{"id":71,"date":"2011-09-21T18:58:43","date_gmt":"2011-09-21T18:58:43","guid":{"rendered":"http:\/\/41j.com\/blog\/?p=71"},"modified":"2011-09-28T16:03:17","modified_gmt":"2011-09-28T16:03:17","slug":"tracking-spam","status":"publish","type":"post","link":"https:\/\/41j.com\/blog\/2011\/09\/tracking-spam\/","title":{"rendered":"Tracking Spam"},"content":{"rendered":"<p>I receive a lot of spam; most of it gets filtered, but some of it finds its way through. Here&#8217;s a spam message I received today:<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\nFrom rahman.nurhakim@students.itb.ac.id Wed Sep 21 12:26:23 2011\r\nReturn-Path: rahman.nurhakim@students.itb.ac.id\r\nX-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXXXXX\r\nX-Spam-Level: ***\r\nX-Spam-Status: No, score=3.7 required=5.0 tests=BAYES_50,KAM_LOTTO1,\r\nSPF_HELO_PASS,SPF_PASS,SUBJ_ALL_CAPS,US_DOLLARS_3 autolearn=no\r\nversion=3.2.5\r\nX-Original-To: XXXXXXXXX\r\nDelivered-To: XXXXXXXXX\r\nReceived: from students.itb.ac.id (students.itb.ac.id &#x5B;167.205.1.72])\r\nby XXXXXXXXX (Postfix) with ESMTP id 442A2E0108\r\nfor &lt;XXXXXXXXX&gt;; Wed, 21 Sep 2011 12:26:23 +0100 (BST)\r\nReceived: from localhost (localhost.localdomain &#x5B;127.0.0.1])\r\nby students.itb.ac.id (Postfix) with ESMTP id C1F30B812C;\r\nWed, 21 Sep 2011 18:22:45 +0700 (WIT)\r\nX-Virus-Scanned: amavisd-new at students.itb.ac.id\r\nReceived: from students.itb.ac.id (&#x5B;127.0.0.1])\r\nby localhost (students.itb.ac.id &#x5B;127.0.0.1]) (amavisd-new, port 10024)\r\nwith ESMTP id V743lSHN8t0g; Wed, 21 Sep 2011 18:22:45 +0700 (WIT)\r\nReceived: from students.itb.ac.id (students.itb.ac.id &#x5B;167.205.1.72])\r\nby students.itb.ac.id (Postfix) with ESMTP id E9614B813E;\r\nWed, 21 Sep 2011 18:22:27 +0700 (WIT)\r\nDate: Wed, 21 Sep 2011 18:22:27 +0700 (WIT)\r\nFrom: Sweepstakes Corporation &lt;rahman.nurhakim@students.itb.ac.id&gt;\r\nReply-To: &quot;Agent. Mr. 
Paul Chadwick&quot; &lt;agent.paulchadwick@gmail.com&gt;\r\nMessage-ID: &lt;680077070.38291316604157939.JavaMail.root@students.itb.ac.id&gt;\r\nSubject: LUCKY NUMBERS: 07-26-33-09-07-22 (88)\r\nMIME-Version: 1.0\r\nContent-Type: text\/plain; charset=utf-8\r\nContent-Transfer-Encoding: quoted-printable\r\nX-Originating-IP: &#x5B;41.138.242.246]\r\nX-Mailer: Zimbra 5.0.16_GA_2921.RHEL5_64 (zclient\/5.0.16_GA_2921.RHEL5_64)\r\nTo: undisclosed-recipients: ;\r\nX-UID: 80573\r\nStatus: O\r\nContent-Length: 1884\r\n\r\nDear Beneficiary,\r\n\r\nIt is our pleasure to inform you on our successfully organized Sweepstakes which was organized this year 2011 and we rolled out over US$ 725,989,087 for the yearly Anniversary Draws, which participants for the draws were randomly selected and drawn from a wide range of web hosts which we enjoy their patronage. NOTE: {TICKET NUMBERS: 234-807-395-8109 ,SERIAL\r\n+NUMBERS: MICROSOFT\/1276-009, LUCKY NUMBERS: 07-26-33-09-07-22 (88)\r\nYour email address have been selected in the MICROSOFT 2011 lottery promotion, you have a winning prize of \u00a3 9,000,000 ( Nine Million British Pounds) as one of the jackpot winner in this draw. Please be informed by this winning notification to file your claims immediately. Contact your referred agent with your verification information as required on the form below: \r\n\r\nAddress: 26 High Street Starbeck Harrogate North Yorkshire, England HG2 7HY\r\n \r\nReferred Agent : Mr . Paul Chadwick Tel: +44-702 409 4558 \r\nEmail: agent.paulchadwick@gmail.com \r\nName: .................................. \r\nCountry of Origin....................... \r\nPlace of Residence...................... \r\nOccupation.............................. \r\nSex\/Age................................. \r\nTelephone\/Fax........................... \r\nWinning Email ID........................ \r\n\r\nYou have Two (2) weeks from the date of this publication to claim your prize or you may forfeit your winnings. 
