poisoned spamlists?

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

poisoned spamlists?

Unread post by faris »

90% of the spam that's hitting our servers is from botnets
99% of that spam seems to be to addressed to (random string)@domain.tld and sent in groups of mostly first-letter alphabetic order and mostly in groups of no more than 9 messages, each group from a different IP:

Here are some examples of the random string addresses I'm talking about:

Code: Select all

iygbib65@
iyycf874@
izbalo858@
izerlhwih532@
jacjzevr648@
iqfubjm830@
isrsmbzav133@
iwpbyfpa550@
ixfwqajej579@

jhadtlzp132@
jhkvywid969@
jeykdojlg226@

juobcg529@ 
juvicpy850@
jwocqpx855@
jwtmuicwd108@
jxzeubab180@ 
The examples above include a numeric element, but this isn't always the case. More often than not there are no numerics. However, when there is a numeric element, it is ALWAYS at the end of the string, like in the examples above. In addition, no address string ever seems to be longer than 12 characters long.

Initially I thought that these strings may in fact be encoded addresses (e.g. base64 or something) that the spammers had accidentally not decoded. I've tried every decoding option I could find on the internet and have not been able to generate any meaningful addresses. If anyone would like to try their hand at decoding them, it might be fun? I could easily have missed an obvious decoding method.

However, given that the numeric element is always at the end of the string, and that no string I've seen is longer than 12 characters, I've started to think that maybe something else is going on. Specifically, I'm wondering if what we're seeing is a poisoned list.

I had a quick look at some of the spam poisoning code that's out there, but couldn't find anything that specifically said it generated X character random-alpha string with a maximum of Y numeric etc. But It certainly seems like this may well be a case of a very successful spamlist poisoning.

What do people think? Possible?

Do any of you know of any forum or mailing list where this sort of thing gets discussed? I'm very interested in the spam trends and delivery methodology.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8330
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: poisoned spamlists?

Unread post by scott »

Definitely the kind of thing Id use for poisoning and/or honeypots. We have lots of hidden email addresses embedded all over various pages here to route spam & malware to our honeypots.

Another thing it could be is cover traffic for valid email addresses. Spammers prey on other spammers for data as well. Perhaps this is to make that data more worthless.
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: poisoned spamlists?

Unread post by faris »

I don't quite get what you are saying, I'm afraid. Sorry for being a bit dense today.

Another bit of data to add: this has been going on for months. You'd think someone somewhere would have noticed that they are getting 0 return on their "investment"?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Post Reply