spamassassin-users mailing list archives

From "Neil Schwartzman" <n...@cauce.org>
Subject Re: Interesting Spam Trap Idea - Fake Authentication
Date Tue, 11 Jun 2013 21:57:31 GMT
419ers tend to use Sendsafe. Obviously, they need to check back into the compromised account
(which often isn't the one used to *send* the email, but is a payload collector).

http://www.send-safe.com
http://www.spamhaus.org/rokso/evidence/ROK3175/ruslan-ibragimov-send-safe.com/www.send-safe.com

On Jun 11, 2013, at 2:53 PM, Dave Warren <davew@hireahit.com> wrote:

>> no, really, it's a bot.
> 
> 
> No really, it's not /always/ just a bot. I've seen a compromised account log in to webmail
> and set a signature that contained their spam, then what looked like a bot took over and started
> spamming "blank" messages (with the signature). This was a 419er, if that's relevant, and
> they later logged back in to check their replies and attempted to engage a couple victims
> before the account was shut down.
> 
> From what I could tell the account was cracked via SMTP or POP3, but after that, they
> switched to webmail.
> 
> I know that many/most such attacks are totally automated, especially when it comes to
> cracking SMTP credentials. But even when SMTP credentials are cracked, the time between the
> first few test messages and when the spam starts makes it look like there is a human involved
> somewhere (if only to grab the list of validated credentials from one bot and load them into
> the spam-sending bot).
> 
> I doubt they put much time into a typical hack when the goal is just an SMTP relay in
> general, but the 419er did.
> 
> Also remember that I'm *very* small-fry. Attacks against gorillas probably have a different
> profile than attacks against very small mail servers.