Thank you for being part of our commemorative our end of year draws.\r\nNOTE: DUE TO THE PRESENT ECONOMIC SITUATION IN THE WORLD AND FRAUDSTERS AS WELL, YOUR WINNING FUNDS WILL BE MADE READY TO YOUR HOME ACCOUNT BY THE ASSIGNED TRANSFERRING BANK WHICH HAVE BEEN GIVEN THE AUTHORITY BY MICROSOFT LOTTERY TO EFFECT TRANSFER TO WINNERS HOME BANK ACCOUNT UNDER 48 HOURS. Mr. Kassandra Dickerson Public Relations Officer \u00a9 2011 Microsoft Sweepstakes Corporation\r\n<\/pre>\n<p>students.itb.ac.id appears to be a student webmail server for an Indonesian university. I ran a quick nmap scan of the server:<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\n$ nmap students.itb.ac.id\r\n\r\nStarting Nmap 4.62 ( http:\/\/nmap.org ) at 2011-09-21 15:47 BST\r\nInteresting ports on students.itb.ac.id (167.205.1.72):\r\nNot shown: 1675 filtered ports\r\nPORT STATE SERVICE\r\n22\/tcp open ssh\r\n25\/tcp open smtp\r\n60\/tcp open unknown\r\n79\/tcp open finger\r\n80\/tcp open http\r\n81\/tcp open hosts2-ns\r\n137\/tcp open netbios-ns\r\n143\/tcp open imap\r\n336\/tcp open unknown\r\n338\/tcp open unknown\r\n443\/tcp closed https\r\n487\/tcp open saft\r\n497\/tcp open retrospect\r\n501\/tcp open stmf\r\n551\/tcp open cybercash\r\n554\/tcp closed rtsp\r\n568\/tcp open ms-shuttle\r\n606\/tcp open urm\r\n674\/tcp open acap\r\n718\/tcp open unknown\r\n775\/tcp open entomb\r\n778\/tcp open unknown\r\n812\/tcp open unknown\r\n877\/tcp open unknown\r\n887\/tcp open unknown\r\n899\/tcp open unknown\r\n974\/tcp open unknown\r\n993\/tcp open imaps\r\n1017\/tcp open unknown\r\n1350\/tcp open editbench\r\n1401\/tcp open goldleaf-licman\r\n1529\/tcp open support\r\n1536\/tcp open ampr-inter\r\n1984\/tcp open bigbrother\r\n2004\/tcp open mailbox\r\n2047\/tcp open dls\r\n2628\/tcp open dict\r\n3001\/tcp open nessus\r\n3372\/tcp open msdtc\r\n5060\/tcp open sip\r\n<\/pre>\n<p>That&#8217;s a lot of open ports!!!!!!!<\/p>\n<p>The strange thing is, if I run it again, I get a different set of 
open ports!<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\nnmap students.itb.ac.id\r\n\r\nStarting Nmap 4.62 ( http:\/\/nmap.org ) at 2011-09-21 16:12 BST\r\nInteresting ports on students.itb.ac.id (167.205.1.72):\r\nNot shown: 1689 filtered ports\r\nPORT STATE SERVICE\r\n22\/tcp open ssh\r\n25\/tcp open smtp\r\n51\/tcp open la-maint\r\n80\/tcp open http\r\n81\/tcp open hosts2-ns\r\n110\/tcp open pop3\r\n143\/tcp open imap\r\n187\/tcp open aci\r\n207\/tcp open at-7\r\n327\/tcp open unknown\r\n443\/tcp closed https\r\n446\/tcp open ddm-rdb\r\n554\/tcp closed rtsp\r\n625\/tcp open apple-xsrvr-admin\r\n695\/tcp open unknown\r\n850\/tcp open unknown\r\n876\/tcp open unknown\r\n993\/tcp open imaps\r\n1030\/tcp open iad1\r\n1477\/tcp open ms-sna-server\r\n1545\/tcp open vistium-share\r\n3268\/tcp open globalcatLDAP\r\n4045\/tcp open lockd\r\n6103\/tcp open RETS-or-BackupExec\r\n6547\/tcp open powerchuteplus\r\n18000\/tcp open biimenu\r\n<\/pre>\n<p>I guess &#8220;something&#8221; is confusing nmap. I tried using a TCP connect scan, rather than a SYN scan:<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\nnmap -sT students.itb.ac.id\r\n\r\nStarting Nmap 4.62 ( http:\/\/nmap.org ) at 2011-09-21 16:16 BST\r\nInteresting ports on students.itb.ac.id (167.205.1.72):\r\nNot shown: 1706 filtered ports\r\nPORT    STATE  SERVICE\r\n22\/tcp  open   ssh\r\n25\/tcp  open   smtp\r\n80\/tcp  open   http\r\n81\/tcp  open   hosts2-ns\r\n110\/tcp open   pop3\r\n143\/tcp open   imap\r\n443\/tcp closed https\r\n554\/tcp closed rtsp\r\n993\/tcp open   imaps\r\nNmap done: 1 IP address (1 host up) scanned in 73.519 seconds\r\n<\/pre>\n<p>That looks more sensible! And when I try the ports, those are actually open.<\/p>\n<p>A scan with http:\/\/www.checkor.com\/ shows that it&#8217;s not running as an open relay. 
