Quack

jhi on 2003-09-05T15:33:47

Anyone else been getting this? I've got it now three times.

From: "a duck" Date: Fri, 05 Sep 2003 08:11:01 -0700 Message-Id: To: Quack: Quack quack quack. Quack quack quack. Quack quack Quack-Quack quack quack. Quack quack quack. Quack quack quack. Quack quack quack. Quack "quack quack" quack. Quack quack quack? Quack Quack! Quack quack quack. Quack


Yeah

pudge on 2003-09-05T16:10:49

I got it once, and then cmd-J'd it in Eudora, so it is now filtered automatically ... lemme see ... yeah, I got it the first time, and then once more.

Yep

Elian on 2003-09-05T17:19:20

Seen it twice so far. Definitely odd -- no sign of an attachment or anything, so if it's a real virus or worm, someone's got a really pathetically put-together mail client out there...

Re:Yep

jordan on 2003-09-05T17:47:56

I bet anything that this is a spam harvester. Is it HTML mail? If it is, look for an image embedded in it, or any offsite href. Those hrefs are typically generated uniquely for every recipient and if you open or preview the email in a browser-like viewer, then the remote site knows which email addresses they are hitting are live.

Even if it's not HTML mail, I think it's written to attempt to elicit a response from you and if you do, bang, they've got a "verified" email for their spam databases.

Re:Yep

Elian on 2003-09-05T17:57:33

The ones I got didn't show these characteristics either. No HTML, no web bugs, no multipart, no nothing. The received headers even looked unforged -- if it was a forgery it was a darned good one, better than any of the spammers I've seen so far.
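Added example, not part of any post in this thread: a short Python check for the traits jordan describes and Elian looked for, namely multipart structure, an HTML part, attachments, and offsite image or link URLs carrying a per-recipient token. Both sample messages are constructed, and the token pattern is an assumed heuristic.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample messages (not the mail discussed in the thread).
HTML_MAIL = """\
From: sender@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: text/html

<img src="http://t.example.invalid/o.gif?id=9f3c2a7e51d04b6a" width="1" height="1">
<a href="http://t.example.invalid/c/9f3c2a7e51d04b6a">click</a>
--b1--
"""
PLAIN_MAIL = "From: duck@example.invalid\nSubject: Quack\n\nQuack quack quack.\n"

class RemoteRefs(HTMLParser):
    """Collect attributes that make a viewer fetch or follow an offsite URL."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "background") and re.match(r"(?i)https?://", value or ""):
                self.urls.append(value)

def triage(raw):
    """Report the features the thread checks for: multipart, HTML, attachments, web bugs."""
    msg = message_from_string(raw)
    report = {"multipart": msg.is_multipart(), "html": False, "attachments": [], "remote_urls": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            report["attachments"].append(part.get_filename())
        elif part.get_content_type() == "text/html":
            report["html"] = True
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            parser = RemoteRefs()
            parser.feed(body)
            report["remote_urls"] += parser.urls
    # Heuristic (assumption): a long opaque run in the path or query is a per-recipient token.
    paths = [urlsplit(u).path + "?" + urlsplit(u).query for u in report["remote_urls"]]
    report["tokens"] = sorted(set(re.findall(r"[0-9A-Za-z_-]{12,}", " ".join(paths))))
    return report
```

A message like the one reported here (plain text, single part) comes back with every field empty or false, which is the result Elian describes.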

Re:Yep

jordan on 2003-09-05T18:03:28

Huh.

Could still be trying to get you to respond to harvest your address.

I wonder if someone modified one of the worms to generate this as a joke.... Kinda funny, actually.

Me too

grantm on 2003-09-05T20:19:06

Yes, I got it once. No attachments. No HTML body. No obvious point.

Ah, I see.

ethan on 2003-09-06T08:04:12

So those are the little things that slow you down in your efforts to release and maintain 5.8.1. :-)

I am not sure whether I got it. I no longer look too closely into my spam-inbox. And the times when I actually read some of the spam (for having a good laugh) have long passed.

Re:Ah, I see.

jhi on 2003-09-07T09:20:11

Well, this "duck" dodged my spam filters, and I was kind of curious of what's up with that, since as people noted, there was no viral payload or address-harvesting links in it...

I spent much of Friday and Saturday retuning my spam filters for the "you have a virus" bounce storm of SoBig.F (still going at the rate of 400-600/day for me...)

Re:Ah, I see.

jhi on 2003-09-07T09:28:00

> still going at the rate of 400-600/day

Ummm. I don't know where I got that number from. About 200/hour is the right ballpark, so about 2400/day.

Re:Ah, I see.

jhi on 2003-09-07T21:17:12

Argh, it seems that I have completely lost my arithmetics these days. Those who were paying attention noticed that there was no sense in my calculation since there are in fact 24 hours a day, not 12... let's try once again: it looks like I get 1600-2400 spam/virus/bounce messages a day. In the beginning of August I "only" got 200-400 a day.

Sobig.F bounces

ethan on 2003-09-07T10:49:41

That must be a real plague (I now heard it from you, from Nick Clark...from many people). I only get about two or so bounces each week.

I guess my email addresses just don't show up often enough in public (although I took no measures at all to protect them). Maybe my university already filters them out.

Gosh, only thinking about it makes me sick...I wonder whether my machine could deal with it at all.

Found it!

Elian on 2003-09-09T18:47:43

I think this is a sobig side-effect. There's an autoresponder on quack@airportloungemusic.com -- send it mail and it sends you a message from a duck. (No, I don't know why. But, then, I can't think of a reason why not either) I bet there's someone out there with both your e-mail address and that one (it's on http://www.airportloungemusic.com, so it's probably in someone's cache) as well as our pal sobig. Mail forged as from you goes to the autoresponder, and you get messages from ducks.

Could be worse--"I email dead people!" :)

Re:Found it!

jhi on 2003-09-10T20:51:51

Bah. I was kind of hoping for a sentient duck with email access.