Hello Markus, Wednesday, June 7, 2006, 7:43:36 AM, you wrote:
> > > Today I've noticed that there is a relation between the recipient > adresses that was used in the past 36 hours in the numeric spam > messages and the following wave of stock-spam messages containing > this png-graphic. After checking around 10 Mailboxes there is a > correspondence of 100%. Or they have received both or none of this > two messages. For example my personal mailbox "markus" who's well > spread and destination of many other spams hasn't received it. > Other mailboxes like "domain" and "internet" that are pretty > unknown and rarely used has received both. It's a good possibility that the "probe" was a broken version of the stock spam, that the errors were corrected and the campaign was re-sent. A second possibility is that the "probe" was truly a probe and that it was used to clean rejected addresses from the list prior to sending the stock spam in an effort to maximize the effectiveness of the burst. -- as far fetched as that may sound, the blackhats do have a virtually unlimited (all be it stolen) computing resource at their disposal and it would not be unreasonable to expect them to leverage that system to maximize their impact. The way they are shaping their deliveries these days clearly indicates that they are taking steps to maximize their impact. _M -- Pete McNeil Chief Scientist, Arm Research Labs, LLC. ############################################################# This message is sent to you because you are subscribed to the mailing list <sniffer@sortmonster.com>. To unsubscribe, E-mail to: <[EMAIL PROTECTED]> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> Send administrative queries to <[EMAIL PROTECTED]>