
August 30, 2003

Why are the Spammers sending out SoBig.F virus?

Lockergnome has a theory and it isn't good.
I observed back on Tuesday that my Symantec SMTP gateway was stopping SoBig.F subject lines coming from spammers (i.e., blocked via DNSBL) at over 3 times the rate that I was seeing them from Joe user types. Further, I noticed that they were sending even more SoBig.F emails than they were spam. So, why would spammers who make their living by generating emails allow their servers to be compromised? They didn't. They are doing this on purpose and I have a theory for this. I call it my echo theory.

Say that, as a spammer, you know one or more of the addresses in your database is to a spam trap - but you don't know which one. You generate LOTS of SoBig.F emails on purpose, using your database for the forged-from addresses. Now, JoeUser has his server or client antivirus filter set up to send a reply when it encounters a virus (which is a very BAD thing, after Klez taught us about the virtues of forged addresses).

Dutifully, JoeUser's email server or client automatically sends a helpful note off to "SpamTrap," informing them that they are infected. Often these replies even extol how much smarter they are than "SpamTrap" because they caught it, but "SpamTrap" did not. Heck, let's even send an email to the postmaster at SpamBait's ISP, telling him / her how much better the BrandX filter is that JoeUser is using... but I digress.

The email server at SpamBait's ISP sees an email to SpamTrap and says "Ah hah, JoeUser's ISP must obviously be a spammer, so load his IP address into our DNSBL servers."

JoeUser now sends a legitimate email to me, SmartUser at IuseDNSBL.com, and it, of course, bounces. JoeUser now calls me and asks why he was blacklisted. After some diligent effort on my part, I find that DNSBL.SpamBait.com is saying half of my customers and suppliers are spammers. I have a business to run, so I turn off DNSBL on my gateway and - lo and behold - all of the spammers' emails that were being blocked due to DNSBL are now allowed to come through. That is my echo theory. That is why spammers are using half their bandwidth to send SoBig.F.
I don't even like to think about this. Spammers are the scum of the matrix.
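
The echo effect described above, as an added example that is not part of the original post: a small Python model in which the same forged SoBig.F mail reaches three receiving gateways with different notification policies, and a trap-fed DNSBL lists whichever gateway replies to the trap. The hosts, addresses and policy names are all constructed for illustration.

```python
# Added illustration of the "echo" effect; every host, address and policy
# name below is constructed, not taken from the post.
FORGING_VIRUSES = {"SoBig.F", "Klez"}     # the post names both as forging senders
SPAM_TRAPS = {"trap@spambait.example"}    # hypothetical spam-trap address


def notification(gateway, msg):
    """Return (source_ip, recipient) for the auto-reply a gateway emits, or None."""
    if msg["virus"] is None:
        return None                       # clean mail never triggers a reply
    policy = gateway["policy"]
    if policy == "never":
        return None
    if policy == "skip_forging" and msg["virus"] in FORGING_VIRUSES:
        return None                       # From line is untrustworthy: stay silent
    return (gateway["ip"], msg["from"])   # "always", or a non-forging virus


def trap_listings(gateways, deliveries):
    """IPs a trap-fed DNSBL would list after the gateways process the deliveries."""
    listed = set()
    for gw_name, msg in deliveries:
        note = notification(gateways[gw_name], msg)
        if note and note[1] in SPAM_TRAPS:
            listed.add(note[0])           # a reply reached the trap: host gets listed
    return listed


# Constructed sample: three receiving gateways, the same forged mail sent to each.
GATEWAYS = {
    "joeuser":  {"ip": "192.0.2.10", "policy": "always"},
    "cautious": {"ip": "192.0.2.20", "policy": "skip_forging"},
    "silent":   {"ip": "192.0.2.30", "policy": "never"},
}
FORGED = [
    {"from": "trap@spambait.example", "virus": "SoBig.F"},
    {"from": "alice@customer.example", "virus": "SoBig.F"},
]
DELIVERIES = [(name, m) for name in GATEWAYS for m in FORGED]

if __name__ == "__main__":
    print(sorted(trap_listings(GATEWAYS, DELIVERIES)))
```

Only the gateway that always replies to the From address ends up on the list; the two that stay silent for sender-forging viruses do not.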


Creative Commons License This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 Canada License, though the work this blog incorporates may be separately licensed.