On 18 Nov, Harriet Bazley <lists@xxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote: > On 10 Nov 2006 as I do recall, > Harriet Bazley wrote: > > We have been under massive Debora[h] attack for several days - somebody > > is generating messages from a vast number of names all claiming to be > > from <deboraholiveir@xxxxxxxxxxxxxxxxxx>, > > <deborars1@xxxxxxxxxxxxxxxxx>, <deborajrh@xxxxxxxxxxxxxxxxxxx> etc, none > > of them actually called "Deborah"! It's got to the stage where I've > > finally put in a high-priority block on *any* message with the string > > *debora* in the Message-Id: I've checked messages from genuine > > Deborahs, and they all seem to use their surnames in the Message-Id > > field, if not just 'hotmail.com' etc. > > > I don't know if this helps: > from http://permalink.gmane.org/gmane.mail.virus.mailscanner/46471 > "I've found that a lot of the "debora" spam, as well as a fair amount > of other spam, matches /6c822ecf/ in one or more of Message-ID and > Content-ID headers. I have yet to see a false positive." > According to my logs this seems to be true; picks up all the deboras and > a few other things along the way. Possibly significant is that the deboras and the single subject spams currently around seem to have a specific pattern of hex-derived digits a dollar sign 8 hex digits and then a dollar sign then more hex until the @ Common in the first block is 01c70 I'm wondering if the numbers represent something in the botnet they are part of... -- Steve Pampling