
"New" spammer ploy


Farelf

I'm getting a few fake NDRs (probably) from botnets sailing through my home-system filtering lately (that's OK, I would feel entirely marginalized with none at all) - example http://www.spamcop.net/sc?id=z2487219743z0...40ef2527db0a8fz

Variable subjects such as "Returned mail: User unknown", "Returned mail: see transcript for details" (but no transcript) and "his mail is refused message". These have my address as "From:", "To:" and "Return-Path:" (which sort of spoils the NDR illusion) and a Base64 encoded bit of HTML with the standard "Having trouble viewing this email? Click here to view as a webpage." and a CNC-hosted website (variable domains with cheesy names like "beautycrease") on IP addresses 119.39.239.39 and 119.39.236.88 (so far), all with a remote image at same - the infamous 8dvs9.jpg (webbug?).

Now, while these are properly declared "Content-Type: base64" I'm not at all sure how readable these things might be to the average e-mail client with typical configuration options. Certainly the encoding is enough to stop SC getting to the links. Not that CNC Group is going to restrict spamming efforts (or worse) from its domains. In fact, with the PRC's much-vaunted "control" of the internet within its borders, one could almost assume it is state policy to spam (predominantly) the USA and thus attack the citizens therein - certainly such efforts directed at Chinese citizens would just about be worth a bullet in the back of the neck (with cost debited to surviving family). Still, the money trail probably leads back to the USA - most do, it is said.

Incidentally, I see the "From:" and "Return-Path:" addresses (mine) are munged these days. There was a time when (though munging optioned in reports) that did not happen. Or did I just dream that? Can't seem to reference any discussion along those lines but thought Don confirmed it once? No matter, munged they now are.

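To make the fake-NDR pattern described above concrete, here is an added example (not from the original post, and not SpamCop code) that parses a constructed message of that shape: From:, To: and Return-Path: all set to the recipient, a single Base64-encoded text/html body, a "Click here to view as a webpage" link and a remote one-pixel image. Python's email module removes the Base64 layer, after which the links and image URLs that a plain text scan would miss are visible; the check for multipart/report with a message/delivery-status part is what a genuine bounce looks like. All hosts, IPs and addresses in the samples are placeholders, and a minimal genuine bounce is included for contrast.

```python
import base64
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample modelled on the fake NDRs described in the post: From:,
# To: and Return-Path: all carry the recipient's own address and the body is a
# single Base64-encoded text/html part. Hosts and IPs are placeholders.
FAKE_NDR_HTML = b"""<html><body>
Having trouble viewing this email? Click here to view as a webpage.
<a href="http://beautycrease.invalid/view.php?u=1">Click here</a>
<img src="http://203.0.113.5/8dvs9.jpg" width="1" height="1">
</body></html>"""

FAKE_NDR = """\
Return-Path: <victim@example.net>
Received: from unknown (HELO localhost) (192.0.2.10)
  by mx.example.net with SMTP; Sun, 28 Dec 2008 22:32:25 +0000
From: <victim@example.net>
To: <victim@example.net>
Subject: Returned mail: User unknown
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: base64

""" + base64.encodebytes(FAKE_NDR_HTML).decode("ascii")

# Constructed minimal genuine bounce for contrast: empty Return-Path, sent by
# the MTA, and structured as multipart/report with a delivery-status part.
GENUINE_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: <victim@example.net>
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient could not be reached.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Action: failed
Status: 5.1.1
--b1--
"""


class LinkExtractor(HTMLParser):
    """Collect <a href> and <img src> targets from decoded HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])


def analyse(raw: str) -> dict:
    """Return the header/body features that separate a fake NDR from a bounce."""
    msg = email.message_from_string(raw, policy=policy.default)
    addrs = {h: parseaddr(str(msg.get(h, "")))[1].lower()
             for h in ("From", "To", "Return-Path")}
    self_addressed = addrs["From"] != "" and len(set(addrs.values())) == 1
    # A genuine bounce is multipart/report carrying a message/delivery-status part.
    is_delivery_report = (msg.get_content_type() == "multipart/report"
                          and msg.get_param("report-type") == "delivery-status")
    body = msg.get_body(preferencelist=("html",))
    # get_content() undoes the Content-Transfer-Encoding, so the Base64 wrapper
    # that hides the links from a naive text scan is gone at this point.
    html = body.get_content() if body is not None else ""
    ext = LinkExtractor()
    ext.feed(html)
    return {
        "subject": str(msg.get("Subject", "")),
        "self_addressed": self_addressed,
        "is_delivery_report": is_delivery_report,
        "links": ext.links,
        "remote_images": ext.images,
        "looks_like_fake_ndr": (self_addressed and not is_delivery_report
                                and bool(ext.links or ext.images)),
    }


if __name__ == "__main__":
    for name, sample in (("fake", FAKE_NDR), ("genuine", GENUINE_BOUNCE)):
        print(name, analyse(sample))
```

The decisive features are structural rather than lexical: a self-addressed single-part HTML "bounce" with outbound links is nothing a real MTA produces, whereas subjects like "Returned mail: User unknown" are trivially varied by the sender.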

Reply a bit delayed .. watching a black & white Roy Orbison concert filmed at Festival Hall, Melbourne, AU, back in 1972. No idea how large the Festival Hall is (was) but, dang, brings back memories of playing back in the day ... guitar running through an amp with two 12" speakers, a bass running through a four 10" speaker cabinet, etc. Basically, everything that went on stage could fit into a single van, to include the band members <g>

Now, while these are properly declared "Content-Type: base64" I'm not at all sure how readable these things might be to the average e-mail client with typical configuration options.

It's been quite a while since I've seen one of those, base64 usually used only for the graphics and such in an HTML encrusted e-mail.

(changed channel to catch KT Tunstall performing in New York ... )

Incidentally, I see the "From:" and "Return-Path:" addresses (mine) are munged these days. There was a time when (though munging optioned in reports) that did not happen. Or did I just dream that? Can't seem to reference any discussion along those lines but thought Don confirmed it once? No matter, munged they now are.

I believe the conversation you're looking for dealt with the fact that when the parser results are 'committed to storage' that data is munged for sure. Generically described as anything that duplicates the To: line content, the contents of the CC: line get munged .... the issue was that someone could 'see' the addresses, but I believe that this was while the parse was live.


...Reply a bit delayed .. watching a black & white Roy Orbison concert filmed at Festival Hall, Melbourne, AU, back in 1972. No idea how large the Festival Hall is (was) but, dang, brings back memories of playing back in the day ... guitar running through an amp with two 12" speakers, a bass running through a four 10" speaker cabinet, etc. Basically, everything that went on stage could fit into a single van, to include the band members <g>...
Ah, the "Big O", eh - always have a soft spot for him, memories. Festival Hall can handle anything from 1,000 to near 5,500, depending on arrangement. For a big ticket entertainer it would generally be set up for the upper end of the range. Heck of a lot for a few 12" speakers in any event, though I think our hearing was more acute in those days, having nothing worse than full-calibre firearms (7.62x51mm), grenades and demolition charges to contend with :D. I lived in Melbourne for some years but somehow never got to that venue.
...I believe the conversation you're looking for dealt with the fact that when the parser results are 'committed to storage' that data is munged for sure. Generically described as anything that duplicates the To: line content, the contents of the CC: line get munged .... the issue was that someone could 'see' the addresses, but I believe that this was while the parse was live.
Yes, I recall that now that you mention it (certainly caused a few people some anxious moments until explained). But I thought there was something else ... that Don explained as munging 'never' happening when the address was in the From:, etc. I'm probably wrong but anyway it certainly is munged 'now'.

Thanks ... not the least for evoking the memories. :)


Ah, the "Big O", eh - always have a soft spot for him, memories. Festival Hall can handle anything from 1,000 to near 5,500, depending on arrangement. For a big ticket entertainer it would generally be set up for the upper end of the range. Heck of a lot for a few 12" speakers in any event,

Contrast to the Beatles playing in a baseball stadium back in that day, pretty much the same issue .... one amp per instrument running though a couple of multi-speaker cabinets. Of course, they also admitted that they couldn't even hear themselves over all the screaming (girls) ....

though I think our hearing was more acute in those days, having nothing worse than full-calibre firearms (7.62x51mm), grenades and demolition charges to contend with :D.

Wish I could say I didn't know what you were talking about <g> Content with the memory that outgoing sounded 'prettier' than incoming <G>

Yes, I recall that now that you mention it (certainly caused a few people some anxious moments until explained). But I thought there was something else ... that Don explained as munging 'never' happening when the address was in the From:, etc. I'm probably wrong but anyway it certainly is munged 'now'.

I'm of the thought that he said that very recently over in the newsgroups. I recall wanting to respond, but talked myself out of it. He's back to using the X-NoArchive: bit in his posts, so if you want to search, you need to hit the active newsgroups somewhat quickly.


... only Beatles comment would be Wazoo's Hard Days Night, thanks for getting the Forum back

[...]

I thought there was something else ... that Don explained as munging 'never' happening when the address was in the From:, etc. I'm probably wrong but anyway it certainly is munged 'now'.

[...]

There is a 23 Dec thread in the newsgroups in which "wariat" said "From: " items were not munged and Ellen posted that it was allowable to munge them before reporting.

I provided an example where From: was munged but it seems unclear when it is and when it isn't.

Here is your TRACKING URL -

http://www.spamcop.net/sc?id=z2484463441z9...2a02210d10c6daz

for x; Sun, 28 Dec 2008 22:32:25 +0000
To: <x>
Subject: {...}
From: <x>
[...]
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=18
X-SpamCop-Disposition: Blacklist x

=====

Nothing from Don.


... only Beatles comment would be Wazoo's Hard Days Night, thanks for getting the Forum back

There is a 23 Dec thread in the newsgroups in which "wariat" said "From: " items were not munged and Ellen posted that it was allowable to munge them before reporting. ...

Thanks michaelanglo. Seems it is a bit variable then. Old (forum) posts from Don make it clear the "To:" field (and one or two others) is/are always munged, so it seems others may be dependent on other things (we've even seen apparently different parser behavior from different SC servers though not specifically in that regard).

At the end of the day, with spam predominantly from botnets, there is not a lot of 'official' concern if unmunged addresses are in reports, there being no regular route to the actual spammer. Reporters are free to feel differently about that so I guess any with concerns will still need to check their reports before sending. One downside to that being that any comments need to be added after reviewing (or they seem to get lost). The other (main one) being the inordinate amount of time taken to check. Complicating factor is that nothing looks munged while the parse is still 'live' as raised by Wazoo (for some value of 'live', I've seen addresses apparently persist past submission, but that's probably just a 'refresh' thing) - as Wazoo also says, once they're stored they're munged. To whatever degree they're munged.

Oh well - sometimes the From: address is munged in the parsing process even when it's your own address. Sorry I can't research this a little more thoroughly just now.


Thanks michaelanglo. Seems it is a bit variable then. Old (forum) posts from Don make it clear the "To:" field (and one or two others) is/are always munged, so it seems others may be dependent on other things (we've even seen apparently different parser behavior from different SC servers though not specifically in that regard).

At the end of the day, with spam predominantly from botnets, there is not a lot of 'official' concern if unmunged addresses are in reports, there being no regular route to the actual spammer. Reporters are free to feel differently about that so I guess any with concerns will still need to check their reports before sending. [...]

Oh well - sometimes the From: address is munged in the parsing process even when it's your own address. Sorry I can't research this a little more thoroughly just now.

Yep. Here's a tracker when the From: addie didn't get munged to give those who are smarter than I am a chance to tell us what the relevant difference is.

I first munged all the email addies to ele.phant[at]g.invalid so as not to reveal what 'wariat''s email addie was

Here is your TRACKING URL - 19:21 31Dec08

http://www.spamcop.net/sc?id=z2492063280z5...6f1dc118143167z

And yes, the parser output can be munged as it stands though I always check the reports too.

HTH


...Yep. Here's a tracker when the From: addie didn't get munged to give those who are smarter than I am a chance to tell us what the relevant difference is.
Thanks again michaelanglo - I can see this is a real concern for some (and I admit I use the 'munge' option in my own reports while being more relaxed about anything that might 'leak' which is sort of illogical of me - the intended 'gelding' being a 'rig' sort of thing).

A big factor here is that there has been a huge upswing (widely remarked) in the incidence of spam spoofing the recipient address as the 'From:' for whatever nefarious spammerly purposes - [soapbox] almost certainly to exploit any whitelisting of 'own name' which seems a most frequent user configuration though mostly pointless [/soapbox].

Whatever, it is a worrying time for those who want their munging entire ( :D that phrase doesn't work with the gelding metaphor but you know what I mean). If they have the ability to filter their mail they can at least (turn off the whitelisting and) easily pass inwards mail with such addressing to one side for 'different' attention.

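The closing suggestion above, that mail carrying your own address as From: should bypass any 'own name' whitelist and be set aside for separate attention, can be made into a simple rule. The following is an added example, not code from the original thread or from SpamCop: the user's own addresses, the trusted gateway name `mx.example.net`, and the three sample messages are all constructed placeholders. The rule only honours a self-addressed message when the site's own gateway recorded an SPF or DKIM pass in an Authentication-Results header; a header stamped by any other host is ignored, since the sender could have added it.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Placeholders for this example: the addresses the user whitelists as 'own
# name', and the authserv-id of the one gateway whose Authentication-Results
# header is trusted (anything else may have been written by the sender).
OWN_ADDRESSES = {"victim@example.net"}
TRUSTED_AUTHSERV = "mx.example.net"


def own_gateway_authenticated(msg) -> bool:
    """True if the trusted gateway recorded an SPF or DKIM pass."""
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        # The authserv-id may be followed by a version number; take the first token.
        if authserv.strip().split()[0].lower() != TRUSTED_AUTHSERV:
            continue
        results = {r.strip().split()[0].lower()
                   for r in rest.split(";") if r.strip()}
        if "spf=pass" in results or "dkim=pass" in results:
            return True
    return False


def classify(raw: str) -> str:
    """Decide how an inbound message that may claim to be 'from us' is routed."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in OWN_ADDRESSES:
        return "normal"        # not claiming to be us: ordinary filtering applies
    if own_gateway_authenticated(msg):
        return "whitelisted"   # genuinely sent through our own infrastructure
    return "suspect"           # our address as From: with no proof: set aside


# Constructed samples. SPOOFED carries a forged Authentication-Results header
# from a host we do not trust, which the rule must ignore.
SPOOFED = """\
Return-Path: <victim@example.net>
Authentication-Results: mail.spammer.invalid; spf=pass smtp.mailfrom=victim@example.net
From: <victim@example.net>
To: <victim@example.net>
Subject: Returned mail: see transcript for details

(body omitted)
"""

LEGIT_SELF = """\
Authentication-Results: mx.example.net; dkim=pass header.d=example.net; spf=pass smtp.mailfrom=victim@example.net
From: Me <victim@example.net>
To: <victim@example.net>
Subject: note to self

remember the milk
"""

THIRD_PARTY = """\
From: <friend@example.org>
To: <victim@example.net>
Subject: hi

hello
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("self", LEGIT_SELF), ("other", THIRD_PARTY)):
        print(name, "->", classify(sample))
```

Checking the authserv-id is the important part: a bare whitelist keyed on the From: address is exactly what the spoofing described in the thread exploits, and a whitelist keyed on any Authentication-Results header at all fails the same way once the sender forges one.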
