A spammer’s dozen

As noted in my last post about email spidering, I changed the email contact for Impossibly Stupid to be a simple mailto: link. Here it is just over 12 days later, and I'm spammed already! Quite a bit sooner than the corporate email. Let's examine the data, starting with the important email headers:

Received: from ( [])
	by (Postfix) with ESMTP id 18F6CCF3EF
	for <>; Sat, 13 Feb 2010 04:54:54 -0800 (PST)
Received: from [] (account
  by (CommuniGate Pro WEBUSER 5.2.13)
  with HTTP id 2954844; Sat, 13 Feb 2010 18:54:56 +0600
From: "mrszenila" <>

Reading backwards, we have this mrszenila user account that is associated with an IP which is, surprise, located in Africa (the Dakar, Senegal area). The actual mail server IP looks to be out of Almaty, Kazakhstan, using what is likely a free email provider.

That's all good and fine, but it doesn't directly shine any light on how they got our email. A simple mailto: doesn't log anything on the server, so we have to dig at the logs a bit to find anything relevant to the above:

- - [12/Feb/2010:21:32:16 -0800] "GET / HTTP/1.1" 200 38080 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"

That's it. That's the only hit from the entire since I made my previous post. No site referral, no images were loaded, no links were followed, no indication of any kind points to a human actually looking at the page. Just the index grabbed, and then the spam a few hours later.
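The check described above (a client that fetched only the index, sent no referrer, and loaded nothing else) can be run over a whole access log. This is an added Python example, not code from the original post. It assumes the Combined Log Format; the sample lines, the documentation-range IP addresses and the function name index_only_clients are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format (assumed):
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# Constructed sample lines; IPs are from the documentation ranges.
SAMPLE = [
    '192.0.2.10 - - [12/Feb/2010:21:32:16 -0800] "GET / HTTP/1.1" 200 38080 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent"',
    '198.51.100.7 - - [12/Feb/2010:21:40:02 -0800] "GET / HTTP/1.1" 200 38080 "-" "ExampleBrowser/1.0"',
    '198.51.100.7 - - [12/Feb/2010:21:40:03 -0800] "GET /style.css HTTP/1.1" 200 1200 '
    '"http://site.example/" "ExampleBrowser/1.0"',
    '198.51.100.7 - - [12/Feb/2010:21:40:09 -0800] "GET /post/1 HTTP/1.1" 200 9000 '
    '"http://site.example/" "ExampleBrowser/1.0"',
    '203.0.113.5 - - [12/Feb/2010:22:01:44 -0800] "GET /post/1 HTTP/1.1" 200 9000 "-" "ExampleFeedReader/1.0"',
    'this line is not a log entry and is skipped',
]

def index_only_clients(lines, index_path="/"):
    """Return {ip: user_agent} for clients whose entire traffic is index
    fetches with no referrer: no images or stylesheets loaded, no links followed."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are ignored rather than guessed at
            hits[m["ip"]].append(m.groupdict())

    flagged = {}
    for ip, recs in hits.items():
        only_index = all(r["path"] == index_path for r in recs)
        no_referer = all(r["referer"] in ("", "-") for r in recs)
        if only_index and no_referer:
            flagged[ip] = recs[0]["agent"]
    return flagged

if __name__ == "__main__":
    for ip, agent in index_only_clients(SAMPLE).items():
        print(ip, agent)
```

A match is only a candidate: correlate its timestamp with when mail first arrives at the address published on that page before drawing a conclusion.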

The conclusion is that spammers are still spidering for email addresses, just not very deeply. At least this site, anyway, which is already an oddly large target for comment spammers. The results might be different if I had chosen to run this experiment on the index page of the corporate site. I may still do that, but I don't suggest you do unless you use some of the same techniques I do (e.g., disposable addresses).