I Was, and Foxes the Wild Parents



  • While I'm sure we're all used to bizarre SPAM messages, I'm still scratching my head trying to figure out this set that arrived early yesterday morning. No links... no products advertised... no stocks to buy... perhaps, someone is trying to tell me something? Quack?


    ----- Message -----
    From: yahoohousema [mailto:uhdvgqwil@he.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: yahoo house

    I thought about even know I thought by themselves things. up to done it. I still living accomplish still there.

     


    ----- Message -----
    From: usadogstay [mailto:uhnwfxnj@yahoo.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: usa dog stay

    most pulled We need from the vast managed The hollow neighborhood were called it is a had to it

     

     

    ----- Message -----
    From: steventreesu [mailto:qbysiiuh@gmail.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: steven tree

    turtle, I even even I got else then did came we just for kids I assumed were told let it go.

     


    ----- Message -----
    From: appleglobal [mailto:ycymvjmpwn@gmail.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: apple global

    even playing snapping turtle, often I assumed them. in many to my parents I remember tree the dead to my parents

     


    ----- Message -----
    From: stonegofreek [mailto:bsbzynnawo@aol.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: stone go fre

    community were called by year. by year. crown.

     


    ----- Message -----
    From: ibmmicrosoft [mailto:ellbpnrua@he.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: ibm microsof

    It is what effect that I noticed

     


    ----- Message -----
    From: universityst [mailto:ydkzfxj@aol.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: university s

    berries. were about for kids It is often chunk

     


    ----- Message -----
    From: globalgokitc [mailto:zhmgxggum@mail.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: global go ki

    by year. to it where I spent tree from of my up to tree We need I got I assumed parents attempt.

     


    ----- Message -----
    From: globaltreegl [mailto:uvrbzgdj@aol.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: global tree

    because We need took cutting off now

     


    ----- Message -----
    From: nightcanada [mailto:smujig@yahoo.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: night canada

    else by helping places years later. stretching

     


    ----- Message -----
    From: freestayuniv [mailto:azfacsbpnb@he.com]
    Sent: Friday, February 08, 2008 4:44 AM
    To: Alex Papadimoulis (WTF)
    Subject: free stay un

    removing trees I was exploring and began I was and foxes the wild parents


     



  • I have a vague feeling about this: it might be to mis-train our spam filters. Once the filters recognize common text as spam, they will filter out most normal messages and they will have to be shut down, after which the spam will flow in abundance into our normal mail-box. I hope I'm wrong.



  • One way to make that tactic useless is to get people to use a code-word when they email you, I use three: Lingerance (not a real word, so it will possibly never be generated), the other two are my first and last name. I also make it so any email that comes from a known email is always passed through, it works great.



  • @TGV said:

    I have a vague feeling about this: it might be to mis-train our spam filters. Once the filters recognize common text as spam, they will filter out most normal messages and they will have to be shut down, after which the spam will flow in abundance into our normal mail-box. I hope I'm wrong.

    That's a popular theory (for which I've never seen any evidence that it's actually what they're trying to do). It's also a load of crap: the standard algorithm is immune to this sort of attack, and I've never seen a spam filter which would fall for it. 



  • @TGV said:

    I have a vague feeling about this: it might be to mis-train our spam filters. Once the filters recognize common text as spam, they will filter out most normal messages and they will have to be shut down, after which the spam will flow in abundance into our normal mail-box. I hope I'm wrong.


    How much more likely is it that the spam-sending software simply has a bug?

    Whenever I get a completely nonsensical spam message, I figure that's one botnet that's just wasting CPU cycles due to a missing $ or {} somewhere...



  • The sender was validating your email address.

    There are more clever ways to do it, but the simplest way is to send nonsensical emails to a list of addresses and record the ones that did not get rejected.



  • I've seen a lot of them that come with nonsensical text, and an image attached telling me to buy whatever stock, etc.  Figured the ones that just have the text either lost the image because of a bug in their botnet, or because some spam filter deleted the image along the way.  Doesn't seem likely that a spam filter would just delete an image without telling you (and wouldn't delete the entire message), so I'm going for the first option.

    @Lingerance said:

    One way to make that tactic useless is to get people to use a code-word when they email you, I use three: Lingerance (not a real word, so it will possibly never be generated), the other two are my first and last name. I also make it so any email that comes from a known email is always passed through, it works great.
     

    Just make sure the code word isn't "/1agr4"



  • @TGV said:

    I have a vague feeling about this: it might be to mis-train our spam filters. Once the filters recognize common text as spam, they will filter out most normal messages and they will have to be shut down, after which the spam will flow in abundance into our normal mail-box. I hope I'm wrong.
     

    But why bother trying to send tons of garbage to mis-train the filters, when they can embed their spam message in the garbage in the first place? Most spammers won't give a damn as to how many addresses on their list are bad. It's not their bandwidth being wasted to ping the bad addresses. At most it's a bit of extra time spent renting the botnet in the first place, and with the spam message in there anyways, if something does bounce, they get the benefit of both options... filtering their list AND getting their message through. They're not going to rent the net for (say) $1000 to send a zillion one-liners to save themselves $10 later on by eliminating the 0.01% bad addresses.

    My best guess is a first-time spammer who can't read the instructions on his script-kiddy "Spamming For Completely Moronic Idiotic Dummies" and wasted his shot on a one-liner blast.



  • @MarcB said:

    But why bother trying to send tons of garbage to mis-train the filters, when they can embed their spam message in the garbage in the first place? Most spammers won't give a damn as to how many addresses on their list are bad. It's not their bandwidth being wasted to ping the bad addresses. At most it's a bit of extra time spent renting the botnet in the first place, and with the spam message in there anyways, if something does bounce, they get the benefit of both options...
     

    As somebody whose address occasionally gets used as the "from" address to a ton of spam, I have to agree with the first part.  Every couple months, I get a few days of non-stop "out of office", "your message has been marked as spam", and most importantly "that address doesn't exist" messages.

    As for them being able to tell if the actual spam bounces....they'll never know.  Like I said, it bounces to me and thousands of other innocent domain owners.  Which is why I don't buy the idea that the nonsense is a test for valid addresses.  They would have had to solve a lot of CAPTCHAs to read any bounces from the messages Alex posted.

    On a side note, the only thing I love more than the automated "your message got spam filtered" replies, are the people who manually email me with "stop spamming me!"  I actually politely replied to one of them explaining that I'm not the one sending the mails and spammers use forged addresses, so she's only making the problem worse for me.  She replied back saying that they're always coming from my address, so maybe my computer got hacked or something.  Did she not freaking read what I just said about how easy it is to fake an email return address?   I'm sure I'm the one with spyware.



  • Send her an email that comes from herself to show her how easy it is to forge an email



  • I can only imagine her reaction.  She'd either go get an exorcism, or call the FBI on me for hacking her... 



  • Speaking of forged return addresses, why can't antivirus administrators learn to not send "You have a virus!!!111oneoneone" autoreplies? Has there been an e-mail worm/virus in the last 5 years that actually used the real sender's address?



  • As somebody whose address occasionally gets used as the "from" address to a ton of spam, I have to agree with the first part. Every couple months, I get a few days of non-stop "out of office", "your message has been marked as spam", and most importantly "that address doesn't exist" messages.

    Yeah, same... Once I got ~500 bounce messages to one of my domains.

    I have a similar screenshot, from June 2007... This wasn't as bad as the 500 bounce messages, but it was still quite bad (this screenshot is after deleting a whole heap of them):
    [Screenshot: Evolution Mail - Spam listing]



  • @vt_mruhlin said:

    As somebody whose address occasionally gets used as the "from" address to a ton of spam, I have to agree with the first part. Every couple months, I get a few days of non-stop "out of office", "your message has been marked as spam", and most importantly "that address doesn't exist" messages.

    I had to end up turning off my catchall address at my domain name because spammers had started forging random usernames at it. And even still, I occasionally see spams where they've forged an actual existent address at my domain...



  • @vt_mruhlin said:

    I can only imagine her reaction.  She'd either go get an exorcism, or call the FBI on me for hacking her... 

    I only wish I could spoof a reply. I used to run into that issue all of the time (people accusing me of spamming/virusing them). But, all of my mail providers validate my account against the address(es) used. I haven't dealt with sending mail outside of using a hosted account.

    @codeman38 said:

    I had to end up turning off my catchall address at my domain name because spammers had started forging random usernames at it.

    Same here. I had left mine on so people could e-mail "support", "administrator", "webmaster", etc, and have it still reach me. But, as you experienced, spammers take advantage of it. I didn't even create real accounts for any of those names. Instead, I provided atypical ones that a spambot would probably not guess.



  • I used to have trouble with forged return addresses coming back to my domain. I set up an SPF record, and while the bounce messages haven't gone away completely, they've dropped off a lot. The trick is to use a hard fail (-all) instead of a soft fail (~all) so that mail servers will just reject the forged message out of hand, instead of flagging it, but allowing it to pass.

    If you have trouble with people forging mail from subdomains, make sure that any subdomains have an SPF record. If they don't send mail, just make it a no-op record (v=spf1 -all).

    SPF might not be perfect, but it sure cut down on the bounce messages that I received.
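The hard-fail and subdomain advice in the post above, as an added example that is not part of the original post: a small audit that classifies the SPF policy published at each name and reports every name that does not end in `-all`. The zone data, the `example.com` names and the function names are constructed for illustration.

```python
# Added example: audit published TXT records for the SPF policy discussed above.
# ZONE is constructed sample data; names and IPs are documentation placeholders.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_policy(txt_records):
    """Classify the SPF policy published in the TXT strings of one DNS name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"            # nothing tells receivers to reject forgeries
    if len(spf) > 1:
        return "permerror"          # RFC 7208: more than one record is an error
    terms = spf[0].lower().split()[1:]
    for i, term in enumerate(terms):
        q, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            result = QUALIFIERS[q]
            # "v=spf1 -all" with nothing before it: this name sends no mail
            return "no-mail" if result == "fail" and i == 0 else result
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"           # policy is defined by another domain
    return "neutral"                # no "all" mechanism: default result

def audit(zone):
    """Return {name: policy} for names that do not hard-fail forged mail."""
    return {name: p for name, txt in zone.items()
            if (p := spf_policy(txt)) not in ("fail", "no-mail")}

ZONE = {
    "example.com": ["v=spf1 mx ip4:192.0.2.10 ~all", "unrelated-txt=constructed"],
    "mail.example.com": ["v=spf1 a -all"],
    "www.example.com": [],                      # subdomain with no SPF record
    "static.example.com": ["v=spf1 -all"],      # no-op record for a non-sender
}

if __name__ == "__main__":
    for name, policy in audit(ZONE).items():
        print(f"{name}: {policy}")
```
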



  •  Think they forgot to attach the virus, or maybe your filter killed the attachment but let the text through ... I've seen a bunch of this creative prose myself.



  • @AbbydonKrafts said:

    @codeman38 said:
    I had to end up turning off my catchall address at my domain name because spammers had started forging random usernames at it.

    Same here. I had left mine on so people could e-mail "support", "administrator", "webmaster", etc, and have it still reach me. But, as you experienced, spammers take advantage of it. I didn't even create real accounts for any of those names. Instead, I provided atypical ones that a spambot would probably not guess.

    Thirded. The first domain I bought was monkeycrap.com, which a lot of people tend to use as a fake address. There was one guy who kept signing up for sites under limpbizkit@monkeycrap.com, so I just kept changing his passwords.



  • @vt_mruhlin said:

    As for them being able to tell if the actual spam bounces....they'll never know.  Like I said, it bounces to me and thousands of other innocent domain owners.  Which is why I don't buy the idea that the nonsense is a test for valid addresses

    Actually, for a lot of servers they will know.  When a message is sent to a mail server the server will commonly respond immediately with one of 3 possibilities:
    1) Mailbox not found or similar
    2) OK
    3) Greylist response message

    It doesn't matter what the return email address is set to because the response is immediate.  You'll notice that at one point spammers used to send CC messages to autogenerated email addresses.  The purpose was to ferret out good addresses.

    If the server responds with 1, they can pretty much bet it's a bad address and cull it from their list.  If the server responds with 2, then, depending on the server itself, it may be valid or still unknown.  If the server responds with 3, then there is a probability that the address is good. 

    Note that this all happens during the initial transfer of the message to the mail server.  Once the transfer occurs, the spammer is uninterested in what happens to the message after that.  They have what they want, a good guess on the status of the recipient email address and, more importantly, a way to rate the quality of their mass mailing list.

    The thing to bear in mind is that not all mail servers are programmed the same; spammers know this.  There is a definite way of fingerprinting a mail server just like you can with the OS of an improperly secured machine. 

    NOTE: I am not a spammer; but I have acquired a fair amount of in-depth security knowledge in my career in order to combat those people.

    Chris.
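The immediate per-recipient replies described in the post above are also recorded by the receiving server, so its operator can spot this kind of probing. As an added example that is not part of the original post, this counts distinct "mailbox not found" rejections per client; the Postfix-style log lines, the addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Postfix smtpd rejects; the IPs are
# documentation ranges and the recipients are made up for this example.
LOG = """\
Feb  8 04:44:01 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown
Feb  8 04:44:01 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown
Feb  8 04:44:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown
Feb  8 04:44:02 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <alex@example.org>: Recipient address rejected: User unknown
Feb  8 04:44:03 mx postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown
Feb  8 04:50:12 mx postfix/smtpd[107]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.20]: 550 5.1.1 <jhon@example.org>: Recipient address rejected: User unknown
Feb  8 04:51:30 mx postfix/smtpd[109]: NOQUEUE: reject: RCPT from relay.example.net[192.0.2.55]: 450 4.2.0 <alice@example.org>: Recipient address rejected: Greylisted
"""

# client IP, SMTP reply code, rejected recipient
RCPT_REJECT = re.compile(
    r"reject: RCPT from \S*\[([0-9A-Fa-f.:]+)\]: (\d{3}) \S+ <([^>]*)>")

def harvest_suspects(log_text, min_unknown=3):
    """Map client IP -> number of distinct recipients rejected with 550.

    Only clients at or above min_unknown are returned. A single 550 is usually
    a typo; many distinct unknown recipients from one client is list probing.
    Greylisting deferrals (4xx) are ignored.
    """
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        m = RCPT_REJECT.search(line)
        if m and m.group(2) == "550":
            unknown[m.group(1)].add(m.group(3).lower())
    return {ip: len(rcpts) for ip, rcpts in unknown.items()
            if len(rcpts) >= min_unknown}

if __name__ == "__main__":
    for ip, count in harvest_suspects(LOG).items():
        print(f"{ip}: {count} distinct unknown recipients")
```
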

