[unisog] massive uptick in targeted spam this weekend and week
brennan at columbia.edu
Tue Oct 15 20:24:50 GMT 2002
This is what we've been seeing week after week.
> 1. Sources. Many of the DNS hostnames used in the headers (e.g. From: lines)
> and some of the spam is coming directly from optingnow.com hosts :
> ns1.optingnow.com (aka exclusive.optingnow.com), IP # 188.8.131.52
This outfit has been spamming insanely since end of last week. I don't
think we've seen any at all coming from their own hosts though. It's
been relay-hijacked in from all over the world. Easy enough to reject
all with from line optingnow.com... until they change it.
> We usually see yahoo.com used in the SMTP OOB dialog as the
> host named in the 'HELO' command (this is obviously not from Yahoo):
> Received: from yahoo.com (200-207-131-21.dsl.telesp.net.br [184.108.40.206])
> Received: from yahoo.com ([220.127.116.11])
> Received: from yahoo.com (email@example.com)
This is very common. Less so, but still common, other major names
like msn.com or juno.com.
> 2. Topics of messages (many variations on these themes):
> Debt reduction
> Mortgage refinancing (Rates below 5%)
> Penis enlargement
> Hair loss / Baldness
> The message is in HTML format. There are a number of URLs in the msg.
It is almost true that mail in text/html is always spam. That is, not
multipart/alternative but text/html only. However, almost is not good
enough. But add another condition or two and it could be a good spam
trap. I haven't worked it out yet.
Joseph Brennan postmaster at columbia.edu
Academic Technologies Group, Academic Information Systems (AcIS)
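
Added example, not part of the original post and not the poster's filter: one way to combine two of the signals discussed above, a top-level text/html body and a HELO name of yahoo.com, msn.com or juno.com from a peer whose reverse DNS is not under that domain. It assumes sendmail-style Received lines in which the parenthesised name is the rDNS recorded by the receiving MTA; the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# HELO names the post reports as commonly forged.
FORGED_HELO_NAMES = {"yahoo.com", "msn.com", "juno.com"}
# Matches "from <helo> (<rdns> [<ip>])" and "from <helo> ([<ip>])".
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9.]+)\]\)", re.I)

def helo_mismatch(received):
    """HELO claims a major provider but the peer's rDNS is not under it."""
    m = RECEIVED_RE.search(received)
    if not m or m.group(1).lower() not in FORGED_HELO_NAMES:
        return False
    helo, rdns = m.group(1).lower(), (m.group(2) or "").lower()
    return not (rdns == helo or rdns.endswith("." + helo))

def reasons(raw):
    msg = message_from_string(raw)
    found = []
    # text/html as the top-level type, i.e. not multipart/alternative.
    if msg.get_content_type() == "text/html":
        found.append("html-only")
    # Only the topmost Received line is written by our own MTA (assumption);
    # lower ones are supplied by the sender and are not trusted here.
    received = msg.get_all("Received", [])
    if received and helo_mismatch(received[0]):
        found.append("forged-helo")
    return found

def is_trap_hit(raw):
    """Require both conditions; html-only by itself is kept as a weak signal."""
    return set(reasons(raw)) == {"html-only", "forged-helo"}

# Constructed sample messages (documentation addresses, not from the post).
SPAM = ("Received: from yahoo.com (dsl-21.example.net [192.0.2.21]) by mx.example.edu\n"
        "From: offers@example.com\nContent-Type: text/html\n\n<html>Rates below 5%</html>\n")
HTML_ONLY = ("Received: from mail.example.org (mail.example.org [198.51.100.9]) by mx.example.edu\n"
             "From: friend@example.org\nContent-Type: text/html\n\n<html>hi</html>\n")
NO_RDNS_PLAIN = ("Received: from yahoo.com ([192.0.2.5]) by mx.example.edu\n"
                 "From: someone@example.net\nContent-Type: text/plain\n\nhello\n")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("HTML_ONLY", HTML_ONLY), ("NO_RDNS_PLAIN", NO_RDNS_PLAIN)):
        print(name, reasons(raw), is_trap_hit(raw))
```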