Saturday, May 01, 2004

Well, it's happened - a whole ton of mails for "ciallais", all sent to a different word at my domain. I don't know how they know that it works, but blah. Interestingly, it looks like it happened in 3 stages:

  1. Each mail sent to random words @ different domains (,, etc.)

  2. Each mail sent to a set of random words @ my domain.

  3. Each mail sent to ONE random word @ my domain.

Interesting things of note:

  • The mails are sent in alphabetical order, e.g. "a...@mydomain", "b...@mydomain", "c...@", etc.

  • But the mails come from a variety of domains and IP addresses, in no particular order - I think this is the result of an "army of drones", i.e. virus-infected PCs controlled via IRC or similar.

  • Randomised elements include the "mailer version" and the URL printed in the body (at least, the domain appears to be a random subdomain plus one of a small selection of domains, while the part of the address after the domain stays the same). The message body is otherwise identical in all of them, by the looks of it.

  • There are 2 (different) X-Message-Info fields. One still contains a directive for the spam generator's template engine that was never expanded: "%ND_LC_CHAR[1-3]" - I've seen this before.

I think it would be easy to rip out the post-domain part of the URL and check future messages for it, which would stop me getting 100+ e-mails again. But otherwise, more thought is needed. Maybe Mozilla Coffee will help!
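One way to act on that idea, as an added example that is not part of the original post: since only the subdomain and domain are randomised, it keeps just the part of each URL after the domain, learns the path shared across a wave, and also flags messages whose X-Message-Info header still carries an unexpanded template token like "%ND_LC_CHAR[1-3]". The messages, domains and the "/in.php?id=77" path are constructed for the example.

```python
import re
from collections import Counter
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample messages (not from the original post): two spam mails sharing one
# URL path behind different random domains, one of them leaking an unexpanded template token.
SAMPLES = [
"""From: a@example.org
To: apple@mydomain.example
X-Message-Info: JGTYoqQPMN
X-Message-Info: %ND_LC_CHAR[1-3]

Buy now http://qzx.pharm-one.example/in.php?id=77
""",
"""From: b@example.net
To: bagel@mydomain.example
X-Message-Info: kdH5vQw

Buy now http://rtp.pharm-two.example/in.php?id=77
""",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
TEMPLATE_TOKEN_RE = re.compile(r"%[A-Z_]+\[[^\]]*\]")  # e.g. %ND_LC_CHAR[1-3]

def url_paths(raw):
    """Post-domain part (path plus query) of each URL in the body; the random domain is dropped."""
    parts = [urlparse(u) for u in URL_RE.findall(message_from_string(raw).get_payload())]
    return [p.path + ("?" + p.query if p.query else "") for p in parts]

def has_unexpanded_token(raw):
    """True if any X-Message-Info header still carries a template directive the spamware never filled in."""
    return any(TEMPLATE_TOKEN_RE.search(h) for h in message_from_string(raw).get_all("X-Message-Info", []))

def shared_paths(raws):
    """Paths that occur in more than one message of a wave: the fingerprint worth blocking on."""
    counts = Counter(p for raw in raws for p in set(url_paths(raw)))
    return {p for p, n in counts.items() if n > 1}

def classify(raw, blocked_paths):
    """Reasons to reject a message; an empty list means it looks clean."""
    reasons = []
    if any(p in blocked_paths for p in url_paths(raw)):
        reasons.append("known-spam-url-path")
    if has_unexpanded_token(raw):
        reasons.append("unexpanded-template-token")
    return reasons

BLOCKED = shared_paths(SAMPLES)  # learned from the first wave, reused against later mails
```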

