[unisog] massive uptick in targeted spam this weekend and week

Joseph Brennan brennan at columbia.edu
Tue Oct 15 20:24:50 GMT 2002

This is what we've been seeing week after week.  

> 1.	Sources.  Many of the DNS hostnames used in the headers (e.g. From: lines)
> 	and some of the spam is coming directly from optingnow.com hosts :
> 	ns1.optingnow.com (aka exclusive.optingnow.com), IP #

This outfit has been spamming insanely since end of last week.  I don't
think we've seen any at all coming from their own hosts though.  It's
been relay-hijacked in from all over the world.  Easy enough to reject
all with from line optingnow.com... until they change it.

> 	We usually see yahoo.com used in the SMTP OOB dialog as the
> 	host named in the 'HELO' command (this is obviously not from Yahoo):
> 	Received: from yahoo.com (200-207-131-21.dsl.telesp.net.br [])
> 	Received: from yahoo.com ([])
> 	Received: from yahoo.com (squid@[])

This is very common.  Less so, but still common, other major names
like msn.com or juno.com.

> 2.	Topics of messages (many variations on these themes):
> 		Debt reduction
> 		Mortgate refinancing (Rates below 5%)
> 		Penis enlargement
> 		Hair loss / Baldness

Oh yeah.

> 	The message is in HTML format.  There are a number of URLs in the msg.

It is almost true that mail in text/html is always spam.  That is, not
multipart/alternative but text/html only.  However, almost is not good
enough.  But add another condition or two and it could be a good spam
trap.  I haven't worked it out yet.


Joseph Brennan                           postmaster at columbia.edu
Academic Technologies Group, Academic Information Systems (AcIS)

More information about the unisog mailing list