[9fans] wierd spam

[9fans] wierd spam

[erik quanstrom]

i noticed some bizarre spam sent to these addresses

rb2 Nov 26 16:58:02 Disallowed mx.coraid.com!postmaster (mx.coraid.com/65.14.39.130) to blocked name coraid.com!060008d17dc9d5acc8afc6045f4e68fc
rb2 Nov 26 16:58:23 ehlo from 65.14.39.130 as barracuda.coraid.com
rb2 Nov 26 16:58:23 Disallowed mx.coraid.com!postmaster (mx.coraid.com/65.14.39.130) to blocked name coraid.com!09f65e2191201eb38304af55f15ad810

a quick google of them shows 060008d17dc9d5acc8afc6045f4e68fc and
09f65e2191201eb38304af55f15ad810 to be message ids from email i sent
to the list in july.

does anyone know what the exploit here is?
some sort of outlook thing?

- erik

Re: [9fans] wierd spam

[William Josephson]

On Mon, Nov 26, 2007 at 05:08:55PM -0500, erik quanstrom wrote:
> does anyone know what the exploit here is?
> some sort of outlook thing?

Probably some spammer mistaking message IDs like
<5a07215f3e7e896f4b528a1838e78757@quanstro.net>
for addresses.

Re: [9fans] wierd spam

[erik quanstrom]

now that you mention it, it's pretty obvious.
for some reason i was hung up on the fact that
one would think Message-ID: would be a clue that
this is not an email address.

- erik

On Mon Nov 26 17:20:31 EST 2007, jkw@eecs.harvard.edu wrote:
> On Mon, Nov 26, 2007 at 05:08:55PM -0500, erik quanstrom wrote:
> > does anyone know what the exploit here is?
> > some sort of outlook thing?
> 
> Probably some spammer mistaking message IDs like
> <5a07215f3e7e896f4b528a1838e78757@quanstro.net>
> for addresses.

Re: [9fans] wierd spam

[Lyndon Nerenberg]

On 2007-Nov-26, at 14:14 , William Josephson wrote:

> Probably some spammer mistaking message IDs like
> <5a07215f3e7e896f4b528a1838e78757@quanstro.net>
> for addresses.

Makes sense.  The address harvesters are pretty stupid.  E.g., I use  
plus-detail addresses on my internet draft submissions, and regularly  
see spam sent to rfc-crammd5@orthanc.ca as a result of harvesters not  
parsing lyndon+rfc-crammd5@orthanc.ca correctly.

I'm slowly moving my mailing list subscriptions over to lyndon+@orthanc.ca 
, to take advantage of the spammers lack of RE-fu :-)  Sadly, there is  
still quite a bit of list management software that also doesn't grok  
full RFC[2]822 address syntax.

While the '+' hack helps circumvent the harvesting, bayesian filters  
are your only practical defense.

--lyndon

Re: [9fans] wierd spam

[sqweek]

On Nov 27, 2007 7:08 AM, erik quanstrom <quanstro@quanstro.net> wrote:
> i noticed some bizarre spam sent to these addresses

 Speaking of weird email:
http://9fans.net/archive/2007/11/803
http://9fans.net/archive/2007/11/804
http://9fans.net/archive/2007/11/847
-sqweek