Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2005/08/11 00:39:08 UTC

Re: What the hell is that?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Brett Cove writes:
> Ryan L. Sun wrote:
> > That explanation makes sense.
> > Spammers show their scripts to us, lol.
> 
> Yep, and if anyone was wondering, those ratware templates were supposed to 
> generate one of our friendly (and increasingly common) geocities links.
> 
> ex) 'http://uk.geocities.com/Freddie_Shuler/?ElxF8=US FDA approves all 
> of our'
> > 
> >      >> http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^<m8>
> >      >> %}={%ROTF:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}

interesting! BTW this google search:
http://www.google.com/search?q=%22everydaydomain%22&filter=0
gives some more results along the same lines, including some more
inputs and outputs.  for example:

http://mail.sarai.net/pipermail/aaj-ke-naam/2005-August/005316.html :

  http://{%LOGWITHID:{%RND:<m5>.<l5>%}.{%ROTF:E:\EveryDayDomain\all01.txt%}/{
  %ROTF:E:\EveryDayDomain\GE\fold(TA).txt%}/


  {%ROTF:E:\book1done.txt%}

  {%ROTF:E:\book4done.txt%}

  {%ROTF:E:\book2done.txt%}
  %}

my notes:

- %LOGWITHID: my guess is that dumps the random data to a log file, so
  that list-washing is possible in response to bounces or domain lookups,
  even with all sorts of data scrubbed (even the URLs).

- bookNdone.txt: Project Gutenberg texts.  this results in the lines like
  'the beast of burden, which suffers blows and hunger, and works' and
  'through the little grounds, and stopped for no other purpose than to
  say, ' in
  http://lists.ucc.gu.uwa.edu.au/pipermail/ucc/2005-August/012847.html .

- A very very good way to find patterns is to figure out the "random"
  patterns.  In some other examples on that google search, and the
  example above, you can see "{%RND:<m5>.<l5>%}" producing e.g.
  "7KHq.ux", so I think <m5> means "mixed upper, lowercase and digits
  for up to 5 chars" and <l5> means "lowercase for up to 5 chars".

- My bet: it's the same spammer, possibly subcontracting to a few
  mail-sending guys.  He/she has been producing a *lot* of spam, and
  certainly tries to get past SpamAssassin.

- "EveryDayDomain" doesn't appear in google at all, except in similar
  broken spam.   So it's a spammer tool that's being kept very quiet (or
  else is very new).

- http://listes.tice.ac-caen.fr/pipermail/atelier12/2005-August.txt is
  an incredible collection of spam from this spammer ;)

--j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFC+oIMMJF5cimLx9ARAoTgAJwIUdQ48gCjtYknzwiROTIODDl8vQCfcxxw
CTpW2XuZ+C0e1ipaT1JLYiY=
=HtZd
-----END PGP SIGNATURE-----
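The two detection ideas in the notes above (flag mail that still carries unexpanded `{%ROTF:...%}` / `{%RND:...%}` / `{%LOGWITHID:...%}` macros, and turn the guessed `<m5>.<l5>` spec into a pattern that matches the "random" strings the tool emits) written out as a small Python module. This is an added example, not code from the list post or from SpamAssassin; the meaning of the `m` and `l` spec letters is taken from Justin's guess and is an assumption, and the sample message text is constructed from the template fragments quoted in the thread.

```python
import re

# Macro names seen in the leaked ratware templates quoted on the list.
# A real generated message would never contain these unexpanded.
TEMPLATE_TOKEN = re.compile(r"\{%(ROTF|RND|LOGWITHID):")

# Spec letter -> character class. This follows the guess in the post
# (m = mixed upper/lower/digits, l = lowercase, "up to N chars"); it is
# an assumption, not documented behaviour of the tool.
CLASS_MAP = {
    "m": "[A-Za-z0-9]",
    "l": "[a-z]",
}

# Constructed sample: a "broken" spam body that leaked its template,
# assembled from the fragments quoted in the thread.
SAMPLE_BROKEN_SPAM = r"""US FDA approves all of our
http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^<m8>
%}={%ROTF:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}
"""


def rnd_spec_to_regex(spec):
    """Turn an RND spec such as '<m5>.<l5>' into an anchored regex source.

    Literal text between <..> groups is escaped, each <xN> becomes a
    character class repeated 1..N times.
    """
    parts = []
    pos = 0
    for m in re.finditer(r"<([a-z])(\d+)>", spec):
        parts.append(re.escape(spec[pos:m.start()]))
        letter, width = m.group(1), m.group(2)
        if letter not in CLASS_MAP:
            raise ValueError(f"unknown RND class letter {letter!r}")
        parts.append(f"{CLASS_MAP[letter]}{{1,{width}}}")
        pos = m.end()
    parts.append(re.escape(spec[pos:]))
    return "^" + "".join(parts) + "$"


def matches_rnd(spec, sample):
    """True if sample could have been produced by the given RND spec."""
    return re.match(rnd_spec_to_regex(spec), sample) is not None


def find_leaked_tokens(text):
    """Return the sorted set of unexpanded macro names present in text."""
    return sorted(set(TEMPLATE_TOKEN.findall(text)))


if __name__ == "__main__":
    print(rnd_spec_to_regex("<m5>.<l5>"))
    print(matches_rnd("<m5>.<l5>", "7KHq.ux"))
    print(find_leaked_tokens(SAMPLE_BROKEN_SPAM))
```

`find_leaked_tokens` is the cheap, high-confidence check: any hit means the sender's tool failed to expand its template, which is exactly the "broken spam" the thread is looking at. `rnd_spec_to_regex` is only as good as the guess about the spec letters, so treat a match as a weak signal to combine with other rules rather than a verdict on its own.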