[Mimedefang] Massive spam with random subjects

Joseph Brennan brennan at columbia.edu
Fri Dec 19 15:28:58 EST 2003


>> Re: IAANWBC, what's this now?'
>> Re: VE, this taletelling about
>>
>> 	And some unwise spammer, show me part of the construction method of
>> the line:
>>
>> Re: %RND_UC_CHAR[2-8], the two quarrelling


I happen to have a very large sample of these.

It imitates numerous email clients including Outlook, Outlook Express,
The Bat!, eGroups Message Poster, and "mPOP Web-Mail" whatever that is.

Its Message-ID varies, but about half are like this:

Message-Id: <YYQH_____________5347 at waist>
Message-Id: <MQDZ_____________6183 at intermit>
Message-Id: <XWYF_____________9082 at small>
Message-Id: <YCSP_____________5628 at salvation>

It always has both From: and Reply-to:.  They are always the same
address inside < >, but the name part varies like these examples.
It always has " quotes around the name.

From: "Manley Cesar" <zkqtavgbfkyyx at hongkong.com>
Reply-To: "Manley" <zkqtavgbfkyyx at hongkong.com>

From: "Puckett" <rnkiv at china.com>
Reply-To: "Puckett Jeffry" <rnkiv at china.com>

From: "Mclain Houston" <sioztew at yahoo.com.hk>
Reply-To: "Houston Mclain" <sioztew at yahoo.com.hk>

The Date: header seems to be in the timezone of the compromised PC
and seems to show the correct time within a few minutes (probably
the PC clock drift).

The HTML body obfuscation uses bad closing tags.  Each of these is
from a different message.  It looks like the master copy sets where
the obfuscation bits go and the variation is limited to what
strings are inserted.  But there are too many varying messages
to trap the message text.  Three are shown below.

<p>Ban</pleistocene>ned C</beer>D Gov</constrict>ernment d</vicar>on't

<p>Ban</crow>ned C</camera>D Gov</grisly>ernment d</bedroom>on't

<p>Ban</atlantic>ned C</prosaic>D Gov</rothschild>ernment d</include>on't

<p>Th</callisto>e ul</nomenclature>timate d</siegmund>igital

<p>Th</therein>e ul</later>timate d</protactinium>igital

<p>Th</administratrix>e ul</tycoon>timate d</antaeus>igital

<p>Fr</ella>ee Ca</guess>bleTV!N</fayetteville>o mo</crucial>re

<p>Fr</afterimage>ee Ca</colette>bleTV!N</cholesterol>o mo</tuttle>re


The pattern /^<p>[A-Za-z]{2,3}</  hits only spam and no legit
mail, in four months of my mail (thousands of messages).  But I
am not totally happy with that either.

Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu
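An added example (not code from the post or from MIMEDefang) that turns the two observations above into checks: it reassembles the visible words by dropping closing tags that close nothing, flags a body on the post's `^<p>[A-Za-z]{2,3}</` regex or on a pile of such orphan tags, and spots the From:/Reply-To: pairing (same address, different quoted names). Function names and the `@`-form header samples are my own constructions.

```python
import re

# Any tag, opening or closing; group 1 is "/" for closing tags, group 2 is the name.
TAG_RE = re.compile(r'<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>')

# The pattern from the post: a paragraph opening with 2-3 letters and then a closing tag.
OBFUSCATION_RE = re.compile(r'^<p>[A-Za-z]{2,3}</', re.MULTILINE)

# From:/Reply-To: value of the form "Name" <addr>; the post notes the name is always quoted.
ADDR_RE = re.compile(r'^"([^"]*)"\s*<([^>]+)>$')

def orphan_closing_tags(html):
    """Names of closing tags that close an element never opened earlier in the body."""
    opened, orphans = set(), []
    for m in TAG_RE.finditer(html):
        closing, name = m.group(1), m.group(2).lower()
        if not closing:
            opened.add(name)
        elif name not in opened:
            orphans.append(name)
    return orphans

def deobfuscate(html):
    """Drop orphan closing tags so the words a mail client renders are reassembled."""
    opened = set()
    def keep_or_drop(m):
        closing, name = m.group(1), m.group(2).lower()
        if not closing:
            opened.add(name)
            return m.group(0)
        return m.group(0) if name in opened else ''
    return TAG_RE.sub(keep_or_drop, html)

def body_is_suspicious(html):
    """True when the post's regex hits, or the body carries several orphan closing tags."""
    return bool(OBFUSCATION_RE.search(html)) or len(orphan_closing_tags(html)) >= 3

def from_replyto_suspicious(from_value, replyto_value):
    """True when From: and Reply-To: share one address under two different quoted names."""
    a, b = ADDR_RE.match(from_value.strip()), ADDR_RE.match(replyto_value.strip())
    if not (a and b):
        return False
    return a.group(2).lower() == b.group(2).lower() and a.group(1) != b.group(1)

if __name__ == '__main__':
    # Constructed sample: a body line quoted in the post, headers modelled on its examples.
    body = "<p>Ban</pleistocene>ned C</beer>D Gov</constrict>ernment d</vicar>on't"
    print(body_is_suspicious(body), orphan_closing_tags(body))
    print(deobfuscate(body))
    print(from_replyto_suspicious('"Manley Cesar" <zkqtavgbfkyyx@hongkong.com>',
                                  '"Manley" <zkqtavgbfkyyx@hongkong.com>'))
```

The orphan-tag count gives a second signal for bodies whose first paragraph happens not to start with the 2-3 letter fragment, while legitimate HTML with balanced tags scores zero.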