Spammers using modified addresses

Postby JosLeas » Fri Apr 04, 2008 12:33 pm

Hi,

I'm new to the forums but have been using Spamgourmet constantly for nearly 5 years and it has saved me from over 36,000 spam messages.

A spammer has started using one of my Spamgourmet addresses when sending out spam, but they are not just using the original address I created. They are adding a letter or two to the beginning of the address and creating their own new addresses using my Spamgourmet account. I received over 200 bounced/return-to-sender emails this morning. It's hopefully no longer a problem for me because I've followed the advice in the FAQ and have added and enforced a watch word. However,

1) Will this cause problems for Spamgourmet, or xoxy.net as that's the address I usually use and is currently being used by the spammers? Will this get them added to black lists?

2) Do I need to report this to anyone at Spamgourmet?

3) Is this an existing, known issue or possibly the beginning of a new problem?

Thanks,
Jos
JosLeas
 
Posts: 8
Joined: Fri Apr 04, 2008 12:22 pm

Postby josh » Fri Apr 04, 2008 2:31 pm

We've seen some of that recently. I'm not worried about winding up on blacklists, because the list managers are smart enough to see that the spam messages are not being sent through our server -- as you know, anyone can put anything they want as the "from" address for email, so it's the sending server that folks look at.

I'm not sure why they're doing this (maybe to try and fake out sender-callback-verification on the receiving servers? I thought no one was using that anyway, because of its vulnerability to abuses like this one) - watchword protection does stop it from happening.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby JosLeas » Sat Apr 05, 2008 9:50 pm

Hi Josh, thanks for your reply. It's good to hear that it's unlikely to be a problem for Spamgourmet. I think Spamgourmet is a brilliant idea and use it all the time. It's also great that there was a solution ready and waiting. Just have to remember to use my watch word now...

Thanks again,
Jos
JosLeas
 
Posts: 8
Joined: Fri Apr 04, 2008 12:22 pm

Postby kevins10 » Sat Apr 12, 2008 4:32 am

Just wanted to note that this happened to me just a few hours ago, all of a sudden I had bounces coming in for tons of addresses. :shock: I too turned on watchwords to stop it.

On another note, isn't backscatter spam annoying? :(
kevins10
 
Posts: 11
Joined: Sat Apr 12, 2008 4:15 am

Postby JosLeas » Sat Apr 12, 2008 12:45 pm

Yes, very annoying. I had to abandon a personal domain email address because of this. At its worst I was receiving over 5,000 bounce messages a day!!! It's one of the main reasons I started using spamgourmet and have also disguised email addresses on my business web site. You would think there would be some way for software to recognise forged sender addresses by now, possibly by comparing the originating IP address with the sender's domain IP address?
JosLeas
 
Posts: 8
Joined: Fri Apr 04, 2008 12:22 pm

Same Here

Postby Trashpicker » Sat Apr 12, 2008 1:56 pm

I've been seeing the same thing on my account - at an equivalent volume as reported above. It looks like the same strategy - prefixing a few numbers or letters in front of a common base string.

i.e.:

6csysopt: message 1 of 20
zhsysopt: message 1 of 20
qzsysopt: message 1 of 20

and so on...
Trashpicker
 
Posts: 5
Joined: Fri Sep 21, 2007 1:06 am

Postby kevins10 » Sat Apr 12, 2008 2:44 pm

I should add that in my case they're building off an actual legit address, I'm guessing that the site that address was for got hacked. I find it a bit disturbing that it sounds like this is being done to Spam Gourmet addresses spammers have gathered from different sites. TrashPicker's address portion (sysopt) sounds unlikely to be from the same site as the address they used on me (freefor.catholics) so this apparently isn't a case of one spammer compromising one site and deciding to essentially attack Spam Gourmet users. In my case the address was created 2004-02-17 20:06, and has 3,297 spams eaten. I suspect a good chunk of those were from yesterday. I can even tell you exactly which site that address was for, who I may contact and ask exactly how the hell spammers got the address that only THEY ever saw. That might be worth the entertainment value to hear their explanation. :lol:

It definitely appears to be quite deliberate, they obviously know they're dealing with Spam Gourmet addresses and for the most part every address they created before I shut them down has had exactly one message received at it. I have no clue what they're up to as it's NOT helping them get spam delivered, most of the bounces I received were actually rejections of the messages as spam. I'm seriously thinking they're doing it just to lash out at Spam Gourmet users because we're making their lives difficult. (Of course overlooking the fact that we wouldn't buy their (probably illegal and deadly) crap anyway.)

Spam Gourmet's great though, I've been using it since 2003 and it's blocked nearly 189,000 spams for me so far. Sadly three addresses (corresponding to three sites) account for around 90% of that total. (Of course I suspected those sites would spam me when I signed up, boy was I right! :shock:)
kevins10
 
Posts: 11
Joined: Sat Apr 12, 2008 4:15 am

Postby JosLeas » Sat Apr 12, 2008 2:47 pm

This is more or less what happened with my personal email address (they just used random characters before the @) so I suppose it was just a matter of time before it happened to SG addresses. It's good that SG already have a strategy to stop it being an issue (watchwords), though it's a shame it's necessary.

Is there any risk to SG if the number of these emails increased dramatically? As mentioned before, I was receiving 5000+ bounce messages a day from a single address at one point. Would this level of emails for multiple accounts overstretch the system?
JosLeas
 
Posts: 8
Joined: Fri Apr 04, 2008 12:22 pm

More info

Postby Trashpicker » Sat Apr 12, 2008 7:19 pm

If anyone's interested, here's a grab of the spammer addresses. I first started noticing this a couple of days ago and looked around for a breach with Gmail, my primary account. Turns out there had been something going on with their CAPTCHA being cracked (click below for more on this), but it seems doubtful that the two are related, unless Gmail is a common thread..?

Gmail CAPTCHA: http://news.google.com/news?q=gmail+captcha

Screen Cap of my Spammer addresses: http://images.yetiwisdom.multiply.com/image/3/photos/1/orig/2/2008-04-12_150753.jpg?et=77dI0TknEZXt5KO%2B%2CVi%2BnQ&nmid=89899086
Trashpicker
 
Posts: 5
Joined: Fri Sep 21, 2007 1:06 am

Postby JosLeas » Sat Apr 12, 2008 8:00 pm

I'm not using Gmail. The screen shot of the addresses created by the spammer is exactly how mine appears too.

I think this is the header of one of the spam messages, it was included as an attachment in one of the bounce messages. I don't suppose it includes any useful information, but just in case... I've changed my address (to my_SG_ac) and the address of the person who received the spam and sent the bounce message to me (to receivingcompany). The received from IP address at the top is registered to:

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

The address the spammer added the characters to was used on a web forum and Spamgourmet has saved me from 3210 spam messages to that address so far.

==========================

Received: from 60.254.57.190 ([60.254.57.190]) by townexch.receivingcompany.com with Microsoft SMTPSVC(6.0.3790.1830);
Thu, 3 Apr 2008 22:57:34 -0500
Message-ID: <000501c89609$038ad076$dc0eef8c@bdafvx>
From: "gregg hee" <f7glutenfree.j.my_SG_ac@xoxy.net>
To: <enr@receivingcompany.com>
Subject: To: enr
Date: Fri, 04 Apr 2008 02:20:24 +0000
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: postmaster@receivingcompany.com <+f7glutenfree+my_SG_ac+83431a7707.postmaster#receivingcompany.com@spamgourmet.com>
X-OriginalArrivalTime: 04 Apr 2008 03:57:35.0346 (UTC) FILETIME=[04246D20:01C89608]
X-TM-AS-Product-Ver: SMEX-7.0.0.1526-5.0.1023-15828.004
X-TM-AS-Result: Yes-29.600400-4.000000-3
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0002_01C89609.038A0CE4"

------=_NextPart_000_0002_01C89609.038A0CE4
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
JosLeas
 
Posts: 8
Joined: Fri Apr 04, 2008 12:22 pm

Postby munge » Sun May 04, 2008 8:38 pm

The same thing has happened to me twice (to two different long-dead addresses that have each received thousands of eaten spams). The first time was in March--about 70 new addresses showed up in my spamgourmet acct that day. The second time was today--about 20 new addresses have shown up today. It hasn't been a big problem because most of the bounces are going straight to my trash (I put a filter on e-mails with the phrase "message 1 of 20" in the subject line).

If the people who are sending the spam continue with the same tactics, I don't think a watchword would be a long-term solution unless I change the watchword every once in a while as suggested in the spamgourmet FAQ. The spammers would be adding random characters to the left of an address that included the watchword, so the bounces would be sent to addresses that contain the watchword. For example, if my watchword was soap, then bounces addressed to:

1aqsaddlesoap.4.spamcowboy@spamgourmet.com

or

_czsaddlesoap.4.spamcowboy@spamgourmet.com

would get through.

Wouldn't a prefix be a better solution? If I used the prefix
currentprefix

then all these newly-created spam addresses would be something like:

1aqcurrentprefix.someword.4.spamcowboy@spamgourmet.com

or

_czcurrentprefix.someword.4.spamcowboy@spamgourmet.com

and the bounces would therefore be eaten. Or am I missing something? Thanks for any advice anyone can give.
munge
 
Posts: 1
Joined: Sun May 04, 2008 1:47 pm
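As an added illustration (not Spamgourmet's code and not part of the original thread), a small Python model of the watchword-versus-prefix argument above and of the prefixed-variant pattern Trashpicker described; the address grammar, the domain list and the "N must be a number" rule are simplifying assumptions.

```python
from collections import Counter
from typing import Iterable, Optional, Tuple

# Simplified model of the disposable-address forms quoted in the thread:
#   saddlesoap.4.spamcowboy@spamgourmet.com              (word.N.user)
#   currentprefix.someword.4.spamcowboy@spamgourmet.com  (prefix.word.N.user)
# Illustrative re-implementation only, not Spamgourmet's own code; the
# domain list and the "N must be a number" rule are simplifying assumptions.
DOMAINS = {"spamgourmet.com", "xoxy.net"}

def parse(address: str) -> Optional[Tuple[str, str, int, str]]:
    """Return (prefix, word, count, user), or None if the shape is wrong.
    prefix is '' for the plain three-label form."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or domain not in DOMAINS:
        return None
    labels = local.split(".")
    if len(labels) < 3 or not labels[-2].isdigit():
        return None
    return ".".join(labels[:-3]), labels[-3], int(labels[-2]), labels[-1]

def accepted_with_watchword(address: str, watchword: str) -> bool:
    """Watchword policy as munge describes it: the word only has to contain
    the watchword, so junk glued to the front of the word still passes."""
    parsed = parse(address)
    return parsed is not None and watchword in parsed[1]

def accepted_with_prefix(address: str, prefix: str) -> bool:
    """Prefix policy: the leading label must be exactly the prefix. Junk
    glued to the front changes that label, so the address is eaten."""
    parsed = parse(address)
    return parsed is not None and parsed[0] == prefix

def prefixed_variants(addresses: Iterable[str], base: str) -> Counter:
    """Detection helper: tally the junk prefixes glued to a known base word
    (the '6csysopt', 'zhsysopt', ... pattern Trashpicker reported)."""
    junk: Counter = Counter()
    for addr in addresses:
        parsed = parse(addr)
        if parsed is None:
            continue
        word = parsed[1]
        if word != base and word.endswith(base):
            junk[word[: -len(base)]] += 1
    return junk

if __name__ == "__main__":
    # Constructed sample addresses built from the forms quoted in the thread.
    for a in ("saddlesoap.4.spamcowboy@spamgourmet.com",
              "1aqsaddlesoap.4.spamcowboy@spamgourmet.com"):
        print(a, "watchword 'soap' passes:", accepted_with_watchword(a, "soap"))
    for a in ("currentprefix.someword.4.spamcowboy@spamgourmet.com",
              "_czcurrentprefix.someword.4.spamcowboy@spamgourmet.com"):
        print(a, "prefix passes:", accepted_with_prefix(a, "currentprefix"))
    burst = ["6csysopt.4.user@spamgourmet.com", "zhsysopt.4.user@spamgourmet.com",
             "qzsysopt.4.user@spamgourmet.com", "sysopt.4.user@spamgourmet.com"]
    print("junk prefixes seen on 'sysopt':", dict(prefixed_variants(burst, "sysopt")))
```

Under the watchword policy both "saddlesoap" addresses pass, while under the prefix policy only the unmodified one does; the tally shows how many distinct junk prefixes have been glued to a base word you know is yours.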

Postby JosLeas » Mon May 05, 2008 12:08 am

That would work until the spammers realised and started adding random strings just before the @. I think you will need to change the watch word periodically.

I removed my watch word last week and haven't had a repeat of the problem. Hopefully it's not something that's going to become a regular occurrence. Watch words are OK but I sometimes forget to use them. I can't see what benefit they gain from doing this.
JosLeas
 
Posts: 8
Joined: Fri Apr 04, 2008 12:22 pm

Modified Address Spammers, part Deux

Postby Trashpicker » Mon May 05, 2008 3:45 pm

It's happening again on my account:

Trashpicker
 
Posts: 5
Joined: Fri Sep 21, 2007 1:06 am

Postby josh » Tue May 06, 2008 3:24 pm

I don't think the spammers really care whether you get any of the bounces.

They *may* be trying to hurt spamgourmet by flooding the server with bounces and creating a bunch of new addresses, but if they really wanted to hurt spamgourmet that way, seems like they'd just point a script directly at the server instead of waiting for bounces to do the job (yes a single source would be easy to block, but presumably the spammers control botnets, or they wouldn't be delivering anything to anyone anyway). Using watchwords doesn't help with the flood of email, but helps a lot with the creation of addresses, so *thanks* to anyone who's using them.

What I *think* is happening, especially in light of the fact that the same method is being used for non-spamgourmet addresses, is that a number of legit servers have implemented sender call-back checks (which attempt to validate the address in the "From" field by initiating a dialog with the SMTP server of the address and seeing whether they get an error that the user's not found) -- since spamgourmet (and other servers) are pretty liberal with regard to the address forms we'll accept (provided you stick to the prescribed syntax), they're probably using us to merely not error out when their victim server does a call-back.

This sucks -- sender callback is not a recommended approach for just this issue -- it doesn't slow down the spammers at all, because they can simply use valid or catchall addresses as their "From" addresses (they couldn't care less whether anyone responds to the spam message positively or otherwise, since they really want their victims to follow links) and so they'll happily redirect any replies - positive or otherwise - to some unsuspecting victim whose mail server will simply not error out when the spam recipient's server does a callback. Call it "constructive-joe-jobbing" -- the owner of the "From" address isn't an intended victim like in the original Joe Job, but his/her SMTP server is an unwitting participant in the spammer's activity, and both the server and the user are collateral victims.

Not much getting around this until things change -- hopefully whoever's using callbacks will stop, and the spammers will stop going to the trouble of constructive-joe-jobbing like they are now.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Postby foo-bar » Sat May 10, 2008 1:41 am

The watchword trick is not working for me. Spammers are taking one of my spamgourmet addresses (rules.x.foo-bar@spamgourmet.com) and adding various single letters, characters, and digits to the front of the address. I get the rejected mails, regardless of watchwords, from all such addresses that have already been created (at least fifty of them).

The best fix, the easiest fix, would be to have anti-watchword. It would be nice if I could have anything with the word "rules" in it eliminated.

Failing that, I'd like to eliminate my account and create a new one.

I've been using spamgourmet since 2005, and I love it. It's pure genius. Of course it won't be defeated in this silly way, but these rejected mails are annoying.
foo-bar
 
Posts: 1
Joined: Sat May 10, 2008 1:09 am
