[unisog] massive uptick in targeted spam this weekend and week

Peter Van Epp vanepp at sfu.ca
Tue Oct 15 20:08:03 GMT 2002


	Yep, but they have graced our "thanks, but no thanks" file since last 
week some time so I don't know how many we would have seen.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> 
> We saw a massive uptick in targeted spam this weekend and week with the
> following characteristics and wondered if anyone else had or was seeing
> same:
> 
> 1.	Sources.  Many of the DNS hostnames used in the headers (e.g. From: lines)
> 	and some of the spam is coming directly from optingnow.com hosts :
> 
> 	ns1.optingnow.com (aka exclusive.optingnow.com), IP # 65.198.164.4
> 
> 	We are also seeing a lot of spam emanating from a lot of different sources
> 	all over the Internet but apparently also from above direct email company.
> 
> 	We usually see yahoo.com used in the SMTP OOB dialog as the
> 	host named in the 'HELO' command (this is obviously not from Yahoo):
> 
> 	Received: from yahoo.com (200-207-131-21.dsl.telesp.net.br [200.207.131.21])
> 	Received: from yahoo.com ([193.194.74.10])
> 	Received: from yahoo.com (squid@[62.211.237.218])
> 
> 	I discovered that all of the above hosts are running an "open" HTTP proxy
> 	at TCP 8080 (usually "squid" but it was not running at 3128 surprisingly)...
> 
> 	Note that this differs from real email sent from yahoo.com :
> 
> 	Received: from web13206.mail.yahoo.com (web13206.mail.yahoo.com [216.136.174.191])
> 
> 	Which also bears real yahoo.com Message-ID headers:
> 	Message-ID: <20021015151718.92181.qmail at web13206.mail.yahoo.com>
> 
> 2.	Topics of messages (many variations on these themes):
> 
> 		Debt reduction
> 		Mortgage refinancing (Rates below 5%)
> 		Penis enlargement
> 		Hair loss / Baldness
> 
> 3.	Subject: lines
> 
> 	Based on above topics.  Generally there is a random looking wordstring at
> 	the end of the subject line which is apparently a tag used to track the
> 	messages (and perhaps responses).  Example subject lines:
> 
> 	Subject: New Short Mortage Form Here; Find Out How We...        oqoimlov
> 	Subject: NEW; One Minute Mortgage Quote...................         xtzexle
> 	Subject: ADD 3 TO 4 INCHES OVERNIGHT! GUARANTEED! .....        drdoyzdfny
> 
> 4.	To: addresses
> 
> 	Uses mined local email addresses in the To: header with
> 	"Fullname" strings which do not match.  Also the real recipients
> 	are not the user in the To: line nor do they necessarily have any
> 	relationship to the local email address in the To: line.
> 
> 5.	From: addresses are semi normal looking fullname strings
> 	with almost random junk for the email address:
> 
> 	From: "Raisie Woodrow" <kittyhvlfstsebpzt at ns1.optingnow.com>
> 	From: "Makaila Lixue" <audrafisdzhmkz at ns1.optingnow.com>
> 
> 6.	X-Mailer: headers.  The purported mailer program changes:
> 
> 	X-Mailer: The Bat! (v1.52f) Business
> 
> 	X-Mailer: Microsoft Outlook, Build 10.0.2627
> 
> 	X-Mailer: Mozilla 4.73 [en]C-CCK-MCD BA45DSL  (WinNT; U)
> 	X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> 
> 	Most have the X-MimeOLE header.
> 
> 7.	Message-ID: headers.  The messages don't have them so our local
> 	mail servers are inserting them.  Note that real yahoo.com email
> 	does come bearing real Message-ID headers.
> 
> 8.	Body.
> 
> 	The message is in HTML format.  There are a number of URLs in the msg.
> 	Most of these are in the sneaky username at webhost form with ns.qijlip2xrn.ph
> 	as the actual website:
> 
> 	On a mortgage message :
> 	http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103W
> 
> 	On one to add inches you don't want to know where :
> 	http://www.addinches.com.mn@ns.qijlip2xrn.ph/search.php?id=1102I
> 
> 	Now however, a different URL used for the background of the mortgage refinance msg:
> 	http://imagegalleria.com.mx/museos/IAGO/ll03/active_lender_email1.jpg
> 
> 	And a similar background image URL used for the 'Add inches' message from the same site:
> 	http://imagegalleria.com.mx/museos/IAGO/ll02/extenzepic.jpg
> 
> 	At the end of the body of the message each message has the text:
> 
> 	INFORMATION FOR iREWARDSTECH RECIPIENTS:
> 	To subscribe or unsubscribe from the iREWARDSTECH mailing list, click here.
> 
> 	'here' is hyperlinked to a 'removal' URL such as:
> 
> 	http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103R
> 	http://www.addinches.com.mn@ns.qijlip2xrn.ph/search.php?id=1102R
> 
> 9.	SpamAssassin report.  Spamassassin gives the messages a fairly high spam rating:
> 
> 	A mortgage refinance message:
> 
> 	X-Spam-Report:   19.9 hits, 5 required;
> 	  *  4.0 -- Subject contains lots of white space
> 	  *  1.5 -- BODY: Asks you to click below
> 	  *  1.5 -- URI: Uses a username in a URL
> 	  *  2.1 -- BODY: FONT Size +2 and up or 3 and up
> 	  *  0.8 -- BODY: Tells you to click on a URL
> 	  *  2.4 -- Contains phrases frequently found in spam
> 	            [score:  13, hits: click here, find out, list]
> 	            [click, mailing list, the internet, you]
> 	            [get]
> 	  *  3.3 -- Date: is 12 to 24 hours after Received: date
> 	  *  1.7 -- HTML-only mail, with no text version
> 	  *  1.5 -- 'From' yahoo.com does not match 'Received' headers
> 	  *  1.1 -- 'Message-Id' was added by a relay (3)
> 	
> 	"ADD 3 TO 4 INCHES OVERNIGHT ..." message:
> 
> 	X-Spam-Report:   34.1 hits, 5 required;
> 	  *  4.0 -- Subject contains lots of white space
> 	  *  0.1 -- Subject has an exclamation mark
> 	  *  1.5 -- BODY: Contains word 'guarantee' in all-caps
> 	  *  4.7 -- BODY: Plugs Viagra
> 	  *  1.5 -- BODY: Asks you to click below
> 	  *  4.3 -- BODY: Offers a limited time offer
> 	  *  1.1 -- BODY: A word in all caps repeated on the line
> 	  * -0.0 -- BODY: A WHOLE LINE OF YELLING DETECTED
> 	  *  1.5 -- URI: Uses a username in a URL
> 	  *  1.3 -- BODY: HTML mail with non-white background
> 	  *  2.1 -- BODY: FONT Size +2 and up or 3 and up
> 	  *  0.8 -- BODY: Tells you to click on a URL
> 	  *  2.4 -- Contains phrases frequently found in spam
> 	            [score:  20, hits: click here, here for,]
> 	            [including shipping, list click, mailing list,]
> 	            [offer order, that can, with our, with this, you]
> 	            [not]
> 	  *  2.1 -- spam-phrase score is over 20
> 	  *  2.4 -- Date: is 6 to 12 hours after Received: date
> 	  *  1.7 -- HTML-only mail, with no text version
> 	  *  1.5 -- 'From' yahoo.com does not match 'Received' headers
> 	  *  1.1 -- 'Message-Id' was added by a relay (3)
> 
> - H. Morrow Long
>    University Information Security Officer
>    Yale University, ITS, Dir. InfoSec Office
> 
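As an added illustration (not code from either poster), a small Python checker that looks for the traits the quoted report lists: a HELO name in Received: that the reverse-DNS name does not confirm, userinfo-style URLs whose real host sits after the '@', a missing Message-ID, and the random trailing word on the Subject:. The sample message is constructed from the header shapes quoted above and is not a real capture.

```python
import re
from email import message_from_string

# Constructed sample built from the header shapes quoted in the report; not a real capture.
SAMPLE_SPAM = """\
Received: from yahoo.com (200-207-131-21.dsl.telesp.net.br [200.207.131.21])
From: "Raisie Woodrow" <kittyhvlfstsebpzt@ns1.optingnow.com>
To: "Unrelated Name" <someone@example.edu>
Subject: New Short Mortage Form Here; Find Out How We...        oqoimlov
X-Mailer: The Bat! (v1.52f) Business
Content-Type: text/html

<a href="http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103W">click here</a>
"""

# Received: from <HELO name> (<optional rDNS name or user@> [<ip>])
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\[\]\s]*?)\s*\[?([\d.]+)\]?\)")
# http://<decoy that looks like a host>@<real host>/...
USERINFO_URL_RE = re.compile(r"https?://([^\s/@\"'<>]+)@([^\s/\"'<>]+)")
# a run of whitespace, then a lowercase "tracking" word at the very end of the Subject
SUBJECT_TAG_RE = re.compile(r"\s{3,}([a-z]{6,})\s*$")


def forged_helo(received_headers):
    """Return (helo, ip) for each hop whose HELO name is not confirmed by the rDNS name."""
    hits = []
    for hdr in received_headers:
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        helo, rdns, ip = m.group(1), m.group(2).split("@")[-1], m.group(3)
        # Legitimate hops look like "from web1.mail.yahoo.com (web1.mail.yahoo.com [...])":
        # the rDNS name equals the HELO name or is a host beneath it.
        if not (rdns == helo or rdns.endswith("." + helo)):
            hits.append((helo, ip))
    return hits


def analyze(raw):
    """Collect the report's indicators; a key is present only when that indicator fires."""
    msg = message_from_string(raw)
    result = {}
    helo = forged_helo(msg.get_all("Received", []))
    if helo:
        result["forged_helo"] = helo
    urls = USERINFO_URL_RE.findall(msg.get_payload())
    if urls:
        result["userinfo_urls"] = urls        # (decoy, real host) pairs
    if msg["Message-ID"] is None:
        result["missing_message_id"] = True   # our own relay would have to add one
    tag = SUBJECT_TAG_RE.search(msg.get("Subject", ""))
    if tag:
        result["subject_tag"] = tag.group(1)
    return result
```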