Today's odd spammer behavior for sender addresses
It's not news that spammers like to forge your own addresses into
MAIL FROMs of the spam that they're trying to send you; I've
seen this here for some time.
On the machine where I have my sinkhole server running, this clearly comes
and goes. Some of the time almost all the senders will be trying a
MAIL FROM (often what they seem to be trying to mail
to), and other times I won't see any in the logs for weeks. But
recently there's been a new and odd behavior.
Right now, a surprising number of sending attempts are using a
MAIL FROM of 'oey@domain'. They're not just picking on a single
address that is mutilated this way, as I see the pattern with a
number of addresses.
(Some of the time they'll add some letters after the login name too, eg 'joey@domain' will turn into 'oeyn@domain'.)
So far I have no idea what specific spam campaign this is for because all of the senders have been in the Spamhaus XBL (this currently gets my sinkhole server to reject them as boring spam that I already have enough samples of).
What really puzzles me is what the spammers who programmed this are
thinking. It's probably quite likely that systems will reject bad
local addresses in
MAIL FROMs for incoming email, which means
that starting with addresses you think are good and then mutating
them is a great way to get a lot of your spam sending attempts
rejected immediately. Yet spammers are setting up their systems to
deliberately mutate addresses and then use them as the sender
address, and presumably this both works and is worthwhile for some
(Perhaps they're trying to bash their way through address obfuscation, even when the address isn't obfuscated.)
(I suspect that this is a single spammer that has latched on to my
now spamtrap addresses, instead of a general thing. Our general
inbound mail gateway gets too much volume for me to pick through
the 'no such local user'
MAIL FROM rejections with any confidence
that I'd spot such a pattern.)