Re: [Evolution] [OT / Meta] Evolution list as source of spam
For what it's worth… I, too, am receiving such msgid spam.

Prompted by this thread, I did some analysis on the origin of these
spams.
Basically, extracting  *camel* > /tmp/spam-msgids.txt
sed -i "s/$/@bar>/;s/^/Message-ID: </" /tmp/spam-msgids.txt

Plus a bunch of fgrep -f /tmp/spam-msgids.txt -r . 
and modifying that file with
cut -d: -f 3- /tmp/a | sort -u | sed 's#^M.*#sed -i "s/&/bash\t&/" /tmp/spam-msgids.txt#e'

The original emails come from several lists and, I should note, the
evolution list is *not* the one from which the most message-ids were
harvested (only three email addresses, and they stopped being sent spam
in 2017).

poc mentioned the possibility that the emails were being harvested from
the archives. While GNOME lists don't directly link to a mbox that would
be easily findable by a naive email address crawler, I find evidence
that some of these spammers are using archives from somewhere rather
than subscribing a bot that adds people to the list in real time.

For instance, there is the 727451.11377.1.camel "email address", which
is a truncation of 1459727451.11377.1.camel, sent to an ietf list in
April 2016.
The "short" email started being used in August *2018* for "investing in
your country" scams, and the long one… in December 2018.

I find it unlikely that someone harvesting email addresses with a
subscribed bot would have waited several years before starting to spam.

That's not always the case, obviously. A Dec 14 message-id started
getting spammed on Jan 1, and has already "received" 84 spam mails by
now. However, a "sibling" message-id from that same list also started
getting spammed on Jan 1, but only got a couple of mails. (fwiw, the 86
mails are from @qq.com addresses)

This can be due to bots prepared for it, or, simply, to a certain
archive of this list being crawled more often (or at the right time).
I would expect that if someone took the (not-that-big) effort of
building a subscription bot, he should at least get the email addresses
right!


It has been interesting to look at these spams. Their use of
message-ids, given their role as identifiers, allows gathering some
interesting information that would not be possible without them stupidly
interpreting message-ids as if they were email addresses, and that
cannot be obtained with normal addresses, which are generally used in
more contexts.


In the context of this discussion, I am including the email-like strings
1547601230 4258 6 trap 16bits net as well as
1547601405 8896 3 trap 16bits net for the 'benefit' of those spambots
reading us. :)


Best regards
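The matching the post describes (turning archived Message-IDs into the "addresses" spammers send to, then attributing each spam recipient back to the list it was harvested from, including the truncated form mentioned above) can be done without the sed/fgrep chain. The script below is an added example, not the poster's own scripts; the archive messages, list names and domains in it are constructed, and only the 1459727451.11377.1.camel local part is taken from the post.

```python
"""Attribute "message-id as email address" spam to the list archive it was harvested from.

Added example, not code from the original post. All archive messages, list names,
host names and the extra Message-ID below are constructed for illustration.
"""
import email
import re

# Constructed mbox-style archive messages, keyed by a hypothetical list name.
ARCHIVES = {
    "ietf-list": [
        "From: alice@example.org\n"
        "To: ietf-list@example.org\n"
        "Message-ID: <1459727451.11377.1.camel@laptop.example>\n"
        "Subject: draft comments\n"
        "\n"
        "body\n",
    ],
    "evolution-list": [
        "From: bob@example.net\n"
        "To: evolution-list@example.net\n"
        "Message-ID: <1512345678.2345.9.camel@desk.example>\n"
        "Subject: test\n"
        "\n"
        "body\n",
    ],
}

# Constructed recipient addresses as they would appear in the To:/Cc: of received spam.
SPAM_RECIPIENTS = [
    "1512345678.2345.9.camel@desk.example",  # full Message-ID used as an address
    "727451.11377.1.camel@laptop.example",   # truncated local part, as in the post
    "someone@example.com",                   # ordinary address, not a Message-ID
]

# "<local@domain>" or "local@domain"; the angle brackets are optional.
ADDR_RE = re.compile(r"^<?([^@>\s]+)@([^>\s]+)>?$")


def harvest_message_ids(archives):
    """Return {local_part: (domain, list_name)} for every Message-ID in the archives."""
    harvested = {}
    for list_name, raw_messages in archives.items():
        for raw in raw_messages:
            msg = email.message_from_string(raw)
            mid = msg.get("Message-ID")
            if not mid:
                continue
            m = ADDR_RE.match(mid.strip())
            if m:
                harvested[m.group(1)] = (m.group(2), list_name)
    return harvested


def attribute_address(address, harvested, min_len=8):
    """Classify one spam recipient.

    Returns ("exact", full_local_part, list_name) when the address is a harvested
    Message-ID, ("truncated", full_local_part, list_name) when its local part is a
    suffix of one (the 727451... / 1459727451... case), or None when it is not a
    Message-ID we know. min_len guards against matching very short suffixes.
    """
    m = ADDR_RE.match(address.strip())
    if not m:
        return None
    local, domain = m.group(1), m.group(2)
    if local in harvested and harvested[local][0] == domain:
        return ("exact", local, harvested[local][1])
    if len(local) >= min_len:
        for full_local, (full_domain, list_name) in harvested.items():
            if full_domain == domain and full_local != local and full_local.endswith(local):
                return ("truncated", full_local, list_name)
    return None


def attribute_all(addresses, harvested):
    """Map every recipient address to its attribution (or None)."""
    return {addr: attribute_address(addr, harvested) for addr in addresses}


if __name__ == "__main__":
    ids = harvest_message_ids(ARCHIVES)
    for addr, result in attribute_all(SPAM_RECIPIENTS, ids).items():
        print(f"{addr:45} -> {result}")
```

Feeding it real archives means replacing ARCHIVES with messages read from the mbox files and SPAM_RECIPIENTS with the To:/Cc: values pulled from the spam folder; the suffix match is what lets a single hit tie both the long and the short form of a harvested id back to the same list.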
