[antispam-f] Re: What have they got against Deborah anyway?

  • From: Steven Pampling <steve.pampling@xxxxxxxxxxxxx>
  • To: antispam@xxxxxxxxxxxxx
  • Date: Sun, 19 Nov 2006 17:34:58 +0000 (GMT)

On 18 Nov, Harriet Bazley <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 10 Nov 2006 as I do recall,
>           Harriet Bazley wrote:

> > We have been under massive Debora[h] attack for several days - somebody
> > is generating messages from a vast number of names all claiming to be
> > from  <deboraholiveir@xxxxxxxxxxxxxxxxxx>,
> > <deborars1@xxxxxxxxxxxxxxxxx>, <deborajrh@xxxxxxxxxxxxxxxxxxx> etc, none
> > of them actually called "Deborah"!   It's got to the stage where I've
> > finally put in a high-priority block on *any* message with the string
> > *debora* in the Message-Id:   I've checked messages from genuine
> > Deborahs, and they all seem to use their surnames in the Message-Id
> > field, if not just 'hotmail.com' etc.
> > 
> I don't know if this helps:
> from http://permalink.gmane.org/gmane.mail.virus.mailscanner/46471

> "I've found that a lot of the "debora" spam, as well as a fair amount  
> of other spam, matches  /6c822ecf/  in one or more of Message-ID and  
> Content-ID headers. I have yet to see a false positive."

> According to my logs this seems to be true; picks up all the deboras and
> a few other things along the way.

Possibly significant is that the deboras and the single-subject spams
currently around seem to have a specific pattern of hex-derived digits, a
dollar sign, 8 hex digits and then a dollar sign, then more hex until the @.

Common in the first block is 01c70

I'm wondering if the numbers represent something in the botnet they are
part of...

-- 

Steve Pampling
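
The two observations in this thread (the `6c822ecf` string in Message-ID and Content-ID headers, and the hex/`$`/8-hex/`$`/hex shape before the `@`, often with `01c70` in the first block) can be checked together over raw messages. This is an added example, not code from the thread or from MailScanner; the rule names, the sample messages and the position of `6c822ecf` within the ID are constructed assumptions.

```python
import re
from email import message_from_string

# String quoted in the thread as matching Message-ID / Content-ID headers.
SIG = re.compile(r"6c822ecf", re.I)
# Shape described in the reply: hex, '$', 8 hex digits, '$', more hex, then '@'.
SHAPE = re.compile(r"<?([0-9a-f]+)\$([0-9a-f]{8})\$([0-9a-f]+)@", re.I)

def header_ids(msg):
    """Yield every Message-ID and Content-ID value in the MIME tree."""
    for part in msg.walk():          # walk() includes the top-level message
        for name in ("Message-ID", "Content-ID"):
            for value in part.get_all(name, []):
                yield str(value).strip()

def classify(raw):
    """Return the names of the rules that fire for one raw message."""
    hits = set()
    for value in header_ids(message_from_string(raw)):
        if SIG.search(value):
            hits.add("sig-6c822ecf")
        m = SHAPE.match(value)
        if m:
            hits.add("dollar-shape")
            if "01c70" in m.group(1).lower():
                hits.add("first-block-01c70")
    return hits

# Constructed samples (not real traffic); the position of 6c822ecf is assumed.
SPAM = """\
From: x <deborars1@example.invalid>
Message-Id: <000601c70bd2$1a2b3c4d$0a01a8c0@example.invalid>
Content-Type: multipart/related; boundary="b"

--b
Content-Type: image/gif
Content-ID: <000501c70bd2$6c822ecf$0a01a8c0@example.invalid>

GIF
--b--
"""
HAM = """\
From: Deborah Smith <deborah@example.invalid>
Message-Id: <smith.20061119@example.invalid>

See you at one.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ham", HAM)):
        print(label, sorted(classify(raw)))
```

The thread reports no false positives only for the `6c822ecf` string; nothing is reported either way for the shape rule, so it is better used as a scoring signal than as a block on its own.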
