Not too long ago, the moderation queue for the managers list at the Phoenyx filled up with dozens of backscatter posts. This was, as far as I could tell, from a spam campaign that randomized the sending address as well as the recipient address out of its database of target addresses. Most places that reject the spam (like us) do so properly (at SMTP time) rather than causing backscatter. (Actually, because it's a bot itself, the Phoenyx occasionally causes backscatter of a different flavor: when it *accepts* spam because it didn't recognize it as such, and then tries to helpfully autorespond. That's regrettable, but sometimes unavoidable.) But a small percentage of stuff gets accepted from the botnet, then rejected later - sometimes because the filtering is just plain happening in the wrong place (after the SMTP transaction is complete and the botnet has moved on), sometimes because it's a forwarded post and the final recipient is (1) stricter about filtering and (2) too lazy to check to see whether it's a forwarded post, which it should always accept.
We got hit with a more unpleasant flavor of botnet software today, though: one in which the sending addresses are randomized usernames tacked onto a real domain name.
In this case, the real domain name was fudgefactor.org. It's gotten about twenty thousand bounces in the last three hours, which kind of tells you the sheer volume of any given spam campaign (remember: these are *only* the bounces from the small percentage of places who are rejecting after the fact). Early on, they came in fast enough to saturate all the connections on our mail receiver, even though all we're doing is promptly rejecting the connection because it's not a valid fudgefactor.org address.
I'm thinking we should accept a few just so we can get a copy of the spams, so I know on whom to declare open season. I guess I'll just chalk it up to 202.86.221.60 again.
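As an added illustration (not code from the original post) of the two defensive points above: reject an unknown local part at RCPT TO time, inside the SMTP transaction, so no bounce is ever generated, and count null-sender (`from=<>`) deliveries to users who do not exist, since a bounce for mail we never sent is exactly the backscatter flood described. The user table, client IPs and log format are constructed for the example; `fudgefactor.org` is used as the local domain only because it is the domain in the post.

```python
import re
from collections import Counter

# Constructed local domain and user table for this example.
LOCAL_DOMAIN = "fudgefactor.org"
VALID_LOCAL_PARTS = {"postmaster", "managers", "alice"}

def rcpt_decision(mail_from, rcpt_to):
    """Decide the envelope's fate at RCPT TO, before DATA.

    A 5xx here reaches the sending MTA during the transaction, so the
    message is never accepted and no bounce can be generated later."""
    local, _, domain = rcpt_to.rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        return 550, "5.7.1 Relaying denied"      # not our domain at all
    if local.lower() not in VALID_LOCAL_PARTS:
        return 550, "5.1.1 User unknown"         # invalid local part: reject now
    return 250, "OK"

# Constructed sample receiver log in a simple "client= from= to=" form.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
client=203.0.113.5 from=<> to=<qx7h2@fudgefactor.org>
client=203.0.113.5 from=<> to=<m9dk1@fudgefactor.org>
client=203.0.113.5 from=<> to=<zz0pq@fudgefactor.org>
client=198.51.100.7 from=<bob@example.net> to=<alice@fudgefactor.org>
client=198.51.100.9 from=<> to=<postmaster@fudgefactor.org>
client=203.0.113.5 from=<> to=<alice@fudgefactor.org>
"""

LINE_RE = re.compile(r"client=(\S+) from=<([^>]*)> to=<([^>]+)>")

def backscatter_by_client(log_text):
    """Count, per client IP, null-sender deliveries to local parts that do not exist.

    A DSN (MAIL FROM:<>) addressed to a user that never existed can only be a
    bounce of mail we never sent, i.e. backscatter from a forged sender at our
    domain. Legitimate DSNs to real users are not counted."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                              # skip lines in another format
        client, mail_from, rcpt_to = m.groups()
        code, text = rcpt_decision(mail_from, rcpt_to)
        if mail_from == "" and code == 550 and text.startswith("5.1.1"):
            hits[client] += 1
    return hits
```

Run on a real log, the per-client counts are what you would feed a rate limit or temporary block list; the log parser is the only part tied to the constructed format.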