February 24, 2008
Spammers normally send mail directly from infected PCs, against which blacklists are a good defense. This may change in the future, as a test run of a new method is currently underway. “Project xddo” and “xddo Casino” are the subjects of the German spam mails, which are not sent via infected PCs but via cracked accounts of mail server users. These official mail servers have static IP addresses and are often whitelisted, which guarantees that the spam is delivered successfully ;-).
They really look like test spam mails: they are very simple and similar to each other, so checksum-based spam detection methods should easily detect them as spam. Another peculiarity of these mails is a second To: entry in the header.
This new kind of spam is a direct result of the blacklists, which seem to be successful enough at blocking dynamic IP ranges and infected PCs. That is basically a good thing, but it is now time for mail server administrators (especially those of internet service providers) to also check the mails their customers send. They should also start counting the undeliverable mails a user sends, and if the number goes over a specified threshold the account should be disabled. Implementing such a feature should be a priority, as otherwise the danger of being added to a blacklist will rise dramatically.
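One way to implement the two checks described above, as an added example that is not part of the original post: a per-account bounce counter that flags accounts over a threshold, and a test for the duplicated To: header. The log line format, the sample data and the threshold are constructed for this example and are not those of any real mail server.

```python
import re
from email import message_from_string
from collections import Counter

# Constructed sample log lines in a hypothetical, simplified format: one line per
# delivery attempt with the SASL-authenticated sender and the delivery status.
SAMPLE_LOG = """\
sasl_user=alice@example.org status=sent
sasl_user=bob@example.org status=bounced
sasl_user=bob@example.org status=bounced
sasl_user=bob@example.org status=sent
sasl_user=bob@example.org status=bounced
sasl_user=carol@example.org status=bounced
"""

LINE_RE = re.compile(r"sasl_user=(\S+)\s+status=(\w+)")


def bounce_counts(log_text):
    """Count undeliverable (bounced) mails per authenticated account."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(2) == "bounced":
            counts[m.group(1)] += 1
    return counts


def accounts_to_disable(log_text, threshold):
    """Accounts whose bounce count reaches the configured threshold."""
    return sorted(u for u, n in bounce_counts(log_text).items() if n >= threshold)


# Constructed message carrying the second To: header mentioned above.
SAMPLE_MSG = """\
From: bob@example.org
To: victim1@example.net
To: victim2@example.net
Subject: Project xddo

test
"""


def has_duplicate_to(raw_message):
    """True when the header block carries more than one To: field."""
    msg = message_from_string(raw_message)
    return len(msg.get_all("To", [])) > 1
```

A real deployment would read the MTA's own log format and enforce the threshold per time window rather than over the whole log.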