[Dshield] Spam related but kind of interesting

Chris Brenton cbrenton at chrisbrenton.org
Fri Dec 26 14:14:08 GMT 2003


I know Johannes said cool it on the spam stuff, but this has to do with
the owned systems so I thought people might find it interesting.

I'm noticing some patterns with some of the owned boxes on the net.
Check this out:

Dec 24 00:30:05 mailgate sendmail[8431]: hBO5U5HS008431:
ruleset=check_mail, arg1=<youngdoctors at msn.com>,
relay=cpe-66-169-6-082.spa.sc.charter.com [66.169.6.82], reject=550
5.0.0 <youngdoctors at msn.com>... Spammers grow from the puss on viruses
Dec 24 00:51:22 mailgate sendmail[8455]: hBO5pLHS008455:
ruleset=check_mail, arg1=<youngdoctors at msn.com>,
relay=pcp01120852pcs.flshng01.mi.comcast.net [68.61.168.245], reject=550
5.0.0 <youngdoctors at msn.com>... Spammers grow from the puss on viruses
Dec 24 01:17:23 mailgate sendmail[8510]: hBO6HMHS008510:
ruleset=check_mail, arg1=<youngdoctors at msn.com>,
relay=c-24-131-242-22.mw.client2.attbi.com [24.131.242.22], reject=550
5.0.0 <youngdoctors at msn.com>... Spammers grow from the puss on viruses

Then 2 days later they come back:

Dec 26 01:52:33 mailgate sendmail[17007]: hBQ6qWHS017007:
ruleset=check_mail, arg1=<youngdoctors at msn.com>,
relay=h00051b00a60c.ne.client2.attbi.com [24.91.156.160], reject=550
5.0.0 <youngdoctors at msn.com>... Spammers grow from the puss on viruses
Dec 26 02:13:32 mailgate sendmail[17058]: hBQ7DTHS017058:
ruleset=check_mail, arg1=<youngdoctors at msn.com>,
relay=evrtwa1-ar6-4-46-155-241.evrtwa1.dsl-verizon.net [4.46.155.241],
reject=550 5.0.0 <youngdoctors at msn.com>... Spammers grow from the puss
on viruses
Dec 26 02:45:10 mailgate sendmail[17086]: hBQ7j9HS017086:
ruleset=check_mail, arg1=<youngdoctors at msn.com>,
relay=24-52-87-61.clvdoh.adelphia.net [24.52.87.61], reject=550 5.0.0
<youngdoctors at msn.com>... Spammers grow from the puss on viruses

So when I 550 the spammer's inbound message, _another_ relay tried again
20 minutes later. The time interval varies between 10-50 minutes, but
the pattern is always the same (at least from this one spammer). I'm
sure this is to get around banned IPs. Obviously this speaks of an
intelligent master-->zombie config which tells me these zombies have to
be calling home at the end of a run to report the results of their
spamming attempt. It also speaks to a rather large network, as I've
never seen this spammer use the same IP twice.

The only TCP port I'm finding open consistently is NetBIOS. Some have
SOCKS running, some don't. Some have SMB/IP open, some don't. It's fairly
consistent that nmap cannot identify the target OS. It's also fairly
consistent that the source has a firewall running on it. The two do not
necessarily go hand in hand (detectable target may or may not have a
firewall running).

Scanning UDP ports, the only consistency was DHCP is open. Most (but not
all) have IKE open as well. So if the attacker has a way of remotely
controlling the box, they are not using a standard back door as I
checked all of those ports as well.

I'm starting to wonder if these boxes were taken over via social
engineering, as I'm not seeing a consistent pattern to the OS or the
config. If so, that could mean this spammer is responsible for one of
the back door e-mails that have been floating around. This is kind of
smart as they are less likely to get trapped in a honeypot because they
are not hitting random systems, just the ones with someone behind the
keyboard who clicks through.

Anyone have any additional thoughts or ideas on this?

Thanks,
C
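As an added example (not from Chris's post or the list), a small Python detector for the pattern he describes: it parses sendmail check_mail 550 rejects, groups them by sender, and flags senders whose retries keep arriving within an hour of each other, each from a relay IP not seen before for that sender. The log records, hostnames and addresses are constructed, and the parser assumes one record per line plus a supplied year, since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sendmail check_mail reject format quoted in the post (one record per line).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: ruleset=check_mail, "
    r"arg1=<(?P<sender>[^>]*)>, relay=(?P<host>\S+) \[(?P<ip>[\d.]+)\], reject=(?P<code>\d{3})"
)

# Constructed sample records; hosts and IPs are from documentation ranges, not real relays.
SAMPLE_LOG = """\
Dec 24 00:30:05 mailgate sendmail[8431]: hBO5U5HS008431: ruleset=check_mail, arg1=<sender@example.com>, relay=host-a.example.net [192.0.2.10], reject=550 5.0.0 <sender@example.com>... Rejected
Dec 24 00:51:22 mailgate sendmail[8455]: hBO5pLHS008455: ruleset=check_mail, arg1=<sender@example.com>, relay=host-b.example.net [192.0.2.20], reject=550 5.0.0 <sender@example.com>... Rejected
Dec 24 01:17:23 mailgate sendmail[8510]: hBO6HMHS008510: ruleset=check_mail, arg1=<sender@example.com>, relay=host-c.example.net [192.0.2.30], reject=550 5.0.0 <sender@example.com>... Rejected
Dec 24 03:00:00 mailgate sendmail[8600]: hBO8000S008600: ruleset=check_mail, arg1=<other@example.org>, relay=mx.example.org [198.51.100.5], reject=550 5.0.0 <other@example.org>... Rejected
Dec 24 03:20:00 mailgate sendmail[8601]: hBO8K00S008601: ruleset=check_mail, arg1=<other@example.org>, relay=mx.example.org [198.51.100.5], reject=550 5.0.0 <other@example.org>... Rejected
"""

def parse_rejects(text, year=2003):
    """Return one dict per check_mail reject line; the year is supplied because syslog omits it."""
    records = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        records.append({"ts": ts, "sender": m["sender"], "host": m["host"],
                        "ip": m["ip"], "code": int(m["code"])})
    return records

def find_rotating_senders(records, max_gap_minutes=60, min_attempts=3):
    """Flag senders whose 550-rejected attempts recur within max_gap_minutes, each from a new relay IP."""
    by_sender = defaultdict(list)
    for r in records:
        if r["code"] == 550:
            by_sender[r["sender"]].append(r)
    flagged = {}
    for sender, attempts in by_sender.items():
        attempts.sort(key=lambda r: r["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds() // 60)
                for a, b in zip(attempts, attempts[1:])]
        ips = {r["ip"] for r in attempts}  # same IP reused -> fewer IPs than attempts -> not flagged
        if (len(attempts) >= min_attempts and len(ips) == len(attempts)
                and all(g <= max_gap_minutes for g in gaps)):
            flagged[sender] = {"attempts": len(attempts), "distinct_ips": len(ips), "gaps_min": gaps}
    return flagged

if __name__ == "__main__":
    for sender, info in find_rotating_senders(parse_rejects(SAMPLE_LOG)).items():
        print(f"{sender}: {info['attempts']} rejects from {info['distinct_ips']} IPs, gaps {info['gaps_min']} min")
```

The second sender in the sample retries from the same relay and is deliberately not flagged, so the output separates an ordinary queue retry from the relay rotation described in the post.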
