Emails with strange numbers coming inbound

[tekinfmgr]

Has anyone experienced emails coming from the same sender and the recipient. The subject line will read 57657 and the body will contain 5556?

 

[erikhertzel]

Yes, I have seen them just today (spoofed from your domain I imagine). Just filter them with your spam filter or whatever means you use.

Regards.

Erik

 

[eyec]

DON NOT REPLY TO ANY OF THEM - that only confirms your email address as valid and it can then be used to spoof other spam emails.

just delete them without opening any attachment they carry and go on.

 

[eyec]

i got one this morning and did a trace route on it.

it originated from 81.57.150.183.fbx.proxad.net @ Boulogne-Billancourt (48.783N 2.333E) near Paris.

 

[Primis]

ISC is watching it:

http://isc.sans.org/diary.php?storyid=1384

Published: 2006-06-06,
Last Updated: 2006-06-06 15:49:07 UTC by Swa Frantzen

A new twist in spammer tactics is being reported, although we're not sure what their goal is at the moment.

Some of our readers report receiving messages apearing to originate from themselves, with only numbers as subject and body.

The body does apears to be HTML encoded, but it's so basic as to not pose a threat so far.

It would be a good idea to investigate if you can drop email that apears to be from your own organization while originating outside of it. If your users do not send such email (e.g. because they use a VPN to connect back to the inside while on the road), dropping that email might cut down on a few spams.

UPDATE

Some guesses as to what the cause of the spam might be have been received by now and I'd like to point out a few:

* Today's date is the number of the beast, it might attract some old style hackers.
* There is a possible link to Bagle seeding as it was done in the past and we might need to expect a new variant of it soon.

They're originating from everywhere according to reports. Many will contain "969" in the body instead of the strings you mentioned.

 

[tekinfmgr]

It does appear to me SPAM made to order. I wonder if it could be tied anyway also to a host infected with spyware/malware.

 

[kmcferrin]

I was suprised when I saw ISC referring to it as a "new twist" in spamming. People have been spamming using the same address for the sender and recipient for a long time. My anti-spam software has been configured from day one to drop any email message that comes from an external system but is addressed from my domain. After all, my email server is the only one that should be using my domain name. Anything else must be fraudulent.

Granted, this will cause a problem with users who like to visit web sites that have a "tell a friend" or "forward this to a friend" link on them. Usually those will spoof the senders address into the message. Of course, anyone who uses those links is basically handing out their email address, and their friend's email address, to someone who could decide to spam the crap out of them, so I'm not concerned if that functionality doesn't work for them anyways.

 

[Primis]

kmcferrin -

I think the "new twist" they referred to was primarily the fact that the subject and body were numbers, and there was no other content. They found that rather bizarre (as did most of us here).

 

[sidmickmol]

DON NOT REPLY TO ANY OF THEM - that only confirms your email address as valid and it can then be used to spoof other spam emails."

For some spammers, not getting an error message that your account doesn't exists is already confirmation that your address is valid. Damned if you do........

 

[cmeagan656]

My anti-spam software has been configured from day one to drop any email message that comes from an external system but is addressed from my domain.

So has mine.

Granted, this will cause a problem with users who like to visit web sites that have a "tell a friend" or "forward this to a friend" link on them.

Most of the legitimate stuf that I've seen blocked of this type has been personal not business related. Since our policies limit personal use of our corporate email it doesn't bother me when that type of mail is blocked. After a couple of months the users knew better than to complain. If it is business related then I have a generic email account that is exempt from the spam filter.

Cheers.