Re: hey john spam

2006-02-02 Thread Kelson

I just got one with content!

Well, sort of.

The HTML part contained a forged set of headers -- just the user-visible 
ones you expect on an inline forward:



----- Original Message -----
From:
To: btxiberk@probably_forged_domain
Sent: Wednesday, February 1, 2006 11:33 AM
Subject: hey perl


That was it.  (The target address was, of course, perl @ this domain.) 
The To: line bore no resemblance to the sender on the actual message, 
except for having an obviously random left-hand side.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: hey john spam

2006-01-31 Thread John Fleming


----- Original Message -----
From: mouss [EMAIL PROTECTED]

To: jdow [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Monday, January 30, 2006 2:01 PM
Subject: Re: hey john spam



jdow wrote:


I'm watching them still roll in



Seems they switched to "News for john".


Interesting - I'm -not- getting that one!  - John!  ;-)



Re: hey john spam

2006-01-30 Thread mouss
jdow wrote:
 
 I'm watching them still roll in and have developed a theory about them.
 Suppose some idiot decides to play white hat hacker with a botnet
 he managed to commandeer or a set of open relays he managed to discover.
 So he sends these strange emails through those links with the intent of
 effectively generating a DoS attack against the open relays or compromised
 computers. I note that the scores on the messages are going up with time
 as they get listed in more and more of the BLs. At a guess chello.pl is
 having a problem delivering email anywhere in the world at the moment.
 Their user at 84.10.17.111 is certainly not delivering mail very many
 places. It's a semi-clever DoS against open spam sources.
 


Seems they switched to "News for john".


Re: hey john spam

2006-01-29 Thread jdow

From: MATSUDA Yoh-ichi [EMAIL PROTECTED]


Hello.

From: John Fleming [EMAIL PROTECTED]
Subject: hey john spam
Date: Fri, 27 Jan 2006 19:48:03 -0500

This is a new one for me.  Today I've received some mail with hey john in 
the subject, and the mail otherwise appears blank.  It didn't contain a 
virus, or it would've been discarded by ClamAV.

...

I received 2 similar spams.
Then, I wrote rules below:


I'm watching them still roll in and have developed a theory about them.
Suppose some idiot decides to play white hat hacker with a botnet
he managed to commandeer or a set of open relays he managed to discover.
So he sends these strange emails through those links with the intent of
effectively generating a DoS attack against the open relays or compromised
computers. I note that the scores on the messages are going up with time
as they get listed in more and more of the BLs. At a guess chello.pl is
having a problem delivering email anywhere in the world at the moment.
Their user at 84.10.17.111 is certainly not delivering mail very many
places. It's a semi-clever DoS against open spam sources.

{^_-}



Re: hey john spam

2006-01-29 Thread mouss
jdow wrote:
 
 I'm watching them still roll in and have developed a theory about them.
 Suppose some idiot decides to play white hat hacker with a botnet
 he managed to commandeer or a set of open relays he managed to discover.
 So he sends these strange emails through those links with the intent of
 effectively generating a DoS attack against the open relays or compromised
 computers. I note that the scores on the messages are going up with time
 as they get listed in more and more of the BLs. At a guess chello.pl is
 having a problem delivering email anywhere in the world at the moment.
 Their user at 84.10.17.111 is certainly not delivering mail very many
 places. It's a semi-clever DoS against open spam sources.
 

other theory:
- broken ratware (voluntarily or involuntarily) spread and used by silly
spammers who failed to configure it or to pass correct data.

The few that work contain (at least) an image, and most seem to use
the same HTML and CSS.

BTW one of these contained:
Content-Type: text/html; Windows-1252
Content-Transfer-Encoding: base64
Why would one base64-encode a text/html part? Sounds like a good
candidate for a rule. Any opinions?


Re: hey john spam

2006-01-28 Thread MATSUDA Yoh-ichi
Hello.

From: John Fleming [EMAIL PROTECTED]
Subject: hey john spam
Date: Fri, 27 Jan 2006 19:48:03 -0500

 This is a new one for me.  Today I've received some mail with hey john in 
 the subject, and the mail otherwise appears blank.  It didn't contain a 
 virus, or it would've been discarded by ClamAV.
 
 Are these familiar to you guys?  What's the point of them?  Headers of one 
 below:  Thanks!  - John
 
 Return-Path: [EMAIL PROTECTED]
 X-Original-To: [EMAIL PROTECTED]
 Delivered-To: [EMAIL PROTECTED]
 Received: from ln (unknown [217.96.67.109])
  by wa9als.com (Postfix) with SMTP id 4AD4D33E60D
  for [EMAIL PROTECTED]; Fri, 27 Jan 2006 16:54:33 -0500 (EST)
 Message-ID: [EMAIL PROTECTED]
 From: Medeiros Pablo [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: hey john
 Date:   Fri, 27 Jan 2006 22:58:47 -0800
 MIME-Version: 1.0
 Content-Type: multipart/related;
  type="multipart/alternative";
  boundary="----=_NextPart_000_000E_01C62395.3B540860"
 X-Priority: 3
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook Express 6.00.2900.2180
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
 X-Virus-Status: No
 X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
 ClamAV 0.88/1254/Fri Jan 27 12:22:39 2006 signatures 35.1254
 X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on Luke.wa9als.com
 X-Spam-Level: **
 X-Spam-Status: No, score=2.3 required=5.0 
 tests=BAYES_60,DATE_IN_FUTURE_06_12
  autolearn=no version=3.0.3
 Status:
 X-Antivirus: AVG for E-mail 7.1.375 [267.14.23/243]
 
 

I received 2 similar spams.
Then, I wrote rules below:

#---
# Matches the raw message: a part declaring multipart/alternative, then a
# text/plain part (Windows-1252, quoted-printable) whose body is empty, i.e.
# the next boundary follows straight after its headers.  The second boundary
# field is matched with \w{4} rather than \d{4} because the posted sample
# has a hex value there (000_000E).  A "full" rule must be on one line.
full MULTIPART_EMPTY /(\r|\n){2}\-{6}=_NextPart_\d{3}_\w{4}_\w{8}\.\w{8}(\r|\n)Content\-Type: multipart\/alternative\;(\r|\n)\tboundary=\"\-{4}=_NextPart_\d{3}_\w{4}_\w{8}\.\w{8}\"(\r|\n){2,}\-{6}=_NextPart_\d{3}_\w{4}_\w{8}\.\w{8}(\r|\n)Content\-Type: text\/plain\;(\r|\n)\tcharset=\"Windows-1252\"(\r|\n)Content-Transfer-Encoding: quoted-printable(\r|\n){2,}\-{6}=_NextPart_/
describe MULTIPART_EMPTY multipart/alternative with an empty text/plain part

meta MULTIEMPTY99 MULTIPART_EMPTY && BAYES_99
score MULTIEMPTY99 5.0

meta MULTIEMPTYFUTURE DATE_IN_FUTURE_06_12 && MULTIPART_EMPTY
score MULTIEMPTYFUTURE 3.5
#---
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
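The checks discussed in this thread, pulled together in Python as an added example (not code from the thread or from SpamAssassin): the MULTIPART_EMPTY rule above, the "hey <LHS-of-address>" subject pattern Kelson describes, mouss's base64-encoded text/html candidate, and the DATE_IN_FUTURE_06_12 comparison that fired on John's headers. The sample message is constructed to mirror the posted headers; the addresses, the inner MIME boundary, the HTML body in the second sample and the rule names HEY_LOCALPART and BASE64_TEXT_HTML are assumptions, since the archive redacted the originals.

```python
"""Detection heuristics for the 'hey <localpart>' mails discussed in this thread.

Added example, not code from the thread or from SpamAssassin; it re-implements
the intent of the rules with the Python standard library so the checks can be
run over a raw message offline.
"""
import base64
import email
from datetime import timedelta
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample mirroring the headers and MIME layout John Fleming posted.
# Addresses and the inner boundary are placeholders (assumptions), since the
# archive redacted the real ones.
SAMPLE = (
    "Received: from ln (unknown [217.96.67.109])\r\n"
    "\tby wa9als.com (Postfix) with SMTP id 4AD4D33E60D\r\n"
    "\tfor <john@example.invalid>; Fri, 27 Jan 2006 16:54:33 -0500 (EST)\r\n"
    "From: Medeiros Pablo <pablo@example.invalid>\r\n"
    "To: <john@example.invalid>\r\n"
    "Subject: hey john\r\n"
    "Date: Fri, 27 Jan 2006 22:58:47 -0800\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/related;\r\n"
    '\ttype="multipart/alternative";\r\n'
    '\tboundary="----=_NextPart_000_000E_01C62395.3B540860"\r\n'
    "\r\n"
    "------=_NextPart_000_000E_01C62395.3B540860\r\n"
    "Content-Type: multipart/alternative;\r\n"
    '\tboundary="----=_NextPart_001_000F_01C62395.3B540860"\r\n'
    "\r\n"
    "------=_NextPart_001_000F_01C62395.3B540860\r\n"
    "Content-Type: text/plain;\r\n"
    '\tcharset="Windows-1252"\r\n'
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "\r\n"
    "------=_NextPart_001_000F_01C62395.3B540860\r\n"
    "Content-Type: text/html;\r\n"
    '\tcharset="Windows-1252"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "\r\n"
    "------=_NextPart_001_000F_01C62395.3B540860--\r\n"
    "\r\n"
    "------=_NextPart_000_000E_01C62395.3B540860--\r\n"
)

# The same message once the sender "fixed his program": an HTML body appears.
# The body is made up for the example.
_HTML = base64.b64encode(b'<html><body><img src="cid:pic"></body></html>').decode()
SAMPLE_WITH_CONTENT = SAMPLE.replace(
    "Content-Transfer-Encoding: base64\r\n\r\n\r\n",
    "Content-Transfer-Encoding: base64\r\n\r\n" + _HTML + "\r\n\r\n",
)


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def subject_targets_localpart(msg):
    """Kelson's observation: Subject is 'hey ' + the left-hand side of To:."""
    localpart = parseaddr(msg.get("To", ""))[1].split("@")[0].lower()
    subject = (msg.get("Subject") or "").strip().lower()
    return bool(localpart) and subject == "hey " + localpart


def empty_alternative(msg):
    """multipart/alternative whose text/plain and text/html both decode to nothing."""
    has_alt = any(p.get_content_type() == "multipart/alternative" for p in msg.walk())
    texts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return has_alt and bool(texts) and all(not p.get_content().strip() for p in texts)


def base64_text_html(msg):
    """mouss's candidate rule: a text/html part that is base64 encoded."""
    return any(
        p.get_content_type() == "text/html"
        and (p.get("Content-Transfer-Encoding") or "").strip().lower() == "base64"
        for p in msg.walk()
    )


def hours_in_future(msg):
    """How far Date: lies ahead of the timestamp on the topmost Received: line."""
    stamp = str(msg.get("Received", "")).rsplit(";", 1)[-1].strip()
    received = parsedate_to_datetime(stamp)
    return (parsedate_to_datetime(msg["Date"]) - received) / timedelta(hours=1)


def hits(msg):
    """Names of the heuristics that fire; HEY_LOCALPART and BASE64_TEXT_HTML are made-up names."""
    out = []
    if subject_targets_localpart(msg):
        out.append("HEY_LOCALPART")
    if empty_alternative(msg):
        out.append("MULTIPART_EMPTY")
    if base64_text_html(msg):
        out.append("BASE64_TEXT_HTML")
    if 6 <= hours_in_future(msg) < 12:
        out.append("DATE_IN_FUTURE_06_12")
    return out


if __name__ == "__main__":
    for raw in (SAMPLE, SAMPLE_WITH_CONTENT):
        print(hits(parse(raw)))
```

Running the file prints the hits for the blank message and for the one with an HTML body filled in; only MULTIPART_EMPTY drops out of the second list, which is the behaviour jdow reports once the sender fixed his program. The Date comparison reads only the topmost Received: line, the one written by the receiving MTA, so nothing the sender puts in the message can move it.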


Re: hey john spam

2006-01-28 Thread Arias Hung

On Fri, 27 Jan 2006, Thomas Cameron delivered in simple text monotype:


I wonder if perhaps it's just some sort of probe.  Maybe they send out a
bunch of them and then make a note of the ones which don't bounce.
Those are then used for the real spam.

Thoughts?

---snip---

Nah, at least I don't see how considering how many people don't bounce any
mail for fear of losing mail via bouncing legit mail on accident.




Re: hey john spam

2006-01-28 Thread jdow

From: MATSUDA Yoh-ichi [EMAIL PROTECTED]

Hello.


...

I received 2 similar spams.
Then, I wrote rules below:

...
And now the bozoid has fixed his program and there is real spam content
in the messages so they are getting caught quite neatly.

{^_-}



hey john spam

2006-01-27 Thread John Fleming
This is a new one for me.  Today I've received some mail with hey john in 
the subject, and the mail otherwise appears blank.  It didn't contain a 
virus, or it would've been discarded by ClamAV.


Are these familiar to you guys?  What's the point of them?  Headers of one 
below:  Thanks!  - John


Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from ln (unknown [217.96.67.109])
by wa9als.com (Postfix) with SMTP id 4AD4D33E60D
for [EMAIL PROTECTED]; Fri, 27 Jan 2006 16:54:33 -0500 (EST)
Message-ID: [EMAIL PROTECTED]
From: Medeiros Pablo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: hey john
Date:   Fri, 27 Jan 2006 22:58:47 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_000E_01C62395.3B540860"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
ClamAV 0.88/1254/Fri Jan 27 12:22:39 2006 signatures 35.1254

X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on Luke.wa9als.com
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=5.0 
tests=BAYES_60,DATE_IN_FUTURE_06_12

autolearn=no version=3.0.3
Status:
X-Antivirus: AVG for E-mail 7.1.375 [267.14.23/243]




Re: hey john spam

2006-01-27 Thread Mike Jackson
This is a new one for me.  Today I've received some mail with hey john 
in the subject, and the mail otherwise appears blank.  It didn't contain a 
virus, or it would've been discarded by ClamAV.


Are these familiar to you guys?  What's the point of them?  Headers of one 
below:  Thanks!  - John


It sounds like the rash of them I received today with hey postmaster in 
the subject line (postmaster was extracted from the email address the 
message was sent to, as it seems with john in the subject line of yours) 
and an embedded pornographic image. I don't think SA picked them up as spam, 
but then my server was acting pretty wonky today. 



Re: hey john spam

2006-01-27 Thread Kelson

John Fleming wrote:
This is a new one for me.  Today I've received some mail with hey john 
in the subject, and the mail otherwise appears blank.  It didn't contain 
a virus, or it would've been discarded by ClamAV.


Are these familiar to you guys?  What's the point of them?  Headers of 
one below:  Thanks!  - John


I've been seeing a lot of these over the last two days.  In each case 
it's "hey <LHS-of-address>".  So I've seen a lot of "hey kelson" and "hey 
webmaster".  I thought "hey postmaster" was funny, but then I saw "hey 
mailer-daemon".


Most of them have been blank, like the one you saw.  What's interesting 
is that they aren't actually empty -- they're multipart/alternative 
messages containing both HTML and plaintext parts -- it's just that 
there's no content in either of them.


I did see one that had some text and an attached image, but I didn't pay 
much attention to it and discarded it after training Bayes & reporting 
to Razor.  Nothing really stood out about it, so I don't remember the 
topic, and I'm not 100% certain it was one of these and not another 
piece of spam that showed up in the search for Subject: hey


My guess is that it's just a broken or misconfigured mailer.  It's 
sending incorrectly, or the spammer forgot to paste in the body of the 
message, or something.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: hey john spam

2006-01-27 Thread Thomas Cameron
On Fri, 2006-01-27 at 17:13 -0800, Kelson wrote:
 John Fleming wrote:
  This is a new one for me.  Today I've received some mail with hey john 
  in the subject, and the mail otherwise appears blank.  It didn't contain 
  a virus, or it would've been discarded by ClamAV.
  
  Are these familiar to you guys?  What's the point of them?  Headers of 
  one below:  Thanks!  - John
 
 I've been seeing a lot of these over the last two days.  In each case 
 it's "hey <LHS-of-address>".  So I've seen a lot of "hey kelson" and "hey 
 webmaster".  I thought "hey postmaster" was funny, but then I saw "hey 
 mailer-daemon".
 
 Most of them have been blank, like the one you saw.  What's interesting 
 is that they aren't actually empty -- they're multipart/alternative 
 messages containing both HTML and plaintext parts -- it's just that 
 there's no content in either of them.
 
 I did see one that had some text and an attached image, but I didn't pay 
 much attention to it and discarded it after training Bayes & reporting 
 to Razor.  Nothing really stood out about it, so I don't remember the 
 topic, and I'm not 100% certain it was one of these and not another 
 piece of spam that showed up in the search for Subject: hey
 
 My guess is that it's just a broken or misconfigured mailer.  It's 
 sending incorrectly, or the spammer forgot to paste in the body of the 
 message, or something.

I wonder if perhaps it's just some sort of probe.  Maybe they send out a
bunch of them and then make a note of the ones which don't bounce.
Those are then used for the real spam.

Thoughts?

TC



Re: hey john spam

2006-01-27 Thread jdow

From: John Fleming [EMAIL PROTECTED]

This is a new one for me.  Today I've received some mail with hey john in 
the subject, and the mail otherwise appears blank.  It didn't contain a 
virus, or it would've been discarded by ClamAV.


Are these familiar to you guys?  What's the point of them?  Headers of one 
below:  Thanks!  - John


Return-Path: [EMAIL PROTECTED]
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from ln (unknown [217.96.67.109])
by wa9als.com (Postfix) with SMTP id 4AD4D33E60D
for [EMAIL PROTECTED]; Fri, 27 Jan 2006 16:54:33 -0500 (EST)
Message-ID: [EMAIL PROTECTED]
From: Medeiros Pablo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: hey john
Date:   Fri, 27 Jan 2006 22:58:47 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_000E_01C62395.3B540860"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
ClamAV 0.88/1254/Fri Jan 27 12:22:39 2006 signatures 35.1254

X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on Luke.wa9als.com
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=5.0 
tests=BAYES_60,DATE_IN_FUTURE_06_12

autolearn=no version=3.0.3
Status:
X-Antivirus: AVG for E-mail 7.1.375 [267.14.23/243]


Yeah, I have seen at least two today. It's fishing for valid addresses.

{^_^}



Re: hey john spam

2006-01-27 Thread Michael Di Martino
Funny. I am reading this and then I get one with the subject "Hey mdm".

Spooky

Regards,
Michael Di Martino
Director of MIS
The telx Group
Office: 212 480 3300  X.2022
Cell: 646 207 6603
[EMAIL PROTECTED]
--
Sent from my BlackBerry Wireless Handheld


-Original Message-
From: Thomas Cameron [EMAIL PROTECTED]
To: Spamassassin users@spamassassin.apache.org
Sent: Fri Jan 27 21:07:11 2006
Subject: Re: hey john spam

On Fri, 2006-01-27 at 17:13 -0800, Kelson wrote:
 John Fleming wrote:
  This is a new one for me.  Today I've received some mail with hey john 
  in the subject, and the mail otherwise appears blank.  It didn't contain 
  a virus, or it would've been discarded by ClamAV.
  
  Are these familiar to you guys?  What's the point of them?  Headers of 
  one below:  Thanks!  - John
 
 I've been seeing a lot of these over the last two days.  In each case 
 it's "hey <LHS-of-address>".  So I've seen a lot of "hey kelson" and "hey 
 webmaster".  I thought "hey postmaster" was funny, but then I saw "hey 
 mailer-daemon".
 
 Most of them have been blank, like the one you saw.  What's interesting 
 is that they aren't actually empty -- they're multipart/alternative 
 messages containing both HTML and plaintext parts -- it's just that 
 there's no content in either of them.
 
 I did see one that had some text and an attached image, but I didn't pay 
 much attention to it and discarded it after training Bayes & reporting 
 to Razor.  Nothing really stood out about it, so I don't remember the 
 topic, and I'm not 100% certain it was one of these and not another 
 piece of spam that showed up in the search for Subject: hey
 
 My guess is that it's just a broken or misconfigured mailer.  It's 
 sending incorrectly, or the spammer forgot to paste in the body of the 
 message, or something.

I wonder if perhaps it's just some sort of probe.  Maybe they send out a
bunch of them and then make a note of the ones which don't bounce.
Those are then used for the real spam.

Thoughts?

TC