Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2006/11/17 12:48:41 UTC

Re: Spam surge tied to SpamThru Trojan botnet

Peter H. Lemieux writes:
>  From this article at eWeek:
> http://www.eweek.com/print_article2/0,1217,a=194218,00.asp
> 
> "The recent surge in e-mail spam hawking penny stocks and penis 
> enlargement pills is the handiwork of Russian hackers running a botnet 
> powered by tens of thousands of hijacked computers.
> 
> "Internet security researchers and law enforcement authorities have 
> traced the operation to a well-organized hacking gang controlling a 
> 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan."

Definitely.  As far as I can tell, the SpamThru upsurge: that's the
"FHARMACY economize more with http://URL" stuff -- is hitting
HDR_ORDER_FTSDMCXX*, MID_START_001C, and XBL and URIBL rules.

There's also another spammer who's creating another very large batch,
separately: the C*na Petroleum stock spammer, hitting RCVD_FORGED_WROTE
and TVD_STOCK1.

The two sets are quite distinct and on a large scale, and if you look at
the rules freqs by contributor, various people have massively differing
hitrates on their corpora.  For example, HDR_ORDER_FTSDMCXX3 (SpamThru
traffic) is 56% of Daryl's corpus, but only 3.4% of zmi's:

http://ruleqa.spamassassin.org/20061116-r475642-n/HDR_ORDER_FTSDMCXX3/detail#DETAILS_all_mass_check_date_rev_20061116_r475642_n

And RCVD_FORGED_WROTE, the stock spammer, is 6.3% of my corpus and
only 0.42% of Michael's:

http://ruleqa.spamassassin.org/20061116-r475642-n/RCVD_FORGED_WROTE/detail#DETAILS_all_mass_check_date_rev_20061116_r475642_n

Interesting.  Not quite sure what that implies though. ;)

--j.
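The per-contributor hit-rate comparison the post draws from the ruleqa pages, as an added example (not from the thread or the SpamAssassin project): constructed mass-check-style log lines are parsed, each contributor's spam hit rate per rule is computed, and rules whose rates diverge widely across corpora (as HDR_ORDER_FTSDMCXX3 and RCVD_FORGED_WROTE do above) are flagged. The log format, contributor names and counts are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines (flag, score, path, comma-separated rule hits): an assumed
# format modelled on mass-check output; names and counts are invented.
SAMPLE_LOGS = {
    "daryl": [
        "Y 12 spam/001 HDR_ORDER_FTSDMCXX3,MID_START_001C,URIBL_BLACK",
        "Y 10 spam/002 HDR_ORDER_FTSDMCXX3,XBL",
        "Y 11 spam/003 HDR_ORDER_FTSDMCXX3,MID_START_001C",
        "Y  9 spam/004 RCVD_FORGED_WROTE,TVD_STOCK1",
        ".  1 ham/001 URIBL_BLACK",  # ham line: not counted in spam rates
    ],
    "zmi": [
        "Y  9 spam/101 RCVD_FORGED_WROTE,TVD_STOCK1",
        "Y  9 spam/102 RCVD_FORGED_WROTE,TVD_STOCK1",
        "Y  7 spam/103 URIBL_BLACK",
        "Y 10 spam/104 HDR_ORDER_FTSDMCXX3,XBL",
    ],
}
LINE_RE = re.compile(r"^([Y.])\s+(-?\d+)\s+(\S+)\s+(\S*)")

def parse_line(line):
    """Return (is_spam, set_of_rule_names) for one log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable mass-check line: %r" % line)
    return m.group(1) == "Y", set(filter(None, m.group(4).split(",")))

def spam_hit_rates(logs):
    """Percent of each contributor's spam messages that hit each rule."""
    rates = {}
    for who, lines in logs.items():
        counts, n_spam = defaultdict(int), 0
        for line in lines:
            is_spam, rules = parse_line(line)
            if is_spam:
                n_spam += 1
                for rule in rules:
                    counts[rule] += 1
        rates[who] = {r: 100.0 * c / n_spam for r, c in counts.items()}
    return rates

def divergent_rules(rates, ratio=3.0):
    """Rules whose max/min hit rate across contributors is >= ratio (or min is 0)."""
    out = {}
    for rule in sorted(set().union(*(r.keys() for r in rates.values()))):
        per = {who: rates[who].get(rule, 0.0) for who in rates}
        lo, hi = min(per.values()), max(per.values())
        if lo == 0.0 or hi / lo >= ratio:
            out[rule] = per
    return out
```

A rule that is dominant in one corpus and nearly absent in another is a sign that the contributor corpora sample different spam streams, which is worth knowing before reading a rule's overall hit rate as representative.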