Andy,

I both assumed and created a group of different definitions of things for classifying spammers and things related to them. I don't claim that this list is universal, nor complete, but when I refer to something with one of these terms, this is generally what I mean. I am a believer in targeting specific types of spam with specific methods. For instance, AFF Spam is not usefully targeted primarily with IP4R tests since it mostly comes from legitimate mail servers; however, you will often get a zombie-type hit on the IP from the first hop. Likewise I also believe in not lumping everything under very generalized terms to describe them, i.e. "spam" or "spammer".

   * *Zombie Spammer* - A spammer that hijacks others' computers where
     the spam is sent directly from the hijacked computer to one's server.
   * *Zombie* - A computer that has been hijacked and is a member of a
     bot-net.
   * *Bot-net* - A group of zombies under one group's control,
     typically used for spamming and for DDoS attacks, but also
     sometimes used to relay through legitimate servers using either
     AUTH hacking or trusted IP space.
   * *Open Relay* - A mail server that allows un-authenticated E-mail
     to be sent through it.
   * *AUTH Relay* - A mail server that has accounts where either AUTH
     has been hacked to send spam, or allows trusted IP space to relay
     spam.
   * *Relay Spammer* - A spammer that uses either Open Relays or AUTH
     Relays to send spam.
   * *Static Spammer* - A group dedicated to spamming that uses their
     own servers (contracted or owned).
   * *AFF Spam* (Advance Fee Fraud) - Consists of scams where the
     object is to get the recipient to hand over cash in expectation of
     a return.  This typically consists of Nigerian spam, Lottery spam,
     "buy from your store" spam, and "representatives wanted" spam.
   * *Phishing Spam* - Scams designed to trick the recipients into
     handing over valuable information.  These messages are typically
     sent through sites using content management tools (wikis, message
     boards, blogging software, and PHPNuke-type content management
     tools).  The content is also often hosted on the same.
   * *Bulk Mailers* - Companies that are not committed exclusively to
     spamming, but most of which will leak spam from time to time.  Some
     are better than others at preventing spam, and some have
     service designs that lend themselves to abuse.
   * *Niche Spam* - Small-time spammers that generally target a very
     specific demographic such as a region or a type of business.  They
     often use either their own official E-mail server or that of their
     ISP, and they can be hard to catch without manual blacklisting.
   * *Backscatter* - Messages that result from automated responses to
     forged addresses, typically resulting from gateways that don't
     validate recipient addresses, but also caused by auto-responders,
     vacation messages, open relays, AUTH relays and AV blocking
     mechanisms.
   * *Form Spam* - Spammers that target contact forms to send their
     spam to the hard coded recipients, or in some cases attempt to
     recode the recipients if that value is specified within the form.
   * *Spim* - Instant messaging spam.  Typically sent by zombies.
   * *Blog Spam* - Also affects things like guestbooks, comment
     mechanisms and message boards.  Used either for spamdexing or to
     directly advertise one's products.  Primarily done by zombies.
   * *Spamdexing* - The act of spreading links to a site by posting
     them in blogs, guestbooks and message boards with the goal of
     improving search ranking of the sites listed.

Matt


Andy Schmidt wrote:
Hi Matt:
What is a "static" spammer? I've looked into a few in the past week and they all obviously were marketing mail companies (such as in this case, mta8br.cmpgnr.com [69.28.223.132]) - and, of course, the mail account that was receiving the spam was never subscribed there.

Best Regards
*/Andy Schmidt/*
Phone:  +1 201 934-3414 x20 (Business)
Fax:    +1 201 934-9206

    -----Original Message-----
    *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On
    Behalf Of *Matt
    *Sent:* Saturday, November 18, 2006 07:54 PM
    *To:* [email protected]
    *Subject:* Re: [Declude.JunkMail] MXRate-Allow

    Andy,

    That result code is neither a whitelist nor a blacklist, it is
    merely an indication that legitimate E-mail has been received in
    quantity from that IP.  Due to the fact that spam levels are
    approaching 99% of connection traffic these days (not the same as
    message volume), it is not uncommon to find that places that send
    a lot of good E-mail also send a lot of spam from time to time.

    This particular result code is most useful in the context of
    Alligate, but it has little value when used simply as an IP4R test
    within Declude.  You can however assume with a high degree of
    confidence that you won't be receiving zombie generated spam from
    this result code unless it was forwarded or, on a very rare
    occasion, the server itself is hacked.  You can also fairly safely
    assume that this will not be a static spammer.  It can however be
    a bulk-mail provider that leaks some spam, or a real E-mail
    service that has Advance Fee Fraud users (Hotmail for instance),
    or service providers that are forwarding E-mail, or possibly
    forwarding phishing on behalf of hacked servers in their network.

    Matt



    Andy Schmidt wrote:
    Is it me - or should MXRate-Allow be treated as a "spam source" list?
    I don't know how many times I've looked at Spam that made it
    through and the IP is on their whitelist, such as "campaigner".

    Best Regards
    */Andy Schmidt/*
    Phone:  +1 201 934-3414 x20 (Business)
    Fax:    +1 201 934-9206

    -----Original Message-----
    Received: from mta8br.cmpgnr.com [69.28.223.132] by hm-software.com
      (SMTPD-9.10) id A0C01D47C; Sat, 18 Nov 2006 11:11:44 -0500
    Return-Path: [EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>
    Message-ID:
    <[EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>>
    Date: Sat, 18 Nov 2006 11:11:48 -0500 (EST)
    From: "Purplus Inc." <[EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>>
    Reply-To: "Purplus Inc." <[EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>>
    To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
    Subject: Great New Deals >From Purplus Software
    Errors-To: [EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>
    Mime-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="----=_Part_220171_25603728.1163866308151"
    X-Campaign: 829605.828864.667296.793699032
    Bounces-To: [EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>
    X-RBL-Warning: Suspected SPAM. "Spam Received Recently See:
    http://www.sorbs.net/lookup.shtml?69.28.223.132"
    X-Declude-RefID:
    X-Declude: Version 4.3.14; Code 0xe from mta8br.cmpgnr.com
    [69.28.223.132]
    X-Declude: Triggered [4] SENDERDB-ALLOW, SPFPASS, SNIFFER
    X-Countries: UNITED STATES->destination
    Return-Path: <[EMAIL PROTECTED]
    <mailto:[EMAIL PROTECTED]>>
    X-RCPT-TO: <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>
    Status:
    X-UIDL: 463610395
    X-IMail-ThreadID: 30c001bc00005152
    *From:* Purplus Inc. [mailto:[EMAIL PROTECTED]
    *Sent:* Saturday, November 18, 2006 11:12 AM
    *To:* [EMAIL PROTECTED]
    *Subject:* Great New Deals >From Purplus Software
    ------------------------- SPAM DELETED -------------------------

    You are subscribed as [EMAIL PROTECTED] To unsubscribe please
    click here
    <http://cmpgnr.com/r.html?c=829605&r=828864&t=793699032&l=6&[EMAIL PROTECTED]&la=1&o=-40>.

    <http://www.campaigner.com/?testdrive_1>



    ---
    This E-mail came from the Declude.JunkMail mailing list. To
    unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
    type "unsubscribe Declude.JunkMail". The archives can be found
    at http://www.mail-archive.com.
