On Mon, Aug 30, 2004 at 08:57:53AM -0400, Rob McEwen wrote:
> (2) savvy spammers who manage to get significant amounts through in the first few minutes/hours BEFORE getting blocked by SURBL... in particular, the ones who already use the best strategies to get around all other types of filtering.
Yeah, like 'Sergey Katchenko' or 'Ivan Drozdof'; based on the joe job bounces I'm seeing here, he's using multiple new-to-me domains in a given day's spam run, and differentiating them based on whose domains are being forged into the spam run. So, neverexisted@dhtml-guis.com might send spam pointing to alexkardonMUNGED.com, and neverexisted@otherdomain might send spam with yamatotakeruMUNGED.com, etc. All in the same overnight run.
Fortunately, he's also using a fairly easy-to-crack sender-forging script, so once I figure out his wordlist (it's more sophisticated than the words/words2 that comes with Linux/OSX) he'll be gone from here, anyway.
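The pattern described above (one spamvertised domain per forged sender domain, all new in the same run) is the kind of thing you can pull straight out of a pile of bounces. The script below is an added illustration, not code from the poster or from the SURBL project: it parses a handful of constructed sample messages (the sender and URL domains are placeholders under the reserved .example TLD, not the real ones from the post), reduces every URL host to a two-label registrable domain, groups the spamvertised domains by forged sender domain, and reports which of them are not yet in a local known list. The two-label reduction is a stated simplification; a real SURBL client uses a suffix list so that hosts under co.uk and similar are handled. Nothing is resolved over the network; surbl_query_name only builds the name you would look up against the real multi.surbl.org zone.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed sample bounces/spams for this example (placeholder domains,
# not the ones quoted in the post). Two forged sender domains, each of which
# only ever carries one spamvertised domain, plus one legitimate URL.
SAMPLE_MESSAGES = [
    "From: neverexisted@dhtml-guis.example\nSubject: hi\n\n"
    "See http://alexkardonmunged.example/buy\n",
    "From: other@dhtml-guis.example\nSubject: hi\n\n"
    "Click http://www.alexkardonmunged.example/x?y=1\n",
    "From: someone@otherdomain.example\nSubject: yo\n\n"
    "http://yamatotakerumunged.example/\n",
    "From: nobody@otherdomain.example\nSubject: yo\n\n"
    "Visit http://yamatotakerumunged.example/deal and http://www.example.com/\n",
]

# Captures the host part of an http(s) URL; good enough for plain-text bodies.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (www.foo.example -> foo.example).

    Simplification (assumption of this example): SURBL-style lookups use a
    public-suffix list so that e.g. foo.co.uk is not collapsed to co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg) -> str:
    """Registrable domain of the (forged) From: address, or '' if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return registrable_domain(m.group(1)) if m else ""


def spamvertised_domains(msg) -> set:
    """Registrable domains of every URL in a single-part text body."""
    body = msg.get_payload()
    if not isinstance(body, str):
        # Multipart bodies are out of scope for this example; skip them.
        return set()
    return {registrable_domain(h) for h in URL_RE.findall(body)}


def correlate(raw_messages):
    """Map forged sender domain -> set of spamvertised domains seen with it."""
    table = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        table[sender_domain(msg)] |= spamvertised_domains(msg)
    return dict(table)


def new_domains(table, known):
    """Spamvertised domains from the run that are not in a local known list."""
    seen = set().union(*table.values()) if table else set()
    return sorted(seen - set(known))


def surbl_query_name(domain: str) -> str:
    """DNS name a SURBL client would resolve for this domain (not resolved here)."""
    return f"{domain}.multi.surbl.org"


if __name__ == "__main__":
    table = correlate(SAMPLE_MESSAGES)
    for sender, targets in sorted(table.items()):
        print(f"{sender:<24} -> {', '.join(sorted(targets))}")
    for d in new_domains(table, known=["example.com"]):
        print("new this run:", d, "(would query", surbl_query_name(d) + ")")
```

Fed real joe-job bounces, the grouping by forged sender domain is what makes the one-domain-per-forged-sender pattern visible, and the "new this run" list is the set you would want to push toward a SURBL feed before the run finishes.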