I'm fine, thanks!

Published: 2010-09-18
Last Updated: 2010-09-21 22:43:34 UTC
by Rick Wanner (Version: 1)
21 comment(s)

I woke up this morning to my Spam box full of email from a variety of people, to a variety of my email boxes, greeting me and checking into my well-being. One example of this is:

From: Luella Winkler <sacrilegioush@real-time-vision.com>
Date: Sat, Sep 18, 2010 at 1:03 PM
Subject: hello

how are you?


To Luella and the other 54 email addresses that checked up on me...I would just like to thank all of you for caring so much and reassure you that I am quite well.

Seriously though, there is no solicitation, no attempt at phishing, and no embedded crap, just warm regards.  Is this a dry run for something big to come?


UPDATE 2010-09-21:  Today the same IP addresses are delivering emails with subjects such as "Deposit", "demands for payment", "schedule of bridging loan payments", and "June Voice".  They each have a .html attachment and lots of bad English.  I haven't had time to look into the attachment, but if any of you has, safely of course, I would love to hear what you found.

-- Rick Wanner - rwanner at isc dot sans dot org - http://rwanner.blogspot.com/

Keywords: Spam


Could it be a way to verify email addresses? Make sure they don't bounce?
My company is also getting these emails. They appear to be going to addresses that normally receive a fair amount of spam (and I mean spam, not annoying UCE). This includes invalid addresses that I regularly see spammed.
They're doing quite well at getting through our spam filters as well - about 60% of the emails got through.
I think Steve could be right. An innocuous email designed to evade filters and elicit bouncebacks on the invalid addresses.
However I can't see spammers ever actually removing email addresses from their lists. I have enough trouble getting email marketers to remove addresses for people who have left or died.
Steve, that was my first thought. Validating emails through bounces, out of office replies, and the occasional reply. But the question still remains...to what longer-term end.

I agree with Rabbi. With email essentially being free why go to the cost and effort of cleaning up the list?
Just a guess.. but the thing about the scattergun directory harvesting attacks that botnets do is that they are quite easy to detect. This could be an attempt to find valid mailboxes so that directory harvesting is not needed, leading to increased deliverability.

My first thought would be poisoning Bayesian filters by pumping stuff through initially to lower their score and get whitelisted.
My second thought would be mapping IP block policy blockages. By mapping out what address blocks produce delivery rejections and which do not you could target future deliveries to a server to come only from the unblocked IP address ranges.
About half the originating IPs from the spam I just checked were from Russia or the Ukraine. This seems to be an unusually high proportion, so perhaps it IS IP address mapping.
I just started seeing these as well. Last week, there was a lot of the folks who liked my profile asking if I wanted to see their pic with an email address to request it.
Or.. perhaps it is looking for the responses from the mail server in order to find vulnerable servers? Enumerate them now.. attack them all later.

Or.. it's just a prank.
.. or there is a TRY IT NOW / LIVE DEMO button on the marketing pages of a new spam tool that is just too tempting to click on ..

.. or a new spammers 101 course that people are following too literally ..

Well - either way I wish they'd all just roll over and get a proper job. I don't mind them making money, but why not deserve it?
