JaBbA's Hut - SPAM

Columbus Day SPAM Attack

nospam@example.com (JaBbA) — Mon, 09 Oct 2006 11:15:04 -0400

The last few months, the mailware writers have been taking advantage of the fact that even security people like to take their weekends off to blast the Internet with their latest and greatest creations.

Apparently, the pump-and-dump SPAMmers have decided to use the same tactic, and thought maybe the Columbus day weekend might be a good time to do it.

At work, my usual volume of SPAM on a Sunday is about 90,000 emails. Here's my current graph. That huge spike at the end - 204,000 email on Sunday.

Where are they coming from? Delivery failures. We've become the spoofed From: line for some spammer out there. And we're not the only ones.

It's getting nasty out there.

how fast will they use it?

nospam@example.com (JaBbA) — Thu, 20 Apr 2006 19:25:56 -0400

I found a pump-and-dump spam in my folders that had an email address to stop being on their list.

So I sent an email from a new address at 7:26pm to that address.

Any bets on how fast they start spamming the new address?

Spam King Busted

nospam@example.com (JaBbA) — Tue, 28 Feb 2006 16:37:01 -0500

Yeah, this is what a spammer looks like

The Secret Service is on the case....

Adam Vitale, aka Batch1 aka Baxter, 25, of Boynton Beach, FL, and his partner Todd Moeller, aka M3rk, of New Jersey, are accused of sending nearly 50,000 pieces of spam e-mail to more than 1.2 million AOL subscribers.

Yeah, 50,000 emails is nothing, but it's enough to put these scumbags behind bars.

Referrer Spam Solution

nospam@example.com (JaBbA) — Tue, 11 Oct 2005 12:12:36 -0400

The referrer SPAM has just gotten worse and worse. I see thousands of hits on my blog from zombies with references to various {xanax|cialis|viagra|phentenermine}, casino and porn websites.

I finally tooka little time and put in a blocking mechanism which seems to effectively stop them at the door - it's going to be like a SPAM filter, in that I'll need to keep tweaking it, but so far so good. If you need my solution, contact me. (I'm obviously not going to publicly comment on my actual solution).

But here's the somewhat scary part. Many of the refererring domains are subdomains of names that seem completely unrelated. That's not unusual - somehow I doubt that Jackie Zhao really runs a "blackfilmmakermag.com" website. (He doesn't. It's a gambling advertising domain). But at least one of them seems to be a legitimate site - did they sell access to their domain name, or has their DNS been hacked?

Registrant:
Mike Di Sabatino
*** deleted ****
Camarillo, CA 93011
United States

Registrar: DOTSTER
Domain Name: SUPERBIKECLUB.COM
Created on: 15-MAR-00
Expires on: 15-MAR-06
Last Updated on: 13-MAR-05

Administrative Contact:
DiSabatino, Michael ******deleted*******
**** deleted ******
Camarillo, CA 93011
US
****deleted****
****deleted****

Domain servers in listed order:
NS1.SJ1.NORTHSKY.COM
NS2.SJ1.NORTHSKY.COM

Northsky.com, check your servers! Michael, do you really want to be associated with buy-hydrocodone-online.superbikeclub.com ??????

German SPAM? Or Virus

nospam@example.com (JaBbA) — Mon, 16 May 2005 12:26:24 -0400

Actually, a little of both.

At some point, you'll get a German email today. It will either be a short message with a link:

Lese selbst:
http://www.npd.de/npd_info/deutschland/2005/d0405-39.html

Or a long tract:

In den fruehen Abendstunden des 13. Februar 1945 gegen 21:41 Uhr
heulten die Sirenen der Lazarettstadt Dresden das erste mal auf. Die Bewohner der Elbmetropole machten sich zu der Zeit noch keine Sorgen, da Dresden als Stadt ohne Bewaffnung und ohne militaerischen Nutzen bekannt war und von ca. 1,2 Millionen Frauen, Kindern und Greisen bewohnt wurde.

Gegen 22:09 Uhr gab der Rundfunk durch, daÃ die alliierten Bomberverbaende ihren Kurs geaendert haben und nun auf Dresden zufliegen. Kurz darauf befanden sich 244 britische Bomber am Himmel der deutschen Kulturstadt. Drei Stunden nach dieser ersten Angriffswelle - es befanden sich bereits alle verfuegbaren Rettungsmannschaften, Sanitaeter und Feuerwehmaenner in Dresden - verdunkelten weitere 500 Bomber den Himmel.
Am naechsten Tag folgte die letzte Angriffswelle mit erneut 300 US-B-17-Bombern. Zwischen 12:12 Uhr und 12:21 Uhr warfen diese 783 Tonnen Bomben ab. - Das entspricht mehr als 85 Tonnen pro Minute. Nach dem Abwerfen setzten die US-Bomber zum Tiefflug an und beschossen Fluechtende mit ihren Bordwaffen. In diesen drei Angriffsschlaegen, die insgesamt 14 Stunden andauerten, warfen die "Befreier" 650.000 Brandbomben und 200.000 Sprengbomben ab, welche einen Feuersturm von ueber 1000 Grad in der Stadt erzeugten. Obwohl Dresden weder Flugabwehr, noch Ruestungsindustrie oder aehnliche kriegswichtige Ziele besass wurden weit mehr als 350.000 unschuldige deutsche Zivilisten in diesen zwei Tagen kaltbluetig ermordet.

