Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2006/07/14 11:05:03 UTC

spam with HTTP 503 payload

Check this out.  Looks like the spam bots are set up to HTTP GET the
payload html from a "home base" web server -- thereby allowing payload
html to be modified easily as the spam run continues, without having to
mess with the distributed net of zombies.  I think we saw something
similar before.

Only thing is, the spammer forgot to fix the Apache error page to omit the
ServerName -- so we can see that the home base is 66.36.241.158, a machine
on a Washington, DC ISP.

--j.

Return-Path: <i...@eire.com>
X-Original-To: [spamtrap]
Delivered-To: jm@dogma.boxhost.net
Received: from localhost [127.0.0.1]
	by radish.jmason.org with IMAP (fetchmail-6.3.2)
	for <jm...@localhost> (single-drop); Fri, 14 Jul 2006 03:00:41 +0100 (IST)
Received: from a-hrq391ahiw2sz (ARennes-252-1-81-136.w86-203.abo.wanadoo.fr [86.203.52.136])
	by dogma.boxhost.net (Postfix) with SMTP id 04DF53101D8
	for <[spamtrap]>; Fri, 14 Jul 2006 02:51:24 +0100 (IST)
Message-Id: <20...@dogma.boxhost.net>
Date: Fri, 14 Jul 2006 02:51:24 +0100 (IST)
From: i@eire.com
To: undisclosed-recipients:;
X-IMAPbase: 1075077319 230635
Status: O
X-UID: 230635
X-Keywords:                                                                                                    

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
<hr>
<address>Apache/2.0.53 (Fedora) Server at 66.36.241.158 Port 80</address>
</body></html>
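
One way a mail filter could flag this pattern, as an added example (not part of the original post and not SpamAssassin code): it looks for an HTTP error page used as the message body and pulls the host out of the Apache signature footer. The function name, the regexes and the trimmed sample are assumptions made for illustration; the match is a heuristic, not a complete rule.

```python
import re
from email import message_from_string

# Constructed sample: a trimmed copy of the message quoted in the post.
SAMPLE = """\
From: i@eire.com
To: undisclosed-recipients:;

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<hr>
<address>Apache/2.0.53 (Fedora) Server at 66.36.241.158 Port 80</address>
</body></html>
"""

# An HTTP 4xx/5xx status line used as the page title, as Apache error pages do.
TITLE_RE = re.compile(r"<title>\s*([45]\d\d)\s+([^<]+?)\s*</title>", re.I)
# Apache's ServerSignature footer: "<banner> Server at <host> Port <n>".
FOOTER_RE = re.compile(
    r"<address>\s*(.*?)\s+Server at\s+(\S+)\s+Port\s+(\d+)\s*</address>", re.I)

def find_http_error_payload(raw_message):
    """Return details of an HTTP error page used as a mail body, else None."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True)
        if not data:
            continue
        text = data.decode("latin-1")
        title = TITLE_RE.search(text)
        if title is None:
            continue
        hit = {"status": int(title.group(1)), "reason": title.group(2),
               "server": None, "host": None, "port": None}
        footer = FOOTER_RE.search(text)  # absent when ServerSignature is off
        if footer:
            hit.update(server=footer.group(1), host=footer.group(2),
                       port=int(footer.group(3)))
        return hit
    return None

if __name__ == "__main__":
    print(find_http_error_payload(SAMPLE))
```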