Discussion:
new kind of spam (apparently from mailer daemon)
Lucio Chiappetti
2010-04-26 08:27:01 UTC
I have just found a new kind of spam which went through our spamassassin
(actually it got a "banned" notification - we quarantine spam and virus
but let banned be delivered).

The subject was "Delivery reports about your e-mail", the apparent
originator was From: "MAILER-DAEMON" <***@ourdomain>, the body was
empty and there was a single attachment "transcript.zip".

There are only two Received lines in the header as seen on my destination
machine (I've edited out the local details):

Received: from our_mx by my_machine for my_address
Received: from ourdomain (localhost [113.167.75.53] (may be forged)by our_mx

So it looks like the spammer connected directly to our mx (one of two),
faking its name as our domain.

To users it seems a strange mailer daemon message, since our mx are linux
boxes and do not send zipped reports. So it is obvious spam.

My question is: is it OK to feed it into the sa-learn crontab we use for
spam which escapes spamassassin, or will the way it is forged cause
problems (e.g. filtering legitimate mailer daemon reports)?
--
------------------------------------------------------------------------
Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
------------------------------------------------------------------------
Citizens entrusted of public functions have the duty to accomplish them
with discipline and honour
[Art. 54 Constitution of the Italian Republic]
------------------------------------------------------------------------
For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html
------------------------------------------------------------------------
Aaron Wolfe
2010-04-26 08:41:21 UTC
On Mon, Apr 26, 2010 at 4:27 AM, Lucio Chiappetti
Post by Lucio Chiappetti
I have just found a new kind of spam which went through our spamassassin
(actually it got a "banned" notification - we quarantine spam and virus but
let banned be delivered).
The subject was "Delivery reports about your e-mail", the apparent
and there was a single attachment "transcript.zip".
There are only two Received lines in the header as seen on my destination
Received: from our_mx by my_machine for my_address
Received: from ourdomain (localhost [113.167.75.53] (may be forged)by our_mx
So it looks like the spammer connected directly to our mx (one of two),
faking its name as our domain.
FWIW, outright blocking mail from hosts that use our domain name (or
even the ip address of one of our MXes) as their HELO has proven to be
a safe and efficient way to block some amount of junk. Not too many
spammers try this, but when they do it makes things simple.
Post by Lucio Chiappetti
To users it seems a strange mailer daemon message, since our mx are linux
boxes and do not send zipped reports. So it is obvious spam.
My question is: is it OK to feed it into the sa-learn crontab we use for
spam which escapes spamassassin, or will the way it is forged cause problems
(e.g. filtering legitimate mailer daemon reports)?
BILLY/NICER
2010-04-26 08:42:47 UTC
Dear Sir / Madam,

I don't know what's happening about the spam; I am just asking you to remove me
from the block list, because I can't send email to my customer.

Please help and settle the problem.

Thanks & Best Regards,

Billy Lau
Direct Line:(852) 3969 0684 / Cell Phone:(852) 9220 1286
Email: ***@fashionable.com.hk

Nicer Fashion Ltd.
Tel:(852) 3969 0688
FAX:(852) 2361 9964
URL: www.fashionable.com.hk
9/F, Full View Factory Building,
50-52, Tong Mi Road, Mong Kok,
Kowloon, Hong Kong.

----- Original Message -----
From: "Lucio Chiappetti" <***@lambrate.inaf.it>
To: "Spamassassin list" <***@spamassassin.apache.org>
Sent: Monday, April 26, 2010 4:27 PM
Subject: new kind of spam (apparently from mailer daemon)
Post by Lucio Chiappetti
I have just found a new kind of spam which went through our spamassassin
(actually it got a "banned" notification - we quarantine spam and virus but
let banned be delivered).
The subject was "Delivery reports about your e-mail", the apparent
empty and there was a single attachment "transcript.zip".
There are only two Received lines in the header as seen on my destination
Received: from our_mx by my_machine for my_address
Received: from ourdomain (localhost [113.167.75.53] (may be forged)by our_mx
So it looks like the spammer connected directly to our mx (one of two),
faking its name as our domain.
To users it seems a strange mailer daemon message, since our mx are linux
boxes and do not send zipped reports. So it is obvious spam.
My question is: is it OK to feed it into the sa-learn crontab we use for
spam which escapes spamassassin, or will the way it is forged cause
problems (e.g. filtering legitimate mailer daemon reports)?
John Hardin
2010-04-26 13:15:23 UTC
Post by Lucio Chiappetti
My question is: is it OK to feed it into the sa-learn crontab we use
for spam which escapes spamassassin, or will the way it is forged cause
problems (e.g. filtering legitimate mailer daemon reports)?
If that worries you, then train some legitimate mailer daemon
notifications as ham so that it will learn the difference.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
***@impsec.org FALaholic #11174 pgpk -a ***@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
I would buy a Mac today if I was not working at Microsoft.
-- James Allchin, Microsoft VP of Platforms
-----------------------------------------------------------------------
12 days since a sunspot last seen - EPA blames CO2 emissions
Joseph Brennan
2010-04-26 14:12:59 UTC
Post by Lucio Chiappetti
The subject was "Delivery reports about your e-mail", the apparent
empty and there was a single attachment "transcript.zip".
Here, yesterday, 93 of 102 came from hosts in Spamhaus Zen and were
rejected for that reason.

3 more bounced because envelope sender was mailer-***@columbia.edu
instead of <>. That's a useful local rule.


That doesn't leave many left to analyze, but it's enough to report
variations in the attachment:

transcript.scr in transcript.zip
letter.doc .scr in letter.zip
file.pif in file.zip
mail.scr in mail.zip

Very old-school, using pif and scr file extensions and the name with
a lot of spaces in it (actually more spaces than I show here). We
started refusing mail with pif and scr files ages ago. It's almost
like a very old virus that got reactivated somehow. How many email
viruses do you even see these days?

Did antivirus provide a name for this thing?



Joseph Brennan
Columbia University Information Technology
Lucio Chiappetti
2010-04-27 10:03:24 UTC
Post by Joseph Brennan
Post by Lucio Chiappetti
empty and there was a single attachment "transcript.zip".
Very old-school, using pif and scr file extensions and the name with
a lot of spaces in it (actually more spaces than I show here).
After posting, I found that a few others passed through, and a few were
blocked, all coming from 113.167.75.53, which curiously responds to a
reverse DNS query as "localhost", and is in an IP range in Vietnam.
Post by Joseph Brennan
It's almost like a very old virus that got reactivated somehow. How many
email viruses do you even see these days? Did antivirus provide a name
for this thing?
We are currently running with antivirus disabled, because the most recent
clamav is incompatible with our OS version and we cannot upgrade soon.
But looking around, I suspect it could be ***@mm.
--
------------------------------------------------------------------------
Lucio Chiappetti - INAF/IASF - via Bassini 15 - I-20133 Milano (Italy)
For more info : http://www.iasf-milano.inaf.it/~lucio/personal.html
------------------------------------------------------------------------
John Hardin
2010-04-27 13:15:07 UTC
Post by Lucio Chiappetti
Post by Joseph Brennan
Post by Lucio Chiappetti
empty and there was a single attachment "transcript.zip".
Very old-school, using pif and scr file extensions and the name with
a lot of spaces in it (actually more spaces than I show here).
After posting, I found that a few others passed through, and a few were
blocked, all coming from 113.167.75.53, which curiously responds to a reverse
DNS query as "localhost", and is in an IP range in Vietnam.
That's apparently pretty common for sites in VN.

That by itself should have gotten 3.7 points. Is RDNS_LOCALHOST in your
base rules? If not, you might want to run sa-update.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
***@impsec.org FALaholic #11174 pgpk -a ***@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The one political issue that strips all politicians bare is
individual gun rights.
-----------------------------------------------------------------------
13 days since a sunspot last seen - EPA blames CO2 emissions
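The checks proposed across this thread, pulled together in one added example (this is not code from the thread or from SpamAssassin itself): Aaron Wolfe's rule against a HELO that names our own domain or MX address, Joseph Brennan's rule that a real bounce carries the null envelope sender <>, his observation of space-padded .scr/.pif names hidden inside .zip attachments, and the "localhost" reverse DNS signal behind RDNS_LOCALHOST. The local domain, the MX addresses and the sample message are all constructed; the zip in the sample holds a text placeholder, not an executable.

```python
"""Added example (not SpamAssassin code): list the thread's signals for one
message.  Domain, addresses and the sample message are constructed."""
import io
import ipaddress
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OUR_DOMAIN = "example.org"                  # assumed local domain
OUR_MX_IPS = {"192.0.2.10", "192.0.2.11"}   # assumed addresses of our MXes
RISKY_EXTENSIONS = (".scr", ".pif")         # the extensions seen in the thread
BOUNCE_HINT = re.compile(r"mailer-daemon|delivery report", re.I)
# Sendmail-style hop: "from HELO (rdns [ip] (may be forged)) by ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]")


def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip.removeprefix("IPv6:")).is_loopback
    except ValueError:
        return False


def check_received(received_headers):
    """Forged-HELO rule plus the localhost-rDNS signal, one hop at a time."""
    findings = []
    for value in received_headers:
        m = RECEIVED_RE.search(str(value))
        if not m or m["ip"] in OUR_MX_IPS:
            continue                        # unparsable, or an internal hop
        helo = m["helo"].strip("[]").lower()
        if helo == OUR_DOMAIN or helo in OUR_MX_IPS:
            findings.append("FORGED_HELO_OUR_DOMAIN")
        if m["rdns"].lower() == "localhost" and not is_loopback(m["ip"]):
            findings.append("RDNS_LOCALHOST")
    return findings


def check_envelope(msg):
    """A genuine bounce has the null envelope sender <> (here: Return-Path)."""
    looks_like_bounce = (BOUNCE_HINT.search(str(msg.get("Subject", "")))
                         or BOUNCE_HINT.search(str(msg.get("From", ""))))
    return_path = str(msg.get("Return-Path", "")).strip()
    if looks_like_bounce and return_path not in ("", "<>"):
        return ["BOUNCE_WITH_NON_NULL_SENDER"]
    return []


def suspicious_name(filename):
    """Drop the space padding ('letter.doc      .scr') before checking."""
    return re.sub(r"\s+", "", filename).lower().endswith(RISKY_EXTENSIONS)


def check_attachments(msg):
    """Flag risky names directly and inside anything that is really a zip."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if suspicious_name(name):
            findings.append("RISKY_ATTACHMENT:" + name)
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):       # zip magic, whatever the name says
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    members = zf.namelist()
            except zipfile.BadZipFile:
                findings.append("UNREADABLE_ZIP:" + name)
                continue
            findings += ["RISKY_IN_ZIP:" + re.sub(r"\s+", " ", n)
                         for n in members if suspicious_name(n)]
    return findings


def analyze(raw_bytes):
    """All findings for one raw RFC 5322 message, in header-then-body order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    return (check_received(msg.get_all("Received", []))
            + check_envelope(msg) + check_attachments(msg))


def build_sample(forged=True):
    """Constructed message shaped like the thread's; forged=False is a
    plausible real bounce for comparison.  The zip holds text, not code."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("transcript                .scr", b"placeholder text")
    msg = EmailMessage(policy=policy.default)
    msg["Return-Path"] = "<sender@example.net>" if forged else "<>"
    msg["Received"] = "from mx1.example.org by ws.example.org for user@example.org"
    msg["Received"] = (
        "from example.org (localhost [198.51.100.7] (may be forged)) by mx1.example.org"
        if forged else
        "from mail.example.net (mail.example.net [203.0.113.5]) by mx1.example.org")
    msg["From"] = "MAILER-DAEMON <MAILER-DAEMON@example.org>"
    msg["Subject"] = "Delivery reports about your e-mail"
    msg.set_content("")
    if forged:
        msg.add_attachment(zip_buf.getvalue(), maintype="application",
                           subtype="zip", filename="transcript.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(analyze(build_sample()))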
John Hardin
2010-04-27 13:25:10 UTC
Post by John Hardin
Post by Lucio Chiappetti
Post by Joseph Brennan
Post by Lucio Chiappetti
empty and there was a single attachment "transcript.zip".
Very old-school, using pif and scr file extensions and the name with
a lot of spaces in it (actually more spaces than I show here).
After posting, I found that a few others passed through, and a few were
blocked, all coming from 113.167.75.53, which curiously responds to a
reverse DNS query as "localhost", and is in an IP range in Vietnam.
That's apparently pretty common for sites in VN.
That by itself should have gotten 3.7 points. Is RDNS_LOCALHOST in your
base rules? If not, you might want to run sa-update.
Whoops. 3.7 points in scoreset zero, but only 0.1 in scoreset 3. Bummer.

You might want to explicitly set the score for RDNS_LOCALHOST higher.