A spammer’s dozen
As noted in my last post about email spidering, I changed the email contact for Impossibly Stupid to be a simple mailto: link. Here it is just over 12 days later, and I'm spammed already! Quite a bit sooner than the corporate email. Let's examine the data, starting with the important email headers:
Received: from mail.kz (frontend03n.mail.kz [22.214.171.124])
    by homiemail-mx7.g.dreamhost.com (Postfix) with ESMTP id 18F6CCF3EF
    for <firstname.lastname@example.org>; Sat, 13 Feb 2010 04:54:54 -0800 (PST)
Received: from [126.96.36.199] (account email@example.com)
    by backend01n.mail.kz (CommuniGate Pro WEBUSER 5.2.13) with HTTP id 2954844;
    Sat, 13 Feb 2010 18:54:56 +0600
From: "mrszenila" <firstname.lastname@example.org>
Subject: I NEED YOUR ASSISTANCE TO INVEST IN YOUR COUNTRY
Reading the Received: headers from the bottom up (the lowest one is the hop closest to the sender), we have this mrszenila user account that is associated with an IP 188.8.131.52 which is, surprise, located in Africa (the Dakar, Senegal area). The actual mail server IP 184.108.40.206 looks to be out of Almaty, Kazakhstan, using what is likely a free email provider.
That's all good and fine, but it doesn't directly shine any light on how they got our email. A simple mailto: doesn't log anything on the server, so we have to dig at the logs a bit to find anything relevant to the above:
220.127.116.11 - - [12/Feb/2010:21:32:16 -0800] "GET / HTTP/1.1" 200 38080 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
That's it. That's the only hit from the entire 18.104.22.168/16 since I made my previous post. No site referral, no images were loaded, no links were followed, no indication of any kind points to a human actually looking at the page. Just the index grabbed, and then the spam a few hours later.
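The two steps above, reading the Received: chain back to its origin and then checking the web server log for anything from that origin's /16, are easy to script. The following is an added example, not code from the original post. It uses constructed sample headers and log lines with documentation-range addresses (203.0.113.x, 198.51.100.x, 192.0.2.x) and hypothetical hostnames rather than the post's real values, and the "harvester" test at the end is just the post's own heuristic (index fetched, no referrer, nothing else loaded) written down.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers in the same shape as the ones quoted in the post.
# Addresses are from the documentation ranges; hostnames are hypothetical.
SAMPLE_HEADERS = """\
Received: from mail.example.net (frontend03n.mail.example.net [203.0.113.24])
 by mx.example.org (Postfix) with ESMTP id DEADBEEF
 for <contact@example.org>; Sat, 13 Feb 2010 04:54:54 -0800 (PST)
Received: from [198.51.100.77] (account mrsz@mail.example.net)
 by backend01n.mail.example.net (CommuniGate Pro WEBUSER 5.2.13)
 with HTTP id 2954844; Sat, 13 Feb 2010 18:54:56 +0600
From: "mrszenila" <mrsz@mail.example.net>
Subject: I NEED YOUR ASSISTANCE TO INVEST IN YOUR COUNTRY

"""

# Constructed Apache/nginx "combined" format log lines. The first mirrors the
# single hit in the post; the other two are a normal human visit for contrast.
SAMPLE_LOG = """\
198.51.100.9 - - [12/Feb/2010:21:32:16 -0800] "GET / HTTP/1.1" 200 38080 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"
192.0.2.15 - - [12/Feb/2010:21:40:02 -0800] "GET /about/ HTTP/1.1" 200 12034 "http://example.org/" "Mozilla/5.0"
192.0.2.15 - - [12/Feb/2010:21:40:03 -0800] "GET /logo.png HTTP/1.1" 200 4311 "http://example.org/about/" "Mozilla/5.0"
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def received_chain(raw_headers):
    """IPs named in each Received: header, topmost (our own MX) first.

    Only the header our own server added can be trusted; everything below it
    was written by other systems and could be forged, so treat the origin as
    a lead, not proof.
    """
    msg = message_from_string(raw_headers)
    chain = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = IPV4_IN_BRACKETS.search(flat)
        if m:
            chain.append(ipaddress.ip_address(m.group(1)))
    return chain


def origin_ip(raw_headers):
    """The address in the lowest Received: header, i.e. the apparent sender."""
    chain = received_chain(raw_headers)
    return chain[-1] if chain else None


def hits_from_network(log_text, network):
    """Parse combined-format log lines and keep those whose client IP is in network."""
    net = ipaddress.ip_network(str(network), strict=False)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and ipaddress.ip_address(m.group("ip")) in net:
            hits.append(m.groupdict())
    return hits


def correlate(raw_headers, log_text, prefix_len=16):
    """Widen the origin IP to its /prefix_len and return (network, matching hits)."""
    origin = origin_ip(raw_headers)
    net = ipaddress.ip_network(f"{origin}/{prefix_len}", strict=False)
    return net, hits_from_network(log_text, net)


def looks_like_harvester(hits):
    """The post's heuristic: only the index page fetched, no referrer, no assets."""
    if not hits:
        return False
    paths = {h["req"].split()[1] for h in hits if len(h["req"].split()) > 1}
    no_referrer = all(h["ref"] == "-" for h in hits)
    return paths <= {"/"} and no_referrer


if __name__ == "__main__":
    net, hits = correlate(SAMPLE_HEADERS, SAMPLE_LOG)
    print(f"origin {origin_ip(SAMPLE_HEADERS)} -> scanning {net}: {len(hits)} hit(s)")
    for h in hits:
        print(f'  {h["ip"]} [{h["ts"]}] "{h["req"]}" ref={h["ref"]}')
    print("harvester-like:", looks_like_harvester(hits))
```

Widening to a /16 is deliberate: the post's sender and the log hit are in the same /16 but not the same address, and a harvester's fetch and its mail submission rarely come from the identical host.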
The conclusion is that spammers are still spidering for email addresses, just not very deeply. At least on this site, anyway, which is already an oddly large target for comment spammers. The results might be different if I had chosen to run this experiment on the index page of the corporate site. I may still do that, but I don't suggest you do unless you use some of the same techniques I do (e.g., disposable addresses).