You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Kevin Peuhkurinen <ke...@meridiancu.ca> on 2005/05/30 18:01:49 UTC
New dictionary spamming method?
I've noticed recently in my MTA logs a growing trend of attempts to send
email to numbered email addresses, such as:
0491.5090900@mydomain.ca
2050409@mydomain.ca
18.4060100@mydomain.ca
39.4030901@mydomain.ca
3.5070002@mydomain.ca
4.3040500@mydomain.ca
Anyone have any ideas why spammers would be trying this particular tactic?
Re: New dictionary spamming method -- SOLVED!
Posted by Kelson <ke...@speed.net>.
Kevin Peuhkurinen wrote:
> Looks like some particularly inept spammer is grabbing partial
> Message-IDs from the headers of messages on this list and trying to send
> email to them as though they were email addresses. Sad, really.
We occasionally get mail sent to *full* message-IDs. A nice
demonstration of the fact that (at least some) spammers really don't pay
any attention to what's on their lists.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
Re: New dictionary spamming method -- SOLVED!
Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
Looks like some particularly inept spammer is grabbing partial
Message-IDs from the headers of messages on this list and trying to send
email to them as though they were email addresses. Sad, really.
Kevin Peuhkurinen wrote:
> I've noticed recently in my MTA logs a growing trend of attempts to
> send email to numbered email addresses, such as:
>
> 0491.5090900@mydomain.ca
> 2050409@mydomain.ca
> 18.4060100@mydomain.ca
> 39.4030901@mydomain.ca
> 3.5070002@mydomain.ca
> 4.3040500@mydomain.ca
>
> Anyone have any ideas why spammers would be trying this particular
> tactic?
>
>
Re: New dictionary spamming method?
Posted by Rick van Vliet <qm...@rickvanvliet.com>.
Steven Stern said the following on 5/30/2005 12:11 PM:
> Kevin Peuhkurinen wrote:
>
>> Steven Stern wrote:
>>
>>> I got a similar bunch of messages (approx 250) between 6:05 and 6:15
>>> CDT, from about 10 unique IP addresses, yesterday and today, but on only
>>> one of my 3 MX servers.
>>>
>> Interesting. For me, they started May 28th at almost exactly noon
>> EDT. I'm almost tempted to let a couple through to verify if it is
>> spam or a virus.
>>
>
> They get stopped on my system by milter-greylist. I'm interested in
> your results if you let a few through. Given the short duration bursts,
> it seems more like a probe than a flat out, widespread attack. Maybe
> yet another followup from Sober.
>
>
Got a handful, too - definitely not an all-out attack, but the ones I
salvaged do simply look like the ever-popular male-enhancement pills in
multi-part. I use safecat to pop spam in the user's .Spam folder, but
these were stopped due to no-valid-address....and then doubleBounced.
SA 3.0.3 gave them a "-0.2" score. :\
Anyone want a copy?
Re: New dictionary spamming method?
Posted by Steven Stern <su...@sterndata.com>.
Kevin Peuhkurinen wrote:
> Steven Stern wrote:
>
>> I got a similar bunch of messages (approx 250) between 6:05 and 6:15
>> CDT, from about 10 unique IP addresses, yesterday and today, but on only
>> one of my 3 MX servers.
>>
> Interesting. For me, they started May 28th at almost exactly noon
> EDT. I'm almost tempted to let a couple through to verify if it is
> spam or a virus.
>
They get stopped on my system by milter-greylist. I'm interested in
your results if you let a few through. Given the short duration bursts,
it seems more like a probe than a flat out, widespread attack. Maybe
yet another followup from Sober.
--
Steve
Re: New dictionary spamming method?
Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
Steven Stern wrote:
> I got a similar bunch of messages (approx 250) between 6:05 and 6:15
> CDT, from about 10 unique IP addresses, yesterday and today, but on only
> one of my 3 MX servers.
>
Interesting. For me, they started May 28th at almost exactly noon
EDT. I'm almost tempted to let a couple through to verify if it is
spam or a virus.
Re: New dictionary spamming method?
Posted by Steven Stern <su...@sterndata.com>.
Kevin Peuhkurinen wrote:
> I've noticed recently in my MTA logs a growing trend of attempts to send
> email to numbered email addresses, such as:
>
> 0491.5090900@mydomain.ca
> 2050409@mydomain.ca
> 18.4060100@mydomain.ca
> 39.4030901@mydomain.ca
> 3.5070002@mydomain.ca
> 4.3040500@mydomain.ca
>
> Anyone have any ideas why spammers would be trying this particular tactic?
>
I got a similar bunch of messages (approx 250) between 6:05 and 6:15
CDT, from about 10 unique IP addresses, yesterday and today, but on only
one of my 3 MX servers.
--
Steve