On 3/1/2013 12:43 PM, David F. Skoll wrote:
> These are the common elements as far as I can see in the text/plain part
> of the spam:
>
> 1) The URL always matches this regex:
>
>     http://\S+/\S+\.\S+\?
>
> In other words, there's always a dot in the URL (not counting the dots
> in the domain name itself) and a question mark.
>
> 2) The URL is then followed by possible whitespace and the name or address
> of the sender.
>
> 3) This is followed by more possible whitespace and then the date and
> time in a format that matches this regex:
>
>        \d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M
>
> Can others confirm this pattern?

I can confirm this is ONE of the patterns we've seen but we have seen other variations.

For example, here's one from yesterday that you'll note forges my brother as the sender:

Return-Path: <rasiel_mongad...@yahoo.com>
Received: from nm7.bullet.mail.gq1.yahoo.com (nm7.bullet.mail.gq1.yahoo.com [98.136.218.72])
        by intel1.peregrinehw.com (8.14.5/8.14.5) with SMTP id r1SI2WHg008621
        for <kmcgr...@peregrinehw.com>; Thu, 28 Feb 2013 13:02:33 -0500
Received: from [98.137.12.61] by nm7.bullet.mail.gq1.yahoo.com with NNFMP; 28 Feb 2013 18:02:31 -0000
Received: from [208.71.42.212] by tm6.bullet.mail.gq1.yahoo.com with NNFMP; 28 Feb 2013 18:02:31 -0000
Received: from [127.0.0.1] by smtp223.mail.gq1.yahoo.com with NNFMP; 28 Feb 2013 18:02:31 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
        t=1362074551; bh=O2aFzcTOvDvCQALZoONOlZmCJiqlFu6WnhUAJG1clGI=;
        h=X-Yahoo-Newman-Id:Message-ID:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:From:Reply-To:Subject:Date:To;
        b=5sIC6wpAChfKFdhlWmr4OhjWCpNoMhTdxsbWPAIXYyD3f+O4QKMatwXxL7uvHeFc5TD//q4hW0HQDVJ+f/XJq71XHuBeWLySuYceP9ZP5gMRMnAR8uM9o9rWw0vnwSd7+3H3ff1rCd2FunGswYwlNAG5yz79uYE7xe+sXw5qs3c=
X-Yahoo-Newman-Id: 533489.47072...@smtp223.mail.gq1.yahoo.com
Message-ID: <533489.47072...@smtp223.mail.gq1.yahoo.com>
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-SMTP: bHYtILuswBDzs9L.FhYpFEHr7NQ0kndD9GjKbx8-
Received: from localhost (rasiel_mongado29@200.121.59.161 with login)
        by smtp223.mail.gq1.yahoo.com with SMTP; 28 Feb 2013 10:02:31 -0800 PST
From: TOBY MCGRAIL <rasiel_mongad...@yahoo.com>
Reply-To: TOBY MCGRAIL <tvfdkmn...@yahoo.com>
Subject: KEVIN
Date: Thu, 28 Feb 2013 10:05:47 -0800 (PST)
To: Kevin <kmcgr...@peregrinehw.com>

kevin, hey. look what I found!            
http://www.deguciumd-munged.lt/answerbabykevingreen/


regards,
KAM
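
The three elements David lists, chained into one check and run against a constructed body and against the body of the variation posted above. This is an added example, not code from either poster; it assumes the URL regex has `\S+` after the dot, and the 80-character bound on the sender text, the `classify` helper and the `example.invalid` sample are choices made here for illustration.

```python
import re

# Element 1: URL with a dot in the path (domain dots do not count) and a "?".
# Assumption: non-whitespace (\S+) between the dot and the question mark.
URL = r"http://\S+/\S+\.\S+\?\S*"
# Element 3: date and time such as 2/28/2013 10:05:47 AM.
STAMP = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2} [AP]M"
# Element 2 sits between them: optional whitespace, the sender's name or
# address (bounded to 80 characters here, an assumption), optional whitespace.
PATTERN = re.compile(
    r"(?P<url>" + URL + r")\s*(?P<sender>.{1,80}?)\s*(?P<stamp>" + STAMP + r")",
    re.DOTALL,
)


def classify(body):
    """Report which elements appear in a text/plain body and whether they chain."""
    m = PATTERN.search(body)
    return {
        "url": bool(re.search(URL, body)),
        "stamp": bool(re.search(STAMP, body)),
        "full_pattern": bool(m),
        "sender": m.group("sender").strip() if m else None,
    }


# Constructed body that follows the described layout.
BODY_MATCH = (
    "http://example.invalid/wp-content/link.php?id=123\n"
    "  Jane Doe\n"
    " 2/28/2013 10:05:47 AM\n"
)
# Body of the variation quoted in this message (URL already munged there).
BODY_VARIATION = (
    "kevin, hey. look what I found!            \n"
    "http://www.deguciumd-munged.lt/answerbabykevingreen/\n"
)

if __name__ == "__main__":
    for name, body in (("described", BODY_MATCH), ("variation", BODY_VARIATION)):
        print(name, classify(body))
```

The variation fails all three checks: its URL has no dot after the host and no question mark, and the body carries no sender line or timestamp, so a rule built only on this pattern would not score it.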
