Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2005/08/11 00:39:08 UTC
Re: What the hell is that?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Brett Cove writes:
> Ryan L. Sun wrote:
> > That explanation makes sense.
> > Spammers show their scripts to us, lol.
>
> Yep, and if anyone was wondering, those ratware templates were supposed to
> generate one of our friendly (and increasingly common) geocities links.
>
> ex) 'http://uk.geocities.com/Freddie_Shuler/?ElxF8=US FDA approves all
> of our'
> >
> > >> http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^<m8>%}={%ROTF:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}
interesting! BTW this google search:
http://www.google.com/search?q=%22everydaydomain%22&filter=0
gives some more results along the same lines, including some more
inputs and outputs. for example:
http://mail.sarai.net/pipermail/aaj-ke-naam/2005-August/005316.html :
http://{%LOGWITHID:{%RND:<m5>.<l5>%}.{%ROTF:E:\EveryDayDomain\all01.txt%}/{%ROTF:E:\EveryDayDomain\GE\fold(TA).txt%}/
{%ROTF:E:\book1done.txt%}
{%ROTF:E:\book4done.txt%}
{%ROTF:E:\book2done.txt%}
%}
my notes:
- %LOGWITHID: my guess is that dumps the random data to a log file, so
that list-washing is possible in response to bounces or domain lookups,
even with all sorts of data scrubbed (even the URLs).
- bookNdone.txt: Project Gutenberg texts. this results in the lines like
'the beast of burden, which suffers blows and hunger, and works' and
'through the little grounds, and stopped for no other purpose than to
say, ' in
http://lists.ucc.gu.uwa.edu.au/pipermail/ucc/2005-August/012847.html .
- A very very good way to find patterns is to figure out the "random"
patterns. In some other examples on that google search, and the
example above, you can see "{%RND:<m5>.<l5>%}" producing e.g.
"7KHq.ux", so I think <m5> means "mixed upper, lowercase and digits
for up to 5 chars" and <l5> means "lowercase for up to 5 chars".
- My bet: it's the same spammer, possibly subcontracting to a few
mail-sending guys. He/she has been producing a *lot* of spam, and
certainly tries to get past SpamAssassin.
- "EveryDayDomain" doesn't appear in google at all, except in similar
broken spam. So it's a spammer tool that's being kept very quiet (or
else is very new).
- http://listes.tice.ac-caen.fr/pipermail/atelier12/2005-August.txt is
an incredible collection of spam from this spammer ;)
--j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS
iD8DBQFC+oIMMJF5cimLx9ARAoTgAJwIUdQ48gCjtYknzwiROTIODDl8vQCfcxxw
CTpW2XuZ+C0e1ipaT1JLYiY=
=HtZd
-----END PGP SIGNATURE-----
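The unexpanded {%NAME:...%} tokens discussed in this thread are a usable detection signal in their own right, and the "<m5>.<l5>" guess can be checked against the observed "7KHq.ux" mechanically. The Python below is an added example written for this archive page; it is not code from the thread, from SpamAssassin, or from the ratware tool. It assumes the thread's readings of the macros (ROTF = rotate a line from a file, <mN> = up to N mixed letters/digits, <lN> = up to N lowercase letters); those are assumptions, not documented semantics, and the meaning of the "^" prefix in "<m8>" is left uninterpreted. The sample body is constructed from the two templates quoted above, with the archive's line wraps removed and one bookNdone rotation kept.

```python
import re

OPEN, CLOSE = "{%", "%}"
NAME_RE = re.compile(r"\{%([A-Za-z]+):")      # opener must be {%NAME: (colon required)
RND_TOKEN_RE = re.compile(r"<([ml])(\d+)>")   # <m5>, <l5>, <m8>

# Constructed sample body built from the templates quoted in the thread.
SAMPLE_BODY = r"""US FDA approves all of our
http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^<m8>%}={%ROTF:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}
http://{%LOGWITHID:{%RND:<m5>.<l5>%}.{%ROTF:E:\EveryDayDomain\all01.txt%}/{%ROTF:E:\EveryDayDomain\GE\fold(TA).txt%}/
{%ROTF:E:\book1done.txt%}
%}
"""


def find_macros(text):
    """Return (name, body, depth) for every balanced {%NAME:body%} token,
    innermost first.  A stack handles nesting such as LOGWITHID wrapping
    ROTF and RND.  A '%}' with nothing open, or a '{%' not followed by
    'NAME:', is ignored, so Jinja-style '{% if x %}' in legitimate mail
    does not hit."""
    stack, found, i = [], [], 0
    while i < len(text):
        if text.startswith(OPEN, i):
            m = NAME_RE.match(text, i)
            if m:
                stack.append((m.group(1), m.end(), len(stack)))
                i = m.end()
                continue
        elif text.startswith(CLOSE, i) and stack:
            name, body_start, depth = stack.pop()
            found.append((name, text[body_start:i], depth))
            i += len(CLOSE)
            continue
        i += 1
    return found


def macro_counts(text):
    """Per-macro hit counts; any non-empty result is a ratware-leak hit."""
    counts = {}
    for name, _, _ in find_macros(text):
        counts[name] = counts.get(name, 0) + 1
    return counts


def rotation_files(text):
    """Distinct file paths named in ROTF macros (assumed: rotate-from-file).
    Useful for clustering leaked templates across archives."""
    return sorted({body for name, body, _ in find_macros(text) if name == "ROTF"})


def rnd_spec_to_regex(spec):
    """Translate an RND spec under the thread's guess (assumption):
    <mN> = 1..N of [A-Za-z0-9], <lN> = 1..N of [a-z].  Every other
    character, including the '^' in '^<m8>', is matched literally because
    the thread does not establish what it means."""
    out, pos = [], 0
    for m in RND_TOKEN_RE.finditer(spec):
        out.append(re.escape(spec[pos:m.start()]))
        cls = "[A-Za-z0-9]" if m.group(1) == "m" else "[a-z]"
        out.append(f"{cls}{{1,{int(m.group(2))}}}")
        pos = m.end()
    out.append(re.escape(spec[pos:]))
    return re.compile("".join(out))


def rnd_matches(spec, observed):
    """True if an observed token (e.g. '7KHq.ux') is consistent with spec."""
    return rnd_spec_to_regex(spec).fullmatch(observed) is not None


if __name__ == "__main__":
    print(macro_counts(SAMPLE_BODY))
    print(rotation_files(SAMPLE_BODY))
    print(rnd_matches("<m5>.<l5>", "7KHq.ux"))
```

Keying the opener on the "NAME:" form rather than on "{%" alone is what keeps this from firing on ordinary template markup; the nesting depth is kept so that a rule can distinguish a LOGWITHID wrapper (always outermost in the samples above) from the ROTF and RND tokens it contains.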