[Dshield] HELO friend Spammers

jayjwa jayjwa at atr2.ath.cx
Sat Feb 11 23:17:51 GMT 2006



OK, this has been going on a long time now, and I'm still no closer to 
figuring it out, so I thought I'd ask on-list. Sure you've seen the spam I'm 
talking about, it's from some bogus pills or something, advertising one of 
many fly-by-night webhosting outfits that are invariably based in China. What 
made me take notice of this spam is that it comes in waves of spamming 
machines, about 15-20 per wave, all trying to deliver this spam with similar 
forged From: entries. The one outstanding characteristic, and the one that 
makes this spam easy to stop, is whoever designed the spamming software 
(probably a bot; more on that in a minute) made the mistake of always using 
the client HELO SMTP greeting set to "friend". Looks like this:



Return-Path: <simon at repairnet.biz>
Received: from friend (24-54-83-146.bflony.adelphia.net [24.54.83.146])
         by atr2.ath.cx (8.13.5/8.13.5) with ESMTP id k1BKxaJW028789
         for <slrndfsp16.cvh.jayjwa at vdrl.ath.cx>; Sat, 11 Feb 2006 15:59:49 
         -0500
Message-ID: <000001c62f4e$1a30d400$0100007f at your-ae066c3a9b>
From: "Rogert" <simon at repairnet.biz>
To: <slrndfsp16.cvh.jayjwa at vdrl.ath.cx>
Subject: All products for your health!
Date: Sat, 11 Feb 2006 15:59:52 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
         type="multipart/alternative";
         boundary="------------ms090703050903000705030501"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180



The target addresses are harvested from Usenet/NNTP servers. In the example 
above, the harvesting software has incorrectly identified a News User-Agent as 
an email address, and attempted to send to it:

slrndfsp16.cvh.jayjwa at vdrl.ath.cx

This seemingly random string is the product of the Linux news reader known as 
SLRN, which has the IMNSHO nasty habit of appending "slrn"(random letters) onto 
the user's real email name and host. While this won't get the user himself 
spammed, it does draw a clear path back to the server, and the postmaster will 
see thousands of attempts to some unknown user slrn.*@.*.

These spams are easy enough to block: we can use a regex filter on the rcpt 
name of 'slrn.*@.*', or on the connection's helo of 'friend':


Jan 28 10:32:06 atr2 sm-mta[12370]: NOQUEUE: connect from c-67-177-248-134.hsd1.co.comcast.net [67.177.248.134]
Jan 28 10:32:06 atr2 sm-mta[12370]: k0SFW6We012370: Milter (milter-regex): init success to negotiate
Jan 28 10:32:06 atr2 sm-mta[12370]: k0SFW6We012370: Milter: connect to filters
Jan 28 10:32:09 atr2 sm-mta[12370]: k0SFW6We012370: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.

Jan 28 10:32:14 atr2 sm-mta[12372]: NOQUEUE: connect from c-67-177-248-134.hsd1.co.comcast.net [67.177.248.134]
Jan 28 10:32:14 atr2 sm-mta[12372]: k0SFWEdm012372: Milter (milter-regex): init success to negotiate
Jan 28 10:32:14 atr2 sm-mta[12372]: k0SFWEdm012372: Milter: connect to filters
Jan 28 10:32:17 atr2 sm-mta[12372]: k0SFWEdm012372: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.


Feb  1 13:06:46 atr2 sm-mta[6188]: NOQUEUE: connect from static-70-20-202-95.phil.east.verizon.net [70.20.202.95]
Feb  1 13:06:47 atr2 sm-mta[6188]: k11I6kwY006188: Milter (milter-regex): init success to negotiate
Feb  1 13:06:47 atr2 sm-mta[6188]: k11I6kwY006188: Milter: connect to filters

Feb  1 13:06:49 atr2 sm-mta[6190]: NOQUEUE: connect from static-70-20-202-95.phil.east.verizon.net [70.20.202.95]
Feb  1 13:06:49 atr2 sm-mta[6190]: k11I6nE3006190: Milter (milter-regex): init success to negotiate
Feb  1 13:06:49 atr2 sm-mta[6190]: k11I6nE3006190: Milter: connect to filters
Feb  1 13:06:50 atr2 sm-mta[6188]: k11I6kwY006188: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.

Feb  1 13:06:51 atr2 sm-mta[6192]: NOQUEUE: connect from static-70-20-202-95.phil.east.verizon.net [70.20.202.95]
Feb  1 13:06:51 atr2 sm-mta[6192]: k11I6psv006192: Milter (milter-regex): init success to negotiate
Feb  1 13:06:51 atr2 sm-mta[6192]: k11I6psv006192: Milter: connect to filters
Feb  1 13:06:52 atr2 sm-mta[6190]: k11I6nE3006190: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.

Feb  1 13:06:53 atr2 sm-mta[6194]: NOQUEUE: connect from static-70-20-202-95.phil.east.verizon.net [70.20.202.95]
Feb  1 13:06:53 atr2 sm-mta[6194]: k11I6r3x006194: Milter (milter-regex): init success to negotiate
Feb  1 13:06:53 atr2 sm-mta[6194]: k11I6r3x006194: Milter: connect to filters
Feb  1 13:06:54 atr2 sm-mta[6192]: k11I6psv006192: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.
Feb  1 13:06:56 atr2 sm-mta[6194]: k11I6r3x006194: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.

Feb  1 18:43:53 atr2 sm-mta[17896]: NOQUEUE: connect from 24.115.213.87.res-cmts.sth.ptd.net [24.115.213.87]
Feb  1 18:43:53 atr2 sm-mta[17896]: k11NhrAb017896: Milter (milter-regex): init success to negotiate
Feb  1 18:43:53 atr2 sm-mta[17896]: k11NhrAb017896: Milter: connect to filters
Feb  1 18:43:56 atr2 sm-mta[17896]: k11NhrAb017896: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.

Feb  1 18:43:57 atr2 sm-mta[18187]: NOQUEUE: connect from 24.115.213.87.res-cmts.sth.ptd.net [24.115.213.87]
Feb  1 18:43:58 atr2 sm-mta[18187]: k11NhvnO018187: Milter (milter-regex): init success to negotiate
Feb  1 18:43:58 atr2 sm-mta[18187]: k11NhvnO018187: Milter: connect to filters
Feb  1 18:44:01 atr2 sm-mta[18187]: k11NhvnO018187: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.

Feb  1 18:46:51 atr2 sm-mta[20933]: NOQUEUE: connect from 24.115.213.87.res-cmts.sth.ptd.net [24.115.213.87]
Feb  1 18:46:51 atr2 sm-mta[20933]: k11Nkppe020933: Milter (milter-regex): init success to negotiate
Feb  1 18:46:51 atr2 sm-mta[20933]: k11Nkppe020933: Milter: connect to filters
Feb  1 18:46:55 atr2 sm-mta[20933]: k11Nkppe020933: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.

Feb  1 18:46:56 atr2 sm-mta[20935]: NOQUEUE: connect from 24.115.213.87.res-cmts.sth.ptd.net [24.115.213.87]
Feb  1 18:46:56 atr2 sm-mta[20935]: k11Nkujo020935: Milter (milter-regex): init success to negotiate
Feb  1 18:46:56 atr2 sm-mta[20935]: k11Nkujo020935: Milter: connect to filters
Feb  1 18:47:00 atr2 sm-mta[20935]: k11Nkujo020935: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.

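As an added illustration (not the poster's own code or milter-regex configuration), the snippet below applies the two checks the post describes to log lines shaped like the ones above: it recognises harvested SLRN "recipients" with the 'slrn.*@.*' pattern, pairs each sendmail connect line with the later helo=friend reject of the same sm-mta child, and clusters the rejects into waves so the per-host counts of one burst can be seen at a glance. The log sample is constructed from a subset of the lines in the post, and the year 2006 is assumed since syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the milter-regex log lines quoted in the post.
SAMPLE_LOG = """\
Jan 28 10:32:06 atr2 sm-mta[12370]: NOQUEUE: connect from c-67-177-248-134.hsd1.co.comcast.net [67.177.248.134]
Jan 28 10:32:09 atr2 sm-mta[12370]: k0SFW6We012370: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.
Feb  1 13:06:46 atr2 sm-mta[6188]: NOQUEUE: connect from static-70-20-202-95.phil.east.verizon.net [70.20.202.95]
Feb  1 13:06:49 atr2 sm-mta[6190]: NOQUEUE: connect from static-70-20-202-95.phil.east.verizon.net [70.20.202.95]
Feb  1 13:06:50 atr2 sm-mta[6188]: k11I6kwY006188: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.
Feb  1 13:06:52 atr2 sm-mta[6190]: k11I6nE3006190: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.
Feb  1 18:43:53 atr2 sm-mta[17896]: NOQUEUE: connect from 24.115.213.87.res-cmts.sth.ptd.net [24.115.213.87]
Feb  1 18:43:56 atr2 sm-mta[17896]: k11NhrAb017896: Milter: helo=friend, reject=554 5.7.1 [BANNED] SPAMMERS are no one's friends: transaction logged, reporting to ISP.
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sm-mta\[(?P<pid>\d+)\]: "
CONNECT_RE = re.compile(TS + r"NOQUEUE: connect from \S+ \[(?P<ip>[\d.]+)\]")
REJECT_RE = re.compile(TS + r"\S+: Milter: helo=(?P<helo>[^,]+), reject=")
SLRN_RCPT_RE = re.compile(r"^slrn.*@.*", re.I)  # the rcpt filter from the post

def is_harvested_slrn_rcpt(rcpt):
    """True when the recipient is really an SLRN User-Agent string, not a user."""
    return bool(SLRN_RCPT_RE.match(rcpt))

def parse_rejects(log_text, year=2006):
    """Pair each connect line with the later HELO reject of the same sm-mta
    child (pid); return (time, ip, helo) tuples. The year is assumed."""
    pending, events = {}, []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            pending[m["pid"]] = m["ip"]
            continue
        m = REJECT_RE.match(line)
        if m and m["pid"] in pending:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, pending.pop(m["pid"]), m["helo"]))
    return events

def waves(events, gap=timedelta(minutes=5)):
    """Cluster rejects into waves; a gap longer than `gap` starts a new one."""
    result = []  # list of (wave_start, wave_end, {ip: reject_count})
    for ts, ip, _helo in sorted(events):
        if result and ts - result[-1][1] <= gap:
            start, _end, ips = result[-1]
            ips[ip] = ips.get(ip, 0) + 1
            result[-1] = (start, ts, ips)
        else:
            result.append((ts, ts, {ip: 1}))
    return result
```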

The reason I think that a botnet is behind this is because:

1) The spamming hosts attack in sync: nothing, then suddenly a sustained 4-5 
minute constant barrage of attempts from a bunch of hosts, then it goes quiet 
again until the next wave.

2) All the hosts act similarly, e.g., same number of attempted connections, same 
behavior, as if they were all running under the same program.

3) Of the ones I've checked, and if the p0f utility is correct, these are all 
Windows hosts; most are well-connected, broadband/cable connections w/static 
IPs. Comcast, Verizon, Adelphia, Shawcable, Broadband.hu, Charter, etc.

4) Hosts come from all over the world.

5) Many IRC bots include email harvesting functions from Usenet, which these 
certainly do.


It appears to be a large-scale, botnet-driven operation which is organised 
with a clear purpose; this I think makes it stand out from usual noise. I'd 
like to know if anyone has any more info on this, particularly more about the 
botnet side of it. The best would be a sample of the program running on the 
hosts, which I suspect is likely a bot, possibly a modified rbot variant. From 
that, working towards the central botserver would definitely be more 
productive in ending this spam run, as going after individual hosts (which are 
likely infected by advanced malware and invisible to most day-to-day users) 
hasn't worked and probably will continue not to work.



-- 
j
