Forum Discussion

MarkJFine
Professor
8 years ago

Zombie spam

If you've heard me use the term 'zombie spam', well, here's a great example of it (just checked my spam log):

[Thu Sep 28 18:47:47 2017 GMT] "Tasha" <[email protected]> [189.204.161.48, bestel.com.mx, xxxxxxxPYxx], Subject: hey
[Thu Sep 28 19:01:14 2017 GMT] "Tasha" <[email protected]> [190.103.68.103, redcotel.bo, xxxxxxxPNxx], Subject: hey
[Thu Sep 28 19:10:40 2017 GMT] "Tasha" <[email protected]> [113.190.240.220, vdc.com.vn, xxxxxxxxNxx], Subject: hey
[Thu Sep 28 19:28:56 2017 GMT] "Tasha" <[email protected]> [199.21.155.170, dmrcom.com, xxxxxxxxNxx], Subject: hey

In the square brackets are the IP of the email server that sent it to me (can't be forged), the parent domain, and some SpamAssassin flags that I look for. In this case N = RDNS_NONE, Y = RDNS_DYNAMIC, P = HELO_DYNAMIC_SPLIT_IP (I look for about ten different signatures to determine if it's spam).

For me, they usually hit in groups of four, in a short period of time, from geographically disparate places.

It usually has a forged email address with a common name (Tasha, here) and the domain of the parent email server in order to fake SPF and RDNS detection.

This happens when someone sends a signal to those with infected computers, which in turn send these out completely without the host user even knowing it.

Lately these have been used as a precursor to massive bursts of activity for a couple of days, promoting some ridiculous stock that nobody's ever heard of. I saw two of these test bursts yesterday.

Hold onto your hats, it should be a fun weekend.
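A small parser for the log format described in the post, plus a burst heuristic for the "groups of four, short period, geographically disparate" pattern. This is an added example, not the poster's own trap; it assumes the 11-character flag string is one slot per SpamAssassin signature with 'x' meaning not triggered, and the one-hour / three-domain thresholds are chosen here for illustration.

```python
import re
from datetime import datetime, timedelta
# The four lines quoted in the post (mailbox redacted as on the page) plus one constructed
# unrelated line; the 11-char flag string is assumed to be one slot per signature, 'x' = not hit.
SAMPLE_LOG = """\
[Thu Sep 28 18:47:47 2017 GMT] "Tasha" <[email protected]> [189.204.161.48, bestel.com.mx, xxxxxxxPYxx], Subject: hey
[Thu Sep 28 19:01:14 2017 GMT] "Tasha" <[email protected]> [190.103.68.103, redcotel.bo, xxxxxxxPNxx], Subject: hey
[Thu Sep 28 19:10:40 2017 GMT] "Tasha" <[email protected]> [113.190.240.220, vdc.com.vn, xxxxxxxxNxx], Subject: hey
[Thu Sep 28 19:28:56 2017 GMT] "Tasha" <[email protected]> [199.21.155.170, dmrcom.com, xxxxxxxxNxx], Subject: hey
[Fri Sep 29 09:00:00 2017 GMT] "Bob" <[email protected]> [203.0.113.5, example.net, xxxxxxxxxxx], Subject: lunch?
"""
FLAG_NAMES = {"N": "RDNS_NONE", "Y": "RDNS_DYNAMIC", "P": "HELO_DYNAMIC_SPLIT_IP"}
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<name>[^"]*)" <(?P<addr>[^>]*)> '
    r'\[(?P<ip>[0-9.]+), (?P<domain>[^,]+), (?P<flags>[^\]]+)\], Subject: (?P<subject>.*)$')

def parse_line(line):
    """Return a dict for one log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y GMT")
    # Any non-'x' slot is a triggered signature; map the letters the post defines to names.
    rec["hits"] = [FLAG_NAMES.get(c, c) for c in rec["flags"] if c != "x"]
    return rec

def find_bursts(records, window=timedelta(hours=1), min_msgs=3, min_domains=3):
    """Zombie-burst heuristic: same subject, >= min_msgs inside `window`, from >= min_domains domains."""
    by_subject = {}
    for r in records:
        by_subject.setdefault(r["subject"], []).append(r)
    bursts = []
    for subject, recs in by_subject.items():
        recs.sort(key=lambda r: r["ts"])
        i = 0
        while i < len(recs):
            j = i  # grow the window forward from message i
            while j + 1 < len(recs) and recs[j + 1]["ts"] - recs[i]["ts"] <= window:
                j += 1
            domains = {r["domain"] for r in recs[i:j + 1]}
            if j - i + 1 >= min_msgs and len(domains) >= min_domains:
                bursts.append({"subject": subject, "start": recs[i]["ts"], "end": recs[j]["ts"],
                               "count": j - i + 1, "domains": sorted(domains)})
                i = j + 1
            else:
                i += 1
    return bursts
```

Feed it `[r for r in map(parse_line, SAMPLE_LOG.splitlines()) if r]` and the four "hey" lines come back as one burst spanning four sending domains, while the lone constructed line does not.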

10 Replies

    • MarkJFine
      Professor

      The Stock Zombie is back, using open relays from Vietnam, Indonesia, India and Brazil:

      [Thu Oct 19 07:11:33 2017 GMT] "Gregory Fischer" <[email protected]> [14.171.160.232, vnpt.vn, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
      [Thu Oct 19 07:20:39 2017 GMT] "Peggy Hurst" <[email protected]> [103.19.109.112, netciti.co.id, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
      [Thu Oct 19 07:27:07 2017 GMT] "Constance Berg" <[email protected]> [103.233.116.142, upinfomax.in, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
      [Thu Oct 19 08:29:05 2017 GMT] "Ila Sloan" <[email protected]> [222.254.238.121, vnpt.vn, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
      [Thu Oct 19 09:48:13 2017 GMT] "Anderson Calderon" <[email protected]> [14.237.11.80, vnpt.vn, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?
      [Thu Oct 19 10:14:07 2017 GMT] "Nelson Mcmillan" <[email protected]> [189.60.86.139, virtua.com.br, xxxxxxxxNxx], Subject: Seriously... What if this company went tenfold by tomorrow?

      Hate these guys.

      • MarkJFine
        Professor

        Overall spam count for Nov: 1738, mostly from China, which is basically one massive spamhaus.

        Edit: I should point out that this is what my trap caught. Only 9 actually made it through to my junk box, which also happens to illustrate why I wrote the trap to begin with.