store | blogs | forums | twitter | facebook | wiki | downloads | support portal
Atomic Secure Linux
It is currently Sat Aug 17, 2019 1:35 pm

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 3 posts ] 
Author Message
 Post subject: poisoned spamlists?
Unread postPosted: Thu Aug 22, 2013 10:27 am 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
90% of the spam that's hitting our servers is from botnets
99% of that spam seems to be to addressed to (random string)@domain.tld and sent in groups of mostly first-letter alphabetic order and mostly in groups of no more than 9 messages, each group from a different IP:

Here are some examples of the random string addresses I'm talking about:

Code:
iygbib65@
iyycf874@
izbalo858@
izerlhwih532@
jacjzevr648@
iqfubjm830@
isrsmbzav133@
iwpbyfpa550@
ixfwqajej579@

jhadtlzp132@
jhkvywid969@
jeykdojlg226@

juobcg529@
juvicpy850@
jwocqpx855@
jwtmuicwd108@
jxzeubab180@


The examples above include a numeric element, but this isn't always the case. More often than not there are no numerics. However, when there is a numeric element, it is ALWAYS at the end of the string, like in the examples above. In addition, no address string ever seems to be longer than 12 characters long.

Initially I thought that these strings may in fact be encoded addresses (e.g. base64 or something) that the spammers had accidentally not decoded. I've tried every decoding option I could find on the internet and have not been able to generate any meaningful addresses. If anyone would like to try their hand at decoding them, it might be fun? I could easily have missed an obvious decoding method.

However, given that the numeric element is always at the end of the string, and that no string I've seen is longer than 12 characters, I've started to think that maybe something else is going on. Specifically, I'm wondering if what we're seeing is a poisoned list.

I had a quick look at some of the spam poisoning code that's out there, but couldn't find anything that specifically said it generated X character random-alpha string with a maximum of Y numeric etc. But It certainly seems like this may well be a case of a very successful spamlist poisoning.

What do people think? Possible?

Do any of you know of any forum or mailing list where this sort of thing gets discussed? I'm very interested in the spam trends and delivery methodology.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Top
 Profile  
Reply with quote  
 Post subject: Re: poisoned spamlists?
Unread postPosted: Fri Aug 23, 2013 9:12 am 
Offline
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Definitely the kind of thing Id use for poisoning and/or honeypots. We have lots of hidden email addresses embedded all over various pages here to route spam & malware to our honeypots.

Another thing it could be is cover traffic for valid email addresses. Spammers prey on other spammers for data as well. Perhaps this is to make that data more worthless.


Top
 Profile  
Reply with quote  
 Post subject: Re: poisoned spamlists?
Unread postPosted: Fri Aug 23, 2013 2:46 pm 
Offline
Long Time Forum Regular
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I don't quite get what you are saying, I'm afraid. Sorry for being a bit dense today.

Another bit of data to add: this has been going on for months. You'd think someone somewhere would have noticed that they are getting 0 return on their "investment"?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

» Feed - Atomicorp

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group