[71094] in North American Network Operators' Group


Re: Addresses for latest spam

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Jun 8 11:45:22 2004

To: Adi Linden <adil@adis.on.ca>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Tue, 08 Jun 2004 09:06:35 CDT."
             <Pine.LNX.4.44.0406080904240.8183-100000@adibox.knet.ca> 
From: Valdis.Kletnieks@vt.edu
Date: Tue, 08 Jun 2004 11:44:50 -0400
Errors-To: owner-nanog-outgoing@merit.edu

On Tue, 08 Jun 2004 09:06:35 CDT, Adi Linden <adil@adis.on.ca>  said:
> 
> Does anyone know how the latest email worms assemble the email addresses 
> they use? I am getting a large amount of junk destined for non-existent 
> (never existent) email accounts. So the address cannot be taken from the 
> various address books on the compromised PCs.

I'll place bets on there being 'userA@domain1.net' and 'userB@domain2.com'
in the address books, and the worm is creating all 4 combinations of left and
right hand sides (and possibly other permutations too).  So you're sitting at
domain1.net and seeing 'userB@domain1.net' bouncing (and possibly
'userB@domain2.com' as well....)

And of course, if it finds 200 addresses, you'll get the 1 valid LHS that
was attached to your domain - and 199 LHS's that used to be attached
to 199 other domain names and were probably never valid at your site.

But since it's a compromised PC that belongs to somebody else and the
spammer isn't paying for the bandwidth, they might as well try all 200x200,
because they know 200 of them were valid, and maybe they'll get lucky
and another 50 or 75 of the cross-product will happen to match too...
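
The receiving-side symptom of the cross-product behaviour described above is a single client trying many local parts that were never valid at your domain. The following added example (not part of the thread) scans constructed Postfix-style smtpd log lines and flags clients whose recipient attempts are mostly "User unknown" rejections; the log lines, IP addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed Postfix-style smtpd log lines (sample data, not from the thread).
# 192.0.2.10 behaves like the worm described above: many local parts that belong
# to other domains' users, plus one accepted delivery. 198.51.100.7 is a normal
# sender that made a single typo.
SAMPLE_LOG = """\
Jun  8 09:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <userB@domain1.net>: Recipient address rejected: User unknown in local recipient table
Jun  8 09:01:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <userC@domain1.net>: Recipient address rejected: User unknown in local recipient table
Jun  8 09:01:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <userD@domain1.net>: Recipient address rejected: User unknown in local recipient table
Jun  8 09:01:05 mx postfix/smtpd[1234]: 3F2A1B: client=unknown[192.0.2.10]
Jun  8 09:02:10 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <usrA@domain1.net>: Recipient address rejected: User unknown in local recipient table
Jun  8 09:02:11 mx postfix/smtpd[1240]: 3F2A2C: client=mail.example.org[198.51.100.7]
"""

# "User unknown" rejection: capture client IP and the rejected recipient.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[([\d.]+)\]: 550 5\.1\.1 <([^>]+)>: "
    r"Recipient address rejected: User unknown")
# Accepted message: smtpd logs a queue id followed by client=host[ip].
ACCEPT_RE = re.compile(r": [0-9A-F]+: client=\S+\[([\d.]+)\]")


def summarize(log_text):
    """Per client IP: set of distinct unknown recipients and count of accepted messages."""
    stats = defaultdict(lambda: {"unknown": set(), "accepted": 0})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            stats[m.group(1)]["unknown"].add(m.group(2).lower())
            continue
        m = ACCEPT_RE.search(line)
        if m:
            stats[m.group(1)]["accepted"] += 1
    return stats


def suspicious_clients(log_text, min_unknown=3, min_ratio=0.75):
    """Flag clients with at least min_unknown distinct unknown recipients making up
    at least min_ratio of their attempts. Returns {ip: (unknown, accepted, ratio)}."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        unknown = len(s["unknown"])
        total = unknown + s["accepted"]
        ratio = unknown / total if total else 0.0
        if unknown >= min_unknown and ratio >= min_ratio:
            flagged[ip] = (unknown, s["accepted"], round(ratio, 2))
    return flagged


if __name__ == "__main__":
    for ip, (unk, acc, ratio) in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {unk} unknown recipients, {acc} accepted, ratio {ratio}")
```

With the 200-address figure from the message, a harvested address book would yield roughly 199 unknown local parts per accepted one at your domain, so the ratio sits near 1.0 and such clients are candidates for recipient-rate limiting or temporary blocking.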
