[TriLUG] Sudden uptick in SPAM

matt at noway2.thruhere.net
Tue Aug 26 14:04:59 EDT 2014


Over the last couple of weeks, I've been noticing what appears to be a new
SPAM bot on the loose and it seems to have really been intensifying over
the last few days.

The messages are all following a common pattern with a few telltale
signature items, such as:
having an ID number, typically 7 (sometimes 8 or 6) digits, often included
in the subject as well as the message body with a word like offer, promo,
inv, etc., usually with a # sign, but not always.  The one in the body is
bordered by lines of the '-' character.  The format of text and numbers is
always the same with two links to click and at the bottom of the list are
a set of numbers.  The numbers are typically lines of 8 decimal digits,
and / or a combination of 8 and 32 hexadecimal (typically two to three
groups) numbers with a . or - between them.  I assume these are some sort
of index to track on should you be stupid enough to click the link.  In
any case, they are one of the signature items of whatever is
generating these messages.

The messages arrive in bunches, typically 7 to 8 of them at a time a few
minutes apart, and the groups are separated by periods of several hours.

Also curious is that during this same time frame, I have been getting a
VERY high number of port scans and more recently, UDP port sweeps.  The
UDP scans started shortly after I was able to successfully block some of the
messages during receipt.

I've been reporting the messages to Spamcop, but so far none of them have
shown up as being on any of the RBL lists, at least at the time of my
reporting.

I've recently added filters on the subject and number combinations and
that seems to have blocked most of it at the SMTP level.  I am hoping that
after a few days of reject codes they will go away, but I am seeing some
early signs of adapting (e.g. changes in the signature items).

Has anyone else noticed this and if so, what measures have you taken to
counteract it?
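The signature items the poster describes (a 6-8 digit ID next to a word like offer/promo/inv, the same ID in the body bordered by lines of '-', exactly two links, and a tail of 8-digit decimal or 8/32-character hex groups joined by '.' or '-') can be turned into a scored content filter. The script below is an added example, not the poster's filter and not part of the original message: the regular expressions are my approximation of the pattern as described, the threshold of three matching items is an arbitrary choice, and both sample messages are constructed for illustration.

```python
import re
from typing import Dict, List

# Heuristic patterns approximating the signature items described in the post
# (assumptions, not a known spam signature database).
ID_RE = re.compile(r'\b(offer|promo|inv)\w*\s*#?\s*(\d{6,8})\b', re.IGNORECASE)
DASH_LINE_RE = re.compile(r'^\s*-{3,}\s*$')
DEC8_RE = re.compile(r'^\d{8}$')
HEX_CHUNK = r'(?:[0-9a-f]{32}|[0-9a-f]{8})'          # one 32- or 8-char hex group
HEX_GROUP_RE = re.compile(rf'^{HEX_CHUNK}(?:[.-]{HEX_CHUNK}){{1,2}}$', re.IGNORECASE)
URL_RE = re.compile(r'https?://\S+', re.IGNORECASE)


def extract_ids(text: str) -> List[str]:
    """Return every keyword-adjacent 6-8 digit ID found in the text."""
    return [m.group(2) for m in ID_RE.finditer(text)]


def id_is_dash_bordered(lines: List[str], ident: str) -> bool:
    """True if a line containing the ID sits between two lines of '-' characters."""
    for i in range(1, len(lines) - 1):
        if ident in lines[i] and DASH_LINE_RE.match(lines[i - 1]) and DASH_LINE_RE.match(lines[i + 1]):
            return True
    return False


def trailing_tracking_lines(lines: List[str]) -> int:
    """Count tracking-style number lines at the end of the body (blank lines ignored)."""
    count = 0
    for line in reversed(lines):
        s = line.strip()
        if not s:
            continue
        if DEC8_RE.match(s) or HEX_GROUP_RE.match(s):
            count += 1
        else:
            break
    return count


def signature_hits(subject: str, body: str) -> Dict[str, bool]:
    """Evaluate each signature item independently so the result is explainable in a log."""
    lines = body.splitlines()
    subj_ids = extract_ids(subject)
    body_ids = extract_ids(body)
    return {
        "id_in_subject": bool(subj_ids),
        "same_id_in_body": bool(set(subj_ids) & set(body_ids)),
        "id_dash_bordered": any(id_is_dash_bordered(lines, i) for i in body_ids),
        "two_links": len(URL_RE.findall(body)) == 2,
        "tracking_tail": trailing_tracking_lines(lines) >= 1,
    }


def looks_like_campaign(subject: str, body: str, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` signature items match (threshold is an assumption)."""
    return sum(signature_hits(subject, body).values()) >= threshold


# Constructed sample resembling the described pattern (not a real captured message).
SPAM_SUBJECT = "Your promo #4815162 is waiting"
SPAM_BODY = """Dear customer,

------------------------
Promo #4815162
------------------------
Claim now: http://example.invalid/claim
Unsubscribe: http://example.invalid/unsub

10293847
0123abcd.deadbeefdeadbeefdeadbeefdeadbeef
"""

# Constructed legitimate invoice: has a keyword+ID but none of the other items.
HAM_SUBJECT = "Invoice #2024017 for August hosting"
HAM_BODY = """Hi Matt,

Attached is invoice #2024017 for August. Pay online at
http://billing.example.invalid/pay if you prefer.

Thanks,
Accounts
"""

if __name__ == "__main__":
    for name, subj, body in (("spam-like", SPAM_SUBJECT, SPAM_BODY), ("invoice", HAM_SUBJECT, HAM_BODY)):
        print(name, looks_like_campaign(subj, body), signature_hits(subj, body))
```

Scoring the items separately rather than matching on the ID alone matters for the adaptation the poster mentions: if the sender drops the '#' or changes the keyword, the dash-bordered block and the tracking tail still score, and the per-item dictionary shows in the mail log which items stopped matching. The invoice sample also shows why a bare keyword+ID rule would be too aggressive: it scores two items and stays under the threshold.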
