One of the more contemptible things that spammers do is to forge other people's addresses onto their spams. The appeal for spammers is obvious: using someone else's address means that they can't be traced, their spam passes a certain class of anti-spam tests commonly implemented by SMTP servers, and someone else gets to deal with all the backscatter.
Ratware seems to take two approaches when it comes to forging addresses. One kind just picks an address at random from the spammer's mailing list: I get a fairly steady trickle of backscatter from those. The other kind picks a domain at random and sends out whole batches of that spam using invented (i.e. randomly-generated) accounts at that domain in the 'From:' line. For some reason, the software is designed to use the same domain continuously for a week or two, rather than switching domains from message to message, so this kind generates massive amounts of backscatter for the person unlucky enough to own the domain that gets picked.
As a side note, the first time this happened to a domain that I administered, the spammer was Thom Cowles, and he went to prison shortly afterwards. Nothing to do with me, but the abrupt termination of his spam run meant that I never got the chance to unleash some truly scary corporate lawyers on him. Spammers who use this tactic would be well advised not to pick domains belonging to multinationals.
There are problems with the tactic, though. For one thing, using the same domain over and over again increases the chance that that domain will get added to someone's spam filters (which sucks for the legitimate owner of the domain, but doesn't help the spammer either). The other is that if Sender Policy Framework gains ground, the tactic will become nearly worthless. SPF isn't a magic bullet, but this is one of the things that it's good for. Any spam that claims to be from a domain that publishes an SPF record can be dropped instantly. There are no false positives and no misses in this case.
But evidently SPF hasn't caught on yet, and the spammers know this. That would explain why one particular pump-and-dump spammer feels confident in forging one of my domains into his message headers, even though that domain publishes an SPF record specifying that mail from that domain will only ever originate from a single mail server.
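To make the SPF check described above concrete, here is a small evaluator added for this post; it is not the post's own code and not a full RFC 7208 implementation. It handles only the `ip4`, `ip6`, `include` and `all` mechanisms, and the `FAKE_DNS_TXT` table is a constructed stand-in for DNS TXT lookups (documentation addresses from RFC 5737/3849, placeholder domains) so that it runs offline. A receiving MTA would call `check_spf` with the connecting client's IP and the domain from the envelope sender; a `fail` result is the case the post describes, where the domain says "only this one server sends for me" and the spam came from somewhere else.

```python
"""Minimal SPF evaluator (constructed example, not the original post's code).

Supports the ip4, ip6, include and all mechanisms with the four SPF
qualifiers. DNS is replaced by an in-memory table so the example runs offline.
"""
import ipaddress

# Constructed stand-in for DNS TXT records. example.com mirrors the post's
# situation: its SPF record names a single permitted mail server and rejects
# everything else with -all.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.10 -all",
    "example.net": "v=spf1 include:example.com ~all",
    "nospf.example.org": None,  # a domain that publishes no SPF record
}

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    return FAKE_DNS_TXT.get(domain)


def check_spf(sender_ip, domain, depth=0):
    """Evaluate domain's SPF record against the connecting client's IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # guard against include: loops
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to the "pass" qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A bare address gets an implicit /32 or /128 prefix
            network = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == network.version and ip in network
        elif name == "include":
            # include matches only if the referenced domain's record passes
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset

        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched (RFC 7208 default result)


def should_reject(sender_ip, mail_from_domain):
    """Policy from the post: drop mail whose sender domain's SPF says 'fail'.

    Domains with no SPF record (result 'none') cannot be judged and are kept.
    """
    return check_spf(sender_ip, mail_from_domain) == "fail"


if __name__ == "__main__":
    # Constructed scenario: spam forging example.com, sent from an unrelated host
    for client_ip in ("192.0.2.10", "198.51.100.7"):
        print(client_ip, "->", check_spf(client_ip, "example.com"),
              "reject:", should_reject(client_ip, "example.com"))
```

The `include` handling shows why a strict `-all` on the included domain does not automatically propagate: `example.net` only borrows `example.com`'s permitted senders, and its own trailing `~all` decides what happens to everything else, which is why the same forged-from IP yields `fail` for one domain and `softfail` for the other.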
The spammer in question is currently pushing three stocks - BDWT.PK, LBWR.PK, and - starting today - SWNM.PK. The last of these is a perennial favorite that has been spamvertised since 2004. LBWR.PK was briefly spammed last year before being picked up by this spammer. BDWT.PK is the newest arrival, making its debut with a couple of 'press releases' sent out by bandwidthnoc, and then moving to the currently-popular 'embedded GIF' style of delivery (where the message text is carried as an embedded image to defeat filtering systems).
The embedded GIFs produced by this spammer are fairly distinctive, and he's been a busy little pump-and-dumper lately. One good thing about this incident is that it does let me confirm that the same spammer is responsible for spamming all three stocks. I tend to assume that spams that have a similar style originate from a single sender, but it's hard to be certain. The fact that three sets of spams that closely resemble each other are all going out with the same forged addresses suggests that stylistic similarities are actually quite a good basis for assuming that similar spams originate from the same sender.
Based on stylistic similarity, it looks as if this sender is also responsible for spams promoting AAPM.PK, ADYE.OB, CWTD.OB, CXN, DKDY.OB, DMSI.OB, FEKY.PK, FMII.PK, GARS.PK, IVHN.PK, NNFC.PK, PGCN.OB, SBBD.PK, WNCP.PK and ZLDV.OB. That's quite an impressive list for a single operation. Evidently Spammy is doing quite a lot of buying and selling. I wonder how long it'll be before his activities catch the eye of the SEC and he gets to deal with some backscatter of his own?