That and the headers suggest that the mail is originating on this server, either through a compromised Zimbra account (it&#8217;s running a Zimbra server) or a compromised server. The server lists an admin email, so I&#8217;ll drop them a mail. But I doubt I&#8217;ll get a response&#8230; I wonder where I can take the investigation from here?<\/p>\n<p>Interestingly, I looked at another spam message. It also came from a student mail server. This time it looks like PHPMailer (the Received header shows the message was handed to Exim locally by the apache user, i.e. from a web application on the server). Is this the current popular vector for sending spam? Compromised webmail accounts?<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\nFrom regalinginl80@spcollege.edu  Wed Sep 21 13:07:17 2011\r\nReturn-Path: regalinginl80@spcollege.edu\r\nX-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXX\r\nX-Spam-Level:\r\nX-Spam-Status: No, score=-0.0 required=5.0 tests=BAYES_00,HTML_IMAGE_ONLY_12,\r\n        HTML_MESSAGE,RDNS_NONE,SPF_PASS autolearn=no version=3.2.5\r\nX-Original-To: XXXXXX\r\nDelivered-To: XXXXXX\r\nReceived: from &#x5B;41.225.54.189] (unknown &#x5B;41.225.54.189])\r\n        by XXXXXXX (Postfix) with ESMTP id 1702EE0107\r\n        for &lt;XXXXXX&gt;; Wed, 21 Sep 2011 13:06:17 +0100 (BST)\r\nReceived: from apache by spcollege.edu with local (Exim 4.63)\r\n        (envelope-from &lt;regalinginl80@spcollege.edu&gt;)\r\n        id ZXDS83-H1HPZD-JI\r\nfor &lt;XXXXXX&gt;; Wed, 21 Sep 2011 13:06:17 +0100\r\n\r\nTo: XXXXXXX\r\nSubject: ACH payment rejected\r\nDate: Wed, 21 Sep 2011 13:06:17 +0100\r\nFrom: alerts@nacha.org\r\nMessage-ID: &lt;FD310F91C9E4762E4B5852F3F44D00DB@mdbheeowbjmaovaemaouxj.spcollege.edu&gt;\r\nX-Priority: 3\r\nX-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)\r\nMIME-Version: 1.0\r\nContent-Type: multipart\/alternative;\r\nboundary=&quot;------------07050100901020407070209&quot;\r\nX-UID: 80574\r\nStatus: RO\r\nContent-Length: 2044\r\nContent-Transfer-Encoding: 7bit\r\nContent-Type: text\/plain; charset=&quot;iso-8859-1&quot;\r\n\r\nThe ACH  
transaction (ID: 4152103091357), recently initiated from your  checking account (by you or any other person), was canceled\r\nby the  other financial institution.\r\n\r\nRejected transaction\r\nTransaction ID: 4152103091357\r\nReason for rejection  See details in the report below\r\n                                                                                                                                     \r\nTransaction Report\r\nreport_4152103091357.pdf.exe (self-extracting archive, Adobe PDF)\r\nPlease click here to download report:\r\nhttp:\/\/nachausers-instructions.com\r\n------------                                                                                                                         \r\n13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100\r\n2011 NACHA - The Electronic Payments Association\r\n<\/pre>\n<p>I receive a lot of those ACH mails. Here&#8217;s another:<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\nFrom hookahspr7@multiform.at  Tue Sep 20 09:28:31 2011                                                                               \r\nReturn-Path: hookahspr7@multiform.at                                                                                                 \r\nX-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXXX                                                             \r\nX-Spam-Level: ****                                                                                                                   \r\nX-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_00,HELO_LOCALHOST,                                                             \r\n        HTML_IMAGE_ONLY_12,HTML_MESSAGE,RCVD_IN_SORBS_DUL,RDNS_NONE,SPF_PASS                                                         \r\n        autolearn=no version=3.2.5                                                                                                   \r\nX-Original-To: XXXXXXX                              
