Re: [sniffer]Numeric spam

[Colbeck, Andrew]

> So no one has any idea what the purpose of these emails are?   The bad guys aren't telling.  The good guys have lots of theories, such as:   http://isc.sans.org/diary.php?storyid=1384   and also:   http://www.f-secure.com/weblog/archives/archive-062006.html#00000894   which in turn points to this UseNet thread:   http://groups.google.com/group/Gmail-Problem-solving/browse_thread/thread/3c6e2fec311e89c7/f752311f6db05dfb?lnk=st&q=1545453&rnum=2&fwc=2   which has a rather low signal to noise ratio.  Suffice it to say that in that thread, they eventually come up with "spammers fake the from address on a regular basis, yes, even yours" and "hey, we don't know what this is".   The bad guys have certainly spewed out broken junk before, which doesn't seem to suit their purpose; all I can see it accomplishing is exposing previously clean IP addresses as zombies with no commercial gain.   (Hmm... ok, to follow that previous sentence you need to share my understanding that the bad guys regularly burn many previously clean IP addresses at one go by using the zombies on those machines to pump out a new spam run, thus evading the IP based blacklists until those blacklists catch up.  Since their commercial messages gets through to mailboxes in the meantime, that is a good tradeoff from their point of view.  No payload in the numeric spam means no commercial gain.)   The only theories that I can get behind revolve around information-gathering.  Since the MAILFROM is not an address under their control, the bad guys could glean a little information to clean their address lists by collecting 500-level SMTP error messages from each of their zombies.   That would only give them partial information and would require that they co-ordinate the data back from their many zombies.  And it supposes that the bad guys care about list scrubbing.  The greatest supposition is that they would do this without commercial gain; after all, they could have done this without a special spam run.   I think they just screwed up again.   Andrew 8)       From: Message Sniffer Community [mailto:[EMAIL PROTECTED] On Behalf Of Steve Guluk Sent: Tuesday, June 06, 2006 3:46 PM To: Message Sniffer Community Subject: Re: [sniffer]Numeric spam On Jun 6, 2006, at 7:51 AM, Steve Guluk wrote: We're getting the same and today it started hitting a different account (Domain). What are these things? I thought exploratory, maybe looking for replies to build a DB for a later spam wave? Their not malicious in content and look like someone's virus working incorrectly. But, I doubt they are really so benign.  Any understand their purpose? On Jun 6, 2006, at 6:32 AM, Goran Jovanovic wrote: I started seeing these messages Monday (yesterday) morning EDT. The from and to are the same (ie you sent it to yourself). I am tagging it but there is not enough stuff to push it into DELETE territory. So no one has any idea what the purpose of these emails are? Random numbers for no apparent reason...? Regards,  Steve Guluk SGDesign (949) 661-9333 ICQ: 7230769