Today's odd spammer behavior for sender addresses

April 19, 2016

It's not news that spammers like to forge your own addresses into the MAIL FROMs of the spam that they're trying to send you; I've seen this here for some time. On the machine where I have my sinkhole server running, this clearly comes and goes. Some of the time almost all the senders will be trying a legitimate MAIL FROM (often what they seem to be trying to mail to), and other times I won't see any in the logs for weeks. But recently there's been a new and odd behavior.

Right now, a surprising number of sending attempts are using a MAIL FROM that is (or was) a real address, but with the first letter removed. If 'joey@domain' was once a real address, they are trying a MAIL FROM of 'oey@domain'. They're not just picking on a single address that is mutilated this way, as I see the pattern with a number of addresses.

(Some of the time they'll add some letters after the login name too, e.g. 'joey@domain' will turn into 'oeyn@domain'.)

So far I have no idea what specific spam campaign this is for because all of the senders have been in the Spamhaus XBL (this currently gets my sinkhole server to reject them as boring spam that I already have enough samples of).

What really puzzles me is what the spammers who programmed this are thinking. It's quite likely that systems will reject bad local addresses in MAIL FROMs for incoming email, which means that starting with addresses you think are good and then mutating them is a great way to get a lot of your spam sending attempts rejected immediately. Yet spammers are setting up their systems to deliberately mutate addresses and then use them as the sender address, and presumably this both works and is worthwhile for some reason.

(Perhaps they're trying to bash their way through address obfuscation, even when the address isn't obfuscated.)

(I suspect that this is a single spammer that has latched on to my now spamtrap addresses, instead of a general thing. Our general inbound mail gateway gets too much volume for me to pick through the 'no such local user' MAIL FROM rejections with any confidence that I'd spot such a pattern.)
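One way to pick this pattern out of a pile of MAIL FROM rejections or sinkhole logs, as an added example and not the author's code: given the set of addresses that are or were real here, classify each attempted sender as an exact forgery, a first-letter-stripped mutation (with or without extra trailing letters), or something else, and tally the results. The log line format, the domain and the addresses below are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of sender attempts in a hypothetical log format.
SAMPLE_LOG = """\
reject: MAIL FROM=<oey@example.org> no such local user
reject: MAIL FROM=<oeyn@example.org> no such local user
reject: MAIL FROM=<ary@example.org> no such local user
reject: MAIL FROM=<bob@example.org> no such local user
reject: MAIL FROM=<random@elsewhere.test> no such local user
reject: MAIL FROM=<xjoey@example.org> no such local user
"""

# Constructed set of addresses that are (or were) real locally: users and spamtraps.
LOCAL_ADDRESSES = {"joey@example.org", "mary@example.org", "alice@example.org"}
OUR_DOMAIN = "example.org"

MAIL_FROM_RE = re.compile(r"MAIL FROM=<([^>]*)>")


def classify(sender, local_addresses, our_domain):
    """Label how an attempted MAIL FROM relates to our real or former addresses."""
    sender = sender.lower()
    if "@" not in sender:
        return "malformed"
    local, domain = sender.rsplit("@", 1)
    if domain != our_domain:
        return "other-domain"
    if sender in local_addresses:
        return "forged-real-address"
    # Local parts of real addresses with their first letter removed ('joey' -> 'oey').
    stripped = {real.split("@", 1)[0][1:] for real in local_addresses}
    stripped.discard("")  # a one-letter login would strip to nothing; ignore it
    if local in stripped:
        return "first-letter-stripped"
    if any(local.startswith(s) for s in stripped):
        return "first-letter-stripped+suffix"  # 'oeyn' from 'joey'
    return "unknown-local-part"


def tally(log_text, local_addresses=LOCAL_ADDRESSES, our_domain=OUR_DOMAIN):
    """Count sender attempts in the log by the category classify() assigns."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MAIL_FROM_RE.search(line)
        if m:
            counts[classify(m.group(1), local_addresses, our_domain)] += 1
    return counts


if __name__ == "__main__":
    for label, n in tally(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {label}")
```

A sudden rise in the two "first-letter-stripped" buckets relative to "unknown-local-part" is the signal the post describes; on a busy gateway the tally can be run per sending IP or per hour to see whether it is one source or a general trend.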

Comments on this page:

I think it's just bad programming, an off-by-one bug.

I agree there is a decent chance that it is a mere bug.

But another, albeit remote, possibility that comes to mind is predicated on the question of how mail is treated if it has a valid MAIL FROM and another valid local recipient. With a very large mailer outfit, e.g. one of the free web mailers like GMail, the odds of ending up with a valid mutation seem not that low. Does a mail gain a significant score benefit from a valid combination of addresses? If so, maybe the idea is to increase the spammer’s own delivery efficiency by polarising the results: spam either gets rejected very quickly, or it has a high likelihood of getting delivered.

Is this hypothesis at all sensical?

(Curiously, that would make this (fairly literally!) analogous to scammers deliberately using typos and bad grammar in their mails as a way to increase their own efficiency by filtering for gullible recipients.)

I've seen this for years. Also popular: some nonsense followed by a legit user address like htmlbotUSER@OURDOMAIN; the string of junk frequently stays while various mail addresses are tried (and rejected). Obviously results from a poorly coded harvester.

Written on 19 April 2016.
Last modified: Tue Apr 19 01:06:35 2016
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.