On Wed, 2019-01-16 at 02:26 +0100, Ángel wrote: > For what it's worth… I am too receiving such msgid spam. > > Prompted by this thread, I did some analysis on the origin of these > spams. Basically, extracting *camel* > /tmp/spam-msgids.txt > sed -i "s/$/@bar>/;s/^/Message-ID: </" /tmp/spam-msgids.txt > > Plus a bunch of fgrep -f /tmp/spam-msgids.txt -r . > and modifying that file with > cut -d: -f 3- /tmp/a | sort -u | sed 's#^M.*#sed -i "s/&/bash\t&/" > /tmp/spam-msgids.txt#e' > > The original emails come from several lists and, I should note, > evolution list is *not* the one from which more message-ids were > harvested (only three email addresses, they stopped being sent spam on > 2017). > > poc mentioned the possibility that the emails were being harvested > from the archives. While GNOME lists don't directly link to a mbox > that would be easily findable to a naive email address crawler, I find > evidence that some of these spammers are using archives from somewhere > rather than subscribing a bot that adds people to the list on real > time. > > For instance, there is the 727451.11377.1.camel "email address", which > is a truncation of 1459727451.11377.1.camel sent to a ietf list on > April 2016. The "short" email started being used on August *2018* for > "investing in your country" scams, and the long one… on December 2018. > > I find unlikely that someone harvesting email addresses with a > subscribed bot would have waited several years before starting to > spam. > > That's not always the case, obviously. A Dec 14 message-id started > getting spammed on Jan 1, and already "received" 84 spam mails by now. > However, a "sibling" message-id from that same list also started > getting spammed on Jan 1, but only a couple mails. (fwiw, the 86 mails > are from @qq.com addresses)
Interesting. I primarily see these coming from posts I make to the Mailman and Debian lists. > This can be due to bots prepared for it, or, simply, that certain > archive of this list was crawled more often (or at the right time). > I would expect that if someone took the (not-that-big) effort of > building a subscription bot, he should at least get the email > addresses right! > > It has been interesting to look at these spams, their use of > message-ids, given their role as identifiers, allows gathering some > interesting information that would not be possible without them > stupidly interpreting message-ids as if they were email addresses, and > cannot be used with normal addresses, that are generally used in more > contexts. > > > In the context of this discussion, I am including the email-like > strings 1547601230.4258.6.t...@16bits.net as well as > 1547601405.8896.3.t...@16bits.net for the 'benefit' of those spambots > reading us. :) ;-) -Jim P. _______________________________________________ evolution-list mailing list evolution-list@gnome.org To change your list options or unsubscribe, visit ... https://mail.gnome.org/mailman/listinfo/evolution-list