Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Torrent of new spam



Daniel Barrett pondered:
> Hmm... how does that work when Craigslist anonymizes all addresses
> (e.g., abcde-5950223588 at sale.craigslist.org)? Do they ... somehow
> discover your real address?

It's a possibility they've created bots that seem real enough to engage you in
conversation outside Craigslist (for example, I'm apartment-hunting now, and
20-30% of the postings are scam ads that I thought were targeted at suckers
who might foolishly put down deposits for applications on places they've never
been to, but might just be harvesting email addresses). But I doubt that this
is the origin of the spam I'm seeing.

> ... my approach to spam is to run spastic (spastic.sourceforge.net)
> and spamassassin in sequence.

I'm not familiar with spastic; its description at sourceforge doesn't provide
much of a clue as to how it would complement spamassassin.

The new torrent of messages is coming in bursts, about 50 a day, and they seem
to rotate IP source addresses: there are patterns of multiple messages on a
given IP but I haven't yet figured out a pattern for how they're doing it. One
thing that's pretty clear is that most of these have a message body that their
"client" has paid to distribute, followed by a screenful of blank lines,
followed by several paragraphs of Bayesian-buster text typed by hand
(Mechanical Turk or the like) or by a sufficiently-clever algorithm. Whatever
firm is behind this obviously has an outbound server farm that has all the
same spam-busting tools that we try to use for defense: their messages pass
existing tests with flying colors. Tools like sa-learn are no match for them.

-rich
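
The layout described in the message above (a paid body, a screenful of blank lines, then paragraphs of filler text) can be checked structurally instead of by token statistics. The sketch below is an added example, not part of the original post; the thresholds, function names and sample messages are constructed assumptions.

```python
import email
from email import policy

MIN_BLANK_RUN = 20   # assumed stand-in for "a screenful" of blank lines
MIN_TAIL_WORDS = 40  # assumed minimum size of the trailing filler text

def plain_text_body(raw_message):
    """Return the text/plain body of a message, or '' if it has none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""

def longest_blank_run(lines):
    """Return (start_index, length) of the longest run of blank lines."""
    best_start, best_len, run_start = -1, 0, None
    for i, line in enumerate(lines + ["sentinel"]):  # closes a trailing run
        if not line.strip():
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    return best_start, best_len

def check_padding(raw_message):
    """Flag bodies shaped as: text, long blank gap, then a block of text."""
    lines = plain_text_body(raw_message).splitlines()
    start, length = longest_blank_run(lines)
    head = " ".join(lines[:start]).split() if length else []
    tail = " ".join(lines[start + length:]).split() if length else []
    flagged = (length >= MIN_BLANK_RUN and bool(head)
               and len(tail) >= MIN_TAIL_WORDS)
    return {"blank_run": length, "tail_words": len(tail), "flagged": flagged}

# Constructed sample messages (not real spam; example.com addresses).
HEADERS = "From: a@example.com\nTo: b@example.com\nSubject: test\n\n"
FILLER = "The committee reviewed the harbor schedule before the meeting.\n" * 8
SAMPLE_PADDED = HEADERS + "Great rates, reply today.\n" + "\n" * 30 + FILLER
SAMPLE_NORMAL = HEADERS + "Hi all,\n\nSee you Wednesday.\n\n-- \nSig\n"

if __name__ == "__main__":
    print(check_padding(SAMPLE_PADDED))
    print(check_padding(SAMPLE_NORMAL))
```

A result like this is better used as one scoring signal alongside existing filters than as a verdict on its own, since legitimate mail occasionally contains long blank gaps.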





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org