[Dshield] Spam Problem

Brad Spencer brad.madison at mail.tds.net
Mon Jan 12 20:12:24 GMT 2004


At 07:47 PM 1/12/2004 +0100, you wrote:

>By "dropbox" I suppose you mean "reply address", as given by an
>intellectually handicapped spammer. Or one who imagines he's nothing to
>lose. Analogy would be where spies "drop" their data. Though that's
>stretching the analogy a bundle.

No, in this case I mean the addressee.  The spammer sends himself a message 
(or tries) through a candidate open relay IP.  If it gets through he 
concludes "I found an open relay."  The address to which he sends is what 
I'm calling the dropbox address.

I'm browsing through my collection: here's the one I'm looking at now:


Received: from 67.227.10.103 by xxxx.xxxx.xxx; Mon, 10 Mar 03 21:12 CST
Message-Id: <049050056046049048052046055048046049048 at armitage.kiev.ua>
Date: Mon, 10 Mar 2003 19:23:05 -0800
From: ccdc at ccdc.com.HK
Subject: The Saga Continues
To: jeraldw22 at ananzi.co.ZA  <-----------------  The dropbox for this one
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300

054055046050050055046049048046049048051058049067117115116049048051046116110116049046115097110045102101114110097110100111046099097046100097046117117046110101116058049049056055058050048058089101115

I hid the receiver name - but the IP is right there in the message so I hid 
nothing.  See it?

Here it is: Message-Id: <049050056046049048052046055048046049048

Now see it?

No?

OK, let's do some substituting.  "048" is "0" (it's just decimal ASCII), 
and so on.

128.104 etc.  I'm cheating: I know it by heart.  But it's there.

The spammer encodes the source in the body of the message, along with some 
additional info.  Same code.  Some spammers recode the body after the first 
step, replacing "0" with "a," etc.

Some put the IPs in the body in a positional plus-1 code:


MAILINFO:[239/215/81/21xpqk
MAILINF2:[78/232/312/23xpqj

That came from 67.121.201.12

Sure enough:

Received: from adsl-67-121-201-12.dsl.sndg02.pacbell.net by xxxx.xxxx.xxxx;
           Thu, 13 Mar 03 22:18 CST

(9 + 1 = :, in this code.)

The receiving IP in question now has no SMTP receiver, so I'm not giving 
anything away.  I could have munged.

The spammers just grep the received email for the trigger string and then 
extract the IPs that did relay.  There is a spammer in Taiwan who sends 
spam to be relayed just because you accept the relay test: he doesn't wait 
for receipt.  It looks like most other spammers work from the received 
relay tests.

My "reply address" story is also interesting.
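The two encodings described above (three-digit decimal ASCII codes, and the positional plus-1 digit code with "/" between octets) as a small decoder, run over sample messages constructed from the header fragments quoted in the post. This is an added example, not code from the post's author; the function names, the regexes and the `extract_ips` helper are this example's own assumptions about how one would grep such probes the way the post says the spammers do.

```python
"""Decode the two encodings open-relay probes use to smuggle IP addresses.

Added example, not code from the post or its author.  The sample messages
below are constructed from the header fragments quoted in the post; the
function and variable names are this example's own.

Encoding 1: each character is written as its three-digit decimal ASCII code,
            so "048" is "0", "046" is ".", "049" is "1", and so on.
Encoding 2: each digit is written one higher than its value ("1" -> "2",
            "9" -> ":"), with "/" between octets.
"""
import re

# Four or more consecutive 3-digit codes in the 000-199 range (printable
# ASCII is 032-126, so a run of encoded text always looks like this).
TRIPLET_RUN = re.compile(r"(?:[01]\d\d){4,}")
# MAILINFO:[239/215/81/21xpqk -> capture the four slash-separated fields.
PLUS1_FIELD = re.compile(r"MAILINF\w:\[([0-9:]+(?:/[0-9:]+){3})")
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# "1" -> "0" ... "9" -> "8", ":" -> "9"  (chr(ord("0") + 10) is ":")
PLUS1_TABLE = {chr(ord("0") + d + 1): str(d) for d in range(10)}


def decode_decimal_ascii(payload: str) -> str:
    """'049050056046049048052046055048046049048' -> '128.104.70.10'."""
    if len(payload) % 3:
        raise ValueError("triplet payload length must be a multiple of 3")
    return "".join(chr(int(payload[i:i + 3])) for i in range(0, len(payload), 3))


def decode_plus1(field: str) -> str:
    """'239/215/81/21' -> '128.104.70.10'."""
    return ".".join("".join(PLUS1_TABLE[c] for c in octet)
                    for octet in field.split("/"))


def extract_ips(message: str) -> dict:
    """Find every IP hidden in a message by either encoding.

    Returns {"decimal_ascii": [...], "plus1": [...]} with addresses in the
    order found.  Plain-text IPs (e.g. in Received: headers) are ignored
    here; compare them against the result to confirm the decode.
    """
    found = {"decimal_ascii": [], "plus1": []}
    for run in TRIPLET_RUN.findall(message):
        try:
            text = decode_decimal_ascii(run)
        except ValueError:
            continue
        found["decimal_ascii"].extend(DOTTED_QUAD.findall(text))
    for field in PLUS1_FIELD.findall(message):
        try:
            found["plus1"].append(decode_plus1(field))
        except KeyError:          # a character outside the 1-9,: alphabet
            continue
    return found


# Constructed from the two probe messages quoted in the post.
SAMPLE_PROBE_1 = """\
Received: from 67.227.10.103 by xxxx.xxxx.xxx; Mon, 10 Mar 03 21:12 CST
Message-Id: <049050056046049048052046055048046049048 at armitage.kiev.ua>
Subject: The Saga Continues

054055046050050055046049048046049048051058049067117115116049048051046116110116049046115097110045102101114110097110100111046099097046100097046117117046110101116058049049056055058050048058089101115
"""

SAMPLE_PROBE_2 = """\
Received: from adsl-67-121-201-12.dsl.sndg02.pacbell.net by xxxx.xxxx.xxxx;
           Thu, 13 Mar 03 22:18 CST

MAILINFO:[239/215/81/21xpqk
MAILINF2:[78/232/312/23xpqj
"""

if __name__ == "__main__":
    for name, msg in (("probe 1", SAMPLE_PROBE_1), ("probe 2", SAMPLE_PROBE_2)):
        print(name, extract_ips(msg))
    # The whole body of probe 1 decodes to the source IP, its reverse name
    # and a few status fields the spammer's grep presumably keys on.
    print(decode_decimal_ascii(SAMPLE_PROBE_1.splitlines()[-1]))
```

The first address recovered from each probe is the relay that was being tested (128.104.70.10 in both the Message-Id and the MAILINFO field), and the second is the host that sent the probe, which can be checked against the plain IP or hostname in the Received: header of the same message.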