Keiner der schuldigen Alliierten wurde jemals fuer dieses brutale Kriegsverbrechen auch nur angeklagt und die Massenmedien und die bundesdeutsche Regierung schweigen diese Taten tot und sehen es nicht als noetig an den Opfern zu gedenken.!

It's an artifact of the Sober-Q Virus. Apparently, the virus targets European users with copies of itself, but targets the whole world with a political message related to the anniversary of the end of WWII and upcoming elections.

Don't trust the fact that US users seem to get only email. Delete the German emails immediately, in case it morphs to sending malware to everyone.

More info at SANS

They're still trying

nospam@example.com (JaBbA) — Fri, 04 Feb 2005 17:03:41 -0500

The Trackback SPAMmers are still trying. After their blast didn't work, they tried a trickle this morning - just one attempt every few minutes. Still didn't work, trackback moderation is on.

So just a couple minutes ago, I get the following moderation message:

A new comment has been posted on your blog "JaBbA's Rants", in the entry entitled "What the meaning of.....is".
Link to entry: http://jalcorn.net/politics/archives/2-What-the-meaning-of.....is.html

Requires review: Yes (Auto-moderation after X days)
User IP-address: 66.171.183.222
User Name: texas holdem
User Email: umuwb@ae65cf3638579985c6c77e30b1e722abb.com
User website: http://www.tigerspice.com

Comments:
Vertigo is anguish to the extent that I am afraid not of falling over the precipice, but of throwing myself over. by online poker

----

I dunno - were they thinking that if they hid the poker reference in a random sentence I'd allow the trackback?

Serendipity is wonderful.

Unintended Consequences

nospam@example.com (JaBbA) — Wed, 02 Feb 2005 11:57:14 -0500

I came across a SPAM blocking issue today that could be about to make life very difficult for spam fighters.

At this time, the SPAMmers seem to be ahead in the war against CipherTrust's IronMail appliance. It still blocks over 80% of the incoming SPAM, but hundreds of SPAMs are getting through, achieving SPAM scores similar to 'ham' email. I've had to lower my threshold for hand-administration of incoming email, increasing the workload at least 3x what it was before, because of all the SPAM complaints.

One of my strategies for mitigating this was to have an email address where users could forward any received SPAM. (We use Lotus Notes, so the automated reporting tools built into the appliance don't work, because Notes destroys the header information. There's many good things about Notes - SMTP mail handling is probably the biggest Bad Thing (tm)). I take emails sent to this mailbox, export them as text and run them through a perl script with parses out all the URLs, then insert those domains as SPAM. Any email coming in subsequently with those domains gets a +100, guaranteeing that it will get dropped as SPAM. It's been somewhat effective, although the SPAMmers are changing domains constantly, but I'm stopping an average of 1000+ more emails per day with this strategy.

But today, I got a shock. tinyurl.com appeared in my list.

For those of you that don't know, tinyurl.com is one of the most useful tools on the net - take one of those monster URLs that get munged by email clients, feed it to tinyurl, and you get a URL easily sent via email.

But now it's being abused by SPAMmers. I'm not blocking the domain yet, but I'll have to keep an eye on this development.

TinyURL needs to put in a 'captcha' to stop automated use of their tool. It will make it slightly less convenient, but it might just be enough to stop the spammers, whose high volume of data will make it less useful to get URLs by hand.

Are you listening, TinyURL?

S9y 0.8 Effectively stopped a SPAM attack

nospam@example.com (JaBbA) — Tue, 01 Feb 2005 10:12:33 -0500

S9y's comment administration

This morning I woke up to more than 100 messages from my blog that trackbacks had been created. And the developers list confirmed - all the blogs had been hit by the same spammer.

A Spammer had figured out the Trackback API, and an online casino had paid to be advertised.

The good news? We use Serendipity. And the spammer is going to have to refund the casino's money.

Not a single trackback actually appeared on my blog. It took me about 4 minutes to go through and delete all the trackbacks using the backend administration, and another minute to delete all the emails.

There's a lot of talk about how to solve this. My feeling, though, is that they didn't get any advertisement. It took just a couple minutes - and I have some idea for some small interface tweaks that could make cleaning up after this even faster. So right now, I'm happy with the solution in place.

Kristian, Christian, Sebastian and Tom also blogged about this, and Kristian implemented a patch that would stop at least the most common of these.

SPF Update: Beware...

nospam@example.com (JaBbA) — Wed, 01 Dec 2004 09:31:32 -0500

Well, I've been having just tons of SPF fun.

