CNN Spammer is back : Eludes SpamCop

showker · September 19, 2013

Posting here FYI -- I know nothing can be done.

We're tracking spam from a Russian Drug Cartel hitting us with a new spam about every 6 to 8 minutes, all different domains of compromised victims machines.

This group spammed more than 8,000 emails in the spring of 2012 and then disappeared until now. They set up a page that looks like CNN or FOX News, but all the live links go to a body "enhancement" page. At least TWO of the arrival domains used are analyzed as purveying drive-by malware exploits, according to http://urlquery.net/index.php . Money trail leads to the Russian Federation

This time, however, they've configured their headers to elude SpamCop.

This new wave has ...

No date

No sender

No subject line

Every single one of more than 100 spams received since 8 PM yesterday has been untrackable and unreportable by SpamCop because of misconfigured headers.

We can track, and Knujon is able to track.

I have complete files and screens if anyone else is interested.

gare · September 19, 2013

Posting here FYI -- I know nothing can be done.

...

I have complete files and screens if anyone else is interested.

WOW!

Thank you for the info. How can we receive the files to look at them? Not that I will understand them, but it sounds interesting to look at.

Can blocking be pursued based on the host of the website that is referenced?

turetzsr · September 19, 2013

...If I understand correctly how it works, that shouldn't matter to the SpamCop parser, showker, provided your accepting e-mail server is adding the correct "Received" header.

petzl · September 20, 2013

Every single one of more than 100 spams received since 8 PM yesterday has been untrackable and unreportable by SpamCop because of misconfigured headers.

We can track, and Knujon is able to track.

I have complete files and screens if anyone else is interested.

Sounds like Botnet spam?

At least one spamCop tracking link would help see whats happing

showker · September 27, 2013

I really wish I could get some help.

This is very frustrating because there are now more than 1,600 since Sunday.

The Botnet has infected innocent web sites.

Each web site becomes a "landing" site for victims.

Each web site owner should be warned and alerted to remove the botnet page.

but Spamcop will not.

Spamcop's response is "No header information -- no reports sent"

We know who is sending the spam. We know where the criminals are.

We cannot stop the barrage.

1,600 innocent infected sites, and a new one every 6 minutes.

What can we do to alert all those owners?

I've send 93 complaints to the ISP and the Host for the offending spambot site. they have ignored it.

I've reported the host and the offending owner to ICANN . . . they refuse reports.

We're watching the house burn down, hearing the children's screams . . .

but nobody does anything but watch.

Here's what Spamcop says :

No blank line delineating headers from body - abort

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5571465233z4...4bf970e4fce124z

No source IP address found, cannot proceed.

Add/edit your mailhost configuration

Finding full email headers

Submitting spam via email (may work better)

Example: What spam headers should look like

No body text provided, check format of submission. spam must have body text.

-------------------------------------

Here's what Spamcop saw:

Return-Path: <earthenwareboar[at]bloomberg.com>

Delivered-To: spamcop-net-showker[at]spamcop.net

Received: (qmail 5712 invoked from network); 27 Sep 2013 01:44:43 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8

X-spam-Level: ********

X-spam-Status: hits=8.4 tests=MISSING_DATE,MISSING_HB_SEP,MISSING_HEADERS,

MISSING_MID,MISSING_SUBJECT,RDNS_NONE,TVD_SPACE_RATIO version=3.2.4

Received: from unknown (192.168.1.107)

by filter8.cesmail.net with QMQP; 27 Sep 2013 01:44:43 -0000

Received: from unknown (HELO reseption) (188.244.139.6)

by mx70.cesmail.net with SMTP; 27 Sep 2013 01:44:47 -0000

Received: (from root[at]localhost) by mail4.bloomberg.com (8.11.3/8.11.3)

id k0V1OhN14404; Fri, 27 Sep 2013 01:44:47 -1000 (PDT envelope-from root)

Date: Fri, 27 Sep 2013 01:21:21 -1000

Message-Id: <37280056442695.bZsNTlICQX[at]lung>

X-Mailer: phpmailer [version 1.41]

X-BeenThere: thug[at]mailman.bloomberg.com

X-Kaspersky: Checking

Content-Type: text/plain;

charset="us-ascii"

Content-Transfer-Encoding: 7bit

To: <showker[at]spamcop.net>

Cc: <edamron[at]spamcop.net>

From: "Get BIGGER with Promo" <earthenwareboar[at]bloomberg.com>

Subject: Enhance your organ with organic wonder drugs

Life was better when i was younger, and with this secret potion, life seems young again.

http://beautifulbandung.com/sarsparillaaqueduct/

The spam works for the reader, and the spam is successful for the spammer.

