Posted to users@spamassassin.apache.org by Giampaolo Tomassoni <g....@libero.it> on 2007/02/19 15:21:10 UTC
Spamtrap detectors?
I'm getting lots of messages like the following one:
Hi
How are you ? Call me.
who are free to come
Poor you, i don't even think how much spam you are recive.
front of get-smart
6879____________________________________3379
They are all directed to a nonexistent mailbox in most of the domains I have on my servers (catchthismail@______.__).
I followed their implicit instructions by opening my MTA to catchthismail@* and redirecting them all to my spamtrap engine (which requires 0 human-intervention time, by the way).
Are they spamtrap-detecting messages (see the partially masked code), Bayes poisoners (the last text line often changes), a spammer exploding in a supernova, or all of the above?
Thanks,
-----------------------------------
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
NEVER send an e-mail to:
rainbowl@tomassoni.eu
RE: Spamtrap detectors?
Posted by Giampaolo Tomassoni <g....@libero.it>.
From: Jason Heiser [mailto:jason@heiser.org]
> Subject: Re: Spamtrap detectors?
>
> I have a wildcard for my domain (*@heiser.org) and I've received
> three of these today. Here's an example of one:
>
> > Return-Path: <bo...@rccchurch.org>
> > Received: from murder ([unix socket])
> > by kubrick.heiser.org (Cyrus v2.2.12-OS X 10.3) with LMTPA;
> > Mon, 19 Feb 2007 17:46:29 -0600
> > X-Sieve: CMU Sieve 2.2
> > Received: from localhost (localhost [127.0.0.1])
> > by kubrick.heiser.org (Postfix) with ESMTP id BB3E3278BE5
> > for <ja...@kubrick.heiser.org>; Mon, 19 Feb 2007 23:46:28 +0000 (GMT)
> > X-Virus-Scanned: amavisd-new at heiser.org
> > X-Spam-Score: 0
> > X-Spam-Level:
> > X-Spam-Status: No, score=0 required=5 tests=[none]
> > Received: from kubrick.heiser.org ([127.0.0.1])
> > by localhost (kubrick.heiser.org [127.0.0.1]) (amavisd-new, port
> > 10024)
> > with ESMTP id FcwCXEyXZqMa for <ja...@kubrick.heiser.org>;
> > Mon, 19 Feb 2007 17:46:20 -0600 (CST)
> > Received: from beta.gntech.pl (unknown [82.114.186.89])
> > by kubrick.heiser.org (Postfix) with ESMTP id F0265278BD6
> > for <he...@heiser.org>; Mon, 19 Feb 2007 17:46:18 -0600 (CST)
> > Received: from rccchurch.org (HELO rccchurch.org) ([66.84.15.246])
> > by t5sc9.rccchurch.org with ESMTP id ; Fri, 9 Sep 2005 13:52:51
> > -0180
> > Received: from pb.dmu.ac.uk ([124.132.49.137])
> > by x1gpo.dna.com.br (Sun Java System Messaging Server 6.1 HotFix
> > 0.07 (built
> > Jul 9 2006)) with ESMTP id
> > <d4...@178.216.98.114.dna.com.br> for
> > helloitmenice@heiser.org; Fri, 9 Sep 2005 13:52:51 -0180 (IST)
> > Date: Fri, 9 Sep 2005 13:52:51 -0180
> > From: "Leighna Hordatt" <bo...@rccchurch.org>
> > To: <he...@heiser.org>
> > Subject: Leighna.
> > Message-ID: <C8...@rccchurch.org>
> > MIME-Version: 1.0
> > Content-Type: text/plain; charset="us-ascii"
> > Content-Transfer-Encoding: quoted-printable
> >
> > Hi
> > How are you ? Call me.
> > activities
> > Poor you, i don't even think how much spam you are recive.
> > Gervasio said her
> > 6D7174796A6E6A6D6E6A33776A716E727368456A7877746C
>
> So the prevailing theory is that these messages are attempts to find
> domains that can be abused for sender address forgery? I wonder how
> these wretched villains (spammers) are tracking this. Do you think
> they're sitting on compromised mail servers and earmarking domains
> from which they receive "250 OK" for obviously non-existent e-mail
> addresses?
Right.
My own thought about these messages is that they carry unique content, so the spammers may just wait for a bounce message. They could eventually remove from their lists the servers for which they got a bounce because the message is very short and can easily fit in a DSN (with its unique code).
Messages not triggering a DSN may easily be either wildcarded or misconfigured, which means the domains they host may be used for From: forgery and/or they may be inspected to see if they can act as open proxies, you never know...
I did let these messages in and reported them to dcc, razor, pyzor and spamcop. When the flow stopped, I simply removed the catchthismail@ wildcard from my MXes. If they are going to forge addresses from one of my domains, they would get surprised... :)
Giampaolo
> Jason Heiser
> HEISER.ORG POSTMASTER
Re: Spamtrap detectors?
Posted by Jason Heiser <ja...@heiser.org>.
I have a wildcard for my domain (*@heiser.org) and I've received
three of these today. Here's an example of one:
> Return-Path: <bo...@rccchurch.org>
> Received: from murder ([unix socket])
> by kubrick.heiser.org (Cyrus v2.2.12-OS X 10.3) with LMTPA;
> Mon, 19 Feb 2007 17:46:29 -0600
> X-Sieve: CMU Sieve 2.2
> Received: from localhost (localhost [127.0.0.1])
> by kubrick.heiser.org (Postfix) with ESMTP id BB3E3278BE5
> for <ja...@kubrick.heiser.org>; Mon, 19 Feb 2007 23:46:28 +0000 (GMT)
> X-Virus-Scanned: amavisd-new at heiser.org
> X-Spam-Score: 0
> X-Spam-Level:
> X-Spam-Status: No, score=0 required=5 tests=[none]
> Received: from kubrick.heiser.org ([127.0.0.1])
> by localhost (kubrick.heiser.org [127.0.0.1]) (amavisd-new, port
> 10024)
> with ESMTP id FcwCXEyXZqMa for <ja...@kubrick.heiser.org>;
> Mon, 19 Feb 2007 17:46:20 -0600 (CST)
> Received: from beta.gntech.pl (unknown [82.114.186.89])
> by kubrick.heiser.org (Postfix) with ESMTP id F0265278BD6
> for <he...@heiser.org>; Mon, 19 Feb 2007 17:46:18 -0600 (CST)
> Received: from rccchurch.org (HELO rccchurch.org) ([66.84.15.246])
> by t5sc9.rccchurch.org with ESMTP id ; Fri, 9 Sep 2005 13:52:51
> -0180
> Received: from pb.dmu.ac.uk ([124.132.49.137])
> by x1gpo.dna.com.br (Sun Java System Messaging Server 6.1 HotFix
> 0.07 (built
> Jul 9 2006)) with ESMTP id
> <d4...@178.216.98.114.dna.com.br> for
> helloitmenice@heiser.org; Fri, 9 Sep 2005 13:52:51 -0180 (IST)
> Date: Fri, 9 Sep 2005 13:52:51 -0180
> From: "Leighna Hordatt" <bo...@rccchurch.org>
> To: <he...@heiser.org>
> Subject: Leighna.
> Message-ID: <C8...@rccchurch.org>
> MIME-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> Hi
> How are you ? Call me.
> activities
> Poor you, i don't even think how much spam you are recive.
> Gervasio said her
> 6D7174796A6E6A6D6E6A33776A716E727368456A7877746C
So the prevailing theory is that these messages are attempts to find
domains that can be abused for sender address forgery? I wonder how
these wretched villains (spammers) are tracking this. Do you think
they're sitting on compromised mail servers and earmarking domains
from which they receive "250 OK" for obviously non-existent e-mail
addresses?
Jason Heiser
HEISER.ORG POSTMASTER
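The header chain Jason posted and the bounce-correlation theory in Giampaolo's reply point at things a postmaster can check mechanically before deciding what to do with such a message: whether the recipient exists only because of a catch-all, whether the last body line is a per-message unique token that would survive inside a DSN, and whether the forged Received chain is internally inconsistent (a zone offset such as -0180 that no clock can produce, hop dates a year and a half older than the local MX's own stamp). The following Python script is an added example written for this page; it is not SpamAssassin code and was not posted in the thread. The message it parses is constructed from the posted sample with example.org/example.net placeholder addresses, and the KNOWN_MAILBOXES set, the 30-day skew limit and the 20-character token length are hypothetical thresholds a site would tune.

```python
"""Triage heuristics for catch-all probe messages (added example, not SpamAssassin code).

Checks, on one raw RFC 5322 message:
  * the recipient local-part is not a provisioned mailbox (only a catch-all accepts it)
  * the last body line is a long hex/underscore token (the per-message unique code)
  * a Received stamp carries an impossible zone offset (minutes > 59 or hours > 14)
  * earlier hops are dated far before our own MX's Received stamp
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the thread's headers; every address is a placeholder.
SAMPLE = """Return-Path: <probe-sender@example.org>
Received: from localhost (localhost [127.0.0.1])
\tby mx.example.net (Postfix) with ESMTP id 0000000000
\tfor <catchthismail@example.net>; Mon, 19 Feb 2007 17:46:18 -0600 (CST)
Received: from relay.example.org (HELO relay.example.org) ([192.0.2.10])
\tby mx.example.org with ESMTP id ; Fri, 9 Sep 2005 13:52:51 -0180
Received: from host.example.com ([198.51.100.7])
\tby mail.example.com with ESMTP id <x@mail.example.com> for
\tcatchthismail@example.net; Fri, 9 Sep 2005 13:52:51 -0180 (IST)
Date: Fri, 9 Sep 2005 13:52:51 -0180
From: "Someone" <probe-sender@example.org>
To: <catchthismail@example.net>
Subject: hello.
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hi
How are you ? Call me.
activities
Poor you, i don't even think how much spam you are recive.
Gervasio said her
6D7174796A6E6A6D6E6A33776A716E727368456A7877746C
"""

# Hypothetical list of mailboxes that really exist on this domain.
KNOWN_MAILBOXES = {"postmaster", "abuse", "alice", "bob"}

TOKEN_RE = re.compile(r"[0-9A-Fa-f_]{20,}")               # hex digits and underscores only
OFFSET_RE = re.compile(r"([+-])(\d{2})(\d{2})(?=\s|$)")   # the +hhmm / -hhmm zone field


def received_dates(msg):
    """Date part (text after the last ';') of each Received header, topmost first."""
    dates = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold the header
        if ";" in flat:
            dates.append(flat.rsplit(";", 1)[1].strip())
    return dates


def offset_is_valid(date_text):
    """True if the numeric zone offset is one a real clock could produce."""
    m = OFFSET_RE.search(date_text)
    if m is None:
        return False
    hours, minutes = int(m.group(2)), int(m.group(3))
    return minutes <= 59 and hours <= 14


def date_skew_days(date_texts):
    """Largest number of days any earlier hop is dated before the topmost stamp."""
    stamps = []
    for text in date_texts:
        try:
            dt = parsedate_to_datetime(text)
        except (TypeError, ValueError):
            continue
        if dt.tzinfo is not None:          # naive stamps cannot be compared safely
            stamps.append(dt)
    if len(stamps) < 2:
        return 0.0
    top = stamps[0]
    return max((top - dt).total_seconds() / 86400 for dt in stamps[1:])


def find_tracking_token(body):
    """The last non-empty body line if it looks like a unique tracking code, else None."""
    for line in reversed(body.splitlines()):
        line = line.strip()
        if line:
            return line if TOKEN_RE.fullmatch(line) else None
    return None


def analyse(raw, known_mailboxes=KNOWN_MAILBOXES, max_skew_days=30):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []

    local_part = parseaddr(msg.get("To", ""))[1].split("@")[0].lower()
    if local_part and local_part not in known_mailboxes:
        findings.append(f"recipient {local_part!r} exists only because of the catch-all")

    body = msg.get_payload(decode=True).decode("us-ascii", "replace")
    token = find_tracking_token(body)
    if token:
        findings.append(f"body ends with a unique token: {token}")

    dates = received_dates(msg)
    for text in dates:
        if not offset_is_valid(text):
            findings.append(f"impossible zone offset in Received stamp: {text}")

    skew = date_skew_days(dates)
    if skew > max_skew_days:
        findings.append(f"earlier hops are dated {skew:.0f} days before our own stamp")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("-", finding)
```

Run against the constructed sample it reports all four signals; a message that trips several of them at once is a reasonable candidate for the trap or for sa-learn, while a single hit (a stale date alone, say) is common in legitimate mail relayed through a mis-set clock and should not be acted on by itself.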
Re: Spamtrap detectors?
Posted by ma...@mattstone.net.
On Mon, Feb 19, 2007 at 03:21:10PM +0100, Giampaolo Tomassoni wrote:
> I'm getting lots of messages like the following one:
>
> Hi
> How are you ? Call me.
> who are free to come
> Poor you, i don't even think how much spam you are recive.
> front of get-smart
> 6879____________________________________3379
I have been getting the same emails; a few got through SpamAssassin and
I just gave them to sa-learn.
Thing is, though, I really don't see the point in sending spam like this, and
only to the same user @ lots of domains. Is it to try and make people
go to the domain where the emails are from, or just to annoy people? Or is it
just a... see if I can spam everybody thing, lol
>
> They are all directed to a nonexistent mailbox in most of the domains I have on my servers (catchthismail@______.__).
>
> I followed their implicit instructions by opening my MTA to catchthismail@* and redirecting them all to my spamtrap engine (which requires 0 human-intervention time, by the way).
>
> Are they spamtrap-detecting messages (see the partially masked code), Bayes poisoners (the last text line often changes), a spammer exploding in a supernova, or all of the above?
>
> Thanks,
>
> -----------------------------------
> Giampaolo Tomassoni - IT Consultant
> Piazza VIII Aprile 1948, 4
> I-53044 Chiusi (SI) - Italy
> Ph: +39-0578-21100
>
> NEVER send an e-mail to:
> rainbowl@tomassoni.eu