Educause Security Discussion mailing list archives

Re: Pointless email spam


From: Curtis McNay <cmcnay () GMU EDU>
Date: Wed, 17 Apr 2013 16:14:36 +0000

We are seeing messages coming from the "yourschoolemail.net" and "myschoolemail.net" domains, the same random, no-payload, no-link messages.

The domains are registered by the same generic person and hosted by the same provider in France. The volume is not substantial enough to represent a DOS on email systems or filters. I also think these are probes that phishers are using to manage and clean their email databases.



```````````````````````````````````````````````````````````````
Curtis McNay
Director of IT Security
IT Security and Project Management Office
George Mason University
Email: cmcnay () gmu edu
Web: http://itsecurity.gmu.edu

```````````````````````````````````````````````````````````````



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () listserv educause edu] On Behalf Of Heath Barnhart
Sent: Monday, April 15, 2013 1:09 PM
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Pointless email spam

A probe maybe? The messages don't contain anything a filter would jump on, like images or links. Just some random text. I'm not as familiar with SMTP headers as I probably should be, but would the response headers from a successful transaction glean any information about the receiving mail system?


Heath Barnhart, CCNA
ITS Network Administrator
Washburn University
Topeka, KS

On 04/15/2013 10:46 AM, Dennis Bohn wrote:
We have been seeing these sort-of literary ones, like your sample #2.  No idea what purpose.
best,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327

On Mon, Apr 15, 2013 at 7:34 AM, Gary Warner <gar () cis uab edu> wrote:
Are other schools seeing a big uptick in "no purpose" spam messages? Wondering if this is an enormous email address list cleanse/harvest? Or what other motives anyone might theorize on this?

Here are three sample email bodies. No attachment, no links. Can't PROVE they are related, just coincidence of timing and pointlessness.


++++++++++++++++++++
(received from myschoolemail.net 173.246.104.97)
(from: hilda.barrett () myschoolemail net)

Denise,

I wanted to know if you understand that you can't come to the super deli next Friday.

Cheers,

H.

++++++++++++++++++++
(envelope from waggishy08 () acm org)
(x-sender: ultrasug9 () gil com au)
(X-PHP-Script indicates it was sent via "afes.com/sendmail.php" at request of 186.87.28.58)
(Return-Path: suicidaloa53 () afes com)


CHAPTER XLI, Nor from ME, neither.
Why HE? I stopped.

+++++++++++++++++++++
(received from heattreatmentchina.ru (37.255.60.4))
(from: stonehengeqq40 () trinity edu)

Bofe un you claims it, But we didnt wait.
So Tom was satisfied.

++++++++++++++++++++++

----------------------------------------------------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
gar () cis uab edu

-----------------------------------------------------------
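The thread describes the messages by what they lack (no links, no attachments, short random text) and by sender-side oddities (the myschoolemail.net / yourschoolemail.net domains, a Return-Path on a different domain than the From header, an X-PHP-Script header from a web form mailer). The script below turns those observations into triage features a mail admin could run over a mailbox or quarantine export. It is an added example for this archive page, not code from any list member; the sample messages are constructed to resemble the thread's descriptions, the 40-word threshold is an assumption, and the watched-domain list contains only the domains named in the thread.

```python
"""Triage features for probe-style mail like the samples in this thread:
short random text, no links, no attachments, sender domains of interest.
Added example for this archive page; not code from any list member."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Sender domains named in the thread as sources of the no-payload messages.
WATCHED_DOMAINS = {"myschoolemail.net", "yourschoolemail.net"}
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def _domain(header_value):
    """Lower-cased domain part of an address header ('' when absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def message_features(raw):
    """Parse one RFC 5322 message and extract the signals the thread discusses."""
    msg = message_from_string(raw, policy=default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    return {
        "from_domain": from_domain,
        "watched_sender": from_domain in WATCHED_DOMAINS,
        # Envelope sender on a different domain than the From header.
        "return_path_mismatch": bool(return_path_domain)
        and return_path_domain != from_domain,
        "has_link": bool(URL_RE.search(body)),
        "has_attachment": any(True for _ in msg.iter_attachments()),
        # One of Gary's samples carried X-PHP-Script (sent via a web form mailer).
        "php_script": msg.get("X-PHP-Script") is not None,
        "word_count": len(body.split()),
    }


def is_probe_like(features, max_words=40):
    """True for a message matching the thread's description: no link, no
    attachment, a very short body (threshold is an assumption) and at least
    one sender-side oddity. A triage signal, not a block decision."""
    if features["has_link"] or features["has_attachment"]:
        return False
    if features["word_count"] > max_words:
        return False
    return (features["watched_sender"]
            or features["return_path_mismatch"]
            or features["php_script"])


def triage(raw_messages):
    """Return (index, From domain) for each probe-like message."""
    hits = []
    for i, raw in enumerate(raw_messages):
        f = message_features(raw)
        if is_probe_like(f):
            hits.append((i, f["from_domain"]))
    return hits


# Constructed samples modelled on the thread's descriptions; not real mail.
PROBE_WATCHED_DOMAIN = """From: probe-sender@myschoolemail.net
Return-Path: <probe-sender@myschoolemail.net>
To: denise@example.edu
Subject: Friday

Denise,

I wanted to know if you understand that you can't come to the super deli next Friday.

Cheers,

H.
"""

PROBE_WEB_FORM = """From: user@example.org
Return-Path: <bounce@webmailer.example>
X-PHP-Script: webmailer.example/sendmail.php for 192.0.2.10
To: someone@example.edu
Subject: Chapter

CHAPTER XLI, Nor from ME, neither.
Why HE? I stopped.
"""

NORMAL_MAIL = """From: colleague@example.edu
Return-Path: <colleague@example.edu>
To: someone@example.edu
Subject: Agenda

Hi, the agenda for Thursday is posted at https://intranet.example.edu/agenda
Please add items by Wednesday noon. Thanks!
"""

if __name__ == "__main__":
    print(triage([PROBE_WATCHED_DOMAIN, PROBE_WEB_FORM, NORMAL_MAIL]))
```

Feed `triage()` raw messages exported from quarantine or a mail log and count hits per From domain and per Return-Path domain over a day; that count is the evidence for Gary's list-cleansing hypothesis (many distinct recipients, one sending infrastructure) and for Curtis's observation that the volume is too low to be a DoS.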