However, because it is misconfigured, Spamcop doesn't "see" it. Cannot report it.

The sender is irrelevant ... we know who is sending it, but their provider

doesn't do anything.

The innocent by-stander site is irrelevant -- they have been compromised,

and they do not know the spamvertised page is on their site. The links on the

spamvertised site redirect to the cybercrime site. They've changed those

domains four times since the barrage started.

I've reported those more than 60 times with no success.

Evidently they know they're being reported and taken down -- so switch domains.

There should be something we can do.

I've spent hours and hours and hours on this and haven't made a dent -- trying to report them, and alert their site owners. I'm going to have to give up.

:-(

...If I understand correctly how it works, that shouldn't matter to the SpamCop parser, showker, provided your accepting e-mail server is adding the correct "Received" header.

Spamcop is my accepting email server.

turetzsr · September 27, 2013

Hi, showker,

...Appreciate your willingness to try to do something but sometimes there's nothing the willing "good Samaritan" can do. Even if SpamCop could send reports, those are unlikely to be any more effective than those you've sent. Probably the best you can do that you have not mentioned trying is to complain to "upstream" providers, if you can find them.

<snip>
To: <showker[at]spamcop.net>

Cc: <edamron[at]spamcop.net>

From: "Get BIGGER with Promo" <earthenwareboar[at]bloomberg.com>

Subject: Enhance your organ with organic wonder drugs

Life was better when i was younger, and with this secret potion, life seems young again.

http://beautifulbandung.com/sarsparillaaqueduct/

<snip>

...SpamCop doesn't provide an e-mail service -- I presume you are talking about the (misnamed) "SpamCop e-mail service" provided by CES.

...You have an e-mail client that was able to display this e-mail? It is malformed -- standard e-mail specs require that there be a blank line between the last header line ("Subject: Enhance your organ with organic wonder drugs") and the first line of the body ("Life was better when i was younger, and with this secret potion, life seems young again.").

showker · September 27, 2013

For the past two hours I've been contacting the victim web sites.

about 50% of them are Wordpress blogs and the arrrival page says "Hello World"

:-(

standard e-mail specs require that there be a blank line between the last header line

okay . . . I'll try that

For the past two hours I've been contacting the victim web sites.

about 50% of them are Wordpress blogs and the arrrival page says "Hello World"

:-(

okay . . . I'll try that

Wow ... that worked.

Maybe I can re-database the mbox file to put that space in and pump back through spam cop to get reports.

Will have to change all the dates over 24 hours.

The victim sites are still there. Even after several days.

turetzsr · September 27, 2013

...Ah, good work! Please just be sure that you don't actually proceed all the way through to allowing SpamCop to send the reports -- that violates the rules -- see SpamCop FAQ articles labeled "-----> Material changes to spam," "-------> Material changes to spam - Updated!" and "-----> What if I break the rule(s)?" You can use the parser to find the abuse addresses to send your own reports but then cancel the parses!

petzl · September 27, 2013

For the past two hours I've been contacting the victim web sites.

about 50% of them are Wordpress blogs and the arrrival page says "Hello World"

:-(

okay . . . I'll try that

Wow ... that worked.

Maybe I can re-database the mbox file to put that space in and pump back through spam cop to get reports.

Will have to change all the dates over 24 hours.

The victim sites are still there. Even after several days.

There is

NO TEXT IN spam BODY

http://www.spamcop.net/sc?id=z5571549043z2...0437ddbb2b2a50z

Works by pasting in headers. under headers push ENTER twice

Then past

NO TEXT IN spam BODY

then parse

Gives

Re: 188.244.139.6 (Administrator of network where email originates)

To: abuse[at]ttk.ru (Notes)

To: info[at]cert.ru (Notes)

BOTNET spam

in notes put

BOTNET

http://cbl.abuseat.org/lookup.cgi?ip=188.244.139.6

BLOCK OUTBOUND PORT 22 (ONLY EMAIL SERVERS SHOULD SEND EMAIL)

CHANGE AND REPLACE PASSWORDS TO SECURE PASSWORD

SCAN FOR MALWARE

if you have Grey listing on you should not be even getting this trash?

showker · October 20, 2013

...You have an e-mail client that was able to display this e-mail? It is malformed -- standard e-mail specs require that there be a blank line between the last header line ("Subject: Enhance your organ with organic wonder drugs") and the first line of the body ("Life was better when i was younger, and with this secret potion, life seems young again.").

