Farelf

Strange spamming tactic


Received 7 "identical" spam (apart from originating IP address, Message-ID: and Date:) in 7 minutes and 49 seconds which seems like a "human" sort of effort, as opposed to robot.

Typical is http://www.spamcop.net/sc?id=z5227873458z5...fff1f4dbc9be17z

Origin and time differences:

94.76.100.139 (UA) Thu, 19 Jan 2012 16:42:19 +0100

200.125.187.254 (VE) Thu, 19 Jan 2012 16:45:43 +0100

188.240.59.86 (RO) Thu, 19 Jan 2012 16:46:05 +0100

78.153.43.59 (SI) Thu, 19 Jan 2012 16:47:24 +0100

91.191.36.50 (BA) Thu, 19 Jan 2012 16:47:32 +0100

109.107.0.210 (PL) Thu, 19 Jan 2012 16:49:50 +0100

189.74.65.27 (BR) Thu, 19 Jan 2012 16:50:08 +0100

Another oddity is in the time zones - most of those (well, four of them) are wrong for the origin (and those times all tie in closely with the received stamps from my provider). I suppose someone affiliated with de.generic4all.com is trying out some sort of snow-shoeing mass mailer?

I've never seen anything quite like it before. More than usually annoying and ineffectual if the actual mission is to coax sad souls to the target website. Oh well, who can know the mind of the spammer? Is that even "proper" idiomatic German in the message body? The Subject:, by the way (since the parser doesn't render it from Base64), is "Bist Du schlecht im Bett?". Spammers lie.
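The timing and time-zone observations in the post above can be checked mechanically. This is an added example, not part of the original post: the IPs, country codes and Date: values are the ones listed there, while the per-country UTC offsets and the function names are assumptions made for illustration.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

# (relay IP, country code, Date: header value) as listed in the post above.
SAMPLES = [
    ("94.76.100.139", "UA", "Thu, 19 Jan 2012 16:42:19 +0100"),
    ("200.125.187.254", "VE", "Thu, 19 Jan 2012 16:45:43 +0100"),
    ("188.240.59.86", "RO", "Thu, 19 Jan 2012 16:46:05 +0100"),
    ("78.153.43.59", "SI", "Thu, 19 Jan 2012 16:47:24 +0100"),
    ("91.191.36.50", "BA", "Thu, 19 Jan 2012 16:47:32 +0100"),
    ("109.107.0.210", "PL", "Thu, 19 Jan 2012 16:49:50 +0100"),
    ("189.74.65.27", "BR", "Thu, 19 Jan 2012 16:50:08 +0100"),
]

# ASSUMPTION, not from the post: civil UTC offset (minutes) in each country on
# 19 Jan 2012; Brazil is taken as Brasilia summer time.
LOCAL_OFFSET_MIN = {"UA": 120, "VE": -270, "RO": 120, "SI": 60,
                    "BA": 60, "PL": 60, "BR": -120}

def parse(samples):
    """Return (ip, country, timezone-aware datetime) for each sample."""
    return [(ip, cc, parsedate_to_datetime(d)) for ip, cc, d in samples]

def burst_span(samples):
    """Time between the earliest and latest Date: header in the burst."""
    stamps = [dt for _, _, dt in parse(samples)]
    return max(stamps) - min(stamps)

def offset_mismatches(samples):
    """IPs whose Date: offset differs from the assumed local offset of the relay's country."""
    return [ip for ip, cc, dt in parse(samples)
            if dt.utcoffset() != timedelta(minutes=LOCAL_OFFSET_MIN[cc])]

def single_clock_burst(samples, window=timedelta(minutes=10), min_relays=3):
    """Heuristic: several relays, one shared Date: offset, short window.

    That pattern suggests the Date: header was stamped by one sending host
    and the listed IPs only relayed the message."""
    parsed = parse(samples)
    relays = {ip for ip, _, _ in parsed}
    offsets = {dt.utcoffset() for _, _, dt in parsed}
    return (len(relays) >= min_relays and len(offsets) == 1
            and burst_span(samples) <= window)

if __name__ == "__main__":
    print("span:", burst_span(SAMPLES))
    print("offset mismatches:", offset_mismatches(SAMPLES))
    print("single-clock burst:", single_clock_burst(SAMPLES))
```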


Interesting to note that the parse spotted that 94.76.100.139 is an open proxy and is also listed in cbl.abuseat.org


Well spotted. Only 109.107.0.210 (Homenet Softlab, Gdansk, Poland) was not shown as open relay and not listed in CBL, all the others were the same as 94.76.100.139. No matter what, each of them seems to have operated as an outgoing SMTP terminal and was trustingly accepted by iiNet - like "Received: from unknown (HELO generic4all.com) ([109.107.0.210])" which is a nonsense. Oh well, I have spam filtering turned off at the account level anyway, I suppose a goodly proportion of the little spam I still get comes through with issues like that, I don't think I've ever really looked.
