Quoting Justin Mason <[EMAIL PROTECTED]>:


Per Jessen writes:
Check this out

http://jessen.ch/files/spam55.txt

It's a typical spam-email with a single gif advertising drugs.  The gif
is loaded from a website which is listed by uribl.com.

The email has hrefs to the following 'nnnn.com' domains:

MUNGEDjuxl.com - contents named 'NAMESRENTER.COM'
MUNGEDnkhs.com - some online information portal.
MUNGEDarpd.com - leads to website searchportal.information.com
MUNGEDtobp.com - The Opinionated Beer Page
MUNGEDbgys.com - for sale at sedo.com
MUNGEDqrnn.com - ditto.
MUNGEDgzny.com - "No web site is configured at this address."


Does anyone have an idea about the purpose in using these domains in this
way?  Are they random?

yes -- they cause you to waste time looking them up, cause
SpamAssassin to waste time performing URIBL lookups against uribl.com
and surbl, and cause those services to waste time dealing with lookups
in turn and performing QA to ensure they don't get listed as spammy.

Given that the decoy domains are 4 or 5 letters and the actual payload domain often isn't, could that be made into some kind of rule to help ignore the decoys:

1.  See many domains with 4 or 5 letters
2.  See one domain with other than 4 or 5 letters
3.  Check the one domain (preferentially, first, etc.)

Naturally, as soon as such a rule were written the storm template authors would change their template, but still, it could be useful for a while.

Cheers,

Jeff C.
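As an added illustration of the three-step heuristic proposed above (not code from SpamAssassin or from anyone on this thread), here is a small Python sketch that pulls the hostnames out of an HTML body, counts how many have a 4- or 5-letter second-level label, and, when enough of those short "decoy" names appear next to at least one differently sized name, moves the odd ones to the front of the URIBL lookup order. The sample body, the `.invalid` hostnames and the `min_decoys` threshold are constructed placeholders; the second-level-label split is a simplifying assumption (a real implementation would consult a public suffix list).

```python
import re
from urllib.parse import urlparse

# Constructed sample body (placeholder hosts under the reserved .invalid TLD),
# mimicking the layout described in the thread: one image plus several short hrefs.
SAMPLE_HTML = """<html><body>
<a href="http://abcd.invalid/">x</a>
<a href="http://efgh.invalid/">x</a>
<a href="http://ijklm.invalid/">x</a>
<a href="HTTP://NOPQ.invalid/index.htm">x</a>
<img src="http://constructed-pharma-host.invalid/pill.gif">
<a href="http://abcd.invalid/again">x</a>
</body></html>"""

# Matches the URL in href="..." or src="..." attributes (quotes optional).
URL_RE = re.compile(r'(?:href|src)\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)


def extract_hosts(html):
    """Return the distinct hostnames referenced by href/src, in first-seen order."""
    seen = []
    for url in URL_RE.findall(html):
        host = urlparse(url).hostname  # lower-cased, port and userinfo stripped
        if host and host not in seen:
            seen.append(host)
    return seen


def second_level_label(host):
    """Label immediately left of the TLD.

    Assumption: a plain two-level name is enough for this sketch; real
    deployments should use a public suffix list to find the registrable part.
    """
    parts = host.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def rank_for_lookup(hosts, decoy_lengths=(4, 5), min_decoys=3):
    """Apply the proposed heuristic and return (ordered_hosts, pattern_matched).

    Step 1: count hosts whose second-level label is 4 or 5 characters.
    Step 2: find hosts whose label length is anything else.
    Step 3: if enough short ones appear alongside at least one other,
            put the others first so lookups reach the likely payload before
            the decoys. Otherwise keep the original order.
    The ordering only prioritises lookups; it does not by itself score mail.
    """
    short = [h for h in hosts if len(second_level_label(h)) in decoy_lengths]
    other = [h for h in hosts if len(second_level_label(h)) not in decoy_lengths]
    if len(short) >= min_decoys and other:
        return other + short, True
    return list(hosts), False


if __name__ == "__main__":
    found = extract_hosts(SAMPLE_HTML)
    ordered, matched = rank_for_lookup(found)
    print("decoy pattern matched:", matched)
    for host in ordered:
        print(host)
```

Running it on the constructed body prints the long hostname first, followed by the four short ones; on a message with fewer than three short-label hosts (or none of any other length) the original order is returned untouched, which is the safe default since legitimate mail can also carry a few short domain names.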
