[sniffer] Numeric spam source has been revealed
It was broken code in the latest Bagel/Beagle:

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html

Andrew 8)

#
This message is sent to you because you are subscribed to the mailing list sniffer@sortmonster.com.
To unsubscribe, E-mail to: [EMAIL PROTECTED]
To switch to the DIGEST mode, E-mail to [EMAIL PROTECTED]
To switch to the INDEX mode, E-mail to [EMAIL PROTECTED]
Send administrative queries to [EMAIL PROTECTED]
[sniffer] AW: [sniffer] Numeric spam source has been revealed
So now we know too that stock spam is sent out by Beagle-infected zombies.

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Friday, June 9, 2006 17:36
To: Message Sniffer Community
Subject: [sniffer] Numeric spam source has been revealed

> It was broken code in the latest Bagel/Beagle:
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.fc.html
>
> Andrew 8)
[sniffer]AW: [sniffer]Numeric spam
Today I've noticed that there is a relation between the recipient addresses that were used in the past 36 hours in the numeric spam messages and the following wave of stock-spam messages containing this png graphic.

After checking around 10 mailboxes there is a correspondence of 100%: either they have received both or neither of these two messages.

For example my personal mailbox "markus", which is well spread and the destination of many other spams, hasn't received it. Other mailboxes like "domain" and "internet" that are pretty unknown and rarely used have received both.

Markus

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Wednesday, June 7, 2006 01:26
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

> My thought is they are either building a db of valid names or testing delivery techniques.
>
> John T
> eServices For You
> "Seek, and ye shall find!"
[sniffer]Numeric spam
Maybe people at Sniffer are already aware of this new type of spam. (Not the malformed mailfrom one but this one with the short number and nothing else in subject and body.)

Attached are some examples from the last 8 hours. All have failed some other tests and all have reached a final weight in order to be marked in the subject line. However, none of these messages was identified as spam by sniffer.

There is also another type of spam (stock spam now with attached png image) this morning passing our filters. Here too some tests have had positive results (see mail headers of attached samples) but sniffer has also completely missed.

Markus

---BeginMessage---
5556
---End Message---
---BeginMessage---
5556
---End Message---
---BeginMessage---
6J
---End Message---
---BeginMessage---
969
---End Message---
---BeginMessage---
M
---End Message---
Re: [sniffer]Numeric spam
Hello Markus,

Tuesday, June 6, 2006, 3:27:32 AM, you wrote:

> Maybe people at Sniffer are already aware of this new type of spam. (Not the malformed mailfrom one but this one with the short number and nothing else in subject and body.)

Thanks for those samples... I've coded an additional abstract for the ones you sent.

> There is also another type of spam (stock spam now with attached png image) this morning passing our filters. Here too some tests have had positive results (see mail headers of attached samples) but sniffer has also completely missed.

It took a bit of work to generalize the pattern for the png stock spam but I've got a new family of rules in place for it now... I'm waiting on results to tally but I believe the rules will be effective. If not we will continue to work on them.

Thanks,
_M

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
Re: [sniffer]Numeric spam topic change to png stock spam
Hi Markus -

Markus Gufler wrote:

> There is also another type of spam (stock spam now with attached png image) this morning passing our filters.

I am catching these fairly easily - a combo filter -

#combo-stockspammer-png.txt
SKIPIFWEIGHT    26
TESTSFAILED     END     NOTCONTAINS     EXTERNAL.REGEX.STOCKSPAMMER.BODY
BODY    5       CONTAINS        Content-Type: image/png;

# The body regex is this:
src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@

-Nick
[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Hello Nick,

What is your false positive rate with that pattern?

_M

Tuesday, June 6, 2006, 10:05:18 AM, you wrote:

> Hi Markus -
>
> Markus Gufler wrote:
>
> > There is also another type of spam (stock spam now with attached png image) this morning passing our filters.
>
> I am catching these fairly easily - a combo filter -
>
> #combo-stockspammer-png.txt
> SKIPIFWEIGHT    26
> TESTSFAILED     END     NOTCONTAINS     EXTERNAL.REGEX.STOCKSPAMMER.BODY
> BODY    5       CONTAINS        Content-Type: image/png;
>
> # The body regex is this:
> src=cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
>
> -Nick

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
[sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Hello Jonathan,

I urge caution from experience... png images are not entirely rare, and the cid: tag format in the regex is also common. I'd love to be wrong - but I recall false positives with similar attempts in the past.

Is there more to this than the two elements I just described - something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

> Nick, very good method. I have added that to my configuration as well now.

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Pete McNeil wrote:

> Hello Nick,
>
> What is your false positive rate with that pattern?

Hmm, let's go to the MDLP for yesterday :)

                  SS   HH  HS  SH  SA        SQ
REGEX.STOCK.BODY  331  0   0   66  0.667506  0.445565
COMBO.STOCK_PNG   16   0   0   1   0.882353  0.778547

The regex alone will fp; I score it with a 3 [hold on 10; delete on 24].

The png combo I just did last night when I first saw the spam. So far I have not seen any fp. [I combo it (the regex) with other tests as well - which makes it much more reliable.]

-Nick
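Added example, not part of any list message: a Python sketch of how the regex test and the png combo discussed above add up against the hold and delete thresholds, using the weights quoted in the thread (3 for the regex, 5 for the combo, skip at 26, hold at 10, delete at 24). The reading of the filter lines, the optional quote after src=, the MIME-parsed png check and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Regex as posted in the thread; the optional quote after src= is an
# assumption added here so the usual HTML form src="cid:..." also matches.
STOCK_CID = re.compile(r'src="?cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@')

REGEX_WEIGHT = 3       # "I score it with a 3"
COMBO_WEIGHT = 5       # BODY 5 CONTAINS Content-Type: image/png;
SKIP_IF_WEIGHT = 26    # SKIPIFWEIGHT 26
HOLD, DELETE = 10, 24  # "hold on 10; delete on 24"


def html_body(msg):
    """Concatenate the decoded text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            chunks.append(part.get_payload(decode=True).decode("ascii", "replace"))
    return "\n".join(chunks)


def has_png(msg):
    """MIME-aware stand-in for the literal 'Content-Type: image/png;' match."""
    return any(p.get_content_type() == "image/png" for p in msg.walk())


def score(raw, other_weight=0):
    """Return (weight, tests fired, action) for one raw message.

    other_weight is whatever the rest of the filter chain already added.
    """
    msg = message_from_string(raw)
    weight, fired = other_weight, []
    regex_hit = bool(STOCK_CID.search(html_body(msg)))
    if regex_hit:
        weight += REGEX_WEIGHT
        fired.append("REGEX.STOCK.BODY")
    # Assumed reading of the combo file: skip when the message is already
    # heavy, stop unless the regex test fired, then add 5 for a png part.
    if weight < SKIP_IF_WEIGHT and regex_hit and has_png(msg):
        weight += COMBO_WEIGHT
        fired.append("COMBO.STOCK_PNG")
    action = "delete" if weight >= DELETE else "hold" if weight >= HOLD else "deliver"
    return weight, fired, action


def make_message(cid, image_type):
    """Build a constructed multipart/related message with one inline image."""
    return (
        "From: sender@example.com\n"
        "To: rcpt@example.com\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/html; charset=us-ascii\n"
        "\n"
        f'<html><body><img src="cid:{cid}"></body></html>\n'
        "--b1\n"
        f'Content-Type: image/{image_type}; name="pic.{image_type}"\n'
        "Content-Transfer-Encoding: base64\n"
        f"Content-ID: <{cid}>\n"
        "\n"
        "AAAA\n"
        "--b1--\n"
    )


# Constructed samples: a cid in the 12$8$8 shape the regex targets, with a
# png and with a gif, and an ordinary mail-client cid on a png.
STOCK_CID_VALUE = "0a1b2c3d4e5f$12345678$9abcdef0@example"
STOCK_PNG = make_message(STOCK_CID_VALUE, "png")
STOCK_GIF = make_message(STOCK_CID_VALUE, "gif")
NEWSLETTER_PNG = make_message("image001.png@01C68A3B.5D2E1F00", "png")

if __name__ == "__main__":
    for name, raw, other in [
        ("stock png, no other tests", STOCK_PNG, 0),
        ("stock png, other tests +4", STOCK_PNG, 4),
        ("stock cid with gif, +4", STOCK_GIF, 4),
        ("newsletter png, +4", NEWSLETTER_PNG, 4),
    ]:
        print(name, score(raw, other))
```

With these weights the two tests together reach 8, so a message is held only when other tests contribute as well, and a png carrying an ordinary cid gains nothing from either test.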
Re: [sniffer]Numeric spam
We're getting the same and today it started hitting a different account (Domain).

What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign.

Anyone understand their purpose?

On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:

> I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
[sniffer]Re[2]: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Hello Nick,

Thanks. That's all good then :-)

_M

Tuesday, June 6, 2006, 10:46:55 AM, you wrote:

> Pete McNeil wrote:
>
> > Hello Nick,
> >
> > What is your false positive rate with that pattern?
>
> Hmm, let's go to the MDLP for yesterday :)
>
>                   SS   HH  HS  SH  SA        SQ
> REGEX.STOCK.BODY  331  0   0   66  0.667506  0.445565
> COMBO.STOCK_PNG   16   0   0   1   0.882353  0.778547
>
> The regex alone will fp; I score it with a 3 [hold on 10; delete on 24].
>
> The png combo I just did last night when I first saw the spam. So far I have not seen any fp. [I combo it (the regex) with other tests as well - which makes it much more reliable.]
>
> -Nick

--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
Re: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam
Because a small amount of weight is added, it is still sufficient for tilting the scales on more occurrences than other image types.

----- Original Message -----
From: Pete McNeil [EMAIL PROTECTED]
To: Message Sniffer Community sniffer@sortmonster.com
Sent: Tuesday, June 06, 2006 10:44 AM
Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam

> Hello Jonathan,
>
> I urge caution from experience... png images are not entirely rare, and the cid: tag format in the regex is also common. I'd love to be wrong - but I recall false positives with similar attempts in the past.
>
> Is there more to this than the two elements I just described - something I'm not seeing?
>
> _M
Re: [sniffer]Numeric spam
On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote:

> We're getting the same and today it started hitting a different account (Domain).
>
> What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? They're not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign.
>
> Anyone understand their purpose?
>
> On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote:
>
> > I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory.

So no one has any idea what the purpose of these emails are?

Random numbers for no apparent reason...?

Regards,

Steve Guluk
SGDesign
(949) 661-9333
ICQ: 7230769
Re: [sniffer]Numeric spam
> So no one has any idea what the purpose of these emails are?

The bad guys aren't telling.

The good guys have lots of theories, such as:

http://isc.sans.org/diary.php?storyid=1384

and also:

http://www.f-secure.com/weblog/archives/archive-062006.html#0894

which in turn points to this UseNet thread:

http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/3c6e2fec311e89c7/f752311f6db05dfb?lnk=stq=1545453rnum=2fwc=2

which has a rather low signal to noise ratio. Suffice it to say that in that thread, they eventually come up with "spammers fake the from address on a regular basis, yes, even yours" and "hey, we don't know what this is".

The bad guys have certainly spewed out broken junk before, which doesn't seem to suit their purpose; all I can see it accomplishing is exposing previously clean IP addresses as zombies with no commercial gain.

(Hmm... ok, to follow that previous sentence you need to share my understanding that the bad guys regularly burn many previously clean IP addresses at one go by using the zombies on those machines to pump out a new spam run, thus evading the IP based blacklists until those blacklists catch up. Since their commercial messages get through to mailboxes in the meantime, that is a good tradeoff from their point of view. No payload in the numeric spam means no commercial gain.)

The only theories that I can get behind revolve around information-gathering. Since the MAILFROM is not an address under their control, the bad guys could glean a little information to clean their address lists by collecting 500-level SMTP error messages from each of their zombies. That would only give them partial information and would require that they co-ordinate the data back from their many zombies. And it supposes that the bad guys care about list scrubbing. The greatest supposition is that they would do this without commercial gain; after all, they could have done this without a special spam run.

I think they just screwed up again.

Andrew 8)

-----Original Message-----
From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk
Sent: Tuesday, June 06, 2006 3:46 PM
To: Message Sniffer Community
Subject: Re: [sniffer]Numeric spam

> So no one has any idea what the purpose of these emails are?
>
> Random numbers for no apparent reason...?
>
> Regards,
>
> Steve Guluk
Re: [sniffer]Numeric spam
You know we are dealing with some pretty sick puppies when it comes to these spammers. It would be ironic if one is just doing this to play with our heads.

John C

-- Original Message --
From: Colbeck, Andrew [EMAIL PROTECTED]
Reply-To: Message Sniffer Community sniffer@sortmonster.com
Date: Tue, 6 Jun 2006 16:07:25 -0700

> > So no one has any idea what the purpose of these emails are?
>
> The bad guys aren't telling.
>
> The good guys have lots of theories, such as:
>
> http://isc.sans.org/diary.php?storyid=1384
>
> and also:
>
> http://www.f-secure.com/weblog/archives/archive-062006.html#0894
>
> which in turn points to this UseNet thread:
>
> http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/3c6e2fec311e89c7/f752311f6db05dfb?lnk=stq=1545453rnum=2fwc=2
>
> which has a rather low signal to noise ratio. Suffice it to say that in that thread, they eventually come up with "spammers fake the from address on a regular basis, yes, even yours" and "hey, we don't know what this is".
>
> The bad guys have certainly spewed out broken junk before, which doesn't seem to suit their purpose; all I can see it accomplishing is exposing previously clean IP addresses as zombies with no commercial gain.
>
> (Hmm... ok, to follow that previous sentence you need to share my understanding that the bad guys regularly burn many previously clean IP addresses at one go by using the zombies on those machines to pump out a new spam run, thus evading the IP based blacklists until those blacklists catch up. Since their commercial messages get through to mailboxes in the meantime, that is a good tradeoff from their point of view. No payload in the numeric spam means no commercial gain.)
>
> The only theories that I can get behind revolve around information-gathering. Since the MAILFROM is not an address under their control, the bad guys could glean a little information to clean their address lists by collecting 500-level SMTP error messages from each of their zombies. That would only give them partial information and would require that they co-ordinate the data back from their many zombies. And it supposes that the bad guys care about list scrubbing. The greatest supposition is that they would do this without commercial gain; after all, they could have done this without a special spam run.
>
> I think they just screwed up again.
>
> Andrew 8)
Re: [sniffer]Numeric spam
I thought that having an SPF record would prevent a spammer from forging your domain name, but our SPF record did not seem to help with these odd numeric E-mails which appear to be coming from our own domain.

Does anyone have any info about SPF records and if they really work to combat this type of junkmail?

Michael Stein
Computer House

----- Original Message -----
From: Colbeck, Andrew
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 7:37 PM
Subject: Re: [sniffer]Numeric spam

> Both of which are reasonable, particularly given the recent Blue Security debacle that showed that it was possible for the spammers as well as the spammees to coordinate their information. It might be in a spammer's best interest to pursue either of your suggestions.
>
> However, I still think it is more credible to assume that this is a case of the spammer being simple-stupid instead of uber-clever.
>
> Andrew 8)
>
> From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
> Sent: Tuesday, June 06, 2006 4:26 PM
> To: Message Sniffer Community
> Subject: Re: [sniffer]Numeric spam
>
> > My thought is they are either building a db of valid names or testing delivery techniques.
> >
> > John T
> > eServices For You
> > "Seek, and ye shall find!"
Re: [sniffer]Numeric spam
They do, but you have to both specify that email for your domains only comes from your mail servers AND use a test in your spam filtering that checks SPF and pushes fails over your hold limit.

Darin.

----- Original Message -----
From: Computer House Support
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 8:07 PM
Subject: Re: [sniffer]Numeric spam

> I thought that having an SPF record would prevent a spammer from forging your domain name, but our SPF record did not seem to help with these odd numeric E-mails which appear to be coming from our own domain.
>
> Does anyone have any info about SPF records and if they really work to combat this type of junkmail?
>
> Michael Stein
> Computer House
Re: [sniffer]Numeric spam
Hi Darin,

Thanks for your reply. Sure wish I understood what you're saying

Michael Stein
Computer House

----- Original Message -----
From: Darin Cox
To: Message Sniffer Community
Sent: Tuesday, June 06, 2006 8:10 PM
Subject: Re: [sniffer]Numeric spam

> They do, but you have to both specify that email for your domains only comes from your mail servers AND use a test in your spam filtering that checks SPF and pushes fails over your hold limit.
>
> Darin.