THat worked for that specific error . . . however, since my last posting, another 4,000 have come in, and now they have changed and are mixed with "broken" headers -- as you've noted above -- and these style sheet nightmares . . . . note this one is also an error -- SpamCop sez "Unable to parse headers"

and the "Subject" you mention above is up in the header . . .

<pre>

Return-Path: <verdehedgehog[at]lycos.com>

Delivered-To: spamcop-net-showker[at]spamcop.net

Received: (qmail 14802 invoked from network); 20 Oct 2013 13:39:24 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter8

X-spam-Level: ********

X-spam-Status: hits=8.4 tests=MISSING_DATE,MISSING_HB_SEP,MISSING_HEADERS,

MISSING_MID,MISSING_SUBJECT,RDNS_NONE,TVD_SPACE_RATIO version=3.2.4

Received: from unknown (192.168.1.108)

by filter8.cesmail.net with QMQP; 20 Oct 2013 13:39:24 -0000

Received: from unknown (HELO computer-870d71) (136.169.138.107)

by mx71.cesmail.net with SMTP; 20 Oct 2013 13:39:28 -0000

Received: (qmail 9697 by uid 829); Sun, 20 Oct 2013 13:39:28 -0600

From: "Penis Growth Free trial" <verdehedgehog[at]lycos.com>

To: <neko[at]spamcop.net>,

<showker[at]spamcop.net>

Subject: Saucy young college hotties

Date: Sun, 20 Oct 2013 13:14:06 -0600

Message-ID: <004a01cecdcc$171eccc0$455c6640$[at]com>

MIME-Version: 1.0

Content-Type: multipart/alternative;

boundary="----=_NextPart_000_0048_01CECDCC.171ECCC0"

X-Mailer: Microsoft Office Outlook 12.0

Thread-Index: AcjmaDJmle6V3cwnmjOCWyoc7ciTkQ=Content-Language: en-us

This is a multipart message in MIME format.

------=_NextPart_000_0048_01CECDCC.171ECCC0

Content-Type: text/plain;

charset="us-ascii"

Content-Transfer-Encoding: 7bit

Butts that look awesome

http://manas-vis.com/playfuldoorkeeper/

------=_NextPart_000_0048_01CECDCC.171ECCC0

Content-Type: text/html;

charset="us-ascii"

Content-Transfer-Encoding: quoted-printable

<head>

<style>

<!--

/* Font Definitions */

[at]font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4;}

[at]font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;}

/* Style Definitions */

p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0in; margin-bottom:.0001pt; font-size:11.0pt; font-family:"Calibri","sans-serif";}

a:link, span.MsoHyperlink {mso-style-priority:99; color:blue; text-decoration:underline;}

a:visited, span.MsoHyperlinkFollowed {mso-style-priority:99; color:purple; text-decoration:underline;}

span.EmailStyle17 {mso-style-type:personal-compose; font-family:"Calibri","sans-serif"; color:windowtext;}

.MsoChpDefault {mso-style-type:export-only;}

[at]page Section1 {size:8.5in 11.0in; margin:1.0in 1.0in 1.0in 1.0in;}

div.Section1 {page:Section1;}

-->

</style>

<!--[if gte mso 9]><xml>

<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" ></o:shapedefaults>

</xml><![endif]--><!--[if gte mso 9]><xml>

<o:shapelayout v:ext=3D"edit">

<o:idmap v:ext=3D"edit" data=3D"1" ></o:idmap>

</o:shapelayout></xml><![endif]-->

</head>

<p class=3DMsoNormal><o:p>Butts that look awesome</o:p></p>

<p class=3DMsoNormal><o:p><a href="http://manas-vis.com/playfuldoorkeeper/">http://manas-vis.com/playfuldoorkeeper/</a></o:p></p>

</div>

</body>

</html>

------=_NextPart_000_0048_01CECDCC.171ECCC0--

</pre>

Live payload link broken ...

