Mailing List CGatePro@mail.stalker.com Message #97187
From: Wiley Sanders <wms2@stmarys-ca.edu>
Subject: Spam sent by rooms full of clones using a web browser?
Date: Tue, 03 Feb 2009 07:20:27 -0800
To: <CGatePro>
It's a fact of life that a few of our 4000+ users get phished from time to time. When this happens, there is generally a tsunami of outgoing spam that sets off all kinds of alarm bells so we can close the floodgates and hunt down the unfortunate user and "interrogate them aggressively" (actually, we don't do that.)

Anyway, the spam in an incident of this type is sent via SMTP relay, or "SMTPI" if you are familiar with that from the CommuniGate logs.

Lately, I've seen a few attacks where the username/password is phished, and for all I can tell the spam is sent out via the phished user's Web interface. The volume of outgoing spam is much smaller, and no incoming SMTP connections are logged! It's a little harder to detect since the outgoing queue doesn't grow very fast, and stays fairly small.

I envision a room full of minimum wage slaves (the logins come via Saudi Arabia or Nigeria), all logged into the HTMLclient, cutting and pasting spam messages and 0-30 recipients, one message at a time. I guess, if labor is dirt cheap, why not do it this way?

Anybody else seen this? The alternative theory is that there are bots specifically designed to interface with CG's web GUI.

-w
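A detection approach for the pattern described in the post above (submissions through the web interface that never appear as SMTP input and keep the outgoing queue small), added here as an example and not part of the original message or of CommuniGate Pro itself: it parses a constructed, assumed log format and alerts on per-account webmail submission volume rather than on queue growth.

```python
"""Added example (not CommuniGate code): flag accounts bulk-sending via webmail.
The log format here is constructed for illustration and is NOT CommuniGate
Pro's real log syntax; adapt parse_line() to what your server writes."""
import re
from collections import defaultdict

# Constructed sample log: alice submits many small messages through the web
# UI from two foreign IPs; bob sends one normal message; carol relays via SMTP.
SAMPLE_LOG = """\
2009-02-03 07:00:01 HTTPU account=alice ip=198.51.100.7 rcpts=28
2009-02-03 07:00:40 HTTPU account=alice ip=198.51.100.7 rcpts=30
2009-02-03 07:01:15 HTTPU account=bob ip=192.0.2.10 rcpts=1
2009-02-03 07:01:50 HTTPU account=alice ip=203.0.113.9 rcpts=25
2009-02-03 07:02:05 SMTPI account=carol ip=192.0.2.22 rcpts=2
2009-02-03 07:02:30 HTTPU account=alice ip=203.0.113.9 rcpts=29
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<chan>\w+) account=(?P<acct>\S+) "
                     r"ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rcpts"] = int(rec["rcpts"])
    return rec

def web_submission_stats(log_text):
    """Per account: webmail message count, total recipients, distinct client IPs."""
    stats = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "ips": set()})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["chan"] != "HTTPU":   # only webmail submissions; SMTPI is ignored
            continue
        s = stats[rec["acct"]]
        s["msgs"] += 1
        s["rcpts"] += rec["rcpts"]
        s["ips"].add(rec["ip"])
    return dict(stats)

def flag_accounts(log_text, max_msgs=3, max_rcpts=50):
    """Accounts whose webmail sending exceeds either threshold. The queue stays
    small in this pattern, so the alarm keys on per-account submission volume."""
    return sorted(a for a, s in web_submission_stats(log_text).items()
                  if s["msgs"] > max_msgs or s["rcpts"] > max_rcpts)

if __name__ == "__main__":
    print(flag_accounts(SAMPLE_LOG))  # ['alice']
```

The thresholds are deliberately low for the six-line sample; on a real server they would be tuned per time window, and the distinct-IP set lets you add a geographic check on the web logins.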
