[Dshield] PDF Spam Wave

jayjwa jayjwa at atr2.ath.cx
Fri Aug 3 22:20:22 GMT 2007


I've read the diaries, so I do know others are seeing PDF spam. What I'd like 
to see is if it's also spoofing your domains/hosts. Let me explain.

On Aug. 1st about midnight, a massive influx of mail started such as I never 
saw. Mailservers from all over, places I never heard of, started trying to 
deliver...something. These connections were about 2-3 per second, then after 
about 6-7 hours slowed to 2-3 per minute. They all had "bounces" for a host on 
the intranet. Only thing was, no one there ever sent any mail! They looked 
like so:

Return-Path: <guida at vdrl.ath.cx>
Received: (snipe 12352 invoked by uid 0); 1 Aug 2007 16:02:21 +0900
Received: from guida at vdrl.ath.cx with  Spamsniper 2.96.00 (Processed in 
1.026274 secs);

Received: from unknown (HELO 168.66.5.122.broad.zb.sd.dynamic.163data.com.cn) 
(122.5.66.168)

   by unknown with SMTP; 1 Aug 2007 16:02:20 +0900
X-SNIPER-SPF: none (localhost: domain at vdrl.ath.cx does not designate 
permitted sender hosts)
X-SNIPER-SENDERIP: 122.5.66.168
X-SNIPER-MAILFROM: guida at vdrl.ath.cx
X-SNIPER-RCPTTO: 0910 at sbc.or.kr
Received: from ZHANGZONG ([132.40.28.26])
         by vdrl.ath.cx.local (8.13.2/8.13.2) with SMTP id snSMiiAiFR9660;
         Tue, 31 Jul 2007 15:04:55 +0800
Message-ID: <AF274A0C.78CCEF7 at vdrl.ath.cx>
Date: Tue, 31 Jul 2007 15:04:54 +0800
From: Semion <guida at vdrl.ath.cx>
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
MIME-Version: 1.0
To: 0910 at sbc.or.kr
Subject: investor letter-9230485907
Right off there are several things wrong here. There's no "guida" user, and 
the Sendmail version is totally wrong, the real one is 8.14.1. It's a fake, 
and a bad one at that. The server trying to kick this "back" to me tells more, 
supposedly 122.5.66.168, I'd imagine 
168.66.5.122.broad.zb.sd.dynamic.163data.com.cn submitted this to them. So, we 
have a spammer, spoofing as my host, and sending to an account that doesn't 
exist, which makes it rebound back and again hit me, because I was the supposed 
"sender" (only I obviously never sent it):

Final-Recipient: RFC822; guida at vdrl.ath.cx
Action: failed
Status: 5.1.1
Remote-MTA: DNS; [192.168.10.76]
Diagnostic-Code: SMTP; 550 5.1.1 <guida at vdrl.ath.cx>... User unknown
Last-Attempt-Date: Wed, 1 Aug 2007 03:06:59 -0400

--l7176xW0020060.1185952019/atr2.ath.cx
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <postmaster at sniper.sbc.or.kr>
Received: from sniper.sbc.or.kr ([121.162.117.135])
         by atr2.ath.cx (8.14.1/8.14.1) with SMTP id l7176jW0020033
         for <guida at vdrl.ath.cx>; Wed, 1 Aug 2007 03:06:50 -0400
Message-Id: <200708010706.l7176jW0020033 at atr2.ath.cx>
Received: (snipe 12354 invoked for bounce); 1 Aug 2007 16:02:21 +0900
Date: 1 Aug 2007 16:02:21 +0900
From: postmaster at sniper.sbc.or.kr
To: guida at vdrl.ath.cx
Subject: failure notice
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="--Jiransoft of Spamsniper Server"


<0910 at sbc.or.kr>:
163.163.32.10 does not like recipient.
Remote host said[Response Message]: 550 5.1.1 User unknown
Giving up on 163.163.32.10.


This is what I'm getting flooded with: bogus bounces, all from mailservers. 
The flood of incoming connections and the server having to deal with them 
quickly exhausted what bandwidth I had. Finally I resorted to taking mail from 
only known hosts, for about 14 hours or so.

tcpwrappers (mx1.visi.net, 209.96.253.156) rejection
tcpwrappers (mail.e-isco.com, 12.108.20.7) rejection
tcpwrappers (mail.e-isco.com, 12.108.20.7) rejection
tcpwrappers (mail.pesengineers.com, 71.16.6.66) rejection
tcpwrappers (mail.rinet36.org, 208.247.111.24) rejection
tcpwrappers (mailgate3.nau.edu, 134.114.96.145) rejection
tcpwrappers (mx01.mta.xmission.com, 166.70.13.211) rejection
tcpwrappers (pm2.irt.drexel.edu, 144.118.29.82) rejection
tcpwrappers (magnum.websitewelcome.com, 70.86.17.98) rejection
tcpwrappers (bglbbmr1-a-fixed.dataone.in, 218.248.240.59) rejection
tcpwrappers (m17.spamarrest.com, 66.150.163.166) rejection
tcpwrappers (mail.royell.com, 64.38.151.33) rejection
tcpwrappers (iris1.directnic.com, 69.46.238.251) rejection
tcpwrappers (ns1.siteground134.com, 67.15.250.7) rejection
tcpwrappers (toq1.bellnexxia.net, 209.226.175.120) rejection
tcpwrappers (relay4.hrnoc.net, 216.120.225.16) rejection
tcpwrappers (ns1.xko.net.uk, 195.11.5.16) rejection
tcpwrappers (mail.daisy.cz, 193.165.105.114) rejection
tcpwrappers (rs-so-b1.amenworld.com, 62.193.206.26) rejection
tcpwrappers (relay4.hrnoc.net, 216.120.225.16) rejection
tcpwrappers (pas2.datec.net.pg, 202.95.202.5) rejection
...
and on and on...


Since then it's continued, but slower so that it's manageable by sinking at the 
door anything not to a real user. PDF spam is one thing, spam arriving from 
somewhere to you, but this is spam that ping-pongs around and ends in the 
postmaster mailbox, which seems kinda pointless. Is anyone else seeing this 
type, and are your domain(s) getting spoofed?

Some of the fake "users":

Malbonduota at vdrl.ath.cx
Leho at vdrl.ath.cx
Manouchehr at vdrl.ath.cx
Anglequefleshood at vdrl.ath.cx
Vinicius at vdrl.ath.cx
FRANK_Berlin at vdrl.ath.cx
gurinderButter at vdrl.ath.cx
krietemeyerpokhk at vdrl.ath.cx

...and the funniest...

Aug  1 01:57:46 atr2 sm-mta[19264]: l715veW4019264: Milter: 
to=<Korneliusblumer at vdrl.ath.cx>, discard

I saw Mr. Korneliusblumer several times, so possibly this is a list, and I 
caught the attention of a botnet?
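The triage the post describes (bounces for accounts that never existed, and an "original" message whose Received line claims a Sendmail version the host does not run) can be automated at the MX before the message reaches the postmaster box. The script below is an added example written for this archive page, not jayjwa's code; the host names, the user list and the 8.14.1 version are taken from the post as assumptions, and the two sample bounces are constructed to mirror the quoted DSN with documentation addresses substituted.

```python
"""Triage incoming bounces (DSNs) for backscatter: bounces of mail that never
left our hosts, addressed to local users that do not exist.
Added example modelled on the bounce quoted in the post; not the poster's code.
Hosts, version and user list are assumptions taken from the post."""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_HOSTS = ("vdrl.ath.cx", "atr2.ath.cx")   # assumption: the poster's hosts
OUR_MTA_VERSION = "8.14.1"                    # the post says the real Sendmail is 8.14.1
VALID_USERS = {"postmaster", "jayjwa"}        # assumption: the real local accounts

# "by <host> (<version>/<config>)" as Sendmail writes it into Received headers
RECEIVED_BY = re.compile(r"\bby\s+(\S+)\s+\(([^/)]+)/[^)]*\)", re.I)

# Constructed sample: backscatter shaped like the bounce in the post
# (remote addresses and IPs replaced with documentation values).
BACKSCATTER_BOUNCE = """\
Return-Path: <>
From: postmaster@sniper.example.kr
To: guida@vdrl.ath.cx
Subject: failure notice
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; sniper.example.kr

Final-Recipient: RFC822; 0910@example.kr
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from ZHANGZONG ([203.0.113.26])
        by vdrl.ath.cx.local (8.13.2/8.13.2) with SMTP id snSMiiAiFR9660;
        Tue, 31 Jul 2007 15:04:55 +0800
From: Semion <guida@vdrl.ath.cx>
To: 0910@example.kr
Subject: investor letter

(pdf attachment would be here)
--B1--
"""

# Constructed sample: a genuine bounce for mail a real user sent through our MX.
LEGIT_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.org
To: jayjwa@vdrl.ath.cx
Subject: Undelivered Mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: RFC822; nobody@example.org
Action: failed
Status: 5.2.1

--B2
Content-Type: message/rfc822

Received: from localhost ([127.0.0.1])
        by atr2.ath.cx (8.14.1/8.14.1) with ESMTP id l71XYZ789
        for <nobody@example.org>; Wed, 1 Aug 2007 08:59:00 -0400
From: jayjwa@vdrl.ath.cx
To: nobody@example.org
Subject: hello

body
--B2--
"""


def claims_our_host(host):
    # Loose match on purpose: the forged header in the post used the real name
    # with ".local" appended, and we still want to inspect that line.
    return any(ours in host.lower() for ours in OUR_HOSTS)


def analyse_bounce(raw):
    """Return a verdict dict; 'backscatter' is True when any reason fires."""
    msg = message_from_string(raw)
    reasons = []
    is_bounce = msg.get("Return-Path", "").strip() in ("", "<>")
    # A bounce addressed to an account we never had cannot be for mail we sent.
    local_part = parseaddr(msg.get("To", ""))[1].split("@")[0]
    if local_part not in VALID_USERS:
        reasons.append(f"addressed to non-existent local user {local_part!r}")
    final_recipient = status = original = None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            for block in part.get_payload():        # one header block per recipient
                if block.get("Final-Recipient"):
                    final_recipient = block["Final-Recipient"].split(";")[-1].strip()
                    status = block.get("Status", "").strip()
        elif ctype == "message/rfc822":
            original = part.get_payload(0)          # the message that "bounced"
    if original is not None:
        seen_ours = False
        for hdr in original.get_all("Received", []):
            m = RECEIVED_BY.search(re.sub(r"\s+", " ", hdr))
            if m and claims_our_host(m.group(1)):
                seen_ours = True
                if m.group(2) != OUR_MTA_VERSION:   # forged relay line, as in the post
                    reasons.append(f"original claims relay by {m.group(1)} running "
                                   f"{m.group(2)}, but we run {OUR_MTA_VERSION}")
        if not seen_ours:
            reasons.append("original never passed through our MTA")
    return {"is_bounce": is_bounce, "backscatter": bool(reasons), "reasons": reasons,
            "final_recipient": final_recipient, "status": status}


if __name__ == "__main__":
    for name, raw in (("backscatter", BACKSCATTER_BOUNCE), ("legit", LEGIT_BOUNCE)):
        print(name, analyse_bounce(raw))
```

The non-existent-user test alone already covers the case the post handles by "sinking at the door"; the Received-line check catches the subtler case where a spammer forges a real local name, since the relay line it invents still has to claim software and a host it cannot know. Both checks only fire on bounces (null Return-Path), so ordinary inbound mail is not affected.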
