Archive for the 'Mail spam' Category

419 spam getting through spam filters

Thursday, March 13th, 2008

Today I received yet another 419 spam. I’ve noticed for a while that they seem to get through my spam filters. After the post I wrote yesterday about stolen passwords, I opened it and looked at the headers. Sure enough:

SquirrelMail authenticated user millerb1

I think this is one reason they’re using stolen passwords. In one case the spammer sent 171 mails with a lot of bcc’s from a server that doesn’t normally send spam. If they keep using fresh servers that way, they’re likely to get the spam through spam filters, unless the filters manage to filter based on the wording.

authenticated user

Tuesday, March 11th, 2008

I’ve seen countless examples lately of mail sent from legitimate accounts via Squirrelmail. Do a search for “authenticated user” on news.admin.net-abuse.sightings and sort by date. You’ll see it’s become quite common.

I don’t know exactly what’s happening here, but I assume spammers have stolen passwords for legitimate accounts somehow.

I know of one case where the spammer changed the password of the account a while after the spamrun was complete.

If your established password stops working, do some due diligence after you get a new one issued.

The spammy mails were still in the Sent box in one account!
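A defender-side check for the pattern in the two posts above: a webmail login that suddenly sends a burst of heavily bcc’d mail through a server that normally sends none. This is an added example, not code from the original posts; the "SquirrelMail authenticated user" stamp is what the blog quotes, while the thresholds, timestamps, recipient counts and user names are assumptions.

```python
import re
from datetime import datetime, timedelta

# SquirrelMail records the webmail login inside the Received header, e.g.
#   Received: from 192.0.2.10 (SquirrelMail authenticated user millerb1) by ...
AUTH_RE = re.compile(r"\(SquirrelMail authenticated user (?P<user>[^\s)]+)\)")

def auth_user(received_header):
    """Return the SquirrelMail authenticated user named in a Received header, or None."""
    m = AUTH_RE.search(received_header)
    return m.group("user") if m else None

def find_bursts(events, max_msgs=50, max_rcpts=500, window=timedelta(minutes=30)):
    """events: iterable of (timestamp, user, recipient_count), in any order.
    Returns {user: (msgs, rcpts)} for each user whose message count or total
    envelope recipients exceed a threshold inside any sliding window."""
    by_user = {}
    for ts, user, n in events:
        by_user.setdefault(user, []).append((ts, n))
    flagged = {}
    for user, sent in by_user.items():
        sent.sort()
        start, rcpts = 0, 0
        for end, (ts, n) in enumerate(sent):
            rcpts += n
            while ts - sent[start][0] > window:   # slide the window forward
                rcpts -= sent[start][1]
                start += 1
            msgs = end - start + 1
            if msgs > max_msgs or rcpts > max_rcpts:
                flagged[user] = (msgs, rcpts)     # first window that trips
                break
    return flagged

# Constructed sample: a hijacked account (millerb1) sends 171 mails with 40
# recipients each within ten minutes; a normal user sends a handful.
def sample_events():
    t0 = datetime(2008, 3, 13, 9, 0)
    events = [(t0 + timedelta(seconds=3 * i), "millerb1", 40) for i in range(171)]
    events += [(t0 + timedelta(minutes=7 * i), "alice", 1) for i in range(5)]
    return events

if __name__ == "__main__":
    for user, (msgs, rcpts) in find_bursts(sample_events()).items():
        print(f"{user}: {msgs} messages to {rcpts} recipients within the window")
```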

Denial of service suit against Comcast

Sunday, January 27th, 2008

I got an e-mail from the guy behind the Litigatin blog, who posted about e360insight’s lawsuit against Comcast.

One of the key points in the lawsuit is that e360insight believe Comcast is using denial of service against their servers.

As I was reading the blog post I thought, wait a minute! e360insight is initiating those connections, not Comcast! And that point was also brought up by the (so far) sole commenter on that post.

So how can they get past the fact that THEY are initiating those connections? Inquiring minds want to know…

I’m feeling lucky spam

Saturday, January 5th, 2008

I got a spam tonight that had a URL that led to Google. That piqued my curiosity, so I checked it out and figured out why it worked.

The spam was of the Canadian pharmacy variety. Just the usual stuff. So I tried recreating the URL, pointing to one of my sites.

Their URL was a variant on this:

http://google.com///search?hl=en&q=ann+elisabeth&btnI=5437

But it does work even without the ID at the end. So what’s the point? In my tests I couldn’t see the referrer when I used a similar URL, so it can’t be for referrers, unless they have tools that retain more info than regular referrer logs.

&btnI= at the end means this is the “I’m Feeling Lucky” option Google uses. Which means that if a spammer is confident their site will be returned as the lucky result, this sort of spam works.
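A mail-filter check for the trick described above, as an added example that is not part of the original post: it flags links that bounce through Google’s “I’m Feeling Lucky” redirect and reports the search terms the redirect will resolve. The sample body is constructed around the URL quoted in the post; the list of Google hostnames is an assumption and would need extending for country domains.

```python
import re
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def lucky_redirect(url):
    """If url is a Google search URL carrying btnI (the "I'm Feeling Lucky"
    button), return the search terms it redirects to; otherwise None.
    The value of btnI is irrelevant, so '&btnI=5437' and '&btnI=' both count."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower()
    if not (host == "google.com" or host.endswith(".google.com")):  # assumption: .com only
        return None
    # Collapse the repeated slashes ("///search") the spammer used to obscure the path.
    path = "/" + "/".join(seg for seg in parts.path.split("/") if seg)
    if path != "/search":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "btnI" not in qs:
        return None
    return " ".join(qs.get("q", [""]))

def lucky_links(text):
    """Return [(url, search_terms)] for every lucky-redirect link in a mail body."""
    hits = []
    for url in URL_RE.findall(text):
        terms = lucky_redirect(url)
        if terms is not None:
            hits.append((url, terms))
    return hits

# Constructed sample mail body: one lucky redirect, one plain Google search,
# one non-Google URL that merely copies the parameter.
SAMPLE_BODY = """Cheap meds, click here:
http://google.com///search?hl=en&q=ann+elisabeth&btnI=5437
Compare: http://www.google.com/search?q=ann+elisabeth and
http://example.com/search?q=x&btnI=1 (not Google)
"""

if __name__ == "__main__":
    for url, terms in lucky_links(SAMPLE_BODY):
        print(f"lucky redirect -> top result for {terms!r}: {url}")
```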

PhpBB folder compromised

Thursday, December 27th, 2007

I received an e-mail that attempted (in Spanish) to get me to log in somewhere. The link was fake, and pointed somewhere other than where it appeared to.

It pointed to an exe file (haven’t tested the exe file) in a folder that turned out to be the docs folder in a phpBB installation. A 2.0.x version. That folder had obviously been compromised, and a lot of scripts had been placed there. The forum appears to have been installed September 2006, but the phpBB files were last modified a year later. Some of the files have dates before that, but probably were uploaded in such a way the original file date was preserved?

I’ve notified the site admin, so let’s see if he responds and tells us what happened. I assume this is a vulnerability that’s been fixed in newer versions of phpBB?

sms.ac turns into fanbox

Saturday, December 15th, 2007

When I got the second e-mail from someone I didn’t immediately recognize, inviting me to answer a question at fanbox, I thought it was one of those irritating invitations from some application I haven’t installed at Facebook.

But when I got the second identical e-mail, I got irritated enough to check it out.

Turns out it’s from fanbox.com, which is a new incarnation of sms.ac, which I’ve blogged about before:

sms.ac abuse

sms.ac continues to send invitations

By now it’s not visibly centered around text messages (which to me looked like a scam that would quickly result in huge cell phone bills if you were unlucky), but rather a desktop application.

But I kinda doubt this person I got the e-mail from actually tried to send me a question. I might find out, because I’ve figured out the e-mail address (which isn’t in the e-mail from fanbox).

I think the same caution goes now that it did before: Do NOT give them the password to your webmail account, if you decide to join. Because they’ll spam your friends to death, and they’ll get angry with YOU for it!

Come to think of it, they’ll most likely get your webmail password no matter what, because this is a desktop application! The point is storing important documents, mail and passwords (presumably, I haven’t actually tried it, but it’s what I’d want to use a desktop app for, if I found one I trusted). Geez, I would NOT trust them enough to use them as a desktop app, based on their history!

Wait, I forgot to include the actual letter I received:

xxxxxsomeoneyoumayormaynotknowxxxx asked you a question. View the question and answer it.

FanBox.com is the web-based desktop that instantly turns every computer into your computer. It includes over 10,000 web applications and games to choose from, including the Question It application.

This email was sent by xxxxxsomeoneyoumayormaynotknowxxxx while using the Question It application on FanBox. Go here to learn more or stop receiving emails from friends using Question It. FanBox: 255 G Street #723, San Diego, CA 92101, USA

Update: I heard back from the person who supposedly sent those messages. She said she’d gotten them starting yesterday too, and didn’t know why. But I also found I’d gotten another message, supposedly from her, and this time to a Yahoo groups listowner address. She’s on AOL, and I’m guessing she has a setting adding all senders of e-mails she receives to her address book automatically.

Gmail phish

Sunday, November 11th, 2007

I got a Gmail phish today. Short version: They wanted me to fill in my account details, including password, in order to avoid my gmail account being deleted. And then reply with those details.

More details: All images were from the Gmail server. The e-mail appears to have been sent through Gmail servers, not from an outside server. Official-looking e-mail address.

So, why do I believe it’s a phish?

First of all, Gmail wouldn’t need me to send them anything to confirm my account is active. I happen to be conversant with e-mail servers. Gmail will at any time know - if they need to find out - when I last logged into the server. That’s part of mailserver architecture. In the past, you could use a tool called “finger” to find out when someone else last logged into their mail account. A very useful tool, that unfortunately became a security risk when the internet took a nosedive into spam, commercialism and crime.

The e-mail had a “To” address that wasn’t my address. That’s inelegant, and wouldn’t be used for an e-mail sent to ALL accounts on a server.

Imagine the amount of e-mails something like this would generate, if it were legit. And to even consider using ONE e-mail address as a recipient for responses? Not feasible on this scale. Gmail would use a secure form on their server. But wait, Gmail already knows my password… No human other than the account holder has any business knowing your password, as long as the server itself can handle you logging in and out, changing your password and retrieving it if you lose it. When you know about server architecture, it’s just so obvious that it’s a phish.

Unfortunately, it probably seems legit to a large enough number of people that some criminal element decided it was worth the expense to do this.

Or, if I put on my tinfoil hat, maybe some criminal element decided on trying to acquire the passwords of particular accounts? So guys, who received this phish?

Gmail phish screencap

Curious mailbomb

Thursday, October 25th, 2007

I got a few hundred e-mails today in the space of a few minutes. The e-mails were identical, except they came from a few different sources. The spammer misused a feedback form, or so it seemed.

The mails came from e-mail addresses that included Free_Porn@ and some random domain names, but the return-path was usually from a working domain name - same as the server the hacker sent the e-mails through. The ones coming from a different server had the nonsense domains as return-path too (reminds me, that server - not mine - needs to be locked down a bit more).

The domain spamvertized in all those e-mails appears to be an innocent bystander - constantpated.blogspot.com. I found spam for that same site in other places (including gmane.linux.debian.devel.bugs.general a few days ago).

I wonder what the heck the bad guy is looking to accomplish?

Tricky image spam

Friday, August 3rd, 2007

I got two spam e-mails (to two of my main addresses) advertising pokerloco, a Swedish-owned (they say Costa Rica, but nobody’s fooled by that) poker site.

The spam originated from Ukraine and Russia:

81.21.14.3
78.85.26.6

But here’s the wrinkle. The HTML in the file was a bit tricky, and I wasn’t sure the images would load. So I checked, and found that when viewed in an HTML browser/viewer, you’d only see an image flogging a stock (CHINA YOUTV CORP) from one of these sites:

mediapix.ru
imgnation.net

The pokerloco e-mail looks as though it’s an e-mail sent from them to one of their customers, somebody by the name of Anders. And it was written in Swedish. It might have been cribbed from somewhere, then used to confuse spam hunters.

Spreading malware by mail spam

Tuesday, July 10th, 2007

I just got this e-mail, twice to the same address:

Dear Customer,

Our robot has detected an abnormal activity from your IP adress
on sending e-mails. Probably it is connected with the last epidemic
of a worm which does not have official patches at the moment.

We recommend you to install this patch to remove worm files
and stop email sending, otherwise your account will be blocked.

Customer Support Robot

Under the text “this patch”, there’s a link to an IP address with some encrypted-looking URL. Different IP addresses for each mail. Both of them already give a socket error, so I can’t check out what it contained.

Shaking head… There’s a discussion on “alt.madcrew” about this. Some people there appear to have taken the e-mail at face value. One of them writes:

installed the patch too but now my computer has become very slow and
even when I am not doing anything on my computer my hard drive makes a
lot of noise as if there is a lot of activity, I don’t understand :-(