procmail

RE: restricted form

2003-02-01 15:08:19
Professional Software Engineering stated:

At 06:37 2003-01-31 -0500, dman(_at_)nomotek(_dot_)com did say:

either out of revenge or stupidity.  (I still report every spam I
get, and it causes me to get Joe-jobbed occasionally.)

Perhaps report from some other domain?

That wouldn't help.  The spammers long ago started spiking their
spam.  They know who's complaining.  Nobody who hosts my domains
would really believe I'm spamming, though, anyway.


Here are nineteen Message-Id's caught, and the good one at
the bottom, making twenty:


Message-Id: <000501b1ad47$dba43721$72214420(_at_)hvutfwhewy(_dot_)os>

hostname portion = 10.2, "10" being inconsistent with what fleet 
identified, so if the following macros were defined, and the 
regexp were expanded to include the following after the @:

ALPHAX7=[a-z][a-z][a-z][a-z][a-z][a-z][a-z]
ALPHAX12=${ALPHAX7}[a-z][a-z][a-z][a-z][a-z]

         (${ALPHAX7}|${ALPHAX12})\.

that might better isolate the spammy stuff.

Of course, if the _one_ mis-hit you got was from SpamCOP, I
might go and point out to them that they really should be using their
own domain (even with a bogus hostname) for the host portion of their
messageids.  Alternately, you could always whitelist spamcop messages
before entering this test.

You know, I thought that was pretty weird at the time myself.  And I
do have a whitelist for SpamCop admin stuff.  So it was odd to me that
this got tagged as spam.  But now I know why that happened: the report
ostensibly from SpamCop was a hoax!!

Today on the SpamCop site is this message:

sc> Hoax Alert: Please read this if you have received a threatening
sc> email claiming to be from SpamCop

And in the FAQs is this sample of how reports would really look:
http://spamcop.net/fom-serve/cache/338.html


What I got was a painstakingly forged spam.  But the Message-ID was
(should have been) one giveaway.  I won't state what the others are,
in case the hoaxster is reading this.



The different X-Mailer: content in many of these messages does
further imply a bulk MUA rather than one individual spammer.

Well, the bulk MUA could be inserting the X-Mailer randomly 
such that any two messages from the same spammer would never 
appear to be.

Yes, certainly.  But I look at lots of spam headers.  After a while,
I begin to see the personalities of the spammers who sent them. 
Many are from the same people.  Others are obviously different.
It goes down even to the types of fake names they chose for the
From:, the way they use spacing or ........ dots in the Subject
(that's one person, mainly, I think), etc.

This recognition thing is not unlike when I'm reading local Usenet
groups for my ISP or even reading this list.  Sean, I often skip
the From: and read this list mail quickly, but I can recognize
your stuff almost instantly by the style of the prose.  :-)
If the message is something I can help out with or have a
personal interest in, I look more closely then at the attribution.
I can usually tell many of the regulars here just by style and
habits of writing, within a couple of sentences.

Regards,
Dallman

-- 
"If you find a path with no obstacles, it probably does not lead to
anywhere."
        Thoughts of Rev. Sunnan Kubose, from _Zen in the Markets_  


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
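
Added example, not part of the original post or of anyone's procmail setup: a Python sketch of the host-portion test discussed in the message above, reporting the label-length shape (the "10.2" notation) and whether the first label after the @ fits the ALPHAX7/ALPHAX12 pattern. The function names and all sample headers except the first (the Message-Id quoted in the post) are constructed assumptions.

```python
import re
from email import message_from_string

# Character classes copied from the ALPHAX7 / ALPHAX12 macros in the post.
ALPHAX7 = "[a-z]" * 7
ALPHAX12 = ALPHAX7 + "[a-z]" * 5
# procmail conditions are case-insensitive unless the D flag is set,
# so IGNORECASE mirrors the recipe's default behaviour.
HOST_TEST = re.compile(rf"@({ALPHAX7}|{ALPHAX12})\.", re.IGNORECASE)

SAMPLES = [
    # Quoted in the post, still in the archive's (_at_)/(_dot_) munged form.
    "Message-Id: <000501b1ad47$dba43721$72214420(_at_)hvutfwhewy(_dot_)os>\n\n",
    # Constructed samples: 7-letter label, 12-letter label, no Message-Id.
    "Message-Id: <0001$aaaa$bbbb@qwertyu.example>\n\n",
    "Message-Id: <0002$cccc$dddd@qwertyuiopas.example>\n\n",
    "Subject: no message id here\n\n",
]


def message_id(raw_headers):
    """Return the Message-Id without angle brackets, or None if absent."""
    value = message_from_string(raw_headers).get("Message-Id")
    if not value:
        return None
    # Undo the list archive's address munging before testing.
    value = value.replace("(_at_)", "@").replace("(_dot_)", ".")
    return value.strip().strip("<>")


def host_shape(msgid):
    """Label lengths of the part after the last @: 'hvutfwhewy.os' -> '10.2'."""
    _, at, host = msgid.rpartition("@")
    if not at or not host:
        return None
    return ".".join(str(len(label)) for label in host.split("."))


def check(raw_headers):
    """Return (shape, hit); hit means the first host label is 7 or 12 letters."""
    msgid = message_id(raw_headers)
    if msgid is None:
        return (None, False)
    return (host_shape(msgid), HOST_TEST.search(msgid) is not None)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample), sample.strip())
```
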
