nanog mailing list archives
Re: Addresses for latest spam
From: Valdis.Kletnieks () vt edu
Date: Tue, 08 Jun 2004 11:44:50 -0400
On Tue, 08 Jun 2004 09:06:35 CDT, Adi Linden <adil () adis on ca> said:
Does anyone know how the latest email worms assemble the email addresses they use? I am getting a large amount of junk destined for non-existent (never existent) email accounts. So the address cannot be taken from the various address books on the compromised PCs.
I'll place bets on there being 'userA () domain1 net' and 'userB () domain2 com' in the address books, and the worm is creating all 4 combinations of left and right hand sides (and possibly other permutations too). So you're sitting at domain1.net and seeing 'userB () domain1 net' bouncing (and possibly 'userB () domain2 com' as well....)

And of course, if it finds 200 addresses, you'll get the 1 valid LHS that was attached to your domain - and 199 LHS's that used to be attached to 199 other domain names and were probably never valid at your site.

But since it's a compromised PC that belongs to somebody else and the spammer isn't paying for the bandwidth, they might as well try all 200x200, because they know 200 of them were valid, and maybe they'll get lucky and another 50 or 75 of the cross-product will happen to match too...