Spamgourmet specific spam?


Post by lwc » Mon Sep 25, 2006 9:27 am

Well, I got my first ever Spamgourmet related spam.

Came to 13.someword.myuser at neverbox.com (originally I forgot to mention the someword and just wrote here 13.myuser).

Why 13 and why neverbox? Kind of scary...
Last edited by lwc on Mon Sep 25, 2006 6:44 pm, edited 1 time in total.
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Post by LowKey » Mon Sep 25, 2006 3:00 pm

Looks like it could be a truncation of another SG address. Do you have any other addresses like "someword.13.myusername@neverbox.com" out there? Drop the first word by some software bug, and it's a whole new address.
LowKey
 
Posts: 6
Joined: Mon Sep 25, 2006 2:43 pm

Post by lwc » Mon Sep 25, 2006 6:42 pm

That's the thing. I don't think I have ever even used a number in my addresses and certainly not 13.

But you just made me realize I was wrong and it used 13.word.myuser. That means 13 was actually the trigger and not the number. "word" was the number and "word" started with "L" (low capital) which stands for "12". I guess I did use this word in the past, but maybe like a year ago. So basically I think it took word.myuser and just added "13." in front of it thus turning "word" from the trigger into the number. Do you still think it's a Spamgourmet specific spam?

Again, the original address must have been:
word.myuser
The spam created address was:
13.word.myuser
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Post by lwc » Tue Sep 26, 2006 12:12 am

Damn, 2 more spams!

This time to:
10.companythatsoldmeout.myuser
10 companythatsoldmeout.myuser


Yes, that's a space in the latter one! How did it even work? Stranger still, Spamgourmet translated the "to" field to 10.companythatsoldmeout.myuser (that is, just like the former address) and wrote in the subject:
Some spam subject (10: message 1 of 12) (10 companythatsoldmeout: message 1 of *my default*)
(It's 12 again because companythatsoldmeout starts with "L")

I only know about the space because unlike the "to" field inside the site it's shown clearly.
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Post by Thragor » Tue Sep 26, 2006 4:47 am

Hello,

Just wanted to add that one of my already banned email addresses got hacked this way, too. You can try for yourself just using an existing spamgourmet email of yours and add e.g.

"20 " (20 space)

in front. Testing this way I got even two emails... Strange thing.

Well, I think the actual problem is that if you know spamgourmet, it is quite easy to hack it: just change the name in front of the first dot in some way, e.g. by prepending "20 ", or I even got mails with "20\n" (i.e. number followed by newline) and such.

If this continues it will be the death of spamgourmet, I think :( .

I currently don't have an idea how to get around this problem.

Kind Regards,
Thragor
Thragor
 
Posts: 2
Joined: Tue Sep 26, 2006 4:27 am
Location: Hamburg, Germany

Post by LowKey » Tue Sep 26, 2006 11:15 am

Weird. I wouldn't think a spammer would bother. But we do have prefixes and watchwords we can use, so no real harm done.
LowKey
 
Posts: 6
Joined: Mon Sep 25, 2006 2:43 pm

I got hit too

Post by mysticturner » Tue Sep 26, 2006 12:13 pm

The SG address I got hit with was a d f g h dot n e t domain and the evil ones hit by creating two new addrs. They were in the following forms:

10.userid at domain
10.sg.userid at domain

Like lwc above, the subject line additions kind of mislead you as to what the real full address being used was. I did a double take and had to review them carefully. The original base sg.userid is one dedicated to a single yahoo group. When we had the server issue, I moved some of my newsgroup workload over to the German server and it looks like I need to accelerate that effort.

I just shut down the two new addresses, but it looks like this devil has my name. Time to get another level of sophistication.
mysticturner
 
Posts: 57
Joined: Sun Jun 12, 2005 6:38 am
Location: Dallas, TX

Post by lwc » Tue Sep 26, 2006 1:41 pm

But how do they know it's Spamgourmet (otherwise why would they use dots)? Do they know each of its domains or maybe by IP address?

And why do they add the number plus dot before the keyword and not after it?
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

Post by Thragor » Tue Sep 26, 2006 4:40 pm

LowKey wrote: Weird. I wouldn't think a spammer would bother. But we do have prefixes and watchwords we can use, so no real harm done.


Thanks for the hint... (I forgot about that). But I think watchwords (German: Kennworte?) won't work if the spammer works in the suggested way just prepending a number. At least as soon as the spammer gets hold of a mail which contains a watchword.

Prefixes at least would help to block spammers as those mentioned here. I just set one... hopefully I won't forget to set it next time :-)

Kind Regards,
- Thragor
Thragor
 
Posts: 2
Joined: Tue Sep 26, 2006 4:27 am
Location: Hamburg, Germany

Post by josh » Tue Sep 26, 2006 8:55 pm

Watchwords are the preferred method -- the prefix is older and still included because some people still use it and swear by it.

The watchwords *will* work if you remember two things:

1) change them every so often. This way, an older address won't provide clues. You can have more than one watchword, obviously, which allows you to phase them in and out, if necessary.

2) if you're geeky like me, realize that you can use regular expression syntax in the watchwords (e.g., ^ means match at the beginning of the "word", $ means match at the end, etc.) - you can come up with approaches that defy any hamhanded approach to overcoming them (but don't get too sophisticated, since you'll have to remember how to make a new address work :) )
josh
 
Posts: 1371
Joined: Fri Aug 29, 2003 2:28 pm
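
A small model of the watchword check josh describes, run against the address shapes reported earlier in the thread (added example, not Spamgourmet's code and not from any poster). The parsing rules and the letter-to-number mapping are inferred from the posts, the watchwords "company" and "^company" are hypothetical, and the sample addresses are constructed.

```python
import re

def parse_local_part(local):
    """Split a disposable local part into (word, count, user).

    Assumed forms, taken from the thread: word.user and word.number.user.
    count is None when there is no number part (the account default applies).
    """
    parts = local.split(".")
    if len(parts) == 2:
        return parts[0], None, parts[1]
    if len(parts) != 3:
        raise ValueError("unsupported local part: %r" % local)
    word, number, user = parts
    if number.isdigit():
        count = int(number)
    elif "a" <= number[:1].lower() <= "z":
        # Assumption from the thread's one data point ("L" stands for 12):
        # a non-numeric number part counts as its first letter's position.
        count = ord(number[0].lower()) - ord("a") + 1
    else:
        raise ValueError("unsupported number part: %r" % number)
    return word, count, user

def creates_address(local, watchwords):
    """True if a first message to `local` may create a new address.

    Assumption: with no watchwords set, any well-formed address is created;
    otherwise at least one watchword regex must match the word part.
    """
    word, _count, _user = parse_local_part(local)
    if not watchwords:
        return True
    return any(re.search(w, word) for w in watchwords)

# Constructed samples in the shapes reported in the thread.
SAMPLES = [
    "companythatsoldmeout.myuser",     # address the user handed out
    "10.companythatsoldmeout.myuser",  # number and dot prepended
    "10 companythatsoldmeout.myuser",  # number and space prepended
]

def results(watchwords):
    return {s: creates_address(s, watchwords) for s in SAMPLES}

if __name__ == "__main__":
    for ww in ([], ["company"], ["^company"]):
        print(ww, results(ww))
```

The unanchored watchword still admits the "10 " variant because the word part contains "company"; anchoring with ^ rejects it while the original address keeps working.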

Post by lwc » Tue Sep 26, 2006 11:39 pm

Hey Josh, what about the spaces and what about how do those spammers recognize this service?
lwc
 
Posts: 455
Joined: Sat Aug 28, 2004 9:09 am

