Random musing about words and spam

Thomas Shaddack shaddack at ns.arachne.cz
Thu Sep 4 10:15:33 PDT 2003


On Wed, 3 Sep 2003, John Kozubik wrote:

> I must reiterate that, given the relentless efficiency of spam-spiders,
> merely publishing a shadow email address on all web documents that your
> real email address reside on, and deleting all email sent to both accounts
> is my current favorite anti-spam mechanism.  Simple to DIY, and requires
> no centralization.

There is a high potential to falsely block innocent addresses. The most
common reason these days will be a worm activity.

To quote from spamNEWS 09/02/03:


SOBIG.F OBSERVATION - Lockergnome 8/31/2003
http://click.wh5.com/redirect.php?c=17825&u=46r9niwjatrv4g6m

I observed back on Tuesday that my Symantec SMTP gateway was stopping SoBig.F
subject lines coming from spammers (i.e., blocked via DNSBL) at over 3 times the
rate that I was seeing them from Joe user types. Further, I noticed that they
were sending even more SoBig.F emails than they were spam. So, why would
spammers who make their living by generating emails allow their servers to be
compromised? They didn't. They are doing this on purpose and I have a theory for
this. I call it my echo theory.

Say that, as a spammer, you know one or more of the addresses in your database
is to a spam trap - but you don't know which one. You generate LOTS of SoBig.F
emails on purpose, using your database for the forged-from addresses. Now,
JoeUser has his server or client antivirus filter setup to send a reply when it
encounters a virus (which is a very BAD thing, after Klez taught us about the
virtues of forged addresses).

Dutifully, JoeUser's email server or client automatically sends a helpful note
off to "SpamTrap," informing them that they are infected. Often these replies
even extol how much smarter they are than "SpamTrap" because they caught it, but
"SpamTrap" did not. Heck, let's even send an email to the postmaster at
SpamBait's ISP, telling him / her how much better the BrandX filter is that
JoeUser is using... but I digress.

The email server at SpamBait's ISP sees an email to SpamTrap and says "Ah hah,
JoeUser's ISP must obviously be a spammer, so load his IP address into our DNSBL
servers."

JoeUser now sends a legitimate email to me SmartUser at IuseDNSBL.com and it, of
course, bounces. JoeUser now calls me and asks why he was blacklisted. After
some diligent effort on my part, I find that DNSBL.SpamBait.com is saying half
of my customers and suppliers are spammers. I have a business to run, so I turn
off DNSBL on my gateway and - lo and behold - all of the spammers' emails that
were being blocked due to DNSBL are now allowed to come through. That is my echo
theory. That is why spammers are using half their bandwidth to send SoBig.F.

[Thanks to reader Stephen Whitis for the tip - ed.]
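The "very BAD thing" in the quoted piece is a gateway that emails a "you are infected" note to the From address of a worm. An added example (not from the post or from any product it mentions) of the decision a gateway should make instead, applied to constructed sample headers; the function name and the three outcomes are my own labels:

```python
from email import message_from_string


def notification_policy(raw: str, malware_detected: bool, in_smtp_session: bool) -> str:
    """Decide what an inbound gateway does with a message instead of blindly
    emailing the apparent sender.

    Returns one of (labels chosen for this example):
      "reject-in-session" - answer 5xx while the sending MTA is still connected,
                            so any bounce is that MTA's problem, not ours
      "discard"           - drop silently; a reply would be backscatter
      "notify"            - a reply to the sender is defensible
    """
    msg = message_from_string(raw)

    if malware_detected:
        # Worms such as SoBig.F forge the sender. A note to that address lands on
        # an innocent third party or a spam trap (the "echo" in the post) and is
        # sent from OUR IP, which is what gets us listed.
        return "reject-in-session" if in_smtp_session else "discard"

    if msg.get("Return-Path", "").strip() == "<>":
        return "discard"  # null reverse-path: never reply to a bounce

    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return "discard"  # RFC 3834: do not reply to auto-generated mail

    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk") or msg.get("List-Id"):
        return "discard"  # list/bulk traffic: replies just create noise

    return "notify"


# Constructed samples (not real traffic). Attachments omitted.
WORM_FORGED_FROM = (
    "Return-Path: <spamtrap@example.net>\nFrom: spamtrap@example.net\n"
    "To: joeuser@example.com\nSubject: Re: Details\n\nSee the attached file.\n"
)
LEGIT_MAIL = (
    "Return-Path: <alice@example.org>\nFrom: alice@example.org\n"
    "To: joeuser@example.com\nSubject: invoice\n\nHi Joe, invoice attached.\n"
)
BOUNCE = (
    "Return-Path: <>\nFrom: MAILER-DAEMON@example.org\nAuto-Submitted: auto-replied\n"
    "To: joeuser@example.com\nSubject: Undeliverable\n\nYour message could not be delivered.\n"
)
```

The worm case is the one the post is about: whether or not the gateway is still in the SMTP session, it never generates a new message to the forged sender.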
