
poisoned spamlists?

Posted: Thu Aug 22, 2013 10:27 am
by faris
90% of the spam that's hitting our servers is from botnets.
99% of that spam seems to be addressed to (random string)@domain.tld and sent in groups of mostly first-letter alphabetic order and mostly in groups of no more than 9 messages, each group from a different IP:

Here are some examples of the random string addresses I'm talking about:

iygbib65@
iyycf874@
izbalo858@
izerlhwih532@
jacjzevr648@
iqfubjm830@
isrsmbzav133@
iwpbyfpa550@
ixfwqajej579@

jhadtlzp132@
jhkvywid969@
jeykdojlg226@

juobcg529@ 
juvicpy850@
jwocqpx855@
jwtmuicwd108@
jxzeubab180@ 
The examples above include a numeric element, but this isn't always the case. More often than not there are no numerics. However, when there is a numeric element, it is ALWAYS at the end of the string, like in the examples above. In addition, no address string ever seems to be longer than 12 characters long.

Initially I thought that these strings may in fact be encoded addresses (e.g. base64 or something) that the spammers had accidentally not decoded. I've tried every decoding option I could find on the internet and have not been able to generate any meaningful addresses. If anyone would like to try their hand at decoding them, it might be fun? I could easily have missed an obvious decoding method.

However, given that the numeric element is always at the end of the string, and that no string I've seen is longer than 12 characters, I've started to think that maybe something else is going on. Specifically, I'm wondering if what we're seeing is a poisoned list.

I had a quick look at some of the spam poisoning code that's out there, but couldn't find anything that specifically said it generated X character random-alpha string with a maximum of Y numeric etc. But it certainly seems like this may well be a case of a very successful spamlist poisoning.

What do people think? Possible?

Do any of you know of any forum or mailing list where this sort of thing gets discussed? I'm very interested in the spam trends and delivery methodology.
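
The pattern described in the post above can be turned into a log check. This is an added example, not part of the original thread: it flags source IPs whose recipients all fit the described shape (letters, digits only at the end, at most 12 characters), arrive in groups of at most 9, and run in mostly first-letter order. The IP addresses, the `example.com` domain, the `known_mailboxes` set and the 0.8 ordering threshold are assumptions; the random-string local parts are the ones quoted in the post.

```python
import re
from collections import defaultdict

def fits_shape(rcpt):
    """Letters, then optional digits only at the end, 12 characters at most."""
    local = rcpt.split("@", 1)[0].lower()
    return len(local) <= 12 and re.fullmatch(r"[a-z]+[0-9]*", local) is not None

def first_letter_order(locals_):
    """Fraction of consecutive pairs whose first letters do not go backwards."""
    pairs = list(zip(locals_, locals_[1:]))
    if not pairs:
        return 1.0
    return sum(a[0] <= b[0] for a, b in pairs) / len(pairs)

def suspicious_groups(events, known_mailboxes, max_group=9, min_order=0.8):
    """events: (source_ip, rcpt) tuples in arrival order.
    Returns {ip: (message_count, order_score)} for groups matching the pattern.
    min_order is an assumed cut-off for "mostly" alphabetic."""
    by_ip = defaultdict(list)
    for ip, rcpt in events:
        by_ip[ip].append(rcpt)
    flagged = {}
    for ip, rcpts in by_ip.items():
        locals_ = [r.split("@", 1)[0].lower() for r in rcpts]
        # A real mailbox such as "sales" also fits the shape, so skip any
        # group that touches a known mailbox.
        if any(l in known_mailboxes for l in locals_):
            continue
        if len(rcpts) > max_group or not all(fits_shape(r) for r in rcpts):
            continue
        score = first_letter_order(locals_)
        if score >= min_order:
            flagged[ip] = (len(rcpts), score)
    return flagged

# Constructed sample: local parts from the post, documentation-range IPs.
GROUP_A = ["iygbib65", "iyycf874", "izbalo858", "izerlhwih532", "jacjzevr648",
           "iqfubjm830", "isrsmbzav133", "iwpbyfpa550", "ixfwqajej579"]
GROUP_B = ["jhadtlzp132", "jhkvywid969", "jeykdojlg226"]
SAMPLE = ([("192.0.2.10", l + "@example.com") for l in GROUP_A]
          + [("198.51.100.7", l + "@example.com") for l in GROUP_B]
          + [("203.0.113.5", "sales@example.com"),
             ("203.0.113.5", "j.smith@example.com")])
KNOWN = {"sales", "j.smith"}  # assumed list of real mailboxes

if __name__ == "__main__":
    for ip, (count, score) in suspicious_groups(SAMPLE, KNOWN).items():
        print(f"{ip}: {count} messages, first-letter order {score:.3f}")
```
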

Re: poisoned spamlists?

Posted: Fri Aug 23, 2013 9:12 am
by scott
Definitely the kind of thing I'd use for poisoning and/or honeypots. We have lots of hidden email addresses embedded all over various pages here to route spam & malware to our honeypots.

Another thing it could be is cover traffic for valid email addresses. Spammers prey on other spammers for data as well. Perhaps this is to make that data more worthless.

Re: poisoned spamlists?

Posted: Fri Aug 23, 2013 2:46 pm
by faris
I don't quite get what you are saying, I'm afraid. Sorry for being a bit dense today.

Another bit of data to add: this has been going on for months. You'd think someone somewhere would have noticed that they are getting 0 return on their "investment"?