Tracking Spam

I receive a lot of spam; most of it gets filtered, but some of it finds its way through. Here’s a spam message I received today:

From [email protected] Wed Sep 21 12:26:23 2011
Return-Path: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXXXXX
X-Spam-Level: ***
X-Spam-Status: No, score=3.7 required=5.0 tests=BAYES_50,KAM_LOTTO1,
SPF_HELO_PASS,SPF_PASS,SUBJ_ALL_CAPS,US_DOLLARS_3 autolearn=no
version=3.2.5
X-Original-To: XXXXXXXXX
Delivered-To: XXXXXXXXX
Received: from students.itb.ac.id (students.itb.ac.id [167.205.1.72])
by XXXXXXXXX (Postfix) with ESMTP id 442A2E0108
for <XXXXXXXXX>; Wed, 21 Sep 2011 12:26:23 +0100 (BST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by students.itb.ac.id (Postfix) with ESMTP id C1F30B812C;
Wed, 21 Sep 2011 18:22:45 +0700 (WIT)
X-Virus-Scanned: amavisd-new at students.itb.ac.id
Received: from students.itb.ac.id ([127.0.0.1])
by localhost (students.itb.ac.id [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id V743lSHN8t0g; Wed, 21 Sep 2011 18:22:45 +0700 (WIT)
Received: from students.itb.ac.id (students.itb.ac.id [167.205.1.72])
by students.itb.ac.id (Postfix) with ESMTP id E9614B813E;
Wed, 21 Sep 2011 18:22:27 +0700 (WIT)
Date: Wed, 21 Sep 2011 18:22:27 +0700 (WIT)
From: Sweepstakes Corporation <[email protected]>
Reply-To: "Agent. Mr. Paul Chadwick" <[email protected]>
Message-ID: <[email protected]>
Subject: LUCKY NUMBERS: 07-26-33-09-07-22 (88)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [41.138.242.246]
X-Mailer: Zimbra 5.0.16_GA_2921.RHEL5_64 (zclient/5.0.16_GA_2921.RHEL5_64)
To: undisclosed-recipients: ;
X-UID: 80573
Status: O
Content-Length: 1884

Dear Beneficiary,

It is our pleasure to inform you on our successfully organized Sweepstakes which was organized this year 2011 and we rolled out over US$ 725,989,087 for the yearly Anniversary Draws, which participants for the draws were randomly selected and drawn from a wide range of web hosts which we enjoy their patronage. NOTE: {TICKET NUMBERS: 234-807-395-8109 ,SERIAL
+NUMBERS: MICROSOFT/1276-009, LUCKY NUMBERS: 07-26-33-09-07-22 (88)
Your email address have been selected in the MICROSOFT 2011 lottery promotion, you have a winning prize of £ 9,000,000 ( Nine Million British Pounds) as one of the jackpot winner in this draw. Please be informed by this winning notification to file your claims immediately. Contact your referred agent with your verification information as required on the form below: 

Address: 26 High Street Starbeck Harrogate North Yorkshire, England HG2 7HY
 
Referred Agent : Mr . Paul Chadwick Tel: +44-702 409 4558 
Email: [email protected] 
Name: .................................. 
Country of Origin....................... 
Place of Residence...................... 
Occupation.............................. 
Sex/Age................................. 
Telephone/Fax........................... 
Winning Email ID........................ 

You have Two (2) weeks from the date of this publication to claim your prize or you may forfeit your winnings. Thank you for being part of our commemorative our end of year draws.
NOTE: DUE TO THE PRESENT ECONOMIC SITUATION IN THE WORLD AND FRAUDSTERS AS WELL, YOUR WINNING FUNDS WILL BE MADE READY TO YOUR HOME ACCOUNT BY THE ASSIGNED TRANSFERRING BANK WHICH HAVE BEEN GIVEN THE AUTHORITY BY MICROSOFT LOTTERY TO EFFECT TRANSFER TO WINNERS HOME BANK ACCOUNT UNDER 48 HOURS. Mr. Kassandra Dickerson Public Relations Officer © 2011 Microsoft Sweepstakes Corporation

students.itb.ac.id appears to be a student webmail server for an Indonesian university. I did a quick nmap of the server:

$ nmap students.itb.ac.id

Starting Nmap 4.62 ( http://nmap.org ) at 2011-09-21 15:47 BST
Interesting ports on students.itb.ac.id (167.205.1.72):
Not shown: 1675 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
60/tcp open unknown
79/tcp open finger
80/tcp open http
81/tcp open hosts2-ns
137/tcp open netbios-ns
143/tcp open imap
336/tcp open unknown
338/tcp open unknown
443/tcp closed https
487/tcp open saft
497/tcp open retrospect
501/tcp open stmf
551/tcp open cybercash
554/tcp closed rtsp
568/tcp open ms-shuttle
606/tcp open urm
674/tcp open acap
718/tcp open unknown
775/tcp open entomb
778/tcp open unknown
812/tcp open unknown
877/tcp open unknown
887/tcp open unknown
899/tcp open unknown
974/tcp open unknown
993/tcp open imaps
1017/tcp open unknown
1350/tcp open editbench
1401/tcp open goldleaf-licman
1529/tcp open support
1536/tcp open ampr-inter
1984/tcp open bigbrother
2004/tcp open mailbox
2047/tcp open dls
2628/tcp open dict
3001/tcp open nessus
3372/tcp open msdtc
5060/tcp open sip

That’s a lot of open ports!!!!!!!

Strange thing is, if I run it again, I get a different set of open ports!

$ nmap students.itb.ac.id

Starting Nmap 4.62 ( http://nmap.org ) at 2011-09-21 16:12 BST
Interesting ports on students.itb.ac.id (167.205.1.72):
Not shown: 1689 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
51/tcp open la-maint
80/tcp open http
81/tcp open hosts2-ns
110/tcp open pop3
143/tcp open imap
187/tcp open aci
207/tcp open at-7
327/tcp open unknown
443/tcp closed https
446/tcp open ddm-rdb
554/tcp closed rtsp
625/tcp open apple-xsrvr-admin
695/tcp open unknown
850/tcp open unknown
876/tcp open unknown
993/tcp open imaps
1030/tcp open iad1
1477/tcp open ms-sna-server
1545/tcp open vistium-share
3268/tcp open globalcatLDAP
4045/tcp open lockd
6103/tcp open RETS-or-BackupExec
6547/tcp open powerchuteplus
18000/tcp open biimenu

I guess “something” is confusing nmap. I tried using a TCP connect scan, rather than a SYN scan:

$ nmap -sT students.itb.ac.id

Starting Nmap 4.62 ( http://nmap.org ) at 2011-09-21 16:16 BST
Interesting ports on students.itb.ac.id (167.205.1.72):
Not shown: 1706 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  open   smtp
80/tcp  open   http
81/tcp  open   hosts2-ns
110/tcp open   pop3
143/tcp open   imap
443/tcp closed https
554/tcp closed rtsp
993/tcp open   imaps
Nmap done: 1 IP address (1 host up) scanned in 73.519 seconds

That looks more sensible! And when I try the ports, those are actually open.

A scan with http://www.checkor.com/ shows that it’s not running as an open relay. That and the headers suggest that the mail is originating on this server, either through a compromised Zimbra account (it’s running a Zimbra server) or a compromised server. The server lists an admin email so I’ll drop them a mail. But I doubt I’ll get a response… wonder where I can take the investigation from here?

Interestingly, I looked at another spam message. It also came from a student mail server. This time it looks like PHPMailer. Is this the current popular vector for sending spam? Compromised webmail accounts?

From [email protected]  Wed Sep 21 13:07:17 2011
Return-Path: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXX
X-Spam-Level:
X-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_00,HTML_IMAGE_ONLY_12,
        HTML_MESSAGE,RDNS_NONE,SPF_PASS autolearn=no version=3.2.5
X-Original-To: XXXXXX
Delivered-To: XXXXXX
Received: from [41.225.54.189] (unknown [41.225.54.189])
        by XXXXXXX (Postfix) with ESMTP id 1702EE0107
        for <XXXXXX>; Wed, 21 Sep 2011 13:06:17 +0100 (BST)
Received: from apache by spcollege.edu with local (Exim 4.63)
        (envelope-from <[email protected]>)
        id ZXDS83-H1HPZD-JI
for <XXXXXX>; Wed, 21 Sep 2011 13:06:17 +0100

To: XXXXXXX
Subject: ACH payment rejected
Date: Wed, 21 Sep 2011 13:06:17 +0100
From: [email protected]
Message-ID: <FD310F91C9E4762E4B5852F3F44D00DB@mdbheeowbjmaovaemaouxj.spcollege.edu>
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------07050100901020407070209"
X-UID: 80574
Status: RO
Content-Length: 2044
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"

The ACH  transaction (ID: 4152103091357), recently initiated from your  checking account (by you or any other person), was canceled
by the  other financial institution.

Rejected transaction
Transaction ID: 4152103091357
Reason for rejection  See details in the report below

Transaction Report
report_4152103091357.pdf.exe (self-extracting archive, Adobe PDF)
Please click here to download report:
http://nachausers-instructions.com
------------
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2011 NACHA - The Electronic Payments Association

I receive a lot of those ACH mails. Here’s another:

From [email protected]  Tue Sep 20 09:28:31 2011
Return-Path: [email protected]
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXXX
X-Spam-Level: ****
X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_00,HELO_LOCALHOST,
        HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_SORBS_DUL,RDNS_NONE,SPF_PASS
        autolearn=no version=3.2.5
X-Original-To: XXXXXXX
Delivered-To: XXXXXX
Received: from localhost (unknown [113.165.16.70])
        by XXXXXX (Postfix) with ESMTP id D8258E0107
        for <XXXXXX>; Tue, 20 Sep 2011 09:28:30 +0100 (BST)
Received: from  (192.168.1.79) by multiform.at (113.165.16.70) with Microsoft
        SMTP Server id 8.0.685.24; Tue, 20 Sep 2011 14:53:30 +0630
Message-ID: <[email protected]>
Date: Tue, 20 Sep 2011 14:53:30 +0630
From: [email protected]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20101112 Thunderbird/3.1.4
MIME-Version: 1.0
To: XXXXXX
Subject: Your ACH transaction
Content-Type: multipart/alternative;
        boundary="------------08080600905030507030903"
X-UID: 80441
Status: RO
Content-Length: 2038
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

The ACH  transaction (ID: 97908134103271), recently initiated from your bank account (by you or any other person), was  rejected by  +the  Electronic Payments Association.

Canceled transfer
Transaction ID: 97908134103271

Reason of rejection  See details in the report below

Transaction Report
report_97908134103271.pdf.exe (self-extracting archive, Adobe PDF) Please click here to download report:

http://nacha-industry.com

------------
13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2011 NACHA - The Electronic Payments Association
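The two ACH lures share the same tells: a "report" whose name ends in .pdf.exe, a line admitting it is a self-extracting archive, and a download link on a domain that merely contains the word "nacha". Here is an added Python example (mine, not from this post) that runs those checks over the visible text of both messages plus a constructed benign control. The brand keyword list and the allow-list of real NACHA hosts are assumptions a defender would maintain locally; the sample bodies are constructed from the mails quoted above.

```python
import re

# Constructed samples: the visible text of the two ACH lures quoted above, trimmed.
ACH_LURES = {
    "spcollege": """The ACH transaction (ID: 4152103091357), recently initiated from your checking account (by you or any other person), was canceled by the other financial institution.
Rejected transaction
Transaction ID: 4152103091357
Transaction Report
report_4152103091357.pdf.exe (self-extracting archive, Adobe PDF)
Please click here to download report:
http://nachausers-instructions.com
2011 NACHA - The Electronic Payments Association
""",
    "multiform": """The ACH transaction (ID: 97908134103271), recently initiated from your bank account (by you or any other person), was rejected by the Electronic Payments Association.
Canceled transfer
Transaction ID: 97908134103271
Transaction Report
report_97908134103271.pdf.exe (self-extracting archive, Adobe PDF) Please click here to download report:
http://nacha-industry.com
2011 NACHA - The Electronic Payments Association
""",
}

# Constructed benign control: mentions ACH and NACHA but carries no lure.
BENIGN = """Your ACH direct deposit for September has been scheduled.
Statements are available at https://www.nacha.org/
"""

# A document-looking name followed by an executable extension.
DOUBLE_EXT = re.compile(
    r"\b[\w-]+\.(?:pdf|doc|docx|xls|xlsx|zip|jpg|txt)\.(?:exe|scr|com|bat|pif|cmd|js)\b",
    re.I,
)
LINK_HOST = re.compile(r"https?://([^\s/\"'<>]+)", re.I)
ARCHIVE_AS_DOC = re.compile(r"self-extracting archive", re.I)

# Assumptions: brand keywords worth watching in link hosts, and the allow-list of
# hosts that brand legitimately uses (nacha.org is NACHA's own site).
BRAND_KEYWORDS = ("nacha",)
ALLOWED_HOSTS = {"nacha.org", "www.nacha.org"}


def lure_indicators(body):
    """Return human-readable indicators found in one message body."""
    found = []
    for name in DOUBLE_EXT.findall(body):
        found.append(f"double-extension attachment name: {name}")
    if ARCHIVE_AS_DOC.search(body):
        found.append("executable archive presented as a document")
    for host in LINK_HOST.findall(body):
        host = host.lower()
        if host in ALLOWED_HOSTS:
            continue
        if any(kw in host for kw in BRAND_KEYWORDS):
            found.append(f"brand keyword in non-allow-listed link host: {host}")
    return found


def triage(messages):
    """Map message name -> indicators, keeping only messages that have some."""
    result = {}
    for name, body in messages.items():
        indicators = lure_indicators(body)
        if indicators:
            result[name] = indicators
    return result


if __name__ == "__main__":
    for name, indicators in triage(ACH_LURES).items():
        print(name)
        for line in indicators:
            print("  -", line)
    print("benign control:", lure_indicators(BENIGN))
```

The keyword check is deliberately crude: it only asks whether a brand name appears in a host that is not on the allow-list, which is enough to catch both domains used here without needing a lookalike-distance library.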

That localhost address is weird too. Is that designed to get round spam filters that pass through mail coming from localhost? (FYI, that’s not my localhost, it’s a weird DNS entry.) Here’s what happens when you do a lookup on that address:

$ nslookup
> 113.165.16.70
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
70.16.165.113.in-addr.arpa	name = localhost.

The IP address appears to belong to VietNam Post and Telecom Corporation (VNPT). That host itself appears to be down. I’m guessing that’s a compromised broadband connection. I’ll try dropping them a mail anyway.
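The header reading done by hand above (earliest public hop in the Received: chain, X-Originating-IP from the webmail client, and the suspicious "from localhost (unknown [113.165.16.70])" hop with no reverse DNS) can be made mechanical. Here is an added Python example, my code rather than anything from this post, that does exactly that over two header blocks constructed from the sweepstakes mail and the second ACH mail quoted above. Recipient placeholders are kept as on the page, and the addresses the page redacts are replaced with redacted@example.invalid.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed samples built from the header blocks quoted in this post.
SWEEPSTAKES = """\
Received: from students.itb.ac.id (students.itb.ac.id [167.205.1.72])
    by XXXXXXXXX (Postfix) with ESMTP id 442A2E0108
    for <XXXXXXXXX>; Wed, 21 Sep 2011 12:26:23 +0100 (BST)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by students.itb.ac.id (Postfix) with ESMTP id C1F30B812C;
    Wed, 21 Sep 2011 18:22:45 +0700 (WIT)
Received: from students.itb.ac.id ([127.0.0.1])
    by localhost (students.itb.ac.id [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id V743lSHN8t0g; Wed, 21 Sep 2011 18:22:45 +0700 (WIT)
Received: from students.itb.ac.id (students.itb.ac.id [167.205.1.72])
    by students.itb.ac.id (Postfix) with ESMTP id E9614B813E;
    Wed, 21 Sep 2011 18:22:27 +0700 (WIT)
From: Sweepstakes Corporation <redacted@example.invalid>
Subject: LUCKY NUMBERS: 07-26-33-09-07-22 (88)
X-Originating-IP: [41.138.242.246]
X-Mailer: Zimbra 5.0.16_GA_2921.RHEL5_64 (zclient/5.0.16_GA_2921.RHEL5_64)

(body omitted)
"""

ACH = """\
Received: from localhost (unknown [113.165.16.70])
    by XXXXXX (Postfix) with ESMTP id D8258E0107
    for <XXXXXX>; Tue, 20 Sep 2011 09:28:30 +0100 (BST)
Received: from  (192.168.1.79) by multiform.at (113.165.16.70) with Microsoft
    SMTP Server id 8.0.685.24; Tue, 20 Sep 2011 14:53:30 +0630
From: redacted@example.invalid
Subject: Your ACH transaction

(body omitted)
"""

# "from <helo> ... by <server>"; the HELO may be empty, as in the multiform.at hop.
HOP_RE = re.compile(r"from\s+(?P<helo>[^\s(\[;]*)(?P<rest>.*?)\bby\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
LOOPBACK_HELO = {"", "localhost", "localhost.localdomain"}


def parse_hops(msg):
    """Return Received: hops in header order (newest relay first)."""
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ips = IP_RE.findall(m.group("rest"))
        hops.append({
            "helo": m.group("helo").lower(),
            "ip": ips[0] if ips else None,
            "by": m.group("by").rstrip(";,"),
            "no_rdns": "(unknown [" in flat,  # Postfix's marker for a missing PTR
        })
    return hops


def analyse(raw):
    """Summarise where a message entered the mail system and what looks off."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    flags = []
    for n, hop in enumerate(hops, 1):
        if hop["ip"] is None:
            continue
        addr = ip_address(hop["ip"])
        if hop["helo"] in LOOPBACK_HELO and not addr.is_loopback:
            flags.append(f"hop {n}: HELO {hop['helo'] or '<empty>'} from non-loopback {addr}")
        if hop["no_rdns"]:
            flags.append(f"hop {n}: no reverse DNS for {addr}")
    # Each relay prepends its Received: line, so the last one is the earliest hop;
    # the first public address walking backwards is the likely injection point.
    origin = next((h["ip"] for h in reversed(hops)
                   if h["ip"] and ip_address(h["ip"]).is_global), None)
    xoip = msg.get("X-Originating-IP")
    return {
        "origin": origin,
        "webmail_client": xoip.strip("[] ") if xoip else None,
        "flags": flags,
        "hops": hops,
    }


if __name__ == "__main__":
    for label, raw in (("sweepstakes", SWEEPSTAKES), ("ach", ACH)):
        print(label, analyse(raw))
```

Only the Received: line added by your own server can be trusted; anything below it was written by whoever relayed the mail, which is why the script reports the earliest public hop as a lead to follow up rather than as a proven source.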