Zombie spam
If you've heard me use the term 'zombie spam', here's a great example of it (I just checked my spam log):
[Thu Sep 28 18:47:47 2017 GMT] "Tasha" <Tashadsm@bestel.com.mx> [189.204.161.48, bestel.com.mx, xxxxxxxPYxx], Subject: hey
[Thu Sep 28 19:01:14 2017 GMT] "Tasha" <Tashaywhz@redcotel.bo> [190.103.68.103, redcotel.bo, xxxxxxxPNxx], Subject: hey
[Thu Sep 28 19:10:40 2017 GMT] "Tasha" <Tasharg@vnpt-hanoi.com.vn> [113.190.240.220, vdc.com.vn, xxxxxxxxNxx], Subject: hey
[Thu Sep 28 19:28:56 2017 GMT] "Tasha" <Tashayw@dmrcom.com> [199.21.155.170, dmrcom.com, xxxxxxxxNxx], Subject: hey
In the square brackets are the IP of the mail server that connected to mine (recorded by my own server, so unlike the headers inside the message it can't be forged), the parent domain, and some SpamAssassin flags that I look for. In this case N = RDNS_NONE (the connecting host has no reverse DNS), Y = RDNS_DYNAMIC (its reverse DNS looks like a dynamic/consumer address), and P = HELO_DYNAMIC_SPLIT_IP (it introduced itself with a HELO name built from its own IP). I look for about ten different signatures to determine whether it's spam.
For me, they usually hit in groups of four, in a short period of time, from geographically disparate places.
Each one usually has a forged From address with a common first name (Tasha, here) at the domain of the parent mail server, so that the sender domain lines up with the connecting host and looks legitimate to SPF and reverse-DNS checks.
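As an added example (not the post's own tooling), here is a Python script that parses log lines in the format above, decodes the three flag letters the post explains, and reports a burst: the same display name and subject arriving from several distinct IPs within a short window, every hit carrying at least one rDNS/HELO rule. The four sample lines are the entries quoted in the post; the one-hour window, the three-hit threshold, and the use of distinct first octets as a crude stand-in for geographic spread are my assumptions, not anything the post states.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four entries quoted in the post, one per line.
SAMPLE_LOG = """\
[Thu Sep 28 18:47:47 2017 GMT] "Tasha" <Tashadsm@bestel.com.mx> [189.204.161.48, bestel.com.mx, xxxxxxxPYxx], Subject: hey
[Thu Sep 28 19:01:14 2017 GMT] "Tasha" <Tashaywhz@redcotel.bo> [190.103.68.103, redcotel.bo, xxxxxxxPNxx], Subject: hey
[Thu Sep 28 19:10:40 2017 GMT] "Tasha" <Tasharg@vnpt-hanoi.com.vn> [113.190.240.220, vdc.com.vn, xxxxxxxxNxx], Subject: hey
[Thu Sep 28 19:28:56 2017 GMT] "Tasha" <Tashayw@dmrcom.com> [199.21.155.170, dmrcom.com, xxxxxxxxNxx], Subject: hey
"""

# Letters the post explains; 'x' means that check did not fire.  The post
# mentions about ten signatures in total, so other letters are left undecoded.
FLAG_LETTERS = {
    "N": "RDNS_NONE",
    "Y": "RDNS_DYNAMIC",
    "P": "HELO_DYNAMIC_SPLIT_IP",
}

ENTRY_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<name>[^"]*)"\s+<(?P<addr>[^>]+)>\s+'
    r'\[(?P<ip>[\d.]+),\s*(?P<domain>[^,\]]+),\s*(?P<flags>[A-Za-z]+)\],\s*'
    r'Subject:\s*(?P<subject>.*)$'
)


def decode_flags(flags):
    """Map every non-'x' letter in the flag string to its SpamAssassin rule name."""
    return [FLAG_LETTERS.get(ch, "UNKNOWN_" + ch) for ch in flags if ch != "x"]


def parse_entry(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y GMT")
    e["rules"] = decode_flags(e["flags"])
    e["from_domain"] = e["addr"].rsplit("@", 1)[-1].lower()
    # Does the forged From: domain reuse the connecting server's domain (or a child of it)?
    e["domain_matches"] = e["from_domain"].endswith(e["domain"].lower())
    return e


def parse_log(text):
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def find_bursts(entries, window=timedelta(hours=1), min_hits=3):
    """Cluster hits with the same display name and subject that arrive within
    `window` of the cluster's first hit.  A cluster counts as a zombie burst when
    it has at least `min_hits` entries, every entry is flagged by at least one
    rule, and the sending IPs all sit in different /8s (assumed stand-in for
    'geographically disparate'; a real deployment would use a geo-IP lookup)."""
    by_key = {}
    for e in entries:
        by_key.setdefault((e["name"].lower(), e["subject"].lower()), []).append(e)

    bursts = []
    for (name, subject), group in by_key.items():
        group.sort(key=lambda e: e["time"])
        cluster = []
        for e in group + [None]:  # None is a sentinel that flushes the last cluster
            if e is not None and (not cluster or e["time"] - cluster[0]["time"] <= window):
                cluster.append(e)
                continue
            first_octets = {c["ip"].split(".")[0] for c in cluster}
            if (len(cluster) >= min_hits
                    and len(first_octets) == len(cluster)
                    and all(c["rules"] for c in cluster)):
                bursts.append({
                    "name": name,
                    "subject": subject,
                    "hits": cluster,
                    "ips": [c["ip"] for c in cluster],
                    "span": cluster[-1]["time"] - cluster[0]["time"],
                })
            cluster = [e] if e is not None else []
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_log(SAMPLE_LOG)):
        print(f'burst: "{b["name"]}" / "{b["subject"]}", {len(b["hits"])} hits over {b["span"]}')
        for h in b["hits"]:
            mark = "matches" if h["domain_matches"] else "differs from"
            print(f'  {h["time"]:%H:%M:%S} {h["ip"]:>15} {", ".join(h["rules"]):<32} '
                  f'From domain {h["from_domain"]} {mark} {h["domain"]}')
```

Run as-is it reports one burst of four hits spanning 41 minutes; the third entry is the one whose From domain (vnpt-hanoi.com.vn) does not match the bracketed domain (vdc.com.vn), which is worth surfacing because it breaks the pattern the post describes.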
This happens when whoever controls the botnet sends a command to the infected computers, which then send these out without their owners knowing anything about it.
Lately these have been a precursor to a couple of days of massive bursts promoting some ridiculous stock that nobody's ever heard of. I saw two of these test bursts yesterday.
Hold onto your hats, it should be a fun weekend.