
All the Perl that's Practical to Extract and Report


Matts (1087)


I work for MessageLabs [messagelabs.com] in Toronto, ON, Canada. I write spam filters, MTA software, high performance network software, string matching algorithms, and other cool stuff mostly in Perl and C.

Journal of Matts (1087)

Monday April 14, 2003
09:04 AM

Mass Joe Job

[ #11640 ]

Some spammer is mass spewing emails with subjects like "<name>, Fuck their Faces then spurt chunks all over them!!!!" joe-jobbed against all sorts of domains that appear to have nothing in common. Friends have alerted me to their situation, and all I could say is "me too".

I'll post more details about the spammer in question as a response to this journal entry when I find out more details. Meanwhile, if you've been joe-jobbed by this spammer, post a response to this journal (I know there are at least two other journal entries here on use perl about this) containing the headers of the original email (assuming the bounce contained them) and I'll find out more details.
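The useful thing to pull out of a bounce like the ones requested above is the hop at which the spammer's machine handed the message to the victim's MX, because everything the spammer controls (Return-Path, From:, the HELO name) is forged and only the receiving MTA's own Received: line records the real address. The script below is an added example, not code from this journal or any of the comments; it is written in Perl since that is what this site and its readers use. It walks the Received: chain of a constructed bounce (all hostnames, addresses and queue IDs in the sample are made up, modelled on the header forms quoted in the comments), reports the injecting IP and the claimed HELO, flags the HELO as forged when the MTA-recorded reverse DNS belongs to a different domain, and checks whether the Return-Path domain ever appears as a relay. It assumes the three Received: syntaxes seen in this thread (sendmail/Postfix "(rdns [ip])", Exim "([ip] helo=name)" and qmail "from unknown (HELO name) (ip)"); other MTAs may need another pattern.

```perl
#!/usr/bin/perl
# Added example: find the real injecting host in a joe-jobbed bounce.
use strict;
use warnings;

# Constructed sample bounce headers (made-up hosts, addresses and IDs).
my $sample = <<'END';
Return-Path: <joe@victim.example>
Received: from mx.example.net (mx.example.net [192.0.2.10])
        by store.example.net (8.12.9/8.12.9) with ESMTP id h3EE0AbC1234
        for <target@example.net>; Mon, 14 Apr 2003 10:00:01 -0400 (EDT)
Received: from compuserve.com (pcp012345.dsl.example.com [198.51.100.77])
        by mx.example.net (8.12.9/8.12.9) with SMTP id h3EE09xy5678
        for <target@example.net>; Mon, 14 Apr 2003 09:59:58 -0400 (EDT)
Date: Mon, 14 Apr 2003 14:00:00 +0000
From: joe@victim.example
Subject: Target, Check this out, :)
To: target@example.net
END

my $IP = qr/(\d{1,3}(?:\.\d{1,3}){3})/;

# Join continuation lines so each header field is one line.
sub unfold_headers {
    my ($raw) = @_;
    $raw =~ s/\r\n/\n/g;
    $raw =~ s/\n[ \t]+/ /g;
    return grep { length } split /\n/, $raw;
}

# Extract claimed HELO, peer IP, MTA-recorded rDNS and the receiving host
# from one Received: line (sendmail/Postfix, Exim and qmail forms).
sub parse_received {
    my ($line) = @_;
    return unless $line =~ /^Received:\s+from\s+(\S+)/i;
    my %hop = (from => $1);
    if    ($line =~ /helo=(\S+?)\)/i)     { $hop{helo} = $1 }
    elsif ($line =~ /\(HELO\s+(\S+?)\)/i) { $hop{helo} = $1 }
    else                                  { $hop{helo} = $hop{from} }
    if ($line =~ /\(([\w.\-]+)\s+\[$IP\]\)/) {
        ($hop{rdns}, $hop{ip}) = ($1, $2);
    } elsif ($line =~ /\[$IP\]/ || $line =~ /\($IP\)/) {
        $hop{ip} = $1;
        # Exim records the verified rDNS in the "from" slot, HELO in helo=.
        $hop{rdns} = $hop{from} if $hop{from} ne $hop{helo};
    }
    delete $hop{rdns} if defined $hop{rdns} && lc $hop{rdns} eq 'unknown';
    $hop{by} = $1 if $line =~ /\bby\s+(\S+)/i;
    return \%hop;
}

# Last two labels are enough for a same-organisation comparison here.
sub base_domain {
    my @l = split /\./, lc shift;
    return @l >= 2 ? join('.', @l[-2, -1]) : lc $l[0];
}

# The bottom-most Received: is the earliest hop: the spammer's host
# talking to the victim's MX.
sub injecting_hop {
    my @rcvd = grep { /^Received:/i } @_;
    return unless @rcvd;
    return parse_received($rcvd[-1]);
}

sub return_path_domain {
    for (@_) { return lc $1 if /^Return-Path:\s*<?[^@>\s]+@([^>\s]+)>?/i }
    return;
}

# Compare only what the receiving MTAs recorded (rDNS, "by" host); the
# HELO name is attacker-controlled and must not count as evidence.
sub domain_in_chain {
    my ($domain, @headers) = @_;
    for my $h (grep { /^Received:/i } @headers) {
        my $hop = parse_received($h) or next;
        for my $name (grep { defined } @{$hop}{qw(rdns by)}) {
            return 1 if base_domain($name) eq base_domain($domain);
        }
    }
    return 0;
}

sub report {
    my @h   = unfold_headers(shift);
    my $hop = injecting_hop(@h) or return "no Received: headers\n";
    my $out = "injecting IP : " . ($hop->{ip} || '?') . "\n"
            . "claimed HELO : $hop->{helo}\n"
            . "reverse DNS  : " . (defined $hop->{rdns} ? $hop->{rdns} : '(none recorded)') . "\n";
    if (defined $hop->{rdns} && base_domain($hop->{rdns}) ne base_domain($hop->{helo})) {
        $out .= "HELO forged: rDNS belongs to " . base_domain($hop->{rdns}) . "\n";
    }
    if (my $victim = return_path_domain(@h)) {
        $out .= domain_in_chain($victim, @h)
            ? "Return-Path domain $victim did relay this message\n"
            : "Return-Path domain $victim never touched this message: joe job\n";
    }
    return $out;
}

print report($sample);
```

Run it against a real bounce by replacing `$sample` with the bounce's header block; for the headers posted in the comments it picks out the dial-up, DSL and university addresses behind the "compuserve.com" and "microsoft.com" HELOs, which is what a complaint to the originating network needs, while the Return-Path domains (the joe-jobbed sites) never show up as relays.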

  • Here's an example of the mails I'm getting:

    Return-path: <utashiro@dave.org.uk>
    Received: from crane-hp.pocket ([10.4.120.44] helo=crane)
    by volcano.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
    id 1953dH-0003V9-00
    for elnmall@corp.earthlink.net; Mon, 14 Apr 2003 06:04:23 -0700
    X-MindSpring-Loop: elnmall@earthlink.net
    Received: from compuserve.com ([210.8.112.211])
    by crane (EarthLink SMTP Server) with SMTP id 1953Dc2Bc3NZFjC0
    for <fryan02@themall.net>; Mon, 14 Apr 2003 06:04:13 -0700 (PDT)
    Date: Mon,

  • Return-Path:
    Received: (from mailnull@localhost) by drjimmy.it.northwestern.edu (8.12.9/8.12.9) id h3E4kqxG008069 for ; Sun, 13 Apr 2003 23:46:52 -0500 (CDT)
    Received: from compuserve.com (unknown [211.147.1.109]) by drjimmy.it.northwestern.edu via smap (V2.0) id xma007813; Sun, 13 Apr 03 23:46:45 -0500
    Date: Mon, 14 Apr 2003 04:00:19 +0000
    X-Phforward: V2.5@drjimmy (nwu.edu)
    From: kenn@drewtaylor.com
    Subject: Hbnguyen, Fuck their Faces then spurt chunks all over them!!!!
    To: Hbnguyen <hbnguyen@nwu.

    --
    "Perl users are the Grateful Dead fans of computer science." --slashdot comment
  • Return-Path: <dwmalone@cthompson.com>
    Received: from compuserve.com (pcp036474pcs.unl.edu [129.93.204.37])
            by msgdirector3.onetel.net.uk (Mirapoint Messaging Server MOS 3.2.2-GA)
            with SMTP id AQC48679;
            Sun, 13 Apr 2003 22:36:39 +0100 (BST)
    From: <dwmalone@cthompson.com>
    Date: Sun, 13 Apr 2003 20:50:11 +0000
    Subject: Hi, Tmunt, Nasty Girls Getting Down And Dirty!! Username:
    +downonthefarm, Password: horsespunk!!
    To: Tmunt
  • Received: from compuserve.com (58.muedb.lsan.la6ca01r1.dsl.att.net [12.98.205.58]) by rly-xg02.mx.aol.com (v93.6) with ESMTP id MAILRELAYINXG210-4563e9a121b30; Sun, 13 Apr 2003 21:42:53 -0400
    Date: Mon, 14 Apr 2003 00:56:25 +0000
    From: Thomas_Bolioli@carline.org
    Subject: Dcboy4bm, Fuck their Faces then spurt chunks all over them!!!!
    To: Dcboy4bm
    References:
    In-Reply-To:
    Message-ID:
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_NextPart_BD087I.FA9K.CHK_.J2HIJ0F7"
  • more for your tally....

    Return-Path: <hilliard@missbarbell.co.uk>
    Received: (qmail 16840 invoked by uid 840); 14 Apr 2003 12:50:25 -0000
    Received: from hilliard@missbarbell.co.uk by mail.seacove.net with qmail-scanner-1.01 (fsecure: 4.14/4062/2003-04-10/2002-12-17. 2003-04-09/. Clean. Processed in 1.475296 secs); 14 Apr 2003 12:50:25 -0000
    Received: from unknown (HELO Microsoft.com) (61.4.77.74)
      by mail.seacove.net with SMTP; 14 Apr 2003 12:50:24 -0000
    Date: Mon, 14 Apr 2003 12:04:00 +0000
    From: hill

  • Here's a recent one

    Received: from rcpt-impgw.biglobe.ne.jp by biglobe.ne.jp (RCPT_GW)
            id AAA27215; Tue, 15 Apr 2003 00:42:17 +0900 (JST)
    Received: from microsoft.com ([211.115.209.218])
            by rcpt-impgw.biglobe.ne.jp (nkrw/3410050802) with SMTP id h3EFgE727185
            for <gons@mte.biglobe.ne.jp>; Tue, 15 Apr 2003 00:42:15 +0900 (JST)
    Date: Mon, 14 Apr 2003 14:55:51 +0000
    From: btr --AT-- jbisbee.com
    Subject: Gondou Youichi, Christina

    --

    -biz-

  • This just arrived...

    Received: from mx11.airmail.net from [209.196.77.108] by mail.airmail.net
    (/\##/\ Smail3.1.30.16 #30.56) with esmtp  sender: <edv@cthompson.com>
            id <mO/1956Sn-001gFRO@mail.airmail.net>; Mon, 14 Apr 2003 11:05:45 -0500
    +(CDT)
    Received: from danapris.kw.ua ([195.177.71.30] helo=microsoft.com)
            by mx11.airmail.net with smtp (Exim 4.10)
            id 1956Se-000JYG-00
            for sh3010@airm
    • Received: from bryson.student.princeton.edu ([140.180.144.5]
      +helo=compuserve.com)
              by dragon.relcom.ru with smtp
              id 1957GI-000JSL-00 for dmk@ru.net; Mon, 14 Apr 2003 20:56:55 +0400
      Date: Mon, 14 Apr 2003 16:56:46 +0000
      From: jbnivoit@cthompson.com
      Subject: Хорошее самочувствие   (octal escapes decoded as Windows-1251; Russian for "good health")
      To: Dmk <dmk@ru.net>
      References: <HEFG.3H92BDH7EAJ.@ru.net>
      In-Reply-To: <HEFG.3H92BDH7EAJ.@ru.net>
      Message-ID:
  • I've been getting these things for months, though the combination of my name plus my domain is recent. A procmail rule to deep-six emails that are HTML-only catches half of them.

    And a good thing I just checked my spam file. There was a rather important false positive.

  • Spammers are attacking the Perl community because the Perl community has done so much to attack SPAM.

    The battle has been joined!

    • Yes, it would appear that they screen-scraped use.perl.org's member list somehow and used it to seed the 'From:' email header. I've been relatively spam free up until this point too. I guess I'm not getting spam at this point, just bounces, but it still sucks. :(
      --

      -biz-

  • Return-Path:
    Received: from compuserve.com ([142.59.85.193])
                    by southgate.starhub.net.sg (8.12.5/8.12.5) with SMTP id h3F0wQXC013985
                    for ; Tue, 15 Apr 2003 08:58:27 +0800 (SST)
    Date: Tue, 15 Apr 2003 00:12:05 +0000
    From: markn@rubberband.org
    Subject: FW: Rajen, Check this out, :)
    To: Rajen
    References:
    In-Reply-To:
    Message-ID:
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_NextPart_617
  • My theory...

    On or before March 28th, someone harvested some addresses
     
    They pulled from several technical mailing lists
        (or possibly from NNTP interfaces to those lists)
     
    Those included perl lists, but were not exclusively perl.
     
    Around March 28th, that list was used
        (to send the 'Swiss Group' spam)
     
    By around April 5th that list saw wider distribution
        (probably sold to some other spammers)
     
    Around April 5th, someone used the list in their spamming
        software to generate bogus From headers and presumably
        genuine To headers. I've been the victim of having an
        address of mine used in the From: header of a spam
        message, and on that occasion I received hundreds of
        bounces and complaints. From what I'm seeing, I'd say
        that their software is generating a new bogus From:
        header for each recipient.

    I've been getting these since at least April 5th. The From: header seems to be my domain name (wickline dot org) with some semi-random username on the front of it. Some of the usernames lead me to suspect that perhaps user names are being harvested from some perl source. For example, here are a few user names from today: Koenig, guntermann, iandstanley, tbekel, xpix, artis, tzoompy, giegerich, leonvs, fila, Boubaker, jkeen, tori, palmieri.

    Yes. Those are all from today. Each of those users at my domain was used in the From: header of a bounced spam message. Also, a Google search for each of those usernames and perl (ie "Koenig perl") will turn up hits. So, it seems likely that some perlish source was harvested. However, I'm not sure it's use.perl.org. Some other spam I've seen has left me thinking that someone recently harvested a variety of geeky mailing lists.

    Shortly before all this started, I saw spam on previously unspammed addresses used to post to various mailing lists. The spam was sent March 28th, and always had a subject which read

    Re: user@example.com,  Swiss Group Switzerland ! Earn up to 2 daily in the Swish Stock Exchange !

    and the email addresses were those I'd used to post to various geeky lists (not the user@example.com above). They were usernames (at my domain) like the following:

    m_module_authors
    m_perltrainers_digest
    m_libwww_digest
    m_pause
    m_listbox
    m_ to-validatorlist-re_tagclosing

    Note that the last username was never used in a perl-specific list. The first four were perl-specific, and the penultimate username was used in many contexts some years ago. At about the same time (March 28th), I also saw this same form of spam at several work email addresses. Some of those had been used to post to mailing lists, and others were not.

    Most of my mailing list addresses have been safe. Those are all older email addresses. All of my more recent subscriptions have been with usernames (at my domain) in the form m-list-subscribe-list_name_here. The 'list' and 'subscribe' in the address seem to scare off the address harvesting spiders.

    So, I've been getting joe-jobbed bounce messages since about April 5th. I also got a small batch of joe-jobbed spam on April 7th. The following usernames (which I've never used from my domain, so I'm assuming must be joe jobbed) appeared in the To: headers of spam messages: gerald_bahorich, losing, gregory_adams, jeff_richmond. The joe jobbed To: headers may or may not be related to the From: header situation. My hunch is that they're two separate things.

    On April 12, the St. Louis perl hackers mailing list got a couple bits of spam, but those may not be related. That list hadn't seen spam previously (for around a year that I'm aware of). My cpan address gets a few bits of spam each day, but that's nothing new.

    Matt, if you want full headers o

  • Received: from adsl-34-234-38.bct.bellsouth.net ([67.34.234.38]:10253 "HELO
                    compuserve.com" ident: "NO-IDENT-SERVICE[2]" smtp-auth:
                    TLS-CIPHER: TLS-PEER-CN1: ) by gnome07.net.rol.ru
                    with SMTP id ; Tue, 15 Apr 2003 20:15:57 +0400
    Date: Tue, 15 Apr 2003 16:18:09 +0000
    From: eragigr@clueball.com
    Subject: ??????????? ????????????? ????????? ??
  • It seems like many people who have put modules on CPAN are in the same boat. Perhaps the existence of the next file can be part of the problem:
    Can somebody explain to me why this file even exists?