Ongoing topic - spammer-generated sg addresses

General discussion re sg.

Post by sg-since03 » Sun Sep 02, 2007 9:53 am

"SG users getting mail on addresses they did not create"; most times this is reported, someone suggests using watchwords. Watchwords aren't worth the effort for my infrequent occurrences, but they sure are weird.

Here's two examples with dates. First address is my own "creation," others are spammer-generated "copies." Both were to entities I judged "likely to spam," although the spam came from other sources. ("Affiliates"??)

All the following precede "<myusername>@xoxy.net":

2004-07-19: toto.1.
2006-08-03: ttoto.1.

2004-07-25: getstuffed.at.
2006-08-07: tgetstuffed.at.
2006-11-20: stuffed.at.
2007-09-01: |getstuffed.at.

Notes:
1. The last address is not a typo. The fiend really did use the delimiter [?] character [the character above the backslash].
2. I stopped using numbers and letters-as-numbers [eg "at"] in mid-2005, so these copycat addresses are easy to spot.

The time lag is what I find most interesting, next to the odd parsing. Any updates on how this works, i.e., is it deliberate or an email program's glitch?
sg-since03
 
Posts: 46
Joined: Sun Sep 02, 2007 9:11 am

Post by josh » Tue Sep 04, 2007 2:49 pm

that doesn't look like a software glitch to me.
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm

Re: Ongoing topic - spammer-generated sg addresses

Post by vellire » Tue Sep 04, 2007 7:52 pm

sg-since03 wrote:
Notes:
1. The last address is not a typo. The fiend really did use the delimiter [?] character [the character above the backslash].


As I mentioned in another thread, just today I received one with the same formatting - |freecycle - but I was using recursor.net.
vellire
 
Posts: 27
Joined: Tue Jan 27, 2004 7:42 pm

Re: replies/other thread

Post by sg-since03 » Tue Sep 04, 2007 9:15 pm

Thanks Josh & vellire for your replies, and thanks vellire for pointing me to a thoughtful thread on this subject.

SysKoll's comment on the trickiness of pattern matching is a good one; warrenn's suggestion of "Anti-watchwords" in the form of "-<someword you've already used>" - i.e. "blacklist all new email addresses with <someword>" - works well enough, unless <someword> is so generic that you'd want to use it again.

Nuts. These miscreants are a real pain. Is the site still under attack?

OK Josh et al, we can close this thread in favor of warrenn's. Thanks again.
sg-since03
 
Posts: 46
Joined: Sun Sep 02, 2007 9:11 am

virus writers too

Post by Jim27106 » Thu Sep 20, 2007 5:02 pm

I've seen messages generated like 8dFreeCycle.safe.jim at dfgh net from FreeCycle.safe.jim at dfgh net.
There were a number like that and they had virus attachments.

I drew the conclusion that people who write a virus are programmers not smart enough to get the details right.
Jim27106
 
Posts: 92
Joined: Sun Mar 05, 2006 8:07 am

Re: virus writers too

Post by de552 » Tue Sep 25, 2007 3:29 pm

If you use static watchwords it won't help. You'll need to have only one or two "open ones" which you change very regularly. And it's better to open an account by sending one email to yourself at the new address. And then change those watchwords.

Because if you just simply add something to the start of the address it'll go through your watchwords.

watchword
awatchword
bwatchword
rndwatchword
my2watchword

Yep.. If watchword was watchword then it kinda sucks.

But I still hope there aren't spammers out there doing routines just form spamgourmet.

Edit: Typo, from should be naturally for.
Last edited by de552 on Wed Sep 26, 2007 3:23 am, edited 1 time in total.
de552
 
Posts: 48
Joined: Mon May 29, 2006 12:28 am

Post by sg-since03 » Tue Sep 25, 2007 7:18 pm

[quote]But I still hope there aren't spammers out there doing routines just for spamgourmet.[/quote]

Actually, of late they are. Please see my post in the "Allow disabling a keyword pattern" thread.
sg-since03
 
Posts: 46
Joined: Sun Sep 02, 2007 9:11 am

Post by enginecapt » Sun Nov 04, 2007 10:58 pm

I average 2 to 4 of these spammer created addresses a month. Almost all of them are a variation of a SG address I created way back in June of 2002. It's also the address that has the most deletions, some 27,000 pieces of spam.

As they pop up I zero them out and hide them.
enginecapt
 
Posts: 6
Joined: Sun Nov 04, 2007 10:51 pm

Post by vellire » Tue Nov 13, 2007 10:16 pm

There's probably just one spammer out of the lot that's using this technique (or experiencing this bug), but if they have a wide enough base of harvested spamgourmet accounts I imagine it's hitting a number of us simultaneously.

The Freecycle address I mentioned has had the following life cycle:

freecycle / 2004-08-23 15:12 / 4074 total
|freecycle / 2007-09-03 22:57 / 1 total
reecycle / 2007-11-02 01:02 / 8 total
eecycle / 2007-11-13 22:06 / 1 total

It's extremely poor "quality" spam, if such an idea exists. Obviously from a spam-bot and virtually nonsensical.
vellire
 
Posts: 27
Joined: Tue Jan 27, 2004 7:42 pm

Post by SysKoll » Wed Nov 14, 2007 10:00 pm

I also got spam on a few variations of one of my disposables, with either missing letters or the pipe ( | ) symbol as a prefix.

I think this pipe appears in our disposables because of accidents due to bugs in a spambot: Some Windows programs such as BounceStudio (a mailing list management tool) use the | char as an address separator, and when an address-collecting virus starts parsing files on a machine containing such a program, it picks the pipe as part of the next address.
-- SysKoll
SysKoll
 
Posts: 893
Joined: Thu Aug 28, 2003 9:24 pm
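
[Added example, not part of any post in this thread and not spamgourmet's own code: a small classifier for the copy patterns reported above (a stray prefix, a leading pipe, missing leading letters). The thresholds `MAX_ADDED` and `MIN_KEPT` and the function names are assumptions made for illustration; the sample words are pooled from several posters.]

```python
# Added example: flag address words that look like mutated copies of ones you created.
MAX_ADDED = 2   # assumption: a copy prepends at most two stray characters
MIN_KEPT = 4    # assumption: a truncated copy keeps at least four trailing characters


def classify_variant(candidate, known):
    """Return (original, kind) when candidate looks derived from a known word, else None."""
    cand = candidate.lower()
    originals = {k.lower(): k for k in known}
    if cand in originals:
        return None  # an address the owner really created
    for low, orig in originals.items():
        # Stray characters glued to the front, such as a '|' field separator.
        if cand.endswith(low) and len(cand) - len(low) <= MAX_ADDED:
            added = cand[: len(cand) - len(low)]
            return orig, "pipe-prefix" if added == "|" else "prefix-added"
        # Leading characters lost, leaving a suffix of the original.
        if low.endswith(cand) and len(cand) >= MIN_KEPT:
            return orig, "leading-truncated"
    return None


def scan(received, known):
    """Classify each received word and return only the suspected copies."""
    hits = []
    for word in received:
        match = classify_variant(word, known)
        if match:
            hits.append((word, *match))
    return hits


# Words quoted in the posts above (the part before ".<username>@<domain>").
KNOWN = ["toto.1", "getstuffed.at", "freecycle", "FreeCycle.safe"]
RECEIVED = ["ttoto.1", "tgetstuffed.at", "stuffed.at", "|getstuffed.at",
            "|freecycle", "reecycle", "eecycle", "8dFreeCycle.safe",
            "freecycle", "bookshop.3"]  # "bookshop.3" is constructed, not from the thread

if __name__ == "__main__":
    for word, original, kind in scan(RECEIVED, KNOWN):
        print(f"{word:18} <- {original:16} {kind}")
```

Suffix matching flags any new word that happens to end one of your existing words, so very short or generic words need a higher `MIN_KEPT`.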

Post by mysticturner » Thu Nov 15, 2007 1:07 pm

After about 4 years of using SG, I finally am having to add a watchword. I've been hit with 4 spams on two new addresses since last night - total time span is about 9 hours. A question I have is this - are watchwords required to be in a particular word?

For example the layout of an address is (I may have the wrong terms here):

prefix . address . count . user (at sign) domainname

Could the watchword be in the count field, or does it have to be in the address? My thought is that I might be able to put the watchwords in the count field. For example -

junk.watchword.spamcowboy (at) domainname
mysticturner
 
Posts: 57
Joined: Sun Jun 12, 2005 6:38 am
Location: Dallas, TX

Post by Paranoid2000 » Fri Dec 07, 2007 10:36 am

Try a prefix rather than a watchword - that's worked for me so far.
Paranoid2000
 
Posts: 71
Joined: Wed Dec 15, 2004 10:48 am

