Full Disclosure mailing list archives
Re: Empty emails example
From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>
Date: Sun, 29 Feb 2004 00:10:28 +0100
Bill, Rory,

Looks like a typical spammer dictionary attack to me. I'm not sure why Bill is getting a lot of these messages (perhaps Bill has a large number of aliases, or the spammers are trying to avoid blacklists or some other detection schemes).

On Sat, 28 Feb 2004 15:23:47 -0500 Bill Royds wrote:
> Return-Path: <ZVIFHFGZRZI () yahoo com>
> The return path is an obvious fake
Depends. I'm not sure how fep02-mail.bloor.is.net.cable.rogers.com handles incoming mail for <SomeRogersUserID_at_rogers.com>:

(1) Accepts the mail and sends a Delivery Status Notification if "SomeRogersUserID" does not exist. In this case, the return path <ZVIFHFGZRZI () yahoo com> very likely exists. It may have been stolen from a legitimate user.

(2) Upon receipt of envelope RCPT TO checks if "SomeRogersUserID" exists; if not, rejects the mail. In this case, the return path <ZVIFHFGZRZI () yahoo com> may be fake. If not, then it probably does not belong to spammers, but to someone they dislike.

Bill receiving mail in case 2 doesn't seem to make sense, but spammers may be sending mail anyway to avoid ISPs detecting this type of attack (e.g. MAIL FROM: <fake>, followed by a lot of RCPT TO: attempts).

This is a valid Received header:
Received: from h0010b59bf977.ne.client2.attbi.com ([24.147.39.6]) by fep02-mail.bloor.is.net.cable.rogers.com (InterMail vM.5.01.05.12 201-253-122-126-112-20020820) with SMTP id <20040228195530.WTUH244767.fep02-mail.bloor.is.net.cable.rogers.com () h0010b59bf977 ne client2 attbi com>; Sat, 28 Feb 2004 14:55:30 -0500
The following header is typically added by spammers. I've seen *a lot* like these. The source IP is 4 random bytes (I've even observed 255.*.*.* and 0.*.*.*). Note that this one is obviously fake for experienced spam fighters (regular MTAs don't just mention IP-addresses like this, and +0500 is not a likely timezone for a USA-based IP-address):
Received: from 80.76.205.232 by 24.147.39.6; Sun, 29 Feb 2004 00:46:57 +0500
More details: Sender is 24.147.39.6, which is known to be a spam-bot/spam-proxy:

| http://cbl.abuseat.org/lookup.cgi?ip=24.147.39.6&.submit=Lookup
| IP Address 24.147.39.6 was found in the CBL.
| It was detected at 2004-02-27 06:00 GMT (+/- 30 minutes).

Or:

| http://www.spamcop.net/w3m?action=checkblock&ip=24.147.39.6
| 24.147.39.6 listed in bl.spamcop.net (127.0.0.2)
| Since SpamCop started counting, this system has been reported about
| 550 times by about 150 users. It has been sending mail consistently
| for at least 47.9 days. In the past 43.9 days, it has been listed 3
| times for a total of 39.5 days [snip]
> Are others seeing this pattern?
I've seen them before but not recently. Here's one from January:

--------------------------------------------------
| Return-Path: <ujglygsyjs () s-mail com>
| -- skipping irrelevant local headers --
| Received: from 130.161.180.14 (unknown [81.73.185.210])
|   by mailhost3.tudelft.nl (Postfix) with SMTP id 506B6B416
|   for <*munged* @cpo.tn.tudelft.nl>; Mon, 19 Jan 2004 21:40:44 +0100 (MET)
| Message-Id: <20040119204044.506B6B416 () mailhost3 tudelft nl>
| Date: Mon, 19 Jan 2004 21:40:44 +0100 (MET)
| From: ujglygsyjs () s-mail com
| To: undisclosed-recipients: ;
--------------------------------------------------

Note that the spammers have not added an extra Received header, but instead try to fool us by: EHLO 130.161.180.14 (which really is the IP of the receiving host, mailhost3.tudelft.nl). The sender was 81.73.185.210 (which is still/again listed on CBL, was listed by SpamCop before, but is currently not listed; however, I've seen *a lot* of junk originate from interbusiness.it customer PCs).

Bill, kind request: next time please do not write abuse-handler email addresses unmunged to maillists - in particular those of cooperative abuse handlers; this one was working on Saturday! Reason: email addresses are being harvested from maillists by spammers and viruses, and abuse-handlers get enough junk-mail already.

P.S. I've sent a BCC to Rory.

Cheers,
Erik

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
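The three Received-header patterns Erik walks through above (a regular MTA's header, the spammer-added bare-IP header, and the EHLO-of-the-receiving-host trick) turned into a small filter-side check. This is an added example, not part of the original post; the sample headers are reconstructed from the ones quoted in the thread, and the receiving host's own IP is passed in by the caller, since the EHLO trick can only be recognised by whoever knows that address.

```python
import re

# Sample headers reconstructed from the ones quoted in the thread (constructed test data).
SAMPLE_HEADERS = [
    # Regular MTA: client hostname, peer IP in brackets, named receiving host, software tag.
    "Received: from h0010b59bf977.ne.client2.attbi.com ([24.147.39.6]) "
    "by fep02-mail.bloor.is.net.cable.rogers.com (InterMail vM.5.01.05.12) "
    "with SMTP id <20040228195530.WTUH244767>; Sat, 28 Feb 2004 14:55:30 -0500",
    # Spammer-added header: bare IPs on both sides, no software, no message id.
    "Received: from 80.76.205.232 by 24.147.39.6; Sun, 29 Feb 2004 00:46:57 +0500",
    # EHLO trick: client announced the receiver's own IP; Postfix records the real peer in brackets.
    "Received: from 130.161.180.14 (unknown [81.73.185.210]) by mailhost3.tudelft.nl (Postfix) "
    "with SMTP id 506B6B416; Mon, 19 Jan 2004 21:40:44 +0100 (MET)",
]

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# from <helo-name> [ (<comment, usually "name [peer-ip]">) ] by <receiving-host>
RECEIVED = re.compile(r"^Received:\s+from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+([^\s;]+)", re.I)
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_ipv4(token):
    """True if token is a dotted quad with every octet in 0..255."""
    m = IPV4.match(token)
    return bool(m) and all(int(o) <= 255 for o in m.groups())


def analyze_received(header, receiver_ips=frozenset()):
    """Return the reasons this Received header looks forged (empty list if none).

    receiver_ips: the IP addresses of our own receiving MTA, needed to spot a client
    that announces the receiver's own address in EHLO.
    """
    m = RECEIVED.match(" ".join(header.split()))  # unfold continuation lines
    if not m:
        return ["unparseable Received header"]
    helo, comment, by_host = m.groups()
    findings = []
    if is_ipv4(helo) and is_ipv4(by_host):
        findings.append("bare IP on both sides; a real MTA records hostnames and its software")
    if is_ipv4(helo) and helo.split(".")[0] in ("0", "255"):
        findings.append("source address starts with 0 or 255: not a plausible client address")
    peer = PEER_IP.search(comment or "")
    if peer and helo in receiver_ips and peer.group(1) != helo:
        findings.append(f"client announced the receiver's own IP {helo}; actual peer was {peer.group(1)}")
    return findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(analyze_received(h, receiver_ips={"130.161.180.14"}) or ["looks regular"])
```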