From Russia With Love

Most people with decent spam protection should not see these types of spam, as they come mostly from compromised IoT (Internet of Things) devices on home-style connections rather than from normal email servers, but it is interesting because of how widespread it is. This is typical catfish-type spam, trying to take advantage of poor lonely hearts.

Hello, Dear!
How is it going?
I'm Marie, may I ask your name?
I see you frequently visit this site, so I wanted to talk to you today but you had already left the chat.
I guess you would like to chat with me too, wouldn't you?..
Write me a few lines some time – believe me, you won't regret it, I guarantee.
I look forward to get a sweet e-mail from you.
My email (address)

Yours faithfully,
Maria

Filtering rules should of course also treat that as suspicious, and you might wonder how someone could fall for this. But not everyone is internet savvy, and some of the older generation, who don’t use email a lot and have tried to use the internet to find true love, might think that they are just lucky.

However, this is a large-scale, widespread bot, and while we have seen them before, it must be working for the spammers to still be at it. And of course ‘catfish’ farming is still big business in some countries.

In this particular bot, there are some easy-to-see markers. Aside from the content itself, the messages mostly come directly from an infected device on a home-style connection, e.g.:

Received: from 185-136-92-45.cybergrota.com.pl (HELO 185-136-92-45.cybergrota.com.pl) (185.136.92.45)

Typically, they are identified as Windows devices; however, the sender is more likely to be a CPE device and/or firewall, and this is supported by nmap probes.
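The header marker described above can be checked mechanically. The following is an added example, not code from the original post: it parses the Received line format quoted above and flags senders whose reverse DNS or HELO name embeds their own IP address, the usual naming pattern for home-style connections. The function names and the second sample line are constructed for illustration.

```python
import ipaddress
import re

# Received line format as quoted above: from <rdns> (HELO <helo>) (<ip>)
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+\((?P<ip>[0-9.]+)\)", re.I)

def ip_encodings(ip):
    """Common ways an access provider embeds an IPv4 address in generic rDNS."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on a bad address
    forms = set()
    for order in (octets, octets[::-1]):
        forms.update(sep.join(order) for sep in ("-", ".", "_"))
        forms.add("".join(part.zfill(3) for part in order))  # zero-padded, no separator
    return forms

def embeds_ip(hostname, ip):
    """True if the hostname carries the IP's octets as a whole numeric token."""
    host = hostname.lower()
    return any(
        re.search(r"(?<![0-9])" + re.escape(form) + r"(?![0-9])", host)
        for form in ip_encodings(ip)
    )

def classify_received(line):
    """Marker flags for one Received line, or None if it does not parse."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    rdns, helo, ip = m.group("rdns", "helo", "ip")
    try:
        rdns_hit, helo_hit = embeds_ip(rdns, ip), embeds_ip(helo, ip)
    except ValueError:  # the captured digits are not a valid IPv4 address
        return None
    return {
        "ip": ip,
        "rdns_embeds_ip": rdns_hit,
        "helo_embeds_ip": helo_hit,
        "helo_equals_rdns": helo.lower() == rdns.lower(),
        "dynamic_direct_sender": rdns_hit or helo_hit,
    }

SAMPLES = [
    # Header quoted on this page
    "Received: from 185-136-92-45.cybergrota.com.pl (HELO 185-136-92-45.cybergrota.com.pl) (185.136.92.45)",
    # Constructed contrast: a named mail server on a documentation address
    "Received: from mail.example.org (HELO mail.example.org) (192.0.2.25)",
]
RESULTS = [classify_received(s) for s in SAMPLES]
```

A hit on `dynamic_direct_sender` is a scoring signal for a filter, not proof of infection on its own; it is strongest when combined with the content markers and a dynamic-space blocklist.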

Millions of these emails are being sent out every day.

Just one more reason for ISPs to block port 25 on egress from all their dynamic IP space.

One Response to From Russia With Love

  1. MagicMail says:

    #fromrussiawithlove bot started again this morning, this time #spamvertising qwedating [dot] ru, blocking with a good #rbl that blocks #dynamic IP space is the answer, eg #spamrats RATS-DYNA