Some is good:

Nov 30 22:28:53 bigfoot postfix/smtpd[20736]: NOQUEUE: reject: RCPT from c-24-16-134-128.client.comcast.net[24.16.134.128]: 554 <spamcatcher@jalcorn.net>: Recipient address rejected: Please see http://spf.pobox.com/why.html? sender=spamcatcher%40jalcorn.net&ip=24.16.134.128&receiver=bigfoot; from=<spamcatcher@jalcorn.net> to=<spamcatcher@jalcorn.net> proto=SMTP helo=<c-24-16-134-128.client.comcast.net></code>

No, I didn't send that. It's SPAM, and it would have made it through the SPAM filters without SPF. Excellent!

Some is indifferent:

Nov 30 18:05:03 bigfoot postfix/smtpd[18180]: NOQUEUE: reject: RCPT from lale.tr.net[195.155.1.6]: 554 <spamcatcher@jalcorn.net>: Recipient address rejected: Please see http://spf.pobox.com/why.html? sender=r.jarvispx%40azzit.de&ip=195.155.1.6&receiver=bigfoot; from=<r.jarvispx@azzit.de> to=<spamcatcher@jalcorn.net> proto=ESMTP helo=<lale.trnet.com>

trnet.com is my old domain, and the Turkish ISP that bought it from me is forwarding my old address to me. I only get SPAM from it now, but I probably shouldn't be rejecting it. Lesson learned: make sure you know where ALL your valid forwarders are, not just your relayers.

Some is bad:

Dec 1 07:24:27 bigfoot postfix/smtpd[26770]: NOQUEUE: reject: RCPT from mta13.adelphia.net[68.168.78.44]: 554 <spamcatcher@groovysecurity.com>: Recipient address rejected: Please see http://spf.pobox.com/why.html? sender=spamcatcher%40jalcorn.net&ip=68.168.78.44&receiver=bigfoot; from=<spamcatcher@jalcorn.net> to=<spamcatcher@groovysecurity.com> proto=ESMTP helo=<mta13.adelphia.net>

This is me trying to send to someone else on my own mail server. the entries a:mail.adelphia.net and mx:adelphia.net don't work, because adelphia uses many different servers for OUTBOUND email but they're not on the mx list. I tried include:adelphia.net but the results are inconclusive - luckily, adelphia DOES publish the following SPF record:

adelphia.net. 3600 IN TXT "v=spf1 mx ip4:68.168.78.0/24 -all"

so this should work.

Finally, SPF

nospam@example.com (JaBbA) — Tue, 30 Nov 2004 16:48:56 -0500

Well, it took a little doing, but I finally have my mail server implementing a SPF rejection policy. No more SPAM from myself! When someone other than me sends a email from my domain, this is what happens:

Nov 30 16:41:06 bigfoot postfix/smtpd[17058]: NOQUEUE: reject: RCPT from notescom.lincolnelectric.com[99.99.99.99]: 554 <spamcatcher@jalcorn.net>: Recipient address rejected: Please see http://spf.pobox.com/why.html?sender = spamcatcher%40jalcorn.net&ip=99.99.99.99&receiver=bigfoot; from=<spamcatcher@jalcorn.net> to=<spamcatcher@jalcorn.net> proto=SMTP helo=<safemail.com>

and the sender gets DENIED:

My setup is in the extended entry....

Continue reading "Finally, SPF"

MS license is killing Anti-Spam

nospam@example.com (JaBbA) — Wed, 08 Sep 2004 14:44:30 -0400

Apache has rejected Sender ID because Microsoft's License on the technology that they injected into it would stop Open Source implementations.

ARG

nospam@example.com (JaBbA) — Fri, 03 Sep 2004 08:35:20 -0400

I just got hit with Blog SPAM.

Not just a couple. TWO HUNDERED comments about 2am today. Luckily, the CVS version of S9y I'm using allows me to moderate comments, so I'm turning that on.

Damn fake drug vendors. Scourge of the earth, I tell you.

Operation Slam Spam

nospam@example.com (JaBbA) — Thu, 26 Aug 2004 08:49:58 -0400

The Justice Department is announcing "Operation Slam Spam", a yearlong effort to arrest and prosecute Spammers, Phishers and other online cons. Apparently, stings have been set up to identify the people involved and gather the proof, and the arrests are coming soon.

Here's hoping, although they haven't shown any ability to follow up on this kind of stuff so far.

SPF, coming soon

nospam@example.com (JaBbA) — Mon, 09 Aug 2004 10:48:39 -0400

There's a good article on the current state of SPAM over at Netcraft. SPF, as outlined in the article, looks very promising (I'll be setting it up both at home and at work) but I doubt that it will reach critical mass any time soon. Unfortuntely, but not unexpected, Microsoft has a different idea.

The ideas have supposedly been combined as "Sender ID", but there's a big difference between SPF and Sender ID - Sender ID is encumbered by a Microsoft license.

I come not to bury Caesar, but to praise him

nospam@example.com (JaBbA) — Fri, 16 Jul 2004 09:43:42 -0400

OK, I don't have much good to say about Microsoft, but they did nail a SPAMmer for $4M.

A drop in the bucket - and the SPAMmer wasn't one of the big ones. But it's a start.