Thursday, September 18, 2008

Are spammers data mining the spamtraps and troublesome addresses?

A while back blogspot became a major headache for spam filtering. Spammers were using the free accounts to redirect hapless victims to their scam/pills/phishing sites, bypassing the URIBL by using this whitelisted domain.

Thankfully, the URIBL added blogspot to the Grey list and allowed submitters to include the sub-domains in the Black list. The problem subsided, but the spammers had discovered a new source of really annoying URI and they were not going to give up that easily.

The spammers have since spread out to a number of free hosters, the most annoying for me is livefilestore.com. A unique sub-domain turns up in one of my spamtraps at the rate of around 1 per 5 minutes. Most of the domains or emails that turn up in my traps have already been submitted to the lists so I don't have to do much, however these livefilestore domains are always unique and no one else seems to submit the same ones as me.

This brings me back to a previous thought I had regarding these unlimited, unique sub-domains. Back when blogspot spams were at their peak, I noticed that within a day of submitting a sub-domain to the URIBL, the amount of spam received by that trap was reduced to a crawl.

I conducted an experiment at the time of only submitting blogspot sub-domains on a subset of the total spamtraps and was gobsmacked at the fall in the spam load on only the addresses from which I had reported. Just to make sure I wasn't seeing things, I submitted all the domains from all the spamtraps and observed the same dramatic fall on them all.

As a result of this, I stopped submitting blogspot domains to the URIBL for a while and wrote a script that clicked the "flag" button in the navigation bar instead. Spammers being what they are, the spam load on all the spamtraps (and quite a few new ones that still have me scratching my head) increased to the previous load over the next few months. The blogspot staff were relatively swift at removing the offending sites, and I still got my spam to train filters with ;)

Warp forward to the current day and the livefilestore sub-domains (the main domain of which has been listed in Black for over a month now). I seem to have an unlimited supply of spamtraps over quite a few domains since some moron decided to pick up the message ids in my posts to mailing lists and newsgroups as email addresses! For every email I have ever sent to a public forum, I get at least 5 distinct traps. I ended up configuring my mail server to just trap anything sent to an address that looks like a message id. They aren't even close to any legitimate email addresses on the domain so there is no possibility of a typo finding its way into a spamtrap.

The end result of which is that I have a lot of unique traps. Over the past few weeks, those traps have been getting mostly unique livefilestore sub-domains delivered to each of them. There have been a few repeats, but they mostly happen when an email is delivered to more than one address in a single connection. Upon submission of these sub-domains, there was an increase in the spam load overall, but to different traps. By now, most of the addresses I had already seen had a reported URI on them. It almost seemed like a systematic delivery to every single address to feel them out.

Following the weekend lull, the livefilestore domains started coming thick and fast across all the traps again. They still seem to end up in traps that have never seen spam before, but there are a larger quantity heading to previously well known addresses too. Tentatively probing further addresses while dumping crap on known "working"#1 addresses.

If only they knew that I only get a daily summary and everything else is handled by computer, never to be read by a human and hopefully saving countless humans from seeing their crap :P

So are spammers using unique sub-domains to data mine the location of the email addresses that report them? Are they using this to help increase the effectiveness of their spam runs by avoiding those who would report them? I probably haven't put my story forward well enough to tell, especially since I don't provide raw figures to play with (I don't have the metrics in place to gauge things properly). Hopefully, I've put enough of an idea forward for someone to have a think about this and look at their data to see if the same idea fits there too.

... of course, that only works if someone reads this ;) As if!

#1 I permanently reject all messages sent to spamtraps

Monday, July 28, 2008

The crawlies have found my hooks

The seeded address that I lost back in March (Lost in the ether) turned out to be hidden in the most straightforward place - on my home page for the first domain I ever registered.

It has turned out to be one of the most successful spamtrap seeds, considerably outdoing the dynamically generated email address present on the same page.

The dynamic address includes a static component as well as the day and IP address of the computer that accessed the page, encrypted with a simple Caesar cipher to make it look like a long English address. Enough information to find all the related accesses in the web server logs. Every different host getting a different email address must make it look too fishy for the spammers, as I've only received one spam on that type of address, while the static address has been getting progressively more emails as the months go on.
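The per-visitor trap address described above, as an added worked example that is not the blog's own code: the encoding details (the "news" prefix, digits mapped to the letters a-j, dots to "k", a shift of 7) and the sample log lines are my own assumptions, as the post does not give its scheme. The decoder recovers the day and IP so that the matching accesses can be pulled out of an Apache-style log.

```python
import ipaddress
import re
from datetime import date

# Assumed scheme (not from the post): local part = STATIC + Caesar(payload),
# payload = YYYYMMDD "." dotted-quad, with digits written as a-j and "." as "k".
STATIC = "news"
SHIFT = 7
DOT = "k"
DOMAIN = "atarandomdotcom.com"  # the domain named elsewhere in the blog
DIGIT_TO_LETTER = {str(d): chr(ord("a") + d) for d in range(10)}
LETTER_TO_DIGIT = {v: k for k, v in DIGIT_TO_LETTER.items()}


def caesar(text: str, shift: int) -> str:
    """Shift lowercase a-z by `shift` places (negative shift decrypts)."""
    return "".join(chr((ord(c) - 97 + shift) % 26 + 97) for c in text)


def make_trap_address(day: date, ip: str) -> str:
    """Build the address handed to one visitor on one day."""
    ipaddress.IPv4Address(ip)  # raises on anything that is not a dotted quad
    raw = day.strftime("%Y%m%d") + "." + ip
    payload = "".join(DOT if c == "." else DIGIT_TO_LETTER[c] for c in raw)
    return f"{STATIC}{caesar(payload, SHIFT)}@{DOMAIN}"


def decode_trap_address(addr: str):
    """Return (day, ip) for one of our trap addresses, else None."""
    local, _, domain = addr.partition("@")
    tail = local[len(STATIC):]
    if domain != DOMAIN or not local.startswith(STATIC) or not re.fullmatch(r"[a-z]+", tail):
        return None
    plain = caesar(tail, -SHIFT)
    raw = "".join("." if c == DOT else LETTER_TO_DIGIT.get(c, "?") for c in plain)
    m = re.fullmatch(r"(\d{8})\.(\d{1,3}(?:\.\d{1,3}){3})", raw)
    if not m:
        return None  # shape is wrong: a mangled or unrelated address
    day = date(int(m[1][:4]), int(m[1][4:6]), int(m[1][6:]))
    return day, m[2]


def related_log_lines(addr: str, log_lines):
    """Keep the web server log lines from the visitor/day encoded in `addr`."""
    decoded = decode_trap_address(addr)
    if decoded is None:
        return []
    day, ip = decoded
    stamp = day.strftime("%d/%b/%Y")  # Apache common/combined log date
    return [line for line in log_lines if line.startswith(ip + " ") and stamp in line]
```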

Since starting this adventure, only 4 of 50 seeded addresses have given any results at all and only one has received multiple messages. The email addresses I have actually used in the past to subscribe to published mailing lists, bug trackers, and forums have been a consistently strong source of spamtraps. The best ones have always been well indexed on a number of sites, or included in the source code.

There are a number of other locations I have considered planting seed addresses that I haven't had the opportunity to explore yet, but I expect to play with them in the coming months. They should provide a significantly better success rate.

Tuesday, April 1, 2008

died in a blogging accident

http://xkcd.com/369/

Oh come on .. it's funny! Thousands of people writing the sentence "died in a blogging accident" all because of an amusing comic and not a chance in hell of finding what happened to the 2 people that died :P

I feel dirty for posting it on a fake blog

don't ever email
aadamrandome@atarandomdotcom.com

Tuesday, March 25, 2008

Lost in the ether

Darn it, I seeded an address onto the net somewhere but I can't figure out where! I have been keeping a record of where I put each address and when I did it so I can find the best avenues for growing as many seeds as I want.

Regardless I'm still rather displeased with the amount of crud I'm getting. In the 2 months since I started this, there have been 2 unsolicited mails to two different addresses and that's it. Either they're getting smarter and more discerning about where they pick up the addresses, or I'm just not putting them in the right place any more. It's probably a mix of the two. It is rather frustrating.

Today I will add a link from the atarandomdotcom.com webpage and see if that helps at all. Perhaps I should start posting my blog in other peoples' blogs when I find something useful to comment about .. urh .. seems so wrong and evil.

Doing something I detest to help pick up people doing things I detest. Seems I'm heading towards the grey.

The ultimate irony of it all? No one on the planet except me is ever going to read this crap :P

Thursday, March 6, 2008

Why?

Well, I've been trying to get a few email addresses out there where anything and everything can pick them up for the purpose of getting crap. Not just any crap though, I want crap that someone doing illegal activities to obtain the address thinks that I might be daft enough to be interested in and read. Then I want that same person to pass it on to all his pals.

Oh well, here goes nothing.

The following site is really boring and only serves the above mentioned goal.
AtARandomDotCom

May as well put an address here as well and hope that something picks it up. aadamblogspot@atarandomdotcom.com !
Don't email anything to that address.