[Dshield] Spam Problem
brad.madison at mail.tds.net
Mon Jan 12 20:12:24 GMT 2004
At 07:47 PM 1/12/2004 +0100, you wrote:
>By "dropbox" I suppose you mean "reply address", as given by an
>intellectually handicapped spammer. Or one who imagines he's nothing to
>lose. Analogy would be where spies "drop" their data. Though that's
>stretching the analogy a bundle.
No, in this case I mean the addressee. The spammer sends himself a message
(or tries) through a candidate open relay IP. If it gets through he
concludes "I found an open relay." The address to which he sends is what
I'm calling the dropbox address.
I'm browsing through my collection: here's the one I'm looking at now:
Received: from 18.104.22.168 by xxxx.xxxx.xxx; Mon, 10 Mar 03 21:12 CST
Message-Id: <049050056046049048052046055048046049048 at armitage.kiev.ua>
Date: Mon, 10 Mar 2003 19:23:05 -0800
From: ccdc at ccdc.com.HK
Subject: The Saga Continues
To: jeraldw22 at ananzi.co.ZA   <--- The dropbox for this one
Content-Type: text/plain; charset="Windows-1252"
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
I hid the receiver name - but the IP is right there in the message so I hid
nothing. See it?
Here it is: Message-Id: <049050056046049048052046055048046049048
Now see it?
OK, let's do some substituting. "048" is "0" (it's just decimal ASCII),
and so on.
128.104 etc. I'm cheating: I know it by heart. But it's there.
The spammer encodes the source in the body of the message, along with some
additional info. Same code. Some spammers recode the body after the first
step, replacing "0" with "a," etc.
Some put the IPs in the body in a positional plus-1 code:
That came from 22.214.171.124
Received: from adsl-67-121-201-12.dsl.sndg02.pacbell.net by xxxx.xxxx.xxxx;
Thu, 13 Mar 03 22:18 CST
(9 + 1 = :, in this code.)
The receiving IP in question now has no SMTP receiver, so I'm not giving
anything away. I could have munged.
The spammers just grep the received email for the trigger string and then
extract the IPs that did relay. There is a spammer in Taiwan who sends
spam to be relayed just because you accept the relay test: he doesn't wait
for receipt. It looks like most other spammers work from the received
My "reply address" story is also interesting.
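The decoding described in the post, written up as a small detector that a mail administrator could run over suspect headers and bodies. This is an added example, not code from the post or from the DShield list. It assumes three things the post does not spell out: that "decimal ASCII" means fixed three-digit codes (so "049" is "1"), that the "replacing '0' with 'a', etc." recoding maps the digits 0-9 onto the letters a-j in order, and that the "plus-1" code shifts every character by one code point (so "9" becomes ":" as the post says, and "." becomes "/"). The sample message is constructed, modelled on the headers quoted above, with a documentation address (RFC 5737) in the Received line.

```python
"""Spot open-relay probe messages that carry the relay's own IP address
encoded in the Message-Id or body, as described in the post."""
import re
from email.parser import Parser
from typing import Dict, List, Optional

# Constructed sample, modelled on the headers quoted in the post.
SAMPLE_MESSAGE = """\
Received: from 192.0.2.10 by mx.example.invalid; Mon, 10 Mar 03 21:12 CST
Message-Id: <049050056046049048052046055048046049048@armitage.kiev.ua>
Date: Mon, 10 Mar 2003 19:23:05 -0800
From: ccdc@ccdc.com.HK
Subject: The Saga Continues
To: jeraldw22@ananzi.co.ZA
Content-Type: text/plain; charset="Windows-1252"

hello
"""

# A dotted quad embedded in free text.
IPV4_IN_TEXT = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
# Assumed plus-1 form of a dotted quad: digits become 1-9 or ':', '.' becomes '/'.
PLUS1_IPV4 = re.compile(r"(?<![1-9:])(?:[1-9:]{1,3}/){3}[1-9:]{1,3}(?![1-9:])")
# Assumed letter recoding of the digit triplets: a=0, b=1, ..., j=9.
LETTER_DIGITS = {chr(ord("a") + n): str(n) for n in range(10)}


def is_ipv4(s: str) -> bool:
    """True for a well-formed dotted quad with every octet in 0..255."""
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def decode_triplets(digits: str) -> Optional[str]:
    """'049050056' -> '128': each group of three digits is one decimal ASCII
    code. Returns None when the length is not a multiple of three or a code is
    outside printable ASCII, so random digit runs are rejected."""
    if not digits or len(digits) % 3:
        return None
    chars = []
    for i in range(0, len(digits), 3):
        code = int(digits[i:i + 3])
        if not 32 <= code < 127:
            return None
        chars.append(chr(code))
    return "".join(chars)


def decode_letter_digits(text: str) -> str:
    """Undo the assumed a..j -> 0..9 recoding, leaving other characters alone."""
    return "".join(LETTER_DIGITS.get(c, c) for c in text)


def decode_plus1(text: str) -> str:
    """Undo the assumed plus-1 shift: every character moves back one code point."""
    return "".join(chr(ord(c) - 1) for c in text)


def find_encoded_ips(text: str) -> List[str]:
    """Return every IPv4 address recoverable from text by the three encodings.
    The smallest dotted quad ('1.1.1.1') is 7 characters, i.e. 21 triplet digits,
    so shorter runs are never candidates."""
    hits: List[str] = []
    # 1. Decimal ASCII triplets written as plain digits (the Message-Id trick).
    for run in re.findall(r"\d{21,}", text):
        decoded = decode_triplets(run)
        if decoded:
            hits += [ip for ip in IPV4_IN_TEXT.findall(decoded) if is_ipv4(ip)]
    # 2. The same triplets after the digits were recoded as letters a..j.
    for run in re.findall(r"[a-j]{21,}", text):
        decoded = decode_triplets(decode_letter_digits(run))
        if decoded:
            hits += [ip for ip in IPV4_IN_TEXT.findall(decoded) if is_ipv4(ip)]
    # 3. A dotted quad shifted by one code point.
    for run in PLUS1_IPV4.findall(text):
        ip = decode_plus1(run)
        if is_ipv4(ip):
            hits.append(ip)
    return hits


def scan_message(raw: str) -> Dict[str, List[str]]:
    """Decode the Message-Id header and the body of one RFC 822 message."""
    msg = Parser().parsestr(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "message_id": find_encoded_ips(msg.get("Message-Id", "")),
        "body": find_encoded_ips(body if isinstance(body, str) else ""),
    }


if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))  # {'message_id': ['128.104.70.10'], 'body': []}
```

A hit in the Message-Id of a message whose To: address is not one of your users is a strong sign the message was a relay probe, and the decoded address tells you which of your hosts the prober believed it was testing.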