funsec mailing list archives
Re: Mailer Software that inserts "X-NSCC" header?
From: Rich Kulawiec <rsk () gsp org>
Date: Fri, 28 Jun 2013 07:42:39 -0400
On Thu, Jun 27, 2013 at 12:02:15AM -0400, Jeffrey Walton wrote:
Spam to follow in case you need the sample in your database.
Got it -- thanks, this is most useful. Here's my best guess as to what these mean:

    X-NSCC-CustomerSegment: XXXX
    X-NSCC-FileID: YYYY
    X-NSCC-CampaignId: ZZZZ
    X-NSCC-Tracking-Header: Email Campaign Manager
    X-NSCC-EmailID: XXXXXXXXXX
    X-NSCC-MeterId: YYYYYY

I suspect that "NS" is "Network Solutions". I suspect that "CC" is "Customer Care", which is what corporations often like to call the department responsible for treating customers like dirt. (But I have less confidence in that guess than the first one.)

These headers probably serve the same purpose as these other (quasi-common) ones, found exclusively (AFAIK) in spam samples:

    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server.forexu.info
    X-AntiAbuse: Original Domain - XXXXXXXXXX
    X-AntiAbuse: Originator/Caller UID/GID - [YYY Y] / [YYY Y]
    X-AntiAbuse: Sender Address Domain - ZZZZZZZZZZZZZZZZZZZZZ

The identifying information encoded in all of these enables the spammer to process complaints efficiently...where "efficiently" means, variously, "to remove the complainer and keep right on spamming" (listwashing), "to target the complainer for further abuse", and/or "to sell the complainer's address to other abusers". Other uses include tracking "deliverability" and computing billing for the spammer's client. [1]

In other words, the numeric values encode which victim database was used, what mail system actually sent the spam, which spam payload was included, and so on. This enables the spammers to work out the best methods for evading blocking by performing statistical analysis that correlates the SMTP logs with the methodology used. Some of the major spammers-for-hire are quite good at this.

One way to run experiments on them is to set up fake addresses and then manipulate the acceptance/rejection of email traffic to them. Even simplistic approaches sometimes yield tangible results: address A, which accepts all incoming email, will continue to get it via the same methodology; address B, which rejects all incoming email from methodology 1, will eventually be targeted by methodologies 2, 3 and 4 in an attempt to evade the blocking. And address C, which availed itself of whatever bogus "unsubscribe" facility they offer, will eventually be targeted by methodology 5 or 6.

---rsk

[1] Speaking of reliable indicators, anyone who uses the terms "campaign" or "blast" in conjunction with their email activities is almost certainly a spammer (and will almost certainly deny it). So the presence of X-NSCC-CampaignId: in the header of the spam sent to you is telling.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
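
A defender-side way to read these headers on spam-trap mail, as an added example that is not part of the original post: it extracts the X-NSCC-* and X-AntiAbuse fields from each message and lists, per trap address, the distinct tracking-ID tuples in order of arrival, so a change of sending methodology shows up as a new tuple. The sample messages, trap addresses and ID values are constructed, and treating CampaignId/FileID/MeterId as a fingerprint is an assumption that follows the post's guess about what the fields mean.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parsedate_to_datetime

def tracking_fields(raw):
    """Return (recipient, sent_time, {field: value}) for one raw message."""
    msg = message_from_string(raw)
    fields = {}
    for name, value in msg.items():
        lname = name.lower()  # header names are case-insensitive
        if lname.startswith("x-nscc-"):
            fields[lname[len("x-nscc-"):]] = value.strip()
        elif lname == "x-antiabuse" and " - " in value:
            # "Label - value" lines; the free-text banner line has no " - "
            label, _, val = value.partition(" - ")
            fields["antiabuse/" + label.strip().lower()] = val.strip()
    return msg["To"], parsedate_to_datetime(msg["Date"]), fields

def fingerprint_shifts(raw_messages, keys=("campaignid", "fileid", "meterid")):
    """Per trap address, distinct tracking-ID tuples in order of first arrival."""
    parsed = sorted((tracking_fields(r) for r in raw_messages), key=lambda t: t[1])
    seen = defaultdict(list)
    for rcpt, _when, fields in parsed:
        fp = tuple(fields.get(k) for k in keys)
        if fp not in seen[rcpt]:
            seen[rcpt].append(fp)
    return dict(seen)

def _sample(to, date, campaign, file_id, meter):
    # Constructed message; every value here is made up for the example.
    return (f"To: {to}\nDate: {date}\nSubject: constructed sample\n"
            f"X-NSCC-CampaignId: {campaign}\nX-NSCC-FileID: {file_id}\n"
            f"X-NSCC-MeterId: {meter}\n"
            "X-NSCC-Tracking-Header: Email Campaign Manager\n\nbody\n")

SAMPLES = [  # trap-a accepts everything; trap-b started rejecting after 3 June
    _sample("trap-a@example.test", "Mon, 03 Jun 2013 10:00:00 -0400", "1001", "77", "500001"),
    _sample("trap-a@example.test", "Mon, 10 Jun 2013 10:00:00 -0400", "1001", "77", "500001"),
    _sample("trap-b@example.test", "Mon, 03 Jun 2013 10:05:00 -0400", "1001", "77", "500001"),
    _sample("trap-b@example.test", "Mon, 17 Jun 2013 09:00:00 -0400", "1002", "81", "500044"),
]

if __name__ == "__main__":
    for rcpt, fps in fingerprint_shifts(SAMPLES).items():
        print(rcpt, "changed" if len(fps) > 1 else "stable", fps)
```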