Posted to users@spamassassin.apache.org by John Fleming <jo...@wa9als.com> on 2006/01/28 01:48:03 UTC

hey john spam

This is a new one for me.  Today I've received some mail with "hey john" in 
the subject, and the mail otherwise appears blank.  It didn't contain a 
virus, or it would've been discarded by ClamAV.

Are these familiar to you guys?  What's the point of them?  Headers of one 
below:  Thanks!  - John

Return-Path: <fy...@fredonia.edu>
X-Original-To: john@wa9als.com
Delivered-To: john@wa9als.com
Received: from ln (unknown [217.96.67.109])
 by wa9als.com (Postfix) with SMTP id 4AD4D33E60D
 for <jo...@wa9als.com>; Fri, 27 Jan 2006 16:54:33 -0500 (EST)
Message-ID: <00...@ln>
From: "Medeiros Pablo" <fy...@fredonia.edu>
To: john@wa9als.com
Subject: hey john
Date:   Fri, 27 Jan 2006 22:58:47 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
 type="multipart/alternative";
 boundary="----=_NextPart_000_000E_01C62395.3B540860"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Status: No
X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
ClamAV 0.88/1254/Fri Jan 27 12:22:39 2006 signatures 35.1254
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on Luke.wa9als.com
X-Spam-Level: **
X-Spam-Status: No, score=2.3 required=5.0 
tests=BAYES_60,DATE_IN_FUTURE_06_12
 autolearn=no version=3.0.3
Status:
X-Antivirus: AVG for E-mail 7.1.375 [267.14.23/243]



Re: hey john spam

Posted by jdow <jd...@earthlink.net>.
From: "John Fleming" <jo...@wa9als.com>

> This is a new one for me.  Today I've received some mail with "hey john" in 
> the subject, and the mail otherwise appears blank.  It didn't contain a 
> virus, or it would've been discarded by ClamAV.
> 
> Are these familiar to you guys?  What's the point of them?  Headers of one 
> below:  Thanks!  - John
> 
> Return-Path: <fy...@fredonia.edu>
> X-Original-To: john@wa9als.com
> Delivered-To: john@wa9als.com
> Received: from ln (unknown [217.96.67.109])
> by wa9als.com (Postfix) with SMTP id 4AD4D33E60D
> for <jo...@wa9als.com>; Fri, 27 Jan 2006 16:54:33 -0500 (EST)
> Message-ID: <00...@ln>
> From: "Medeiros Pablo" <fy...@fredonia.edu>
> To: john@wa9als.com
> Subject: hey john
> Date:   Fri, 27 Jan 2006 22:58:47 -0800
> MIME-Version: 1.0
> Content-Type: multipart/related;
> type="multipart/alternative";
> boundary="----=_NextPart_000_000E_01C62395.3B540860"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> X-Virus-Status: No
> X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
> ClamAV 0.88/1254/Fri Jan 27 12:22:39 2006 signatures 35.1254
> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on Luke.wa9als.com
> X-Spam-Level: **
> X-Spam-Status: No, score=2.3 required=5.0 
> tests=BAYES_60,DATE_IN_FUTURE_06_12
> autolearn=no version=3.0.3
> Status:
> X-Antivirus: AVG for E-mail 7.1.375 [267.14.23/243]

Yeah, I have seen at least two today. It's fishing for valid addresses.

{^_^}


Re: hey john spam

Posted by Arias Hung <ar...@m-a-g.net>.
On Fri, 27 Jan 2006, Thomas Cameron delivered in simple text monotype:

>I wonder if perhaps it's just some sort of probe.  Maybe they send out a
>bunch of them and then make a note of the ones which don't bounce.
>Those are then used for the "real" spam.
>
>Thoughts?
<---snip--->

Nah, at least I don't see how considering how many people don't bounce any
mail for fear of losing mail via bouncing legit mail on accident.

Re: hey john spam

Posted by Thomas Cameron <th...@camerontech.com>.
On Fri, 2006-01-27 at 17:13 -0800, Kelson wrote:
> John Fleming wrote:
> > This is a new one for me.  Today I've received some mail with "hey john" 
> > in the subject, and the mail otherwise appears blank.  It didn't contain 
> > a virus, or it would've been discarded by ClamAV.
> > 
> > Are these familiar to you guys?  What's the point of them?  Headers of 
> > one below:  Thanks!  - John
> 
> I've been seeing a lot of these over the last two days.  In each case 
> it's "hey LHS-of-address".  So I've seen a lot of "hey kelson" and "hey 
> webmaster".  I thought "hey postmaster" was funny, but then I saw "hey 
> mailer-daemon".
> 
> Most of them have been blank, like the one you saw.  What's interesting 
> is that they aren't actually empty -- they're multipart/alternative 
> messages containing both HTML and plaintext parts -- it's just that 
> there's no content in either of them.
> 
> I did see one that had some text and an attached image, but I didn't pay 
> much attention to it and discarded it after training Bayes & reporting 
> to Razor.  Nothing really stood out about it, so I don't remember the 
> topic, and I'm not 100% certain it was one of these and not another 
> piece of spam that showed up in the search for "Subject: hey"
> 
> My guess is that it's just a broken or misconfigured mailer.  It's 
> sending incorrectly, or the spammer forgot to paste in the body of the 
> message, or something.

I wonder if perhaps it's just some sort of probe.  Maybe they send out a
bunch of them and then make a note of the ones which don't bounce.
Those are then used for the "real" spam.

Thoughts?

TC


Re: hey john spam

Posted by Kelson <ke...@speed.net>.
John Fleming wrote:
> This is a new one for me.  Today I've received some mail with "hey john" 
> in the subject, and the mail otherwise appears blank.  It didn't contain 
> a virus, or it would've been discarded by ClamAV.
> 
> Are these familiar to you guys?  What's the point of them?  Headers of 
> one below:  Thanks!  - John

I've been seeing a lot of these over the last two days.  In each case 
it's "hey LHS-of-address".  So I've seen a lot of "hey kelson" and "hey 
webmaster".  I thought "hey postmaster" was funny, but then I saw "hey 
mailer-daemon".

Most of them have been blank, like the one you saw.  What's interesting 
is that they aren't actually empty -- they're multipart/alternative 
messages containing both HTML and plaintext parts -- it's just that 
there's no content in either of them.

I did see one that had some text and an attached image, but I didn't pay 
much attention to it and discarded it after training Bayes & reporting 
to Razor.  Nothing really stood out about it, so I don't remember the 
topic, and I'm not 100% certain it was one of these and not another 
piece of spam that showed up in the search for "Subject: hey"

My guess is that it's just a broken or misconfigured mailer.  It's 
sending incorrectly, or the spammer forgot to paste in the body of the 
message, or something.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: hey john spam

Posted by Mike Jackson <mj...@barking-dog.net>.
> This is a new one for me.  Today I've received some mail with "hey john" 
> in the subject, and the mail otherwise appears blank.  It didn't contain a 
> virus, or it would've been discarded by ClamAV.
>
> Are these familiar to you guys?  What's the point of them?  Headers of one 
> below:  Thanks!  - John

It sounds like the rash of them I received today with "hey postmaster" in 
the subject line (postmaster was extracted from the email address the 
message was sent to, as it seems with "john" in the subject line of yours) 
and an embedded pornographic image. I don't think SA picked them up as spam, 
but then my server was acting pretty wonky today. 


Re: hey john spam

Posted by mouss <us...@free.fr>.
jdow wrote:
> 
> I'm watching them still roll in and have developed a theory about them.
> Suppose some "idiot" decides to play "white hat hacker" with a botnet
> he managed to commandeer or a set of open relays he managed to discover.
> So he sends these strange emails through those links with the intent of
> effectively generating a DoS attack against the open relays or compromised
> computers. I note that the scores on the messages are going up with time
> as they get listed in more and more of the BLs. At a guess chello.pl is
> having a problem delivering email anywhere in the world at the moment.
> Their user at 84.10.17.111 is certainly not delivering mail very many
> places. It's a "semi-clever" DoS against open spam sources.
> 

other theory:
- broken ratware (voluntarily or involuntarily) spread and used by silly
spammers who failed to configure it or to pass correct data.

The few that "work" contain (at least) an image, and most seem to use
the same html css.

BTW one of these contained:
	Content-Type: text/html; Windows-1252
	Content-Transfer-Encoding: base64
why would one base64 encode a text/html part? sounds like a good
candidate for a rule. any opinions?
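The three observations made so far (Kelson's: the blank messages are multipart/alternative with a text/plain and a text/html part that both carry nothing; mouss's: a base64-encoded text/html part is a candidate for a rule; and the "hey <local part of the recipient>" subject everyone is seeing) turned into a small triage script. This is an added example, not code from the list, from SpamAssassin or from any of the posters. The messages it parses are constructed to the shape described in the thread (example.* addresses, a made-up inner boundary; the outer boundary copies the shape of the one John quoted), and the finding names and the greeting list in GREETING_RE are my own choices.

```python
"""Triage checks for the blank "hey <localpart>" messages discussed in this thread.

Added example (not list or SpamAssassin code). Findings raised:
  MULTIPART_EMPTY          text/plain and text/html parts exist but show no text
  HTML_BASE64              a text/html part is sent base64-encoded
  SUBJECT_GREETS_LOCALPART Subject is a greeting plus the recipient's local part
All sample messages below are constructed, not captured mail.
"""
import base64
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

TAG_RE = re.compile(r"<[^>]+>")
# Greeting words seen in the thread ("hey john", "News for john"); assumed list.
GREETING_RE = re.compile(r"^\s*(?:hey|news for)\s+(\S+)\s*$", re.IGNORECASE)

OUTER = "----=_NextPart_000_000E_01C62395.3B540860"   # boundary shape quoted in the thread
INNER = "----=_NextPart_001_000F_01C62395.3B540860"   # constructed inner boundary


def visible_text(part):
    """Decoded text of a text/* part with HTML tags removed and whitespace stripped."""
    text = part.get_content()          # undoes transfer encoding and charset
    if part.get_content_subtype() == "html":
        text = TAG_RE.sub("", text)
    return text.strip()


def triage(raw_bytes):
    """Return the sorted list of finding names for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = set()
    text_parts = [p for p in msg.walk()
                  if not p.is_multipart() and p.get_content_maintype() == "text"]

    # 1. Kelson's observation: the parts are there, the content is not.
    if msg.is_multipart() and text_parts and all(visible_text(p) == "" for p in text_parts):
        findings.add("MULTIPART_EMPTY")

    # 2. mouss's candidate rule: base64 is an odd choice for a text/html part.
    for p in text_parts:
        cte = str(p.get("Content-Transfer-Encoding", "")).strip().lower()
        if p.get_content_type() == "text/html" and cte == "base64":
            findings.add("HTML_BASE64")

    # 3. Subject is a greeting followed by the recipient's own local part.
    localpart = parseaddr(str(msg.get("To", "")))[1].split("@")[0].lower()
    m = GREETING_RE.match(str(msg.get("Subject", "")))
    if localpart and m and m.group(1).lower() == localpart:
        findings.add("SUBJECT_GREETS_LOCALPART")
    return sorted(findings)


def _part(boundary, ctype, cte, body):
    """Lines of one MIME part in the Outlook Express style seen in the thread."""
    return [f"--{boundary}", f"Content-Type: {ctype};", '\tcharset="Windows-1252"',
            f"Content-Transfer-Encoding: {cte}", "", body]


def _raw(lines):
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def build_blank_message():
    """Constructed copy of the blank variant: empty text/plain and text/html parts."""
    return _raw([
        'From: "Medeiros Pablo" <sender@example.edu>', "To: john@example.com",
        "Subject: hey john", "MIME-Version: 1.0",
        "Content-Type: multipart/related;", '\ttype="multipart/alternative";',
        f'\tboundary="{OUTER}"', "",
        f"--{OUTER}", "Content-Type: multipart/alternative;", f'\tboundary="{INNER}"', "",
        *_part(INNER, "text/plain", "quoted-printable", ""),
        *_part(INNER, "text/html", "quoted-printable", "<html><body></body></html>"),
        f"--{INNER}--", "", f"--{OUTER}--",
    ])


def build_base64_html_message():
    """Constructed copy of the later variant with content: one base64 text/html part."""
    html = '<html><body><p>News for you</p><img src="cid:picture"></body></html>'
    return _raw([
        "From: sender@example.net", "To: john@example.com", "Subject: News for john",
        "MIME-Version: 1.0", f'Content-Type: multipart/related; boundary="{OUTER}"', "",
        *_part(OUTER, "text/html", "base64",
               base64.b64encode(html.encode("cp1252")).decode("ascii")),
        f"--{OUTER}--",
    ])


def build_ordinary_message():
    """Constructed ordinary mail, expected to raise no finding."""
    return _raw(["From: colleague@example.org", "To: john@example.com",
                 "Subject: Re: meeting on Monday", "MIME-Version: 1.0",
                 'Content-Type: text/plain; charset="us-ascii"', "", "See you at ten."])


if __name__ == "__main__":
    for build in (build_blank_message, build_base64_html_message, build_ordinary_message):
        print(build.__name__, "->", triage(build()))
```

None of the three findings is a verdict on its own: an ordinary HTML newsletter can legitimately arrive base64-encoded, which is why mouss's rule, like MATSUDA's MULTIPART_EMPTY later in the thread, belongs in a meta combined with Bayes or a date test rather than carrying a large score by itself.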

Re: hey john spam

Posted by Kelson <ke...@speed.net>.
I just got one with content!

Well, sort of.

The HTML part contained a forged set of headers -- just the user-visible 
ones you expect on an inline forward:

> ----- Original Message -----
> From:
> To: btxiberk@<probably_forged_domain>
> Sent: Wednesday, February 1, 2006 11:33 AM
> Subject: hey perl

That was it.  (The target address was, of course, perl @ this domain.) 
The To: line bore no resemblance to the sender on the actual message, 
except for having an obviously random left-hand side.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: hey john spam

Posted by John Fleming <jo...@wa9als.com>.
----- Original Message ----- 
From: "mouss" <us...@free.fr>
To: "jdow" <jd...@earthlink.net>
Cc: <us...@spamassassin.apache.org>
Sent: Monday, January 30, 2006 2:01 PM
Subject: Re: hey john spam


> jdow wrote:
>>
>> I'm watching them still roll in
>
>
> seems they switched to "News for john".

Interesting - I'm -not- getting that one!  - John!  ;-)


Re: hey john spam

Posted by mouss <us...@free.fr>.
jdow wrote:
> 
> I'm watching them still roll in and have developed a theory about them.
> Suppose some "idiot" decides to play "white hat hacker" with a botnet
> he managed to commandeer or a set of open relays he managed to discover.
> So he sends these strange emails through those links with the intent of
> effectively generating a DoS attack against the open relays or compromised
> computers. I note that the scores on the messages are going up with time
> as they get listed in more and more of the BLs. At a guess chello.pl is
> having a problem delivering email anywhere in the world at the moment.
> Their user at 84.10.17.111 is certainly not delivering mail very many
> places. It's a "semi-clever" DoS against open spam sources.
> 


seems they switched to "News for john".

Re: hey john spam

Posted by jdow <jd...@earthlink.net>.
From: "MATSUDA Yoh-ichi" <yo...@flcl.org>

> Hello.
> 
> From: "John Fleming" <jo...@wa9als.com>
> Subject: hey john spam
> Date: Fri, 27 Jan 2006 19:48:03 -0500
> 
>> This is a new one for me.  Today I've received some mail with "hey john" in 
>> the subject, and the mail otherwise appears blank.  It didn't contain a 
>> virus, or it would've been discarded by ClamAV.
...
> I received 2 similar spams.
> Then, I wrote rules below:

I'm watching them still roll in and have developed a theory about them.
Suppose some "idiot" decides to play "white hat hacker" with a botnet
he managed to commandeer or a set of open relays he managed to discover.
So he sends these strange emails through those links with the intent of
effectively generating a DoS attack against the open relays or compromised
computers. I note that the scores on the messages are going up with time
as they get listed in more and more of the BLs. At a guess chello.pl is
having a problem delivering email anywhere in the world at the moment.
Their user at 84.10.17.111 is certainly not delivering mail very many
places. It's a "semi-clever" DoS against open spam sources.

{^_-}


Re: hey john spam

Posted by jdow <jd...@earthlink.net>.
From: "MATSUDA Yoh-ichi" <yo...@flcl.org>
> Hello.
> 
...
> I received 2 similar spams.
> Then, I wrote rules below:
...
And now the bozoid has fixed his program and there is real spam content
in the messages so they are getting caught quite neatly.

{^_-}


Re: hey john spam

Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello.

From: "John Fleming" <jo...@wa9als.com>
Subject: hey john spam
Date: Fri, 27 Jan 2006 19:48:03 -0500

> This is a new one for me.  Today I've received some mail with "hey john" in 
> the subject, and the mail otherwise appears blank.  It didn't contain a 
> virus, or it would've been discarded by ClamAV.
> 
> Are these familiar to you guys?  What's the point of them?  Headers of one 
> below:  Thanks!  - John
> 
> Return-Path: <fy...@fredonia.edu>
> X-Original-To: john@wa9als.com
> Delivered-To: john@wa9als.com
> Received: from ln (unknown [217.96.67.109])
>  by wa9als.com (Postfix) with SMTP id 4AD4D33E60D
>  for <jo...@wa9als.com>; Fri, 27 Jan 2006 16:54:33 -0500 (EST)
> Message-ID: <00...@ln>
> From: "Medeiros Pablo" <fy...@fredonia.edu>
> To: john@wa9als.com
> Subject: hey john
> Date:   Fri, 27 Jan 2006 22:58:47 -0800
> MIME-Version: 1.0
> Content-Type: multipart/related;
>  type="multipart/alternative";
>  boundary="----=_NextPart_000_000E_01C62395.3B540860"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.2180
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
> X-Virus-Status: No
> X-Virus-Checker-Version: Luke wa9als.com running clamassassin 1.2.1 with 
> ClamAV 0.88/1254/Fri Jan 27 12:22:39 2006 signatures 35.1254
> X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on Luke.wa9als.com
> X-Spam-Level: **
> X-Spam-Status: No, score=2.3 required=5.0 
> tests=BAYES_60,DATE_IN_FUTURE_06_12
>  autolearn=no version=3.0.3
> Status:
> X-Antivirus: AVG for E-mail 7.1.375 [267.14.23/243]
> 
> 

I received 2 similar spams.
Then, I wrote rules below:

#---
# Matches the Outlook Express skeleton of these messages in the raw ("full")
# text: an outer ------=_NextPart boundary, an inner multipart/alternative
# with the same boundary shape, and a text/plain Windows-1252 quoted-printable
# part up to the blank line that ends its headers. It pins the structure, not
# the absence of body text, so it is only a hint; with no score line
# SpamAssassin gives it the default 1.0.
full MULTIPART_EMPTY /(\r|\n){2}\-{6}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}(\r|\n)Content\-Type: multipart\/alternative\;(\r|\n)\tboundary=\"\-{4}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}\"(\r|\n){2,}\-{6}=_NextPart_\d{3}_\d{4}_\w{8}\.\w{8}(\r|\n)Content\-Type: text\/plain\;(\r|\n)\tcharset=\"Windows-1252\"(\r|\n)Content-Transfer-Encoding: quoted-printable(\r|\n){2,}/
describe MULTIPART_EMPTY Outlook Express multipart/alternative skeleton as seen in "hey <user>" mail

# The real weight comes from combining the skeleton with other signals.
meta MULTIEMPTY99 MULTIPART_EMPTY && BAYES_99
describe MULTIEMPTY99 Empty multipart skeleton and Bayes spam probability 99%
score MULTIEMPTY99 5.0

meta MULTIEMPTYFUTURE DATE_IN_FUTURE_06_12 && MULTIPART_EMPTY
describe MULTIEMPTYFUTURE Empty multipart skeleton and Date header 6 to 12 hours in the future
score MULTIEMPTYFUTURE 3.5
#---
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)