[TriLUG] Sudden uptick in SPAM

matt at noway2.thruhere.net matt at noway2.thruhere.net
Tue Aug 26 14:15:46 EDT 2014


Follow up:

This link: http://absolutelyaeron.blogspot.com/2014_08_01_archive.html

which seems to be someone's blog page, has lots of examples of these
messages in case anyone is interested in seeing what I am trying to describe.

> Over the last couple of weeks, I've been noticing what appears to be a new
> SPAM bot on the loose and it seems to have really been intensifying over
> the last few days.
>
> The messages are all following a common pattern with a few telltale
> signature items, such as:
> having an ID number, typically 7 (sometimes 8 or 6) digits, often included
> in the subject as well as the message body with a word like offer, promo,
> inv, etc, usually with a # sign, but not always.  The one in the body is
> bordered by lines of the '-' character.  The format of text and numbers is
> always the same with two links to click and at the bottom of the list are
> a set of numbers.  The numbers are typically lines of 8 decimal digits,
> and / or a combination of 8 and 32 hexadecimal (typically two, to three
> groups) numbers with a . or - between them.  I assume these are some sort
> of index to track on should you be stupid enough to click the link.  In
> any case, they are one of the signature items of whatever is
> generating these messages.
>
> The messages arrive in bunches, typically 7 to 8 of them at a time a few
> minutes apart, and the groups are separated by periods of several hours.
>
> Also curious is that during this same time frame, I have been getting a
> VERY high number of port scans and more recently, UDP port sweeps.  The
> UDP scans started shortly after I was able to successfully block some of the
> messages during receipt.
>
> I've been reporting the messages to Spamcop, but so far none of them have
> shown up as being on any of the RBL lists, at least at the time of my
> reporting.
>
> I've recently added filters on the subject and number combinations and
> that seems to have blocked most of it at the SMTP level.  I am hoping that
> after a few days of reject codes they will go away, but I am seeing some
> early signs of adapting (e.g. changes in the signature items).
>
> Has anyone else noticed this and if so, what measures have you taken to
> counteract it?
>
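As an added example (not part of the original post), the signature items described above can be checked together rather than one at a time, so a message is flagged only when several coincide. The keyword list, the dash-border length, the thresholds, and the `example.invalid` sample messages are assumptions made for illustration.

```python
import re

# Keywords come from the post ("offer, promo, inv, etc"); the list is open-ended.
KEYWORDS = ("offer", "promo", "inv")
ID_RE = re.compile(r"\b(?:%s)\W{0,3}(\d{6,8})\b" % "|".join(KEYWORDS), re.I)
DASH_LINE = re.compile(r"^\s*-{5,}\s*$")  # assumed: 5+ dashes counts as a border
HEX = r"(?:[0-9a-f]{32}|[0-9a-f]{8})"
# 8 decimal digits, or two to three 8/32-hex groups joined by '.' or '-'
TRACKER = re.compile(r"^\s*(?:\d{8}|%s(?:[.-]%s){1,2})\s*$" % (HEX, HEX), re.I)
LINK = re.compile(r"https?://\S+", re.I)

def signature_items(subject, body):
    """Return the set of signature items from the post that the message shows."""
    hits, lines = set(), body.splitlines()
    subject_ids = set(ID_RE.findall(subject))
    if subject_ids:
        hits.add("id_in_subject")
    for prev, cur, nxt in zip(lines, lines[1:], lines[2:]):
        m = ID_RE.search(cur)
        if m and DASH_LINE.match(prev) and DASH_LINE.match(nxt):
            hits.add("dash_bordered_id")
            if m.group(1) in subject_ids:
                hits.add("same_id_in_subject_and_body")
    if len(LINK.findall(body)) == 2:
        hits.add("two_links")
    run = 0  # count tracker-style lines at the very end of the body
    for line in reversed([l for l in lines if l.strip()]):
        if not TRACKER.match(line):
            break
        run += 1
    if run >= 2:  # assumed minimum for "a set of numbers"
        hits.add("trailing_tracker_lines")
    return hits

def matches_campaign(subject, body, threshold=3):
    """Flag only when several items coincide; threshold is an assumed starting point."""
    return len(signature_items(subject, body)) >= threshold

# Constructed samples (not real messages)
SPAM_SUBJECT = "Your Promo #4821973 is waiting"
SPAM_BODY = ("Hello,\n\n--------------------\nPromo #4821973\n--------------------\n\n"
             "View it: http://example.invalid/a\nUnsubscribe: http://example.invalid/b\n\n"
             "48219730\n3fa9c1d2.0b7e44a1c9d2e3f4a5b6c7d8e9f00112-77aa01bc\n")
BENIGN_SUBJECT = "Inv 204518 for August hosting"
BENIGN_BODY = "Hello,\n\nYour invoice is at http://example.invalid/billing\n\nThanks\n"
```

The benign sample trips the subject ID check alone, which is why the score requires several items before rejecting.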


