[unisog] massive uptick in targeted spam this weekend and week

Hunt,Keith A keith at uakron.edu
Tue Oct 15 20:12:04 GMT 2002


Yes, we have been seeing this as well.  Your description matches exactly.  What I find to be most curious is that they seem to be sending the exact same messages over and over to the same addresses.  Even for stupid spammers that seems rather pointless.

Keith Hunt  330.972.7968  keith at uakron.edu
Internet & Server Systems
The University of Akron 

> -----Original Message-----
> From: H. Morrow Long [mailto:morrow.long at yale.edu]
> Sent: Tuesday, October 15, 2002 1:12 PM
> To: Jerome M Berkman; unisog at sans.org
> Subject: [unisog] massive uptick in targeted spam this weekend and week
> 
> 
> We saw a massive uptick in targeted spam this weekend and week with the
> following characteristics and wondered if anyone else had or was seeing
> same:
> 
> 1.	Sources.  Many of the DNS hostnames used in the headers (e.g. From: lines)
> 	and some of the spam is coming directly from optingnow.com hosts:
> 
> 	ns1.optingnow.com (aka exclusive.optingnow.com), IP # 65.198.164.4
> 
> 	We are also seeing a lot of spam emanating from a lot of different sources
> 	all over the Internet but apparently also from the above direct email company.
> 
> 	We usually see yahoo.com used in the SMTP OOB dialog as the
> 	host named in the 'HELO' command (this is obviously not from Yahoo):
> 
> 	Received: from yahoo.com (200-207-131-21.dsl.telesp.net.br [200.207.131.21])
> 	Received: from yahoo.com ([193.194.74.10])
> 	Received: from yahoo.com (squid@[62.211.237.218])
> 
> 	I discovered that all of the above hosts are running an "open" HTTP proxy
> 	at TCP 8080 (usually "squid" but it was not running at 3128 surprisingly)...
> 
> 	Note that this differs from real email sent from yahoo.com:
> 
> 	Received: from web13206.mail.yahoo.com (web13206.mail.yahoo.com [216.136.174.191])
> 
> 	which also bears real yahoo.com Message-ID headers:
> 	Message-ID: <20021015151718.92181.qmail at web13206.mail.yahoo.com>
> 
> 2.	Topics of messages (many variations on these themes):
> 
> 		Debt reduction
> 		Mortgage refinancing (Rates below 5%)
> 		Penis enlargement
> 		Hair loss / Baldness
> 
> 3.	Subject: lines
> 
> 	Based on above topics.  Generally there is a random-looking wordstring at
> 	the end of the subject line which is apparently a tag used to track the
> 	messages (and perhaps responses).  Example subject lines:
> 
> 	Subject: New Short Mortage Form Here; Find Out How We...        oqoimlov
> 	Subject: NEW; One Minute Mortgage Quote...................         xtzexle
> 	Subject: ADD 3 TO 4 INCHES OVERNIGHT! GUARANTEED! .....        drdoyzdfny
> 
> 4.	To: addresses
> 
> 	Uses mined local email addresses in the To: header with
> 	"Fullname" strings which do not match.  Also the real recipients
> 	are not the user in the To: line nor do they necessarily have any
> 	relationship to the local email address in the To: line.
> 
> 5.	From: addresses are semi-normal looking fullname strings
> 	with almost random junk for the email address:
> 
> 	From: "Raisie Woodrow" <kittyhvlfstsebpzt at ns1.optingnow.com>
> 	From: "Makaila Lixue" <audrafisdzhmkz at ns1.optingnow.com>
> 
> 6.	X-Mailer: headers.  The purported mailer program changes:
> 
> 	X-Mailer: The Bat! (v1.52f) Business
> 
> 	X-Mailer: Microsoft Outlook, Build 10.0.2627
> 
> 	X-Mailer: Mozilla 4.73 [en]C-CCK-MCD BA45DSL  (WinNT; U)
> 	X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
> 
> 	Most have the X-MimeOLE header.
> 
> 7.	Message-ID: headers.  The messages don't have them so our local
> 	mail servers are inserting them.  Note that real yahoo.com email
> 	does come bearing real Message-ID headers.
> 
> 8.	Body.
> 
> 	The message is in HTML format.  There are a number of URLs in the msg.
> 	Most of these are in the sneaky username at webhost form with ns.qijlip2xrn.ph
> 	as the actual website:
> 
> 	On a mortgage message:
> 	http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103W
> 
> 	On one to add inches you don't want to know where:
> 	http://www.addinches.com.mn@ns.qijlip2xrn.ph/search.php?id=1102I
> 
> 	Now however, a different URL used for the background of the mortgage refinance msg:
> 	http://imagegalleria.com.mx/museos/IAGO/ll03/active_lender_email1.jpg
> 
> 	And a similar background image URL used for the 'Add inches' message from the same site:
> 	http://imagegalleria.com.mx/museos/IAGO/ll02/extenzepic.jpg
> 
> 	At the end of the body of the message each message has the text:
> 
> 	INFORMATION FOR iREWARDSTECH RECIPIENTS:
> 	To subscribe or unsubscribe from the iREWARDSTECH mailing list, click here.
> 
> 	'here' is hyperlinked to a 'removal' URL such as:
> 
> 	http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103R
> 	http://www.addinches.com.mn@ns.qijlip2xrn.ph/search.php?id=1102R
> 
> 9.	SpamAssassin report.  SpamAssassin gives the messages a fairly high spam rating:
> 
> 	A mortgage refinance message:
> 
> 	X-Spam-Report:   19.9 hits, 5 required;
> 	  *  4.0 -- Subject contains lots of white space
> 	  *  1.5 -- BODY: Asks you to click below
> 	  *  1.5 -- URI: Uses a username in a URL
> 	  *  2.1 -- BODY: FONT Size +2 and up or 3 and up
> 	  *  0.8 -- BODY: Tells you to click on a URL
> 	  *  2.4 -- Contains phrases frequently found in spam
> 	            [score:  13, hits: click here, find out, list]
> 	            [click, mailing list, the internet, you]
> 	            [get]
> 	  *  3.3 -- Date: is 12 to 24 hours after Received: date
> 	  *  1.7 -- HTML-only mail, with no text version
> 	  *  1.5 -- 'From' yahoo.com does not match 'Received' headers
> 	  *  1.1 -- 'Message-Id' was added by a relay (3)
> 
> 	"ADD 3 TO 4 INCHES OVERNIGHT ..." message:
> 
> 	X-Spam-Report:   34.1 hits, 5 required;
> 	  *  4.0 -- Subject contains lots of white space
> 	  *  0.1 -- Subject has an exclamation mark
> 	  *  1.5 -- BODY: Contains word 'guarantee' in all-caps
> 	  *  4.7 -- BODY: Plugs Viagra
> 	  *  1.5 -- BODY: Asks you to click below
> 	  *  4.3 -- BODY: Offers a limited time offer
> 	  *  1.1 -- BODY: A word in all caps repeated on the line
> 	  * -0.0 -- BODY: A WHOLE LINE OF YELLING DETECTED
> 	  *  1.5 -- URI: Uses a username in a URL
> 	  *  1.3 -- BODY: HTML mail with non-white background
> 	  *  2.1 -- BODY: FONT Size +2 and up or 3 and up
> 	  *  0.8 -- BODY: Tells you to click on a URL
> 	  *  2.4 -- Contains phrases frequently found in spam
> 	            [score:  20, hits: click here, here for,]
> 	            [including shipping, list click, mailing list,]
> 	            [offer order, that can, with our, with this, you]
> 	            [not]
> 	  *  2.1 -- spam-phrase score is over 20
> 	  *  2.4 -- Date: is 6 to 12 hours after Received: date
> 	  *  1.7 -- HTML-only mail, with no text version
> 	  *  1.5 -- 'From' yahoo.com does not match 'Received' headers
> 	  *  1.1 -- 'Message-Id' was added by a relay (3)
> 
> - H. Morrow Long
>    University Information Security Officer
>    Yale University, ITS, Dir. InfoSec Office
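The indicators Morrow lists (a HELO name that the receiving MTA's reverse DNS does not confirm, a missing Message-ID, a random tag padded onto the end of the Subject, and "user@host" URLs whose real destination is the part after the @) can be checked mechanically. The following is an added example, not code from either poster or from SpamAssassin: the sample message is constructed from the Received line, From address, subject and URL quoted in the thread, and the subject-tag heuristic (three or more spaces followed by a lowercase word) is an assumption.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample modelled on the headers and URL quoted in the thread;
# the To: address and the surrounding HTML are filler.
SAMPLE = """\
Received: from yahoo.com (200-207-131-21.dsl.telesp.net.br [200.207.131.21])
From: "Raisie Woodrow" <kittyhvlfstsebpzt@ns1.optingnow.com>
To: someone@example.edu
Subject: New Short Mortage Form Here; Find Out How We...        oqoimlov
Content-Type: text/html

<html><body><a href="http://www.moneydeals.biz.cg@ns.qijlip2xrn.ph/search.php?id=1103W">
click here</a></body></html>
"""

# "from <HELO name> (<reverse DNS, may be empty> [<ip>])" as most MTAs write it
RECEIVED_RE = re.compile(r"^from\s+(\S+)\s+\(([^\s\[]*)\s*\[([^\]]+)\]", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
TAG_RE = re.compile(r"\s{3,}([a-z]{5,12})$")  # assumed tracking-tag shape

def real_url_host(url):
    """Host a client actually connects to, ignoring the 'user@' prefix
    used to disguise the destination (SpamAssassin's 'username in a URL')."""
    return urlsplit(url).hostname

def helo_mismatch(received):
    """True when the HELO name is not confirmed by the reverse DNS name
    the receiving MTA recorded in parentheses (missing rDNS counts too)."""
    m = RECEIVED_RE.match(received.strip())
    if not m:
        return False
    helo, rdns = m.group(1).lower(), m.group(2).lower()
    return not (rdns == helo or rdns.endswith("." + helo))

def analyze(raw):
    """Return a list of findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    for rcvd in msg.get_all("Received", []):
        if helo_mismatch(rcvd):
            findings.append("forged HELO: " + RECEIVED_RE.match(rcvd.strip()).group(1))
    if msg["Message-ID"] is None:
        findings.append("no Message-ID from sender")
    tag = TAG_RE.search(msg.get("Subject", ""))
    if tag:
        findings.append("tracking tag in Subject: " + tag.group(1))
    for url in URL_RE.findall(msg.get_payload()):
        if "@" in urlsplit(url).netloc:
            findings.append("userinfo URL, real host " + real_url_host(url))
    return findings
```

Run on the sample this reports the forged yahoo.com HELO, the absent Message-ID, the tag oqoimlov and ns.qijlip2xrn.ph as the real host behind the moneydeals.biz.cg link; Morrow's genuine web13206.mail.yahoo.com Received line passes the HELO check.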


