== Today's odd spammer behavior for sender addresses

It's not news that spammers like to forge your own addresses into the _MAIL FROM_s of the spam that they're trying to send you; I've seen this here for [[some time CSLabRejectionStats-2011-04-26]]. On the machine where I have [[my sinkhole server https://github.com/siebenmann/sinksmtp/]] running, this clearly comes and goes. Some of the time almost all the senders will be trying a legitimate _MAIL FROM_ (often what they seem to be trying to mail to), and other times I won't see any in the logs for weeks. But recently there's been a new and odd behavior.

Right now, a surprising number of sending attempts are using a _MAIL FROM_ that is (or was) a real address, but with the first letter removed. If 'joey@domain' was once a real address, they are trying a _MAIL FROM_ of 'oey@domain'. They're not just picking on a single address that is mutilated this way, as I see the pattern with a number of addresses.

(Some of the time they'll add some letters after the login name too, eg 'joey@domain' will turn into 'oeyn@domain'.)

So far I have no idea what specific spam campaign this is for because all of the senders have been in the Spamhaus XBL (this currently gets my sinkhole server to reject them as [[boring spam MySpamIsBoring]] that I already have enough samples of).

What really puzzles me is what the spammers who programmed this are thinking. It's probably quite likely that systems will reject bad local addresses in _MAIL FROM_s for incoming email, which means that starting with addresses you think are good and then mutating them is a great way to get a lot of your spam sending attempts rejected immediately. Yet spammers are setting up their systems to deliberately mutate addresses and then use them as the sender address, and presumably this both works and is worthwhile for some reason.

(Perhaps they're trying to bash their way through address obfuscation, even when the address isn't obfuscated.)

(I suspect that this is a single spammer that has latched on to my now spamtrap addresses, instead of a general thing. Our general inbound mail gateway gets too much volume for me to pick through the 'no such local user' _MAIL FROM_ rejections with any confidence that I'd spot such a pattern.)
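
The mutation described above (a real local part with its first letter dropped, sometimes with a few letters appended) is mechanical enough to look for in rejection logs automatically. The following is an added example, not code from the original post or from sinksmtp; the addresses, the log line layout and the three-letter suffix limit are all assumptions made for illustration.

```python
import re
from collections import Counter

MAX_SUFFIX = 3  # assumption: longest run of appended letters to accept
MAIL_FROM = re.compile(r"MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def classify(sender, known):
    """Return ('exact'|'mutated', real_address) or (None, None)."""
    addr = sender.strip().lower()
    if addr in known:
        return ("exact", addr)           # plain forgery of a real address
    local, sep, domain = addr.rpartition("@")
    if not sep or not local:
        return (None, None)              # null sender or malformed
    best = None
    for real in known:
        rlocal, _, rdomain = real.rpartition("@")
        stem = rlocal[1:]                # real local part minus first letter
        if rdomain != domain or len(stem) < 2 or not local.startswith(stem):
            continue
        extra = local[len(stem):]        # letters added after the login name
        if len(extra) <= MAX_SUFFIX and (not extra or extra.isalpha()):
            if best is None or len(real) > len(best):
                best = real              # prefer the longest matching stem
    return ("mutated", best) if best else (None, None)


def scan(lines, known):
    """Count mutated-sender hits per real address over SMTP log lines."""
    known = {k.lower() for k in known}
    hits = Counter()
    for line in lines:
        m = MAIL_FROM.search(line)
        if m:
            kind, real = classify(m.group(1), known)
            if kind == "mutated":
                hits[real] += 1
    return hits


# Constructed sample data; addresses and log layout are illustrative only.
KNOWN = {"joey@example.org", "marta@example.org"}
SAMPLE_LOG = [
    "r 192.0.2.10 MAIL FROM:<oey@example.org>",
    "r 192.0.2.11 MAIL FROM:<oeyn@example.org>",
    "r 192.0.2.12 MAIL FROM:<joey@example.org>",
    "r 192.0.2.13 MAIL FROM:<arta@example.org>",
    "r 192.0.2.14 MAIL FROM:<bob@example.net>",
    "r 192.0.2.15 MAIL FROM:<>",
]
```

Exact matches are classified separately so that ordinary forgeries of a real address are not counted as mutations; only the mutated senders are tallied per original address.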