[Dshield] "Academic Freedom" vs Computer Security

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Fri Feb 13 18:07:03 GMT 2004


Sorry for sending spam to a security list - Deb asked for it :)

Hi Deb,

On Fri, 13 Feb 2004 09:38:24 -0600 Deb Hale wrote:
> I use Postini

Yep, I see:
pionet.net  mail exchanger = 100 pionet.net.mail1.psmtp.com. etc.

> and have had none of the emails get through.  Erik, it doesn't look
> like yours actually was pasted on by Postini, rather it trapped it
> in Quarantine.  Is that the case?

No. The full spam stuff is in them. I do get whitelistings too, but I
have not seen any from/via Postini (but I'm not reading every message
as you can imagine, I'm just collecting evidence - in case it comes in
handy some day).

It is possible that all these MTAs that are bouncing to my site are
making things up (after all it is stuff in a message that anyone could
have typed). I can trust everything mailhost3.tudelft.nl tells me;
before that, things may be forged.

However, these messages all look quite similar, and I have no reason
to believe they serve any other purpose. Also note that by spoofing
sender addresses, these spammers will never know whether the spam
recipient exists or not (they could if Postini used "Forward Address
verification", and the recipient MTA rejects undeliverables upon
envelope RCPT TO).

Perhaps customers can tell Postini which blacklists they want, and
don't want them to use? Did you tell them anything similar? I can
imagine that some companies will want to accept most mail even if it
looks like spam, but just want to reject viruses. If you want to know
for sure, you can forward this to Postini and ask them if the messages
below indeed were transferred via their servers. MX lookups show that
accessatc.net and fidnet.com indeed are Postini customers.

BTW, I grepped approx. 700MB of bounces (since Jan 1) for "pionet" and
didn't get a single hit (but your email address may not be on the CD
"my" spamgang uses).

But like I said, it's not just Postini - a lot of sites do this (incl.
Yahoo, Hotmail, AOL etc). I'm also getting quite some similar bounces
from MessageLabs. I do get bounces with the string "Brightmail" in
them, but none are Received: headers (so they may have been added by
spammers, like they have been adding Habeas headers recently). In
fact, my MTA does it (spam is sent to former recipients, and it gets
bounced to usually innocent third parties). I've been trying to
convince our perimeter MTA admins (and policy makers) to start using
these eXploit BlackLists (XBL) but have been unsuccessful - so far.

Anyway, my MTA gets Joe-jobbed, like many others. It goes on all day
like this. Nothing I can do about it. 160000/month. I'll give 2 more
Postini examples (spam bodies removed by me), and a list of spamproxy
IPs used by spammers today to send junk via Postini.

Regards,
Erik van Straten

----------------------------------------------------------------
Return-Path: <>
Received: from mailhost3.tudelft.nl (mailhost3.tudelft.nl [130.161.180.14])
        by cpo.tn.tudelft.nl (Postfix) with ESMTP id 8801297B44
        for <patricapineda_ou at cpo.tn.tudelft.nl>; Fri, 13 Feb 2004 17:12:07 +0100 (CET)
Received: from 127.0.0.1 (localhost [127.0.0.1])
        by rav.antivirus (Postfix) with SMTP id 6C62EE393A
        for <patricapineda_ou at cpo.tn.tudelft.nl>; Fri, 13 Feb 2004 17:12:07 +0100 (MET)
Received: from mx01.accessatc.net (mx01.accessatc.net [216.81.96.108])
        by mailhost3.tudelft.nl (Postfix) with SMTP id C9E623BA8
        for <patricapineda_ou at cpo.tn.tudelft.nl>; Fri, 13 Feb 2004 17:12:06 +0100 (MET)
Received: (qmail 25505 invoked for bounce); 13 Feb 2004 16:11:20 -0000
Date: 13 Feb 2004 16:11:20 -0000
From: MAILER-DAEMON at smtp1.accessatc.net
To: patricapineda_ou at dutndo7.tn.tudelft.nl
Subject: failure notice
Message-Id: <20040213161206.C9E623BA8 at mailhost3.tudelft.nl>

Hi. This is the qmail-send program at smtp1.accessatc.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<mabrazel at almatel.net>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <patricapineda_ou at dutndo7.tn.tudelft.nl>
Received: (qmail 9056 invoked from network); 13 Feb 2004 16:09:09 -0000
Received: from unknown (HELO psmtp.com) (12.158.35.157)
  by mx01.accessatc.net with SMTP; 13 Feb 2004 16:09:08 -0000
Received: from source ([81.205.21.131]) by exprod6mx17.postini.com ([12.158.35.251]) with SMTP;
        Fri, 13 Feb 2004 11:08:51 EST
Message-ID: <211f01c3f24c$b9e3ad45$300466b6 at sihu.hu>
From: "Patrica K. Pineda" <patricapineda_ou at dutndo7.tn.tudelft.nl>
To: mabrazel at almatel.net
Subject: cheap víagra
Date: Fri, 13 Feb 2004 18:14:20 +0200
MIME-Version: 1.0
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

[Erik van Straten removed spam body]

-----------------------------------------------------------------

http://cbl.abuseat.org/lookup.cgi?ip=81.205.21.131
| IP Address 81.205.21.131 was found in the CBL.
|
| It was detected at 2004-02-12 22:00 GMT (+/- 30 minutes).

-----------------------------------------------------------------

This is from my "maildump" file since Fri, 13 Feb 2004 11:05:43 +0100
up to Fri, 13 Feb 2004 17:43:39 +0100. Undeliverable mail is simply
appended to it (mbox format).

Note: I rename the "maildump" file when it's approx 15-20MB, which
sometimes happens in less than 24 hours. When the file is missing,
the dump process automatically creates a new file:

> grep postini maildump | grep source

These messages were all accepted by Postini, forwarded to some company,
then the company finds out that the user does not exist, or mailbox is
full, or sends an Out of Office notification, or whitelisting request etc.
to my server. Most are also undeliverable at my site, but since spammers
use random names, some DO get delivered. My users are getting used to it.

I didn't check all IPs above but my best guess is they are backdoored
DSL boxes (which is apparently what "my" spamgang favours; I've some
indications that it's "Optin Global"):
http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Calvin%20Ho%20/%20Optin%20Global%20Inc.

Note: most boxes are probably listed on cbl.abuseat.org or spamcop.net.

The last one (I noticed in the list above it just came in), and you should
know that "dutndo7" is an alias for "cpo":
-----------------------------------------------------------------------------

Return-Path: <>
X-User-unknown: <HYXV at cpo.tn.tudelft.nl>
Received: from mailhost3.tudelft.nl (mailhost3.tudelft.nl [130.161.180.14])
        by cpo.tn.tudelft.nl (Postfix) with ESMTP id 764E397B44
        for <HYXV at cpo.tn.tudelft.nl>; Fri, 13 Feb 2004 17:16:32 +0100 (CET)
Received: from 127.0.0.1 (localhost [127.0.0.1])
        by rav.antivirus (Postfix) with SMTP id 5C15C479F
        for <HYXV at cpo.tn.tudelft.nl>; Fri, 13 Feb 2004 17:16:32 +0100 (MET)
Received: from mail.fidnet.com (four.fidnet.com [216.229.64.74])
        by mailhost3.tudelft.nl (Postfix) with SMTP id 97CA16266
        for <HYXV at cpo.tn.tudelft.nl>; Fri, 13 Feb 2004 17:16:31 +0100 (MET)
Received: (qmail 10523 invoked for bounce); 13 Feb 2004 16:15:30 -0000
Date: 13 Feb 2004 16:15:30 -0000
From: MAILER-DAEMON at mail.fidnet.com
To: HYXV at dutndo7.tn.tudelft.nl
Subject: failure notice
Message-Id: <20040213161631.97CA16266 at mailhost3.tudelft.nl>

Hi. This is the qmail-send program at mail.fidnet.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<lbjr at fidnet.com>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <HYXV at dutndo7.tn.tudelft.nl>
Received: (qmail 10493 invoked from network); 13 Feb 2004 16:15:29 -0000
Received: from exprod6mx53.postini.com (HELO psmtp.com) (12.158.35.197)
  by mail.fidnet.com with SMTP; 13 Feb 2004 16:15:29 -0000
Received: from source ([66.189.220.53]) by exprod6mx53.postini.com ([12.158.35.251]) with SMTP;
        Fri, 13 Feb 2004 11:15:27 EST
Message-ID: <0ae101c3f24f$41393435$0468e9c4 at LfuMSC>
From: "Microsoft Windows Necessity" <HYXV at dutndo7.tn.tudelft.nl>
To: lbjr at fidnet.com
Subject: Secure Your computer
Date: Fri, 13 Feb 2004 11:38:15 -0500
Mime-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_929_A861_2BFBA861.2BFBA861"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

This is a multi-part message in MIME format.

------=_NextPart_929_A861_2BFBA861.2BFBA861
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

The online store:
http://211.97.46.44/ee/?qZqTI

[Erik van Straten removed random spam crap]

------=_NextPart_929_A861_2BFBA861.2BFBA861
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

[Erik van Straten removed html spam body]

------=_NextPart_929_A861_2BFBA861.2BFBA861--

---------------------------------------------------------

http://cbl.abuseat.org/lookup.cgi?ip=66.189.220.53
| IP Address 66.189.220.53 was found in the CBL.
|
| It was detected at 2004-02-12 05:00 GMT (+/- 30 minutes).
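Added example (not Erik's code, and not anything Postini or DShield ship): it takes a qmail bounce of the shape quoted above and separates the two facts a defender can act on: the peer that handed the bounce to the one MTA we trust (mailhost3.tudelft.nl, whose stamp is the trust boundary Erik describes) and the "from source" IP claimed inside the copied spam, which is only a lead because everything before our own MTA may be forged. The sample bounce is a constructed, trimmed copy of the first bounce on the page.

```python
import re
from email import message_from_string

# Constructed sample, trimmed from the first bounce quoted in the post.
SAMPLE_BOUNCE = """Return-Path: <>
Received: from mx01.accessatc.net (mx01.accessatc.net [216.81.96.108])
        by mailhost3.tudelft.nl (Postfix) with SMTP id C9E623BA8
        for <patricapineda_ou@cpo.tn.tudelft.nl>; Fri, 13 Feb 2004 17:12:06 +0100 (MET)
Received: (qmail 25505 invoked for bounce); 13 Feb 2004 16:11:20 -0000
From: MAILER-DAEMON@smtp1.accessatc.net

Hi. This is the qmail-send program at smtp1.accessatc.net.

--- Below this line is a copy of the message.

Return-Path: <patricapineda_ou@dutndo7.tn.tudelft.nl>
Received: from unknown (HELO psmtp.com) (12.158.35.157)
  by mx01.accessatc.net with SMTP; 13 Feb 2004 16:09:08 -0000
Received: from source ([81.205.21.131]) by exprod6mx17.postini.com ([12.158.35.251]) with SMTP;
        Fri, 13 Feb 2004 11:08:51 EST
From: "Patrica K. Pineda" <patricapineda_ou@dutndo7.tn.tudelft.nl>
"""

COPY_MARKER = "--- Below this line is a copy of the message."
# "from <name> (<anything> [<ip>]) by <host>" as Postfix stamps it
BY_RE = re.compile(r"from\s+(\S+)\s+\([^\]]*\[([\d.]+)\]\)\s+by\s+(\S+)")
# Postini's own stamp naming the client that injected the spam
SOURCE_RE = re.compile(r"from source \(\[([\d.]+)\]\)\s+by\s+(\S+\.postini\.com)")

def split_bounce(raw):
    """Split a qmail bounce into (bounce part, copied original message)."""
    head, _, copy = raw.partition(COPY_MARKER)
    return head, copy.lstrip("\n")

def trusted_neighbor(bounce_part, trusted_mta):
    """Return (peer name, peer IP) from the hop stamped by our own MTA.
    That stamp is the last thing in the chain we can vouch for."""
    for hop in message_from_string(bounce_part).get_all("Received", []):
        m = BY_RE.search(" ".join(hop.split()))  # unfold the header first
        if m and m.group(3) == trusted_mta:
            return m.group(1), m.group(2)
    return None

def claimed_postini_source(copied_original):
    """Return (source IP, Postini relay) claimed inside the copied spam.
    Nothing here is verifiable from our side; treat it as a lead only."""
    for hop in message_from_string(copied_original).get_all("Received", []):
        m = SOURCE_RE.search(" ".join(hop.split()))
        if m:
            return m.group(1), m.group(2)
    return None
```

Run over a whole mbox dump, `claimed_postini_source` yields the same list Erik's `grep postini maildump | grep source` produces, while `trusted_neighbor` tells you which customer MTA is actually generating the backscatter.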
