Re: [Mimedefang] [OT?] Random Word Spam
Mike wrote on 02/10/2012 12:23:52 PM:

> On Thu, 9 Feb 2012 14:49:39 -0500 David F. Skoll d...@roaringpenguin.com wrote:
>>> Do they all have message IDs starting CHILKAT-MID?
>> That appears to be the format of a Message-ID inserted by legitimate software, so it was probably a coincidence.
>
> Yes, but every message I have checked contains that type of message-id.

Just for giggles, I grepped for that string in my logs. None of the hits looked like they would be missed if they were blocked - Dynamic IP, salesy-sounding domains, etc.

Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] [OT?] Random Word Spam
Richard Laager rlaa...@wiktel.com wrote:

> check the Message-ID format before.

Sendmail logs that, so if you still have the logs...

Joseph Brennan
Columbia University Information Technology
Re: [Mimedefang] [OT?] Random Word Spam
Richard Laager wrote:

> We've got a customer who is receiving 1 message per second! that consists solely of random English words stuck together (both subject and body). This has been happening for 24-36 hours.
>
> As far as I can see, it's coming from hijacked accounts all over the place (hundreds or thousands of servers) with varying sender addresses.
>
> Is anyone else seeing this sort of thing?

We had a compromised account doing this last weekend! CanIt caught a few of the outgoing messages, and I soon blocked the account. The emails were initially all going to a single gmail and a single ebay account. Later messages (all blocked) branched out to hotmail, and a few others.

No idea what is up with this? I am curious, is there a reason the customer might be harassed in this way?

Mike

--
Michael D. Sofka sof...@rpi.edu
CMT Sr. Systems Programmer, Email, HPC, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/
Re: [Mimedefang] [OT?] Random Word Spam
Michael wrote on 02/09/2012 12:20:46 PM:

> We had a compromised account doing this last weekend! CanIt caught a few of the outgoing messages, and I soon blocked the account. The emails were initially all going to a single gmail and a single ebay account. Later messages (all blocked) branched out to hotmail, and a few others.
>
> No idea what is up with this? I am curious, is there a reason the customer might be harassed in this way?

I suspect that the customer wasn't being harassed per se. My experience as recipient from several hacked accounts has been that some compromised accounts are only used to send to contacts in the address book. Perhaps this user only had the two entries. Of course they can also send to external lists of addresses as you've seen.

Having the user change their password is usually enough to shut down the abuse.
Re: [Mimedefang] [OT?] Random Word Spam
wbr...@e1b.org wrote:

> Michael wrote on 02/09/2012 12:20:46 PM:
>> We had a compromised account doing this last weekend! CanIt caught a few of the outgoing messages, and I soon blocked the account. The emails were initially all going to a single gmail and a single ebay account. Later messages (all blocked) branched out to hotmail, and a few others.
>>
>> No idea what is up with this? I am curious, is there a reason the customer might be harassed in this way?
>
> I suspect that the customer wasn't being harassed per se. My experience as recipient from several hacked accounts has been that some compromised accounts are only used to send to contacts in the address book. Perhaps this user only had the two entries. Of course they can also send to external lists of addresses as you've seen.

But the messages and subject were literally (as in literally) random strings of words. There were no email addresses or links that could be used to sell any product. I could see no purpose in the outgoing messages except to harass the recipients.

> Having the user change their password is usually enough to shut down the abuse.

Yes, our compromised account had the password changed. But this does not help the recipient of the messages.

Mike

--
Michael D. Sofka sof...@rpi.edu
CMT Sr. Systems Programmer, Email, HPC, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/
Re: [Mimedefang] [OT?] Random Word Spam
On Thu, 09 Feb 2012 14:24:18 -0500 Michael D. Sofka sof...@rpi.edu wrote:

> But the messages and subject were literally (as in literally) random strings of words. There were no email addresses or links that could be used to sell any product. I could see no purpose in the outgoing messages except to harass the recipients.

Huh. I haven't seen any of those. Would it be possible to receive a sample or two off-list (d...@roaringpenguin.com)?

I have in the past seen spams sent by incompetent spammers that looked like this literally:

Subject: %SUBJECT

Dear %FIRST %LAST,

:)

Regards,

David.
Re: [Mimedefang] [OT?] Random Word Spam
David F. Skoll wrote:

> Huh. I haven't seen any of those. Would it be possible to receive a sample or two off-list (d...@roaringpenguin.com)?

I just sent you three (out of nearly 400 blocked) with the subject/s Random Spam Sample 1/2/3.

> I have in the past seen spams sent by incompetent spammers that looked like this literally:
>
> Subject: %SUBJECT
>
> Dear %FIRST %LAST,
>
> :)

I've seen these as well.

Mike

--
Michael D. Sofka sof...@rpi.edu
CMT Sr. Systems Programmer, Email, HPC, TeX, Epistemology
Rensselaer Polytechnic Institute, Troy, NY. http://www.rpi.edu/~sofkam/
Re: [Mimedefang] [OT?] Random Word Spam
On Thu, 09 Feb 2012 14:45:46 -0500 Michael D. Sofka sof...@rpi.edu wrote:

> I just sent you three (out of nearly 400 blocked) with the subject/s Random Spam Sample 1/2/3.

Thanks. All three were trapped with 99% Bayes score, but I've released them.

Regards,

David.
Re: [Mimedefang] [OT?] Random Word Spam
Hi, again,

The random word spams: Do they all have message IDs starting CHILKAT-MID ?

The three samples Michael sent me had that, and I found this on Google:

http://www.google.com/support/forum/p/gmail/thread?tid=7aa0d643adde28a1&hl=en

Anyway... might be worth a rule if it turns out that Message-ID format is consistent.

Regards,

David.
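Before turning a Message-ID prefix into a rule, the check worth doing is the one the thread ends up with: pull every message carrying that prefix out of the sendmail log and see which relays it arrives from. The triage script below is an added example, not code from the thread or from MIMEDefang; it assumes the standard sendmail "from=" log line (msgid= and relay= fields), the log lines it contains are constructed, and the "dynamic host" heuristic is this example's own assumption.

```python
import re
from collections import Counter

# Constructed sample sendmail "from=" log lines (not taken from the thread); sendmail
# records msgid= and relay= on this line, which is what a grep for the prefix relies on.
SAMPLE_LOG = """\
Feb 10 09:12:01 mx1 sendmail[2211]: q1AE1Bab002211: from=<alice@example.org>, size=1402, class=0, nrcpts=1, msgid=<CHILKAT-MID-1a2b3c4d-e5f6-7a8b-9c0d-1e2f3a4b5c6d@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
Feb 10 09:12:02 mx1 sendmail[2213]: q1AE1Cab002213: from=<bob@example.net>, size=980, class=0, nrcpts=1, msgid=<20120210091201.ABCD@example.net>, proto=ESMTP, daemon=MTA, relay=smtp.example.net [198.51.100.7]
Feb 10 09:12:03 mx1 sendmail[2215]: q1AE1Dab002215: from=<deals@bestoffers.example>, size=1333, class=0, nrcpts=1, msgid=<CHILKAT-MID-9f8e7d6c-5b4a-3928-1706-f5e4d3c2b1a0@bestoffers.example>, proto=ESMTP, daemon=MTA, relay=dyn-203-0-113-45.example.isp [203.0.113.45]
Feb 10 09:12:04 mx1 sendmail[2217]: q1AE1Eab002217: from=<carol@example.org>, size=2210, class=0, nrcpts=1, msgid=<CHILKAT-MID-0011aabb-ccdd-eeff-0011-223344556677@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [192.0.2.10]
"""

MSGID_RE = re.compile(r"msgid=<([^>]*)>")
# relay= is "host [ip]" when reverse DNS resolved, or just "[ip]" when it did not.
RELAY_RE = re.compile(r"relay=(?:(\S+) )?\[([0-9A-Fa-f.:]+)\]")

def parse_from_line(line):
    """Return (msgid, relay host or ip, relay ip) for a sendmail from= line, else None."""
    m, r = MSGID_RE.search(line), RELAY_RE.search(line)
    if not m or not r:
        return None
    host, ip = r.group(1), r.group(2)
    return m.group(1), host or ip, ip

def looks_dynamic(host, ip):
    """Rough heuristic (an assumption of this example, not a rule from the thread): a
    reverse name embedding the address's octets or dial-up tokens usually means a
    dynamic pool, not a real mail server."""
    h = host.lower()
    if ip in re.sub(r"[-_]", ".", h):
        return True
    return any(tok in h for tok in ("dyn", "dsl", "ppp", "dhcp"))

def triage(log_text, prefix="CHILKAT-MID"):
    """Count messages whose Message-ID starts with `prefix`, per relay, and list the
    relays that look dynamic. Report only; blocking is a separate policy decision."""
    per_relay, dynamic = Counter(), []
    for line in log_text.splitlines():
        parsed = parse_from_line(line)
        if parsed is None:
            continue
        msgid, host, ip = parsed
        if not msgid.startswith(prefix):
            continue
        per_relay[host] += 1
        if looks_dynamic(host, ip) and host not in dynamic:
            dynamic.append(host)
    return per_relay, dynamic
```

On a real system, `triage(open("/var/log/maillog").read())` gives the per-relay counts; a prefix that shows up only from dynamic pools and throwaway domains is a very different finding from one that also appears from relays you want mail from.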
Re: [Mimedefang] [OT?] Random Word Spam
Self-followup #2:

On Thu, 9 Feb 2012 14:49:39 -0500 David F. Skoll d...@roaringpenguin.com wrote:

> Do they all have message IDs starting CHILKAT-MID?

That appears to be the format of a Message-ID inserted by legitimate software, so it was probably a coincidence.

Regards,

David.
Re: [Mimedefang] [OT?] Random Word Spam
On Tuesday, February 7, 2012, 22:20, Richard Laager wrote:

> We've got a customer who is receiving 1 message per second! that consists solely of random English words stuck together (both subject and body). This has been happening for 24-36 hours.
>
> As far as I can see, it's coming from hijacked accounts all over the place (hundreds or thousands of servers) with varying sender addresses.
>
> Is anyone else seeing this sort of thing?
>
> Any idea how I might combat this? I'd love to bulk submit these messages and report them back to the admins of the compromised servers, if that might do some good.

Do you use greylisting? (for example milter-greylist http://hcpnet.free.fr/milter-greylist/ )

Do the mails indeed come from real mailservers or do they come from compromised dial-in computers? If coming from real mailservers, greylisting would not really help in most cases, but worth a try...

Depending on your mailserver you could increase throttling, though this would affect legitimate mail also...

Feeding the mails to spamassassin's bayes database could perhaps help, in spite of the random words. But you should keep an eye on it for the risk of false positives.

Everything in the headers is different? Nothing common in them?

Reporting is never bad, but it depends on the admins whether it will help... had quite different experience with this over the years.

Wondering what other ideas will come up :-)

Regards
Juergen

--
This e-mail was produced in a climate-friendly way and without nuclear power: http://www.atomausstieg-selber-machen.de/
Re: [Mimedefang] [OT?] Random Word Spam
On Wed, 2012-02-08 at 10:03 +0100, Juergen Kleff wrote:

> Do you use greylisting?

Yes.

> Do the mails indeed come from real mailservers or do they come from compromised dial-in computers?

Real mail servers

> Feeding the mails to spamassassin's bayes database could perhaps help, in spite of the random words. But you should keep an eye on it for the risk of false positives.
>
> Everything in the headers is different? Nothing common in them?

As far as I could tell, nothing was common. They were incredibly minimal. The X-Mailer field was full of random (real mail client) values.

--
Richard