Posted to users@spamassassin.apache.org by Marc Perkel <ma...@perkel.com> on 2006/12/05 07:27:14 UTC

5 digit probe spam?

Is anyone else getting these? Messages with a random subject and the 
message is a 5 digit number. What is it?


Re: 5 digit probe spam?

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Tue, 05 Dec 2006 09:51:06 -0800, Marc Perkel <ma...@perkel.com>
wrote:

>
>
>Yet Another Ninja wrote:
>>
>> Just found a few ... sent directly from DULs.
>> (there went my theory...)
>>
>> :-(
>>
>>
>
>I have a theory that spammers are either doing some sort of probe or 
>sending out nonspam so that their headers are learned by bayes as good. I 
>think it's either probes or bayes poison.

I can't see 5 digits being of any use in bayes poisoning, with that
little data there's not much point feeding it to bayes anyway. As for
getting their headers known, surely that is counter-productive? If we
(and spamhaus, spamcop etc etc etc) know the headers, the spam are
less likely to get through after the probe. The time to send the spam
would have been initially?

Maybe, like me last night, they had a couple too many beers and fired
off their mails without much thought?

Nigel

Re: 5 digit probe spam?

Posted by Marc Perkel <ma...@perkel.com>.

Yet Another Ninja wrote:
>
> Just found a few ... sent directly from DULs.
> (there went my theory...)
>
> :-(
>
>

I have a theory that spammers are either doing some sort of probe or 
sending out nonspam so that their headers are learned by bayes as good. I 
think it's either probes or bayes poison.

Re: 5 digit probe spam?

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 12/5/2006 11:26 AM, Nigel Frankcom wrote:
> On Tue, 05 Dec 2006 11:16:15 +0100, Yet Another Ninja
> <sa...@alexb.ch> wrote:
> 
>> On 12/5/2006 11:02 AM, Nigel Frankcom wrote:
>>> On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja
>>> <sa...@alexb.ch> wrote:
>>>
>>>> On 12/5/2006 7:27 AM, Marc Perkel wrote:
>>>>> Is anyone else getting these? Messages with a random subject and the 
>>>>> message is a 5 digit number. What is it?
>>>>>
>>>> aren't those digits the password for a password protected Bagle variant?
>>>>
>>>> I'd bet some braindead AV strips the infected attachments and lets the
>>>> useless msg go down the path...
>>>>
>>>>
>>>> Y_A_N
>>>>
>>> Don't think so, my anti vir systems don't clean a message, they punt it
>>> to quarantine.
>> What about the Rcvd path? Hasn't the msg gone thru some other MTA which 
>> may have removed the infected file and you end up getting the trash...
>>
>>
> 
> Not that I noticed, tho I didn't look too hard. If it's the spammer's
> outbound smtp it would be ironic to say the least :-D
> 
> It's certainly a possibility.

Just found a few ... sent directly from DULs.
(there went my theory...)

:-(


Re: 5 digit probe spam?

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Tue, 05 Dec 2006 11:16:15 +0100, Yet Another Ninja
<sa...@alexb.ch> wrote:

>On 12/5/2006 11:02 AM, Nigel Frankcom wrote:
>> On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja
>> <sa...@alexb.ch> wrote:
>> 
>>> On 12/5/2006 7:27 AM, Marc Perkel wrote:
>>>> Is anyone else getting these? Messages with a random subject and the 
>>>> message is a 5 digit number. What is it?
>>>>
>>> aren't those digits the password for a password protected Bagle variant?
>>>
>>> I'd bet some braindead AV strips the infected attachments and lets the
>>> useless msg go down the path...
>>>
>>>
>>> Y_A_N
>>>
>> 
>> Don't think so, my anti vir systems don't clean a message, they punt it
>> to quarantine.
>
>What about the Rcvd path? Hasn't the msg gone thru some other MTA which 
>may have removed the infected file and you end up getting the trash...
>
>

Not that I noticed, tho I didn't look too hard. If it's the spammer's
outbound smtp it would be ironic to say the least :-D

It's certainly a possibility.

Re: 5 digit probe spam?

