massive uptick in targeted spam this weekend and week

H. Morrow Long morrow.long at yale.edu
Tue Oct 15 17:11:38 GMT 2002


We saw a massive uptick in targeted spam this weekend and week with the
following characteristics and wondered if anyone else had or was seeing
the same:

1.	Sources.  Many of the DNS hostnames used in the headers (e.g. From: lines)
	and some of the spam is coming directly from optingnow.com hosts:

	ns1.optingnow.com (aka exclusive.optingnow.com), IP # 65.198.164.4

	We are also seeing a lot of spam emanating from a lot of different sources
	all over the Internet but apparently also from above direct email company.

	We usually see yahoo.com used in the SMTP OOB dialog as the
	host named in the 'HELO' command (this is obviously not from Yahoo):

	Received: from yahoo.com (200-207-131-21.dsl.telesp.net.br [200.207.131.21])
	Received: from yahoo.com ([193.194.74.10])
	Received: from yahoo.com (squid@[62.211.237.218])

	I discovered that all of the above hosts are running an "open" HTTP proxy
	at TCP 8080 (usually "squid" but it was not running at 3128 surprisingly)...

	Note that this differs from real email sent from yahoo.com :

	Received: from web13206.mail.yahoo.com (web13206.mail.yahoo.com [216.136.174.191])

	Which also bears real yahoo.com Message-ID headers:
	Message-ID: <20021015151718.92181.qmail@web13206.mail.yahoo.com>

2.	Topics of messages (many variations on these themes):

		Debt reduction
		Mortgage refinancing (Rates below 5%)
		Penis enlargement
		Hair loss / Baldness

3.	Subject: lines

	Based on above topics.  Generally there is a random looking wordstring at
	the end of the subject line which is apparently a tag used to track the
	messages (and perhaps responses).  Example subject lines:

	Subject: New Short Mortage Form Here; Find Out How We...        oqoimlov
	Subject: NEW; One Minute Mortgage Quote...................         xtzexle
	Subject: ADD 3 TO 4 INCHES OVERNIGHT! GUARANTEED! .....        drdoyzdfny

4.	To: addresses

	Uses mined local email addresses in the To: header with
	"Fullname" strings which do not match.  Also the real recipients
	are not the user in the To: line nor do they necessarily have any
	relationship to the local email address in the To: line.

5.	From: addresses are semi normal looking fullname strings
	with almost random junk for the email address:

	From: "Raisie Woodrow" <kittyhvlfstsebpzt@ns1.optingnow.com>
	From: "Makaila Lixue" <audrafisdzhmkz@ns1.optingnow.com>

6.	X-Mailer: headers.  The purported mailer program changes:

	X-Mailer: The Bat! (v1.52f) Business

	X-Mailer: Microsoft Outlook, Build 10.0.2627

	X-Mailer: Mozilla 4.73 [en]C-CCK-MCD BA45DSL  (WinNT; U)
	X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

	Most have the X-MimeOLE header.

7.	Message-ID: headers.  The messages don't have them so our local
	mail servers are inserting them.  Note that real yahoo.com email
	does come bearing real Message-ID headers.

8.	Body.

	The message is in HTML format.  There are a number of URLs in the msg.
	Most of these are in the sneaky username@webhost form with ns.qijlip2xrn.ph
	as the actual website:

	On a mortgage message :
	http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103W

	On one to add inches you don't want to know where :
	http://www.addinches.com.mn@ns.qijlip2xrn.ph/search.php?id=1102I

	Now however, a different URL used for the background of the mortgage refinance msg:
	http://imagegalleria.com.mx/museos/IAGO/ll03/active_lender_email1.jpg

	And a similar background image URL used for the 'Add inches' message from the same site:
	http://imagegalleria.com.mx/museos/IAGO/ll02/extenzepic.jpg

	At the end of the body of the message each message has the text:

	INFORMATION FOR iREWARDSTECH RECIPIENTS:
	To subscribe or unsubscribe from the iREWARDSTECH mailing list, click here.

	'here' is hyperlinked to a 'removal' URL such as:

	http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103R
	http://www.addinches.com.mn@ns.qijlip2xrn.ph/search.php?id=1102R

9.	SpamAssassin report.  SpamAssassin gives the messages a fairly high spam rating:

	A mortgage refinance message:

	X-Spam-Report:   19.9 hits, 5 required;
	  *  4.0 -- Subject contains lots of white space
	  *  1.5 -- BODY: Asks you to click below
	  *  1.5 -- URI: Uses a username in a URL
	  *  2.1 -- BODY: FONT Size +2 and up or 3 and up
	  *  0.8 -- BODY: Tells you to click on a URL
	  *  2.4 -- Contains phrases frequently found in spam
	            [score:  13, hits: click here, find out, list]
	            [click, mailing list, the internet, you]
	            [get]
	  *  3.3 -- Date: is 12 to 24 hours after Received: date
	  *  1.7 -- HTML-only mail, with no text version
	  *  1.5 -- 'From' yahoo.com does not match 'Received' headers
	  *  1.1 -- 'Message-Id' was added by a relay (3)
	
	"ADD 3 TO 4 INCHES OVERNIGHT ..." message:

	X-Spam-Report:   34.1 hits, 5 required;
	  *  4.0 -- Subject contains lots of white space
	  *  0.1 -- Subject has an exclamation mark
	  *  1.5 -- BODY: Contains word 'guarantee' in all-caps
	  *  4.7 -- BODY: Plugs Viagra
	  *  1.5 -- BODY: Asks you to click below
	  *  4.3 -- BODY: Offers a limited time offer
	  *  1.1 -- BODY: A word in all caps repeated on the line
	  * -0.0 -- BODY: A WHOLE LINE OF YELLING DETECTED
	  *  1.5 -- URI: Uses a username in a URL
	  *  1.3 -- BODY: HTML mail with non-white background
	  *  2.1 -- BODY: FONT Size +2 and up or 3 and up
	  *  0.8 -- BODY: Tells you to click on a URL
	  *  2.4 -- Contains phrases frequently found in spam
	            [score:  20, hits: click here, here for,]
	            [including shipping, list click, mailing list,]
	            [offer order, that can, with our, with this, you]
	            [not]
	  *  2.1 -- spam-phrase score is over 20
	  *  2.4 -- Date: is 6 to 12 hours after Received: date
	  *  1.7 -- HTML-only mail, with no text version
	  *  1.5 -- 'From' yahoo.com does not match 'Received' headers
	  *  1.1 -- 'Message-Id' was added by a relay (3)

- H. Morrow Long
   University Information Security Officer
   Yale University, ITS, Dir. InfoSec Office
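Added example (not part of the original post or of any tool it mentions): a small Python checker for the header and body patterns listed above, run over a constructed message that reproduces them. It flags a HELO name that the peer's reverse DNS does not back up, a missing Message-ID, the random tag at the end of the Subject, URLs in the decoy@realhost form, and HTML-only bodies. The sample message, the relay name mail.example.edu, the recipient address and the function names are assumptions; the header values inside the sample are copied from the patterns quoted in the post.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample reproducing the patterns described in the post.
# The relay mail.example.edu, its queue id and the recipient are made up.
SAMPLE = """Received: from yahoo.com (200-207-131-21.dsl.telesp.net.br [200.207.131.21])
 by mail.example.edu (8.12.6/8.12.6) with SMTP id g9FG0xyz; Tue, 15 Oct 2002 12:00:00 -0400
From: "Raisie Woodrow" <kittyhvlfstsebpzt@ns1.optingnow.com>
To: "Some Other Name" <someone@example.edu>
Subject: New Short Mortage Form Here; Find Out How We...        oqoimlov
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Content-Type: text/html

<html><body bgcolor="#ffffcc">
<font size="+3">NEW SHORT MORTGAGE FORM</font>
<a href="http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103W">click here</a>
INFORMATION FOR iREWARDSTECH RECIPIENTS: to unsubscribe click
<a href="http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103R">here</a>.
</body></html>
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# a random lower-case word after a run of 3+ spaces at the very end of the subject
SUBJECT_TAG_RE = re.compile(r"\s{3,}([a-z]{5,})\s*$")


def parse_received(value):
    """Split 'from HELO (rdns [ip])' into (helo, rdns or None, ip or None)."""
    m = re.match(r"\s*from\s+(\S+)\s+\(([^)]*)\)", value)
    if not m:
        return None
    helo, paren = m.group(1), m.group(2)
    ip_m = re.search(r"\[([\d.]+)\]", paren)
    # A reverse name is only present when the MTA could resolve the peer;
    # the '([1.2.3.4])' and '(squid@[1.2.3.4])' forms carry none.
    rdns_m = re.match(r"([A-Za-z0-9.-]+)\s*\[", paren)
    return helo, (rdns_m.group(1) if rdns_m else None), (ip_m.group(1) if ip_m else None)


def helo_mismatch(helo, rdns):
    """True when the HELO name is not backed by the peer's reverse DNS name."""
    helo = helo.lower().rstrip(".")
    if rdns is None:
        return True
    rdns = rdns.lower().rstrip(".")
    return not (rdns == helo or rdns.endswith("." + helo))


def userinfo_urls(text):
    """URLs of the decoy@realhost form: returns (decoy, real host, url) per hit."""
    hits = []
    for url in URL_RE.findall(text):
        p = urlparse(url)
        if p.username:  # everything before '@' is ignored by the browser
            hits.append((p.username, p.hostname, url))
    return hits


def subject_tracking_tag(subject):
    """The trailing random word used to track the message, or None."""
    m = SUBJECT_TAG_RE.search(subject)
    return m.group(1) if m else None


def analyze(raw):
    """Return the list of indicator names found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    for rcvd in msg.get_all("Received", []):
        parsed = parse_received(rcvd)
        if parsed and helo_mismatch(parsed[0], parsed[1]):
            findings.append("helo_mismatch:%s:%s" % (parsed[0], parsed[2]))
    if msg.get("Message-ID") is None:
        findings.append("missing_message_id")
    tag = subject_tracking_tag(msg.get("Subject", ""))
    if tag:
        findings.append("subject_tag:" + tag)
    body = msg.get_payload() if not msg.is_multipart() else ""
    for host in sorted({h for _, h, _ in userinfo_urls(body)}):
        findings.append("username_in_url:" + host)
    if not msg.is_multipart() and msg.get_content_type() == "text/html":
        findings.append("html_only")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

The HELO check deliberately only trusts the reverse name the receiving MTA recorded next to the peer IP, not the name the peer announced; a legitimate yahoo.com Received: line such as the one quoted above (HELO and reverse name both web13206.mail.yahoo.com) passes, while the three open-proxy lines do not.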



More information about the unisog mailing list