Keyserver spam experiment

Peter Lebbing peter at digitalbrains.com
Wed Jan 25 11:42:36 CET 2012


Hello list,

The topic of keyserver spam came up again. This seemed like a good moment to
mention the results of a little experiment.

On March the 18th of 2011, a little under a year ago, I created a bogus OpenPGP
key and uploaded it to the keyserver. The UID of the key has an e-mail address
that is 42 random letters and numbers @digitalbrains.com. I wanted to see how
much spam it would attract.

Obviously, I could not tell anyone, because someone might disclose the address
to spammers for his or her own reasons. The experiment is now, by this mail,
tainted :).

I have received exactly one(!) spam mail. The headers will follow later. That's
only one spam mail in almost a year.

I chose 42 random letters and numbers so that the address would not get caught by
an e-mail address generator that generates likely e-mail addresses to spam. I only
wanted it to get picked up by a keyserver harvester. Now somebody might say: that
harvester might filter out a weird e-mail address whose local part is a string of
42 letters. I don't think so; sending spam is dirt cheap, why filter when you might
miss a target for your spam?

Obviously I did not filter out spam for this address. But I forgot to turn off
two things:
 - If the SMTP envelope has a FROM address @digitalbrains.com that does not
exist (anymore), the mail is denied.
 - On Jun 16th, I started rejecting mails that had 4 or more recipients in the
SMTP envelope that did not exist (anymore).

Oh, and I also have no direct control over the backup mail relays for my domain;
they filter out spam as well. And I sometimes see spam coming in through a
backup mail relay while the primary mail server is online, so some spammers use
backup relays even when the main host is not down.

I think I addressed the most important things. So here come the headers of the
spam message I received on Jul 13th last year. I removed the e-mail address so
the experiment can keep running, albeit slightly tainted. Please don't mention
the address on the mailing list :).

------------8<--------------------cut here---------------------->8--------------
Return-path: <bexleylotto03 at yahoo.co.jp>
Envelope-to: [...]@digitalbrains.com
Delivery-date: Wed, 13 Jul 2011 23:18:09 +0200
Received: from Debian-exim by butters.digitalbrains.com with spam-scanned (Exim
4.75)
	(envelope-from <bexleylotto03 at yahoo.co.jp>)
	id 1Qh6om-0003sz-15
	for [...]@digitalbrains.com; Wed, 13 Jul 2011 23:18:09 +0200
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	butters.digitalbrains.com
X-Spam-Flag: YES
X-Spam-Level: *******************************************
X-Spam-Status: Yes, score=43.3 required=5.0 tests=ADVANCE_FEE_2_NEW_MONEY,
	ADVANCE_FEE_3_NEW,ADVANCE_FEE_3_NEW_MONEY,ADVANCE_FEE_4_NEW,
	ADVANCE_FEE_4_NEW_MONEY,ADVANCE_FEE_5_NEW,ADVANCE_FEE_5_NEW_MONEY,BAYES_50,
	DATE_IN_FUTURE_12_24,FM_LOTTO_YOU_WON,FORGED_MUA_OUTLOOK,
	FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO,FROM_MISSPACED,
	FROM_MISSP_EH_MATCH,FROM_MISSP_FREEMAIL,FROM_MISSP_MSFT,FROM_MISSP_REPLYTO,
	FROM_MISSP_URI,FROM_MISSP_USER,FSL_CTYPE_WIN1251,FSL_NEW_HELO_USER,FSL_UA,
	FSL_XM_419,HK_LOTTO,LOTS_OF_MONEY,LOTTO_AGENT,MISSING_MID,MONEY_FRAUD_3,
	MONEY_FRAUD_5,MONEY_FROM_MISSP,MONEY_LOTTERY,NSL_RCVD_FROM_USER,SPF_SOFTFAIL,
	SUBJ_ALL_CAPS,TO_NO_BRKTS_FROM_MSSP,TO_NO_BRKTS_MSFT,T_TO_NO_BRKTS_FREEMAIL,
	US_DOLLARS_3 autolearn=spam version=3.3.1
X-Spam-Report:
	*  0.8 FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
	*  0.0 FSL_XM_419 Old OE version in X-Mailer only seen in 419 spam
	*  2.4 NSL_RCVD_FROM_USER Received from User
	*  0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
	*      (bexleylotto03[at]yahoo.co.jp)
	*  0.7 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
	*  1.5 SUBJ_ALL_CAPS Subject is all capitals
	*  3.2 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date
	*  0.1 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
	*      digit (bexleylotto03[at]yahoo.co.jp)
	*  0.0 LOTTO_AGENT BODY: Claims Agent
	*  1.8 US_DOLLARS_3 BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
	*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
	*      [score: 0.5001]
	*  0.3 FSL_UA FSL_UA
	*  0.5 MISSING_MID Missing Message-Id: header
	*  0.0 LOTS_OF_MONEY Huge... sums of money
	*  1.5 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
	*  3.6 HK_LOTTO HK_LOTTO
	*  2.0 FSL_NEW_HELO_USER FSL_NEW_HELO_USER
	*  1.7 FROM_MISSP_USER From misspaced, from "User"
	*  1.4 FROM_MISSPACED From: missing whitespace
	*  1.5 MONEY_FROM_MISSP Lots of money and misspaced From
	*  2.4 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different
	*      freemails
	*  0.6 FROM_MISSP_REPLYTO From misspaced, has Reply-To
	*  2.1 TO_NO_BRKTS_FROM_MSSP Multiple formatting errors
	*  3.2 FROM_MISSP_EH_MATCH From misspaced, matches envelope
	*  1.4 MONEY_LOTTERY Lots of money from a lottery
	*  3.3 FM_LOTTO_YOU_WON Talks about lotto and you won!
	*  0.0 FROM_MISSP_URI From misspaced, has URI
	*  1.2 TO_NO_BRKTS_MSFT To: misformatted and supposed Microsoft tool
	*  0.0 ADVANCE_FEE_4_NEW Appears to be advance fee fraud (Nigerian 419)
	*  0.6 ADVANCE_FEE_5_NEW Appears to be advance fee fraud (Nigerian 419)
	*  1.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
	*  0.0 ADVANCE_FEE_3_NEW Appears to be advance fee fraud (Nigerian 419)
	*  0.0 ADVANCE_FEE_4_NEW_MONEY Advance Fee fraud and lots of money
	*  0.0 ADVANCE_FEE_5_NEW_MONEY Advance Fee fraud and lots of money
	*  0.4 ADVANCE_FEE_3_NEW_MONEY Advance Fee fraud and lots of money
	*  1.5 ADVANCE_FEE_2_NEW_MONEY Advance Fee fraud and lots of money
	*  0.0 T_TO_NO_BRKTS_FREEMAIL To: misformatted and free email service
	*  0.0 MONEY_FRAUD_5 Lots of money and many fraud phrases
	*  0.2 FROM_MISSP_FREEMAIL From misspaced + freemail provider
	*  0.9 MONEY_FRAUD_3 Lots of money and several fraud phrases
Received: from mail.digitalbrains.com ([2001:980:141d::3])
	by butters.digitalbrains.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
	(Exim 4.75)
	(envelope-from <bexleylotto03 at yahoo.co.jp>)
	id 1Qh6ol-0003sw-Ug
	for [...]@digitalbrains.com; Wed, 13 Jul 2011 23:18:03 +0200
Received: from [118.224.1.233] (helo=entecnet.com)
	by mail.digitalbrains.com with smtp (Exim 4.72)
	(envelope-from <bexleylotto03 at yahoo.co.jp>)
	id 1Qh6ol-0001bG-3M
	for [...]@digitalbrains.com; Wed, 13 Jul 2011 23:18:03 +0200
Received: from User ([46.166.137.117])
	(envelope-sender <bexleylotto03 at yahoo.co.jp>)
	by 118.224.1.233 with ESMTP
	for <[...]@digitalbrains.com>; Thu, 14 Jul 2011 05:17:32 +0800
Reply-To: <bexleysweepstakes at yahoo.co.jp>
From: "BEXLEY LOTTERY"<bexleylotto03 at yahoo.co.jp>
To: [...]@digitalbrains.com
Subject: AWARD NOTIFICATION.
Date: Thu, 14 Jul 2011 05:21:11 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-Id: <E1Qh6om-0003sz-15 at butters.digitalbrains.com>
------------8<--------------------cut here---------------------->8--------------

I've left in the headers added by SpamAssassin; SpamAssassin still scans this
e-mail address, but no action is taken when the message is determined to be
spam. Unfortunately, the way SpamAssassin is set up means that Exim gets the
messages from SA in "submission mode". This means it fixes up messages to be
valid RFC822 messages. It added the Message-Id in the last line. I don't think
it changed any other headers.

Greetings,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
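An added example, not part of Peter's post: a Python script that reproduces the setup (a random 42-character local part and the gpg unattended key-generation parameters for the bogus key) and then dissects a hit by walking the Received: chain origin-first and measuring how far the Date: header runs ahead of arrival, which is what the DATE_IN_FUTURE_12_24 line in the quoted X-Spam-Report measures. The header sample is constructed and abridged from the headers quoted above, with the harvested address replaced by the placeholder honeytoken@example.invalid; the DATE_IN_FUTURE bucket boundaries are an assumed approximation of SpamAssassin's rules, not taken from its source.

```python
"""Keyserver honeytoken: generate the bait, then dissect a hit.

Added example, not code from the original post. The address, the gpg
parameters and the abridged header sample are constructed here; the
sample is modelled on the spam quoted in the post with the harvested
address replaced by a placeholder.
"""
import re
import secrets
import string
from email import message_from_string
from email.utils import parsedate_to_datetime

ALPHABET = string.ascii_lowercase + string.digits


def make_honeytoken_localpart(length=42):
    """Random alphanumeric local part: far too long for a dictionary-style
    address generator, so any mail to it came from something that read the
    key's UID (e.g. a keyserver harvester)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def gpg_batch_params(name, email):
    """Parameter file for `gpg --batch --generate-key params.txt`; the
    resulting key is then published with `gpg --send-keys <keyid>`."""
    return (
        "Key-Type: RSA\n"
        "Key-Length: 3072\n"
        f"Name-Real: {name}\n"
        f"Name-Email: {email}\n"
        "Expire-Date: 0\n"
        "%no-protection\n"
        "%commit\n"
    )


# Constructed, abridged copy of the quoted headers (placeholder recipient).
SAMPLE_HEADERS = """\
Received: from Debian-exim by butters.digitalbrains.com with spam-scanned (Exim 4.75)
\t(envelope-from <bexleylotto03@yahoo.co.jp>)
\tid 1Qh6om-0003sz-15
\tfor honeytoken@example.invalid; Wed, 13 Jul 2011 23:18:09 +0200
Received: from mail.digitalbrains.com ([2001:980:141d::3])
\tby butters.digitalbrains.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
\t(envelope-from <bexleylotto03@yahoo.co.jp>)
\tfor honeytoken@example.invalid; Wed, 13 Jul 2011 23:18:03 +0200
Received: from [118.224.1.233] (helo=entecnet.com)
\tby mail.digitalbrains.com with smtp (Exim 4.72)
\t(envelope-from <bexleylotto03@yahoo.co.jp>)
\tfor honeytoken@example.invalid; Wed, 13 Jul 2011 23:18:03 +0200
Received: from User ([46.166.137.117])
\t(envelope-sender <bexleylotto03@yahoo.co.jp>)
\tby 118.224.1.233 with ESMTP
\tfor <honeytoken@example.invalid>; Thu, 14 Jul 2011 05:17:32 +0800
From: "BEXLEY LOTTERY"<bexleylotto03@yahoo.co.jp>
To: honeytoken@example.invalid
Subject: AWARD NOTIFICATION.
Date: Thu, 14 Jul 2011 05:21:11 -0700

"""

HOP_RE = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.S)
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def received_chain(raw):
    """Hops origin-first as dicts {from, ip, by, when}. Each relay prepends
    its own Received:, so the bottom header is nearest the source and the
    top one is the final delivery; only hops on *your* hosts are trustworthy."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        if ";" in flat:
            clause, stamp = flat.rsplit(";", 1)
            when = parsedate_to_datetime(stamp.strip())
        else:
            clause, when = flat, None
        m = HOP_RE.match(clause)
        if not m:
            continue
        ip = IP_RE.search(m.group(1) + m.group(2))
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None,
                     "by": m.group(3), "when": when})
    hops.reverse()
    return hops


def date_skew_hours(raw):
    """Hours the sender's Date: runs ahead of the top Received: stamp."""
    msg = message_from_string(raw)
    arrived = received_chain(raw)[-1]["when"]
    return (parsedate_to_datetime(msg["Date"]) - arrived).total_seconds() / 3600.0


def date_in_future_bucket(hours):
    """Rough analogue of SpamAssassin's DATE_IN_FUTURE_* buckets (assumed
    boundaries); None when Date: is not meaningfully in the future."""
    for lo, hi in ((3, 6), (6, 12), (12, 24), (24, 48), (48, 96)):
        if lo <= hours < hi:
            return f"{lo:02d}_{hi:02d}"
    return "96_Q" if hours >= 96 else None


if __name__ == "__main__":
    bait = make_honeytoken_localpart() + "@example.invalid"
    print(gpg_batch_params("Keyserver honeytoken", bait))
    for hop in received_chain(SAMPLE_HEADERS):
        print(f"{hop['from']:<24} {hop['ip'] or '-':<18} -> {hop['by']}")
    skew = date_skew_hours(SAMPLE_HEADERS)
    print(f"Date: is {skew:.1f} h ahead of arrival (bucket {date_in_future_bucket(skew)})")
```

Run stand-alone it prints the chain User (46.166.137.117) -> 118.224.1.233 -> mail.digitalbrains.com -> butters, and a skew of about 15 hours, which lands in the 12 to 24 hour bucket the quoted X-Spam-Report flagged. Only the hops added by your own MTAs can be trusted; everything below them, including the "User" hop and its helo, is under the sender's control.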
