[Scspamcop] Re: Fake emails claiming to be from support circulating.

Twayne nobody at devnull.spamcop.net
Thu Jul 10 18:52:54 EDT 2008


> Geoffrey Hyde wrote:
> <tracker to bogus bigpond support email with zipped executable
> attached>
>
>> What I'd like to know is this:  Is there anything I can do about a
>> scam email that is so obviously fake it can't ever be real, besides
>> reporting it to SpamCop?
>
> ... for some value of 'anything I can do'...
>
> To me, 'anything I can do' is anything of interest or curiosity to me.
> For those values, you could 'explore' elements of the propagation to
> see if anything of particular interest pops up.
>
> You could determine whether or not SC's notify is 'good' or
> accurate/best for the target sourceIP -- it is.  It is sourced from
> the S. African ISP SAIX.  You could look and see how the afrinic RIR
> lists the .za addresses.
>
> Pretoria isn't very 'interesting' or unusual, except for how .za
> handles its capitals, having 3, one for each executive, judicial and
> legislative and Pretoria is one of those, the executive.  None of the
> capitals are the largest city, which is Johannesburg.  Of course it
> is currently winter in Pretoria -- I wondered how cold it gets there.
> A little below freezing.
>
> You could wonder where all the IP is listed -- answer sorbs, cbl, and
> the offspring of that such as spamhaus zen.
>
> You could wonder how well saix responds, does it have much listed in
> spamhaus.
>
> You could determine what the viral propagation is and whether or not
> it is of any interest in terms of its strategy or otherwise.  The
> attachment message.zip is a .com executable structured to look like
> Message.doc by putting the .com part way over yonder.  Maybe some
> wouldn't even see the .com, maybe some wouldn't know that .com is
> executable.
>
> The payload is the delivery of the MyDoom virm.  MyDoom is of some
> interest because of the records it set when it came out, besting
> SoBig in terms of all-time fastest spreading, and for the research
> which went into how and why and by whom it was constructed.  Why did
> it contain the message "andy; I'm just doing my job, nothing
> personal, sorry,"?
>
> You could be curious about how well the various AV agents did at
> recognizing it -- naturally they did pretty well, since the template
> has been around a long time, but one of the 32 tested at VirusTotal
> didn't recognize it for some reason.
>
>> I've come to the conclusion that SpamCop is losing its
>> effectiveness, as these compromised systems are always out there
>> trying to infect or spam someone.
>
> SC is doing its job of processing spam, maintaining the very useful
> SCbl. The notification business is probably of some value except for
> spamvertiser providers, which this item doesn't reflect.
>
>> I feel that my interests in spam email
>
> What exactly /are/ your interests in spam?
>
>> would be better
>> served by some effort designed to reduce the zombie pools.
>
> Hmm.  That's an interesting concept.  Such as what?
>
>> However,
>> the only way any such effort will work is if the entire internet gets
>> up off its collective butt and actually does something about the
>> zombies.
>
> Do something such as what?

It IS interesting how the WAL (sorry, World At Large) just doesn't give 
a schlitz about spam period, let alone the dangerous and bombastic types 
mired in social engineering.  I frequent and have frequented quite a few 
groups, even some forums in my time on this planet and have never seen a 
single one except here and a few wanna-be's like here, where anyone gave 
it so much as a passing thought.
   I've personally watched three specific newsgroups disappear down the 
tubes, non-binaries at that, simply because no one wanted to bother with 
the spam and trolling that brought the group to its knees.  One of the 
three just went empty (I think it was alt.something.foster-care) and the 
other two became havens for spammers and trollers for their own 
purposes.
   Those 3 particular groups are moot now since many ISPs joined the 
alt.* rape, but it's happening even in some moderated groups and going 
full steam where the alt.*'s still are available.  I've always thought 
education was the key to defending against and beating a lot of these 
bass turds, but over the last few months I've changed my mind; there is 
something, I don't know what, that has to come first, before the 
education, so people *will* decide the education is worth having.  It's 
sure not being made easily available to any newbie or even a lot of 
experienced newbies, for that matter.

As for teaming up against the zombie bots, I would *love* to!  But 
historically I've never even been able to engage anyone knowledgeable to 
even discuss the issues.  But, I'm not even sure anymore how to tell 
who's a zombie and who isn't, or even how to guess at it.
   IF there is ever a legal and mostly ethical attack begun against 
zombies, I'm there! All I need is an invite.    But I seriously doubt 
I'll see anything happening more effective than the toothless stuff I 
saw about a year ago when I tried to research the area.
   Too bad there can't be a zombie.spamcop group.

Cheers,
Twayne 
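
The filename trick described in the quoted reply (a `.com` executable inside `message.zip`, named to look like `Message.doc` with the real extension pushed far to the right) can be flagged at a mail gateway by inspecting archive member names. The following is an added example, not part of the original post; it also covers the plain double-extension case, and the extension lists, padding threshold and sample archive are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Extensions Windows runs directly (partial list, assumed for this example).
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}
# Extensions a recipient is likely to read as a harmless document (assumed).
DECOY_EXTS = {".doc", ".txt", ".pdf", ".htm", ".jpg"}
# Decoy extension, a run of padding, then the real extension at the very end.
PADDED = re.compile(r"(\.[A-Za-z0-9]{1,4})([\s_]{3,})(\.[A-Za-z0-9]{1,4})$")


def classify_name(name):
    """Return a reason string if an archive member name looks disguised, else None."""
    base = name.rsplit("/", 1)[-1]
    m = PADDED.search(base)
    if m and m.group(3).lower() in EXECUTABLE_EXTS:
        return "padded-double-extension"
    parts = base.lower().rsplit(".", 2)
    if len(parts) == 3:
        decoy, real = "." + parts[1].strip(), "." + parts[2]
        if decoy in DECOY_EXTS and real in EXECUTABLE_EXTS:
            return "double-extension"
    if "." in base and "." + parts[-1] in EXECUTABLE_EXTS:
        return "executable"
    return None


def scan_zip(data):
    """Return {member_name: reason} for suspicious members of a zip given as bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample():
    """Constructed sample: harmless bytes stored under a disguised member name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Message.doc" + " " * 60 + ".com", b"not a real program")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample()).items():
        print(repr(name), "->", reason)
```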
