Burst spamrun
I was minding my own business, tweaking my mail servers. Then suddenly the active queue was up significantly. I thought, what the…?
So I grepped for the domain that had the most mail waiting, and found several transactions originating at the same IP number:
84.60.208.31
dslb-084-060-208-031.pools.arcor-ip.net
When I grepped for that IP number, I found that the whole spamrun was initiated at 14:44 and ended at 14:52 today.
All of that spam was for one domain, and I believe a significant portion of the 36 mails ended up in active inboxes.
Some addresses were broken, in a fashion I’ve seen a lot lately. This is a fictional example that illustrates how an address might be broken. Let’s say we’ve got a user with the address susan.nobody@domain.com.
The broken address could take this form:
domain.comsusan.nobody@domain.com
domain.comsmtpsusan.nobody@domain.com
smtpsusan.nobody@domain.com
usan.nobody@domain.com
san.nobody@domain.com
osan.nobody@domain.com
I’ve seen a lot of misspelled addresses in general. Usually they are missing one or two initial characters. Sometimes stuff is prepended, like 0.
All mails came from different addresses, and had different Message-ID domains.
The mail was sent to the secondary mail server. Not one message came in to the primary one. That’s fairly typical. Spammers hope the secondary server is less likely to have good anti-spam protection.
———
So I check the queue again. Nooo! It’s full again. This time one of the offenders is:
200.118.9.171
But this time only 12 mails from that system. I did find several IP addresses involved in spamruns. I can’t say if it’s the same spamrun or not, but chances are excellent that it was one spamrun.
Here’s another IP address:
148.221.134.77
———
I found an earlier spamrun today, from
59.10.183.23
And these mails ended in the spam-bin. I fished out one, and it was for s0ftware (all messages had the subject line: Software). My guess is this is a specific bulk mailer with a very recognizable MO. I found several runs from different IP addresses, and have done some filtering and coloring of messages in my spambin to identify them. I’ll hang on to them and see what I can find out.
For those that ended in my spam-bin, that I fished out and looked at, every single one pointed to the same URL, with this whois info:
Registrant / Admin Contact :
PERSON
Glenn ESTUS (ESTUS2-BMN-PE)
PO Box 51, Westport
12993 NY
UNITED STATES
phone : +48 22 3895469
fax :
e-mail : glenn_estus@yahoo.com
Domain servers :
one.offletea.com (OOC2-BMN-HST)
two.offletea.com (TOC2-BMN-HST)
Created on 12/30/2005 09:45:58
Updated on 01/04/2006 17:57:33
Expires on 12/30/2006 04:45:58
Registrar : BookMyName
The domain pings this IP:
211.144.147.202
Which is in this (surprise..) IP block:
Beijing Xiao Xiang Commerce Co.,Ltd
The e-mail address was registered on 12/30/2005.
The spammer switches domains quite often, according to the NANAS thread I found concerning this spammer’s MO.
The whois info differs between domains, probably with a few domains sharing the same info, but the same IP pool and registrar are used. The DNS servers differ, but they’re vanity domains drawn from the same pool of IP numbers.
———
E-mail headers:
I found some anomalies in the message headers. Here’s a munged example:
Received: from 144899528 (unknown [59.10.183.23])
    by munged.ourserver (Postfix) with SMTP id EDAF517BA9
    for
Received: from givingtreegifts.com (144848872 [146990032])
    by grahamrichardson.com (Qmailv1) with ESMTP id D674021FAF
    for
I noticed that most of the messages had 144899528 or something similar as the HELO domain name, which of course doesn’t match the sending IP number. The second Received line seems forged, and doesn’t include an IP number at all, but 144899528 or similar is given as a server in the chain. The headers are completely broken and forged, except for the server mine received the mail from. And that’s probably a zombie.
Guys: There are ways to make your mail server check for a mismatch between the HELO name and the sending IP’s hostname. Policyd-weight is one such package that works with Postfix.
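The kind of check described above, written out as an added example (this is my own illustration, not code from policyd-weight or Postfix): it parses the Postfix-style "from HELO (rdns [ip])" clause of a Received header and flags the anomalies seen in the munged headers. The two sample headers are constructed from the ones quoted above; the anomaly tag names are my own.

```python
import re

# Postfix writes "Received: from <HELO name> (<reverse DNS or 'unknown'> [<ip>])".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# Loose FQDN syntax: dotted labels ending in an alphabetic TLD. Bracketed
# address literals, which RFC 5321 permits in HELO, are not handled here
# (assumption: we only care about the hostname form).
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)

# Constructed from the two munged headers quoted in the post (first line only).
SAMPLE_HEADERS = [
    "Received: from 144899528 (unknown [59.10.183.23])",
    "Received: from givingtreegifts.com (144848872 [146990032])",
]


def is_ipv4(text):
    m = IPV4_RE.match(text)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def check_received(line):
    """Return a list of anomaly tags for one Received header, [] if it looks clean."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return ["unparseable"]
    helo, rdns, ip = m.group("helo"), m.group("rdns"), m.group("ip")
    issues = []
    if not FQDN_RE.match(helo):
        issues.append("helo-not-fqdn")        # e.g. the bare number 144899528
    if not is_ipv4(ip):
        issues.append("ip-not-address")       # e.g. 146990032 where an IP should be
    if rdns.lower() == "unknown":
        issues.append("no-reverse-dns")       # Postfix could not resolve the client IP
    elif FQDN_RE.match(helo) and helo.lower() != rdns.lower():
        # Weak signal on its own: legitimate hosts often HELO with a name other
        # than their PTR. policyd-weight scores such mismatches rather than
        # rejecting outright, which is the sensible policy.
        issues.append("helo-rdns-mismatch")
    return issues


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_received(header))
```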