Archive for February, 2006

Manual forum spam, several ways

Thursday, February 9th, 2006

Nick Wilson found a disturbing want ad:

Dirty deeds done dirt cheap © 300km North of Moscow

Sort of the direction the net is heading: More and more webspam, by every means available.

Etanisla blogged a similar topic lately: Shill planting

Bad, eh?

CAN-SPAM compliant and filter proof

Tuesday, February 7th, 2006

I’m cleaning my spam-bin (collected from above my SpamAssassin threshold on the server, so pretty large).

The CAN-SPAM compliant stuff is pretty easy to find. The subject lines and senders are descriptive, in contrast to the “criminal” spammers who try to trick you into opening their mails, or advertise the three P’s.

The problem for CAN-SPAM compliant spammers (yes, I call them that, even though they themselves say they’re in the bulk e-mail business), is that mail server admins might implement content filters that look for specific patterns.

Like unsubscription links, or a privacy policy.

Sometimes their attempts at being innovative, trying to avoid those filters, are kinda funny. Like this one:

“detach yourselves off this list”
“To remove your email from our database or unsubscribe”
“getmeoff” (a smart way to filter this one: getmeoff:http)
“To unsubscribe from this ADVERTISEMENT”
“Want to block this message then visit”

Doesn’t exactly sound idiomatic, does it?

Cache spam

Tuesday, February 7th, 2006

I think I’ve uncovered a new type of spam. I don’t know if it works as intended, but I found something that must have been done on purpose.

Remember the Dorank spammer? He was just tossed from his webhost, and found a new one. So I was nosing around a bit.

He has some sort of affiliation with cs.rin.ru, and I was doing some searches when I came upon something that might be an experiment, or a spamming attempt.

Check this Google search:
inurl:cs.rin.ru -site:cs.rin.ru

You’ll find lots of indexed instances of caching or mirroring, what I’d term vulnerable PHP scripts.

Most of the instances are only in the Google cache. They don’t work live right now. But I tested one site that allowed me to cache spamhuntress. Brrrr…

Either way, I think some checking of PHP and Google coding is in order.

E-mail monitoring

Tuesday, February 7th, 2006

While setting up my mailservers, I’ve come across information about how you could retain a copy of EVERY e-mail that comes through the e-mail servers.

There are companies out there that do such things. Or they retain copies of mails to some people. It’s actually quite easy to do.

So here’s yet another warning: Don’t send embarrassing, sensitive, or potentially damaging stuff through company e-mail. As a long-time e-mail administrator, I’ve seen my share of very embarrassing stuff. And that was mostly due to e-mail getting lost somehow.

I’ve seen love letters and randy suggestions I wasn’t supposed to see. And I knew the people involved.

I’m saying this to make people understand that this happens REGULARLY. And it’s not the e-mail administrator’s fault. These things just happen.

Today I’m blessed with being the administrator of a large and well functioning operation, so the amount of embarrassing stuff is minimal, actually non-existent. Not a one company server…

But even so, whenever I send an e-mail that is of a sensitive nature in any way, I wonder about the mailservers I send it through. How big are they, how possible is it that it would get read? I’d rather send mail through my own mail server, because I know exactly what kind of monitoring is being done there!

Here’s an article about e-mail policy, and what could happen in case of a lawsuit or routine monitoring:

CollegeJournal | On the Job

High Court approves service of a lawsuit by email | The Register

Monday, February 6th, 2006

This case hinged on whether or not they’d been served.

High Court approves service of a lawsuit by email | The Register

The e-mail address used was info@…

And the e-mail never reached the right parties. The complainant had conversed with the company through other addresses before, but used the info address when sending the communication about the lawsuit.

Why am I talking about this?

Make sure all e-mail addresses are monitored, so no important mail gets ignored. I’ve seen postmaster mailboxes go unchecked for years, so I know stuff like that happens.

John MacKenzie comments on the case in the news story that companies should monitor addresses like admin@ and info@. I’d like to counter that: Never create those addresses at all. They’re spam magnets. Make sure you don’t use the “usual” addresses, and you’ll get less spam. But also make sure mail to those addresses is rejected, so it doesn’t end up in some mailbox somewhere that nobody knows about. That’s especially true of qmail with vpopmail. The system automatically generates a postmaster account for each domain.

You’ll need postmaster and abuse addresses that work. But those could be diverted to the server’s postmaster. In Postfix that’s easy: Just use virtual for that. Redirect postmaster/abuse mail for all domains to one mailbox.
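The two pieces of advice above in Postfix terms, as an added example (not the author’s own configuration): working postmaster@ and abuse@ for every domain diverted to one real mailbox, and the “usual” addresses refused at SMTP time. It assumes a Postfix build with pcre table support; mail.example.com and the mailbox names are placeholders.

```conf
# main.cf fragment (added example, not the author's configuration).
# Assumes Postfix with pcre table support; host and mailbox names are placeholders.

# Every hosted domain gets a working postmaster@ and abuse@ without a mailbox of
# its own: one pattern diverts them all to the server's real postmaster.
virtual_alias_maps = pcre:/etc/postfix/role_aliases.pcre

# The "usual" spam-magnet addresses are refused during the SMTP dialogue, so
# they bounce to the sender instead of piling up in a mailbox nobody reads.
# (reject_unauth_destination is what keeps the server from becoming an open relay;
# Postfix 2.10+ also accepts these in smtpd_relay_restrictions.)
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_recipient_access pcre:/etc/postfix/role_reject.pcre,
    reject_unauth_destination

# /etc/postfix/role_aliases.pcre
# Any postmaster@ or abuse@ at any domain -> the server's postmaster. The lookahead
# excludes the target host itself, so the real mailbox never maps onto itself.
/^(postmaster|abuse)@(?!mail\.example\.com$)/    postmaster@mail.example.com

# /etc/postfix/role_reject.pcre
# Access lookups see the envelope recipient exactly as the sender gave it,
# before any aliasing, so the "usual" names can be refused with a clear reason.
/^(info|admin)@/                                REJECT This address is not in use here
```

After editing, `postfix reload` picks up the new maps; pcre tables need no postmap step.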

SPF - do or don’t?

Monday, February 6th, 2006

A reader asked me if he should implement this or not.

Short version:
SPF = Sender Policy Framework
http://www.openspf.org/

It’s one of several policies domain owners can implement to authenticate their mail.

Whether you should implement it or not depends on your usage. And how much you’ll get out of it depends on how many mail server admins observe SPF.

It adds records to the DNS that tell other servers where mail from your domain is permitted to originate. The material I’ve read makes it a little fuzzy whether this is about the end user’s IP number or the mail server he uses. It looks like it refers to the end user’s IP number.

The point of this is that spammers normally wouldn’t be able to fool anyone into believing their mail originates from your IP numbers. Which means that when they fake your domain as the sending address, the mail would be discarded or rejected.

SPF would work best on domains with few mail users. If you have total control over how it’s used, i.e. where it originates at any time, that would work best. Because if mail originates at some other point in the world at times (like if you’re travelling), then mail may or may not reach your recipients.

Another way SPF could break your mail is if you forward mail from your domain to another address (especially AOL mailboxes): mail could be lost unless you rewrite the “FROM” address. That creates other problems.

What we’ve seen so far is that a certain class of spammers have adopted SPF en masse.

Many mail server admins do not observe SPF, and domain owners are on the fence, wondering if they should or not.

I guess, if you have a domain with one or two users, and you have complete control over where the mail is coming FROM, and you don’t use forwarding, then go ahead. Most webhosts are able to publish SPF if you ask for it.
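What such a record looks like for the three situations described above (full control, a webhost’s outbound servers, travelling users), as an added example in zone-file syntax; example.com, 192.0.2.25 and _spf.webhost.example are placeholders, not anything from the reader’s or the author’s domains.

```conf
; Zone-file fragment (added example; all names and addresses are placeholders).

; Case 1: the domain the author describes. One or two users, all mail leaves
; through one known server, no forwarding: publish a strict policy.
example.com.        IN TXT  "v=spf1 ip4:192.0.2.25 -all"

; "ip4:"  the only host allowed to hand mail FROM @example.com to the world
; "-all"  everything else is a hard FAIL, so a forged @example.com sender coming
;         from a spammer's box can be rejected by servers that check SPF

; Case 2: some mail also leaves through the webhost's outbound servers
; ("most webhosts are able to publish SPF if you ask for it"). Pull in the
; host's own published policy instead of guessing its addresses:
;example.com.       IN TXT  "v=spf1 ip4:192.0.2.25 include:_spf.webhost.example -all"

; Case 3: users sometimes send from networks you do not control (travelling).
; With "-all" that mail fails outright; "~all" (SOFTFAIL) asks receivers to
; mark rather than reject, at the price of a weaker statement about forgeries:
;example.com.       IN TXT  "v=spf1 ip4:192.0.2.25 ~all"

; Forwarding caveat: when a forwarder resends an @example.com message to AOL,
; the IP that connects to AOL is the forwarder's, not 192.0.2.25, so the check
; fails unless the forwarder rewrites the envelope sender. Nothing in this
; record can fix that; it is a property of the forwarding hop.
```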

Pros and cons of SPF. Negative view of SPF

Postfix filter: HELO

Monday, February 6th, 2006

For the admins here:

One way to cut down on spam considerably is to add a HELO filter to your mail server. It’s easy to implement on Postfix, which is what I use.

Here’s the recipe I used:
Blocking spammers with Postfix HELO controls

A little gotcha is that your main.cf may not look like his. Both run-on (continuation) lines and one variable per line work in the same file.

I add both the IP numbers of the mailservers and the domain names it houses. The server will only relay mail to outside domains if the sender is in “my networks”, so the only false positives I’ve seen so far were when someone decided to route mail through my server and gave me the wrong IP number (they didn’t consider that they had a firewall in front of their Exchange server) to include in “my networks”.

This filter is wonderful. It blocks a lot of mail each day. And when I pair it with policyd-weight and Spamassassin, as well as recipient maps, I get a pretty good end result.

The good thing about the HELO filter and policyd-weight, is that it reduces spam to existing users. I have users that receive up to 300 mails per day, and a good percentage is spam. So cutting down on that number is a very good thing for them. It’s noticeable for the end users.

So, why is a HELO filter a good thing?

Many spammers use YOUR IP number or domain as THEIR HELO. I assume some mail servers are tricked somehow. Maybe the server will think it’s a local mail, and bypass the spam check? I don’t know. I just know many spammers use that trick. And I suppose few servers have filters for it, so it’s not worth their while to figure out if you reject mail based on it. Which means those filters will be effective for a while longer, until a certain percentage of the world’s mail servers implement such filters.

The other consideration is that much of the spam I receive is from zombied boxes. So the virus would have to figure out the correct HELO for each IP number in order to get mail through. And some filters will reject or penalize mail with a HELO that appears to be from a dynamic IP range. And numeric HELO will also be penalized by some filters.
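A HELO filter of the kind described in this post, written out as an added example (not the linked recipe and not the author’s own main.cf): own hostnames and own IP rejected when they appear in a stranger’s HELO, numeric HELO and dynamic-pool names rejected as well, with “my networks” exempted first. 192.0.2.25 and the example.* names are placeholders.

```conf
# main.cf fragment (added example; placeholders, not the author's real hosts).
# Both styles work in the same file: continuation lines indented with whitespace,
# or one value per line.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname
# The last two are the Postfix 2.3+ names; older releases call them
# reject_invalid_hostname and reject_non_fqdn_hostname.

# /etc/postfix/helo_access   (run "postmap /etc/postfix/helo_access" after edits)
# permit_mynetworks already let my own hosts through, so anyone who reaches this
# table while greeting with MY names is a stranger using the trick described above.
# A hash lookup also tries parent domains, so "example.com" covers mail.example.com.
example.com             REJECT You are not example.com
example.net             REJECT You are not example.net

# /etc/postfix/helo_checks.pcre
# My own IP in any spelling, then any other numeric HELO, then names typical of
# dynamic pools. Bracketed literals like [192.0.2.25] are legal per RFC 2821,
# so a cautious admin starts the generic numeric rule as WARN and reads the logs.
/^\[?192\.0\.2\.25\]?$/                            REJECT HELO with my IP address
/^\[?\d{1,3}(\.\d{1,3}){3}\]?$/                    REJECT Numeric HELO
/^(dsl|dyn|dynamic|pool|ppp|dhcp|cable)[-.0-9]/i    REJECT Dynamic HELO hostname
```

Rejections show up in the mail log as "NOQUEUE: reject ... Helo command rejected", which is the quickest way to confirm the filter is matching what you expect before tightening it further.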

It isn’t easy being a mail spammer. They have to figure out lots of stuff in order to get their spam through…

Dimago overseas

Sunday, February 5th, 2006

I just posted the MO of two spammers. Both affiliates of topsearch10.com.

The whois info comes back to this outfit:

Dimago Overseas GmbH
Jaan Randolph (searchadv@gmail.com)
Suites 25 and 27, Second Floor,
Oliaji Trade Centre, Francis Rachel Street, P
Victoria
Mahe,120000
SC
Tel. +42.0723233092

What’s interesting here is that this is the outfit behind other websites with permutations of the term umax. Which usually means - Russian stuff.

And if you look at the Alexa page for the domain, it’s got Umax contact info.

And yes, if I follow the trail of domains associated with Dimago, I end up with this e-mail address:
wello@mail.ru

The address given is in Prague, but I’ve seen him posting on Russian sites like he’s living there.

And according to his ICQ page (169184030), his first name is Alexey, he speaks Russian and English and is interested in high profile sports cars. He also says he lives in the US, and was born 24-nov-1968. His nickname is unimaxxximmuuus.

I also find lists of cws infected sites, with some of his on them.

And he’s got another network, run with the name Rex Services Ltd. Also on CWS lists.
But this company has an anti parasite tool, named Security iGuard. Problem is, that TOO has landed itself on some uncool lists. Namely rogue spyware. In this case, it’s on the list because it’s often advertised through CWS sites.

I found a WIPO case for a domain that appeared to knock off MSN search. The respondent’s name was given as Serge Kovalev. He used the domain to promote Rex Service’s programs, though I can’t be sure it’s the same person, due to lack of detail in the WIPO document (i.e., affiliate links or not?).

SANS reports a pharming attack in March 2005, with one of his sites as the beneficiary.

I’ll dig some more later, but I’ve got stuff to do, so posting for now.

Update July 9, 2006:

Found this:

APS Telecom APS-EPSI (NET-216-195-32-0-1)
216.195.32.0 - 216.195.63.255
Dimago Overseas GmbH NET-216-195-51-0 (NET-216-195-51-0-1)
216.195.51.0 - 216.195.51.255

Details:

CustName:   Dimago Overseas GmbH
Address:    Suites 25 and 27, Second Floor, Oliaji Trade Centre, Francis Rachel Street
City:       Victoria
StateProv:  Mahe
PostalCode: 120000
Country:    SC
RegDate:    2005-05-04
Updated:    2005-05-04

abuse is at 0ad.net

What this means is that the Dimago Overseas whois info we’ve been seeing might be whois protection from the sub-netblock owner.

Broken posting

Sunday, February 5th, 2006

Another spammer, this one with a broken comment spam tool.

IP address:
87.248.167.57
Starnet in Moldova
This might be the spammer’s own address. I believe it might be worth complaining to the ISP.

User agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1

Here’s the whole string:
POST /wp-comments-post.php?author=Goe&email=ivan%40mail.ru&url=http%3A%2F%2Fbig-cook.dj12o.com%2F&comment=Everything%20for%20cooking.%20right%20herel!!%0D%0Ahttp%3A%2F%2Fbig-cook.dj12o.com%2F%0D%0A&comment_post_ID=204 HTTP/1.0

He consistently posts to the googlepray post.

And it’s yet another topsearch10 affiliate: 42482
This one is embedded in a JavaScript and encoded.

Block libwww-perl with POST

Sunday, February 5th, 2006

I’ve been so busy this last week, I haven’t posted.

Comment spam has really exploded lately. I think Rathamahata might be right - probably lots of newbie Russian spammers out there.

So I took a random comment spam, and turned it inside out. It happened to be the last one to arrive.

valentine-day-gift-idea.50megs.com
has a javascript that ultimately leads to affiliate ID: 49221 at topsearch10, as well as links from the body pointing the same place.

What was interesting with the free webhost here, is that when I tried to load the javascript in wannabrowser, I got an error, but it worked in a regular browser. Now, WHY is that? Got something to hide?

K, back to the spammer.

This is a low volume spammer, unlike some of the others I’ve seen lately.

User agent:
libwww-perl/5.803
I’ve had hits with that user agent from others. Some asking for robots.txt, some legitimate spiders. And one legitimate feed reader: XmlRssTimingBot/2.03 (libwww-perl/5.803). I’m leaning towards blocking POST as a request type with this user agent. I’ve also seen other versions of this user agent. Other software revisions. So block libwww-perl with POST.
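The rule the paragraph arrives at, “block libwww-perl with POST”, as an added Apache example for the blog’s .htaccess or vhost (not the author’s own rule). It assumes Apache 2.2 with mod_setenvif; the environment-variable name is an assumption.

```conf
# Apache 2.2 fragment (added example, not the author's configuration).
# Assumes mod_setenvif; "deny_post" is an arbitrary variable name.

# Tag the request when the User-Agent header starts with "libwww-perl/".
# Unversioned, so every software revision the author has seen is covered.
# The anchor means XmlRssTimingBot/2.03 (libwww-perl/5.803), which only mentions
# libwww-perl in parentheses, is never tagged at all.
SetEnvIfNoCase User-Agent "^libwww-perl/" deny_post

# Refuse only POST (the comment submission) for tagged requests. robots.txt
# fetches and legitimate spiders keep working because they use GET.
<Limit POST>
    Order Allow,Deny
    Allow from all
    Deny from env=deny_post
</Limit>

# Apache 2.4 replaces Order/Allow/Deny with Require; the equivalent is:
# <Limit POST>
#     <RequireAll>
#         Require all granted
#         Require not env deny_post
#     </RequireAll>
# </Limit>
```

A blocked submission appears in the access log as a 403 for wp-comments-post.php, so the author’s existing log review would show whether the rule is catching the posts described here.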

IP:
204.15.149.58
It’s a proxy.

Other IP addresses seen with that user agent (various versions), posting comments:
201.6.101.190 (proxy in Brazil)
64.246.42.58 (proxy. EV1 server)
202.57.138.131 (proxy in Bangkok)

E-mail address:
xanax@yandex.ru
(I got a few others from that address, and so far that corresponds with the user agent)