lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20040228231028.F005797B44@cpo.tn.tudelft.nl>
From: emvs.fd.3FB4D11C at cpo.tn.tudelft.nl (Erik van Straten)
Subject: Empty emails example

Bill, Rory,

Looks like a typical spammer dictionary attack to me. I'm not sure why
Bill is getting a lot of these messages (perhaps Bill has a large number
of aliases, or the spammers are trying to avoid blacklists or some other
detection schemes).

On Sat, 28 Feb 2004 15:23:47 -0500 Bill Royds wrote:
> Return-Path: <ZVIFHFGZRZI@...oo.com>
> The return path is an obvious fake

Depends. I'm not sure how fep02-mail.bloor.is.net.cable.rogers.com handles
incoming mail for <SomeRogersUserID_at_rogers.com>:

(1) Accepts the mail and sends a Delivery Status Notification if
    "SomeRogersUserID" does not exist. In this case, the return path
    <ZVIFHFGZRZI@...oo.com> very likely exists. It may have been stolen
    from a legitimate user.

(2) Upon receipt of envelope RCPT TO checks if "SomeRogersUserID" exists;
    if not, rejects the mail. In this case, the return path
    <ZVIFHFGZRZI@...oo.com> may be fake. If not, then it probably does not
    belong to spammers, but to someone they dislike.

Bill receiving mail in case 2 doesn't seem to make sense, but spammers may
be sending mail anyway to avoid ISPs detecting these types of attacks
(e.g. MAIL FROM: <fake>, followed by a lot of RCPT TO: attempts).

This is a valid Received header:

> Received: from h0010b59bf977.ne.client2.attbi.com ([24.147.39.6])
>   by fep02-mail.bloor.is.net.cable.rogers.com
>   (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP
>   id <20040228195530.WTUH244767.fep02-mail.bloor.is.net.cable.rogers.com@...10b59bf977.ne.client2.attbi.com>;
>   Sat, 28 Feb 2004 14:55:30 -0500

The following header is typically added by spammers. I've seen *a lot*
like these. Source IPs: 4 random bytes (I've even observed 255.*.*.* and
0.*.*.*). Note that this one is obviously fake for experienced spam
fighters (regular MTAs don't just mention IP addresses like this, and
+0500 is not a likely timezone for a USA-based IP address):

> Received: from 80.76.205.232 by 24.147.39.6; Sun, 29 Feb 2004 00:46:57 +0500

More details: Sender is 24.147.39.6, which is known to be a
spam-bot/spam-proxy:

| http://cbl.abuseat.org/lookup.cgi?ip=24.147.39.6&.submit=Lookup
| IP Address 24.147.39.6 was found in the CBL.
| It was detected at 2004-02-27 06:00 GMT (+/- 30 minutes).

Or:

| http://www.spamcop.net/w3m?action=checkblock&ip=24.147.39.6
| 24.147.39.6 listed in bl.spamcop.net (127.0.0.2)
| Since SpamCop started counting, this system has been reported about
| 550 times by about 150 users. It has been sending mail consistently
| for at least 47.9 days. In the past 43.9 days, it has been listed 3
| times for a total of 39.5 days [snip]

> Are others seeing this pattern?

I've seen them before but not recently. Here's one from January:
--------------------------------------------------
| Return-Path: <ujglygsyjs@...ail.com>
| -- skipping irrelevant local headers --
| Received: from 130.161.180.14 (unknown [81.73.185.210])
|   by mailhost3.tudelft.nl (Postfix) with SMTP id 506B6B416
|   for <*munged* @cpo.tn.tudelft.nl>; Mon, 19 Jan 2004 21:40:44 +0100 (MET)
| Message-Id: <20040119204044.506B6B416@...lhost3.tudelft.nl>
| Date: Mon, 19 Jan 2004 21:40:44 +0100 (MET)
| From: ujglygsyjs@...ail.com
| To: undisclosed-recipients: ;
|
--------------------------------------------------

Note that the spammers have not added an extra Received header, but
instead try to fool us by: EHLO 130.161.180.14 (which really is the IP of
the receiving host, mailhost3.tudelft.nl). The sender was 81.73.185.210
(which is still/again listed on CBL, was listed by SpamCop before, but is
currently not listed; however, I've seen *a lot* of junk originate from
interbusiness.it customer PCs).

Bill, kind request: next time please do not write abuse-handler email
addresses unmunged to maillists, in particular those of cooperative abuse
handlers; this one was working on Saturday! Reason: email addresses are
being harvested from maillists by spammers and viruses, and abuse-handlers
get enough junk-mail already.

P.S. I've sent a BCC to Rory.

Cheers,
Erik
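The triage Erik walks through by hand, as an added example (not code from the original post): locate the first Received header written by your own MTA, take the bracketed peer address from that hop as the only thing worth acting on, and flag the hops below it that lack what a regular MTA writes (hostname in the "by" clause, a verified [peer] address, a "with" protocol, a queue id), plus the EHLO-equals-our-own-IP trick from the January sample. The two sample messages are constructed around the Received headers quoted in the post; the other headers are filler, the recipient in the Postfix line is a placeholder, and the set of "our" host names (with the 130.161.180.14 address the post gives for mailhost3.tudelft.nl; the rogers host's own address is not known, so it is left empty) is an assumption for the demo.

```python
"""Received-chain triage: find the one address you can trust, flag forged hops.
Added example, not from the original post; samples constructed from its headers."""
import email
import email.utils
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED = re.compile(r"from\s+(\S+)\s+(.*?)\s*\bby\s+(\S+)(.*)$")


@dataclass
class Hop:
    helo: str                  # name the client gave in HELO/EHLO, as recorded
    peer: Optional[str]        # verified TCP peer address, if the MTA wrote one
    by: str                    # how the receiving MTA names itself
    with_proto: Optional[str]  # "with SMTP" etc.
    queue_id: Optional[str]    # "id ..." token
    when: Optional[object]     # aware datetime if the date clause parsed
    flags: List[str] = field(default_factory=list)


@dataclass
class Report:
    trusted_peer: Optional[str]  # address from the hop our own MTA wrote
    boundary: Optional[int]      # index of that hop (0 = newest)
    hops: List[Hop]


def parse_received(value: str) -> Optional[Hop]:
    """Split one Received: value (folded or not) into its clauses."""
    text = " ".join(value.split())
    date = None
    if ";" in text:                           # the date follows the last ';'
        text, date = (s.strip() for s in text.rsplit(";", 1))
    m = RECEIVED.match(text)
    if not m:
        return None
    helo, from_extra, by, rest = m.groups()
    peer = BRACKETED_IP.search(from_extra)
    with_m = re.search(r"\bwith\s+(\S+)", rest)
    id_m = re.search(r"\bid\s+(\S+)", rest)
    when = None
    if date:
        try:
            when = email.utils.parsedate_to_datetime(date)
        except (TypeError, ValueError):
            when = None
    return Hop(helo, peer.group(1) if peer else None, by,
               with_m.group(1) if with_m else None,
               id_m.group(1) if id_m else None, when)


def check_hop(hop: Hop, our_hosts: Dict[str, Set[str]]) -> List[str]:
    """Heuristics from the post: what a real MTA writes and a forger omits."""
    flags = []
    if IPV4.match(hop.by):
        flags.append("receiving MTA names itself by a bare IP")
    if hop.peer is None:
        flags.append("no verified [peer-address] recorded")
    if hop.with_proto is None:
        flags.append("no 'with <protocol>' clause")
    if hop.queue_id is None:
        flags.append("no queue id")
    if IPV4.match(hop.helo):
        flags.append("HELO is an unbracketed IP literal")
        if hop.helo in set().union(*our_hosts.values()):
            flags.append("HELO claims the receiving host's own address")
    return flags


def analyse(raw: str, our_hosts: Dict[str, Set[str]]) -> Report:
    """Walk Received headers newest-first; trust only the hop we wrote ourselves."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    for hop in hops:
        hop.flags = check_hop(hop, our_hosts)
    for upper, lower in zip(hops, hops[1:]):  # a lower hop must not postdate the one above
        if (upper.when and lower.when and upper.when.tzinfo and lower.when.tzinfo
                and lower.when > upper.when):
            lower.flags.append("claims a time later than the hop above it")
    boundary = peer = None
    for i, hop in enumerate(hops):
        if hop.by.lower() in our_hosts:
            boundary, peer = i, hop.peer
            break
    return Report(peer, boundary, hops)


# Constructed samples: Received lines as quoted in the post, other headers filler.
SAMPLE_ROGERS = """\
Return-Path: <ZVIFHFGZRZI@...oo.com>
Received: from h0010b59bf977.ne.client2.attbi.com ([24.147.39.6])
    by fep02-mail.bloor.is.net.cable.rogers.com
    (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP
    id <20040228195530.WTUH244767.fep02-mail.bloor.is.net.cable.rogers.com@...10b59bf977.ne.client2.attbi.com>;
    Sat, 28 Feb 2004 14:55:30 -0500
Received: from 80.76.205.232 by 24.147.39.6; Sun, 29 Feb 2004 00:46:57 +0500
From: ZVIFHFGZRZI@...oo.com
To: undisclosed-recipients: ;

"""
SAMPLE_TUDELFT = """\
Return-Path: <ujglygsyjs@...ail.com>
Received: from 130.161.180.14 (unknown [81.73.185.210])
    by mailhost3.tudelft.nl (Postfix) with SMTP id 506B6B416
    for <munged@cpo.tn.tudelft.nl>; Mon, 19 Jan 2004 21:40:44 +0100 (MET)
From: ujglygsyjs@...ail.com
To: undisclosed-recipients: ;

"""
ROGERS_HOSTS = {"fep02-mail.bloor.is.net.cable.rogers.com": set()}   # assumed; own IP unknown
TUDELFT_HOSTS = {"mailhost3.tudelft.nl": {"130.161.180.14"}}         # address as given in the post

if __name__ == "__main__":
    for name, raw, ours in (("rogers", SAMPLE_ROGERS, ROGERS_HOSTS),
                            ("tudelft", SAMPLE_TUDELFT, TUDELFT_HOSTS)):
        rep = analyse(raw, ours)
        print(f"{name}: act on {rep.trusted_peer} (boundary hop {rep.boundary})")
        for i, hop in enumerate(rep.hops):
            print(f"  hop {i}: helo={hop.helo} peer={hop.peer} by={hop.by}")
            for f in hop.flags:
                print("     !", f)
```

The point of the boundary is that everything below the hop your own MTA wrote is untrusted text the sender chose; the forged rogers hop even names the real peer (24.147.39.6) in its "by" clause so that the chain reads consistently, which is why the decision is made on the bracketed address your MTA recorded, not on anything the lower hops claim.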