A spammer that is not the brightest light in the box

December 28, 2012

I'm fond of saying that spammers are generally not stupid; they do what works and they're quite good at figuring out what that is. However, every so often a spammer comes along who quite clearly challenges or outright breaks this view.

Here's a snippet from a recent SMTP conversation that one of my machines logged:

remote from [208.86.167.19]
HELO postoffice.wieck.com
250 Hello postoffice.wieck.com
MAIL FROM:<REDACTED@wieck.com>
250 Ok (verified)
RCPT TO:<"d..."@REDACTED.org>
554 no such local user

What makes this stand out is the RCPT TO address. For those who've never run into it, this form (without the quotes) is how Google's Usenet interface has presented poster email addresses for quite a while. Such addresses are deliberately obfuscated and have never worked; we can see how badly broken they are by the fact that they have to be quoted to make them RFC-legal even as RCPT TO addresses. Any vaguely smart spammer would not be dealing with these addresses.

Despite this, this spammer has wasted time and effort collecting these addresses and sending spam to them. This is a genuine waste; someone has carefully scraped and stored these addresses, someone else may have purchased them, and now someone is wasting resources attempting to deliver email to them (resources which could have been spent delivering spam to more viable addresses, ones that at least potentially could pay off). All of this is objectively stupid and worse, it's obviously so.
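As an added example (not part of the original entry and not the logging code of the machine described), here is one way to pick such recipients out of a log in the layout shown above and count them per sending IP. The sample log is constructed, and the function names and the choice to also flag the unquoted form are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the log layout shown above. IPs are from
# documentation ranges (RFC 5737); host and mailbox names are placeholders.
SAMPLE_LOG = """\
remote from [192.0.2.10]
HELO mail.example.net
MAIL FROM:<sender@example.net>
RCPT TO:<"d..."@example.org>
554 no such local user
remote from [198.51.100.7]
HELO mx.example.com
MAIL FROM:<news@example.com>
RCPT TO:<alice@example.org>
250 Ok
RCPT TO:<"jo..."@example.org>
554 no such local user
RCPT TO:<"first last"@example.org>
554 no such local user
RCPT TO:<bo...@example.org>
554 no such local user
"""

REMOTE_RE = re.compile(r"^remote from \[([^\]]+)\]")
RCPT_RE = re.compile(r"^RCPT TO:<(.+)@([^@>]+)>", re.IGNORECASE)

def is_truncated_local_part(local_part):
    """True when the local part, quoted or not, ends in the '...' marker."""
    if len(local_part) >= 2 and local_part[0] == local_part[-1] == '"':
        local_part = local_part[1:-1]  # strip the quoted-string wrapper
    return local_part.endswith("...")

def truncated_rcpts_by_remote(log_text):
    """Map each remote IP to the truncated RCPT TO addresses it tried."""
    hits = defaultdict(list)
    remote = "unknown"  # used if a RCPT line appears before any 'remote from'
    for line in log_text.splitlines():
        line = line.strip()
        if (m := REMOTE_RE.match(line)):
            remote = m.group(1)
        elif (m := RCPT_RE.match(line)) and is_truncated_local_part(m.group(1)):
            hits[remote].append(f"{m.group(1)}@{m.group(2)}")
    return dict(hits)

if __name__ == "__main__":
    for ip, addrs in truncated_rcpts_by_remote(SAMPLE_LOG).items():
        print(ip, len(addrs), addrs)
```

A legitimately quoted local part such as "first last" is not flagged; only the trailing "..." marks an address as one of the obfuscated ones.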


Comments on this page:

From 121.44.20.195 at 2012-12-28 04:00:19:

You assume it's more cost efficient for the spammer to fix his system rather than just have a slightly higher percentage of broken addresses in his list than otherwise. I'd guess the broken addresses cost the spammer virtually nothing in resources or time.

By cks at 2012-12-30 02:34:45:

My reply got long so I put it in an entry, SpamAttemptsAndWaste.

From 78.52.146.137 at 2013-01-21 09:23:52:

I've seen worse. Or similarly stupid - hard to say. Lots of it, anyway. Obviously many harvesting bots are not exactly written by regex experts. Or by someone who would invest too much time and work into them. What I found much more amazing is how long these failed addresses keep going around. There's a handful of poorly grabbed addresses (first letters missing, addresses beginning with "mailto" or "html") that have been spammed (or tried to) for more than eight years now without a single mail ever having been accepted by the server.

Written on 28 December 2012.

Last modified: Fri Dec 28 02:54:01 2012