-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brett Cove writes:
> Ryan L. Sun wrote:
> > That explanation makes sense.
> > Spammers show their scripts to us, lol.
>
> Yep, and if anyone was wondering, those ratware templates were supposed to
> generate one of our friendly (and increasingly common) geocities links.
>
> ex) 'http://uk.geocities.com/Freddie_Shuler/?ElxF8=US FDA approves all
> of our'
>
> > > >> http://{%LOGWITHID:{%ROTF:E:\EveryDayDomain\all01.txt%}?{%RND:^<m8>
> > > >> %}={%ROTF:E:\EveryDayDomain\CompanyTest\pharrotates.txt%}%}

interesting!

BTW this google search:

http://www.google.com/search?q=%22everydaydomain%22&filter=0

gives some more results along the same lines, including some more inputs
and outputs. for example:

http://mail.sarai.net/pipermail/aaj-ke-naam/2005-August/005316.html :

http://{%LOGWITHID:{%RND:<m5>.<l5>%}.{%ROTF:E:\EveryDayDomain\all01.txt%}/{%ROTF:E:\EveryDayDomain\GE\fold(TA).txt%}/
{%ROTF:E:\book1done.txt%} {%ROTF:E:\book4done.txt%} {%ROTF:E:\book2done.txt%}
%}

my notes:

- %LOGWITHID: my guess is that it dumps the random data to a log file, so
  that list-washing is possible in response to bounces or domain lookups,
  even with all sorts of data scrubbed (even the URLs).

- bookNdone.txt: Project Gutenberg texts. this results in lines like
  'the beast of burden, which suffers blows and hunger, and works' and
  'through the little grounds, and stopped for no other purpose than to say, '
  in http://lists.ucc.gu.uwa.edu.au/pipermail/ucc/2005-August/012847.html .

- A very very good way to find patterns is to figure out the "random"
  patterns. In some other examples on that google search, and the example
  above, you can see "{%RND:<m5>.<l5>%}" producing e.g. "7KHq.ux", so I
  think <m5> means "mixed upper, lowercase and digits for up to 5 chars"
  and <l5> means "lowercase for up to 5 chars".

- My bet: it's the same spammer, possibly subcontracting to a few
  mail-sending guys. He/she has been producing a *lot* of spam, and
  certainly tries to get past SpamAssassin.

- "EveryDayDomain" doesn't appear in google at all, except in similar
  broken spam. So it's a spammer tool that's being kept very quiet (or
  else is very new).

- http://listes.tice.ac-caen.fr/pipermail/atelier12/2005-August.txt is an
  incredible collection of spam from this spammer ;)

--j.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFC+oIMMJF5cimLx9ARAoTgAJwIUdQ48gCjtYknzwiROTIODDl8vQCfcxxw
CTpW2XuZ+C0e1ipaT1JLYiY=
=HtZd
-----END PGP SIGNATURE-----
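The notes above infer how the leaked template language works (ROTF pulls a line from a file, RND expands placeholders such as `<m5>` and `<l5>`, LOGWITHID wraps the whole thing). As an added example, not code from the thread or from the spammer's tool, here is a small Python scanner written from the defender's side: it flags unexpanded `{%...%}` tags in a message body, lists the file paths the ROTF tags reference, and turns the guessed placeholder classes into a regex so an observed expansion like `7KHq.ux` can be checked against `<m5>.<l5>`. The tag grammar, the extra `<u>`/`<d>` classes, and the handling of the `^` prefix (its meaning is not explained in the thread, so it is ignored) are assumptions; the sample message is constructed from fragments quoted in the thread.

```python
"""Scanner for ratware template residue of the {%TAG:ARG%} form.

Added example; tag names and placeholder semantics follow the guesses
made in the mailing-list post and are assumptions, not a documented spec.
"""
import re
from typing import Dict, List

# Innermost {%NAME:ARG%} tag: ARG may not itself contain "{%".
# re.S lets a tag span line breaks, as the LOGWITHID example in the thread does.
TAG_RE = re.compile(r"\{%([A-Z]+):((?:(?!\{%).)*?)%\}", re.S)

# Placeholder classes inside {%RND:...%}.  <mN> and <lN> follow the post's
# guess; <uN> (uppercase) and <dN> (digits) are assumptions added here.
PLACEHOLDER_CLASSES = {
    "m": "[A-Za-z0-9]",  # mixed upper, lower and digits
    "l": "[a-z]",        # lowercase only
    "u": "[A-Z]",        # assumption
    "d": "[0-9]",        # assumption
}
PLACEHOLDER_RE = re.compile(r"<([mlud])(\d+)>")


def rnd_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn an RND pattern such as '<m5>.<l5>' into an anchored regex that
    matches what the template would expand to (e.g. '7KHq.ux').
    "up to N chars" is read as 1..N characters."""
    # A leading '^' appears in the thread ({%RND:^<m8>%}) with no explanation;
    # it is treated as a modifier and ignored (assumption).
    pattern = pattern.lstrip("^")
    out: List[str] = []
    pos = 0
    for m in PLACEHOLDER_RE.finditer(pattern):
        out.append(re.escape(pattern[pos:m.start()]))  # literal text between placeholders
        cls, n = m.group(1), int(m.group(2))
        out.append(f"{PLACEHOLDER_CLASSES[cls]}{{1,{n}}}")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(out) + "$")


def find_template_residue(body: str) -> List[Dict[str, str]]:
    """Return every unexpanded template tag in the body, innermost first.
    Each matched tag is collapsed to the marker <TAG> so that the enclosing
    tag becomes the next innermost one and nested structures are unwound."""
    found: List[Dict[str, str]] = []
    text = body
    while True:
        m = TAG_RE.search(text)
        if not m:
            return found
        found.append({"tag": m.group(1), "arg": m.group(2)})
        text = text[: m.start()] + "<TAG>" + text[m.end():]


def score_message(body: str) -> Dict[str, object]:
    """Summarise residue for a filter or triage note: any leftover tag means the
    template engine failed to expand, which is a strong spam indicator."""
    tags = find_template_residue(body)
    return {
        "tag_count": len(tags),
        "is_suspicious": len(tags) > 0,
        "rotf_paths": [t["arg"] for t in tags if t["tag"] == "ROTF"],
        "rnd_patterns": [t["arg"] for t in tags if t["tag"] == "RND"],
    }


# Constructed sample body, assembled from fragments quoted in the thread.
SAMPLE_BODY = (
    "Subject: US FDA approves all of our\n"
    "http://{%LOGWITHID:{%RND:<m5>.<l5>%}.{%ROTF:E:\\EveryDayDomain\\all01.txt%}/"
    "{%ROTF:E:\\EveryDayDomain\\GE\\fold(TA).txt%}/ {%ROTF:E:\\book1done.txt%} %}\n"
    "the beast of burden, which suffers blows and hunger, and works\n"
)

if __name__ == "__main__":
    for t in find_template_residue(SAMPLE_BODY):
        print(f"{t['tag']:10} {t['arg']}")
    print(score_message(SAMPLE_BODY))
    # The 'ElxF8' seen in the geocities link above is consistent with {%RND:^<m8>%}.
    print(bool(rnd_pattern_to_regex("^<m8>").match("ElxF8")))
```

Running the scanner on the sample body yields five tags (one RND, three ROTF and the enclosing LOGWITHID, whose argument is reported with the inner tags collapsed to `<TAG>`), and the regex built from `<m5>.<l5>` accepts `7KHq.ux` but rejects `7KHq.UX`, which is the kind of check that confirms or refutes a guessed placeholder meaning.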