Shortly after I wrote about the Russian spam from Aleksandr the nature of the emails changed. They are now four attached Microsoft Word files. I'm not sure if they're infected or not, but it matters to me not, because I can't read the darned things since I am Microsoft free. Except for a small handful of emails where they appear to be missing the four Microsoft Word files and it seems they were never included in the email. It was weird enough to do a bit more investigation.
I have a stock pile of these emails now,
and I've notcied an interesting thing—all of them are addressed to one of just two addresses.
The first one is
a catch-all address that is mentioned in RFC-2142,
and the second one is
which I've only mentioned once on this blog and one would have to actively search for to even find it elsewhere.
So I have three options before me:
- nuke both the
firstname.lastname@example.org as they're not really used;
- setup a custom email filter rule that will tell my greylist daemon to reject emails from the IP address (which I did manually, but it changes quite often);
- setup a custom email filter rule that will tell the firewall to block the IP address from even connecting.
The first is easy, but I wonder how long until Aleksandr finds another address to spam. The other two are a bit more involved. I think I'll try the first one and see how long that lasts, and only if the spam returns will I mull over the other two options.