[unisog] Numeric SPAM

Chris Crowley ccrowley at tulane.edu
Tue Jun 6 17:42:57 GMT 2006


I've received two, to two different addresses.

The Subject # was the same, the body number was substantially larger in the second than in the
first.  The second message was sent to a domain that began in "w", the first to a domain that began
in "m".

I wonder if a spambot network is working on validating its list of recipients.

The IP address which sent the mail to these two accounts was in France, judging from the SOA for the
reverse lookup.

Just a thought.


Micheal Cottingham wrote:
> It was my understanding that the spammers were using the forged envelope
> sender as the person they were sending to. If I misread that, perhaps I
> should eat some more sugar to wake up. :D For my personal domains at
> least, I do use a -all for hardfail. I also use some filtering on my
> Exim install, SpamAssassin with some custom rulesets and the added bonus
> of teergrube, graylisting, and various other tricks, and soon I'll be
> adding DCC to the mix. So no, I don't add all my eggs to the SPF basket.
> :) That aside, I've still not seen anything come across work or personal
> domain or gmail account.
> 
> Valdis.Kletnieks at vt.edu wrote:
>> On Tue, 06 Jun 2006 11:23:39 EDT, Micheal Cottingham said:
>>   
>>> For my personal servers I use SPF, so I'll probably not see any of
>>> these.
>>>     
>> SPF will only block it if the spammer is using a purported From: that
>> actually has a published SPF value that ends with a -all hardfail.  Between
>> the 70% or more domains that don't publish an SPF, and the majority that
>> *do* publish but end it with a ~all softfail, SPF won't be making much of
>> a dent.
>>
>> And that's probably SPF's biggest problem - you can't really *rely* on it
>> to stop forgeries until a vast majority of sites publish a hardfail SPF,
>> including *all* the 800-pound gorillas.  AOL has a ?all, Hotmail and MSN
>> both show a ~all.  And so on.
>>   
>>
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.sans.org
>> http://www.dshield.org/mailman/listinfo/unisog
>>   
> 

-- 
Christopher Crowley
Network Administrator
Tulane Technology Services
ccrowley at tulane.edu
phone: (504) 324-2249
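Added illustration (not part of this thread, and not any list member's code) of the point made above about qualifiers: a minimal SPF evaluator run against constructed policy records. The domains, TXT records and the sending addresses (203.0.113.7 as the forging host, 192.0.2.0/24 as the legitimate outbound range) are all made up for the example; real lookups would come from DNS, and the a/mx/ptr/exists mechanisms are treated as non-matching because they need live resolution. The evaluator follows the RFC 4408 check_host outline for ip4, ip6, include and all, and shows that only a record ending in -all yields a result a border MTA can reject on.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption: example
# domains only; these are not the policies of any real provider).
SPF_RECORDS = {
    "hardfail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "neutral.example":  "v=spf1 ip4:192.0.2.0/24 ?all",
    "nospf.example":    None,                            # publishes no record
    "bulk.example":     "v=spf1 include:hardfail.example ~all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT query (assumption: reads the constructed table)."""
    return SPF_RECORDS.get(domain)


def check_host(ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for a message sent from `ip`.

    Returns one of: none, neutral, pass, fail, softfail, permerror.
    Supports ip4, ip6, include and all; other mechanisms are treated as
    non-matching because they need live DNS (assumption for this example).
    """
    if depth > 10:                       # RFC 4408 limits include recursion
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                  # an unprefixed mechanism means pass
        if term and term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # Address-family mismatch simply fails to match, as the RFC intends.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, ptr, exists and modifiers such as redirect= are skipped here.
    return "neutral"                     # no mechanism matched and no "all" term


def border_action(result):
    """What a receiving MTA can do with each SPF result; only fail is rejectable."""
    return {
        "fail": "reject",
        "softfail": "tag-and-score",     # feed to SpamAssassin-style scoring
    }.get(result, "accept")              # pass, neutral, none, permerror


def forged_sender_outcomes(sender_ip):
    """Map each constructed domain to the action a forgery from `sender_ip` gets."""
    return {d: border_action(check_host(sender_ip, d)) for d in SPF_RECORDS}


if __name__ == "__main__":
    # Constructed forging host (TEST-NET-3) purporting to be each domain in turn.
    for domain, action in forged_sender_outcomes("203.0.113.7").items():
        print(f"{domain:20} {check_host('203.0.113.7', domain):9} -> {action}")
```

Running it shows that of the five constructed senders, only the -all domain produces a "fail" that can be rejected outright; the ~all domain can at most add score, and the ?all and no-record domains give the receiver nothing to act on, which is the gap the thread describes.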

