[antispam-f] Re: Recent Spam

  • From: Dave Barnett <as10@xxxxxxxxxxxxxxxxx>
  • To: antispam@xxxxxxxxxxxxx
  • Date: Sun, 02 Dec 2007 18:49:49 GMT

In a recent message Jeremy Nicoll - freelists 
<jn.flists.73@xxxxxxxxxxxxxxxxxxxx> wrote:

> Harriet Bazley <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> 
[...]
> initial so here in the UK I'm often addressed as: "Jeremy C. Nicoll".
> 
>> Unless he has a great many American correspondents in the habit of
>> sending e-mail to one another and BCCing him in on the exchange, he
>> should be safe enough under the circumstances he describes.
> 
> I don't agree.  I don't see the name format as exclusively US at all.
> 
>> For what it's worth, after checking my current logs, the only legitimate
>> e-mail I have on record from such a poster consists of mailing list
>> traffic from one "David J. Ruck".   :-)
> 
> I had a quick look at people's names elsewhere, and found some others.
> 
As the To: header is always of the form:
"Jeremy C. Nicoll" <qwerty@mydomain> ;-)  I have added another 'And' 
to Harriet's earlier suggestion.  The rule is now:

Header From: @ weirdinitials
And To: @ weirdinitials
And To: = *@mydomain*

This now catches mail with the headers (I hope, only) of the form:

From: "Bill F. Gates" <bill@xxxxxxxxxxxxxxxxx>
To: "Joseph B. Loggs" <qwerty@mydomain>

Interestingly, the From: first name and user have always been the 
same.  The To: user is always a random letter sequence.

This has caught nearly 100 today, with no false positives.  They 
started promptly at 1200 UTC, just as the US East coast woke up and 
haven't stopped yet. Each variant of names has, essentially, the same 
set of other header lines and they are all of the same generic form.  
This implies that just one variety of bot is sending this spam and 
that it is quite widespread amongst US Mucky$oft Muppets.  The From: 
addys have included a couple with .edu TLDs.

I'll run it 'as is' for another day and, if no funnies crop up, then 
upgrade to 'Delete'.

Thank you, Devil's advocate.

-- 
Dave
Keep GMT all year
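The three-clause rule quoted in the message above, written out as plain code so the effect of each AND can be checked against sample headers. This is an added illustration, not Dave's filter or his mail client's rule language: "weirdinitials" is a named pattern whose definition the thread never gives, so a hypothetical regex for "Firstname X. Lastname" stands in for it, "mydomain" is a placeholder, and the four sample messages are constructed here, not taken from real traffic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical stand-in for the post's named "weirdinitials" pattern, whose
# definition the thread never gives: a display name of the form
# "Firstname X. Lastname" (exactly one middle initial with a trailing dot).
WEIRD_INITIALS = re.compile(r"^[A-Z][a-z]+ [A-Z]\. [A-Z][a-z]+$")

# Placeholder for the post's "mydomain". The rule's third clause is written as
# a wildcard match ("*@mydomain*"), so a substring test reproduces it.
MY_DOMAIN_TOKEN = "@mydomain"


def has_weird_initials(header_value):
    """Clause 'Header X: @ weirdinitials': the display name matches the pattern."""
    name, _addr = parseaddr(header_value or "")
    return WEIRD_INITIALS.match(name) is not None


def to_is_mine(header_value):
    """Clause 'To: = *@mydomain*': the To: header contains our own domain."""
    return MY_DOMAIN_TOKEN in (header_value or "").lower()


def matches_rule(raw_message):
    """The three-clause AND rule from the post, applied to one raw message."""
    msg = message_from_string(raw_message)
    return (has_weird_initials(msg.get("From"))
            and has_weird_initials(msg.get("To"))
            and to_is_mine(msg.get("To")))


def first_name_equals_user(header_value):
    """The post's observation (From: first name == local part of the address),
    offered here as an optional fourth clause; it is not part of the rule."""
    name, addr = parseaddr(header_value or "")
    if not name or "@" not in addr:
        return False
    first = name.split()[0].lower()
    return addr.split("@", 1)[0].lower() == first


def matches_tightened_rule(raw_message):
    """The rule plus the first-name-equals-user observation."""
    msg = message_from_string(raw_message)
    return matches_rule(raw_message) and first_name_equals_user(msg.get("From"))


# Constructed samples (not real traffic): the spam shape described in the
# post, a legitimate list post from a correspondent with a middle initial,
# an exchange between two such correspondents that we are merely copied on,
# and a spam-shaped message whose From: local part differs from the first name.
SAMPLES = {
    "spam": (
        'From: "Bill F. Gates" <bill@example.com>\n'
        'To: "Joseph B. Loggs" <qwerty@mydomain>\n'
        "Subject: hi\n\nbody\n"
    ),
    "list_post": (
        'From: "David J. Ruck" <druck@example.org>\n'
        "To: antispam@lists.example\n"
        "Subject: Re: Recent Spam\n\nbody\n"
    ),
    "copied_exchange": (
        'From: "Alice M. Smith" <alice@example.com>\n'
        'To: "Bob R. Jones" <bob@example.net>\n'
        "Subject: lunch\n\nbody\n"
    ),
    "from_user_differs": (
        'From: "Carol T. White" <cwhite@example.edu>\n'
        'To: "Dan E. Brown" <zxqv@mydomain>\n'
        "Subject: hi\n\nbody\n"
    ),
}


def classify_samples(tightened=False):
    """Run the rule (or the tightened variant) over every sample."""
    check = matches_tightened_rule if tightened else matches_rule
    return {name: check(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:18s} {'MATCH' if hit else 'pass'}")
```

Run as written, only "spam" and "from_user_differs" match the three-clause rule: the list post fails because the To: header has no display name, and the copied exchange fails on the third clause, which is the one that answers the BCC concern raised earlier in the thread. The tightened variant drops "from_user_differs" as well; whether that extra clause is safe depends on the same kind of logging Dave describes before promoting a rule to Delete.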
