Archive for the 'Mail spam' Category

Pointless spamhaus spam

Monday, July 9th, 2007

I just received two copies of a pointless spam. It appears to be a Spamhaus joejob. I received two spams to the same address even. Here’s a discussion about the incident:

Google Groups 

Danish fedex spam with virus

Thursday, April 19th, 2007

During the night thousands of e-mail addresses connected with people in Denmark received an e-mail purportedly from fedex.com. It’s written in what appears to me to be perfect Danish, and promises 15% off if the recipient sends in the form attached to the mail. Only the “form” is not a form: it’s an executable with a random numeric name, containing the virus TR/Spy.Bzub.B.

Some journalists in Denmark originally thought hackers had gotten into FedEx and sent out those e-mails. But the e-mails were sent to random Danish addresses, including inactive ones, both customers and non-customers of FedEx. I got a sample of the headers and will paste the relevant bits here. Notice that it doesn’t even come from Denmark:

Received: from 66-195-105-206.static.twtelecom.net [66.195.105.206] by recipientsmailserver2.dk with ESMTP
(SMTPD-8.22) id AA310348; Wed, 18 Apr 2007 22:06:09 +0200
Return-Path:
Received: from 209.205.25.170 (HELO smtp.albert-white.com)
by recipientsmailserver.dk with esmtp (/-26A4FH5 LU6Z)
id 4ESG>0-/FYYK7-OR
for recipient@recipientsmailserver.dk; Wed, 18 Apr 2007 20:06:27 +0600
Message-ID: <01c781f5$0c516520$6c822ecf@gblk>
From: "FedEx"
To:
Subject: Kvittering
Date: Wed, 18 Apr 2007 20:06:27 +0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0007_01C781CB.237B5D20"
X-Priority: 3
X-MSMail-Priority: Normal

Notice how it’s got two Received lines? The MX record for the e-mail address points at recipientsmailserver.dk, while there’s another mail server at the same IP address named recipientsmailserver2.dk (all recipient info munged). So I’m slightly unsure where that mail really came from… The twtelecom address is blocklisted at psbl.surriel.com for another spamrun on April 5.
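To read a chain like the one above without guessing, walk the Received lines from the bottom (oldest hop) to the top (the line your own server wrote, the only one you can vouch for) and compare what each hop claims. The script below is an added example, not part of the original post; it re-folds the posted headers (the post has the continuation lines flush-left) and parses them with a hand-written regex rather than a mail library, so it works on the munged ids as posted. Everything it reports comes from the headers themselves: the sending host, the HELO name, the IP, the receiving host and the timestamp converted to UTC.

```python
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Header block as posted (recipient details were munged by the author).
# Continuation lines are indented here so that RFC 5322 header unfolding
# works; the post had them flush-left.
SAMPLE_HEADERS = """\
Received: from 66-195-105-206.static.twtelecom.net [66.195.105.206] by recipientsmailserver2.dk with ESMTP
  (SMTPD-8.22) id AA310348; Wed, 18 Apr 2007 22:06:09 +0200
Return-Path:
Received: from 209.205.25.170 (HELO smtp.albert-white.com)
  by recipientsmailserver.dk with esmtp (/-26A4FH5 LU6Z)
  id 4ESG>0-/FYYK7-OR
  for recipient@recipientsmailserver.dk; Wed, 18 Apr 2007 20:06:27 +0600
Message-ID: <01c781f5$0c516520$6c822ecf@gblk>
From: "FedEx"
To:
Subject: Kvittering
Date: Wed, 18 Apr 2007 20:06:27 +0600
"""

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"            # host as recorded by the receiving MTA
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # optional "(HELO name)" annotation
    r"(?:\s+\[(?P<ip>[0-9.]+)\])?"     # optional "[ip]" annotation
    r".*?\bby\s+(?P<by>\S+)"           # the MTA that wrote this line
    r"(?:.*?;\s*(?P<date>.+))?$",      # timestamp after the ';'
    re.S,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Join folded continuation lines (those starting with whitespace)."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_headers(raw):
    return [l[len("Received:"):].strip()
            for l in unfold(raw) if l.lower().startswith("received:")]


def trace(raw):
    """Hops in delivery order: the bottom Received line is the oldest,
    the top one was added by the recipient's own MTA."""
    hops = []
    for rec in reversed(received_headers(raw)):
        m = HOP_RE.search(rec)
        if not m:
            hops.append({"raw": rec, "parsed": False})
            continue
        ip = IP_RE.search(m.group("ip") or m.group("from") or "")
        paren = m.group("paren") or ""
        helo = paren[4:].strip() if paren.upper().startswith("HELO") else None
        when = m.group("date")
        hops.append({
            "from": m.group("from"),
            "helo": helo,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "time_utc": parsedate_to_datetime(when).astimezone(timezone.utc) if when else None,
            "parsed": True,
        })
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops. Negative or multi-hour values point
    at a forged Received line or a badly set clock."""
    return [(cur["time_utc"] - prev["time_utc"]).total_seconds()
            for prev, cur in zip(hops, hops[1:])
            if prev.get("time_utc") and cur.get("time_utc")]


def flags(hops, max_gap=3600):
    """Things a human would circle when reading the chain."""
    out = []
    for i, h in enumerate(hops):
        if h.get("helo") and h.get("ip") and h["from"] == h["ip"]:
            out.append((i, "sender known only by IP; HELO name is unverified"))
    for i, d in enumerate(hop_delays(hops), start=1):
        if d < 0 or d > max_gap:
            out.append((i, f"{d:.0f}s since previous hop is implausible"))
    return out


if __name__ == "__main__":
    hops = trace(SAMPLE_HEADERS)
    for i, h in enumerate(hops):
        print(i, h["ip"], h["helo"], "->", h["by"], h["time_utc"])
    print(flags(hops))
```

On the posted headers this yields two hops, almost six hours apart in UTC, with the lower hop identifying its sender only by IP while the HELO claims smtp.albert-white.com. That is consistent with the post’s doubt about where the mail really came from: the only Received line you can trust is the one your own server wrote.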

Here’s the text of the e-mail:

Dear customer,

A package has arrived addressed to your name and address.

You will find a receipt of delivery attached to this letter.

Please open the letter and fill in the receipt in order to collect the package at the nearest FedEx office.

You can find the address of the nearest FedEx office on the site fedex.com.

Prepare a shipment online with FedEx and save time that you can use for something else. You can get information on prices, order pickup and packaging, monitor all your shipments by tracking them from home, etc., at fedex.com.

If you register now, you get a 15% discount on FedEx Express services online for 4 months from the registration date.

Yours faithfully,

Customer Service

FedEx

Update:

Danish Computerworld has an article today about the speculation that a Baltic group is behind the mail, which they call a phishing mail. According to Peter Kruse at CSIS, the virus is designed to spread over instant messengers and web-based mail services. It supposedly uses templates (if I translated the Danish word skabeloner right), so I suppose that means it actually sends out messages in people’s names. There was a phishing attempt earlier regarding Tele2, and they feel the method is fairly similar (the use of templates). The command center that the virus phones home to is in Russia, and Danish internet providers have blocked access to it in order to protect Danish surfers.

Catch all great for spamhunters

Wednesday, February 28th, 2007

I get one piece of advice over and over:

Make up a new e-mail address every time you have to register at a new service, or even post on someone else’s blog. Then you can just turn off that e-mail address if it ever gets harvested by a spammer.

That’s bad advice for regular people for one very good reason: to make it work, you’ll need to configure your domain as a catch-all. No matter what you put in front of the @, it’ll end up in your inbox until the day you “turn that particular address off”. One day you’ll wake up to in excess of (wildly estimated) five thousand mails in your inbox, because a spammer decided to misuse your domain as the from address, or decided to do a dictionary attack: sending mail to thousands of made-up addresses on your domain while trying to find valid ones. Also, turning off an address may not be all that easy unless you know a thing or two about the mail setup you’re using.

But it’s a very good idea if you’re a spamhunter, and live for tracking down people who sell their e-mail lists, or whose databases get hacked or whatever.

Pascal Van Hecke found out that Performancing.com’s database somehow ended up in the hands of a spammer. His findings were confirmed by another user.

You have won

Monday, February 26th, 2007

Yeah, right….

Just wanted to underscore how you should never trust spam. I received this e-mail to my two functioning e-mail addresses on a domain. Yep, there are two in existence, and both received the same e-mail. What are the chances of that, if this were indeed true? Very close to none!

We are happy to inform you that you have emerged a winner under the First Category, BankGiro International Promotion. The draws were officially announced this day 24th of February, 2007. Participants were selected through a computer ballot system drawn from 2,500,000 email addresses of individuals world wide. You have therefore been approved for a lump sum pay out of €1,000,000.00 (One Million Euros).

327 spams in my gmail account

Sunday, October 15th, 2006

I’ve had a gmail account for a while, and I’ve often used it to send abuse complaints and also for other things. It’s been available publicly, so I’ve always gotten a few spams a day.

October 11, that changed. A deluge of spam, seemingly from the same source, started that day. Today I noticed the count in my spam folder was off. Normally about 50 spams would accumulate during a month. Today I had 327.

(Screenshot: gmailspam)

The read messages are phishing messages, some of which I’ve reported as phishing.

I counted 251 messages with the same message body:

(Screenshot: menshealth spam)

And today the message body has changed to Cialis soft tabs. 34 and counting.

Tell me, does anyone else receive that many copies of the same spam? Remember that this is ONE e-mail account, not a catch all. And the spam is addressed to that e-mail address.

First Norwegian spam conviction

Sunday, October 8th, 2006

The first Norwegian has been convicted of spamming. It’s a tiny case, compared to US cases, and he got just a slap on the wrist in my opinion. They’re still hailing it as an important case.

Verdens Gang newspaper story (in Norwegian)
I haven’t found any English stories on this one yet.

Spam law in Russia

Wednesday, September 13th, 2006

I met Anna Vlasova from Kaspersky labs when I went to Holland for the Spam Symposium earlier this year. She was talking about a new law going into effect this summer, so I asked her for a breakdown. She has allowed me to post her e-mail text here, for all of you to read:

Yes, now we have a new version of some law articles (valid from July 2006), but it is not a ‘spam law’. It regulates the advertising process, so it covers only some part of the e-mail spam. But in Russia most of the e-mail spam is advertising.

In the latest version of the law, the following points are of crucial importance:

1. The introduction of the concept of ‘advertising distributed via electronic networks’. This means that the law applies to advertising sent via email, and spam which is of an advertising nature will be covered by this law. The word ‘spam’ itself is not used in the law.

2. The law also legislates the ‘opt-in’ principle (i.e. preliminary agreement to receive messages, or a subscription to messages).

3. It is assumed that an agreement to receive such messages does not exist, i.e. the originator of a mailing (for instance, a spammer) will have to show that the user agreed to receive advertising. Otherwise the advertising will be viewed as not in accordance with the law.

4. Automatic mailings are prohibited. It’s true that the law talks about prohibiting the use of tools which work ‘without human participation’. In such cases, it will be difficult to demonstrate that spam is sent fully automatically.

Here is a comment on the new law:
http://www.spamtest.ru/document.html?pubid=183916209&context=9562

and here is the text of the new law (article 18 covers ‘advertising distributed via electronic networks’): http://www.brandfabrica.ru/law/adv/ In Russian the title of Article 18 is “Статья 18. Реклама, распространяемая по сетям электросвязи и размещаемая на почтовых отправлениях”.

Guesspam on Gmail

Saturday, September 2nd, 2006

I created a Gmail account for my mom a few months ago. We gave the address to one other person, and then forgot about it. I found it again today and logged in.

She had 6 messages from her friend, and 46 spam messages (anything from before August 2 had been auto-deleted).
This for an address that’s never been in circulation.

Why? Her username is in the Norwegian dictionary…

Misconfigured mailservers keep on bouncing

Thursday, August 31st, 2006

I found multiple attempts to reach nonsense addresses on one of our domains this morning. It was so weird, I just had to blog it. I’ve redacted the domain, but kept the attempt count.

As far as I can tell, that domain was used as the from address in a spamrun. These message counts represent the MAILER-DAEMON bounces from misconfigured mail servers. When mail is rejected, they just keep on trying.

And no, I don’t accept bounces for non-existing addresses.

  36   dang.anything
  34   concocter.breadroot
  34   Millerbodhisattva
  33   cedillaacademe
  30   biconcavecircumvent
  24   complyambrosial
  18   conantcybernetics
  14   barnyarddeneb
  10   biconcavecannonball
   9   acetate.attention
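A count like the one above falls out of the rejection log of the receiving server. The following is an added example, not the author’s own tooling: it runs over a handful of constructed Postfix-style smtpd reject lines (documentation-range IPs, an `.invalid` domain, counts that are illustrative rather than the ones listed above), keeps only the rejections whose envelope sender marks them as bounces, and tallies them per nonexistent local part. It also lists clients that re-sent the same bounce after a 5xx permanent rejection, which is the “keep on trying” behaviour the post describes.

```python
import re
from collections import Counter

# Constructed Postfix-style log lines; not the author's log.
SAMPLE_LOG = """\
Aug 31 06:12:01 mx postfix/smtpd[2201]: connect from unknown[192.0.2.10]
Aug 31 06:12:01 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <dang.anything@example.invalid>: Recipient address rejected: User unknown in local recipient table; from=<> to=<dang.anything@example.invalid> proto=ESMTP helo=<mail.example.net>
Aug 31 06:12:31 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <dang.anything@example.invalid>: Recipient address rejected: User unknown in local recipient table; from=<> to=<dang.anything@example.invalid> proto=ESMTP helo=<mail.example.net>
Aug 31 06:13:02 mx postfix/smtpd[2203]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.20]: 550 5.1.1 <dang.anything@example.invalid>: Recipient address rejected: User unknown in local recipient table; from=<MAILER-DAEMON@example.org> to=<dang.anything@example.invalid> proto=ESMTP helo=<mail.example.org>
Aug 31 06:13:40 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <concocter.breadroot@example.invalid>: Recipient address rejected: User unknown in local recipient table; from=<> to=<concocter.breadroot@example.invalid> proto=ESMTP helo=<mail.example.net>
Aug 31 06:14:05 mx postfix/smtpd[2204]: NOQUEUE: reject: RCPT from relay.example.com[192.0.2.30]: 550 5.1.1 <nosuchuser@example.invalid>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.com> to=<nosuchuser@example.invalid> proto=ESMTP helo=<relay.example.com>
"""

REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]:.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>"
)

BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}


def is_bounce(sender):
    """Null envelope sender, or a MAILER-DAEMON/postmaster local part."""
    return sender == "" or sender.split("@", 1)[0].lower() in BOUNCE_SENDERS


def rejected_rcpts(lines):
    """Yield (client_ip, envelope_sender, recipient) for every RCPT reject."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("sender"), m.group("rcpt")


def backscatter_report(lines):
    """Bounces aimed at addresses that never existed, counted per local part,
    most frequent first."""
    c = Counter(rcpt.split("@", 1)[0]
                for _, sender, rcpt in rejected_rcpts(lines) if is_bounce(sender))
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))


def retrying_clients(lines, min_attempts=2):
    """Clients that re-sent the same bounce after a permanent 5xx rejection."""
    c = Counter((ip, rcpt)
                for ip, sender, rcpt in rejected_rcpts(lines) if is_bounce(sender))
    return sorted((ip, rcpt, n) for (ip, rcpt), n in c.items() if n >= min_attempts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for local, n in backscatter_report(lines):
        print(f"{n:4d}   {local}")
    print(retrying_clients(lines))
```

Ordinary misdirected mail with a real sender (the `bob@example.com` line) is deliberately left out of the tally, so the report only reflects backscatter from the forged from-address.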

Bounce verification has achilles heel

Saturday, August 12th, 2006

I found this post via Email spam/Topix:

IronPort Wants To Give Bounce Spam The Boot

In short, IronPort wants to outfit their mail server appliances with technology to sign outgoing mail, so that when a bounce comes back they’ll know whether the original message went out through their server.

The problem with that is an environment where some of the IronPort appliance’s customers are on other ISPs. It’s customary for an “outside” customer to use the outgoing mail server belonging to his ISP, even though incoming mail goes through the business mail server where his business domain resides.

In order for IronPort’s technology to work, all outgoing mail needs to go through that server, no matter where the sender is. Otherwise, guess what? No bounces, if you sent through an outside mail server!

The solution is trivial, but enforcing it may not be:

Use an authenticating outgoing mail server, often listening on a port other than the standard SMTP port. Just a question: how does that affect e-mail clients on cell phones?
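The general form of the technique the post describes is a BATV-style tag: the outbound server rewrites the envelope sender to `prvs=KDDDSSSSSS=user@domain` (key version, expiry day, truncated HMAC), and the inbound server, on any delivery with a null sender, accepts the bounce only if the recipient carries a valid tag. This is an added example written here to show the mechanism and its Achilles heel; it is not IronPort’s implementation, and the key, the HMAC construction and the expiry encoding (days since 1970 modulo 1000) are assumptions of this example. The last case in the test is the scenario the post worries about: a message sent through an outside server carries no tag, so its legitimate bounce is rejected.

```python
import hashlib
import hmac
import re
from datetime import date

# Secret shared by the outbound signer and the inbound verifier (constructed).
KEY = b"rotate-me-example-key"
EPOCH = date(1970, 1, 1)
TAG_RE = re.compile(r"prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<mac>[0-9a-f]{6})=(?P<orig>.+)")


def _days(d):
    """Days since the epoch; the expiry field stores this modulo 1000."""
    return (d - EPOCH).days


def _mac(key, key_version, ddd, addr):
    """6 hex chars of HMAC-SHA256 over key version, expiry day and address."""
    msg = f"{key_version}{ddd:03d}{addr}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def sign_sender(addr, key, today, lifetime_days=7, key_version=0):
    """Rewrite the envelope sender of outgoing mail as prvs=KDDDSSSSSS=user@domain."""
    local, domain = addr.rsplit("@", 1)
    ddd = (_days(today) + lifetime_days) % 1000
    mac = _mac(key, key_version, ddd, addr)
    return f"prvs={key_version}{ddd:03d}{mac}={local}@{domain}"


def verify_bounce_recipient(rcpt, key, today, lifetime_days=7):
    """For a delivery with MAIL FROM:<>, decide whether the recipient address
    is one we signed recently. Returns (accept, original_address_or_reason)."""
    m = TAG_RE.fullmatch(rcpt)
    if not m:
        # Untagged: either backscatter, or a bounce for mail that went out
        # through a server that does not sign (the post's Achilles heel).
        return False, "no tag: we never signed a message from this address"
    k, ddd, orig = m.group("k"), int(m.group("ddd")), m.group("orig")
    if not hmac.compare_digest(m.group("mac"), _mac(key, k, ddd, orig)):
        return False, "bad signature"
    # Expiry check that survives the modulo-1000 wrap of the day counter.
    if (ddd - _days(today)) % 1000 > lifetime_days:
        return False, "tag expired"
    return True, orig


if __name__ == "__main__":
    today = date(2006, 8, 12)
    tagged = sign_sender("alice@example.com", KEY, today)
    print("outgoing MAIL FROM:", tagged)
    print("bounce to tagged address:", verify_bounce_recipient(tagged, KEY, today))
    print("bounce to untagged address:",
          verify_bounce_recipient("alice@example.com", KEY, today))
```

The verifier never needs to remember which messages were sent; the key and the expiry window are all it needs, which is what makes this cheap to run on an appliance. It also shows why every outbound path has to go through the signer: a bounce for untagged mail is indistinguishable from backscatter.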