Wandering Thoughts archives

2016-12-17

Some conference spammers mutate to show they're definitely spammers

Years ago, I wrote about the peculiar case of people who spam us with conference announcements. This hasn't stopped in the time since then, of course, but the behavior of various clusters of these people has mutated since then as they move around network areas and spam methods and so on. Lately, one particular group has adopted some habits that make it absolutely, totally clear that they are active spammers and they know it.

For at least the past few months, these people have been sending their message from a constantly changing flux of domains with a consistent naming scheme of:

<user>@mail[0-9]+.<word1>-<word2>.com

The <user> portion is often but not always a letters-then-digits pattern like qhwtsh642 or lvjing348. The two words in the domain are randomly chosen dictionary words, so you get domains like dress-drop.com, proceed-wife.com, seed-rose.com, fashion-opening.com, include-sated.com, and so on. The hostnames all resolve (otherwise we wouldn't accept the messages, since they use this as their MAIL FROM), but the DNS-listed IP addresses for the hosts don't respond, resulting in various sorts of messages sitting in our queues trying to go there.
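As an added illustration (this is not code from the post or from the author's mail system), here is a small classifier for the naming scheme just described, intended to run at SMTP time on the MAIL FROM address so that a message can be refused up front instead of accepted and later bounced. The pattern, the sample addresses and the name classify_sender are constructed for this example; the local-part check is scored separately rather than required, because the post says it is only "often" letters-then-digits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Scheme from the post: <user>@mail[0-9]+.<word1>-<word2>.com
# (assumption: both "words" are plain alphabetic strings, as in the examples)
HOST_RE = re.compile(r"^mail[0-9]+\.([a-z]+)-([a-z]+)\.com$", re.IGNORECASE)
# Typical-but-not-required local part: letters followed by digits (qhwtsh642)
LOCAL_RE = re.compile(r"^[a-z]+[0-9]+$", re.IGNORECASE)


@dataclass
class Verdict:
    matches: bool                          # host follows mailN.word-word.com
    local_part_typical: bool               # local part is letters-then-digits
    words: Optional[Tuple[str, str]]       # (word1, word2) when matched


def classify_sender(mail_from: str) -> Verdict:
    """Classify a MAIL FROM address against the scheme described above.

    Accepts the address with or without the SMTP angle brackets.
    """
    addr = mail_from.strip().strip("<>")
    if addr.count("@") != 1:
        return Verdict(False, False, None)
    local, _, host = addr.partition("@")
    local_typical = bool(LOCAL_RE.match(local))
    m = HOST_RE.match(host)
    if not m:
        return Verdict(False, local_typical, None)
    return Verdict(True, local_typical, (m.group(1).lower(), m.group(2).lower()))


def smtp_response(mail_from: str) -> Tuple[int, str]:
    """Illustrative policy: refuse matching senders at MAIL FROM time.

    Rejecting here means no accept-then-bounce, so nothing sits in the
    queue retrying a host that never answers. (Assumed reply text.)
    """
    v = classify_sender(mail_from)
    if v.matches:
        return (550, "5.7.1 sender domain matches known spam naming scheme")
    return (250, "OK")


def flag_senders(addresses: List[str]) -> List[str]:
    """Return the addresses whose host matches the scheme."""
    return [a for a in addresses if classify_sender(a).matches]


# Constructed sample MAIL FROM values (not real captured traffic)
SAMPLE_SENDERS = [
    "qhwtsh642@mail3.dress-drop.com",       # matches, typical local part
    "lvjing348@mail12.proceed-wife.com",    # matches, typical local part
    "info@mail7.seed-rose.com",             # matches, atypical local part
    "alice@mail.example.com",               # no digits after "mail"
    "bob@mail2.example.com",                # no hyphenated word pair
    "carol@mail5.fashion-opening.co.uk",    # not a .com
    "<dave@mail1.include-sated.com>",       # matches, brackets stripped
]

if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        code, text = smtp_response(addr)
        print(f"{addr:40s} {code} {text}")
```

Run it as a script to see the per-address verdicts; in a real deployment the host-side regex is the part worth keeping, since the dictionary-word pairs change constantly but the mailN.word-word.com shape is what stays fixed.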

Sadly, the spam they send is not recognized as spam by our commercial anti-spam package, so various things get triggered. It is recognized as spam by other people's mail systems, so we do a certain amount of accept-then-bounce of it. At least we're not delivering it to innocent third parties as far as I know, just winding up with it camped out in our queues until it times out.

(Turning off bounces to external addresses is not an option for us in general at the moment; if we think a message is good and we can't deliver it, we've got to send a bounce for it or our users would almost certainly object.)

I haven't extensively checked the source IPs of this or the IPs that the various hosts resolve to, but the ones I've done spot checks on are all in China. I'm not terribly surprised; for as long as I've been getting conference spam and looking into it, China has been a very active source of it (and often for 'conferences' that were to be held in China).

spam/DefiniteConferenceSpammers written at 00:57:43

