Mass Joe Job

Matts on 2003-04-14T14:04:12

Some spammer is mass spewing emails with subjects like "<name>, Fuck their Faces then spurt chunks all over them!!!!" joe-jobbed against all sorts of domains that appear to have nothing in common. Friends have alerted me to their situation, and all I could say is "me too".

I'll post more details about the spammer in question as a response to this journal entry when I find out more details. Meanwhile, if you've been joe-jobbed by this spammer, post a response to this journal (I know there are at least two other journal entries here on use perl about this) containing the headers of the original email (assuming the bounce contained them) and I'll find out more details.


Re: Mass Joe Job

davorg on 2003-04-14T14:13:31

Here's an example of the mails I'm getting:

Return-path: <utashiro@dave.org.uk>
Received: from crane-hp.pocket ([10.4.120.44] helo=crane)
by volcano.mail.pas.earthlink.net with smtp (Exim 3.33 #1)
id 1953dH-0003V9-00
for elnmall@corp.earthlink.net; Mon, 14 Apr 2003 06:04:23 -0700
X-MindSpring-Loop: elnmall@earthlink.net
Received: from compuserve.com ([210.8.112.211])
by crane (EarthLink SMTP Server) with SMTP id 1953Dc2Bc3NZFjC0
for <fryan02@themall.net>; Mon, 14 Apr 2003 06:04:13 -0700 (PDT)
Date: Mon, 14 Apr 2003 13:04:10 +0000
From: utashiro@dave.org.uk
Subject: Fryan02, WoW!!
To: Fryan02 <fryan02@themall.net>
References: <@themall.net>
In-Reply-To: <@themall.net>
Message-ID: <06A8FF13HF3G03H6F@dave.org.uk>
Sender: Phi <phi@winning.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_H74I4J.2CC527L4ELIF1_..J_"

Of course, now "utashiro@dave.org.uk" will be picked up by the spam robots and I'll start getting spam there :)

Here's another one

ajtaylor on 2003-04-14T14:26:54

Return-Path:
Received: (from mailnull@localhost) by drjimmy.it.northwestern.edu (8.12.9/8.12.9) id h3E4kqxG008069 for ; Sun, 13 Apr 2003 23:46:52 -0500 (CDT)
Received: from compuserve.com (unknown [211.147.1.109]) by drjimmy.it.northwestern.edu via smap (V2.0) id xma007813; Sun, 13 Apr 03 23:46:45 -0500
Date: Mon, 14 Apr 2003 04:00:19 +0000
X-Phforward: V2.5@drjimmy (nwu.edu)
From: kenn@drewtaylor.com
Subject: Hbnguyen, Fuck their Faces then spurt chunks all over them!!!!
To: Hbnguyen <hbnguyen@nwu.edu>
References: <2EBF32J9.23D890JD@nwu.edu>
In-Reply-To: <2EBF32J9.23D890JD@nwu.edu>
Message-ID: <H3KJLL..43B52L8A4@drewtaylor.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_A.2_EK92211G_6EH7_4DA8_0."

Re: Here's another one

ajtaylor on 2003-04-14T14:28:22

Oops, the return path should have been:
Return-Path: <kenn@drewtaylor.com>

Murderers, Rapists and Spammers

ct on 2003-04-14T14:40:49

Return-Path: <dwmalone@cthompson.com>
Received: from compuserve.com (pcp036474pcs.unl.edu [129.93.204.37])
        by msgdirector3.onetel.net.uk (Mirapoint Messaging Server MOS 3.2.2-GA)
        with SMTP id AQC48679;
        Sun, 13 Apr 2003 22:36:39 +0100 (BST)
From: <dwmalone@cthompson.com>
Date: Sun, 13 Apr 2003 20:50:11 +0000
Subject: Hi, Tmunt, Nasty Girls Getting Down And Dirty!! Username:
+downonthefarm, Password: horsespunk!!
To: Tmunt <tmunt@onetel.net.uk>
References: <LDJJFH483089JK638@onetel.net.uk>
In-Reply-To: <LDJJFH483089JK638@onetel.net.uk>
Message-ID: <07HC0EE30L4JFII6E@cthompson.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
+boundary="----=_NextPart_D68.KCH019.5FG5_1IAA_98_G"

------ --------------
And the ever popular
--------------------

Sender: reports@cthompson.com
Received: from compuserve.com (h24-76-235-111.vs.shawcable.net [24.76.235.111])
        by siaag2aa.compuserve.com (8.12.9/8.12.7/SUN-2.6) with SMTP id
+h3E0Md93019967
        for <chcolinhandley@compuserve.com>; Sun, 13 Apr 2003 20:22:42 -0400
+(EDT)
Date: Sun, 13 Apr 2003 23:36:14 +0000
From: reports@cthompson.com
Subject: Chcolinhandley, Fuck their Faces then spurt chunks all over them!!!!
To: Chcolinhandley <chcolinhandley@compuserve.com>
References: <LEI5I6I951E2ADF25@compuserve.com>
In-Reply-To: <LEI5I6I951E2ADF25@compuserve.com>
Message-ID: <6D.DEI569DL.LAGC5@cthompson.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
+boundary="----=_NextPart_JK_1K6K.A48_56HC19_JD_A3D"

------ -------------------------
And you can't forget the viagra
-------------------------------

Received: from microsoft.com ([220.77.142.206]) by mailin07.sul.t-online.com
        with smtp id 1951Qu-1E1kMzC; Mon, 14 Apr 2003 12:43:28 +0200
Date: Mon, 14 Apr 2003 09:57:02 +0000
From: srh@cthompson.com
Subject: 970151, Massive, Rock-Solid Erections! For You..
To: 970151 <970151@t-online.de>
References: <54LFK64F244IHJKCB@t-online.de>
In-Reply-To: <54LFK64F244IHJKCB@t-online.de>
Message-ID: <00CBI73JFK4KHLLGD@cthompson.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
+boundary="----=_NextPart__2B29H4_0K6DDF57_FBEIE__K"

------ ------------------------
Those three are the only ones
that I have full headers for.

Other Subject lines include:
------------------------------

Subject: username, Fuck their Faces then spurt chunks all over them!!!!

Subject: Hi, username, NOTHING is too TABOO for these young sluts!!!!!

Subject: Hi, username, Nasty Girls Getting Down And Dirty!! Username: downonthefarm, Password: horsespunk!!

Subject: username, see Britney Spears insane France interview! (long random string)

another example:

chrimble on 2003-04-14T14:44:54

Received: from compuserve.com (58.muedb.lsan.la6ca01r1.dsl.att.net [12.98.205.58]) by rly-xg02.mx.aol.com (v93.6) with ESMTP id MAILRELAYINXG210-4563e9a121b30; Sun, 13 Apr 2003 21:42:53 -0400
Date: Mon, 14 Apr 2003 00:56:25 +0000
From: Thomas_Bolioli@carline.org
Subject: Dcboy4bm, Fuck their Faces then spurt chunks all over them!!!!
To: Dcboy4bm
References:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_BD087I.FA9K.CHK_.J2HIJ0F7"

Super Matt, The Spam Avenger to the rescue

barbie on 2003-04-14T17:03:28

more for your tally....
Return-Path: <hilliard@missbarbell.co.uk>
Received: (qmail 16840 invoked by uid 840); 14 Apr 2003 12:50:25 -0000
Received: from hilliard@missbarbell.co.uk by mail.seacove.net with qmail-scanner-1.01 (fsecure: 4.14/4062/2003-04-10/2002-12-17. 2003-04-09/. Clean. Processed in 1.475296 secs); 14 Apr 2003 12:50:25 -0000
Received: from unknown (HELO Microsoft.com) (61.4.77.74)
  by mail.seacove.net with SMTP; 14 Apr 2003 12:50:24 -0000
Date: Mon, 14 Apr 2003 12:04:00 +0000
From: hilliard@missbarbell.co.uk
Subject: Strobel, I Got So Hard With This Product...
To: Strobel <strobel@seacove.net>
References: <49D84BB3.1HE8HBA5@seacove.net>
In-Reply-To: <49D84BB3.1HE8HBA5@seacove.net>
Message-ID: <AFKCH1H995CCCHHF7@missbarbell.co.uk>

Return-path: <GST_BAILEY@missbarbell.co.uk>
Received: from adsl-66-138-124-39.dsl.wchtks.swbell.net ([66.138.124.39] helo=compuserve.com)
by granger.mail.mindspring.net with smtp (Exim 3.33 #1)
id 194yX0-00058M-00
for jsutphen@mindspring.com; Mon, 14 Apr 2003 03:37:38 -0400
Date: Mon, 14 Apr 2003 06:51:10 +0000
From: GST_BAILEY@missbarbell.co.uk
Subject: Jsutphen, Fuck their Faces then spurt chunks all over them!!!!
To: Jsutphen <jsutphen@mindspring.com>
References: <H0FI85294909JJHG6@mindspring.com>
In-Reply-To: <H0FI85294909JJHG6@mindspring.com>
Message-ID: <37GE15ECF4A75H2.9@missbarbell.co.uk>
Unfortunately I've killed all my AOL and Compuserve ones this morning.

me too

jbisbee on 2003-04-14T17:05:48

Here's a recent one
Received: from rcpt-impgw.biglobe.ne.jp by biglobe.ne.jp (RCPT_GW)
        id AAA27215; Tue, 15 Apr 2003 00:42:17 +0900 (JST)
Received: from microsoft.com ([211.115.209.218])
        by rcpt-impgw.biglobe.ne.jp (nkrw/3410050802) with SMTP id h3EFgE727185
        for <gons@mte.biglobe.ne.jp>; Tue, 15 Apr 2003 00:42:15 +0900 (JST)
Date: Mon, 14 Apr 2003 14:55:51 +0000
From: btr --AT-- jbisbee.com
Subject: Gondou Youichi, Christina Aguilera's infamous topless video!
+i1g5UUczUBbx4WDIlhWU5HNoE1qfKNb4
To: Gondou Youichi <gons@mte.biglobe.ne.jp>
References: <3CBJAG1E9LF0B8L5A@mte.biglobe.ne.jp>
In-Reply-To: <3CBJAG1E9LF0B8L5A@mte.biglobe.ne.jp>
Message-ID: <FE8DE8BDH90IG4H5G --AT-- jbisbee.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_G9DJAI0LDD_5_JE_8__A_F.61"
Note: (changed @ to --AT-- for jbisbee.com)

Yet More.

ct on 2003-04-14T17:36:30

This just arrived...

Received: from mx11.airmail.net from [209.196.77.108] by mail.airmail.net
(/\##/\ Smail3.1.30.16 #30.56) with esmtp  sender: <edv@cthompson.com>
        id <mO/1956Sn-001gFRO@mail.airmail.net>; Mon, 14 Apr 2003 11:05:45 -0500
+(CDT)
Received: from danapris.kw.ua ([195.177.71.30] helo=microsoft.com)
        by mx11.airmail.net with smtp (Exim 4.10)
        id 1956Se-000JYG-00
        for sh3010@airmail.net; Mon, 14 Apr 2003 11:05:37 -0500
Date: Mon, 14 Apr 2003 15:19:12 +0000
From: edv@cthompson.com
Subject: Paul Davidson, Christina Aguilera's infamous topless video!
+RdthDyKJnVt1lHUT7hXvyJtQ2jAvdOh6
To: Paul Davidson <sh3010@airmail.net>
References: <7A0ALCH3K.AHA5HF6@airmail.net>
In-Reply-To: <7A0ALCH3K.AHA5HF6@airmail.net>
Message-ID: <@cthompson.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
+boundary="----=_NextPart_JB.K92.KBHFIAJ7FFHIH._H9F"

------ -------------------------
And a new subject, no headers
-------------------------------

Subject: Hi, username, NOTHING is too TABOO for these young sluts!!!!!

They just keep coming.

ct on 2003-04-14T17:38:29

Received: from bryson.student.princeton.edu ([140.180.144.5]
+helo=compuserve.com)
        by dragon.relcom.ru with smtp
        id 1957GI-000JSL-00 for dmk@ru.net; Mon, 14 Apr 2003 20:56:55 +0400
Date: Mon, 14 Apr 2003 16:56:46 +0000
From: jbnivoit@cthompson.com
Subject: \325\356\360\356\370\345\345
\361\340\354\356\367\363\342\361\362\342\350\345
To: Dmk <dmk@ru.net>
References: <HEFG.3H92BDH7EAJ.@ru.net>
In-Reply-To: <HEFG.3H92BDH7EAJ.@ru.net>
Message-ID: <DLG79C9DI.DLIGA38@cthompson.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
+boundary="----=_NextPart_D_._LH.4._7.1KI_8J_I_IA0B"

$name! Gr0w a larger p3n1z

dws on 2003-04-14T17:57:32

I've been getting these things for months, though the combination of my name plus my domain is recent. A procmail rule to deep-six emails that are HTML-only catches half of them.

And a good thing I just checked my spam file. There was a rather important false positive.

False positives

vsergu on 2003-04-14T21:22:57

Yes, you really should remind your family, friends, and clients not to use the word "p3n1z" in e-mail to you.

Conspiracy theory

jordan on 2003-04-14T19:44:05

Spammers are attacking the Perl community because the Perl community has done so much to attack SPAM.

The battle has been joined!

Re: Conspiracy theory

jbisbee on 2003-04-14T19:57:21

Yes, it would appear that they screen scraped use.perl.org's member list somehow and used it to seed the 'From:' email header. I've been relatively spam free up until this point too. I guess I'm not getting spam at this point, just bounces, but it still sucks. :(

Another

garth on 2003-04-15T01:43:52

Return-Path:
Received: from compuserve.com ([142.59.85.193])
                by southgate.starhub.net.sg (8.12.5/8.12.5) with SMTP id h3F0wQXC013985
                for ; Tue, 15 Apr 2003 08:58:27 +0800 (SST)
Date: Tue, 15 Apr 2003 00:12:05 +0000
From: markn@rubberband.org
Subject: FW: Rajen, Check this out, :)
To: Rajen
References:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_617_6D.H2H_DL9J__8_C6K.D3"

I don't think it's use.perl.org they've scraped

wickline on 2003-04-15T01:46:28

My theory...
On or before March 28th, someone harvested some addresses
 
They pulled from several technical mailing lists
    (or possibly from NNTP interfaces to those lists)
 
Those included perl lists, but were not exclusively perl.
 
Around March 28th, that list was used
    (to send the 'Swiss Group' spam)
 
By around April 5th that list saw wider distribution
    (probably sold to some other spammers)
 
Around April 5th, someone used the list in their spamming
    software to generate bogus From headers and presumably
    genuine To headers. I've been the victim of having an
    address of mine used in the From: header of a spam
    message, and on that occasion I received hundreds of
    bounces and complaints. From what I'm seeing, I'd say
    that their software is generating a new bogus From:
    header for each recipient.
I've been getting these since at least April 5th. The From: header seems to be my domain name (wickline dot org) with some semi-random username on the front of it. Some of the usernames lead me to suspect that perhaps user names are being harvested from some perl source. For example, here are a few user names from today: Koenig, guntermann, iandstanley, tbekel, xpix, artis, tzoompy, giegerich, leonvs, fila, Boubaker, jkeen, tori, palmieri.

Yes. Those are all from today. Each of those users at my domain was used in the From: header of a bounced spam message. Also, a Google search for each of those usernames and perl (i.e. "Koenig perl") will turn up hits. So, it seems likely that some perlish source was harvested. However, I'm not sure it's use.perl.org. Some other spam I've seen has left me thinking that someone recently harvested a variety of geeky mailing lists.

Shortly before all this started, I saw spam on previously unspammed addresses used to post to various mailing lists. The spam was sent March 28th, and always had a subject which read
Re: user@example.com,  Swiss Group Switzerland ! Earn up to 2 daily in the Swish Stock Exchange !
and the email addresses were those I'd used to post to various geeky lists (not the user@example.com above). They were usernames (at my domain) like the following:
m_module_authors
m_perltrainers_digest
m_libwww_digest
m_pause
m_listbox
m_ to-validatorlist-re_tagclosing
Note that the last username was never used in a perl-specific list. The first four were perl-specific, and the penultimate username was used in many contexts some years ago. At about the same time (March 28th), I also saw this same form of spam at several work email addresses. Some of those had been used to post to mailing lists, and others were not.

Most of my mailing list addresses have been safe. Those are all older email addresses. All of my more recent subscriptions have been with usernames (at my domain) in the form m-list-subscribe-list_name_here. The 'list' and 'subscribe' in the address seem to scare off the address harvesting spiders.

So, I've been getting joe-jobbed bounce messages since about April 5th. I also got a small batch of joe-jobbed spam on April 7th. The following usernames (which I've never used from my domain, so I'm assuming must be joe jobbed) appeared in the To: headers of spam messages: gerald_bahorich, losing, gregory_adams, jeff_richmond. The joe jobbed To: headers may or may not be related to the From: header situation. My hunch is that they're two separate things.

On April 12, the St. Louis perl hackers mailing list got a couple bits of spam, but those may not be related. That list hadn't seen spam previously (for around a year that I'm aware of). My cpan address gets a few bits of spam each day, but that's nothing new.

Matt, if you want full headers of any of these, please reply to this message. Otherwise, I'll figure you have plenty to work with at this point. Besides, the full headers (from the bouncing MTAs) won't be all that useful.

Here are a few likely looking snippets reported by the bouncing MTAs though. The ============= lines separate snips from different bounce messages.
Received: from compuserve.com (c-24-125-58-3.va.client2.attbi.com [24.125.58.3])
        by vmk.prodigy.net (8.12.9/8.12.3) with SMTP id h3EN2Uiu176762
        for <mariuszwojciuk@prodigy.net>; Mon, 14 Apr 2003 19:02:30 -0400
Date: Mon, 14 Apr 2003 22:16:08 +0000
 
=============
 
Received: from w151.z064000245.lax-ca.dsl.cnc.net
(64.0.245.151)
      by mail01h.rapidsite.net (RS ver 1.0.80vs) with SMTP id 4-310779139
      for <efdr@ageless.com>; Mon, 14 Apr 2003 15:55:49 -0400 (EDT)
Date: Mon, 14 Apr 2003 19:55:47 +0000
 
=============
 
Received: from [61.4.77.74] ([61.4.77.74]:17490 "HELO tccity.com" ident:
        "NO-IDENT-SERVICE[2]" whoson: "-unregistered-" smtp-auth: <none>
        TLS-CIPHER: <none> TLS-PEER-CN1: <none>) by gnome06.net.rol.ru
        with SMTP id <S9942136AbTDNSdG>; Mon, 14 Apr 2003 22:33:06 +0400
Date:   Mon, 14 Apr 2003 18:32:56 +0000
 
=============
 
Received: from compuserve.com (6532116hfc40.tampabay.rr.com [65.32.116.40])
        by relay.wplus.net (8.11.7/8.11.6/Wplus-RELAY) with SMTP id h3EESEH20570
        for <cleoltd@mail.wplus.net>; Mon, 14 Apr 2003 18:28:16 +0400 (MSD)
Date: Mon, 14 Apr 2003 14:28:10 +0000
 
=============
 
Received: from aar.alcatel-alsthom.fr ([203.177.63.185]) by mailin01.sul.t-online.com
        with smtp id 193KVD-11VTKGC; Wed, 9 Apr 2003 20:40:55 +0200
Date: Wed, 09 Apr 2003 17:54:04 +0000
-matt
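The header triage the thread is doing by hand (read the bottom-most Received line for the real connecting IP, notice that the HELO claims compuserve.com or microsoft.com while the reverse name says otherwise, and notice that References/In-Reply-To point at a message-id in the recipient's own domain while the forged From: sits at a joe-jobbed domain) can be scripted. The Python below is an added example, not code from the thread or from use.perl.org. The sample headers are constructed to mimic the quoted ones with made-up hosts, IPs and message-ids; the "registrable domain" check is a crude last-two-labels heuristic (wrong for co.uk-style names); nothing does live DNS, so the reverse name used is whatever the receiving MTA recorded in its own Received line, which the sender cannot forge, whereas the HELO string is entirely under the sender's control.

```python
import re
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_RE = re.compile(r'\bhelo[= ]([^\s)\]"]+)', re.IGNORECASE)
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+(.*?))?\s+by\s+(\S+)", re.IGNORECASE)

# Constructed bounce-header samples patterned after the ones quoted in the
# thread.  Hosts, IPs and message-ids are made up; the first three show the
# forgery pattern, the fourth is an ordinary reply for contrast.
SAMPLES = [
"""Received: from compuserve.com (unknown [198.51.100.23])
        by mx.example.net (8.12.9/8.12.9) with SMTP id h3E4kqxG008069
        for <alice@example.net>; Sun, 13 Apr 2003 23:46:45 -0500
From: kenn@victim.example
To: Alice <alice@example.net>
In-Reply-To: <2EBF32J9.23D890JD@example.net>
""",
"""Received: from adsl-1-2-3-4.dsl.example.org ([203.0.113.9] helo=compuserve.com)
        by mail.example.com with smtp (Exim 3.33 #1) id 194yX0-00058M-00 for bob@example.com; Mon, 14 Apr 2003 03:37:38 -0400
From: GST_BAILEY@victim.example
To: Bob <bob@example.com>
In-Reply-To: <H0FI85294909JJHG6@example.com>
""",
"""Received: from unknown (HELO Microsoft.com) (192.0.2.77)
  by mail.example.edu with SMTP; 14 Apr 2003 12:50:24 -0000
From: hilliard@other-victim.example
To: Carol <carol@example.edu>
In-Reply-To: <49D84BB3.1HE8HBA5@example.edu>
""",
"""Received: from mail.example.org (mail.example.org [192.0.2.10])
        by mx.example.net with ESMTP id abc123
        for <alice@example.net>; Mon, 14 Apr 2003 09:00:00 -0500
From: dave@example.org
To: Alice <alice@example.net>
In-Reply-To: <20030413.1@example.org>
""",
]


def registered_domain(name):
    """Last two labels of a hostname; a crude stand-in for the registrable domain."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


def parse_received(value):
    """Pull claimed HELO, connecting IP and recorded reverse name out of one hop."""
    text = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    first, middle = m.group(1), m.group(2) or ""
    ip = IP_RE.search(middle) or IP_RE.search(first)
    helo_m = HELO_RE.search(middle)
    if helo_m:                              # Exim/qmail: "from <rdns> (... helo=<claimed>)"
        helo, rdns = helo_m.group(1), first
    else:                                   # sendmail: "from <claimed> (<rdns> [ip])"
        helo = first
        rdns_m = re.match(r"\(([A-Za-z0-9.-]+)\s*\[", middle)
        rdns = rdns_m.group(1) if rdns_m else None
    if rdns in (None, "unknown") or rdns.startswith("["):
        rdns = None                         # MTA could not reverse-resolve the client
    return {"helo": helo.lower(), "ip": ip.group(1) if ip else None, "rdns": rdns}


def forgery_signals(raw):
    """Return origin IP, claimed HELO, forged From domain and the signals found."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # Last Received header listed = earliest hop = MTA that took the message from the spammer's host
    origin = next((h for h in reversed(hops) if h and h["ip"]), None)
    signals = []
    if origin:
        if origin["rdns"] and registered_domain(origin["rdns"]) != registered_domain(origin["helo"]):
            signals.append("helo-mismatch")     # HELO says compuserve.com, rDNS says otherwise
        elif origin["rdns"] is None:
            signals.append("helo-no-rdns")      # HELO claim could not be checked at all
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    to_dom = parseaddr(msg.get("To", ""))[1].rpartition("@")[2].lower()
    irt_dom = (msg.get("In-Reply-To") or "").strip("<> ").rpartition("@")[2].lower()
    # Poses as a reply to a message-id at the recipient's own domain, From: sits elsewhere
    if irt_dom and irt_dom == to_dom and irt_dom != from_dom:
        signals.append("fake-reply-chain")
    return {"origin_ip": origin["ip"] if origin else None,
            "claimed_helo": origin["helo"] if origin else None,
            "from_domain": from_dom, "signals": signals}


def tally(raws):
    """Count sending IPs and joe-jobbed From domains across a pile of bounces."""
    by_ip, victims = {}, {}
    for raw in raws:
        r = forgery_signals(raw)
        if r["signals"]:
            by_ip[r["origin_ip"]] = by_ip.get(r["origin_ip"], 0) + 1
            victims[r["from_domain"]] = victims.get(r["from_domain"], 0) + 1
    return by_ip, victims


if __name__ == "__main__":
    for raw in SAMPLES:
        print(forgery_signals(raw))
    print(tally(SAMPLES))
```

The helo-no-rdns signal on its own is weak (plenty of legitimate hosts have no reverse record), so it is only worth acting on together with fake-reply-chain; helo-mismatch against a big-brand domain is the stronger of the two. The tally is the part that answers Matt's request: it aggregates sending IPs (what to report to the relay's abuse contact) separately from the forged From domains (who is being joe-jobbed).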

Re: I don't think it's use.perl.org they've scraped

sneex on 2004-02-14T09:06:25

This is why I change addresses frequently.

=/
-Sx-

More

sheriff_p on 2003-04-15T16:24:07

Received: from adsl-34-234-38.bct.bellsouth.net ([67.34.234.38]:10253 "HELO
                compuserve.com" ident: "NO-IDENT-SERVICE[2]" smtp-auth:
                TLS-CIPHER: TLS-PEER-CN1: ) by gnome07.net.rol.ru
                with SMTP id ; Tue, 15 Apr 2003 20:15:57 +0400
Date: Tue, 15 Apr 2003 16:18:09 +0000
From: eragigr@clueball.com
Subject: ??????????? ????????????? ????????? ????????
To: C8ler
References:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed;
+boundary="----=_NextPart_2_79ID_3H_717_7I4L831.3_4"

Addresses on CPAN

bart on 2003-04-16T20:23:46

It seems like many people who have put modules on CPAN are in the same boat. Perhaps the existence of the next file can be part of the problem:
authors/01mailrc.txt.gz
Can somebody explain to me why this file even exists?