Forum Discussion
Zombie spam
If you've heard me use the term 'zombie spam', well, here's a great example of it (just checked my spam log):
[Thu Sep 28 18:47:47 2017 GMT] "Tasha" <Tashadsm@bestel.com.mx> [189.204.161.48, bestel.com.mx, xxxxxxxPYxx], Subject: hey
[Thu Sep 28 19:01:14 2017 GMT] "Tasha" <Tashaywhz@redcotel.bo> [190.103.68.103, redcotel.bo, xxxxxxxPNxx], Subject: hey
[Thu Sep 28 19:10:40 2017 GMT] "Tasha" <Tasharg@vnpt-hanoi.com.vn> [113.190.240.220, vdc.com.vn, xxxxxxxxNxx], Subject: hey
[Thu Sep 28 19:28:56 2017 GMT] "Tasha" <Tashayw@dmrcom.com> [199.21.155.170, dmrcom.com, xxxxxxxxNxx], Subject: hey
In the square brackets are the IP of the email server that sent it to me (can't be forged), the parent domain, and some SpamAssassin flags that I look for. In this case N = RDNS_NONE, Y = RDNS_DYNAMIC, P = HELO_DYNAMIC_SPLIT_IP (I look for about ten different signatures to determine if it's spam).
For me, they usually hit in groups of four, in a short period of time, from geographically disparate places.
Usually has a forged email address with a common name (Tasha, here) and the domain of the parent email server in order to fake SPF and RDNS detection.
This happens when someone sends a signal to those with infected computers, which in turn send these out completely without the host user even knowing it.
Lately these have been used as a precursor to massive bursts of activity for a couple of days, promoting some ridiculous stock that nobody's ever heard of. I saw two of these test bursts yesterday.
Hold onto your hats, it should be a fun weekend.
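As an added example (not the poster's own trap code), here is a small parser for the log format shown above, followed by a burst detector that applies the pattern described: the same display name and subject arriving from several unrelated IPs and parent domains within a short window. The log layout and the flag letters (N = RDNS_NONE, Y = RDNS_DYNAMIC, P = HELO_DYNAMIC_SPLIT_IP) are taken from the post; the burst thresholds (at least three distinct sending IPs within one hour) and the "display name plus random suffix" forgery check are my assumptions. The sample input is the four entries above plus one constructed benign line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the four log entries quoted in the post, plus one
# constructed benign entry so the detector has something it should NOT flag.
SAMPLE_LOG = """\
[Thu Sep 28 18:47:47 2017 GMT] "Tasha" <Tashadsm@bestel.com.mx> [189.204.161.48, bestel.com.mx, xxxxxxxPYxx], Subject: hey
[Thu Sep 28 19:01:14 2017 GMT] "Tasha" <Tashaywhz@redcotel.bo> [190.103.68.103, redcotel.bo, xxxxxxxPNxx], Subject: hey
[Thu Sep 28 19:10:40 2017 GMT] "Tasha" <Tasharg@vnpt-hanoi.com.vn> [113.190.240.220, vdc.com.vn, xxxxxxxxNxx], Subject: hey
[Thu Sep 28 19:28:56 2017 GMT] "Tasha" <Tashayw@dmrcom.com> [199.21.155.170, dmrcom.com, xxxxxxxxNxx], Subject: hey
[Thu Sep 28 20:05:10 2017 GMT] "Alice" <alice@example.org> [192.0.2.10, example.org, xxxxxxxxxxx], Subject: lunch?
"""

# Flag letters as explained in the post; 'x' means the flag did not fire.
FLAG_NAMES = {"N": "RDNS_NONE", "Y": "RDNS_DYNAMIC", "P": "HELO_DYNAMIC_SPLIT_IP"}

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+) GMT\] "(?P<name>[^"]*)" <(?P<addr>[^>]+)> '
    r"\[(?P<ip>[^,]+), (?P<domain>[^,]+), (?P<flags>[^\]]+)\], Subject: (?P<subject>.*)$"
)


def parse_entry(line):
    """Parse one trap-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    local, _, sender_domain = m["addr"].partition("@")
    name = m["name"]
    return {
        "time": ts,
        "name": name,
        "local": local,
        "sender_domain": sender_domain,
        "ip": m["ip"],          # connecting server IP (not forgeable)
        "domain": m["domain"],  # parent domain of that server
        "flags": [FLAG_NAMES.get(c, c) for c in m["flags"] if c != "x"],
        "subject": m["subject"],
        # Assumed heuristic: local part is the display name with junk appended
        # (Tashadsm, Tashaywhz, ...), a sign of a generated From address.
        "name_suffix_forge": local.lower().startswith(name.lower()) and len(local) > len(name),
    }


def find_bursts(entries, window=timedelta(hours=1), min_sources=3):
    """Group entries by (display name, subject) and report groups in which at
    least `min_sources` distinct sending IPs fall inside some `window`."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["name"], e["subject"])].append(e)

    bursts = []
    for (name, subject), es in groups.items():
        es.sort(key=lambda e: e["time"])
        best = []
        # Slide a window starting at each entry; keep the one with most distinct IPs.
        for i, first in enumerate(es):
            cur = [e for e in es[i:] if e["time"] - first["time"] <= window]
            if len({e["ip"] for e in cur}) > len({e["ip"] for e in best}):
                best = cur
        ips = sorted({e["ip"] for e in best})
        if len(ips) >= min_sources:
            bursts.append({
                "name": name,
                "subject": subject,
                "messages": len(best),
                "ips": ips,
                "domains": sorted({e["domain"] for e in best}),
                "span_minutes": (best[-1]["time"] - best[0]["time"]).total_seconds() / 60,
                "rdns_hits": sum(1 for e in best if any(f.startswith("RDNS_") for f in e["flags"])),
                "forged_names": sum(1 for e in best if e["name_suffix_forge"]),
            })
    return bursts


def analyze(log_text):
    """Parse a whole log and return the detected bursts."""
    entries = [parse_entry(line) for line in log_text.splitlines()]
    return find_bursts([e for e in entries if e is not None])


if __name__ == "__main__":
    for b in analyze(SAMPLE_LOG):
        print(f'"{b["name"]}" / "{b["subject"]}": {b["messages"]} msgs from '
              f'{len(b["ips"])} IPs in {b["span_minutes"]:.1f} min, '
              f'RDNS flags on {b["rdns_hits"]}, forged-looking names on {b["forged_names"]}')
```

On the sample input this reports one burst: four "hey" messages from "Tasha" across four IPs and four parent domains inside 41 minutes, every one carrying an RDNS flag and a generated-looking local part, while the benign line is left alone. The distinct-IP count is the useful signal because the connecting IP is the one field the sender cannot forge.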
- GabeU, Distinguished Professor IV
Tasha likes you! :p
- MarkJFine, Professor
The Stock Zombie is back, using open relays from Vietnam, Indonesia, India and Brazil:
[Thu Oct 19 07:11:33 2017 GMT] "Gregory Fischer" <Fischervsei@static.vnpt.vn> [14.171.160.232, vnpt.vn, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 07:20:39 2017 GMT] "Peggy Hurst" <Hurstiolve@cc-kft.com> [103.19.109.112, netciti.co.id, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 07:27:07 2017 GMT] "Constance Berg" <Bergak@ezfreecoupons.com> [103.233.116.142, upinfomax.in, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 08:29:05 2017 GMT] "Ila Sloan" <Sloanklwhs@static.vnpt.vn> [222.254.238.121, vnpt.vn, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 09:48:13 2017 GMT] "Anderson Calderon" <Calderonvumz@static.vnpt.vn> [14.237.11.80, vnpt.vn, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
[Thu Oct 19 10:14:07 2017 GMT] "Nelson Mcmillan" <Mcmillanmxdsj@ondernemersgala.nl> [189.60.86.139, virtua.com.br, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
Hate these guys.
- MarkJFine, Professor
Overall spam count for Nov: 1738, mostly from China, which is basically one massive spamhaus.
Edit: I should point out that this is what my trap caught. Only 9 actually made it through to my junk box, which also happens to illustrate why I wrote the trap to begin with.