_SOBERNAZI_SUBJ	Subject =~ /^(4\,8 Mill\. Osteuropaeer durch Fischer\-Volmer Erlass|60 Jahre Befreiung\: Wer feiert mit\?|Armenian Genocide Plagues Ankara 90 Years On|Auf Streife durch den Berliner Wedding|Augen auf|Auslaender bevorzugt|Auslaenderpolitik|Blutige Selbstjustiz|Deutsche Buerger trauen sich nicht \.\.\.|Deutsche werden kuenftig beim Arzt abgezockt|Dresden 1945|Dresden Bombing Is To Be Regretted Enormously|Du wirst ausspioniert \.\.\.\.\!|Du wirst zum Sklaven gemacht\!\!\!|Gegen das Vergessen|Graeberschaendung auf bundesdeutsche Anordnung|Hier sind wir Lehrer die einzigen Auslaender|Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer|Multi\-Kulturell \= Multi\-Kriminell|Paranoider Deutschenmoerder kommt in Psychiatrie|S\.O\.S\. Kiez\! Polizei schlaegt Alarm|Schily ueber Deutschland|The Whore Lived Like a German|Transparenz ist das Mindeste|Trotz Stellenabbau|Tuerkei in die EU|Turkish Tabloid Enrages Germany with Nazi Comparisons|Verbrechen der deutschen Frau|Volk wird nur zum zahlen gebraucht\!|Vorbildliche Aktion)/
header XS_SOBERNAZI_HDR  ALL =~ /^Return-Path: <([\w._-]+\@([\w-]+(?:\.[\w-]+)*\.(\w{2,8})))>.*\nFrom: \1\r?\nTo: [\w._-]+\@([\w.-]+)\r?\n.*\nMessage-ID: <[0-9a-f]{4,20}(\.[0-9a-f]{1,16})?\@(?:\2|\4|[a-z]+\.(\3|com))>\r?\n/ms
body XS_SOBERNAZI_SEEALSO	/^(Auslaender ueberfallen nationale Aktivisten|Botschafter in Kiew beschwerte sich noch 2004|Deutsche Krankenversicherungen muessen fuer Harems\-Frauen zahlen|EU\-Abgeordnete goennen sich luxurioese Vollversorgung|Full Article|GEWALTEXZESS|Immer mehr Frauen prostituieren sich|Kanzler erleichtert Visaverfahren f\ür Golfstaaten|Kassenfunktionaere vervierfachten Gehalt|Lese selbst|Neue Dokumente|Ohne Deutsch nach Deutschland|Parallelgesellschaften \- Feind hoerte mit|Politiker zerrei\ßt Menschenrechtsbericht|STAATSPROPAGANDA|Schily \= Hitler|Schily wehrt sich gegen Hitler\-Vergleiche|Sie hat ja wie eine Deutsche gelebt|Sie war unerlaubt spazieren|Tiere an Autobahn geschlachtet|Traumziel Deutschland|Vorbildliche Aktion|Weiter auf):\s*http:\/\/(brandenburg\.rz\.fhtw-berlin\.de|bz\.berlin1\.de|forum\.gofeminin\.de|globalfire\.tv|service\.spiegel\.de|shortnews\.stern\.de|www\.(aufenthaltstitel\.de|berlinonline\.de|die-kommenden\.net|deutschlandchronik\.de|heise\.de|jn-bw\.de|kommunisten-online\.de|libasoli\.de|mjoelnirsseite\.de|my-rocknord\.de|npd-nrw\.net|npd\.de|rp-online\.de|spiegel\.de|taz\.de|unserforum\.com|zdf\.de))\//
body XS_SOBERNAZI_BODY1  /In den fruehen Abendstunden des 13\. Februar 1945 gegen 21\:41 Uhr\s*heulten die Sirenen der Lazarettstadt Dresden das erste mal auf\. Die Bewohner der Elbmetropole machten sich zu der Zeit noch keine Sorgen, da Dresden als Stadt ohne Bewaffnung und ohne militaerischen Nutzen bekannt war und von ca\. 1,2 Millionen Frauen, Kindern und Greisen bewohnt wurde\./
body XS_SOBERNAZI_BODY2         /http:\/\/www\.rocknord\.de\s+http:\/\/www\.aktivefrauenfraktion\.tk\s+http:\/\/www\.kopfmord\.de\s+http:\/\/www\.das-gibts-doch-nicht\.de/
uri XS_SOBERNAZI_URI1           /^http:\/\/www.heise.de\/newsticker\/meldung\/5(8003|9304|8311|8351)/
uri XS_SOBERNAZI_URI2           /^http:\/\/www.unserforum.com\/aff\/include\.php\?path\=content\/content\.php\&contentid\=(5[456]|149)/

describe XS_SOBERNAZI_SUBJ	Subject as in german sober.q neonazi spam
score XS_SOBERNAZI_SUBJ  1.0

describe XS_SOBERNAZI_HDR	Headers look like german sober.q neonazi spam
score XS_SOBERNAZI_HDR  1.0

describe XS_SOBERNAZI_SEEALSO	body has references like german sober.q neonazi spam
score XS_SOBERNAZI_SEEALSO	1.0

describe XS_SOBERNAZI_BODY1	body looks like german sober.q neonazi spam
score XS_SOBERNAZI_BODY1	1.0

describe XS_SOBERNAZI_BODY2	body looks like german sober.q neonazi spam
score XS_SOBERNAZI_BODY2	1.0

describe XS_SOBERNAZI_URI1      body has URIs appearing in german sober.q neonazi spam
score XS_SOBERNAZI_URI1         1.0

describe XS_SOBERNAZI_URI2      body has URIs appearing in german sober.q neonazi spam
score XS_SOBERNAZI_URI2         1.0

meta __XS_SOBERNAZI_BODY        XS_SOBERNAZI_SEEALSO || XS_SOBERNAZI_BODY1 || XS_SOBERNAZI_BODY2 || XS_SOBERNAZI_URI1 || XS_SOBERNAZI_URI2

meta XS_SOBER_GERMANSPAM	XS_SOBERNAZI_SUBJ && XS_SOBERNAZI_HDR && __XS_SOBERNAZI_BODY
describe XS_SOBER_GERMANSPAM	Message has all characteristics of german sober.q neonazi spam
score XS_SOBER_GERMANSPAM	20.0

### general matches for bounces, these might possibly be a bit too liberal
### ISBOUNCE2 is stolen from procmail FROM_MAILER (and slightly extended)
header __XS_ISBOUNCE1           Return-Path =~ /^<MAILER-DAEMON[>@]/
header __XS_ISBOUNCE2           From:addr =~ /^(Post(ma(st(er)?|n)|office)|(send)?Mail(er)?(-?daemon)?|daemon|mmdf|n?uucp|ops|r(esponse|oot)|(bbs\.)?smtp(error)?|s(erv(ices?|er)|ystem)|A(dmin(istrator)?|MMGR))(\@|$)/i
header __XS_ISBOUNCE3           Content-Type =~ /report-type=delivery-status/
meta __XS_ISBOUNCE              __XS_ISBOUNCE1 || __XS_ISBOUNCE2 || __XS_ISBOUNCE3

### also match sober.q neonazi bounces
body XS_SOBERNAZIBOUNCE_SUBJ    /Subject(\s+|:\s*)(4\,8 Mill\. Osteuropaeer durch Fischer\-Volmer Erlass|60 Jahre Befreiung\: Wer feiert mit\?|Armenian Genocide Plagues Ankara 90 Years On|Auf Streife durch den Berliner Wedding|Augen auf|Auslaender bevorzugt|Auslaenderpolitik|Blutige Selbstjustiz|Deutsche Buerger trauen sich nicht \.\.\.|Deutsche werden kuenftig beim Arzt abgezockt|Dresden 1945|Dresden Bombing Is To Be Regretted Enormously|Du wirst ausspioniert \.\.\.\.\!|Du wirst zum Sklaven gemacht\!\!\!|Gegen das Vergessen|Graeberschaendung auf bundesdeutsche Anordnung|Hier sind wir Lehrer die einzigen Auslaender|Massenhafter Steuerbetrug durch auslaendische Arbeitnehmer|Multi\-Kulturell \= Multi\-Kriminell|Paranoider Deutschenmoerder kommt in Psychiatrie|S\.O\.S\. Kiez\! Polizei schlaegt Alarm|Schily ueber Deutschland|The Whore Lived Like a German|Transparenz ist das Mindeste|Trotz Stellenabbau|Tuerkei in die EU|Turkish Tabloid Enrages Germany with Nazi Comparisons|Verbrechen der deutschen Frau|Volk wird nur zum zahlen gebraucht\!|Vorbildliche Aktion)/i
describe XS_SOBERNAZIBOUNCE_SUBJ        contains Subject: and german sober.q neonazi spam subject
score XS_SOBERNAZIBOUNCE_SUBJ   0.1

meta XS_SOBER_GERMANBOUNCE      __XS_ISBOUNCE && XS_SOBERNAZIBOUNCE_SUBJ && __XS_SOBERNAZI_BODY
describe XS_SOBER_GERMANBOUNCE  Is a bounce of a german sober.q neonazi spam
score XS_SOBER_GERMANBOUNCE     20.0
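As an added illustration (not from the original post and not SpamAssassin's own code), the Python harness below mirrors how the meta rules above combine their component rules: each component scores only 1.0 on its own, and the 20.0 fires only when subject, header and body evidence all agree, with a separate path for bounces of the spam. The patterns are trimmed to a few of the thread's alternatives, the XS_SOBERNAZI_HDR check is simplified to "Return-Path equals From", and the three sample messages are constructed.

```python
import re
# Constructed harness, not SpamAssassin itself: a few of the thread's patterns, trimmed
# to a handful of alternatives so the combination logic of the meta rules stays readable.
SUBJ_RE = re.compile(r"^(Dresden 1945|Tuerkei in die EU|Gegen das Vergessen|Augen auf)")
SEEALSO_RE = re.compile(r"^(Lese selbst|Full Article|Weiter auf):\s*"
                        r"http://www\.(heise\.de|spiegel\.de|npd\.de)/", re.M)
ADDR_RE = re.compile(r"<?([\w._-]+@[\w.-]+)>?")
BOUNCE_RP_RE = re.compile(r"^<MAILER-DAEMON[>@]")
BOUNCE_FROM_RE = re.compile(r"^(postmaster|mailer-daemon)(@|$)", re.I)
BOUNCE_CT_RE = re.compile(r"report-type=delivery-status")
BOUNCE_SUBJ_RE = re.compile(r"Subject(\s+|:\s*)(Dresden 1945|Tuerkei in die EU)", re.I)
SCORES = {"XS_SOBERNAZI_SUBJ": 1.0, "XS_SOBERNAZI_HDR": 1.0, "XS_SOBERNAZI_SEEALSO": 1.0,
          "XS_SOBERNAZIBOUNCE_SUBJ": 0.1, "XS_SOBER_GERMANSPAM": 20.0, "XS_SOBER_GERMANBOUNCE": 20.0}

def addr(value):
    m = ADDR_RE.search(value or "")
    return m.group(1).lower() if m else None

def score_message(headers, body):
    """Return (total_score, sorted hit names) for a header dict plus decoded body text."""
    hits = set()
    if SUBJ_RE.search(headers.get("Subject", "")):
        hits.add("XS_SOBERNAZI_SUBJ")
    # Simplified stand-in for XS_SOBERNAZI_HDR: the thread's rule also ties the
    # Message-ID domain to the sender; here only Return-Path == From is checked.
    rp, frm = addr(headers.get("Return-Path")), addr(headers.get("From"))
    if rp and rp == frm:
        hits.add("XS_SOBERNAZI_HDR")
    if SEEALSO_RE.search(body):
        hits.add("XS_SOBERNAZI_SEEALSO")
    if BOUNCE_SUBJ_RE.search(body):
        hits.add("XS_SOBERNAZIBOUNCE_SUBJ")
    # Meta rules; the __ rules of the original carry no score of their own.
    sober_body = "XS_SOBERNAZI_SEEALSO" in hits
    is_bounce = bool(BOUNCE_RP_RE.search(headers.get("Return-Path", "")) or BOUNCE_FROM_RE.search(
        headers.get("From", "")) or BOUNCE_CT_RE.search(headers.get("Content-Type", "")))
    if {"XS_SOBERNAZI_SUBJ", "XS_SOBERNAZI_HDR"} <= hits and sober_body:
        hits.add("XS_SOBER_GERMANSPAM")
    if is_bounce and "XS_SOBERNAZIBOUNCE_SUBJ" in hits and sober_body:
        hits.add("XS_SOBER_GERMANBOUNCE")
    return sum(SCORES[h] for h in sorted(hits)), sorted(hits)
# Constructed samples: the spam itself, a bounce of it, and a legitimate German mail
# whose subject happens to start with one of the listed phrases.
SPAM = ({"Return-Path": "<user@example.org>", "From": "user@example.org", "Subject": "Dresden 1945"},
        "Lese selbst: http://www.heise.de/newsticker/meldung/58003\n")
BOUNCE = ({"Return-Path": "<MAILER-DAEMON>", "From": "postmaster@example.net",
           "Subject": "Undelivered Mail Returned to Sender"},
          "Subject: Dresden 1945\n\nLese selbst: http://www.heise.de/newsticker/meldung/58003\n")
HAM = ({"Return-Path": "<kollege@example.de>", "From": "kollege@example.de", "Subject": "Augen auf beim Kauf"},
       "Hallo, siehe http://www.heise.de/newsticker/ - Gruss\n")
```

The legitimate sample trips two component rules but stays at 2.0, which is the point of keeping the 20.0 on the meta rule rather than on any single pattern.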


Appreciate the code, but....

 

If you never get email in German, I *think* you can just add:

 

ok_languages en

 

to your user_prefs file and it will tag the email as spam.

 

I'm going to try it overnight, at least, and see what happens.


 

Well, so much for my theory... didn't work at all.

 

TC
