Spammers Go Full Circle    



In the last little while I have seen more spam showing up in my inbox. The type of spam presenting itself has been mostly stock market scams, and dangerous click here emails which I assume are the doorway to some impressive piece of malware.

My curiosity was piqued. I was wondering how did spam of this caliber end up getting past my grey-listing filter. Let me give a short lesson on grey listing so that you can understand. Some facts up front; herds of computers in a BOT-NET do not have a mail queue to ensure best effort delivery of email. Computers in a BOT-NET simply spew out email and hope for the best.

Grey-listing as a defense was based on this principle and works well at defeating BOT-NET based spam in a simple way. The grey-list equipped mail server disallows the first connection attempt. Simultaneously, the grey-list program remembers some key facts about the email. If another email shows up later, after the administratively configured time limit with matching criteria, then the email servers allows the email to flow.

One can see how this really puts a stop to BOT-NET sourced spam, as the source of the spam has no mail queue. And now you can see why I have been intrigued. After a bit of research I figured it out: The people who are sending spam are back to their old trick of using email servers with a mail queue - and not their own. I reviewed the email headers (options for you MS people) and saw the information below.

(This is not a complete header as I sanitized the information.)
Return-Path: 
Received: from mail.esubnet.com ([unix socket]) 
by mail (Cyrus v2.2.12-InvocaXXXXXXXXXXXX) with LMTPA;
Wed, 30 Jan 2008 14:44:36 -0500
X-Sieve: CMU Sieve 2.2
Received: by mail.esubnet.com (Postfix, )
id F0CA137A422; Wed, 30 Jan 2008 14:44:35 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.X.X () on mail
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=3.5 tests=DATE_IN_FUTURE_03_06,
HTML_MESSAGE autolearn=no version=3.X.X
Received: from qbatq.veloxzone.com.br (20179035246.user.veloxzone.com.br
  [201.79.35.246] (may be forged))
By mail1.esubnet.com (8.13.8/8.13.8) with SMTP id m0UJtAr4005896 for
 ; Wed, 30 Jan 2008 14:55:11 -0500
Date: Wed, 30 Jan 2008 22:55:11 +0000
From: "Milwee Shearon" 
X-Mailer: The Bat! (3.51.3) Professional
Reply-To: Milwee Shearon 
X-Priority: 3 (Normal)
Message-ID: <7593134680.20080130194557@emediawire.com>
To: 
Subject: neoplasms
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------F02EBE428BD1C4"
X-Greylist: Delayed for 00:10:07 by milter-greylist-2.0.2 (mail.esubnet.com
 [10.10.10.10]); Wed, 30 Jan 2008 14:55:11 -0500 (EST)
The email message ID and the source address originate all over the web. I have seen this repeated across many samples of spam. It looks like a new round in the spam deliver/block battle is underway. Now might be a good time to ensure that your support contracts are up to date and do not lapse.

Originally published January, 2008
Fragment - Current Release


Articles
Administration

IT Roles and Responsibilities
App_Sec
BCP STATS
On Passwords
Spending Enough
Planning to Fail
Living With the Enemy
A Reason for Policy
Mission Critical Messaging – Do you have a policy
Globalizing the SMB
High Availability: People and Processes
Case for Project Management
Risk Management
Networking

On Routing
VLAN Tutorial
IPs 4 Golden Rules
WAN Technology primer
DHCP Primer
Your Head in the Cloud(s)
DNS: Terms and Process
VPN Surfing Challenge
Network Slowdown
Importance of Time
High Availability: Technologies
Security

Spammers Go Full Circle
Beyond the Lock
The Guardian at the Gate
A Web of Trust
Data Breach Notification
Misc

Electricity Primer
Documentation-101
Data Control
Open Source in the Enterprise
Closing the Loop
Helping IT to help you
Your ICT Keystone

eSubnet Services

Contact us regarding your network,
security and Internet services needs




All content © eSubnet 2003-2017
ESUBNET ENTERPRISES INC. TORONTO CANADA