Bursts of identical spams from time to time.


elind


Recently I have received several bursts of hundreds of the same spam message. Last time this happened it continued for a few days then petered out. Typically I get about 50 or so spams per day (only one or two that don't get caught, but they come to a little used unfiltered email).

Today I received 290 titled "Check it out!!!!!!!!" all at once. Looking at spamcop reports they came from all over the planet, although the usual sources were prominent.

I can't figure out the logic in these. Why use up all those resources on hundreds of the same message to the targets? Surely the idiots who respond will do for one or two. Hundreds will piss off baboons even.

Any explanations?


1. some ISPs have filters that work, some are leaky .. so multiple spew 'might' end up allowing some of the spew to bypass the filters due to the different "names" involved ....

2. stupid newbie signs the contract, sends the money for 2.5 million spams to be sent on his behalf, but fails to read the fine print to note that it wasn't specifically stated "2.5 million unique" addresses, so the spammer only fired up half the botnet to send the repeated spew through the associated zombies ...

3. silly newbie spammer buys that "guaranteed" software that turns out not to work as advertised, or he/she can't figure it out ....

Just a few quick possibilities .... but the bottom line is still that the spammer is abusing the net, there are too many idiots out there with compromised machines connected ... and not enough ISPs dropping the big hammer ...


Today I received 290 titled "Check it out!!!!!!!!" all at once. Looking at spamcop reports they came from all over the planet, although the usual sources were prominent.

I can't figure out the logic in these. Why use up all those resources on hundreds of the same message to the targets? Surely the idiots who respond will do for one or two. Hundreds will piss off baboons even.

Any explanations?

Same here, today's was "Check it out!!!!!!!!" from open proxies worldwide

Hopefully SpamCop abuse report will close these holes

None get past my VER (spam) folder. Don't see the spammer's point either. It's as if they want these open proxies closed. All are on multitudes of blacklists. SpamCop email not only blocks them but notifies the various ISPs; most email blocklists do not sort spam, they just delete it.

Wondering if this spammer is targeting SpamCop addresses as SpamCop email and VER does close security links?


Today I received 290 titled "Check it out!!!!!!!!" all at once. Looking at spamcop reports they came from all over the planet, although the usual sources were prominent.

I get that on occasion, all targeting one of my sites. I have a 'catch all', so I get all those delivered to me, but I've never seen this happen that wasn't caught by the catch-all.


I get that on occasion, all targeting one of my sites. I have a 'catch all', so I get all those delivered to me, but I've never seen this happen that wasn't caught by the catch-all.

Not sure of the meaning of "catch-all".

Spamcop caught all of mine.


A catch-all is something you have to set up server side to send all email addressed to anything that ends in your domain, to go to a certain pre-determined address. Note that you have to set this all up through your control panel or whatever you use.

for example:

info[at]mydomain.com

billing[at]mydomain.com

sales[at]mydomain.com

even

dfhsdjkfhjk[at]mydomain.com

47sh834j[at]mydomain.com

Will all be sent to the email I set up to accept these messages, which I keep as webmaster[at]mydomain.com

What has boggled me about the burst spams is that when I check the IP address in SenderBase, I find that it's not a high volume sender and sometimes negative.. which I would expect to see high volume, because I can't be the only one that's receiving these bursts of spam...
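
An added example, not part of the original posts: one way the owner of a catch-all mailbox could summarize a burst like the one discussed in this thread, by grouping messages on subject and counting distinct sending IPs and recipient addresses. The function names, thresholds and all message data are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_bursts(messages, window=timedelta(hours=1), min_count=5):
    """Report subjects with at least min_count copies inside one time window."""
    by_subject = defaultdict(list)
    for m in messages:
        # Normalize so trivial case/whitespace changes still group together.
        by_subject[m["subject"].strip().lower()].append(m)
    bursts = []
    for subject, group in by_subject.items():
        group.sort(key=lambda m: m["received"])
        # Sliding window: find the largest run of copies that fits in `window`.
        best, start = [], 0
        for end in range(len(group)):
            while group[end]["received"] - group[start]["received"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = group[start:end + 1]
        if len(best) >= min_count:
            bursts.append({
                "subject": subject,
                "count": len(best),
                # Many sources with one copy each is the botnet-style pattern.
                "source_ips": len({m["ip"] for m in best}),
                # Many local-parts landing in one box is the catch-all effect.
                "recipients": len({m["rcpt"] for m in best}),
            })
    return bursts

def sample_messages():
    """Constructed sample: 8 identical spams plus one unrelated message."""
    t0 = datetime(2000, 1, 1, 12, 0)  # arbitrary constructed timestamp
    msgs = [{"subject": "Check it out!!!!!!!!",
             "received": t0 + timedelta(minutes=i),
             "ip": f"192.0.2.{i + 1}",           # documentation address range
             "rcpt": f"user{i}@mydomain.com"}    # random local-parts
            for i in range(8)]
    msgs.append({"subject": "Invoice", "received": t0,
                 "ip": "198.51.100.7", "rcpt": "billing@mydomain.com"})
    return msgs

if __name__ == "__main__":
    for burst in find_bursts(sample_messages()):
        print(burst)
```

In the constructed sample every copy comes from a different address, so the burst is visible only when the messages are grouped by content rather than by sender.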


A catch-all is something you have to set up server side to send all email addressed to anything that ends in your domain, to go to a certain pre-determined address. Note that you have to set this all up through your control panel or whatever you use.

for example:

info[at]mydomain.com

billing[at]mydomain.com

sales[at]mydomain.com

even

dfhsdjkfhjk[at]mydomain.com

47sh834j[at]mydomain.com

Will all be sent to the email I set up to accept these messages, which I keep as webmaster[at]mydomain.com

I agree with the first part of your definition, must disagree with your second part with examples ....

Wondering what you found wrong with the additions to the Glossary and Dictionary in the previous post.

What has boggled me about the burst spams is that when I check the IP address in SenderBase, I find that it's not a high volume sender and sometimes negative.. which I would expect to see high volume, because I can't be the only one that's receiving these bursts of spam...

??? not sure I follow the logic there .... a compromised computer wouldn't be seen as a "high-volume" spew source until it got picked up by enough 'sensor points' to kick up the point value ..... just an example ...


.... a compromised computer wouldn't be seen as a "high-volume" spew source until it got picked up by enough 'sensor points' to kick up the point value ..... just an example ...

The SenderBase stats on the IP addresses of half the spam I see these days come up as -100% change for both last 24 hours and the week. This means something like a drop to zero detections (I half remember a NG discussion about it once). I'm thinking this -100% thing is a characteristic of the diffuse botnet elements and the way they're wielded. I was thinking then that the prospects would be poor for these machines getting listed (if SpamCop and SenderBase results have any similarity or correspondence), but obviously a lot of them *do* get listed. I'm not seeing the picture somehow.

I was thinking then that the prospects would be poor for these machines getting listed (if SpamCop and SenderBase results have any similarity or correspondence), but obviously a lot of them *do* get listed. I'm not seeing the picture somehow.

Details as such have been deemed 'classified' .. but, the easy part of your dilemma is .. the "math" involved ... it's the comparison between e-mail traffic seen as compared to e-mail traffic reported ..... and the first item is also qualified as the traffic 'seen' is only that as 'reported' by the systems defined in the marketing blurb; Over 100,000 organizations participate in the SenderBase Network, enabling the world's largest email traffic monitoring system. ...... SenderBase collects data from more than 100,000 ISPs, universities, and corporations around the world. SenderBase measures more than 110 different parameters for any email server on the Internet. This massive database receives more than 5 billion queries per day, with real-time data streaming in from every continent and network providers large and small.

In the past, there was a 2% threshold, that is now a factor in the nebulous thing called 'reputation points' .. and that's as far as I can go with the details ...


... In the past, there was a 2% threshold, that is now a factor in the nebulous thing called 'reputation points' .. and that's as far as I can go with the details ...

Thanks for that Wazoo! Casts some light, indeed. Presumably reputation points are related to the Ironport reputation score - which I have referred to in these precincts before - http://forum.spamcop.net/forums/index.php?...indpost&p=39669

from the side panel (RH) at http://www.ironport.com/toc/toc_viruses.html


Archived

This topic is now archived and is closed to further replies.