Dr Mike Oxgreen · November 29, 2013

Is there a solution to this problem?

I'm getting countless emails every day, each with the FROM field set to one of the following:

"Penis Growth Free trial sample"

"Promo Men's Supplement"

"Free Sample enlargement"

"Enlargement pills Free trial"

"Get BIGGER with Sample"

etc etc.

This has been going on for weeks and weeks. It's getting to the point where I'm considering dumping Spamcop and looking for an alternative.

Any help gratefully received!

petzl · November 29, 2013

Is there a solution to this problem?

I'm getting countless emails every day, each with the FROM field set to one of the following:

"Penis Growth Free trial sample"

"Promo Men's Supplement"

"Free Sample enlargement"

"Enlargement pills Free trial"

"Get BIGGER with Sample"

etc etc.

This has been going on for weeks and weeks. It's getting to the point where I'm considering dumping Spamcop and looking for an alternative.

Any help gratefully received!

Show some SpamCop tracks

188.244.139.6 is now clear so if you give details it is mostly fixed

Dr Mike Oxgreen · November 29, 2013

Show some SpamCop tracks

188.244.139.6 is now clear so if you give details it is mostly fixed

Sorry, I'm being dense. Can you explain what you mean by a SpamCop track?

Also, what is the significance of that IP address?

Dr Mike Oxgreen · November 29, 2013

Is this what you mean:

http://www.spamcop.net/sc?id=z5630981587ze...a809c19a737185z

Dr Mike Oxgreen · November 29, 2013

A few more:

http://www.spamcop.net/sc?id=z5631004785z3...d3233bae0cb540z

http://www.spamcop.net/sc?id=z5631004784z5...eeb4be487ace83z

http://www.spamcop.net/sc?id=z5631004783zb...0e7f3c3da4d269z

http://www.spamcop.net/sc?id=z5631004782z0...f0eae7099554b9z

http://www.spamcop.net/sc?id=z5631004779zd...20535b402bd7b0z

Do these help?

petzl · November 29, 2013

A few more:

http://www.spamcop.net/sc?id=z5631004785z3...d3233bae0cb540z

Snip to give better exp

Do these help?

By George you've got it

They should be going to your held folder

But you have

X-SpamCop-Whitelisted: reuters.com

Whitelist overides any/all blacklistshh

If you can extend the email address to full or more one/s?

2nd one should of been blocked BOTNET attack host

78.143.240.128 not listed in cbl.abuseat.org (it is)

Spamcop email blacklists are braking down I'm afraid?

I found and reported this to them (no action)

CBL check has been working though?

Your main problem is your Whitelist

X-SpamCop-Whitelisted: reuters.com

I'm finding SC Email is NOT checking (it should be)

SpamCop Blacklist

China (the country)

Brazil

You need to make sure your blacklists are checke

http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php

Make sure

"Composite Blocking List"

Is checked if it is push problem and tell SC email it's broken

AND fix/extend your whitelist entry "reuters.com" if you can

http://webmail.spamcop.net/horde/imp/spamcop/whitelist.php

Dr Mike Oxgreen · November 30, 2013

Brilliant - thanks for your help!

I used to work for Reuters, so it's quite possible that I added reuters.com to my whitelist at some time, but I can remove it altogether now. Thanks for spotting that issue for me!

I do have all of the blocking lists switched on, including CBL.

I'll wait and see what effect removing reuters.com has before taking any further action.

petzl · November 30, 2013

Brilliant - thanks for your help!

I used to work for Reuters, so it's quite possible that I added reuters.com to my whitelist at some time, but I can remove it altogether now. Thanks for spotting that issue for me!

I do have all of the blocking lists switched on, including CBL.

I'll wait and see what effect removing reuters.com has before taking any further action.

Whitelist bypass Greylisting also so if you can be more precise in whitelisting it helps speed up with delivery

Trouble is I'm fiding SC email selective in Greylisting (it's also now broken) stops only the good the bad SC email allows through immediatly! The email spam you are getting is being sent from non-email servers

Greylisting if working (which it's not) should of stopped you from even seening the spam in every case you mentioned.

CNN Spammer is back : Eludes SpamCop

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived