Re: [Asrg] Mailfragments
At 10:45 PM +0200 6/10/04, edgar at edgarschwarz.de wrote:
> Hi,
> at the moment (this spam 25 minutes ago) I get a lot of mail
> fragments like that below.
> There is more than one IP address which it seems to come from; I get
> multiple mails to different invalid addresses at my domain.
> So my question is: can I trust that this spam is really coming from
> 151.24.205.44 ?
Yes, assuming that you can trust the server at 'mailin.webmailer.de'
which presumably you can. It is where that Received header was added.
> X-Oberon-Status: R010000000
> X-UIDL: 77c1a1f9ee80c33025bd5ccc27560840
> X-Envelope-From: <kfsux at starfish.ca>
> X-Envelope-To: <slawsonge at edgarschwarz.de>
> X-Delivery-Time: 1086898449
> Received: from ppp-44-205.24-151.libero.it
>     (ppp-44-205.24-151.libero.it [151.24.205.44])
>     by mailin.webmailer.de (8.12.10/8.12.10) with SMTP id i5AKCeWx000867;
>     Thu, 10 Jun 2004 22:13:47 +0200 (MEST)
> Date: Thu, 10 Jun 2004 22:13:47 +0200 (MEST)
> From: kfsux at starfish.ca
> Received: from 102.12.120.59 by 151.24.205.44; Thu, 10 Jun 2004 16:09:40 -0500
> Message-ID: <K[20
That pattern is a familiar one. It seems to be specific to some sort
of broken spamware infecting the sending machine. Note that the
second Received header is completely bogus.
> I looked up some of the servers which are sending me these mails in
> these minutes.
> 151.24.205.44 ppp-44-205.24-151.libero.it
> 200.180.235.71 200-180-235-071.slece200.dial.brasiltelecom.net.br
> 213.156.219.243 usr4-219-243.dial-up.kraft-s.ru
> 62.98.42.191 ppp-191-42.98-62.inwind.it
> 217.43.184.219 host217-43-184-219.range217-43.btcentralplus.com
> 80.230.88.165 tony06-88-165.inter.net.il
Those are almost certainly not 'servers' in any usual sense of the
word. They are compromised Windows machines running the broken
spamware that generates those messages. Those machines are probably
on dialup or other consumer-grade connections that use dynamic
address assignment, so the specific addresses are likely to be used
by some other customer in fairly short order.
> So would it make sense to automatically forward these spams to
> abuse at libero.it, abuse at net.br ... ?
That is debatable, especially since you can't reliably automate
detection of the correct abuse reporting point for any particular IP
address. For example, net.br is not one entity, it is Brazil's local
analog to .net, i.e. a domain under which various entities register
their own domains. There is also a very serious problem with most
ISPs globally that they largely ignore abuse reports that point to
compromised customer machines on dynamic addresses. I can say from
direct experience reporting to most of the ISPs involved in that
list that NONE of those I've reported events to deal with the problem
of their customers' insecure systems in a serious and responsible
fashion.
> Or do you know whether anti-spam organisations would be interested
> in getting this stuff forwarded to update their spammer lists?
That's probably pointless. Except for the Russian address, all of
those addresses are already carried on the SORBS dynamic address
blacklist and some are on other similar lists, so those are very
likely to already be blocked by most sites that do any serious
blocking of mail by IP address. With the ISPs in question unwilling
to take any serious steps toward dealing with the problem of
compromised customer systems, there's really not much any anti-spam
organization can do beyond what is already being done in that area.
One of the implied goals of virtually all of the technical approaches
discussed on this list is to make that sort of spam (i.e. messages
with forged headers and sender envelopes coming out of compromised
systems) universally undeliverable. It is already feasible using
readily available mechanisms for a mail server to reject that
particular strain of broken spamware message because it has a couple
of highly identifiable idiosyncrasies that make it easy to catch. If
your mail provider was doing all they could do to reject spam, you
would never have seen those messages.
--
Bill Cole
bill at scconsult.com
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
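The rule Bill applies above (trust only the Received header your own MX wrote, and treat everything below it as the sender's unverifiable claim) in working code. This is an added example, not code from the post, from the ASRG list or from any product it mentions. It parses the headers quoted in the thread, takes the connecting address from the bracketed literal that mailin.webmailer.de recorded, and then flags the second Received header on two contradictions that are visible in the quoted text itself: it names the address that actually connected as the relaying host, and its timestamp (16:09:40 -0500, i.e. 21:09:40 UTC) is later than the hop above it (22:13:47 +0200, i.e. 20:13:47 UTC). These two checks are this example's own heuristics; the post does not say which idiosyncrasies it has in mind. The trusted-MX set and the re-folding of the header lines are assumptions; the archive's "at" address obfuscation is kept as is because it does not affect the Received parsing.

```python
"""Which Received header can you trust?  Added example, not code from the
ASRG post or from any project it mentions.

Rule: walk the Received headers top-down and stop at the first one stamped
"by" one of your own MXes.  Its bracketed address literal is what actually
connected to you.  Every header below it was written by the sender and is
unverifiable; the example reports two contradictions visible in the quoted
spam: the lower hop says it was relayed *by* the very address that
connected, and it is dated after the hop above it.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the headers from the spam quoted in the post, re-folded
# with the leading whitespace the archive stripped.  The truncated Message-ID
# is left out and the archive's "at" obfuscation is kept.
SAMPLE = """\
X-Envelope-From: <kfsux at starfish.ca>
X-Envelope-To: <slawsonge at edgarschwarz.de>
X-Delivery-Time: 1086898449
Received: from ppp-44-205.24-151.libero.it
 (ppp-44-205.24-151.libero.it [151.24.205.44])
 by mailin.webmailer.de (8.12.10/8.12.10) with SMTP id i5AKCeWx000867;
 Thu, 10 Jun 2004 22:13:47 +0200 (MEST)
Date: Thu, 10 Jun 2004 22:13:47 +0200 (MEST)
From: kfsux at starfish.ca
Received: from 102.12.120.59 by 151.24.205.44; Thu, 10 Jun 2004 16:09:40 -0500

(body omitted)
"""

# Assumption: the hostnames your own inbound MTAs write after "by".
TRUSTED_MX = {"mailin.webmailer.de"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)"             # HELO name or address literal
    r"(?:\s+\((?P<comment>[^)]*)\))?"   # sendmail-style "(rdns [ip])" comment
    r"\s+by\s+(?P<by>[^\s;]+)"          # the host that wrote this header
)


def parse_received(value):
    """Return from/by/client_ip/date for one Received header, or None."""
    flat = " ".join(value.split())      # undo header folding
    m = HOP_RE.search(flat)
    if not m:
        return None
    hop = {"from": m["from"], "by": m["by"], "client_ip": None, "date": None}
    lit = re.search(r"\[(%s)\]" % IPV4, m["comment"] or "")
    if lit:                              # address literal the MTA itself saw
        hop["client_ip"] = lit.group(1)
    elif re.fullmatch(IPV4, m["from"]):  # bare IP: only the writer's claim
        hop["client_ip"] = m["from"]
    if ";" in flat:
        try:
            hop["date"] = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def analyze(raw_message, trusted_mx=TRUSTED_MX):
    """Locate the last hop we stamped ourselves and audit the hops below it."""
    trusted = {h.lower().rstrip(".") for h in trusted_mx}
    received = message_from_string(raw_message).get_all("Received", [])
    hops = [parse_received(v) for v in received]
    result = {"client_ip": None, "trusted_hop": None, "untrusted": []}

    for i, hop in enumerate(hops):
        if hop and hop["by"].lower().rstrip(".") in trusted:
            result["trusted_hop"] = i
            result["client_ip"] = hop["client_ip"]
            break
    if result["trusted_hop"] is None:
        return result   # none of our MXes stamped it: nothing is verifiable

    above = hops[result["trusted_hop"]]
    for hop in hops[result["trusted_hop"] + 1:]:
        if hop is None:
            continue
        finding = {"from": hop["from"], "by": hop["by"],
                   # the claimed relay is the machine that connected to us
                   "by_is_client": hop["by"] == result["client_ip"],
                   # a genuine earlier hop cannot be dated after a later one
                   "later_than_hop_above_s": None}
        if hop["date"] and above["date"]:
            delta = int((hop["date"] - above["date"]).total_seconds())
            if delta > 0:
                finding["later_than_hop_above_s"] = delta
        result["untrusted"].append(finding)
        above = hop
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE)
    print("origin we can vouch for:", r["client_ip"])
    for f in r["untrusted"]:
        print("unverifiable hop:", f)
```

On the sample this reports 151.24.205.44 as the only address worth acting on and marks the "from 102.12.120.59 by 151.24.205.44" hop as both self-contradictory and 3353 seconds later than the hop above it. Neither check proves anything about the real origin beyond the trusted hop; they only show that the sender-supplied header cannot be the record of a real relay, which is why abuse reports should name the address from your own MX's header and nothing below it.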