                                                                       \r\nDelivered-To: XXXXXX                                                                                                      \r\nReceived: from localhost (unknown &#x5B;113.165.16.70])                                                                                   \r\n        by XXXXXX (Postfix) with ESMTP id D8258E0107                                                                          \r\n        for &lt;XXXXXX&gt;; Tue, 20 Sep 2011 09:28:30 +0100 (BST)                                                               \r\nReceived: from  (192.168.1.79) by multiform.at (113.165.16.70) with Microsoft \r\nSMTP Server id 8.0.685.24; Tue, 20 Sep 2011 14:53:30           +0630                                                                                                                        \r\nMessage-ID: &lt;4E784E71.801080@multiform.at&gt;\r\nDate: Tue, 20 Sep 2011 14:53:30 +0630\r\nFrom: risk_manager@nacha.org\r\nUser-Agent: Mozilla\/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko\/20101112 Thunderbird\/3.1.4\r\nMIME-Version: 1.0\r\nTo: XXXXXX\r\nSubject: Your ACH transaction\r\nContent-Type: multipart\/alternative;\r\n        boundary=&quot;------------08080600905030507030903&quot;\r\nX-UID: 80441\r\nStatus: RO\r\nContent-Length: 2038\r\nContent-Type: text\/plain; charset=UTF-8; format=flowed\r\nContent-Transfer-Encoding: 7bit\r\n\r\nThe ACH  transaction (ID: 97908134103271), recently initiated from your bank account (by you or any other person), was  rejected by  +the  Electronic Payments Association.\r\n\r\nCanceled transfer\r\nTransaction ID: 97908134103271\r\n\r\nReason of rejection  See details in the report below\r\n\r\nTransaction Report\r\nreport_97908134103271.pdf.exe (self-extracting archive, Adobe PDF) Please click here to download report:\r\n\r\nhttp:\/\/nacha-industry.com\r\n\r\n------------                                                                             
                                            13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100\r\n2011 NACHA - The Electronic Payments Association\r\n<\/pre>\n<p>That localhost address is weird too. Is that designed to get round spam filters that let through mail coming from localhost? (FYI, that&#8217;s not my localhost; it&#8217;s a weird reverse DNS entry.) Here&#8217;s what happens when you do a reverse lookup on that address:<\/p>\n<pre class=\"brush: xml; title: ; notranslate\" title=\"\">\r\nnslookup\r\n&gt; 113.165.16.70\r\nServer:\t\t192.168.1.1\r\nAddress:\t192.168.1.1#53\r\n\r\nNon-authoritative answer:\r\n70.16.165.113.in-addr.arpa\tname = localhost.\r\n<\/pre>\n<p>The IP address appears to belong to VietNam Post and Telecom Corporation (VNPT). That host itself appears to be down. I&#8217;m guessing that&#8217;s a compromised broadband connection. I&#8217;ll try dropping them a mail anyway.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I receive a lot of spam; most of it gets filtered, but some of it finds its way through. 
Here&#8217;s a spam message I received today: From rahman.nurhakim@students.itb.ac.id Wed Sep 21 12:26:23 2011 Return-Path: rahman.nurhakim@students.itb.ac.id X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on XXXXXXXXX X-Spam-Level: *** X-Spam-Status: No, score=3.7 required=5.0 tests=BAYES_50,KAM_LOTTO1, SPF_HELO_PASS,SPF_PASS,SUBJ_ALL_CAPS,US_DOLLARS_3 autolearn=no version=3.2.5 X-Original-To: XXXXXXXXX Delivered-To: XXXXXXXXX [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-71","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1RRoU-19","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/71","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/comments?post=71"}],"version-history":[{"count":21,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/71\/revisions"}],"predecessor-version":[{
"id":205,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/posts\/71\/revisions\/205"}],"wp:attachment":[{"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/media?parent=71"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/categories?post=71"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/41j.com\/blog\/wp-json\/wp\/v2\/tags?post=71"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}