Getting to watch a significant spam campaign recently
One of the interesting side effects of running a sinkhole SMTP server and occasionally looking at the SMTP command logs is that every so often I get to see the signs of what is clearly a significant spam campaign. Recently, for example, I noticed a whole pile of delivery attempts that all had a distinct signature, sufficiently distinct that I'm pretty sure they must have been from the same software and party.
The primary signature was an unusual MAIL FROM, where it was the same as the RCPT TO. A typical session looked like:
    EHLO host11.190-230-18.telecom.net.ar
    250 [...]
    MAIL From:<ADDR@hawkwind.utcs.toronto.edu>
    550 [...]
    RCPT To:<ADDR@hawkwind.utcs.toronto.edu>
    503 Out of sequence command
(My server advertises PIPELINING, so this run-ahead behavior by the client is legitimate. Not all of the connections did it, so I can't be entirely sure that they were all going to RCPT TO the same address. It's a good bet, though; spammers seem to almost never use a MAIL FROM in my own domain.)
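As an added example (not the post's own code; the log layout, session ids and local domain are assumed), here is a small Python check that groups an SMTP command log by session and flags the signature described above: a MAIL FROM claiming an address in the local domain that is then reused as the RCPT TO. It pairs the two commands by session rather than by server reply, so a pipelined RCPT TO sent after the 550 still counts.

```python
import re

# Constructed sample log, one client command per line in the layout the post
# quotes ("COMMAND args <server reply>"), prefixed with an assumed session id.
SAMPLE_LOG = """\
s1 EHLO host11.190-230-18.telecom.net.ar 250 hawkwind.utcs.toronto.edu
s1 MAIL From:<ADDR@hawkwind.utcs.toronto.edu> 550 rejected
s1 RCPT To:<ADDR@hawkwind.utcs.toronto.edu> 503 Out of sequence command
s2 EHLO [192.0.2.77] 250 hawkwind.utcs.toronto.edu
s2 MAIL From:<someone@example.net> 250 ok
s2 RCPT To:<addr@hawkwind.utcs.toronto.edu> 250 ok
s3 EHLO [192.0.2.78] 250 hawkwind.utcs.toronto.edu
s3 MAIL From:<other@hawkwind.utcs.toronto.edu> 550 rejected
"""

LOCAL_DOMAIN = "hawkwind.utcs.toronto.edu"  # assumed local domain

CMD_RE = re.compile(r"^(\S+)\s+(EHLO|HELO|MAIL|RCPT)\s+(\S+)", re.IGNORECASE)
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_sessions(log_text):
    """Group commands by session id -> {'helo': str, 'mail': str, 'rcpt': [str]}."""
    sessions = {}
    for line in log_text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue  # server replies and unrelated lines are skipped
        sid, verb, arg = m.group(1), m.group(2).upper(), m.group(3)
        s = sessions.setdefault(sid, {"helo": None, "mail": None, "rcpt": []})
        if verb in ("EHLO", "HELO"):
            s["helo"] = arg  # may be an rDNS name or a bare IP literal
        else:
            a = ADDR_RE.search(arg)
            addr = a.group(1).lower() if a else ""
            if verb == "MAIL":
                s["mail"] = addr
            else:
                s["rcpt"].append(addr)
    return sessions


def flag_self_addressed(sessions, local_domain=LOCAL_DOMAIN):
    """Session ids whose local-domain MAIL FROM also appears as a RCPT TO."""
    flagged = []
    for sid, s in sessions.items():
        mail = s["mail"] or ""
        if mail.endswith("@" + local_domain) and mail in s["rcpt"]:
            flagged.append(sid)
    return flagged
```

A session that was rejected at MAIL FROM and never sent RCPT TO (s3 above) is not flagged, matching the post's caveat that only pipelining clients reveal the full pattern.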
Almost all of the hosts that I saw do this were in the PBL, the XBL, or the CSS. Hosts EHLO'd with either their reverse DNS name or with e.g. '[18.104.22.168]' when they had no rDNS (although not all of the names had forward DNS to go with their rDNS). While this was happening, I often saw a significant number of these connections one after another from all sorts of
A few messages of this sort got all the way to DATA and so had their contents logged. Based on that, the campaign seems to have been pushing an offshore pharmacy hosted on an IP that Spamhaus lists as part of 'Yambo Financials' aka 'RxMed pharma spam website hosting' (although the domain name used in the spam is not one that's currently in the SBL listing). That doesn't really surprise me, as I'd expect such a spam campaign to come from one of the larger operations.
There are probably spam campaigns running all the time that my (now) spamtraps get hit by. It's just that usually they don't stand out this much, either by having a distinctive and unusual signature or by hammering on my addresses quite this hard. The latter puzzles me a bit, since it seems inefficient (and I do believe that spammers are generally efficient).