On Fri, 20 Oct 2006 11:13:31 -0400, Chris Santerre <[EMAIL PROTECTED]> wrote:
>
>> -----Original Message-----
>> From: Mark Johnson [mailto:[EMAIL PROTECTED]
>> Sent: Friday, October 20, 2006 10:41 AM
>> To: users@spamassassin.apache.org
>> Subject: Re: Psst!
>>
>>
>> Chris Santerre wrote:
>> >
>> >
>> > Just curious, but how many people see spam being sent to usernames
>> > with the first letter dropped? I see a ton in my logs. I believe
>> > spammers figure [EMAIL PROTECTED] will also have a [EMAIL PROTECTED] Too
>> > bad for them...they do not. :)
>> >
>> I am noticing a lot of this. Another thing I'm noticing and am getting a
>> little nervous about is the amount of spam coming in that's basically
>> directed towards us. It's physically coming from other countries, from
>> the from addresses and reply-to addresses are from
>> customers/suppliers/vendors of ours. It's like someone is gathering
>> addresses that they KNOW will be in a whitelist table.
>>
>> Any idea how they could be coordinating something like this? There's
>> too many to be a coincidence...
>
>Actually I've started seeing this as well. I believe it's from trojans
>grabbing the address books of those infected. Then putting a spidered "who
>knows who" sort of thing together.
>
>Originally I saw it faked in alpha order. Like:
>
>From: ABC Widgets
>To: Amazing Widgets Company
>
>I do NOT think that top spammers are that dumb. I believe they are
>hiring some very bright coders. Once a trojan owns a machine, there is no
>telling what they can do. Hell they can go thru Sent Mail and pull the
>addresses right from there. Viruses have been doing it forever, why wouldn't
>zombies do it to get thru spam filters using whitelists.
>
>IMHO it's the beginning of the next evolution.
>
>Thanks,
>
>Chris Santerre
>SysAdmin and Spamfighter
>www.rulesemporium.com
>www.uribl.com
>
>

This is not new, we've been seeing this for a very long time. It seems to be aimed at failover servers mostly.

That makes no odds here since we hold a valid list for all servers, if the addy ain't on it then the mail gets 550'd. Maybe you folks are lucky; but we've been seeing this for well over a year.

Nigel