Posted to users@spamassassin.apache.org by Kevin Parris <kp...@ed.sc.gov> on 2008/07/29 16:38:46 UTC

mysterious spam - what is this trying to do?

Sample posted here:   http://pastebin.com/m7d993dc7

Have seen several similar to this, the message contains only random words, no images, no web links.  What's the point? It's not advertising, or trying to lure victims to a site, or carrying any payload.  Commentary anyone?

Re: mysterious spam - what is this trying to do?

Posted by Gene Heskett <ge...@verizon.net>.
On Tuesday 29 July 2008, Yet Another Ninja wrote:
>On 7/29/2008 4:38 PM, Kevin Parris wrote:
>> Sample posted here:   http://pastebin.com/m7d993dc7
>>
>> Have seen several similar to this, the message contains only random
>> words, no images, no web links.  What's the point? It's not
>> advertising, or trying to lure victims to a site, or carrying any
>> payload.  Commentary anyone?
>
>1- possible broken templates so the spam is missing something.
>2- hashbusters in hope of polluting Bayes and rendering hash based filters
>useless - "in hope" coz it doesn't work as "they" expect .-)

I would almost argue that, as Bayes poison, it might be working; it seems to me 
that either the Viagra ads are getting more prolific, or more of them are now 
getting by SA.  A month ago maybe 10 a day got past; now it's pushing 30.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Oblivion together does not frighten me, beloved.
		-- Thalassa (in Anne Mulhall's body), "Return to Tomorrow",
		   stardate 4770.3.

Re: mysterious spam - what is this trying to do?

Posted by Yet Another Ninja <sa...@alexb.ch>.
On 7/29/2008 4:38 PM, Kevin Parris wrote:
> Sample posted here:   http://pastebin.com/m7d993dc7
> 
> Have seen several similar to this, the message contains only random
> words, no images, no web links.  What's the point? It's not
> advertising, or trying to lure victims to a site, or carrying any
> payload.  Commentary anyone?
> 

1- possible broken templates so the spam is missing something.
2- hashbusters in hope of polluting Bayes and rendering hash based filters 
useless - "in hope" coz it doesn't work as "they" expect .-)


Re: mysterious spam - what is this trying to do?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote:

> Yes. And also, in any war, consider resource usage.
> A simple example: Spammer at any given time may have access to a number 
> of DNSRBL listed bots, and a number of unlisted bots. With an 
> understanding of how ISP handles filtering based on a given DNSRBL, 
> spammer may choose a certain delivery pattern.

Oh, so THAT is why botnets check RBLs and prevent sending out massive
amounts of spam from RBL listed zombies, like Spamhaus XPL and PBL.
Right, I don't get any of these...  </sarcasm>

So spammers are checking RBLs, eh? Reality seems to be more like sending
anyway, in the hope some of them get through.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: mysterious spam - what is this trying to do?

Posted by Ken A <ka...@pacific.net>.
ram wrote:
> On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote:
>> Arvid Ephraim Picciani wrote:
>>> On Wednesday 30 July 2008 00:55:50 mouss wrote:
>>>> Ken A wrote:
>>>>> Can be a probe too. Accepting mail from that IP with that content says
>>>>> something about your system. Spammers aren't stupid. They fingerprint us
>>>>> just like we fingerprint them.
>>>> If I was a spammer, I don't see why I would probe you. I understand if
>>>> it's filter poisoning, but probing to see if the message will be
>>>> accepted is useless. they can just send their spam. if you reject it,
>>>> others will accept it, and some will read it, which is exactly what they
>>>> want to achieve.
>>> No. Some spammers are a lot more clever than that. 
>>> Especially if you sell lists, you usually make sure they are high quality.
>>> This is a low volume probe. Probably to clean out harvested lists.
>>>
>>> - They are probing for wrong addresses 
>>>   (This is why returning 550 imho makes sense and greylisting does not)
>>> - They are probing for backscatterer
>>>   All mails would have the same From address, envelope, and helo
>>>   of a compromised mailserver. 
>>> - They are probing for spamtraps.
>>>   Bigger ISPs can probably detect that best, 
>>>   since the mails would have a pattern.
>>>
>>> Of course there is always the possibility that the ratware is simply broken. 
>>> shit happens :P
>>>
>> Yes. And also, in any war, consider resource usage.
>> A simple example: Spammer at any given time may have access to a number 
>> of DNSRBL listed bots, and a number of unlisted bots. With an 
>> understanding of how ISP handles filtering based on a given DNSRBL, 
>> spammer may choose a certain delivery pattern.
> 
> 
> How does the spammer come to know his mail is delivered and not
> quarantined / deleted / or spam tagged?
> 


If it's a yahoo, google or other freemail address, that's not too hard 
to figure out, is it? If it's another email provider, who knows.. many 
providers document their anti-spam approach, use very informative bounce 
messages, or use easily identifiable products that have certain 
behaviors. It certainly isn't possible to learn everything from a probe 
email, but it's worth thinking about, imho. Of course we don't want to 
give them any ideas either!

Ken

> 
> 
> 


-- 
Ken Anderson
Pacific.Net


Re: mysterious spam - what is this trying to do?

Posted by ram <ra...@netcore.co.in>.
On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote:
> Arvid Ephraim Picciani wrote:
> > On Wednesday 30 July 2008 00:55:50 mouss wrote:
> >> Ken A wrote:
> >>> Can be a probe too. Accepting mail from that IP with that content says
> >>> something about your system. Spammers aren't stupid. They fingerprint us
> >>> just like we fingerprint them.
> >> If I was a spammer, I don't see why I would probe you. I understand if
> >> it's filter poisoning, but probing to see if the message will be
> >> accepted is useless. they can just send their spam. if you reject it,
> >> others will accept it, and some will read it, which is exactly what they
> >> want to achieve.
> > 
> > No. Some spammers are a lot more clever than that. 
> > Especially if you sell lists, you usually make sure they are high quality.
> > This is a low volume probe. Probably to clean out harvested lists.
> > 
> > - They are probing for wrong addresses 
> >   (This is why returning 550 imho makes sense and greylisting does not)
> > - They are probing for backscatterer
> >   All mails would have the same From address, envelope, and helo
> >   of a compromised mailserver. 
> > - They are probing for spamtraps.
> >   Bigger ISPs can probably detect that best, 
> >   since the mails would have a pattern.
> > 
> > Of course there is always the possibility that the ratware is simply broken. 
> > shit happens :P
> > 
> 
> Yes. And also, in any war, consider resource usage.
> A simple example: Spammer at any given time may have access to a number 
> of DNSRBL listed bots, and a number of unlisted bots. With an 
> understanding of how ISP handles filtering based on a given DNSRBL, 
> spammer may choose a certain delivery pattern.


How does the spammer come to know his mail is delivered and not
quarantined / deleted / or spam tagged?





Re: mysterious spam - what is this trying to do?

Posted by Ken A <ka...@pacific.net>.
Arvid Ephraim Picciani wrote:
> On Wednesday 30 July 2008 00:55:50 mouss wrote:
>> Ken A wrote:
>>> Can be a probe too. Accepting mail from that IP with that content says
>>> something about your system. Spammers aren't stupid. They fingerprint us
>>> just like we fingerprint them.
>> If I was a spammer, I don't see why I would probe you. I understand if
>> it's filter poisoning, but probing to see if the message will be
>> accepted is useless. they can just send their spam. if you reject it,
>> others will accept it, and some will read it, which is exactly what they
>> want to achieve.
> 
> No. Some spammers are a lot more clever than that. 
> Especially if you sell lists, you usually make sure they are high quality.
> This is a low volume probe. Probably to clean out harvested lists.
> 
> - They are probing for wrong addresses 
>   (This is why returning 550 imho makes sense and greylisting does not)
> - They are probing for backscatterer
>   All mails would have the same From address, envelope, and helo
>   of a compromised mailserver. 
> - They are probing for spamtraps.
>   Bigger ISPs can probably detect that best, 
>   since the mails would have a pattern.
> 
> Of course there is always the possibility that the ratware is simply broken. 
> shit happens :P
> 

Yes. And also, in any war, consider resource usage.
A simple example: Spammer at any given time may have access to a number 
of DNSRBL listed bots, and a number of unlisted bots. With an 
understanding of how ISP handles filtering based on a given DNSRBL, 
spammer may choose a certain delivery pattern.

Ken


-- 
Ken Anderson
Pacific.Net


Re: mysterious spam - what is this trying to do?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2008-07-30 at 01:31 +0200, Arvid Ephraim Picciani wrote:

> No. Some spammers are a lot more clever than that. 
> Especially if you sell lists, you usually make sure they are high quality.
> This is a low volume probe. Probably to clean out harvested lists.

What makes you believe this is low volume? It's not the highest volume I
am seeing right now, but it isn't particularly low volume either.

Also, according to $something that pretty much has evolved into a spam
trap, they are *not* cleaning out *harvested* lists. I do see a lot of
recipient addresses which can not possibly have been harvested.


> Of course there is always the possibility that the ratware is simply broken. 
> shit happens :P

Yup.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: mysterious spam - what is this trying to do?

Posted by mouss <mo...@netoyen.net>.
Arvid Ephraim Picciani wrote:
> On Wednesday 30 July 2008 00:55:50 mouss wrote:
>> Ken A wrote:
>>> Can be a probe too. Accepting mail from that IP with that content says
>>> something about your system. Spammers aren't stupid. They fingerprint us
>>> just like we fingerprint them.
>> If I was a spammer, I don't see why I would probe you. I understand if
>> it's filter poisoning, but probing to see if the message will be
>> accepted is useless. they can just send their spam. if you reject it,
>> others will accept it, and some will read it, which is exactly what they
>> want to achieve.
> 
> No.


Is this "No, I have evidence that you are wrong" or "No, I don't think so"?


> Some spammers are a lot more clever than that. 

this doesn't make them clever. sending easy to catch junk will not help 
them.

> Especially if you sell lists, you usually make sure they are high quality.

really? that's new to me... come on. do you want my postfix logs? more 
than half are \d{5}.*@$mydomain (bogus message-id harvesting and 
phone-style address attempt).

> This is a low volume probe. Probably to clean out harvested lists.

I am not seeing that. if you have evidence, please share it. if it's 
just your opinion, please make this clear.

> 
> - They are probing for wrong addresses 
>   (This is why returning 550 imho makes sense and greylisting does not)

ahuh? and why so?

> - They are probing for backscatterer
>   All mails would have the same From address, envelope, and helo
>   of a compromised mailserver. 
> - They are probing for spamtraps.
>   Bigger ISPs can probably detect that best, 
>   since the mails would have a pattern.
> 
> Of course there is always the possibility that the ratware is simply broken. 
> shit happens :P


That's what I believe. this resembles old junk that I used to see where 
the message was "obviously" truncated and/or random variables not expanded.


Re: mysterious spam - what is this trying to do?

Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Wednesday 30 July 2008 00:55:50 mouss wrote:
> Ken A wrote:
> > Can be a probe too. Accepting mail from that IP with that content says
> > something about your system. Spammers aren't stupid. They fingerprint us
> > just like we fingerprint them.
>
> If I was a spammer, I don't see why I would probe you. I understand if
> it's filter poisoning, but probing to see if the message will be
> accepted is useless. they can just send their spam. if you reject it,
> others will accept it, and some will read it, which is exactly what they
> want to achieve.

No. Some spammers are a lot more clever than that. 
Especially if you sell lists, you usually make sure they are high quality.
This is a low volume probe. Probably to clean out harvested lists.

- They are probing for wrong addresses 
  (This is why returning 550 imho makes sense and greylisting does not)
- They are probing for backscatterer
  All mails would have the same From address, envelope, and helo
  of a compromised mailserver. 
- They are probing for spamtraps.
  Bigger ISPs can probably detect that best, 
  since the mails would have a pattern.

Of course there is always the possibility that the ratware is simply broken. 
shit happens :P

-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani

Re: mysterious spam - what is this trying to do?

Posted by mouss <mo...@netoyen.net>.
Ken A wrote:
> Can be a probe too. Accepting mail from that IP with that content says 
> something about your system. Spammers aren't stupid. They fingerprint us 
> just like we fingerprint them.

If I was a spammer, I don't see why I would probe you. I understand if 
it's filter poisoning, but probing to see if the message will be 
accepted is useless. they can just send their spam. if you reject it, 
others will accept it, and some will read it, which is exactly what they 
want to achieve.



Re: mysterious spam - what is this trying to do?

Posted by Ken A <ka...@pacific.net>.
Can be a probe too. Accepting mail from that IP with that content says 
something about your system. Spammers aren't stupid. They fingerprint us 
just like we fingerprint them.
Ken
Pacific.Net


Karsten Bräckelmann wrote:
> Please do NOT *reply* to a mail, if you start a new thread. Changing the
> Subject and removing the quoted text does not make it a new mail. It
> still is a reply. You just hijacked an unrelated thread.
> 
> 
> On Tue, 2008-07-29 at 10:38 -0400, Kevin Parris wrote:
>> Sample posted here:   http://pastebin.com/m7d993dc7
>>  
>> Have seen several similar to this, the message contains only random
>> words, no images, no web links.  What's the point? It's not
>> advertising, or trying to lure victims to a site, or carrying any
>> payload.  Commentary anyone?
> 
> It is most likely just horribly broken. These have been rather common for a
> few days.
> 
> The weird X-Header-CompanyDBUserName: header is entirely static. As is
> the X-Mailer: header. The other X-Header-* headers likely aren't
> intended to be sent either. The first Received: is utterly broken (IP
> with 18-digit numbers).
> 
> Even the body is pretty static. The words are random (including length),
> but the punctuation and whitespace of the body is static again.
> 
> 
> I guess it should be rather safe to catch these based on the headers, if
> you have problems detecting them otherwise.
> 
>   guenther
> 
> 


-- 
Ken Anderson
Pacific.Net


Re: mysterious spam - what is this trying to do?

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
Please do NOT *reply* to a mail, if you start a new thread. Changing the
Subject and removing the quoted text does not make it a new mail. It
still is a reply. You just hijacked an unrelated thread.


On Tue, 2008-07-29 at 10:38 -0400, Kevin Parris wrote:
> Sample posted here:   http://pastebin.com/m7d993dc7
>  
> Have seen several similar to this, the message contains only random
> words, no images, no web links.  What's the point? It's not
> advertising, or trying to lure victims to a site, or carrying any
> payload.  Commentary anyone?

It is most likely just horribly broken. These have been rather common for a
few days.

The weird X-Header-CompanyDBUserName: header is entirely static. As is
the X-Mailer: header. The other X-Header-* headers likely aren't
intended to be sent either. The first Received: is utterly broken (IP
with 18-digit numbers).

Even the body is pretty static. The words are random (including length),
but the punctuation and whitespace of the body is static again.


I guess it should be rather safe to catch these based on the headers, if
you have problems detecting them otherwise.

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
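As an added illustration of the signals guenther describes above (this is example code, not anything from the thread, the pastebin sample, or SpamAssassin itself): the script parses a constructed message that mimics the described pattern, flags a Received: line whose address has an octet longer than three digits, lists the stray X-Header-* fields, and shows that two bodies with different random words collapse to the same punctuation skeleton, which is what makes a static-template filter possible. All header values, addresses and words are constructed.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample (not the pastebin message) modelled on the thread's
# description: static X-Mailer / X-Header-* headers, a Received: line whose
# "IP" carries an impossibly long digit run, random words, fixed punctuation.
HEADERS = """\
Received: from host.example.invalid ([123456789012345678.10.20.30])
\tby mx.example.invalid with SMTP; Tue, 29 Jul 2008 10:38:46 -0400
From: sender@example.invalid
To: user@example.invalid
Subject: sample
X-Mailer: StaticMailer 1.0
X-Header-CompanyDBUserName: dbuser
X-Header-Template: unexpanded

"""
BODY_A = "Plover quince, bramble ostrich. Lantern fjord; vellum quartz.\n"
BODY_B = "Gable thimble, saffron kestrel. Marrow isthmus; tundra quill.\n"

def parse(raw: str) -> Message:
    return message_from_string(raw)

def bogus_received_ip(msg: Message) -> bool:
    """True if any Received: header has a dotted quad with an octet longer
    than three digits, which no real IPv4 address can have."""
    quad = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")
    for received in msg.get_all("Received", []):
        for match in quad.finditer(received):
            if any(len(octet) > 3 for octet in match.groups()):
                return True
    return False

def template_headers(msg: Message) -> list[str]:
    """Names of X-Header-* fields: they read like unexpanded template
    slots rather than headers a mailer means to send."""
    return sorted({k for k in msg.keys() if k.lower().startswith("x-header-")})

def body_skeleton(body: str) -> str:
    """Replace each run of letters with 'w', keeping punctuation and
    whitespace, so bodies that differ only in word choice compare equal."""
    return re.sub(r"[^\W\d_]+", "w", body)

def classify(raw: str, known_skeleton: str) -> dict:
    """Collect the three signals for one raw message."""
    msg = parse(raw)
    return {
        "bogus_received_ip": bogus_received_ip(msg),
        "template_headers": template_headers(msg),
        "skeleton_match": body_skeleton(msg.get_payload()) == known_skeleton,
    }

if __name__ == "__main__":
    print(classify(HEADERS + BODY_B, body_skeleton(BODY_A)))
```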