Message-ID: <6CDD95AD0FF2D311BC6A009027DC6B9903DD3542@MAIL1>
From: jlay at ameriben.com (James Lay)
Subject: Empty emails?
What was a question turned out to be an interesting exercise. Here's a
header just received:
Message-Id: <20040225203416.C37033FD03@...eway.ameriben.com>
Date: Wed, 25 Feb 2004 13:34:16 -0700 (MST)
From: styykbqzmr@...oo.com
To: undisclosed-recipients:;
What's interesting is that the To: undisclosed-recipients:; line is tagged
only by my exchange server. It looks like just as some people have
said...looks like it's spammers trying to verify the email address. But
they send via BCC...with BCC there simply isn't a To: line (least not the
ones I tested). I've looked at blocking via postfix, but no go. What I MAY
be able to do is use anomy tools to do a double-check..IE:
if message To: == null and body == null then block/nuke/something like that.
I'll keep ya posted ;-)
James
-----Original Message-----
From: randall perry [mailto:lists@...ain-logic.com]
Sent: Wednesday, February 25, 2004 9:12 AM
To: Full-Disclosure (E-mail)
Subject: Re: [Full-Disclosure] Empty emails?
At 10:13 AM 2/25/2004 -0500, you wrote:
>yup...been getting quite a few as of late. Based on some quick googles, it
>appears to have been around for quite some time.... not sure if it's some
>kind of probe to see if my address exists..but they're annoying.
You are right that it is a verification process.
What you do is have your mail bot send out spam with a twist.
As each message is composed and sent, it contains an embedded image
of a random name (in fact, it doesn't really exist) that is really a
reference number.
For example <img src=http://logging.microsoft.com/verify/123451.jpg border=0>
Your web server error log will identify every time one of those images was
tried and then that gets matched automatically to your database of names.
Now you have:
1. A verified email address
2. An originating IP (can narrow down to what continent they are on or if
broadband customers)
3. What OS you are running
4. Possibly what email client or web browser you use.
This is worth big bucks in the form of "email leads" sold by geographic regions
and whether they are dialup, cable customers, business, etc.
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
Randall Perry
Domain Logic Technology Solutions
http://www.domain-logic.com
Every problem has a solution. If there is no solution, there is no problem..
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
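The double-check James proposes (no real To: recipient and no body), written out as an added example that is not code from the thread; it also flags the remote-image reference Randall describes so a mail filter can treat it separately. The function names, result labels and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

REMOTE_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?(https?://[^\s"\'>]+)', re.I)
TAGS = re.compile(r'<[^>]+>')

def has_real_recipient(msg):
    """True if To: or Cc: carries at least one actual address.
    A missing To: and the empty group 'undisclosed-recipients:;' both fail."""
    values = msg.get_all('To', []) + msg.get_all('Cc', [])
    return any('@' in addr for _name, addr in getaddresses(values))

def body_text_and_images(msg):
    """Return (visible text, remote <img> URLs) over all MIME parts."""
    chunks, urls = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() != 'text':
            chunks.append('[attachment]')   # any attachment counts as content
            continue
        raw = (part.get_payload(decode=True) or b'').decode('utf-8', 'replace')
        if part.get_content_subtype() == 'html':
            urls += REMOTE_IMG.findall(raw)
            raw = TAGS.sub(' ', raw).replace('&nbsp;', ' ')
        chunks.append(raw)
    return ' '.join(' '.join(chunks).split()), urls

def classify(raw_message):
    msg = message_from_string(raw_message)
    text, urls = body_text_and_images(msg)
    if not has_real_recipient(msg) and not text and not urls:
        return 'empty-probe'      # the To: == null and body == null rule
    return 'remote-image' if urls else 'ok'

# Constructed sample messages (example.* addresses, not taken from the thread).
HDR = "Message-Id: <constructed@mail.example>\nFrom: sender@example.com\n"
EMPTY = HDR + "To: undisclosed-recipients:;\n\n\n"
NO_TO = HDR + "\n   \n"
BEACON = (HDR + "To: user@example.org\nContent-Type: text/html\n\n"
          "<html><body><img src=http://tracker.example/verify/123451.jpg border=0>"
          "</body></html>\n")
NORMAL = HDR + "To: user@example.org\n\nLunch at noon?\n"

if __name__ == '__main__':
    for name, m in [('EMPTY', EMPTY), ('NO_TO', NO_TO), ('BEACON', BEACON), ('NORMAL', NORMAL)]:
        print(name, classify(m))
```

A message with a real recipient and an empty body is deliberately left as 'ok', since the rule requires both conditions.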