Getting to watch a significant spam campaign recently

January 8, 2016

One of the interesting side effects of running a sinkhole SMTP server and occasionally looking at the SMTP command logs is that every so often I get to see the signs of what is clearly a significant spam campaign. Recently, for example, I noticed a whole pile of delivery attempts that all had a distinct signature, sufficiently distinct that I'm pretty sure they must have been from the same software and party.

The primary signature was an unusual MAIL FROM: the MAIL FROM address was the same as the RCPT TO address. A typical session looked like:

EHLO host11.190-230-18.telecom.net.ar
250 [...]
MAIL From:<ADDR@hawkwind.utcs.toronto.edu>
550 [...]
RCPT To:<ADDR@hawkwind.utcs.toronto.edu>
503 Out of sequence command

(My server advertises PIPELINING, so this run-ahead behavior by the client is legitimate. Not all of the connections did it, so I can't be entirely sure that they were going to RCPT TO the same address. It's a good bet, though; spammers seem to almost never attempt a MAIL FROM of my own domain.)

Almost all of the hosts that I saw do this were in the PBL, the XBL, or the CSS. Hosts EHLO'd with either their reverse DNS or with e.g. '[39.112.245.8]' when they had no rDNS (although not all of the names had forward DNS to go with their rDNS). While this was happening, I often saw a significant number of these connections one after another from all sorts of different IPs.
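The signature described above (MAIL FROM equal to RCPT TO, with the RCPT TO only visible when the client pipelined it past a 550) and the EHLO forms noted in the previous paragraph are easy to pull out of command logs mechanically. The following is an added example, not code from the original post or from the sinkhole server it describes: it parses a constructed transcript in the shape shown above (client command, then server reply, sessions separated by a blank line), flags sessions where a RCPT TO address equals the MAIL FROM address, marks sessions where MAIL FROM claims one of our own domains but no RCPT TO was pipelined as merely "probable", and classifies each EHLO argument as a name or a bracketed IP literal. The transcript, the local domain `sinkhole.example` and all function names are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample transcript in the shape the post shows (client command,
# then server reply, one per line; sessions separated by a blank line).
# Hostnames, IPs and addresses are illustrative placeholders, not real log data.
SAMPLE_LOG = """\
EHLO host11.190-230-18.telecom.net.ar
250 sinkhole.example PIPELINING
MAIL From:<trap1@sinkhole.example>
550 rejected
RCPT To:<trap1@sinkhole.example>
503 Out of sequence command

EHLO [39.112.245.8]
250 sinkhole.example PIPELINING
MAIL From:<TRAP1@sinkhole.example>
550 rejected

EHLO mail.legit.example
250 sinkhole.example PIPELINING
MAIL From:<sender@legit.example>
250 ok
RCPT To:<trap2@sinkhole.example>
250 ok
"""

# Assumed: the domain(s) the sinkhole accepts mail for.
LOCAL_DOMAINS = {"sinkhole.example"}

REPLY_RE = re.compile(r"^\d{3}[ -]")  # server reply line, e.g. "550 rejected"
CMD_RE = re.compile(r"^(EHLO|HELO|MAIL FROM|RCPT TO):?\s*(.*)$", re.IGNORECASE)
ADDR_RE = re.compile(r"<([^>]*)>")
IP_LITERAL_RE = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")


@dataclass
class Session:
    ehlo: Optional[str] = None
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)


def parse_sessions(text: str) -> List[Session]:
    """Split a transcript into sessions and record the envelope commands.

    Server replies are skipped, so a RCPT TO the client pipelined after a 550
    is recorded even though the server answered it with a 503.
    """
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur is not None:
                sessions.append(cur)
                cur = None
            continue
        if cur is None:
            cur = Session()
        if REPLY_RE.match(line):
            continue
        m = CMD_RE.match(line)
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2).strip()
        addr = ADDR_RE.search(arg)
        value = addr.group(1) if addr else arg
        if verb in ("EHLO", "HELO"):
            cur.ehlo = arg
        elif verb == "MAIL FROM":
            cur.mail_from = value
        else:  # RCPT TO
            cur.rcpt_to.append(value)
    if cur is not None:
        sessions.append(cur)
    return sessions


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def classify(s: Session) -> str:
    """'signature' if some RCPT TO equals MAIL FROM; 'probable' if MAIL FROM
    claims one of our domains but no RCPT TO was seen; else 'none'.
    Whole addresses are compared case-insensitively: the local part is
    strictly case-sensitive, but loose matching is safer for a spam signature.
    """
    if s.mail_from is None:
        return "none"
    mf = s.mail_from.lower()
    if any(r.lower() == mf for r in s.rcpt_to):
        return "signature"
    if not s.rcpt_to and domain_of(mf) in LOCAL_DOMAINS:
        return "probable"
    return "none"


def ehlo_kind(s: Session) -> str:
    """'ip-literal' for a bracketed IPv4 literal, 'name' otherwise."""
    if s.ehlo is None:
        return "missing"
    return "ip-literal" if IP_LITERAL_RE.match(s.ehlo) else "name"


def report(text: str) -> List[Tuple[int, str, str, Optional[str]]]:
    """(session index, verdict, EHLO kind, EHLO argument) for flagged sessions."""
    out = []
    for i, s in enumerate(parse_sessions(text)):
        verdict = classify(s)
        if verdict != "none":
            out.append((i, verdict, ehlo_kind(s), s.ehlo))
    return out


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Run against the sample, this flags the first session as a definite match and the second (the client that did not run ahead to RCPT TO) only as probable, which is the same uncertainty the post notes; the legitimate third session is not flagged.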

A few messages of this sort got all the way to DATA and so had their contents logged. Based on that, the campaign seems to have been pushing an offshore pharmacy hosted on an IP that Spamhaus lists as part of 'Yambo Financials' aka 'RxMed pharma spam website hosting' (although the domain name used in the spam is not one that's currently in the SBL listing). That doesn't really surprise me, as I'd expect such a spam campaign to come from one of the larger operations.

There are probably spam campaigns running all the time that my (now) spamtraps get hit by. It's just that usually they don't stand out this much, either by having a distinctive and unusual signature or by hammering on my addresses quite this hard. The latter puzzles me a bit, since it seems inefficient (and I do believe that spammers are generally efficient).

Written on 08 January 2016.