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 12/5/2006 11:02 AM, Nigel Frankcom wrote:
> On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja
> <sa...@alexb.ch> wrote:
> 
>> On 12/5/2006 7:27 AM, Marc Perkel wrote:
>>> Is anyone else getting these? Messages with a random subject and the 
>>> message is a 5 digit number. What is it?
>>>
>> aren't those digits the password for a password protected Bagle variant?
>>
>> I'd bet some braindead AV strips the infected attachments and lets the
>> useless msg go down the path...
>>
>>
>> Y_A_N
>>
> 
> Don't think so, my anti vir systems don't clean a message, they punt it
> to quarantine.

What about the Rcvd path? Hasn't the msg gone thru some other MTA which 
may have removed the infected file and you end up getting the trash...




Re: 5 digit probe spam?

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Tue, 05 Dec 2006 09:32:39 +0100, Yet Another Ninja
<sa...@alexb.ch> wrote:

>On 12/5/2006 7:27 AM, Marc Perkel wrote:
>> Is anyone else getting these? Messages with a random subject and the 
>> message is a 5 digit number. What is it?
>> 
>
>aren't those digits the password for a password protected Bagle variant?
>
>I'd bet some braindead AV strips the infected attachments and lets the
>useless msg go down the path...
>
>
>Y_A_N
>

Don't think so, my anti vir systems don't clean a message, they punt it
to quarantine.

That said, after them getting through initially I found a large number
in the spam folder this morning; so they are being caught now. I
haven't yet added any rules or made any changes.

The botnet one looks funky though; I must dig that out.

Nigel

Re: 5 digit probe spam?

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 12/5/2006 7:27 AM, Marc Perkel wrote:
> Is anyone else getting these? Messages with a random subject and the 
> message is a 5 digit number. What is it?
> 

aren't those digits the password for a password protected Bagle variant?

I'd bet some braindead AV strips the infected attachments and lets the
useless msg go down the path...


Y_A_N



Re: 5 digit probe spam?

Posted by "Jack L. Stone" <ja...@sage-american.com>.
On 5 Dec 2006 at 20:50, Loren Wilton wrote:

> > But there is no conclusion or discussion on what the point of that
> > type of message is.
>
> I would bet there is at least one person on this list that knows the real
> answer.  But I strongly suspect he/she is a lurker and doesn't post.
>
> That said, this shows all the signs of being a spam run misfire.  There is
> probably a new program out there that was supposed to take numbers in a form
> like %12345% or some such and generate random spam bodies, or at least the
> frontend bayes poison text.  Either the generator program had a bug, or more
> likely Novice Spammer had a bug and forgot the percent signs (or whatever
> magic characters were required for the macro expansion).  Novice Spammer
> probably also forgot the important part of the spam, as well as screwing up
> the macro call.
>
>         Loren
>

FWIW: I am receiving a few of those that are coming through one 
of my web forms -- perhaps a robot test probe to see if form is 
viable for the spammer use.


Regards,
Jack L. Stone
System Admin


Re: 5 digit probe spam?

Posted by Loren Wilton <lw...@earthlink.net>.
> But there is no conclusion or discussion on what the point of that
> type of message is.

I would bet there is at least one person on this list that knows the real 
answer.  But I strongly suspect he/she is a lurker and doesn't post.

That said, this shows all the signs of being a spam run misfire.  There is 
probably a new program out there that was supposed to take numbers in a form 
like %12345% or some such and generate random spam bodies, or at least the 
frontend bayes poison text.  Either the generator program had a bug, or more 
likely Novice Spammer had a bug and forgot the percent signs (or whatever 
magic characters were required for the macro expansion).  Novice Spammer 
probably also forgot the important part of the spam, as well as screwing up 
the macro call.

        Loren


Re: 5 digit probe spam?

Posted by Vivek Khera <vi...@khera.org>.
On Dec 5, 2006, at 1:38 AM, Evan Platt wrote:

> At 10:27 PM 12/4/2006, you wrote:
>> Is anyone else getting these? Messages with a random subject and  
>> the message is a 5 digit number. What is it?
>
> See the thread earlier today "spam"

But there is no conclusion or discussion on what the point of that  
type of message is.

And anyone who starts a thread on this discussion list with the  
subject 'spam' has got to get some clues!


Re: 5 digit probe spam?

Posted by Evan Platt <ev...@espphotography.com>.
At 10:27 PM 12/4/2006, you wrote:
>Is anyone else getting these? Messages with a random subject and the 
>message is a 5 digit number. What is it?

See the thread earlier today "spam"