
List:       evolution
Subject:    Re: [Evolution] [OT / Meta] Evolution list as source of spam
From:       Jim Popovitch via evolution-list <evolution-list () gnome ! org>
Date:       2019-01-16 4:45:54
Message-ID: 1547613954.1730.1.camel () k4vqc ! com

On Wed, 2019-01-16 at 02:26 +0100, Ángel wrote:
> For what it's worth… I too am receiving such msgid spam.
> 
> Prompted by this thread, I did some analysis on the origin of these
> spams. Basically, extracting  *camel* > /tmp/spam-msgids.txt
> sed -i "s/$/@bar>/;s/^/Message-ID: </" /tmp/spam-msgids.txt
> 
> Plus a bunch of fgrep -f /tmp/spam-msgids.txt -r . 
> and modifying that file with
> cut -d: -f 3- /tmp/a | sort -u | sed 's#^M.*#sed -i "s/&/bash\t&/"
> /tmp/spam-msgids.txt#e'
> 
> The original emails come from several lists and, I should note,
> evolution list is *not* the one from which more message-ids were
> harvested (only three email addresses, they stopped being sent spam in
> 2017).
> 
> poc mentioned the possibility that the emails were being harvested
> from the archives. While GNOME lists don't directly link to a mbox
> that would be easily findable to a naive email address crawler, I find
> evidence that some of these spammers are using archives from somewhere
> rather than subscribing a bot that adds people to the list in real
> time.
> 
> For instance, there is the 727451.11377.1.camel "email address", which
> is a truncation of 1459727451.11377.1.camel sent to an ietf list in
> April 2016. The "short" email started being used in August *2018* for
> "investing in your country" scams, and the long one… on December 2018.
> 
> I find it unlikely that someone harvesting email addresses with a
> subscribed bot would have waited several years before starting to
> spam.
> 
> That's not always the case, obviously. A Dec 14 message-id started
> getting spammed on Jan 1, and already "received" 84 spam mails by now.
> However, a "sibling" message-id from that same list also started
> getting spammed on Jan 1, but only a couple mails. (fwiw, the 86 mails
> are from @qq.com addresses)

Interesting. I primarily see these coming from posts I make to the
Mailman and Debian lists.


> This can be due to bots prepared for it, or, simply, that certain
> archive of this list was crawled more often (or at the right time).
> I would expect that if someone took the (not-that-big) effort of
> building a subscription bot, he should at least get the email
> addresses right!
> 
> It has been interesting to look at these spams, their use of
> message-ids, given their role as identifiers, allows gathering some
> interesting information that would not be possible without them
> stupidly interpreting message-ids as if they were email addresses, and
> cannot be used with normal addresses, that are generally used in more
> contexts.
> 
> 
> In the context of this discussion, I am including the email-like
> strings 1547601230.4258.6.trap@16bits.net as well as
> 1547601405.8896.3.trap@16bits.net for the 'benefit' of those spambots
> reading us. :)

;-)

-Jim P. 
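
The correlation described in the quoted analysis above (matching spam recipient strings against archived Message-IDs, including truncated forms, and measuring how long after the original post the spam began), as an added example that is not part of the original message. The spam log dates and all function names are constructed for illustration, and the code assumes the first field of a `camel` Message-ID is a Unix timestamp, which agrees with this message's own Message-ID and Date header.

```python
from datetime import datetime, timezone

# Message-ID local parts found in list archives (both values appear on this page).
ARCHIVED_IDS = {
    "1459727451.11377.1.camel": "ietf list",
    "1547613954.1730.1.camel": "evolution-list",
}

# Constructed spam log: (recipient local part, UTC date the spam arrived).
SPAM_LOG = [
    ("727451.11377.1.camel", "2018-08-20"),
    ("727451.11377.1.camel", "2018-09-02"),
    ("1459727451.11377.1.camel", "2018-12-03"),
    ("jane.doe", "2018-09-02"),  # ordinary address, must not match
]

def posted_at(msgid_local):
    """Posting time, assuming the leading field is a Unix timestamp."""
    return datetime.fromtimestamp(int(msgid_local.split(".")[0]), tz=timezone.utc)

def match_archived(recipient, archived=ARCHIVED_IDS):
    """Return (full_id, kind) for an exact or truncated match, else None."""
    if recipient in archived:
        return recipient, "exact"
    # Truncation only eats leading digits, so the field count stays the same.
    hits = [full for full in archived
            if full.endswith(recipient) and recipient.count(".") == full.count(".")]
    return (hits[0], "truncated") if len(hits) == 1 else None

def harvest_report(spam_log=SPAM_LOG, archived=ARCHIVED_IDS):
    """Per recipient: (source list, match kind, days from post to first spam)."""
    first_seen = {}
    for rcpt, day in spam_log:
        seen = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        first_seen[rcpt] = min(seen, first_seen.get(rcpt, seen))
    report = {}
    for rcpt, seen in first_seen.items():
        hit = match_archived(rcpt, archived)
        if hit:
            full, kind = hit
            report[rcpt] = (archived[full], kind, (seen - posted_at(full)).days)
    return report

if __name__ == "__main__":
    for rcpt, (src, kind, lag) in harvest_report().items():
        print(f"{rcpt:26} {kind:9} from {src}: first spam {lag} days after post")
```

A lag of years between the post and the first spam, as in the truncated case, points to archive crawling rather than a subscribed bot.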

