spamassassin-users mailing list archives

From "Bill Cole" <sausers-20150...@billmail.scconsult.com>
Subject Re: Spam URLs based on my email address!
Date Fri, 30 Sep 2016 03:59:47 GMT
On 29 Sep 2016, at 8:16, Mark London wrote:

> This was an email message sent to my markrlondon@gmail.com account.  
> Note the hostname of markrlondon23474.seksizlex.co! - Mark
>
> <html>
> <img flipkart.com 
> SrC="markrlondon23474.seksizlex.co/PFDWKUMKLVZ-NNHSLPKXP!uvobp/ralzgcsh~v/

Nothing new and easily done with a DNS wildcard:

$ host markrlondon23474.seksizlex.co
markrlondon23474.seksizlex.co is an alias for metrakareemlak.co.uk.
metrakareemlak.co.uk has address 192.187.104.254
metrakareemlak.co.uk mail is handled by 10 metrakareemlak.co.uk.

$ host babblebabblefoobarbaz.seksizlex.co
babblebabblefoobarbaz.seksizlex.co is an alias for metrakareemlak.co.uk.
metrakareemlak.co.uk has address 192.187.104.254
metrakareemlak.co.uk mail is handled by 10 metrakareemlak.co.uk.

More interesting to me:

There are weird patterns in the HTML you posted which match patterns I 
have in quite strong and rather old custom rules that I use on my own 
mail systems and systems I manage for others. Those rules are almost 
pointless *for those sites* these days, hitting a few times per month on 
average in 2016 across a half dozen systems with many thousands of 
messages reaching content filters daily. Those systems also reject the 
overwhelming majority of SMTP sessions at RCPT or earlier well before 
content filtering. This makes me wonder: where did that mail come from? 
I know that content, I've known that content for a decade, so I have to 
believe that most mail admins who don't have my level of narcissism have 
also noticed it and quietly have been tossing it for years. Apparently 
that does not include the geniuses at Google...

So, anyway, where did that crap come from?
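
The wildcard behaviour in the `host` output above, and the recipient name embedded in the hostname, can both be checked mechanically. This is an added example, not part of the original message or of SpamAssassin; the function names are hypothetical and `sample_resolver` is a constructed stand-in for real DNS that mirrors the quoted lookups.

```python
import re
import secrets

# Constructed stand-in for DNS, mirroring the `host` output quoted above:
# every name under seksizlex.co answers with the same CNAME target.
def sample_resolver(name):
    if name.endswith(".seksizlex.co"):
        return "metrakareemlak.co.uk."
    if name == "www.example.org":
        return "192.0.2.10"
    return None  # treated as NXDOMAIN

def parent_zone(host):
    """Drop the leftmost label (assumes the wildcard sits one level up)."""
    return host.split(".", 1)[1]

def is_wildcarded(host, resolve, probes=3):
    """True if random sibling labels resolve to the same answer as `host`."""
    answer = resolve(host)
    if answer is None:
        return False
    zone = parent_zone(host)
    for _ in range(probes):
        probe = f"{secrets.token_hex(8)}.{zone}"
        if resolve(probe) != answer:
            return False
    return True

def embeds_localpart(host, recipient):
    """True if the leftmost label contains the recipient's local part."""
    local = re.sub(r"[^a-z0-9]", "", recipient.split("@", 1)[0].lower())
    label = host.split(".", 1)[0].lower()
    # Assumption: ignore very short local parts to limit chance matches.
    return len(local) >= 4 and local in label

def score_url_host(host, recipient, resolve=sample_resolver):
    """Return the list of heuristics that fired for one URL hostname."""
    hits = []
    if embeds_localpart(host, recipient):
        hits.append("recipient-in-hostname")
    if "." in host and is_wildcarded(host, resolve):
        hits.append("wildcard-dns")
    return hits
```

Against live mail, `resolve` would be replaced by a real DNS lookup that returns the CNAME target or address for a name.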
