Weird "Ghost Spam" Testing Addresses

The messages are unusual in that the send and from fields are the recipient's own address, and the subject heading is a number.

June 8, 2006


A wave of strange e-mails with strings of numbers as their only message is most likely a spammer's or hacker's test of his mailing list, several security companies concluded Thursday, and may presage a junk mail campaign or a malware attack.

The messages, which Panda Software characterized as "ghost mail," are unusual in that the send and from fields are the recipient's own address, that the subject heading is a number -- 455, 557, 56757, 586876, or 1545453 -- and the message body is a mix of HTML and apparently random numbers.

Unlike most malicious mail or spam, these do not include a file attachment (the usual way e-mail is used to deliver worms or Trojan horses), nor do they include an embedded link, as do phishing messages.
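The traits described above can be checked mechanically by a mail filter. The following Python sketch is an added example, not code from Panda, Symantec or this article; the trait names, the addresses and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

NUMERIC_SUBJECT = re.compile(r"\d+")              # subject is only digits
LINK = re.compile(r"https?://|href\s*=", re.I)    # embedded link (phishing trait)
TAG = re.compile(r"<[^>]+>")                      # strip HTML markup from the body

def ghost_mail_traits(raw):
    """Map each trait the article describes to True/False for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    tokens = TAG.sub(" ", body).split()
    return {
        "self_addressed": bool(sender) and sender == recipient,
        "numeric_subject": bool(NUMERIC_SUBJECT.fullmatch(str(msg.get("Subject", "")).strip())),
        "no_attachment": next(msg.iter_attachments(), None) is None,
        "no_link": LINK.search(body) is None,
        "numeric_body": bool(tokens) and all(t.isdigit() for t in tokens),
    }

def is_ghost_mail(raw):
    """Flag only when every trait is present; any single one is common in real mail."""
    return all(ghost_mail_traits(raw).values())

# Constructed sample messages (example.com addresses, invented bodies).
GHOST = ("From: alice@example.com\nTo: alice@example.com\nSubject: 56757\n"
         "MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n"
         "<html><body><p>48213 9907</p><b>663</b></body></html>\n")
SELF_NOTE = ("From: alice@example.com\nTo: alice@example.com\nSubject: 455\n"
             "Content-Type: text/plain; charset=us-ascii\n\n"
             "remember the dentist at 3\n")
NEWSLETTER = ("From: news@example.org\nTo: alice@example.com\nSubject: Offer 557\n"
              "MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n\n"
              '<html><body><a href="http://example.org/x">1545453</a></body></html>\n')

if __name__ == "__main__":
    for name, raw in (("ghost", GHOST), ("self-note", SELF_NOTE), ("newsletter", NEWSLETTER)):
        print(name, is_ghost_mail(raw), ghost_mail_traits(raw))
```

Requiring all five traits together keeps a legitimate note-to-self with a numeric subject from being flagged.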

"The most likely scenario is that a group of hackers are checking the validity of e-mail address databases," said Luis Corrons, director of Panda's research, in a statement. "By sending these messages they can determine if the addresses are active or not and remove those that are no use."

If that's the case, Corrons went on, it implies that the cyber crook is cleaning up his mailing list prior to sending phishing spam or distributing known or unknown malware.

Rival security company Symantec provided more detail in an alert issued to customers of its DeepSight Threat Management System.

In the warning, Symantec researchers said that the messages were being cranked out by a new version of "Tooso," a Trojan first discovered in February 2005.

"Tooso, like many other families of malicious code, contains an update mechanism that consists of polling a set of hardcoded URLs for a file to be downloaded and executed," Symantec wrote in its alert. "Shortly before these spam messages were received, the Tooso author made an update live on several of the URLs that Tooso has been polling."

Symantec's researchers said that they had confirmed that the new Tooso generated spam in the number-based format of the mail wave.

"It is clear that Tooso is attempting to verify harvested email addresses," the warning continued. "Upon infection, it is polling several web sites for email addresses to test. It then attempts to spam these addresses, and reports all addresses that did not result in an SMTP error to another script."

Users of Gmail -- the free e-mail service run by Google -- have theorized that the attack was directed at them, since the mail, spoofed to appear to be from the recipient, is slipping past the filters and ending up in the "Sent messages" folder.

Symantec countered, saying that it was unlikely because the spam is also being received by non-Gmail users.
