[Dshield] PDF Spam Wave

Tom dshield at oitc.com
Sat Aug 4 00:20:18 GMT 2007


At 6:20 PM -0400 8/3/07, jayjwa wrote:
>I've read the diaries, so I do know others are seeing PDF spam. What I'd like
>to see is if it's also spoofing your domains/hosts. Let me explain.
>
>On Aug. 1st about midnight, a massive influx of mail started such that I never
>saw. Mailservers from all over, places I never heard of, started trying to
>deliver...something. These connections were about 2-3 per second, then after
>about 6-7 hours slowed to 2-3 per minute. They all had "bounces" for a host on
>the intranet. Only thing was, no one there ever sent any mail! They looked
>like so:

<snip>

You're telling me that this is the first time you have had to deal with 
backsplatter and joejobs?  Wow, wish I had your luck....

Seriously, this happens all the time.  backsplatter = broken AV 
systems that accept mail, determine it's bogus and send it back to 
forged senders. joejob = forgeries which just forge the MAIL FROM, and 
you get the "unknown address" rejects and other crap.

When we see these we just rejigger our filter rules to reject them. 
This is especially easy when they are using forged addresses that 
don't exist.

We reject during the RFC 2821 handshake rather than accept and bounce, 
which causes all these problems.

Tom

>Return-Path: <guida at vdrl.ath.cx>
>Received: (snipe 12352 invoked by uid 0); 1 Aug 2007 16:02:21 +0900
>Received: from guida at vdrl.ath.cx with  Spamsniper 2.96.00 (Processed in
>1.026274 secs);
>
>Received: from unknown (HELO 168.66.5.122.broad.zb.sd.dynamic.163data.com.cn)
>(122.5.66.168)
>
>    by unknown with SMTP; 1 Aug 2007 16:02:20 +0900
>X-SNIPER-SPF: none (localhost: domain at vdrl.ath.cx does not designate
>permitted sender hosts)
>X-SNIPER-SENDERIP: 122.5.66.168
>X-SNIPER-MAILFROM: guida at vdrl.ath.cx
>X-SNIPER-RCPTTO: 0910 at sbc.or.kr
>Received: from ZHANGZONG ([132.40.28.26])
>          by vdrl.ath.cx.local (8.13.2/8.13.2) with SMTP id snSMiiAiFR9660;
>          Tue, 31 Jul 2007 15:04:55 +0800
>Message-ID: <AF274A0C.78CCEF7 at vdrl.ath.cx>
>Date: Tue, 31 Jul 2007 15:04:54 +0800
>From: Semion <guida at vdrl.ath.cx>
>User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
>MIME-Version: 1.0
>To: 0910 at sbc.or.kr
>Subject: investor letter-9230485907
>
>
>
>
>Right off there are several things wrong here. There's no "guida" user, and
>the Sendmail version is totally wrong, the real one is 8.14.1. It's a fake,
>and a bad one at that. The server trying to kick this "back" to me tells more,
>supposedly 122.5.66.168, I'd imagine
>168.66.5.122.broad.zb.sd.dynamic.163data.com.cn submitted this to them. So, we
>have a spammer, spoofing as my host, and sending to an account that doesn't
>exist, which makes it rebound back and again hit me, because I was the supposed
>"sender" (only I obviously never sent it):
>
>Final-Recipient: RFC822; guida at vdrl.ath.cx
>Action: failed
>Status: 5.1.1
>Remote-MTA: DNS; [192.168.10.76]
>Diagnostic-Code: SMTP; 550 5.1.1 <guida at vdrl.ath.cx>... User unknown
>Last-Attempt-Date: Wed, 1 Aug 2007 03:06:59 -0400
>
>--l7176xW0020060.1185952019/atr2.ath.cx
>Content-Type: message/rfc822
>Content-Transfer-Encoding: 8bit
>
>Return-Path: <postmaster at sniper.sbc.or.kr>
>Received: from sniper.sbc.or.kr ([121.162.117.135])
>          by atr2.ath.cx (8.14.1/8.14.1) with SMTP id l7176jW0020033
>          for <guida at vdrl.ath.cx>; Wed, 1 Aug 2007 03:06:50 -0400
>Message-Id: <200708010706.l7176jW0020033 at atr2.ath.cx>
>Received: (snipe 12354 invoked for bounce); 1 Aug 2007 16:02:21 +0900
>Date: 1 Aug 2007 16:02:21 +0900
>From: postmaster at sniper.sbc.or.kr
>To: guida at vdrl.ath.cx
>Subject: failure notice
>MIME-Version: 1.0
>Content-Type: multipart/mixed;
>   boundary="--Jiransoft of Spamsniper Server"
>
>
><0910 at sbc.or.kr>:
>163.163.32.10 does not like recipient.
>Remote host said[Response Message]: 550 5.1.1 User unknown
>Giving up on 163.163.32.10.
>
>
>This is what I'm getting flooded with: bogus bounces, all from mailservers.
>The flood of incoming connections and the server having to deal with them
>quickly exhausted what bandwidth I had. Finally I resorted to taking mail from
>only known hosts, for about 14 hours or so.
>
>tcpwrappers (mx1.visi.net, 209.96.253.156) rejection
>tcpwrappers (mail.e-isco.com, 12.108.20.7) rejection
>tcpwrappers (mail.e-isco.com, 12.108.20.7) rejection
>tcpwrappers (mail.pesengineers.com, 71.16.6.66) rejection
>tcpwrappers (mail.rinet36.org, 208.247.111.24) rejection
>tcpwrappers (mailgate3.nau.edu, 134.114.96.145) rejection
>tcpwrappers (mx01.mta.xmission.com, 166.70.13.211) rejection
>tcpwrappers (pm2.irt.drexel.edu, 144.118.29.82) rejection
>tcpwrappers (magnum.websitewelcome.com, 70.86.17.98) rejection
>tcpwrappers (bglbbmr1-a-fixed.dataone.in, 218.248.240.59) rejection
>tcpwrappers (m17.spamarrest.com, 66.150.163.166) rejection
>tcpwrappers (mail.royell.com, 64.38.151.33) rejection
>tcpwrappers (iris1.directnic.com, 69.46.238.251) rejection
>tcpwrappers (ns1.siteground134.com, 67.15.250.7) rejection
>tcpwrappers (toq1.bellnexxia.net, 209.226.175.120) rejection
>tcpwrappers (relay4.hrnoc.net, 216.120.225.16) rejection
>tcpwrappers (ns1.xko.net.uk, 195.11.5.16) rejection
>tcpwrappers (mail.daisy.cz, 193.165.105.114) rejection
>tcpwrappers (rs-so-b1.amenworld.com, 62.193.206.26) rejection
>tcpwrappers (relay4.hrnoc.net, 216.120.225.16) rejection
>tcpwrappers (pas2.datec.net.pg, 202.95.202.5) rejection
>...
>and on and on...
>
>
>Since then it's continued, but slower, so that it's manageable by sinking at the
>door anything not to a real user. PDF spam is one thing, spam arriving from
>somewhere to you, but this is spam that ping-pongs around and ends in the
>postmaster mailbox, which seems kinda pointless. Is anyone else seeing this
>type, and are your domain(s) getting spoofed?
>
>Some of the fake "users":
>
>Malbonduota at vdrl.ath.cx
>Leho at vdrl.ath.cx
>Manouchehr at vdrl.ath.cx
>Anglequefleshood at vdrl.ath.cx
>Vinicius at vdrl.ath.cx
>FRANK_Berlin at vdrl.ath.cx
>gurinderButter at vdrl.ath.cx
>krietemeyerpokhk at vdrl.ath.cx
>
>...and the funniest...
>
>Aug  1 01:57:46 atr2 sm-mta[19264]: l715veW4019264: Milter:
>to=<Korneliusblumer at vdrl.ath.cx>, discard
>
>I saw Mr. Korneliusblumer several times, so possibly this is a list, and I
>caught the attention of a botnet?
>
>


-- 

Tom Shaw - Chief Engineer, OITC
<tshaw at oitc.com>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: trshaw at mac.com
Google Talk: trshaw at gmail.com
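Tom's point is that an MTA which answers "550 User unknown" at RCPT TO during the SMTP dialogue never generates a bounce, while a gateway that accepts first and bounces later is the one that sprays forged senders like vdrl.ath.cx with backscatter. jayjwa's question is how to tell that an incoming "failure notice" is one of these. The script below is an added example for this thread, not code from either poster or from DShield. It parses a constructed bounce modelled on the DSN quoted above (same hostnames and addresses, body shortened), flags it as backscatter when the embedded original claims a sender at our domain that is not a real mailbox or was injected from an IP that is not one of our MTAs, and shows the RCPT-time reply an MTA should give instead of accept-and-bounce. The local mailbox set, the MTA address 192.0.2.10 (documentation range) and the sample message are assumptions made for the example.

```python
"""Classify an inbound bounce as backscatter, and show the RCPT-time reject.

Added example for the DShield thread; not code from the list or its posters.
Assumptions (labelled): our domain is vdrl.ath.cx (from the thread), our only
outbound MTA is 192.0.2.10 (placeholder), and VALID_USERS is a constructed set.
"""
import email
import re
from email.utils import parseaddr

LOCAL_DOMAIN = "vdrl.ath.cx"            # domain being spoofed in the thread
OUR_MTA_IPS = {"192.0.2.10"}             # assumption: placeholder for our real MTA
VALID_USERS = {"postmaster", "jayjwa"}   # constructed; "guida" deliberately absent

# Client IP in a Received: header, written as (1.2.3.4) or [1.2.3.4]; the
# bracket requirement avoids matching reversed-IP hostnames like 168.66.5.122.broad...
HOP_IP = re.compile(r"[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")

# Constructed sample, modelled on the failure notice quoted in the thread.
SAMPLE_BOUNCE = """\
Return-Path: <postmaster@sniper.sbc.or.kr>
Received: from sniper.sbc.or.kr ([121.162.117.135])
          by atr2.ath.cx (8.14.1/8.14.1) with SMTP id l7176jW0020033
          for <guida@vdrl.ath.cx>; Wed, 1 Aug 2007 03:06:50 -0400
From: postmaster@sniper.sbc.or.kr
To: guida@vdrl.ath.cx
Subject: failure notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: message/delivery-status

Reporting-MTA: dns; sniper.sbc.or.kr

Final-Recipient: RFC822; 0910@sbc.or.kr
Action: failed
Status: 5.1.1
Diagnostic-Code: SMTP; 550 5.1.1 User unknown

--bnd
Content-Type: message/rfc822

Return-Path: <guida@vdrl.ath.cx>
Received: from unknown (HELO 168.66.5.122.broad.zb.sd.dynamic.163data.com.cn) (122.5.66.168)
    by unknown with SMTP; 1 Aug 2007 16:02:20 +0900
From: Semion <guida@vdrl.ath.cx>
To: 0910@sbc.or.kr
Subject: investor letter-9230485907

(PDF attachment stripped)
--bnd--
"""


def first_hop_ip(msg):
    """IP of the client that injected msg: the bottom-most Received: header."""
    received = msg.get_all("Received") or []
    match = HOP_IP.search(received[-1]) if received else None
    return match.group(1) if match else None


def delivery_status(msg):
    """(Final-Recipient, Status, Diagnostic-Code) tuples from message/delivery-status parts."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():          # one header block per recipient
                if block.get("Final-Recipient"):
                    out.append((block["Final-Recipient"], block.get("Status"),
                                block.get("Diagnostic-Code")))
    return out


def original_message(msg):
    """The returned original, carried as a message/rfc822 part, or None."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload()[0]
    return None


def classify_bounce(raw):
    """Decide whether a DSN is a real bounce of our mail or backscatter from a forgery."""
    msg = email.message_from_string(raw)
    statuses = delivery_status(msg)
    orig = original_message(msg)
    if orig is None:
        return {"verdict": "bounce-without-original", "status": statuses, "reasons": []}
    orig_sender = parseaddr(orig.get("Return-Path") or orig.get("From", ""))[1]
    local, _, domain = orig_sender.rpartition("@")
    hop = first_hop_ip(orig)
    reasons = []
    if domain.lower() == LOCAL_DOMAIN and local.lower() not in VALID_USERS:
        reasons.append(f"claimed sender {orig_sender} is not a mailbox here")
    if domain.lower() == LOCAL_DOMAIN and hop and hop not in OUR_MTA_IPS:
        reasons.append(f"original was injected from {hop}, not one of our MTAs")
    return {"verdict": "backscatter" if reasons else "legitimate-bounce",
            "orig_sender": orig_sender, "first_hop": hop,
            "status": statuses, "reasons": reasons}


def rcpt_response(rcpt):
    """Reply to RCPT TO inside the SMTP dialogue (RFC 2821 section 4.1.1.3):
    refusing here means no message is accepted, so nothing is ever bounced."""
    local, _, domain = parseaddr(rcpt)[1].rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        return "550 5.7.1 Relaying denied"
    if local.lower() not in VALID_USERS:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient OK"


if __name__ == "__main__":
    result = classify_bounce(SAMPLE_BOUNCE)
    print(result["verdict"], result["reasons"])
    for addr in ("guida@vdrl.ath.cx", "jayjwa@vdrl.ath.cx", "0910@sbc.or.kr"):
        print(f"RCPT TO:<{addr}> -> {rcpt_response(addr)}")
```

The two tests in classify_bounce are independent on purpose: a spammer can forge a real local user, in which case only the injection-hop check fires, and a bounce for a genuine local user that left through our own MTA passes both and is a legitimate DSN to deliver. The same two facts (the recipient is unknown, and the sender's domain is not where the connection came from) are what a border MTA can see at RCPT TO, which is why rejecting there, as Tom describes, removes the bounce rather than redirecting it.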
