
[Asrg] 1c. Analysis of Spam - casual observations from my log files

2004-02-24 23:55:05
Folks,

Nothing Earth-shattering here, but I found it mildly interesting. I've noticed 
a number of failed attempts to spam me at my ASRG-specific address, and also 
my mail-ng-specific address. My current convention for specific addresses is 
famous-<specific-part>@nutters.org -- a common enough approach. (I don't much 
use the "base" address of "famous" anymore, since it has degenerated into a 
spam-trap over time.)

The first and foremost reason that these spam attempts have failed is because 
they fail to recognise the "dash" characters as part of the email address, 
and thus send to "asrg(_at_)(_dot_)(_dot_)(_dot_)" rather than 
"famous-asrg(_at_)(_dot_)(_dot_)(_dot_)". This also suggests 
that they were scraped out of an HTML page, either directly from the web, or 
in the cache of a compromised host. There's also a possibility that they were 
encountered in a plain message/rfc822 file on a compromised host. Available 
data relating to these incidents follows.

[Date: 2004-02-21 05:04:44 +0000; Peer: 218.54.209.137]
helo mail2.naool.com
mail from:<MRBATESALAN(_at_)netscape(_dot_)net>
rcpt to:<asrg(_at_)nutters(_dot_)org>
+
[Date: 2004-02-25 02:38:42 +0000;  Peer: 64.173.9.239]
helo adsl-64-173-9-239.dsl.sntc01.pacbell.net
mail from:<NHUWBLDNO(_at_)yahoo(_dot_)com>
rcpt to:<asrg(_at_)nutters(_dot_)org>
+
[Date: 2004-02-25 04:18:09 +0000; Peer: 83.154.201.104]
helo dyn-83-154-201-104.ppp.tiscali.fr
mail from:<BYCYACLXHV(_at_)hotmail(_dot_)com>
rcpt to:<asrg(_at_)nutters(_dot_)org>

The first instance originates in Korea and has no in-addr.arpa PTR record, but 
mail2.naool.com does resolve to the address in question, and that host is an 
MX for naool.com, so I conclude that it was an open relay. Note that the 
second and third instances are relatively close together (less than 2 hours 
difference) and originate from a PacBell DSL account and a French PPP account 
respectively: almost certainly zombies. The "helo" argument in both cases is 
consistent with the in-addr.arpa PTR records for the originating IP. The 
spamware tool is randomly forging return path addresses with a local part 
matching /[A-Z]{9,11}/ and well-known freemail domains.

I have two similar records of spam attempts to "ng(_at_)(_dot_)(_dot_)(_dot_)"
which are almost certainly mis-parsed from
"famous-mail-ng(_at_)(_dot_)(_dot_)(_dot_)(_dot_)". The only noteworthy
difference is that the return path has a lower case local part, but is
otherwise similar: a string of random letters at yahoo.com. Probably a
different spammer, though.

I also have one curious mis-send to "3dtfbw(_at_)nutters(_dot_)org", which is
probably a mis-parse of a quoted-printable rendition of
"=tfbw(_at_)(_dot_)(_dot_)(_dot_)" (and I can only speculate where that may
have been encountered). "tfbw(_at_)(_dot_)(_dot_)(_dot_)" is another valid
address for me.

I surmise that the current practice in address-scraping is to find things 
which match <local-part>@<domain>, where <domain> is a routable mail domain, 
and <local-part> matches /[[:alnum:]]+/. It seems probable that spamware 
authors will wise up to the use of "dash" in email addresses sooner or later, 
if it has good enough payoff. They may even wise up to the plethora of other 
legal but obscure local-part productions. For the moment, however, a simple 
non-alphanumeric character is enough to make an address harvest-proof -- or 
so it seems.

Regards,
TFBW
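
As an added example (not part of TFBW's post), here is the surmised harvester pattern applied to dashed and quoted-printable addresses, alongside a small log check a mail admin could run to flag RCPT TO values that are dash-truncated forms of their own addresses and return paths that fit the forged /[A-Z]{9,11}/-at-freemail shape. The log sample is constructed from the records quoted above; the freemail set and the "harvest mis-parse" classification are assumptions.

```python
import re

# Constructed sample: two of the records quoted in the post, de-obfuscated.
LOG = """\
[Date: 2004-02-21 05:04:44 +0000; Peer: 218.54.209.137]
helo mail2.naool.com
mail from:<MRBATESALAN@netscape.net>
rcpt to:<asrg@nutters.org>
+
[Date: 2004-02-25 02:38:42 +0000;  Peer: 64.173.9.239]
helo adsl-64-173-9-239.dsl.sntc01.pacbell.net
mail from:<NHUWBLDNO@yahoo.com>
rcpt to:<asrg@nutters.org>
"""

# Post's surmised harvester: /[[:alnum:]]+@<domain>/, so a dashed local part is cut at its last dash.
NAIVE = re.compile(r'[A-Za-z0-9]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
RANDOM_LOCAL = re.compile(r'^[A-Z]{9,11}$')   # shape of the forged senders
FREEMAIL = {'netscape.net', 'yahoo.com', 'hotmail.com'}   # assumed list

def naive_harvest(text):
    """Addresses a naive scraper would pull out of text, lower-cased."""
    return [m.group(0).lower() for m in NAIVE.finditer(text)]

def parse_records(log):
    """One dict per '+'-separated attempt: peer, mail from, rcpt to."""
    recs = []
    for chunk in log.split('\n+\n'):
        rec = dict(re.findall(r'(mail from|rcpt to):<([^>]*)>', chunk))
        rec['peer'] = re.search(r'Peer:\s*(\S+)\]', chunk).group(1)
        recs.append(rec)
    return recs

def truncated_form_of(rcpt, known):
    """Known address that rcpt is a dash-truncated copy of, else None."""
    local, _, dom = rcpt.lower().partition('@')
    hits = [a for a in known if a.lower().endswith('-' + local + '@' + dom)]
    return hits[0] if hits else None

def classify(log, known):
    """(peer, rcpt, real address, forged-sender?) per harvest mis-parse."""
    out = []
    for r in parse_records(log):
        target = truncated_form_of(r['rcpt to'], known)
        if target:
            local, _, dom = r['mail from'].partition('@')
            forged = bool(RANDOM_LOCAL.match(local)) and dom.lower() in FREEMAIL
            out.append((r['peer'], r['rcpt to'].lower(), target, forged))
    return out
```

The "=3Dtfbw" case reproduces the post's "3dtfbw" mis-send: "=3D" is the quoted-printable encoding of "=", and the alphanumeric-only pattern starts matching right after it.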


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


