Honeypots mailing list archives

Re: wow(spammed for posting)


From: Valdis.Kletnieks () vt edu
Date: Thu, 21 Apr 2005 14:36:42 -0400

On Thu, 21 Apr 2005 06:47:26 EDT, Chris Brenton said:
> On Wed, 2005-04-20 at 00:05, Jonas Yorg wrote:
>
> > I have already got 2 spams to this address since posting just earlier
> > today (I know they're both related to this and not general spam
> > because the subject line had my post title in it)...has anyone experienced
> > similar from being on this list?
>
> It's not just this list. I'm on about five different SecurityFocus
> mailing lists and posting to any of them results in an increase in spam.
> I think the problem is they get archived in so many places that it's
> inevitable they're going to get trolled by one or more spammers. :(

Even more devious - I came across the debris left behind by a *very* interesting
spamming backdoor a while ago.  Basic method of operation:

1) I post to a mailing list..
2) Copy arrives at infected machine..
3) It snarfs the From:/Date:/Subject: headers from that mail, and uses them
to construct a new set of RFC822 headers
4) It then spams to addresses scraped from the hard drive.

And it did this *in near-real time*

I found it because I got back a "Filtered for questionable content" rejection
from a site - it was nice enough to return at least partial headers, which
clearly identified it as a posting I *had* made several minutes before (and in
fact, I hadn't even gotten my *own* copy of my post back from the list yet -
thus the near-real time).

I contacted the site's postmaster, and sure enough - what they had actually
quarantined was something with my headers, but a body advertising a supplement
that promised to alter certain bodily proportions, and received from someplace
that was neither my system nor the mailing list server....

Unfortunately, we didn't find enough logging info to find the compromised
machine and identify the malware responsible....
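
The check the postmaster exchange above amounts to, as an added example that is not part of the original post: a message carrying the From:/Date:/Subject: of a real list post is flagged when the relay recorded by the recipient's own MTA is neither the poster's system nor the list server. All addresses, hostnames, IPs and function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed data: a post the sender really made (From, Date, Subject).
SENT_POSTS = [("poster@example.org", "Thu, 21 Apr 2005 14:20:00 -0400", "Re: example thread")]
# Constructed data: the sender's own system and the list server (documentation IPs).
TRUSTED_RELAYS = {"192.0.2.10", "198.51.100.25"}
RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def header_key(from_hdr, date_hdr, subject_hdr):
    """Normalise the three copied headers; None if the Date is missing or unparsable."""
    try:
        when = parsedate_to_datetime(date_hdr)
    except (TypeError, ValueError):
        return None
    return (parseaddr(from_hdr or "")[1].lower(), when, (subject_hdr or "").strip())

def classify(raw, sent_posts=SENT_POSTS, trusted=TRUSTED_RELAYS):
    msg = message_from_string(raw)
    key = header_key(msg["From"], msg["Date"], msg["Subject"])
    if key is None or key not in {header_key(*p) for p in sent_posts}:
        return "unrelated"
    # Only the topmost Received line was written by the recipient's own MTA;
    # anything below it is supplied by the sending side and may be forged.
    received = msg.get_all("Received") or []
    hop = RELAY_IP.search(received[0]) if received else None
    if hop is None:
        return "no-relay-info"      # e.g. a bounce that returned partial headers
    return "trusted-relay" if hop.group(1) in trusted else "header-replay"

def sample(relay_ip, subject="Re: example thread"):
    """Build a constructed message as the recipient's MTA would have stored it."""
    lines = ["From: Poster <poster@example.org>",
             "Date: Thu, 21 Apr 2005 18:20:00 +0000",   # same instant as the post
             f"Subject: {subject}", "", "constructed body"]
    if relay_ip:
        lines.insert(0, f"Received: from relay.example ([{relay_ip}]) "
                        "by mx.recipient.example; Thu, 21 Apr 2005 14:25:00 -0400")
    return "\n".join(lines)

if __name__ == "__main__":
    for ip in ("203.0.113.77", "198.51.100.25", None):
        print(ip, "->", classify(sample(ip)))
```

The "no-relay-info" result corresponds to the situation in the post, where the returned headers were not enough to trace the sending machine.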
