-
My Theory on Spam
Posted on July 12th, 2006
(Let’s hope my internet connection doesn’t die while I’m doing this…)
As I previously stated, I have gotten a bunch of emails from a few different hosts. They all obviously have something in common, but I cannot be sure what. The content is similar, but IPs never correspond and they even go to different emails of mine. I apparently am not alone. What this reminds me of is spam list checks. That refers to hackers/crackers/phishers going through lists of email addresses to see which ones are valid and what gets through. This appears to be another, but with a twist.
Ok, let’s start with what we know: the IPs. This is always a good place to start. If you take the IPs and go back, you’ll find residential IPs. These don’t have much in common that I can see except they all are residential (one was from Spain, another from Israel, so you can see location varies). The sites themselves that are being “used” seem to be your average, everyday crappy web site. (1-tek.com has been under construction since 2002.) This implies that there is probably a weak SMTP server (outgoing mail) on those sites that is just being used to bounce messages. So we have messages coming from a random house and going to a random server and then coming to me. Here’s where we start noticing little things.
Ok, on all of the messages, the headers are pretty limited. Only one of them contains an X-Mailer header, which is of The Bat! (v 2.02). The Bat! is a valid client program, but there’s something else you should realize: The Bat! is up to 3.5 or 3.8 (can’t remember which). Also, a piece of software called Advanced Mass Sender by kbbsoftware will use that mailer as one of the defaults for sending out massive amounts of mail. Hm… so random clients are using a mass mailer (for Windows including 98) to hit weak and non-existent servers to send out lists. Why?
This is where I start to really theorize/guess. Any good hacker doesn’t send out anything from a computer that can be tracked back. You make “zombies” and use those. These tend to be random civilians that can be exploited. These civilians run Windows, frequently old and unpatched, with little to no internet security software. Also, some security firms have started stumbling upon these caches of user data. They need to be tested and sorted. What better way than random zombies?
The difference in headers leads me to think that the domains that are being used are a means of categorizing the data. Other than that, they could just be what was available to distribute the load. Anyway, those are my thoughts on the subject. Please contribute yours below. I’m quite aware that I could be wrong.
-
Spam and damn
Posted on July 12th, 2006
First, you can be amused by the fact that I just complimented my MacBook… and had to reformat it last night. Note to users: don’t put your computer to sleep (close lid) when it’s doing an update of the operating system. I’d love to send that message to Apple, but I don’t know who to send it to. That was fun. That takes care of “damn.”
Also, I’ve been getting a bunch of random (spam?) messages at a bunch of my email addresses. I know I am on just about every spam list known to man, but these are just weird. The subject is always 3 characters long. It’s always uppercase letters (ISO-8859-1 encoding) and might contain a number (like Y7V). The message is a bunch of random phrases together separated by line breaks and tabs. They seem to be relayed from various domains (like 0451.com, 1-tek.com and mail.ru). If anyone knows what this is, I’d love to know. This is one sent to quad341@quad341.com (which I bounce to my gmail account).
X-Gmail-Received: 6298d862a38bfcb18ae605eb0f55f8fdee66edd2
Delivered-To: quad341@gmail.com
Received: by 10.78.29.5 with SMTP id c5cs13622huc;
Wed, 12 Jul 2006 10:18:16 -0700 (PDT)
Received: by 10.54.93.15 with SMTP id q15mr1081664wrb;
Wed, 12 Jul 2006 10:18:15 -0700 (PDT)
Return-Path: <abcd8355633 @0451.com>
Received: from host.qqnx.com ([216.120.255.149])
by mx.gmail.com with ESMTP id 6si1609978wrh.2006.07.12.10.18.15;
Wed, 12 Jul 2006 10:18:15 -0700 (PDT)
Received-SPF: neutral (gmail.com: 216.120.255.149 is neither permitted nor denied by domain of abcd8355633@0451.com)
Received: from [196.202.85.188] (helo=brmail1.brassring.com)
by host.quad341.com with esmtp (Exim 4.52)
id 1G0iLZ-0007xn-QG
for quad341@quad341.com; Wed, 12 Jul 2006 12:18:08 -0500
Message-ID: <662161c8060436r0gr8rhvq2pc7s9r2cwvrelnel2zel345@mail.0451.com>
Date: Wed, 12 Jul 2006 18:21:15 -0060
From: "Bonita Sierra" <bonitasierra @0451.com>
To: quad341@quad341.com
Subject: XI5
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Spam: Not detected
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.qqnx.com
X-AntiAbuse: Original Domain - quad341.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - 0451.com
X-Source:
X-Source-Args:
X-Source-Dir:

scientific community when questions come up on implementing UN decisions
in ten thousand years. The Law said stay; Jonathan said go; and by now he
So I decided the hell with it. The last time I had gone into the Zone at
"I do " he said softly.

Anyone know anything or getting something similar?
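The header-tracing both posts describe (walk the Received chain back to the originating host, then compare what that host claimed about itself with the envelope sender) as an added example, not code from the original posts. The sample headers are constructed from the message quoted above, with the spaces the blog inserted into the addresses removed; the checks only flag the observations the posts already make (an origin with no hostname, a HELO name unrelated to the Return-Path domain, a three-character uppercase subject).

```python
import re
from email import message_from_string

# Constructed sample: the Received/Return-Path/From/Subject headers quoted in the post above,
# folded as a mail server would emit them (the host.qqnx.com hop is kept exactly as shown there).
RAW = """Return-Path: <abcd8355633@0451.com>
Received: from host.qqnx.com ([216.120.255.149])
 by mx.gmail.com with ESMTP id 6si1609978wrh.2006.07.12.10.18.15;
 Wed, 12 Jul 2006 10:18:15 -0700 (PDT)
Received: from [196.202.85.188] (helo=brmail1.brassring.com)
 by host.quad341.com with esmtp (Exim 4.52)
 id 1G0iLZ-0007xn-QG
 for quad341@quad341.com; Wed, 12 Jul 2006 12:18:08 -0500
From: "Bonita Sierra" <bonitasierra@0451.com>
Subject: XI5
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?.*?\bby\s+(\S+)")


def relay_chain(raw):
    """Return the Received hops oldest-first as dicts: claimed name, ip, helo, receiving host."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):  # top = newest
        flat = " ".join(value.split())  # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue
        name, paren, by = m.group(1), m.group(2) or "", m.group(3)
        ip = IP_RE.search(flat)
        helo = re.search(r"helo=([^\s)]+)", paren)
        hops.append({"name": name, "ip": ip.group(1) if ip else None,
                     "helo": helo.group(1) if helo else name, "by": by})
    return hops


def findings(raw):
    """Checks suggested by the post's observations; returns short notes for an analyst."""
    msg = message_from_string(raw)
    origin = relay_chain(raw)[0]
    notes = []
    if origin["name"].startswith("["):  # first hop identified itself only by IP address
        notes.append(f"origin {origin['ip']} gave no hostname; HELO claimed {origin['helo']}")
    rp_domain = msg["Return-Path"].strip("<>").rsplit("@", 1)[-1]
    if not origin["helo"].endswith(rp_domain):
        notes.append(f"Return-Path domain {rp_domain} does not match origin HELO {origin['helo']}")
    if re.fullmatch(r"[A-Z0-9]{3}", msg["Subject"] or ""):
        notes.append(f"subject {msg['Subject']!r} fits the 3-character pattern the post describes")
    return notes
```

The first element of `relay_chain(RAW)` is the hop an abuse report should name; the later hops are relays whose operators only forwarded the message.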