Re: [Evolution] [OT / Meta] Evolution list as source of spam

[Jim Popovitch <jim k4vqc com>]

On Wed, 2019-01-16 at 02:26 +0100, Ángel wrote:
> For what it's worth… I am too receiving such msgid spam.
>
> Prompted by this thread, I did some analysis on the origin of these
> spams. Basically, extracting  *camel* > /tmp/spam-msgids.txt
> sed -i "s/$/@bar>/;s/^/Message-ID: </" /tmp/spam-msgids.txt
>
> Plus a bunch of fgrep -f /tmp/spam-msgids.txt -r . 
> and modifying that file with
> cut -d: -f 3- /tmp/a | sort -u | sed 's#^M.*#sed -i "s/&/bash\t&/"
> /tmp/spam-msgids.txt#e'
>
> The original emails come from several lists and, I should note,
> evolution list is *not* the one from which more message-ids were
> harvested (only three email addresses, they stopped being sent spam on
> 2017).
>
> poc mentioned the possibility that the emails were being harvested
> from the archives. While GNOME lists don't directly link to a mbox
> that would be easily findable to a naive email address crawler, I find
> evidence that some of these spammers are using archives from somewhere
> rather than subscribing a bot that adds people to the list on real
> time.
>
> For instance, there is the 727451.11377.1.camel "email address", which
> is a truncation of 1459727451.11377.1.camel sent to a ietf list on
> April 2016. The "short" email started being used on August *2018* for
> "investing in your country" scams, and the long one… on December 2018.
>
> I find unlikely that someone harvesting email addresses with a
> subscribed bot would have waited several years before starting to
> spam.
>
> That's not always the case, obviously. A Dec 14 message-id started
> getting spammed on Jan 1, and already "received" 84 spam mails by now.
> However, a "sibling" message-id from that same list also started
> getting spammed on Jan 1, but only a couple mails. (fwiw, the 86 mails
> are from @qq.com addresses)

Interesting. I primarily see these coming from posts I make to the
Mailman and Debian lists.


> This can be due to bots prepared for it, or, simply, that certain
> archive of this list was crawled more often (or at the right time).
> I would expect that if someone took the (not-that-big) effort of
> building a subscription bot, he should at least get the email
> addresses right!
>
> It has been interesting to look at these spams, their use of
> message-ids, given their role as identifiers, allows gathering some
> interesting information that would not be possible without them
> stupidly interpreting message-ids as if they were email addresses, and
> cannot be used with normal addresses, that are generally used in more
> contexts.
>
>
> In the context of this discussion, I am including the email-like
> strings 1547601230 4258 6 trap 16bits net as well as
> 1547601405 8896 3 trap 16bits net for the 'benefit' of those spambots
> reading us. :)

;-)

-Jim P.