Full Disclosure mailing list archives

Re: Empty emails example


From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>
Date: Sun, 29 Feb 2004 00:10:28 +0100

Bill, Rory,

Looks like a typical spammer dictionary attack to me. I'm not sure
why Bill is getting a lot of these messages (perhaps Bill has a large
number of aliases, or the spammers are trying to avoid blacklists
or some other detection schemes).

On Sat, 28 Feb 2004 15:23:47 -0500 Bill Royds wrote:
Return-Path: <ZVIFHFGZRZI () yahoo com>
The return path is an obvious fake

Depends. I'm not sure how fep02-mail.bloor.is.net.cable.rogers.com
handles incoming mail for <SomeRogersUserID_at_rogers.com>:

(1) Accepts the mail and sends a Delivery Status Notification if
"SomeRogersUserID" does not exist. In this case, the return path
<ZVIFHFGZRZI () yahoo com> very likely exists. It may have been stolen
from a legitimate user.

(2) Upon receipt of envelope RCPT TO checks if "SomeRogersUserID"
exists; if not, rejects the mail. In this case, the return path
<ZVIFHFGZRZI () yahoo com> may be fake. If not, then it probably does
not belong to spammers, but to someone they dislike.

Bill receiving mail in case 2 doesn't seem to make sense, but spammers
may be sending mail anyway to avoid ISPs detecting these types of
attacks (e.g. MAIL FROM: <fake>, followed by a lot of RCPT TO: attempts).

This is a valid Received header:

Received: from h0010b59bf977.ne.client2.attbi.com ([24.147.39.6])
  by fep02-mail.bloor.is.net.cable.rogers.com
  (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP
  id <20040228195530.WTUH244767.fep02-mail.bloor.is.net.cable.rogers.com () h0010b59bf977 ne client2 attbi com>;
  Sat, 28 Feb 2004 14:55:30 -0500

The following header is typically added by spammers. I've seen *a lot*
like these. The source IP is 4 random bytes (I've even observed 255.*.*.* and
0.*.*.*). Note that this one is obviously fake for experienced spam
fighters (regular MTAs don't just mention IP addresses like this, and
+0500 is not a likely timezone for a USA-based IP address):

Received: from 80.76.205.232 by 24.147.39.6; Sun, 29 Feb 2004 00:46:57 +0500

More details:

Sender is 24.147.39.6, which is known to be a spam-bot/spam-proxy:
| http://cbl.abuseat.org/lookup.cgi?ip=24.147.39.6&.submit=Lookup
|  IP Address 24.147.39.6 was found in the CBL.
|  It was detected at 2004-02-27 06:00 GMT (+/- 30 minutes).
Or:
| http://www.spamcop.net/w3m?action=checkblock&ip=24.147.39.6
|  24.147.39.6 listed in bl.spamcop.net (127.0.0.2)
|  Since SpamCop started counting, this system has been reported about
|  550 times by about 150 users. It has been sending mail consistently
|  for at least 47.9 days. In the past 43.9 days, it has been listed 3
|  times for a total of 39.5 days
[snip]

Are others seeing this pattern?

I've seen them before but not recently. Here's one from January:
--------------------------------------------------
| Return-Path: <ujglygsyjs () s-mail com>
| -- skipping irrelevant local headers --
| Received: from 130.161.180.14 (unknown [81.73.185.210])
|   by mailhost3.tudelft.nl (Postfix) with SMTP id 506B6B416
|   for <*munged* @cpo.tn.tudelft.nl>; Mon, 19 Jan 2004 21:40:44 +0100 (MET)
| Message-Id: <20040119204044.506B6B416 () mailhost3 tudelft nl>
| Date: Mon, 19 Jan 2004 21:40:44 +0100 (MET)
| From: ujglygsyjs () s-mail com
| To: undisclosed-recipients: ;
|
--------------------------------------------------
Note that the spammers have not added an extra Received header, but
instead try to fool us by: EHLO 130.161.180.14 (which really is the
IP of the receiving host, mailhost3.tudelft.nl).
The sender was 81.73.185.210 (which is still/again listed on CBL, was
listed by SpamCop before, but is currently not listed; however, I've
seen *a lot* of junk originate from interbusiness.it customers' PCs).

Bill, kind request: next time please do not write abuse-handler email
addresses unmunged to maillists - in particular those of cooperative
abuse handlers; this one was working on Saturday! Reason: email
addresses are being harvested from maillists by spammers and viruses,
and abuse-handlers get enough junk-mail already.

P.S. I've sent a BCC to Rory.

Cheers,
Erik

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
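As an added example (not code from Erik's post or from any of the tools he mentions), here is a small Python checker that applies the two heuristics the post describes: a bare "from IP by IP" Received line with no hostnames or MTA banner, and a Postfix-style header whose HELO name is the receiving host's own IP. The `local_ips` set and the sample headers are constructed here, modelled on the ones quoted in the thread.

```python
import re
import ipaddress

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Forged style quoted in the post: "from <ip> by <ip>; <date>", bare addresses
# with no hostnames, no brackets and no MTA banner.
BARE_IP_PAIR = re.compile(rf"^from ({IPV4}) by ({IPV4})\b", re.I)

# Postfix style: "from <helo-name> (<reverse-dns> [<peer-ip>]) by <host> ..."
POSTFIX_HELO = re.compile(rf"^from (\S+) \(\S+ \[({IPV4})\]\) by (\S+)", re.I)


def check_received(header: str, local_ips: set[str]) -> list[str]:
    """Return the reasons a Received header looks forged; empty list means it passes.

    local_ips: the receiving MTA's own addresses (assumed known to the operator).
    """
    body = re.sub(r"\s+", " ", header.strip())          # unfold continuation lines
    body = re.sub(r"^Received:\s*", "", body, flags=re.I)
    reasons = []

    m = BARE_IP_PAIR.match(body)
    if m:
        reasons.append("bare 'from IP by IP' header with no hostnames or MTA banner")
        src = ipaddress.ip_address(m.group(1))
        if not src.is_global:                           # catches 0.*.*.* and 255.*.*.*
            reasons.append(f"claimed source {src} is not a routable public address")

    m = POSTFIX_HELO.match(body)
    if m and m.group(1) in local_ips:
        reasons.append(f"HELO name {m.group(1)} is the receiving host's own IP; "
                       f"real peer was {m.group(2)}")
    return reasons


# Constructed samples modelled on the headers quoted in the post (ids/recipient are placeholders).
FORGED = "Received: from 80.76.205.232 by 24.147.39.6; Sun, 29 Feb 2004 00:46:57 +0500"
FAKE_HELO = ("Received: from 130.161.180.14 (unknown [81.73.185.210])\n"
             "  by mailhost3.tudelft.nl (Postfix) with SMTP id 506B6B416\n"
             "  for <user@example.invalid>; Mon, 19 Jan 2004 21:40:44 +0100 (MET)")
GENUINE = ("Received: from h0010b59bf977.ne.client2.attbi.com ([24.147.39.6])\n"
           "  by fep02-mail.bloor.is.net.cable.rogers.com (InterMail) with SMTP\n"
           "  id <placeholder>; Sat, 28 Feb 2004 14:55:30 -0500")

if __name__ == "__main__":
    for h in (FORGED, FAKE_HELO, GENUINE):
        print(check_received(h, {"130.161.180.14"}) or ["looks normal"])
```

The HELO check only fires when the operator supplies the receiving host's own addresses; the same header with an empty `local_ips` passes, which is why the mailhost's IPs must be configured rather than guessed.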
