Some conference spammers mutate to show they're definitely spammers
Years ago, I wrote about the peculiar case of people who spam us with conference announcements. This hasn't stopped in the time since then, of course, but the behavior of various clusters of these people has mutated since then as they move around network areas and spam methods and so on. Lately, one particular group has adopted some habits that make it absolutely, totally clear that they are active spammers and they know it.
For at least the past few months, these people have been sending their message from a constantly changing flux of domains with a consistent naming scheme of:
<user>@mail[0-9]+.<word1>-<word2>.com
The <user> portion is often but not always a letters-then-digits pattern like qhwtsh642 or lvjing348. The two words in the domain are randomly chosen dictionary words, so you get domains like dress-drop.com, proceed-wife.com, seed-rose.com, fashion-opening.com, include-sated.com, and so on. The hostnames all resolve (otherwise we wouldn't accept the messages, since they use this as their MAIL FROM), but the DNS-listed IP addresses for the hosts don't respond, resulting in various sorts of messages sitting in our queues trying to go there.
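As an added example (not code from this post or from our mail system), here is one way to flag envelope senders that fit the naming scheme described above and group them by domain for queue triage. The function names, the word-length bounds and the sample addresses are assumptions; only the quoted domains and local parts come from the post.

```python
import re
from collections import Counter

# mail<digits>.<word1>-<word2>.com, as described in the post. The words are
# taken to be lowercase letters; the length bounds are an assumption.
DOMAIN_RE = re.compile(r"^mail[0-9]+\.([a-z]{2,20})-([a-z]{2,20})\.com$")
# Local part that is letters followed by digits (often, but not always, seen).
USER_RE = re.compile(r"^[a-z]+[0-9]+$")

def classify(mail_from):
    """Return (verdict, base_domain) for an envelope sender.

    verdict is 'strong' when both the domain and the local part fit the
    scheme, 'domain-only' when only the domain fits, and None otherwise.
    """
    addr = mail_from.strip().strip("<>").lower()
    local, sep, host = addr.rpartition("@")
    if not sep or not local:
        return None, None          # null sender or malformed address
    m = DOMAIN_RE.match(host.rstrip("."))
    if not m:
        return None, None
    base = f"{m.group(1)}-{m.group(2)}.com"
    return ("strong" if USER_RE.match(local) else "domain-only"), base

def summarize(senders):
    """Count matching senders per word1-word2.com domain."""
    hits = Counter()
    for s in senders:
        verdict, base = classify(s)
        if verdict:
            hits[base] += 1
    return hits

# Constructed sample envelope senders: the mailNN labels, the pairing of
# local parts with domains, and the non-matching entries are made up.
SAMPLE = [
    "<qhwtsh642@mail12.dress-drop.com>",
    "lvjing348@mail3.proceed-wife.com",
    "Conference.Info@MAIL7.seed-rose.com",
    "alice@mail.example.com",
    "bob@mail2.example.org",
    "carol@mail5.my-long-hyphen-name.com",
    "<>",
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s, classify(s))
    print(summarize(SAMPLE))
```

A legitimate sender could happen to use a mailN.word-word.com hostname, so a match is a signal for review or scoring rather than proof on its own.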
Sadly the spam they send is not recognized as spam by our commercial anti-spam package, so various things get triggered. It is recognized as spam by other people's mail systems, so we do a certain amount of accept-then-bounce of it. At least we're not delivering it to innocent third parties as far as I know, just winding up with it camped out in our queues until it times out.
(Turning off bounces to external addresses is not an option for us in general at the moment; if we think a message is good and we can't deliver it, we've got to send a bounce for it or our users would almost certainly object.)
I haven't extensively checked the source IPs of this or the IPs that the various hosts resolve to, but the ones I've done spot checks on are all in China. I'm not terribly surprised; for as long as I've been getting conference spam and looking into it, China has been a very active source of it (and often for 'conferences' that were to be held in China).