Thanks Alex! :)
As Alex's rules imply, it switched over to 100% image spam
(in my spamtraps), and continued its excellent syncing.
Just on April 11, the volume more than tripled, and it hit many
different spamtraps than all previous days. Some of those traps
had never been hit before, and/or are of "esoteric" origin.
Today, it's completely gone.
Instead, I'm seeing what looks like another calibration run.
What's odd is that _ALL_ the Message-IDs are of the form:
<99999999999.9999999...@f99.my.com>
where "9" is a number.
Note that the "f99" is either one or two digits (mostly two).
As I mentioned, the image spams' generated Message-IDs were also
consistent. Whenever the next payload hits, there's a fair chance
there may a useful pattern in that field.
I've also seen at least three new waves of malware attachments,
all small, and hitting some of the rare traps that the
stock and calibration payloads have hit.
I have NEVER seen anything like this botnet.
- "Chip"
P.S. If it's of use to anybody, we maintain a list of
scammed stock symbols and scammer phone numbers:
http://puffin.net/software/spam/symbols.php
I'm planning to do some datamining to publish date ranges
just for the stock symbols.
That will have to wait until I've finished my MASSIVE Snowshoe
datamining and publishing effort. Stay tuned for that, probably
in dribs & drabs as my work schedule permits. :)
