
Ongoing topic - spammer-generated sg addresses

Posted: Sun Sep 02, 2007 9:53 am
by sg-since03
"SG users getting mail on addresses they did not create"; most times this is reported, someone suggests using watchwords. Watchwords aren't worth the effort for my infrequent occurrences, but they sure are weird.

Here's two examples with dates. First address is my own "creation," others are spammer-generated "copies." Both were to entities I judged "likely to spam," although the spam came from other sources. ("Affiliates"??)

All the following precede "<myusername>@xoxy.net":

2004-07-19: toto.1.
2006-08-03: ttoto.1.

2004-07-25: getstuffed.at.
2006-08-07: tgetstuffed.at.
2006-11-20: stuffed.at.
2007-09-01: |getstuffed.at.

Notes:
1. The last address is not a typo. The fiend really did use the delimiter [?] character [the character above the backslash].
2. I stopped using numbers and letters-as-numbers [eg "at"] in mid-2005, so these copycat addresses are easy to spot.

The time lag is what I find most interesting, next to the odd parsing. Any updates on how this works, i.e., is it deliberate or an email program's glitch?

Posted: Tue Sep 04, 2007 2:49 pm
by josh
that doesn't look like a software glitch to me.

Re: Ongoing topic - spammer-generated sg addresses

Posted: Tue Sep 04, 2007 7:52 pm
by vellire
sg-since03 wrote:
Notes:
1. The last address is not a typo. The fiend really did use the delimiter [?] character [the character above the backslash].


As I mentioned in another thread, just today I received one with the same formatting - |freecycle - but I was using recursor.net.

Re: replies/other thread

Posted: Tue Sep 04, 2007 9:15 pm
by sg-since03
Thanks Josh & vellire for your replies, and thanks vellire for pointing me to a thoughtful thread on this subject.

SysKoll's comment on the trickiness of pattern matching is a good one; warrenn's suggestion of "Anti-watchwords" in the form of "-<someword you've already used>" - i.e. "blacklist all new email addresses with <someword>" - works well enough, unless <someword> is so generic that you'd want to use it again.

Nuts. These miscreants are a real pain. Is the site still under attack?

OK Josh et al, we can close this thread in favor of warrenn's. Thanks again.

virus writers too

Posted: Thu Sep 20, 2007 5:02 pm
by Jim27106
I've seen messages generated like 8dFreeCycle.safe.jim at dfgh net from FreeCycle.safe.jim at dfgh net.
There were a number like that and they had virus attachments.

I drew the conclusion that people who write a virus are programmers not smart enough to get the details right.

Re: virus writers too

Posted: Tue Sep 25, 2007 3:29 pm
by de552
If you use static watchwords it won't help. You'll need to have only one or two "open ones" which you change very regularly. And it's better to open an account by sending one email to yourself at the new address. And then change those watchwords.

Because if you just simply add something to the start of the address it'll go through your watchwords.

watchword
awatchword
bwatchword
rndwatchword
my2watchword

Yep.. If the watchword was watchword then it kind of sucks.

But I still hope there aren't spammers out there doing routines just form spamgourmet.

Edit: Typo, from should be naturally for.

Posted: Tue Sep 25, 2007 7:18 pm
by sg-since03
[quote]But I still hope there aren't spammers out there doing routines just for spamgourmet.[/quote]

Actually, of late they are. Please see my post in the "Allow disabling a keyword pattern" thread.

Posted: Sun Nov 04, 2007 10:58 pm
by enginecapt
I average 2 to 4 of these spammer-created addresses a month. Almost all of them are a variation of an SG address I created way back in June of 2002. It's also the address that has the most deletions, some 27,000 pieces of spam.

As they pop up I zero them out and hide them.

Posted: Tue Nov 13, 2007 10:16 pm
by vellire
There's probably just one spammer out of the lot that's using this technique (or experiencing this bug), but if they have a wide enough base of harvested spamgourmet accounts I imagine it's hitting a number of us simultaneously.

The Freecycle address I mentioned has had the following life cycle:

freecycle / 2004-08-23 15:12 / 4074 total
|freecycle / 2007-09-03 22:57 / 1 total
reecycle / 2007-11-02 01:02 / 8 total
eecycle / 2007-11-13 22:06 / 1 total

It's extremely poor "quality" spam, if such an idea exists. Obviously from a spam-bot and virtually nonsensical.

Posted: Wed Nov 14, 2007 10:00 pm
by SysKoll
I also got spam on a few variations of one of my disposables, with either missing letters or the pipe ( | ) symbol as a prefix.

I think this pipe appears in our disposables because of accidents due to bugs in a spambot: Some Windows programs such as BounceStudio (a mailing list management tool) use the | char as an address separator, and when an address-collecting virus starts parsing files on a machine containing such a program, it picks the pipe as part of the next address.
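Added example, not part of the thread and not spamgourmet code: a small check that flags newly seen disposable words derived from one you created, covering the three manglings reported above (stray leading characters, a leading pipe, dropped leading letters). The words come from the posts; the ".user" suffixes, function names and thresholds are assumptions made for illustration.

```python
# Added example: flag newly seen disposable words that derive from one you created.
# Words are taken from the posts in this thread; the ".user" parts are constructed,
# and the function names and thresholds are assumptions, not spamgourmet features.

MAX_EXTRA = 3    # assumed: at most this many stray characters glued on the front
MIN_KEPT = 4     # assumed: a truncated copy must keep at least this many characters


def first_field(local_part):
    """Return the first dot-separated field of an address local part, lowercased."""
    return local_part.split(".", 1)[0].lower()


def classify(created, seen):
    """Describe how `seen` derives from `created`, or return None if it does not."""
    created, seen = created.lower(), seen.lower()
    if seen == created:
        return None  # the address the user actually made
    if seen.endswith(created):
        extra = seen[: len(seen) - len(created)]
        if extra == "|":
            return "pipe-prefixed"
        if len(extra) <= MAX_EXTRA:
            return "prefix-added"
        return None
    if created.endswith(seen) and len(seen) >= MIN_KEPT:
        return "leading-truncated"
    return None


def flag_variants(created_words, observed_local_parts):
    """Map each suspicious observed word to (parent word, kind of mangling)."""
    flagged = {}
    for local in observed_local_parts:
        word = first_field(local)
        for parent in created_words:
            kind = classify(parent, word)
            if kind:
                flagged[word] = (parent.lower(), kind)
                break
    return flagged


CREATED = ["toto", "getstuffed", "freecycle"]
OBSERVED = ["ttoto.1.user", "tgetstuffed.at.user", "stuffed.at.user",
            "|getstuffed.at.user", "|freecycle.user", "reecycle.user",
            "eecycle.user", "8dFreeCycle.safe.jim", "newsletter.5.user"]

if __name__ == "__main__":
    for word, (parent, kind) in flag_variants(CREATED, OBSERVED).items():
        print(f"{word:14} <- {parent:11} {kind}")
```

Short created words will produce false positives with the truncation rule, which is why MIN_KEPT exists; raise it if your own words are short or generic.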

Posted: Thu Nov 15, 2007 1:07 pm
by mysticturner
After about 4 years of using SG, I finally am having to add a watchword. I've been hit with 4 spams on two new addresses since last night - total time span is about 9 hours. A question I have is this - are watchwords required to be in a particular word?

For example the layout of an address is (I may have the wrong terms here):

prefix . address . count . user (at sign) domainname

Could the watchword be in the count field, or does it have to be in the address? My thought is that I might be able to put the watchwords in the count field. For example -

junk.watchword.spamcowboy (at) domainname

Posted: Fri Dec 07, 2007 10:36 am
by Paranoid2000
Try a prefix rather than a watchword - that's worked for me so far.