Educause Security Discussion mailing list archives

Re: "postcard" spams.


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Tue, 3 Jul 2007 13:22:43 -0500

Theresa Semmens wrote:

I'm seeing you have received a "BlueMountain.com greeting from a colleague"

Since June 29th, my home system has seen variety increase.  A quick log
analysis shows most subjects match these

        You've received {CARD} from {SENDER}!


where {CARD} is one of

        a postcard
        an ecard
        a greeting postcard
        a greeting card
        a greeting ecard


and {SENDER} is one of

        a family member
        a partner
        a mate
        a neighbor
        a colleague
        a school-mate
        a school friend
        a class mate
        a worshipper [my coworkers say this is an obvious fake]


The sending addresses are in the form of

        "{TEXTNAME}" <{ADDRESS}>


where {TEXTNAME} is one of

        vintagepostcards.com
        postcard.com
        netfuncards.com
        mypostcards.com
        greeting-cards.com
        funnypostcard.com
        freewebcards.com        
        e-cards.com
        Postcards.Org
        MyPostcards.com
        GreetingCards.Com
        Greeting-Cards.Com
        FunnyPostcard.Com
        FreeWebCards.Com
        E-Cards.Com


and {ADDRESS} has a very weak correlation to the domain in the PTR
record of the originating IP.

Good news:  Most of the originating IP addresses are in the CBL
(cbl.abuseat.org), so those of you using the CBL to help score this
garbage as spam (and hopefully reject it *before* you accept and queue
it!) may be able to block this trash before it reaches your end-users.
Greylisting may also help, as this occasionally has the tendency to
exert back pressure of sorts onto spam 'bots.  (It also occasionally can
provide insight into the organization of spam sources, i.e., you can
group them by controller based on common characteristics.  There's
probably a paper in there somewhere.)


--
Alan Amesbury
OIT Security and Assurance
University of Minnesota
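
The subject template and display names listed in the message above, turned into a header check, plus the DNS name a CBL lookup would query. This is an added example, not part of the original message; the sample headers are constructed, and matching display names case-insensitively is an assumption that generalizes the list as posted.

```python
import ipaddress
import re
from email.utils import parseaddr

# Values taken from the lists in the message above.
CARDS = ["a postcard", "an ecard", "a greeting postcard",
         "a greeting card", "a greeting ecard"]
SENDERS = ["a family member", "a partner", "a mate", "a neighbor", "a colleague",
           "a school-mate", "a school friend", "a class mate", "a worshipper"]
# Display names, lowercased (assumption: case differences are not significant).
TEXTNAMES = {"vintagepostcards.com", "postcard.com", "netfuncards.com",
             "mypostcards.com", "greeting-cards.com", "funnypostcard.com",
             "freewebcards.com", "e-cards.com", "postcards.org", "greetingcards.com"}

SUBJECT_RE = re.compile(r"^You've received (%s) from (%s)!$" % (
    "|".join(map(re.escape, CARDS)), "|".join(map(re.escape, SENDERS))))

def score(subject, from_header):
    """Return (points, reasons): one point per indicator from the message that matches."""
    reasons = []
    m = SUBJECT_RE.match(" ".join(subject.split()))  # collapse folded whitespace
    if m:
        reasons.append("subject:%s/%s" % m.groups())
    display, _addr = parseaddr(from_header)
    if display.lower() in TEXTNAMES:
        reasons.append("textname:" + display.lower())
    return len(reasons), reasons

def cbl_query_name(ip):
    """Build the DNSBL query name for an IPv4 address: reversed octets under the zone.
    By DNSBL convention the address is listed if this name resolves."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".cbl.abuseat.org"

# Constructed sample headers (not real mail).
SAMPLES = [
    ("You've received a greeting ecard from a class mate!",
     '"FunnyPostcard.Com" <user1@example.net>'),
    ("You've received an invoice from a colleague!",
     '"Accounts" <billing@example.org>'),
    ("Lunch on Friday?", '"postcard.com" <friend@example.com>'),
]

if __name__ == "__main__":
    for subject, sender in SAMPLES:
        print(score(subject, sender), "|", subject, "|", sender)
    print(cbl_query_name("192.0.2.1"))  # documentation-range address
```

A score like this is best used as one input to spam scoring at SMTP time, alongside the CBL result, rather than as a standalone reject rule.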
