On Monday 20 November 2006 19:06, Rick Macdougall wrote:
> John Andersen wrote:
> ... the spammers are not actually
> storing the email addresses on the infected machines, they just send an
> email to go out).
>
> I'm not saying they won't do it, I'm saying they aren't doing it currently.

Actually they have been for some time as an anti-botnet surveillance measure. The newer spambots do a bulk download of recipients and payload, then some time later (hours/days?) start the run after having been disconnected from the controlling IRC channel/web page. By the time the spam run is noticed, all that's left is an autonomous zombie with nothing but SMTP traffic. In fact I would guess that passive spam-relays, that the spammer just connects to as an open relay, are less common due to a large percentage of broadband users being behind NATs. I'm also starting to see more "behave like a real MTA" as well, slowly making greylisting less effective.
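
The greylisting point at the end of the message above, as an added example that is not part of the original post: a minimal triplet greylist that temporarily rejects a first attempt, run against a sender that never retries and one that queues and retries like a real MTA. The 300-second delay, the class and function names, and the sample clients are assumptions made for illustration.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value)


@dataclass
class Greylist:
    # Maps (client IP, envelope sender, recipient) -> time of first attempt.
    first_seen: dict = field(default_factory=dict)

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply code for one delivery attempt."""
        triplet = (ip, sender.lower(), rcpt.lower())
        seen = self.first_seen.setdefault(triplet, now)
        if now - seen < GREYLIST_DELAY:
            return 451  # temporary failure: a queueing MTA will retry
        return 250      # triplet has waited long enough: accept


def deliver(greylist, ip, sender, rcpt, attempt_times):
    """Simulate a client that tries at each time in attempt_times.

    Returns (accepted, attempts_made).
    """
    for n, t in enumerate(attempt_times, 1):
        if greylist.check(ip, sender, rcpt, t) == 250:
            return True, n
    return False, len(attempt_times)


def run_demo():
    gl = Greylist()
    # Constructed sample clients (documentation address ranges).
    # One attempt only, no queue: the message is never delivered.
    no_retry = deliver(gl, "192.0.2.10", "a@example.org",
                       "user@example.net", [0])
    # Retries after 60 s and 900 s, as a queueing MTA would.
    with_retry = deliver(gl, "192.0.2.20", "b@example.org",
                         "user@example.net", [0, 60, 900])
    return no_retry, with_retry


if __name__ == "__main__":
    no_retry, with_retry = run_demo()
    print("single attempt :", no_retry)
    print("queue and retry:", with_retry)
```

Greylisting filters only on whether the sender comes back after the delay, so any client that keeps a retry queue passes it regardless of what it is sending.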