To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
A year or so ago when the pump-and-dump spams started up in earnest (who else remembers the sudden nightmare of TXHE?), there was a similar pattern in that most of the Message-ID headers in those spams contained "6c822ecf."
This was well before Storm was on the scene as an identified botnet, but we sat around and watched a similar evolution, with the spammers making similar "mistakes" and gradually changing the heuristics of their spam every few days, just like Storm is doing now. I have to wonder if there's been some code re-use in Storm from that old stock-spamming engine, or if - perhaps more likely - the same folks are behind both incidents.

I (again) posit that the responsible parties are intentionally giving clueful mail admins an easy way to filter, hoping that we'll do just that, because it's simpler than following up with abuse reports or other action. There's no other reason that I can come up with for having a static, readily identifiable string present in a large number of these emails. To do so by accident would be an amateur gaffe, and whoever's in control of Storm is no amateur.

-s

On Tue, 18 Sep 2007 17:03:17 -0400
Jonathan Yarden <[EMAIL PROTECTED]> wrote:

> I have a spamtrap getting 80-100k messages/day and noted a pattern that
> repeats in the Message-ID field:
>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
> Message-ID: <[EMAIL PROTECTED]>
>
> Obviously in this subset, you can clearly see the pattern...01c7fa
>
> My question to the list is whether this pattern appears in some of the
> Storm Botnet email others are getting.
> --
> Jon
>
> Those who make peaceful revolution impossible will make violent
> revolution inevitable.
> -- John F. Kennedy

_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
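
One way to check trap mail for a recurring Message-ID token of the kind discussed in this thread ("01c7fa", "6c822ecf"), as an added example that is not code from either poster. The sample Message-IDs are constructed (the ones in the post are redacted), and the function names and the 75% threshold are assumptions.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages: the Message-IDs in the post are redacted, so these
# values are invented around the "01c7fa" token the post reports.
SAMPLE = [
    "Message-ID: <000901c7fa3b$8e2d4f10$6401a8c0@a.example>\nSubject: s1\n\nx",
    "Message-ID: <001201c7fa1c$27b19a60$0b00a8c0@b.example>\nSubject: s2\n\nx",
    "Message-ID: <000501c7fa9d$c4f07e30$1e02a8c0@c.example>\nSubject: s3\n\nx",
    "Message-ID: <000c01c7fa4e$51a6d820$7303a8c0@d.example>\nSubject: s4\n\nx",
    "Message-ID: <20070918210317.GA4821@mail.example>\nSubject: ham\n\nx",
    "Subject: no message-id header at all\n\nx",
]

def message_id_local(raw):
    """Return the lower-cased Message-ID part before '@', or None if absent/malformed."""
    mid = message_from_string(raw).get("Message-ID")
    m = re.match(r"\s*<([^@>]+)@[^>]*>", mid or "")
    return m.group(1).lower() if m else None

def recurring_tokens(raws, n=6, min_share=0.75):
    """Map each hex n-gram found in at least min_share of the Message-IDs to its share."""
    seen, total = Counter(), 0
    for raw in raws:
        local = message_id_local(raw)
        if local is None:
            continue  # cannot be scored; excluded from the denominator
        total += 1
        grams = set()  # count each n-gram once per message
        for run in re.findall(r"[0-9a-f]+", local):
            grams.update(run[i:i + n] for i in range(len(run) - n + 1))
        seen.update(grams)
    return {g: c / total for g, c in seen.items() if c / total >= min_share}

if __name__ == "__main__":
    for token, share in sorted(recurring_tokens(SAMPLE).items()):
        print(f"{token}: present in {share:.0%} of Message-IDs")
```

Because the thread notes that the spam's heuristics change every few days, the count is only meaningful when rerun on fresh trap mail.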