Premier Services Spam Signatures

Although Premier Services has multiple spammers working for them, one of them I believe to be Rodona Garst has an easily detectable spam signature. The spam signature is;

  1. "Received: from mail. " line in each spam send. That is "Received: from 'mail-dot-space' ".
  2. The lack of a "To:" header
  3. The presence of a blank "Bcc:" header.
  4. "Content-Type: TEXT/PLAIN; charset="US-ASCII"
  5. Content-Transfer-Encoding: 7bit
  6. The lack of an "X-Mailer" header
  7. Return-Path: <> or a "From:" address of several letters, random numbers, and a forged domain
  8. If a website is spamvertised Premier Services prefers to use a long obfuscated URL. Rodona apparently paid $500 to someone for the dummyware to encode the URL's for the other spammers. Many of the ICQ chat logs show an employee sending Rodona a URL, and Rodona responds with the same URL encoded.

The spam mailer being predominately used by Premier Services is "First Class Email", but they do use other mailers as well. UFO, Backdoor, Super Server, E Merge, Bulk Mate and others.