Security Incidents mailing list archives

Re: Massive SPAM Increase


From: jim barchuk <jb () jbarchuk com>
Date: Mon, 9 Oct 2006 01:01:08 -0400 (EDT)

Hi Alex!

I don't know if I'm a target of some SPAM attack or if it is just business as usual.

I think it's business as usual, on new millennium designer steroids. :)

First, I must say that I *never* even glance at headers any more. I don't have the slightest interest or care where they came from, pro, amateur, cracked box, whatever.

Second, I don't keep any kinds of recorded stats on anything, so everything I talk about is based on constant monitoring and memory. Not particularly reliable for hard number documentation, but I do have a good feel for the general ebbs and flows.

But I do study spam *content* very intently. The purpose of course is to either steal or sell stuff. The stealers are the 419/ID thefts/other scams, and the sellers are the mortgage/pharm/porn vendors. (There are two other kinds, viruses/malignant email (which return no profit except to gain new spam broadcast machines,) and 'broken spam generators' (which are simply faulty software,) and although there are *tons* of faulty spam neither of those two are profit -generators- for the spammer so I tend to discount them in importance.) (And whether a particular 'sell' spam really is a scam in sheep's clothing is a separate but moot topic because it's undetectable at the email level.)

I do notice a couple of things over the past week or so.

One is, yes, a drastic *spike* to a new higher plateau in sheer volume did happen. I can't recall an exact date, but it did happen very suddenly. If I did have to pin a date on it it would be 10/2 or 10/3. Normally spammers 'go to work' on Thursday, to hit the 'weekend surfers.' (Used to be Friday but they moved it up earlier this year.) But it occurred to me one day that it was waaaaaay too early in the week for the usual weekend flood. And it wasn't just a day earlier, Wednesday, which is why I think it was Monday or Tuesday. Tuesday sticks in my head a little stronger but not sure.

The other thing I notice is that there was little *variation* in the *kinds* of spam I get. No unusual increases in bounces, (joesjobs,) or sellers or stealers, just a larger volume overall.

By spike --> new plateau, I mean I went from a usual 500/day to 700/800. 50% is a *ton* more to happen so suddenly.

I *think*, (that is, an intuitive guess,) that I've seen these kinds of increases before. (Again, I don't keep any kinds of stats on this stuff that would help to objectively demonstrate a theory.) I think it happens generally early in the month. I *think* this happens actually for *business* (the business of spam) reasons. I have a feeling that the spammers tend to operate on a monthly cycle. They gather new orders during the month, and start firing off their product at the start of the next month. I'm guessing that it's probably simply easier to do things this way, different process steps in order -during- the month, rather than to do 'everything every day.' The weekly cycles certainly do exist, so there's no reason that there aren't monthly cycles too. All businesses work that way. Why Sept might have been a hot 'new orders' month that leads to hotter than average Oct volume is another story. :)

There's another possibility, that you've finally gotten into the 'millions of email addresses' lists that the spammers use. I sure remember when *that* happened to me many years ago, when spam suddenly shot from 'a couple' to 'dozens --> scores --> hundreds' a day. Once you're tagged as a 'reliable address,' eventually they put you in the From: and other header lines so you can collect the bounces as well as the original spam. I'm particularly tickled by all the instances I get of 'receive several bounces *before* the original spam' because that means I have a *very* reliable address and am -highly- -regarded- by the spam software that generates it. LOL!

Have a :) day!

jb

--
jim barchuk
jb () jbarchuk com
