Bug 2820 - Ratware sign? "Atriks Professional Email Deployment Serv(er|ice)"
Summary: Ratware sign? "Atriks Professional Email Deployment Serv(er|ice)"
Status: RESOLVED WONTFIX
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (show other bugs)
Version: unspecified
Hardware: Other other
Importance: P5 enhancement
Target Milestone: 3.0.0
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-12-08 20:49 UTC by Mikael Olsson
Modified: 2004-02-17 01:50 UTC (History)



Attachments:
10 sample spams delivered via "Atriks Professional Email Deployment Service" (NOTE: .tar.gz), type application/octet-stream, submitted by Mikael Olsson [HasCLA]

Description Mikael Olsson 2003-12-08 20:49:48 UTC
I've gotten 34 of these the past two weeks "from"
send-mails/sendermailer/sendmial/wwwoffer.com, _ALL_ of
which fell below 5.0 scores (local+net):
4.0-4.9: 21
3.0-3.9: 10
2.0-2.9: 1
1.0-1.9: 1
0.0-0.9: 1

.. and this even though I've upped the scoring for HTML and added
some low-scoring filters of my own that they're also triggering.
Gotta hate smart spammers.
Comment 1 Mikael Olsson 2003-12-08 20:56:42 UTC
Just a short followup:
http://atriks.com/email_deployment.htm

Argh. No wonder none of the DNS blacklists are triggering.
Comment 2 Justin Mason 2003-12-08 22:12:23 UTC
have you got sample spam?   Also, what addrs are being hit -- user addresses, or
nonexistent/scraped/guaranteed-spam addrs?  They could always be doing legit
opt-in, and the users signed up, you never know ;)

Given that webpage, I think an SBL listing would be in the offing if they *are*
spamming.  There's only so much help 'Distributed delivery' can provide.  But
their web presence looks quite clean-cut, which makes me wonder if they're not
spammers, just a large-scale sender with bad bounce handling or similar.

Comment 3 Mikael Olsson 2003-12-09 13:01:43 UTC
I'm only counting spams sent to my work e-mail address.
The only way they could be getting that is web scraping (and lord
knows it's all over the place with all the public mailing lists with
web archives I'm on).

I'm attaching a couple of sample spams.
Comment 4 Mikael Olsson 2003-12-09 13:10:02 UTC
Created attachment 1617
10 sample spams delivered via "Atriks Professional Email Deployment Service"
(NOTE: .tar.gz)

Note also the 2nd Received: headers, e.g.
Received: by 1.2.3.4 with Atriks Professional Email Deployment Service

This stuff really arrives from all over the place. SBLing them
would be .. um .. hard.
Comment 5 Mikael Olsson 2003-12-09 16:53:57 UTC
Bah. They just changed the X-Mailer. Last four mails:

X-Mailer: Atriks Professional Email Deployment Service (Version ES16.5.2)
X-Mailer: Atriks Professional Email Deployment Service (Version ES17.5.2)
X-Mailer: Atriks Professional Email Deployment Server (Version ES18.7.1)
X-Mailer: Atriks Professional Email Deployment Server (Version ES19.7.1)

Comment 6 Mikael Olsson 2003-12-14 02:17:11 UTC
This seems like a lost cause. They changed the signature again a 
few days ago.

- X-Mailer: SMTP (Version ES12.9.0)
  (score 3.6)

- X-Mailer: SMTP (Version ES00.9.0)
  (score 4.1)

- X-Mailer: SMTP (Version ES18.9.0)
  (score 4.3)

One could possibly filter on the version bit to catch all three
signatures, but something about these changes is just a bit too 
timely -- I wouldn't be surprised if these guys are monitoring SA 
development closely so that they can send spam that ducks under 
the 5.0 line.
Comment 7 Justin Mason 2003-12-14 13:03:51 UTC
I'm thinking exactly the same thing.  Hi Atriks people!

Have there been any changes in the formatting?  In particular, the
QUOTED-PRINTABLE (in all caps) in the Content-Transfer-Encoding line,
and img/href references to

http://t.wwwanswers.com/track
http://t.sendmails.com/track
http://t.mailnotice.com/track

may still be usable signatures.

The Message-ID and Errors-To addresses seem identifiable as well.

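The signature candidates from comments 6 and 7 (the "version bit" of the X-Mailer, the all-caps QUOTED-PRINTABLE encoding token, and the three t.*/track hosts) run over constructed sample messages, as an added example that is not part of this bug or of SpamAssassin's own rules. The regexes, the per-rule scores, the addresses and the message bodies are this example's own assumptions; the three X-Mailer strings are the ones quoted in comments 5 and 6.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Dict, Tuple

# Candidate signatures taken from the thread. The regexes are this example's
# own rendering of them, not rules shipped with SpamAssassin.
XMAILER_NAME_RE = re.compile(r"Atriks Professional Email Deployment")  # the rule proposed in comment 11
XMAILER_VERSION_RE = re.compile(r"\(Version ES\d\d\.\d\.\d\)")          # the "version bit" from comment 6
TRACK_HOSTS = ("t.wwwanswers.com", "t.sendmails.com", "t.mailnotice.com")  # comment 7
TRACK_URL_RE = re.compile(
    r"https?://(?:" + "|".join(re.escape(h) for h in TRACK_HOSTS) + r")/track",
    re.IGNORECASE,
)

# Hypothetical per-rule scores chosen for this example (comment 11 suggests 0.5 for testing).
SCORES = {
    "ATRIKS_XMAILER_NAME": 0.5,
    "ATRIKS_XMAILER_VERSION": 1.0,
    "CTE_UPPER_QP": 0.5,
    "ATRIKS_TRACK_URL": 1.5,
}


def fired_rules(msg: Message) -> Dict[str, float]:
    """Apply the four checks to one parsed message; return {rule: score} for the hits."""
    hits: Dict[str, float] = {}
    xmailer = msg.get("X-Mailer", "")
    if XMAILER_NAME_RE.search(xmailer):
        hits["ATRIKS_XMAILER_NAME"] = SCORES["ATRIKS_XMAILER_NAME"]
    if XMAILER_VERSION_RE.search(xmailer):
        hits["ATRIKS_XMAILER_VERSION"] = SCORES["ATRIKS_XMAILER_VERSION"]
    # Comment 7: the encoding token written in capitals. Compare the raw header
    # case-sensitively; a case-folding comparison would fire on ordinary mail too.
    if msg.get("Content-Transfer-Encoding", "").strip() == "QUOTED-PRINTABLE":
        hits["CTE_UPPER_QP"] = SCORES["CTE_UPPER_QP"]
    # Decode the transfer encoding before looking for URLs: a quoted-printable
    # soft line break inside a URL would otherwise hide the host from the regex.
    body = msg.get_payload(decode=True) or b""
    if TRACK_URL_RE.search(body.decode("latin-1", "replace")):
        hits["ATRIKS_TRACK_URL"] = SCORES["ATRIKS_TRACK_URL"]
    return hits


def evaluate(raw: str) -> Tuple[float, Dict[str, float]]:
    """Parse a raw RFC 2822 message and return (total score, rules that fired)."""
    hits = fired_rules(message_from_string(raw))
    return sum(hits.values(), 0.0), hits


def build_sample(xmailer: str, cte: str, qp_body: str) -> str:
    """Constructed sample message; addresses, subject and body are invented."""
    return (
        "From: sender@example.com\n"
        "To: user@example.com\n"
        "Subject: offer\n"
        f"X-Mailer: {xmailer}\n"
        "Content-Type: text/html; charset=iso-8859-1\n"
        f"Content-Transfer-Encoding: {cte}\n"
        "\n"
        f"{qp_body}\n"
    )


# Constructed bodies. The tracking link is split by a QP soft line break
# ("=" at end of line), so it only matches after decoding.
SPAM_BODY = '<a href=3D"http://t.sendma=\nils.com/track">offer</a>'
HAM_BODY = '<a href=3D"http://www.example.com/">hello</a>'

SAMPLES = {
    # The three X-Mailer generations quoted in comments 5 and 6
    "gen1": build_sample("Atriks Professional Email Deployment Service (Version ES16.5.2)",
                         "QUOTED-PRINTABLE", SPAM_BODY),
    "gen2": build_sample("Atriks Professional Email Deployment Server (Version ES18.7.1)",
                         "QUOTED-PRINTABLE", SPAM_BODY),
    "gen3": build_sample("SMTP (Version ES12.9.0)", "QUOTED-PRINTABLE", SPAM_BODY),
    # Ordinary mail: lowercase encoding token, no tracking host, unrelated mailer
    "ham": build_sample("Example Mailer 1.0", "quoted-printable", HAM_BODY),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        total, hits = evaluate(raw)
        print(f"{name:5} {total:4.1f}  {' '.join(sorted(hits)) or '-'}")
```

The output makes the point of comment 6 concrete: the name match that comment 11 later proposes fires only on the first two generations, while the version tag and the tracking hosts still fire on the "SMTP (Version ES12.9.0)" generation, and nothing fires on the ordinary message. The SpamAssassin equivalent of the version check would be a `header` rule on `X-Mailer =~ /\(Version ES\d\d\.\d\.\d\)/` (an assumption about how one would write it, not a rule from the project).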
Comment 8 Justin Mason 2003-12-14 13:07:41 UTC
They have an SBL listing:

http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12495

'Update: less than 24 hours after they promised to quit spamming if we removed
their SBL listing, they have now started spamming from China. Listing re-enabled
until they really stop.'
Comment 9 Sidney Markowitz 2003-12-14 13:37:53 UTC
They aren't likely to stop. See their web page about their email services
http://atriks.com/email_deployment.htm

I wonder how many of the "over 60,000 individuals throughout the world who act
as sending agents for the Atriks Distributed Email Delivery System" know that
their machines are being used. It doesn't seem like something practical to set
up in any legal, consensual way.

Another quote: "When messages are available, each agent machine can receive up
to 100 emails to deliver. For example, with 20,000 agents sending 100 emails
each, the Atriks Distributed Email Delivery System can deliver 2 Million emails
in one quick shot."

I wonder, though, if their New Hampshire company location leaves them vulnerable
to the new federal antispam law?
Comment 10 Mikael Olsson 2004-02-16 01:25:48 UTC
Recommend wontfix -> close on this one.
Comment 11 Bob Apthorpe 2004-02-16 07:11:03 UTC
Would

header   T_ATRIKS X-Mailer =~ /Atriks Professional Email Deployment/
describe T_ATRIKS Stigmata of Atriks proxy farm
score    T_ATRIKS 0.5

be reasonable for testing?

AFAICT, Atriks is black hat; you'll lose nothing legitimate by dropping their
traffic on sight.
Comment 12 Mikael Olsson 2004-02-16 08:03:06 UTC
I would love to be able to drop their traffic on sight.

However, each time we've mentioned a reasonable signature, they've
changed it in 24--72 hours. They're well aware of SA. 

"/Atriks Professional Email Deployment/" won't catch a single spam today;
they use more or less random X-Mailers now.

Hence my recommendation: resolve this bug as wontfix and close it.
Comment 13 Daniel Quinlan 2004-02-16 13:16:15 UTC
following recommendation of originator to close as WONTFIX
Comment 14 Justin Mason 2004-02-17 10:36:32 UTC
fwiw, I think they're in the SBL these days.
Comment 15 Mikael Olsson 2004-02-17 10:50:41 UTC
They indeed are, but that only helps if you've hacked in the HOSTED_*
patch from bug 1375. 

Their multi-level marketing scheme of delivery via lusers that get
paid 1 cent an hour to let atriks spam through them (and more cash
to get them to sign up their friends) makes RBLing their sender IPs
damn near impossible.