Peter H. Lemieux writes:
> From this article at eWeek:
> http://www.eweek.com/print_article2/0,1217,a=194218,00.asp
>
> "The recent surge in e-mail spam hawking penny stocks and penis
> enlargement pills is the handiwork of Russian hackers running a botnet
> powered by tens of thousands of hijacked computers.
>
> "Internet security researchers and law enforcement authorities have
> traced the operation to a well-organized hacking gang controlling a
> 70,000-strong peer-to-peer botnet seeded with the SpamThru Trojan."
Definitely. As far as I can tell, the SpamThru upsurge -- that's the "FHARMACY economize more with http://URL" stuff -- is hitting HDR_ORDER_FTSDMCXX*, MID_START_001C, and the XBL and URIBL rules.

There's also another spammer who's creating another very large batch, separately: the C*na Petroleum stock spammer, hitting RCVD_FORGED_WROTE and TVD_STOCK1.

The two sets are quite distinct and on a large scale, and if you look at the rule freqs by contributor, various people have massively differing hitrates on their corpora. For example, HDR_ORDER_FTSDMCXX3 (SpamThru traffic) is 56% of Daryl's corpus, but only 3.4% of zmi's:

http://ruleqa.spamassassin.org/20061116-r475642-n/HDR_ORDER_FTSDMCXX3/detail#DETAILS_all_mass_check_date_rev_20061116_r475642_n

And RCVD_FORGED_WROTE, the stock spammer, is 6.3% of my corpus and only 0.42% of Michael's:

http://ruleqa.spamassassin.org/20061116-r475642-n/RCVD_FORGED_WROTE/detail#DETAILS_all_mass_check_date_rev_20061116_r475642_n

Interesting. Not quite sure what that implies though. ;)

--j.
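The per-contributor hit-rate comparison discussed in the reply above (the kind of breakdown ruleqa shows) can be reproduced over mass-check style output. The following is an added example, not code from the thread or from the SpamAssassin project: it assumes a simplified line layout (`Y`/`.` verdict, score, `contributor/path`, comma-separated rule names), uses constructed sample lines rather than real corpus data, and flags rules whose spam hit rate is lopsided across contributors, which is the signal a rule maintainer would want before letting one person's corpus drive a score.

```python
"""Per-contributor rule hit rates over constructed mass-check style lines (example only)."""
from collections import defaultdict

# Constructed sample in an assumed, simplified mass-check-like layout:
#   <Y|.> <score> <contributor>/<path> <rule,rule,...>
# These are made-up lines for the example, not real ruleqa or corpus data.
SAMPLE_LOG = """\
Y 12 daryl/spam/001 HDR_ORDER_FTSDMCXX3,MID_START_001C,URIBL_BLACK
Y 11 daryl/spam/002 HDR_ORDER_FTSDMCXX3,XBL
Y  9 daryl/spam/003 HDR_ORDER_FTSDMCXX3,URIBL_BLACK
Y  8 daryl/spam/004 RCVD_FORGED_WROTE,TVD_STOCK1
.  2 daryl/ham/001 XBL
Y 10 zmi/spam/001 RCVD_FORGED_WROTE,TVD_STOCK1
Y  7 zmi/spam/002 URIBL_BLACK,MID_START_001C
Y  6 zmi/spam/003 XBL
Y  9 zmi/spam/004 RCVD_FORGED_WROTE
"""


def parse_line(line):
    """Return (is_spam, contributor, set_of_rules) for one line, or None if malformed."""
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("Y", "."):
        return None
    is_spam = parts[0] == "Y"
    contributor = parts[2].split("/", 1)[0]          # first path component names the corpus
    rules = set(filter(None, parts[3].split(",")))   # drop empty names from trailing commas
    return is_spam, contributor, rules


def hit_rates(log_text, spam=True):
    """Percentage of each contributor's spam (or ham, spam=False) messages hitting each rule.

    Every rule seen anywhere is reported for every contributor (0.0 when it never
    fired there), so the rates are directly comparable across corpora.
    """
    counts = defaultdict(lambda: defaultdict(int))
    totals = defaultdict(int)
    all_rules = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] != spam:
            continue
        _, contributor, rules = parsed
        totals[contributor] += 1
        all_rules.update(rules)
        for rule in rules:
            counts[contributor][rule] += 1
    return {
        c: {r: round(100.0 * counts[c][r] / totals[c], 1) for r in sorted(all_rules)}
        for c in sorted(totals)
    }


def skewed_rules(rates, ratio=3.0):
    """Rules whose hit rate differs by more than `ratio` between the highest- and
    lowest-hitting contributor. A corpus where the rule never fires at all counts
    as maximally skewed, since the ratio is undefined there."""
    if not rates:
        return []
    rules = set().union(*(per.keys() for per in rates.values()))
    skewed = []
    for rule in sorted(rules):
        values = [per[rule] for per in rates.values()]
        hi, lo = max(values), min(values)
        if hi > 0 and (lo == 0 or hi / lo > ratio):
            skewed.append(rule)
    return skewed


if __name__ == "__main__":
    rates = hit_rates(SAMPLE_LOG)
    for contributor, per_rule in rates.items():
        print(contributor)
        for rule, pct in per_rule.items():
            print(f"  {rule:<22} {pct:5.1f}% of spam")
    print("lopsided across contributors:", ", ".join(skewed_rules(rates)))
```

With the constructed lines, HDR_ORDER_FTSDMCXX3 fires on 75% of one corpus's spam and 0% of the other's, so it is the only rule reported as lopsided; a rule like that needs corpora from more contributors before its frequency says anything about spam in general.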