Educause Security Discussion mailing list archives

Re: Image SPAM Increase?


From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 19 Apr 2006 12:59:14 -0400

I am sure this is botnet traffic.  I have watched these connections and they
come from all kinds of different IP address ranges simultaneously.  Using
the SARE rules I mentioned before and changing the SARE_GIF_STOX scoring
should catch these.  In addition, look at running SA DNSRBL and perhaps
install the IXHash Plugin for SA (LOGINHASH1 and LOGINHASH2).  Scan results
for a similar message below:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13)
X-Spam-Level: ***************************
X-Spam-Status: Yes, score=27.1 required=5.0 tests=BAYES_50,EXTRA_MPART_TYPE,
        HTML_90_100,HTML_IMAGE_ONLY_08,HTML_MESSAGE,LOGINHASH2,
        MESSAGE_SNIFFER,MIME_HTML_MOSTLY,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
        SARE_GIF_ATTACH,SARE_GIF_STOX autolearn=spam version=3.1.0
X-Spam-Report:
        *  5.0 MESSAGE_SNIFFER Flagged by message sniffer (www.sortmonster.com)
        *  1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
        *  0.1 HTML_90_100 BODY: Message is 90% to 100% HTML
        *  1.1 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  3.1 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
        *  1.6 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        *      [score: 0.5574]
        *  2.0 LOGINHASH2 BODY: mail has been classified as spam @ unknown
        *      company, Germany
        *  4.0 SARE_GIF_ATTACH FULL: Email has a inline gif
        *  2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
        *      [84.139.36.150 listed in dnsbl.sorbs.net]
        *  1.9 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
        *      [84.139.36.150 listed in combined.njabl.org]
        *  5.0 SARE_GIF_STOX Inline Gif with little HTML
-----Original Message-----
From: Gary Flynn [mailto:flynngn () JMU EDU]
Sent: Wednesday, April 19, 2006 12:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Image SPAM Increase?

Gary Flynn wrote:

Ken Connelly wrote:

Anything common about these messages that would help me find/identify
them?


The only thing I've seen so far is that the X-mailer header in all of
them is Microsoft Outlook Express. Different versions though. I wonder
if this could be a sign the senders are BOTS.

Subject, return path, source IP address, image name, image file, all
vary.


One more thing. The mail headers I've seen always indicate two hops to us.
The sending IP address always seems to be a member of the same network as
the interim hop. I haven't tried to verify yet but it would lead me to
suspect they're sent by BOTS (random clients -> clients' organizational
mail servers -> target).

If so, I would assume something like SPF would be ineffective because the
e-mail would be coming from valid organizational servers.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

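The thread above describes two things a mail admin could check for without waiting on rule updates: Gary's observation that these messages arrive in exactly two hops with the originating client sitting in the same network as the relay that hands the mail to the target, and the image-only HTML body that the SARE_GIF_STOX / HTML_IMAGE_ONLY rules in Dave's scan results fire on. The Python below is an added example written for this page; it is not code from either poster or from SpamAssassin. The sample message, hostnames and addresses are constructed (documentation ranges), and the "/24 means same network" test is an assumption of mine, not something the thread specifies.

```python
"""Header and body heuristics for the bot-relayed image spam pattern discussed
in the thread.  Per message it reports:
  * hop count from Received: headers (the thread reports exactly two)
  * whether the originating IP is in the same /24 as the delivering relay
    (assumed rough stand-in for "same network")
  * an X-Mailer header claiming Microsoft Outlook Express
  * a near-empty HTML body carrying an inline GIF
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample, modelled on the path the thread describes
# (random client -> client's organizational mail server -> target site).
# Hosts and addresses are documentation ranges, not real systems.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.10])
\tby mx.example.edu (Postfix) with ESMTP id ABC123
\tfor <user@example.edu>; Wed, 19 Apr 2006 12:40:01 -0400
Received: from host-77.example.net (host-77.example.net [203.0.113.77])
\tby mail.example.net (Postfix) with ESMTP id DEF456;
\tWed, 19 Apr 2006 12:39:58 -0400
From: someone@example.net
To: user@example.edu
Subject: hello
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html

<html><body><img src="cid:pic1"></body></html>
--b1
Content-Type: image/gif
Content-ID: <pic1>

GIF89a(constructed placeholder, not a real image)
--b1--
"""

# Bracketed IPv4 literal as MTAs write it in "from host (name [a.b.c.d])".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(msg):
    """IPv4 addresses from each Received: header, nearest hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def same_network(a, b, prefix=24):
    """True when both addresses fall in the same /prefix block (assumed heuristic)."""
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))


def image_only_body(msg, max_words=20):
    """True when the HTML part has at most max_words of text and a GIF part exists."""
    has_gif, html_words = False, None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "image/gif":
            has_gif = True
        elif ctype == "text/html":
            text = re.sub(r"<[^>]+>", " ", part.get_content())
            html_words = len(text.split())
    return has_gif and html_words is not None and html_words <= max_words


def analyze(raw):
    """Return the per-message indicators as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    ips = received_ips(msg)
    # Bottom Received: header is the first hop (origin); top one delivered to us.
    origin, relay = (ips[-1], ips[0]) if ips else (None, None)
    xmailer = str(msg.get("X-Mailer", ""))
    return {
        "hops": len(msg.get_all("Received", [])),
        "origin_ip": str(origin) if origin else None,
        # SPF is evaluated against this connecting host, which is why a
        # correctly configured relay would pass even for a bot-sent message.
        "relay_ip": str(relay) if relay else None,
        "origin_in_relay_net": bool(origin and relay and same_network(origin, relay)),
        "outlook_express": xmailer.startswith("Microsoft Outlook Express"),
        "image_only": image_only_body(msg),
    }


def indicators(raw):
    """Names of the indicators that fired, for logging or a local SA-style score."""
    r = analyze(raw)
    fired = [k for k in ("origin_in_relay_net", "outlook_express", "image_only") if r[k]]
    if r["hops"] == 2:
        fired.append("two_hops")
    return fired


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key:20} {value}")
    print("fired:", ", ".join(indicators(SAMPLE)))
```

None of these indicators is conclusive on its own (plenty of legitimate mail is two hops from an Outlook Express client through its ISP's relay), which is why the thread treats them as scoring inputs alongside the DNSBL and hash-sharing checks rather than as a block rule.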