Tracking Spam
I receive a lot of spam; most of it gets filtered, but some of it finds its way through. Here's a spam message I received today:
From [email protected] Wed Sep 21 12:26:23 2011
Return-Path: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXXXXX
X-Spam-Level: ***
X-Spam-Status: No, score=3.7 required=5.0 tests=BAYES_50,KAM_LOTTO1,
    SPF_HELO_PASS,SPF_PASS,SUBJ_ALL_CAPS,US_DOLLARS_3 autolearn=no version=3.2.5
X-Original-To: XXXXXXXXX
Delivered-To: XXXXXXXXX
Received: from students.itb.ac.id (students.itb.ac.id [167.205.1.72])
    by XXXXXXXXX (Postfix) with ESMTP id 442A2E0108
    for <XXXXXXXXX>; Wed, 21 Sep 2011 12:26:23 +0100 (BST)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by students.itb.ac.id (Postfix) with ESMTP id C1F30B812C;
    Wed, 21 Sep 2011 18:22:45 +0700 (WIT)
X-Virus-Scanned: amavisd-new at students.itb.ac.id
Received: from students.itb.ac.id ([127.0.0.1])
    by localhost (students.itb.ac.id [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id V743lSHN8t0g; Wed, 21 Sep 2011 18:22:45 +0700 (WIT)
Received: from students.itb.ac.id (students.itb.ac.id [167.205.1.72])
    by students.itb.ac.id (Postfix) with ESMTP id E9614B813E;
    Wed, 21 Sep 2011 18:22:27 +0700 (WIT)
Date: Wed, 21 Sep 2011 18:22:27 +0700 (WIT)
From: Sweepstakes Corporation <[email protected]>
Reply-To: "Agent. Mr. Paul Chadwick" <[email protected]>
Message-ID: <[email protected]>
Subject: LUCKY NUMBERS: 07-26-33-09-07-22 (88)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [41.138.242.246]
X-Mailer: Zimbra 5.0.16_GA_2921.RHEL5_64 (zclient/5.0.16_GA_2921.RHEL5_64)
To: undisclosed-recipients: ;
X-UID: 80573
Status: O
Content-Length: 1884

Dear Beneficiary,

It is our pleasure to inform you on our successfully organized Sweepstakes which was organized this year 2011 and we rolled out over US$ 725,989,087 for the yearly Anniversary Draws, which participants for the draws were randomly selected and drawn from a wide range of web hosts which we enjoy their patronage.

NOTE: {TICKET NUMBERS: 234-807-395-8109 ,SERIAL NUMBERS: MICROSOFT/1276-009, LUCKY NUMBERS: 07-26-33-09-07-22 (88)

Your email address have been selected in the MICROSOFT 2011 lottery promotion, you have a winning prize of £ 9,000,000 ( Nine Million British Pounds) as one of the jackpot winner in this draw. Please be informed by this winning notification to file your claims immediately.

Contact your referred agent with your verification information as required on the form below:

Address: 26 High Street Starbeck Harrogate North Yorkshire, England HG2 7HY
Referred Agent : Mr . Paul Chadwick
Tel: +44-702 409 4558
Email: [email protected]

Name: ..................................
Country of Origin.......................
Place of Residence......................
Occupation..............................
Sex/Age.................................
Telephone/Fax...........................
Winning Email ID........................

You have Two (2) weeks from the date of this publication to claim your prize or you may forfeit your winnings. Thank you for being part of our commemorative our end of year draws.

NOTE: DUE TO THE PRESENT ECONOMIC SITUATION IN THE WORLD AND FRAUDSTERS AS WELL, YOUR WINNING FUNDS WILL BE MADE READY TO YOUR HOME ACCOUNT BY THE ASSIGNED TRANSFERRING BANK WHICH HAVE BEEN GIVEN THE AUTHORITY BY MICROSOFT LOTTERY TO EFFECT TRANSFER TO WINNERS HOME BANK ACCOUNT UNDER 48 HOURS.

Mr. Kassandra Dickerson
Public Relations Officer
© 2011 Microsoft Sweepstakes Corporation
students.itb.ac.id appears to be a student webmail server for an Indonesian university. I did a quick nmap of the server:
$ nmap students.itb.ac.id

Starting Nmap 4.62 ( http://nmap.org ) at 2011-09-21 15:47 BST
Interesting ports on students.itb.ac.id (167.205.1.72):
Not shown: 1675 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
60/tcp   open   unknown
79/tcp   open   finger
80/tcp   open   http
81/tcp   open   hosts2-ns
137/tcp  open   netbios-ns
143/tcp  open   imap
336/tcp  open   unknown
338/tcp  open   unknown
443/tcp  closed https
487/tcp  open   saft
497/tcp  open   retrospect
501/tcp  open   stmf
551/tcp  open   cybercash
554/tcp  closed rtsp
568/tcp  open   ms-shuttle
606/tcp  open   urm
674/tcp  open   acap
718/tcp  open   unknown
775/tcp  open   entomb
778/tcp  open   unknown
812/tcp  open   unknown
877/tcp  open   unknown
887/tcp  open   unknown
899/tcp  open   unknown
974/tcp  open   unknown
993/tcp  open   imaps
1017/tcp open   unknown
1350/tcp open   editbench
1401/tcp open   goldleaf-licman
1529/tcp open   support
1536/tcp open   ampr-inter
1984/tcp open   bigbrother
2004/tcp open   mailbox
2047/tcp open   dls
2628/tcp open   dict
3001/tcp open   nessus
3372/tcp open   msdtc
5060/tcp open   sip
That’s a lot of open ports!!!!!!!
Strange thing is, if I run it again, I get a different set of open ports!
nmap students.itb.ac.id

Starting Nmap 4.62 ( http://nmap.org ) at 2011-09-21 16:12 BST
Interesting ports on students.itb.ac.id (167.205.1.72):
Not shown: 1689 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    open   smtp
51/tcp    open   la-maint
80/tcp    open   http
81/tcp    open   hosts2-ns
110/tcp   open   pop3
143/tcp   open   imap
187/tcp   open   aci
207/tcp   open   at-7
327/tcp   open   unknown
443/tcp   closed https
446/tcp   open   ddm-rdb
554/tcp   closed rtsp
625/tcp   open   apple-xsrvr-admin
695/tcp   open   unknown
850/tcp   open   unknown
876/tcp   open   unknown
993/tcp   open   imaps
1030/tcp  open   iad1
1477/tcp  open   ms-sna-server
1545/tcp  open   vistium-share
3268/tcp  open   globalcatLDAP
4045/tcp  open   lockd
6103/tcp  open   RETS-or-BackupExec
6547/tcp  open   powerchuteplus
18000/tcp open   biimenu
I guess “something” is confusing nmap. I tried using a TCP connect scan, rather than a SYN scan:
nmap -sT students.itb.ac.id

Starting Nmap 4.62 ( http://nmap.org ) at 2011-09-21 16:16 BST
Interesting ports on students.itb.ac.id (167.205.1.72):
Not shown: 1706 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
81/tcp  open   hosts2-ns
110/tcp open   pop3
143/tcp open   imap
443/tcp closed https
554/tcp closed rtsp
993/tcp open   imaps

Nmap done: 1 IP address (1 host up) scanned in 73.519 seconds
That looks more sensible! And when I try the ports, those are actually open.
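To show how a defender can triage the three runs above without trusting any one of them, here is an added example (my own Python, standard library only, not code from the original post) that parses nmap's port table, keeps only the ports every run agreed on, and lists the ports a SYN scan claimed open that the connect scan never completed a handshake on. The scan text is copied from the three runs above in the flattened form shown on this page; the parser matches entries by pattern, so nmap's normal output parses the same way.

```python
"""Separate the ports repeated nmap runs agree on from the ones that flap.
Added example, Python 3 standard library only; not the author's code."""
import re

# The three scans quoted above, in the flattened form they appear in on the page.
# Only the port table matters; the parser ignores the surrounding text.
SYN_SCAN_1 = """
22/tcp open ssh 25/tcp open smtp 60/tcp open unknown 79/tcp open finger
80/tcp open http 81/tcp open hosts2-ns 137/tcp open netbios-ns 143/tcp open imap
336/tcp open unknown 338/tcp open unknown 443/tcp closed https 487/tcp open saft
497/tcp open retrospect 501/tcp open stmf 551/tcp open cybercash 554/tcp closed rtsp
568/tcp open ms-shuttle 606/tcp open urm 674/tcp open acap 718/tcp open unknown
775/tcp open entomb 778/tcp open unknown 812/tcp open unknown 877/tcp open unknown
887/tcp open unknown 899/tcp open unknown 974/tcp open unknown 993/tcp open imaps
1017/tcp open unknown 1350/tcp open editbench 1401/tcp open goldleaf-licman
1529/tcp open support 1536/tcp open ampr-inter 1984/tcp open bigbrother
2004/tcp open mailbox 2047/tcp open dls 2628/tcp open dict 3001/tcp open nessus
3372/tcp open msdtc 5060/tcp open sip
"""
SYN_SCAN_2 = """
22/tcp open ssh 25/tcp open smtp 51/tcp open la-maint 80/tcp open http
81/tcp open hosts2-ns 110/tcp open pop3 143/tcp open imap 187/tcp open aci
207/tcp open at-7 327/tcp open unknown 443/tcp closed https 446/tcp open ddm-rdb
554/tcp closed rtsp 625/tcp open apple-xsrvr-admin 695/tcp open unknown
850/tcp open unknown 876/tcp open unknown 993/tcp open imaps 1030/tcp open iad1
1477/tcp open ms-sna-server 1545/tcp open vistium-share 3268/tcp open globalcatLDAP
4045/tcp open lockd 6103/tcp open RETS-or-BackupExec 6547/tcp open powerchuteplus
18000/tcp open biimenu
"""
CONNECT_SCAN = """
22/tcp open ssh 25/tcp open smtp 80/tcp open http 81/tcp open hosts2-ns
110/tcp open pop3 143/tcp open imap 443/tcp closed https 554/tcp closed rtsp
993/tcp open imaps
"""

# One nmap port-table entry: "<port>/<proto> <state> <service>". Matching on the
# pattern rather than on line structure means copy-pasted, unwrapped output parses
# exactly like nmap's normal output (-oN).
PORT_ENTRY = re.compile(
    r"(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered|unfiltered)\s+(\S+)"
)


def parse_nmap(text):
    """Return {port: (state, service)} for the TCP entries in an nmap port table."""
    return {int(port): (state, service)
            for port, proto, state, service in PORT_ENTRY.findall(text)
            if proto == "tcp"}


def open_ports(scan):
    """The set of port numbers a parsed scan reports as open."""
    return {port for port, (state, _) in scan.items() if state == "open"}


def triage(scans):
    """Ports open in every scan are worth trusting; ports open in only some
    scans are noise until a full handshake confirms them."""
    opens = [open_ports(s) for s in scans]
    stable = set.intersection(*opens)
    return {"stable_open": sorted(stable),
            "flapping": sorted(set.union(*opens) - stable)}


def unconfirmed_by_connect(syn_scans, connect_scan):
    """Ports some SYN scan called open that the TCP connect scan did not."""
    claimed = set.union(*(open_ports(s) for s in syn_scans))
    return sorted(claimed - open_ports(connect_scan))


if __name__ == "__main__":
    scans = [parse_nmap(t) for t in (SYN_SCAN_1, SYN_SCAN_2, CONNECT_SCAN)]
    print(triage(scans))
    print("SYN-only:", unconfirmed_by_connect(scans[:2], scans[2]))
```

Only 22, 25, 80, 81, 143 and 993 survive all three runs; 110 (pop3) appears in the second SYN scan and the connect scan but was reported filtered in the first, and 49 ports the SYN scans called open were never confirmed by a completed handshake. That is the pattern to expect when something between you and the host answers SYNs on its behalf, and it is why a connect scan is the right cross-check before reading anything into a port list.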
A scan with http://www.checkor.com/ shows that it's not running as an open relay. That and the headers suggest that the mail is originating on this server, either through a compromised Zimbra account (it's running a Zimbra server) or a compromised server. The server lists an admin email so I'll drop them a mail. But I doubt I'll get a response… wonder where I can take the investigation from here?
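One way to pull the origin out of those headers mechanically, as an added example (Python 3 standard library, not the author's code): walk the Received: chain from the bottom up, find the first hop whose client address is routable, and read X-Originating-IP, which Zimbra sets to the address of the webmail user's browser. The header block is the one quoted above, re-folded one header per line with the same redactions.

```python
"""Walk the Received: chain of the lottery spam's headers.
Added example, Python 3 standard library only; not the author's code."""
import ipaddress
import re
from email import message_from_string

# The header block of the message quoted above, one header per line. Recipient
# addresses stay redacted as XXXXXXXXX and sender addresses keep the
# [email protected] placeholders exactly as they appear on the page.
LOTTERY_HEADERS = """\
Return-Path: [email protected]
X-Original-To: XXXXXXXXX
Delivered-To: XXXXXXXXX
Received: from students.itb.ac.id (students.itb.ac.id [167.205.1.72])
 by XXXXXXXXX (Postfix) with ESMTP id 442A2E0108
 for <XXXXXXXXX>; Wed, 21 Sep 2011 12:26:23 +0100 (BST)
Received: from localhost (localhost.localdomain [127.0.0.1])
 by students.itb.ac.id (Postfix) with ESMTP id C1F30B812C;
 Wed, 21 Sep 2011 18:22:45 +0700 (WIT)
X-Virus-Scanned: amavisd-new at students.itb.ac.id
Received: from students.itb.ac.id ([127.0.0.1])
 by localhost (students.itb.ac.id [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id V743lSHN8t0g; Wed, 21 Sep 2011 18:22:45 +0700 (WIT)
Received: from students.itb.ac.id (students.itb.ac.id [167.205.1.72])
 by students.itb.ac.id (Postfix) with ESMTP id E9614B813E;
 Wed, 21 Sep 2011 18:22:27 +0700 (WIT)
Date: Wed, 21 Sep 2011 18:22:27 +0700 (WIT)
From: Sweepstakes Corporation <[email protected]>
Subject: LUCKY NUMBERS: 07-26-33-09-07-22 (88)
X-Originating-IP: [41.138.242.246]
X-Mailer: Zimbra 5.0.16_GA_2921.RHEL5_64 (zclient/5.0.16_GA_2921.RHEL5_64)

"""

# "from <helo> (<rdns> [<ip>]) ... by <mta>": the name the client gave in HELO,
# the reverse-DNS name and address the receiving MTA saw (both optional), and the
# MTA that wrote the line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)


def received_chain(raw_headers):
    """Parse every Received: header and return the hops oldest-first.

    MTAs prepend Received: lines, so the topmost header is the last hop (our own
    MX) and the bottom one is the first MTA the message touched."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header first
        if m:
            hops.append(m.groupdict())
    return hops


def is_external(ip):
    """True for a routable address; False for loopback, private, or no address."""
    if not ip:
        return False
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def mail_origin(raw_headers):
    """Summarise where the message entered the mail system."""
    msg = message_from_string(raw_headers)
    hops = received_chain(raw_headers)
    entry = next((h for h in hops if is_external(h["ip"])), None)
    originating = (msg.get("X-Originating-IP") or "").strip("[] ")
    return {
        "hops": len(hops),
        "entry_server": entry["by"] if entry else None,       # first MTA fed by a routable client
        "entry_client_ip": entry["ip"] if entry else None,    # the address that fed it
        "webmail_client_ip": originating or None,             # set by Zimbra's web client
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    for key, val in mail_origin(LOTTERY_HEADERS).items():
        print(f"{key:>18}: {val}")
```

For the lottery mail the first routable hop is students.itb.ac.id accepting the message from itself (the webmail application submitting through the local Postfix), and X-Originating-IP points at 41.138.242.246. That combination is what a logged-in webmail session looks like rather than an open relay, which agrees with the checkor.com result, and the originating address plus the queue IDs are the details worth including when writing to the server's admin.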
Interestingly, I looked at another spam message. It also came from a student mail server. This time it looks like PHPMailer. Is this the current popular vector for sending spam? Compromised webmail accounts?
From [email protected] Wed Sep 21 13:07:17 2011
Return-Path: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXX
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_00,HTML_IMAGE_ONLY_12,
    HTML_MESSAGE,RDNS_NONE,SPF_PASS autolearn=no version=3.2.5
X-Original-To: XXXXXX
Delivered-To: XXXXXX
Received: from [41.225.54.189] (unknown [41.225.54.189])
    by XXXXXXX (Postfix) with ESMTP id 1702EE0107
    for <XXXXXX>; Wed, 21 Sep 2011 13:06:17 +0100 (BST)
Received: from apache by spcollege.edu with local (Exim 4.63)
    (envelope-from <[email protected]>)
    id ZXDS83-H1HPZD-JI
    for <XXXXXX>; Wed, 21 Sep 2011 13:06:17 +0100
To: XXXXXXX
Subject: ACH payment rejected
Date: Wed, 21 Sep 2011 13:06:17 +0100
From: [email protected]
Message-ID: <FD310F91C9E4762E4B5852F3F44D00DB@mdbheeowbjmaovaemaouxj.spcollege.edu>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------07050100901020407070209"
X-UID: 80574
Status: RO
Content-Length: 2044

Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"

The ACH transaction (ID: 4152103091357), recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.

Rejected transaction
Transaction ID: 4152103091357
Reason for rejection: See details in the report below
Transaction Report: report_4152103091357.pdf.exe (self-extracting archive, Adobe PDF)

Please click here to download report: http://nachausers-instructions.com

------------
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2011 NACHA - The Electronic Payments Association
I receive a lot of those ACH mails. Here’s another:
From [email protected] Tue Sep 20 09:28:31 2011
Return-Path: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXXX
X-Spam-Level: ****
X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_00,HELO_LOCALHOST,
    HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_SORBS_DUL,RDNS_NONE,SPF_PASS
    autolearn=no version=3.2.5
X-Original-To: XXXXXXX
Delivered-To: XXXXXX
Received: from localhost (unknown [113.165.16.70])
    by XXXXXX (Postfix) with ESMTP id D8258E0107
    for <XXXXXX>; Tue, 20 Sep 2011 09:28:30 +0100 (BST)
Received: from (192.168.1.79) by multiform.at (113.165.16.70)
    with Microsoft SMTP Server id 8.0.685.24; Tue, 20 Sep 2011 14:53:30 +0630
Message-ID: <[email protected]>
Date: Tue, 20 Sep 2011 14:53:30 +0630
From: [email protected]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
MIME-Version: 1.0
To: XXXXXX
Subject: Your ACH transaction
Content-Type: multipart/alternative; boundary="------------08080600905030507030903"
X-UID: 80441
Status: RO
Content-Length: 2038

Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

The ACH transaction (ID: 97908134103271), recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transfer
Transaction ID: 97908134103271
Reason of rejection: See details in the report below
Transaction Report: report_97908134103271.pdf.exe (self-extracting archive, Adobe PDF)

Please click here to download report: http://nacha-industry.com

------------
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2011 NACHA - The Electronic Payments Association
That localhost address is weird too. Is that designed to get round spam filters that pass through mail coming from the localhost? (FYI, that's not my localhost, it's a weird DNS entry.) Here's what happens when you do a lookup on that address:
nslookup
> 113.165.16.70
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
70.16.165.113.in-addr.arpa      name = localhost.
The IP address appears to belong to Vietnam Post and Telecom Corporation (VNPT). That host itself appears to be down. I'm guessing that's a compromised broadband connection. I'll try dropping them a mail anyway.
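SpamAssassin already scored the third message with HELO_LOCALHOST and RDNS_NONE (and RCVD_IN_SORBS_DUL, a dynamic-address listing that fits the broadband guess), and the code below shows why those checks are cheap for a receiving MTA to make. It is an added example (Python 3 standard library, not the author's code) that judges three things about a connecting client: the name it gave in HELO, the PTR record for its address, and whether that PTR forward-confirms back to the same address. DNS answers come from a constructed table so it runs offline; the PTR for 113.165.16.70 is the one the nslookup above returned, the PTR for 167.205.1.72 is the name the recipient's Postfix logged for it in the first message, the forward (A) answers are assumptions, and socket.gethostbyaddr / socket.gethostbyname_ex would replace the table for live lookups.

```python
"""Judge the hostname a connecting MTA claims against what DNS says about its
address. Added example, Python 3 standard library only; not the author's code."""
import ipaddress

# Constructed DNS view for this example. The PTR for 113.165.16.70 is the answer
# quoted from the nslookup output above; the PTR for 167.205.1.72 is the name the
# receiving Postfix logged in the first message; the A records are assumptions.
CONSTRUCTED_DNS = {
    "ptr": {
        "113.165.16.70": "localhost.",
        "167.205.1.72": "students.itb.ac.id.",
        # 41.225.54.189 deliberately has no PTR: Postfix logged it as "unknown"
    },
    "a": {
        "localhost": ["127.0.0.1"],
        "students.itb.ac.id": ["167.205.1.72"],
    },
}

# Names that only ever belong to the receiving host itself; a remote client
# presenting one of these is lying about who it is.
BOGUS_NAMES = {"localhost", "localhost.localdomain"}


def normalise(name):
    """Lower-case and drop the trailing dot DNS tools print on absolute names."""
    return name.rstrip(".").lower()


def helo_verdict(helo, client_ip):
    """RFC 5321 lets a client send its FQDN or an address literal [ip].
    'localhost' from a non-loopback address is a forgery of the relay's own name."""
    ip = ipaddress.ip_address(client_ip)
    name = normalise(helo.strip("[]"))
    if name in BOGUS_NAMES and not ip.is_loopback:
        return "bogus-helo"
    if helo.startswith("[") and helo.endswith("]"):
        return "literal-match" if name == str(ip) else "literal-mismatch"
    return "name"


def rdns_verdict(client_ip, dns):
    """Forward-confirmed rDNS: PTR -> name, then name -> A must include client_ip."""
    ptr = dns["ptr"].get(client_ip)
    if ptr is None:
        return "no-ptr"                 # what SpamAssassin's RDNS_NONE is about
    name = normalise(ptr)
    if name in BOGUS_NAMES:
        return "bogus-ptr"              # the 113.165.16.70 case: PTR says localhost
    if client_ip in dns["a"].get(name, []):
        return "confirmed"
    return "unconfirmed"                # PTR exists but does not point back


def classify(helo, client_ip, dns=CONSTRUCTED_DNS):
    """Combine the HELO and reverse-DNS verdicts for one connecting client."""
    return {"helo": helo_verdict(helo, client_ip),
            "rdns": rdns_verdict(client_ip, dns)}


if __name__ == "__main__":
    # The three clients that handed the messages above to the recipient's MX.
    for helo, ip in (("students.itb.ac.id", "167.205.1.72"),
                     ("[41.225.54.189]", "41.225.54.189"),
                     ("localhost", "113.165.16.70")):
        print(f"{helo:>20} from {ip:<15} -> {classify(helo, ip)}")
```

A filter that whitelisted on the name a client presents, rather than on the address it connects from, is the kind a forged HELO of localhost would slip past; treating the HELO and the PTR as untrusted claims to be scored, as SpamAssassin does, is the safer design. The only trustworthy fact in that Received line is the address 113.165.16.70 the MX actually saw the connection come from.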