[Scspamcop] Re: Fake emails claiming to be from support circulating.
Mike Easter
MikeE at ster.invalid
Thu Jul 10 10:07:21 EDT 2008
Geoffrey Hyde wrote:
<tracker to bogus bigpond support email with zipped executable attached>
> What I'd like to know is this: Is there anything I can do about a scam
> email that is so obviously fake it can't ever be real, besides
> reporting it to SpamCop?
... for some value of 'anything I can do'...
To me, 'anything I can do' is anything of interest or curiosity to me.
For those values, you could 'explore' elements of the propagation to see
if anything of particular interest pops up.
You could determine whether or not SC's notify is 'good' or accurate/best
for the target source IP -- it is. It is sourced from the S. African ISP
SAIX. You could look and see how the afrinic RIR lists the .za addresses.
Pretoria isn't very 'interesting' or unusual, except for how .za handles
its capitals, having three, one each for the executive, judicial and
legislative branches; Pretoria is the executive one. None of the capitals are the
largest city, which is Johannesburg. Of course it is currently winter in
Pretoria -- I wondered how cold it gets there. A little below freezing.
You could wonder where all the IP is listed -- answer sorbs, cbl, and the
offspring of that such as spamhaus zen.
You could wonder how well saix responds, does it have much listed in
spamhaus.
You could determine what the viral propagation is and whether or not it is
of any interest in terms of its strategy or otherwise. The attachment
message.zip is a .com executable structured to look like Message.doc by
putting the .com part way over yonder. Maybe some wouldn't even see the
.com, maybe some wouldn't know that .com is executable.
The payload is the delivery of the MyDoom worm. MyDoom is of some
interest because of the records it set when it came out, besting SoBig in
terms of alltime fastest spreading, and for the research which went into
how and why and by whom it was constructed. Why did it contain the message
"andy; I'm just doing my job, nothing personal, sorry,"?
You could be curious about how well the various AV agents did at
recognizing it -- naturally they did pretty well, since the template has
been around a long time, but one of the 32 tested at VirusTotal didn't
recognize it for some reason.
> I've come to the conclusion that SpamCop is losing its effectiveness,
> as these compromised systems are always out there trying to infect or
> spam someone.
SC is doing its job of processing spam, maintaining the very useful SCbl.
The notification business is probably of some value except for
spamvertiser providers, which this item doesn't reflect.
> I feel that my interests in spam email
What exactly /are/ your interests in spam?
> would be better
> served by some effort designed to reduce the zombie pools.
Hmm. That's an interesting concept. Such as what?
> However,
> the only way any such effort will work is if the entire internet gets
> up off its collective butt and actually does something about the
> zombies.
Do something such as what?
--
Mike Easter
kibitzer, not SC admin
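The disguised attachment described in the post above (a .com executable whose archive name is padded so the real extension sits far to the right of a decoy "Message.doc") is the kind of thing a gateway check can flag from the zip listing alone. The following is an added example, not code from this thread or from SpamCop: it constructs a zip in memory with one member named in that padded style (the tiny DOS stub inside it is a constructed placeholder, not the MyDoom sample), then scans member names for executable extensions hidden behind whitespace padding or double extensions, and peeks at the first two bytes for an MZ header in case a PE file has been renamed. The list of executable extensions is an illustrative subset, and a genuine .com file has no magic bytes, so the name check is the part that actually catches this case.

```python
import io
import re
import zipfile

# Extensions Windows runs directly (assumption: a representative subset, not exhaustive).
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# decoy name with a document-looking extension, then 3+ spaces/tabs/nbsp, then the real extension
PADDED_NAME = re.compile(
    r"^(?P<decoy>.+?\.\w{1,4})(?P<pad>[ \t\u00a0]{3,})(?P<ext>\.\w{1,4})$"
)


def classify_name(name):
    """Return the reasons an archive member name looks deceptive ([] if it looks clean)."""
    reasons = []
    base = name.rsplit("/", 1)[-1]          # ignore any directory part inside the zip
    lower = base.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension %s" % ext)
        m = PADDED_NAME.match(base)
        if m:
            reasons.append(
                "decoy name %r padded with %d chars before %s"
                % (m.group("decoy"), len(m.group("pad")), ext)
            )
        elif lower.count(".") >= 2:
            reasons.append("double extension")
    return reasons


def scan_zip(data):
    """Map each suspicious member name in the zip bytes to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            # A .com has no header to check, but a PE renamed to .com/.scr/.pif still starts with MZ.
            with zf.open(info) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("content carries an MZ (PE) header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample():
    """Constructed zip: a padded 'Message.doc ... .com' member plus an innocuous text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # constructed DOS stub (mov ax,4c00h; int 21h), i.e. an immediate exit, not real malware
        zf.writestr("Message.doc" + " " * 60 + ".com", b"\xb8\x00\x4c\xcd\x21")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(repr(member))
        for reason in why:
            print("  -", reason)
```

Run it and only the padded member is reported, with both the executable-extension reason and the padding length; a plain "Message.doc" or "readme.txt" produces nothing. On a real gateway the same name check would run over every member of every archive attachment, and the MZ check would be extended to whatever container formats the gateway unpacks.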