
China spam?


Peter Ceresole

Dec 6, 2009, 4:31:23 AM
Anybody else seeing a sudden burst of Chinese spam making it through the
filters? Cialis and stuff... A picture attached for the address to go
and buy the stuff, with word wooze to reduce the repetition score.

It's not a huge splurge, and they're easy to delete, but I was just
curious, as recently spam levels have been pretty low here.
--
Peter

Denis McMahon

Dec 6, 2009, 4:55:10 AM

Yeah, I got a pile of this stuff starting sometime yesterday I think.

The nerfed thunderbird junkmail detection and filtering doesn't help, I
have no idea why but junkmail and filters that thunderbird used to run
automatically on received pop3 mails don't seem to work any more, and
the only "explanation" I could find is that they don't work because they
can't work ... well they can, because they used to in earlier versions.

Rgds

Denis McMahon

Les

Dec 6, 2009, 4:57:42 AM
In message <1jaaq78.1c1t6ac38ek28N%pe...@cara.demon.co.uk>, Peter
Ceresole <pe...@cara.demon.co.uk> writes

I thought it was just my turn for the barrel having been virtually spam
free for a while. Received about six yesterday and another six this
morning using old message IDs as the address, K9 filtered them out
for deletion unread.
--
Les

Adrian Simpson

Dec 6, 2009, 4:58:09 AM
In article <1jaaq78.1c1t6ac38ek28N%pe...@cara.demon.co.uk>, Peter
Ceresole <pe...@cara.demon.co.uk> writes

I had four emails (all to spammer only addresses) rejected by my
filtering this morning. Certainly a deluge by recent standards.


Adrian
--
To Reply :
replace "news" with "adrian" and "nospam" with "ffoil"
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.

Denis McMahon

Dec 6, 2009, 5:08:07 AM

Guessing that some Chinese spammer has resurrected / bought an old list
of "uk email domains" that contains a few [hundred] demon hosts ....
wonder how much spam is bouncing because the hosts don't exist any more.

Rgds

Denis McMahon

Stephen Wolstenholme

Dec 6, 2009, 5:13:42 AM

Over the last three days I have noticed a few in my inbox and some in
the junk folder. I'm sure the junk detection will soon catch up.

Steve

--
Neural Planner Software Ltd www.NPSL1.com

Andy

Dec 6, 2009, 5:14:10 AM
Ceresole <pe...@cara.demon.co.uk> wrote

Probably yes - they are self-evident spam so I forward them to 'missed'
unopened. About 10 today, which is 9 more than usual.
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>

jasee

Dec 7, 2009, 6:33:29 AM

"Andy" <an...@kitzbuhel.demon.co.uk> wrote in message
news:mkq4WlDy...@kitzbuhel.demon.co.uk...

> In message <1jaaq78.1c1t6ac38ek28N%pe...@cara.demon.co.uk>, Peter Ceresole
> <pe...@cara.demon.co.uk> wrote
>>Anybody else seeing a sudden burst of Chinese spam making it through the
>>filters? Cialis and stuff... A picture attached for the address to go
>>and buy the stuff, with word wooze to reduce the repetition score.

Yes, I'm surprised they're not caught (by the filters at Demon)
(posting from somewhere else)


--
Vista: the hd dvd player that thinks it's an operating system ©JC 2009
Windows 7: a faster dvd player
All men are islands


Stephen Wolstenholme

Dec 7, 2009, 6:48:55 AM
On Mon, 7 Dec 2009 11:33:29 -0000, "jasee" <ja...@btinternet.com>
wrote:

>
>"Andy" <an...@kitzbuhel.demon.co.uk> wrote in message
>news:mkq4WlDy...@kitzbuhel.demon.co.uk...
>> In message <1jaaq78.1c1t6ac38ek28N%pe...@cara.demon.co.uk>, Peter Ceresole
>> <pe...@cara.demon.co.uk> wrote
>>>Anybody else seeing a sudden burst of Chinese spam making it through the
>>>filters? Cialis and stuff... A picture attached for the address to go
>>>and buy the stuff, with word wooze to reduce the repetition score.
>
>Yes, I'm surprised they're not caught (by the filters at Demon)
>(posting from somewhere else)

Perhaps most of them are caught by Demon. I'm not going to switch the
filters off just to find out. About ten a day get through to me. Agent
has adapted to catch them all. It's interesting to see that all of the
ones that get through to Agent are sent by Thunderbird users.

Denis McMahon

Dec 7, 2009, 7:04:20 AM
Stephen Wolstenholme wrote:

> It's interesting to see that all of the
> ones that get through to Agent are sent by Thunderbird users.

You mean:

It's interesting to see that all of the ones that get through to Agent

have a Thunderbird user agent header.

I can set that in emails sent from php, it's meaningless. I doubt that
thunderbird is being used to send these, much more likely to be a botnet.

Rgds
Denis McMahon

Peter Ceresole

Dec 7, 2009, 7:26:16 AM
Stephen Wolstenholme <st...@tropheus.demon.co.uk> wrote:

> >Yes, I'm surpised they're not caught (by the filters at Demon)
> >(posting from somewhere else)
>
> Perhaps most of them are caught by Demon. I'm not going to switch the
> filters off just to find out.

Jeez... Neither am I.

> About ten a day get through to me.

Here it's more like 20, trickling in throughout the day. But hardly
enough even to be a nuisance and they are all caught by my Eudora
filters and sent to trash. Effectively no other spam at all is getting
through.

I expect that the filters will catch up with this new series soon.

I've forgotten who are providing the spamblocking service now. Is it
still Cloudmark? Or did Demon switch to somebody else? Why does the name
'Highwinds' come to my mind? Probably because I'm getting so ancient...

Either way, it seems to work pretty well.
--
Peter

Stephen Wolstenholme

Dec 7, 2009, 7:41:40 AM

It is probably a fake header but it is unusual for botnets to use the
same headers for so many messages as that makes filtering so easy. The
only message I have tracked back to source was from a user of a
compromised machine who was using Thunderbird.

Denis McMahon

Dec 7, 2009, 9:04:51 AM
Stephen Wolstenholme wrote:

> It is probably a fake header but it is unusual for botnets to use the
> same headers for so many messages as that makes filtering so easy. The
> only message I have tracked back to source was from a user of a
> compromised machine who was using Thunderbird.

Hmm, wonder if thunderbird exposes an api that allows sending of mail,
or querying of version info.

Maybe the spam malware is using the send-to api? Botnet the machine and
use the system send to api to spam. I guess that's more economical than
coding your own smtp sender.

Rgds

Denis McMahon

Andy

Dec 7, 2009, 9:10:23 AM
In message <iI-dnQ2dBb2edYHW...@bt.com>, jasee
<ja...@btinternet.com> wrote

>
>"Andy" <an...@kitzbuhel.demon.co.uk> wrote in message
>news:mkq4WlDy...@kitzbuhel.demon.co.uk...
>> In message <1jaaq78.1c1t6ac38ek28N%pe...@cara.demon.co.uk>, Peter Ceresole
>> <pe...@cara.demon.co.uk> wrote
>>>Anybody else seeing a sudden burst of Chinese spam making it through the
>>>filters? Cialis and stuff... A picture attached for the address to go
>>>and buy the stuff, with word wooze to reduce the repetition score.
>
>Yes, I'm surprised they're not caught (by the filters at Demon)
>(posting from somewhere else)
>
I've had a look at what my own filters would have rejected. Nearly all
purport to be from dot nl senders, and are addressed to harvested Usenet
posting 'addresses'. For example (the 'finger' report has truncated the
data):

patic...@ouwestomp.nl rqzu8obm...@kitzbuhel.demo
cli...@thebitterend.nl 7644an...@kitzbuhel.demon.co
produ...@gk.net.mx lup...@kitzbuhel.demon.co.uk
tail...@feijngezicht.nl rspxn...@kitzbuhel.demon.co.
ferti...@musicgallery.ca 7690an...@kitzbuhel.demon.co
dedu...@mail-bericht.nl 3txhj5pz...@kitzbuhel.demo
silve...@royalsmilde.nl tzbhbvog...@kitzbuhel.demo

Looks like someone's got their Xmas pressy early :(

Nicholas D. Richards

Dec 7, 2009, 12:14:05 PM
In article <iI-dnQ2dBb2edYHW...@bt.com>, jasee
<ja...@btinternet.com> on Mon, 7 Dec 2009 at 11:33:29 awoke Nicholas
from his slumbers and wrote

>--
>Vista: the hd dvd player that thinks it's an operating system ©JC 2009
>Windows 7: a faster dvd player
>All men are islands

In the same vein, how would you describe Windows XP, Windows ME and
Windows 98?

:-)
--
Nicholas David Richards -

"Où sont les neiges d'antan?"

hugh

Dec 7, 2009, 1:23:59 PM
In message <1jacrv8.bl1q671ja14phN%pe...@cara.demon.co.uk>, Peter
Ceresole <pe...@cara.demon.co.uk> writes
Interesting thread. I've had TP set to reject unrecognised addresses for
some time and the spam rate has dropped virtually to zero. Friday I
unticked the box and spam began to increase slowly at first but
yesterday and today is about 40+. Is this just coincidence?
--
hugh
It may be more complicated but is it better?

jasee

Dec 7, 2009, 1:31:17 PM
Nicholas D. Richards wrote:
> In article <iI-dnQ2dBb2edYHW...@bt.com>, jasee
> <ja...@btinternet.com> on Mon, 7 Dec 2009 at 11:33:29 awoke Nicholas
> from his slumbers and wrote

>> Vista: the hd dvd player that thinks it's an operating system ©JC
>> 2009 Windows 7: a faster dvd player
>
> In the same vein, how would you describe Windows XP, Windows ME and
> Windows 98?

I can't, they're not in the same vein anyway. Vista was such a very radical
departure from the NT line: NT 3.5, NT 4, Windows 2000, XP, Vista, Windows
7 (I've omitted a few servers), whereas Windows ME and Windows 98 are
directly descended from DOS.


Paul Terry

Dec 7, 2009, 1:46:41 PM
In message <P2jKHyJ$gUHL...@raefell.demon.co.uk>, hugh
<hugh@[127.0.0.1]> writes

>Interesting thread. I've had TP set to reject unrecognised addresses
>for some time and the spam rate has dropped virtually to zero. Friday I
>unticked the box and spam began to increase slowly at first but
>yesterday and today is about 40+. Is this just coincidence?

No coincidence at all: most spam is sent to "unknown" addresses, so by
unticking this option you should expect to receive some spam (a bit more
than usual at the moment, for reasons mentioned in this thread).

The option to reject email to unrecognised addresses has a downside -
any genuine email from a contact who mistypes your address will be
rejected. Only you can be the arbiter of that risk. Most people select
addresses from their address book or click on a link, neither of which
ought to cause a problem. But some people manually type addresses, and
that's where the risk lies.

For that reason, I prefer to limit my email rejection to a few addresses
that I know are only used by spammers. K9 classifies the rest, so I can
browse through the spam list at intervals in order to check that nothing
important has been overlooked.
--
Paul Terry

hugh

Dec 7, 2009, 3:54:42 PM
In message <E0qYrqAR2UHLFAc$@musonix.demon.co.uk>, Paul Terry
<ne...@nospam.demon.co.uk> writes

>In message <P2jKHyJ$gUHL...@raefell.demon.co.uk>, hugh
><hugh@[127.0.0.1]> writes
>
>>Interesting thread. I've had TP set to reject unrecognised addresses
>>for some time and the spam rate has dropped virtually to zero. Friday
>>I unticked the box and spam began to increase slowly at first but
>>yesterday and today is about 40+. Is this just coincidence?
>
>No coincidence at all: most spam is sent to "unknown" addresses, so by
>unticking this option you should expect to receive some spam (a bit
>more than usual at the moment, for reasons mentioned in this thread).
>
I don't quite follow your argument. With the reject active I would still
get spam but it would appear as rejected in the Connect dialogue box -
and I have been getting just a few. If it is not a coincidence that the
spam increased when I stopped rejecting, that would imply some monitoring of
rejects by the spammer, would it not? So I suppose I was really asking if
they actually would do that.

>The option to reject email to unrecognised addresses has a downside -
>any genuine email from a contact who mistypes your address will be
>rejected. Only you can be the arbiter of that risk. Most people select
>addresses from their address book or click on a link, neither of which
>ought to cause a problem. But some people manually type addresses, and
>that's where the risk lies.
>
Yes I am aware of that but on the other hand if their e-mail is rejected
hopefully they would examine their typing very carefully.

>For that reason, I prefer to limit my email rejection to a few
>addresses that I know are only used by spammers. K9 classifies the
>rest, so I can browse through the spam list at intervals in order to
>check that nothing important has been overlooked.
When not rejecting I dump mine into a spam folder and have a quick scan
through but it would be easy to overlook a mis-typed valid one amongst
all the junk - and then the sender thinks you have received their
e-mail, which is probably a worse scenario than having it positively
rejected.

David Bolt

Dec 7, 2009, 8:08:02 PM
On Monday 07 Dec 2009 20:54, while playing with a tin of spray paint,
hugh painted this mural:

> In message <E0qYrqAR2UHLFAc$@musonix.demon.co.uk>, Paul Terry
> <ne...@nospam.demon.co.uk> writes

> If it is not a coincidence that the

> spam increased when I stop rejecting that would imply some monitoring of
> rejects by the spammer would it not?

It's most likely to be a coincidence. Virtually all spam is sent using
forged sender addresses, which means that any bounces end up in an
innocent user's mailbox because the spammer forged their address. And,
if the supposed sender's address is completely made up, a bounce gets
rejected and the double-bounce ends up going to the postmaster.

This is what happens when you receive mail by SMTP, accept the mail and
then your server decides it can't actually deliver it[0]. With POP3,
rejecting the mail doesn't send back a bounce and the rejected mail is
just deleted.

> So I suppose I was really asking if
> they actually would do that

I don't think the majority of spammers have done that for over a
decade.

>>The option to reject email to unrecognised addresses has a downside -
>>any genuine email from a contact who mistypes your address will be
>>rejected. Only you can be the arbiter of that risk. Most people select
>>addresses from their address book or click on a link, neither of which
>>ought to cause a problem. But some people manually type addresses, and
>>that's where the risk lies.
>>
> Yes I am aware of that but on the other hand if their e-mail is rejected
> hopefully they would examine their typing very carefully.

Only if they know that their mail wasn't received. Receiving mail using
POP3 won't let them know their mail wasn't received.

>>For that reason, I prefer to limit my email rejection to a few
>>addresses that I know are only used by spammers. K9 classifies the
>>rest, so I can browse through the spam list at intervals in order to
>>check that nothing important has been overlooked.
> When not rejecting I dump mine into a spam folder and have a quick scan
> through but it would be easy to overlook a mis-typed valid one amongst
> all the junk - and then the sender thinks you have received their
> e-mail, which is probably a worse scenario than having it positively
> rejected.

Unless you're receiving the mail using POP3, or using Turnpike's
"Reject mail"[1] after it's been received, they won't know if it's
arrived or not. Once it's placed into the POP3 mailbox, it's been
delivered whether you received it, rejected it, or dumped it into
a spam folder and then erroneously deleted it.


[0] This also happens with Demon's servers. If mail collection is only
for specific users, those that aren't collected after 30 days result
in a bounce being sent back to the purported sender. Three guesses who
those are most likely to be.

[1] Not sure on the exact name of it, but the effect is to fake a
bounce and send it back to the purported sender.

Regards,
David Bolt

--
Team Acorn: www.distributed.net OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 11.0 32b | | openSUSE 11.2 32b |
openSUSE 11.0 64b | openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
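The distinction David draws above, between refusing a recipient while the SMTP session is still open and accepting the message then bouncing it, as an added example that is not part of his post and is not Demon's or Turnpike's code. It is a toy SMTP receiver written for this page: the host name `myhost.example`, the single known mailbox and the client transcript are constructed, and the "return anything accepted for a mailbox that does not exist" step stands in for the 30-day return of uncollected mail discussed further down the thread. It also illustrates the point made later about Demon rejecting at RCPT TO before any body is sent.

```python
# Added example: a toy SMTP receiver showing why a recipient refused at
# RCPT TO produces no backscatter, while a message accepted and bounced
# later does.  Not Demon's or Turnpike's code; the host, the single known
# mailbox and the transcript below are constructed for this page.
from dataclasses import dataclass, field

KNOWN_RECIPIENTS = {"peter@myhost.example"}   # assumed: the only real mailbox


@dataclass
class Outcome:
    transcript: list = field(default_factory=list)  # (client line, server reply)
    stored: list = field(default_factory=list)      # (envelope sender, rcpts, body)
    bounces: list = field(default_factory=list)     # (envelope sender, failed rcpts)


def _address(arg):
    """'FROM:<a@b>' -> 'a@b'; 'FROM:<>' -> '' (the null sender)."""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


def smtp_session(client_lines, known=KNOWN_RECIPIENTS, reject_at_rcpt=True):
    """Answer each client line, then 'deliver' whatever was accepted."""
    out = Outcome()
    sender, rcpts, body, in_data = None, [], [], False
    for line in client_lines:
        if in_data:
            if line != ".":
                body.append(line[1:] if line.startswith("..") else line)  # un-dot-stuff
                continue                      # data lines get no reply
            in_data = False
            out.stored.append((sender, rcpts, "\n".join(body)))
            sender, rcpts, body = None, [], []
            reply = "250 2.0.0 OK: queued"
        else:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply = "250 mail.myhost.example"
            elif verb == "MAIL":
                sender = _address(arg)
                reply = "250 2.1.0 Sender OK"
            elif verb == "RCPT":
                rcpt = _address(arg)
                if reject_at_rcpt and rcpt not in known:
                    reply = "550 5.1.1 User unknown"   # refused now: nothing to bounce later
                else:
                    rcpts.append(rcpt)
                    reply = "250 2.1.5 Recipient OK"
            elif verb == "DATA":
                if rcpts:
                    in_data = True
                    reply = "354 End data with <CR><LF>.<CR><LF>"
                else:
                    reply = "503 5.5.1 No valid recipients"
            elif verb == "QUIT":
                reply = "221 2.0.0 Bye"
            else:
                reply = "500 5.5.2 Command unrecognized"
        out.transcript.append((line, reply))

    # Delivery after acceptance.  Anything queued for a mailbox that does not
    # exist (or, per the 30-day rule quoted in the thread, is never collected)
    # is returned to the envelope sender, i.e. to whoever was forged.  The one
    # exception is the null sender: a bounce of a bounce is never generated.
    for sender, accepted, _ in out.stored:
        failed = [r for r in accepted if r not in known]
        if failed and sender:
            out.bounces.append((sender, failed))
    return out


SPAM_RUN = [   # constructed: forged envelope sender, harvested-looking recipient
    "EHLO bot.example",
    "MAIL FROM:<victim@innocent.example>",
    "RCPT TO:<rqzu8obm@myhost.example>",
    "DATA",
    "Subject: cheap pills",
    "",
    "buy now",
    ".",
    "QUIT",
]


def compare():
    """Same spam run under both policies: (refused at RCPT, accepted then bounced)."""
    return (smtp_session(SPAM_RUN, reject_at_rcpt=True),
            smtp_session(SPAM_RUN, reject_at_rcpt=False))


if __name__ == "__main__":
    for label, result in zip(("reject at RCPT", "accept then bounce"), compare()):
        print(label, "->", len(result.stored), "stored,", len(result.bounces), "bounces")
```

With `reject_at_rcpt=True` the session answers 550 at RCPT TO, DATA is refused with 503 because there are no recipients, and nothing is stored, so there is nothing to return to the forged sender (the toy keeps answering a bot that blasts the body anyway, as a real server would). With it off the same message is queued and `victim@innocent.example` receives the DSN. The null-sender case is the rule that stops backscatter cascading: a bounce is sent with `MAIL FROM:<>` and a message from the null sender is never bounced again, which is the "double-bounce goes to the postmaster" behaviour David mentions.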

jasee

Dec 8, 2009, 2:42:48 AM
David Bolt wrote:

>
> [0] This also happens with Demon's servers. If mail collection is only
> for specific users, those that aren't collected after 30 days result
> in a bounce being sent back to the purported sender. Three guesses who
> those are most likely to be.
>
> [1] Not sure on the exact name of it, but the effect is to fake a
> bounce and send it back to the purported sender.

Surely this is extremely unwise of Demon, do they really do this? It's
likely to be some innocent person or go nowhere, generating another bounce,
just going to increase the enormous quantity of spam. I can't believe they
do this. If it does actually get to the person responsible, they'll figure
out that there is someone at home, rather than a black hole.


David Bolt

Dec 8, 2009, 4:04:41 AM
On Tuesday 08 Dec 2009 07:42, while playing with a tin of spray paint,
jasee painted this mural:

> David Bolt wrote:
>
>>
>> [0] This also happens with Demon's servers. If mail collection is only
>> for specific users, those that aren't collected after 30 days result
>> in a bounce being sent back to the purported sender. Three guesses who
>> those are most likely to be.
>>
>> [1] Not sure on the exact name of it, but the effect is to fake a
>> bounce and send it back to the purported sender.
>
> Surely this is extremely unwise of Demon, do they really do this?

As far as I know, they still do. It's still mentioned in their help
documents:

http://www.demon.net/helpdesk/technicallibrary/misc/general/pop3smtp.html

<quote>
Demon's mail servers hold your mail for 30 days, after which it will be
returned to the sender as non deliverable and deleted from the Demon server.
</quote>

> it's
> likely to be some innocent person or go no-where generating another bounce,
> just going to increase the enormous quantity of spam.

I couldn't say which is the more likely to happen but it's still a bad
idea as there are many people out there that consider backscatter as
spam and they may blacklist the IP address sending them the bounce. By
definition a bounce received for a mail that the user didn't send
themselves, or authorise someone to send on their behalf, is spam. It's
unsolicited, most likely to be bulk, and definitely email.

> I can't believe they
> do this.

It's easy to confirm if you don't collect mail for every address at
$host.demon.co.uk. You just need to send a mail to an address at your
host, one that you don't usually collect, but using a different one as
the sender. As long as the sender address is one that you would
normally collect mail for, after 30 days you should end up with a
bounce for the "undelivered" email.

hugh

Dec 8, 2009, 6:02:45 AM
In message <5508512.T...@dev.null.davjam.org>, David Bolt
<blackl...@davjam.org> writes
Thanks for your explanation David

jasee

Dec 8, 2009, 3:40:59 PM
David Bolt wrote:
> On Tuesday 08 Dec 2009 07:42, while playing with a tin of spray paint,
> jasee painted this mural:
>
>> David Bolt wrote:
>>
>>>
>>> [0] This also happens with Demon's servers. If mail collection is
>>> only for specific users, those that aren't collected after 30 days
>>> result in a bounce being sent back to the purported sender. Three
>>> guesses who those are most likely to be.
>>>
>>> [1] Not sure on the exact name of it, but the effect is to fake a
>>> bounce and send it back to the purported sender.
>>
>> Surely this is extremely unwise of Demon, do they really do this?
>
> As far as I know, they still do. It's still mentioned in their help
> documents:
>
> http://www.demon.net/helpdesk/technicallibrary/misc/general/pop3smtp.html
>
> <quote>
> Demon's mail servers hold your mail for 30 days, after which it will
> be returned to the sender as non deliverable and deleted from the
> Demon server. </quote>

I must say I had thought they did this only for legitimate mail, not for mail
which they classed as spam.

Andy

Dec 8, 2009, 4:24:18 PM
jasee <ja...@btinternet.com> and David Bolt wrote
[

>> <quote>
>> Demon's mail servers hold your mail for 30 days, after which it will
>> be returned to the sender as non deliverable and deleted from the
>> Demon server. </quote>
>
>I must say I had thought they did this only for legitimate mail not for mail
>which they classed as spam
>
My belief is that if THEY think it's spam they bin it at once. If not,
it stays on their system for 30 days and is then returned. This will
happen if (a) you don't collect any mail for 30 days - eg you're abroad
(b) you have set your TP not to collect mail of certain types - eg you
only collect mail for specific addys, leaving the rest with Demon. I am
not sure what happens if you're using mirroring.
Message has been deleted

Denis McMahon

Dec 8, 2009, 5:24:17 PM
Mike Henry wrote:

> Mail which Demon's system detects as spam doesn't arrive in the first
> place, so it's not sitting in your email box for anything between 0
> seconds-30 days and therefore the issue doesn't arise. It's rejected
> before the sender has a chance to send any of the message body.

So Demon's spam filtering is based solely on delivering MTA and RCPT TO?

Rgds

Denis McMahon

David Bolt

Dec 8, 2009, 6:42:03 PM
On Tuesday 08 Dec 2009 20:40, while playing with a tin of spray paint,
jasee painted this mural:

> David Bolt wrote:

The spam filters aren't perfect, and never will be, and so some spam
manages to get past them. Just looking at the comments here shows some
users receive several spams per day that manage to get through the
defences, although considerably less than they would receive if the
filtering wasn't in place[0]. It's these that are going to result in
a bounce if they aren't deleted using POP3, or some other method of
deleting spams[2].


[0] Before my change of service[1], and the subsequent change of host
name, I was receiving upwards of 12,000 spams per day to my unfiltered
host, with a fair number of days where this exceeded 15,000. With
the filtering in place, it was often less than 140 per day. At the time, I
was receiving significantly more than the more normal users, similar
amounts to others who were/are still active Usenet users, but still
only around a quarter of RC's spam load.

[1] I ran an old dial-up account in parallel with an ADSL account, both
of which were closed almost two years ago when I moved on to the
present business account.

[2] Soruk, or Michael McConnell, wrote a very useful application called
pop3clean. If it's run and provided with a list of known addresses, it
goes through a Demon POP3 mailbox and deletes those mails sent to
addresses not specified. If it's run without the list of valid
addresses, it provides a list of all the destination addresses. It's
fast at what it does. When I was using it, up to roughly a year and a
half ago, I clocked it at about 18.5 deletions per second. If the
POP3 servers have since been updated for faster machines, this could
even be higher as, at the time, the main rate limiter was waiting for
the server to process the DELE commands upon exiting. You can find a
copy of it here:

<URL:http://www.eridani.co.uk/pop3clean/>
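The recipient-allowlist idea that runs through this thread, as an added Python 3 example that is not pop3clean's code and not Turnpike's: it covers the harvested local-parts in Andy's finger listing, the "reject unrecognised addresses" option Paul Terry and hugh weigh up, and the TOP-then-DELE walk of a Demon mailbox David describes here. It assumes the Demon arrangement the thread describes, where every local-part at your host lands in one POP3 mailbox. The host name `myhost.example`, the known local-parts and the four sample messages are constructed, and the `FakePOP3` class exists only so the walk runs offline; `clean_real_mailbox` is the same walk over the standard `poplib` client.

```python
# Added example, not pop3clean's or Turnpike's code: walk a Demon-style
# POP3 mailbox with TOP (headers only) and delete mail sent to local-parts
# you never use.  Host, local-parts and sample messages are constructed.
import email
from email.utils import getaddresses
import poplib

MY_HOST = "myhost.example"                   # assumed: everything@here is one mailbox
KNOWN_LOCAL_PARTS = {"peter", "postmaster"}  # assumed: the local-parts really in use
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")


def recipients_of(raw_headers):
    """Every address named in the recipient headers, lower-cased."""
    msg = email.message_from_bytes(raw_headers)
    found = set()
    for hdr in RECIPIENT_HEADERS:
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            if addr:
                found.add(addr.lower())
    return found


def classify(recipients, known_local_parts=KNOWN_LOCAL_PARTS, my_host=MY_HOST):
    """'known'  : addressed to a local-part you use             -> keep
       'unknown': only to local-parts you never use (harvested)  -> delete
       'unseen' : no address at your host in the headers (Bcc or
                  list mail): the envelope is not visible, so keep."""
    local = {a.split("@", 1)[0] for a in recipients if a.endswith("@" + my_host)}
    if not local:
        return "unseen"
    return "known" if local & {k.lower() for k in known_local_parts} else "unknown"


def clean_mailbox(client, known_local_parts=KNOWN_LOCAL_PARTS, my_host=MY_HOST,
                  delete=False):
    """Return (message numbers judged 'unknown', every recipient seen).
    Run once with delete=False to get the address list, check it, then
    with delete=True.  DELE only takes effect when the session QUITs."""
    _, listing, _ = client.list()
    doomed, seen = [], set()
    for entry in listing:
        num = int(entry.split()[0])
        _, lines, _ = client.top(num, 0)            # headers, no body lines
        rcpts = recipients_of(b"\r\n".join(lines) + b"\r\n\r\n")
        seen |= rcpts
        if classify(rcpts, known_local_parts, my_host) == "unknown":
            doomed.append(num)
            if delete:
                client.dele(num)
    return doomed, seen


def clean_real_mailbox(host, user, password, delete=False):
    """The same walk against a real server; not exercised offline."""
    client = poplib.POP3(host)
    try:
        client.user(user)
        client.pass_(password)
        return clean_mailbox(client, delete=delete)
    finally:
        client.quit()                                # commits the DELEs


class FakePOP3:
    """Just enough of poplib.POP3 for the sample mailbox below to run offline."""
    def __init__(self, messages):
        self.messages = dict(enumerate(messages, start=1))
        self.deleted = []

    def list(self):
        return b"+OK", [f"{n} {len(m)}".encode() for n, m in self.messages.items()], 0

    def top(self, which, howmuch):
        return b"+OK", self.messages[which].split(b"\r\n"), 0

    def dele(self, which):
        self.deleted.append(which)
        return b"+OK"


SAMPLE_MAILBOX = [   # constructed headers, as a server would return them
    b"From: friend@other.example\r\nTo: Peter <peter@myhost.example>\r\nSubject: hello\r\n",
    b"From: sales@spamsender.example\r\nTo: rqzu8obm@myhost.example\r\nSubject: Cialis\r\n",
    b"From: friend@other.example\r\nTo: petre@myhost.example\r\nSubject: typo in your address\r\n",
    b"From: talk@lists.example\r\nTo: talk@lists.example\r\nSubject: [talk] digest\r\n",
]


def demo():
    """(numbers judged unknown, what the fake server was told to DELE, every recipient seen)."""
    client = FakePOP3(SAMPLE_MAILBOX)
    doomed, seen = clean_mailbox(client, delete=True)
    return doomed, client.deleted, sorted(seen)
```

Messages 2 and 3 are deleted: the harvested `rqzu8obm@` one is the intended target, and the mistyped `petre@` one is exactly the downside Paul Terry describes, which is why the walk returns every address it saw before anything is removed. Message 4 is kept as "unseen": a Bcc or list delivery shows no address at your host in its headers, so the envelope recipient is unknown unless the server records it in a header such as `Delivered-To`, and deleting on that evidence would be a guess.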

David Bolt

Dec 8, 2009, 7:10:28 PM
On Tuesday 08 Dec 2009 22:24, while playing with a tin of spray paint,
Denis McMahon painted this mural:

As far as I know, Cloudmark uses content filtering as (a part of?) its
method of spam determination. I don't know if there's an element of
DNSBL use to it, but it'd be surprising if there wasn't some notice
taken about where the spam originates. Unfortunately, or fortunately,
the methodology behind it is kept secret so there's no way for end
users to know for certain. Or, at least not without someone in the
know actually giving some of the broader details. I'd very much expect
specifics to stay secret so as to prevent spammers working around them
any quicker than they already are trying to.

Denis McMahon

Dec 9, 2009, 7:18:53 AM
David Bolt wrote:
> On Tuesday 08 Dec 2009 22:24, while playing with a tin of spray paint,
> Denis McMahon painted this mural:
>
>> Mike Henry wrote:
>>
>>> Mail which Demon's system detects as spam doesn't arrive in the first
>>> place, so it's not sitting in your email box for anything between 0
>>> seconds-30 days and therefore the issue doesn't arise. It's rejected
>>> before the sender has a chance to send any of the message body.
>> So demons spam filtering is based solely on delivering mta and rcpt-to?
>
> As far as I know, Cloudmark uses content filtering as (a part of?) it's
> method of spam determination. I don't know if there's an element of
> DNSBL use to it, but it'd be surprising if there wasn't some notice
> taken about where the spam originates.

Yeah, I'd have thought that spam detection at the isp level would use a
combination of:

1) The overall pattern of emails being received
2) Where they're coming from
3) What they contain

(3) would require accepting the emails to analyse content. If (3) was
working I'd expect these mass mailings from multiple addresses to
multiple users all containing similar items (especially the image files)
to be detected.

I guess Cloudmark has dropped the ball on this one.

Rgds

Denis McMahon

James Coupe

Dec 10, 2009, 5:55:12 AM
Denis McMahon <denis.m....@gmail.com> wrote:
>Yeah, I'd have thought that spam detection at the isp level would use a
>combination of:
>
>1) The overall pattern of emails being received
>2) Where they're coming from
>3) What they contain

I think it was Brightmail (the people before Cloudmark) who also ran a
number of honey-pots that were never used for anything legitimate at
all. Mail going to those was always spam, so they could use that to
tweak their spam detection too.

--
James Coupe
PGP Key: 0x5D623D5D YOU ARE IN ERROR.
EBD690ECD7A1FB457CA2 NO-ONE IS SCREAMING.
13D7E668C3695D623D5D THANK YOU FOR YOUR COOPERATION.

Denis McMahon

Dec 10, 2009, 7:57:11 AM
James Coupe wrote:
> Denis McMahon <denis.m....@gmail.com> wrote:
>> Yeah, I'd have thought that spam detection at the isp level would use a
>> combination of:
>>
>> 1) The overall pattern of emails being received
>> 2) Where they're coming from
>> 3) What they contain
>
> I think it was Brightmail (the people before Cloudmark) who also ran a
> number of honey-pots that were never used for anything legitimate at
> all. Mail going to those was always spam, so they could use that to
> tweak their spam detection too.

Yeah, just a bit concerned that after 4 days (I think) this latest pile
of spams is still making it through.

Having looked at a couple of the images, it seems that there's a limited
number of urls being used but that the image files are being generated
dynamically using some random params.

I guess it's a case of hunting down the websites.

Heh, surprise surprise, no contact information apart from a phone number
that I bet goes to a prepay mobile. From the website:

"Why is your product so cheap?
There is a number of reasons for that. We do not spend anything on
marketing, there are no taxes to be paid as the product comes into the
country unregistered, the manufacturer is located in an offshore zone
and the production costs are way lower. No child labor is used."

They forgot to add "the product is made from sugar, flour, water and
food colouring, with a random selection of waste industrial chemicals."

I see that the registrar and registrant are in China, as is the hosting,
although the website I looked at is "Canadian Pharmacy".

It's a pity the Great Firewall of China doesn't keep all their rubbish in.

Rgds

Denis McMahon

Darren Salt

Dec 10, 2009, 11:03:08 AM
I demand that Denis McMahon may or may not have written...

[snip]


> I see that the registrar and registrant are in china, as is the hosting,
> although the website I looked at is "Canadian Pharmacy".

I recall a case, a month or two ago, in which a site was hacked such that if
you visited it normally, you'd see the normal content, but if you arrived
there from Google, you'd be redirected to a certain pharm-acy...

> It's a pity the Great Firewall of China doesn't keep all their rubbish in.

Agreed.

--
| Darren Salt | linux at youmustbejoking | nr. Ashington, | Doon
| using Debian GNU/Linux | or ds ,demon,co,uk | Northumberland | Army
| + http://www.youmustbejoking.demon.co.uk/ & http://tlasd.wordpress.com/

And don't start a sentence with a conjunction.

Richard Clayton

Dec 10, 2009, 4:20:06 PM
In article <Q4adnW-sVIm6bb3W...@giganews.com>, Denis
McMahon <denis.m....@gmail.com> writes

>Yeah, just a bit concerned that after 4 days (I think) this latest pile
>of spams is still making it through.

the senders are competent...

... most pharmacies are run as affiliate schemes, so that any spammer
who wants can advertise the products, and if people buy then they get a
cut. Usually the website names you see are specific to a particular
spammer, whereas the backend site where the purchase is actually done is
rather more generic.

So if you have a good spam sending technology, this is the place to make
money with it whilst the filtering companies are still struggling and
you can crowd out competitors by being more in-your-face when people
decide they are going to purchase.

>Having looked at a couple of the images, it seems that there's a limited
>number of urls being used but that the image files are being generated
>dynamically using some random params.

as I said, competent. This type of email is very difficult for filters
to deal with...

>I guess it's a case of hunting down the websites.

... the websites are quite easy to find, but many are botnet hosted, so
that's not a very useful thing to do. The actual problem is persuading
the registrar to pull the domain name, and in general there's no-one
with significant resources trying to do that.

>Heh, surprise surprise, no contact information apart from a phone number
>that I bet goes to a prepay mobile. From the website:
>
>"Why is your product so cheap?
>There is a number of reasons for that. We do not spend anything on
>marketing, there are no taxes to be paid as the product comes into the
>country unregistered, the manufacturer is located in an offshore zone
>and the production costs are way lower. No child labor is used."
>
>They forgot to add "the product is made from sugar, flour, water and
>food colouring, with a random selection of waste industrial chemicals."

not always -- it may be sourced from the third world, or time expired,
or home made from raw ingredients. For products like sleeping pills
there is no money in shipping placebo; since if you ship product with an
active ingredient you will get repeat orders -- and thereby continue to
make money. The journalists always seem to purchase and test the blue
pills (makes for a racier story I expect) and they generally find more
fakes... possibly because placebo is more likely to work :)

--
richard @ highwayman . com "Nothing seems the same
Still you never see the change from day to day
And no-one notices the customs slip away"
