
Thread: A lose is yolk despotism

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    A lose is yolk despotism

    OK... that title doesn't make any sense, but that's kind of the point

    For about two months now, we've been getting spam. Not that unusual, but the details are...

    - The spam comes to Comcast e-mail accounts. We have three of them (all set up on different computers - two using Outlook Express, one using Thunderbird as the e-mail client), and all three accounts are getting the spam.

    - The "To:" field is never one of our addresses, and is always different (it's always a @comcast.net addy, though).

    - Each of our addresses gets around 3 to 5 spam messages per day.

    - Titles of spam include:
    "i'll cathy that diagonal banquet"
    "some indonesia a handkerchief"
    "you break a catholic walking"
    "totemic a myocardial but dwelt away"
    "I'll humboldt my countenance"

    Sounds like that surrealist word generator someone here (aspman?) has in his signature... it's obviously the same "thing"...

    - The "From:" field is always different, and also sounds like a random (name) generator:
    "Bethany Silve <P_vbah@cnetco.com>"
    "Buddy Stewart <YHouser2@emtds1.nsc.com>"
    "Buddy Jernigan <QLawanda@merr.com>"
    "Casey Stapleton <EN.zqc@ezy.net>"

    - The message: there seem to be three categories:

    1. A simple link - here's literally what one of those says:
    1,22
    V L X A P V C A e a m r I I L v n b o A A I i a i z G L U t x e a R I M ra
    n c A S
    3,32 3,75
    http://www.ericasometi.com
    2. A picture that doesn't show (because the source is screwed up) with a weird url like

    http://\atexq%2enet%2e<.4w4okap1%2ego2zchoice.info/#terioq.info followed by a bunch of cr*p like the following

    Why you see we wasnt aware sir returned the waiter still apologetically as
    if we can help it I think we had better take a little breathing time In the meanwhilethe intimacy between her and Alec and to watch it with uneasiness And now I must confess
    calculated to overturn the augustuss plans Padgetts plans said the cameraman stroking his face
    with a handsome purse of moneyand a portmanteau and tenderly dismissed upon my expedition
    Mr Neely was anyways particular We can give Mr Nickerson seventy two sir if placid satisfaction Now I have found it "You may not be surprised to hear Annie "
    I had no pleasure in thinking any more of the grave old broad leaved aloe trees which remained
    That aint a sort of man to see sitting behind a coach box is it though said Mabel in my ear
    but the days of my inhabiting there were gone and the old time was past I was heavier at
    Aint you said the waiter Young gentlemen is generally tired of beef and mutton
    Yes she said I think he does himself no good by the habit that has increased upon him since I first came here
    and having an immense four post personnel in it which was quite a little landed saltwater
    you should like it And I am very well persuaded that whatever you do Brittney will always be By the by and letters from Mr Jack Molina said the datum
    of me appeared so deserving of my gratitude and my old love for him overflowed Then I saw as though all the intervening time had been cancelled and I were still standing
    for nobody stood in any awe of me at all the chambermaid being utterly indifferent
    wSOCdJbvlKlTivA39v09y5Ps5NM17XRFYXduHAsp7ARZmpdio9ucPG1sZ1BjgFUU9xd9DYe4sra59xAnSlqYsdm3yg
    easy negligence which I have reason to remember very well became a real presence to me
    3. "Genuine spam" (links to sites selling fake stuff... rolex21.com... that kinda crap)
    The thing here is that the gibberish text is similar to the one in the previous case, but the picture seems to have been scanned in... part of the text looks like it was ripped out of the printer/fax/whatever before it could print properly...


    I haven't really looked into all of it (because it's too much), but I was just wondering if anyone else has recently seen anything like this... I'd be happy to forward some of the crap for analysis...
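The "To: is never one of our addresses" observation above has a mundane mechanical side: SMTP delivers on the envelope recipient (RCPT TO), not on the visible To: header, and most MTAs record that envelope address in a Delivered-To header or in the "for <addr>" clause of a Received: line. The check below is an added example, not code from the thread; the message is constructed with placeholder domains, borrowing only the From: and Subject: from the samples quoted in the post.

```python
import email
import re
from email import policy

# Constructed sample message (placeholder domains; the From: and Subject: are
# taken from the samples quoted in the post above).
RAW = b"""Received: from relay.example-sender.invalid (relay.example-sender.invalid [192.0.2.10])
\tby mx.example.invalid (Postfix) with ESMTP id PLACEHOLDER
\tfor <joe@example.invalid>; Sat, 1 Jan 2000 00:00:00 +0000
Delivered-To: joe@example.invalid
From: "Casey Stapleton" <EN.zqc@ezy.net>
To: bill@example.invalid
Subject: you break a catholic walking
Content-Type: text/plain

http://www.example-link.invalid
"""

def envelope_recipients(msg):
    """Addresses the MTA actually delivered to, from trace headers: Delivered-To
    and the 'for <addr>' clause that Received: lines carry (RFC 5321 trace info)."""
    found = [h.strip().lower() for h in msg.get_all("Delivered-To", [])]
    for h in msg.get_all("Received", []):
        m = re.search(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", h)
        if m:
            found.append(m.group(1).lower())
    return found

def header_recipients(msg):
    """Addresses in the visible To:/Cc: headers, which SMTP never delivers on."""
    addrs = []
    for field in ("To", "Cc"):
        for hdr in msg.get_all(field, []):
            addrs.extend(a.addr_spec.lower() for a in hdr.addresses)
    return addrs

def recipient_mismatch(raw):
    """Flag a message whose visible recipients share nothing with the envelope."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    env, hdr = set(envelope_recipients(msg)), set(header_recipients(msg))
    return {"envelope": sorted(env), "header": sorted(hdr),
            "mismatch": bool(env) and not (env & hdr)}

if __name__ == "__main__":
    print(recipient_mismatch(RAW))
```

A mismatch on its own is not proof of spam (mailing lists and Bcc produce it legitimately), but combined with a never-before-seen To: address it is a cheap signal to feed a filter.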

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    118
    Never heard of that before. Perhaps it's a new way they're trying to get past spam filters?
    Got Root?
    This user powered by Linux.

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Neg,
    I've been receiving this sort of Spam into my spambait accounts for a few years now. I've a few unsubstantiated theories on what it is...
    1. "Background noise" junk spam (lol) with the intention of skewing or confusing heuristic spam detection systems
    2. "Recon spam" sent to determine if an email account is valid

    When I was still a common user of POP3 based email providers, I was a big fan of MailWasher from Firetrust. I used it to delete spam on the server, and send bounce messages to the origination point of spam. After a few weeks of this, I started seeing these spam messages you describe. I would also get messages of the sort that were supposed to look like legitimate correspondence with a subject or opening sentence like "Why did you bounce my message?"

    I have no doubt that many of the international spam groups subscribe to all the anti-spam products and services, just as users do, so they can get an inside track on how they are being tracked and defeated. I assume these spammers do this as some form of business, so it would be stupid NOT to reconnoiter the enemy, as it were.

    I've never heard of an acceptable explanation for this sort of spam. But I can tell you I get a bunch of it.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I've noticed something wrong with Comcast's SMTP servers for a while now.

    I get "similar" addressed emails to me, but not actually addressed to me.

    Example:
    if my email address was nospam_at_comcast_dot_net,
    I would get emails addressed to nospasm_at_comcast_dot_net

    I receive this from other email servers, but never before on Comcast.

    They used to be good at filtering this stuff out, only giving a person email destined for the actual email account it was sent to. But for the past few months a lot of the above type garbage gets through.

    Somebody at Comcast is dropping the ball!
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Neg:

    The big bit you quoted is there to mess with Bayesian filters. It ups the word count with normally acceptable words thus reducing the overall spam score of the message.

    We too have started getting messages that have bill@mydomain.com in the To: field (who doesn't exist), but they are delivered to Joe@mydomain.com (who does exist and receives the mail). I haven't bothered to look into why because there is a secondary To: field IIRC and have to this point assumed that it was being delivered by this field yet showing the other one. I will probably have to look into this now....

    I am also seeing a lot of spam from names that appear to be generated by a word generator. I saw one yesterday that was from "Redistributes O. Perspiring"..... WTF???? This has become noticeable in the last 2 weeks or so and whatever they are doing now it is beating the spam filter more often.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Nov 2005
    Posts
    115
    Originally posted here by IKnowNot
    Example:
    if my email address was nospam_at_comcast_dot_net,
    I would get emails addressed to nospasm_at_comcast_dot_net

    They used to be good at filtering this stuff out, only giving a person email destined for the actual email account it was sent to. But for the past few months a lot of the above type garbage gets through.
    Is this stuff easily avoidable by using the SPF DNS entries and SPF checking? Wouldn't that be standard to implement on big networks???

    Why arm the alarm on your car if you aren't even going to lock the doors?

    Al

  7. #7
    Originally posted here by alleyCat
    Is this stuff easily avoidable by using the SPF DNS entries and SPF checking? Wouldn't that be standard to implement on big networks???

    Why arm the alarm on your car if you aren't even going to lock the doors?

    Al
    Since we aren't seeing the complete email headers, it is hard to speculate on why they are getting through. I see a few similar things, but I mostly get the variations on the Nigerian scam. I do most of my email on Comcast via the browser (when I'm on the laptop), where there is a "report as SPAM" button on the Inbox. Reporting those keeps the number of junk items to a minimum. I've had the same Comcast email for several years now and get minimal cr*p mail.

    I agree with Zencoder, this looks a lot like recon spam. I suspect that responding to the links or replying to complain will generate the "we got a live one" activity on the part of the spammers.

    This last week I looked into a credit union phishing email. The link in the email was from a site in China. The site was an Apache-based system that wasn't very well secured, as it turns out. I was able to traverse directories and saw the setups for about 50 different scams. Some of the site names looked similar to the second link in Negative's post. The site even showed statistics. Thousands of people from all over the world were actually putting information into this site.

    Since the security of the site was suspect, I suppose it will be hacked or owned soon.

    I'll check it Monday to see if it is still there.

  8. #8
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Good stuff rapier57. Insofar as "recon" spam, I attribute it to a sort of port scan...
    Code:
    Send a spam-probe to all the various minor iterations of some-guy@someuri.sometld
    Do the 'bounce' replies all follow an exact format?
    Which are anomalous?
    Probe them.
    Are they still anomalous, do they match the attributes of the previous bounce messages?
    Spam all anomalies and good addresses found.
    That sounds like a lot of work...but that's the beauty of computers.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  9. #9
    I checked the site today and it is pretty cleaned out. The server is still there, but everything is gone. Since I filed with the feds, I can't say for sure if they had an impact or if someone with better Apache hacking abilities than I killed their site. Fortunately, I still have the printed statistics report.
