Farelf

Holiday season spam

Ah, they never stop trying to reduce us to penury and our heirs and successors in perpetuity too. With the "holiday season" (AKA Christmas, ta very muchly - too late for Hanukkah this year and Eid al-Fitr is long gone) comes this fake airline itinerary notification, lovingly crafted to emulate (no doubt) in every detail the correct format of the right regional airline for the delivery area, just at the time when millions of people would be expecting real notifications/e-tickets in their inboxes. This one carries a trojan downloader, recognised so far by only a handful of anti-virus defenders according to the VirusTotal test battery:

Virus scan results:

https://www.virustotal.com/file/acf692cc8f5...87d85/analysis/

The spam:

http://www.spamcop.net/sc?id=z5439965422z1...438cbeae2858daz

People in the G20 countries can look forward to this one - the gift that keeps on giving for those who actually open that exploit file. Once it would have been only the G7's denizens that were bothered so; this 21st century continues to delight. No doubt the downloader can be trivially varied to continue eluding, most of the time it is freshly-delivered, most AVs relying on hash signatures (which is most of them), and the thing will be re-used with those slight variations, the covering e-mail re-written to suit the local airlines, many times. And the smartphone equivalents, I suppose.

So, what other holiday specials are being served up to the unsuspecting public this festive season?

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5441330155zc...5fcc0f5556337cz

No source IP address found, cannot proceed.

That's not IPv6 causing a problem keef - it's just a badly mangled header (full of very inexpert forgery) which has probably never transited out of uk.tiscali.com. Since that is evidently your network, there may be better ways to report it (internally) than through SpamCop.

Here's what it would look like if patched up enough to parse, and without mailhosting being set up:

http://www.spamcop.net/sc?id=z5441363934zb...6079b9e2b4009ez

Presumably the attachment is some sort of trojan dropper. As posted elsewhere, 'tis the season for those. Unless I've misinterpreted something (please say if so), these two posts will be split out of this topic and moved to a more appropriate one in due course.

That's not IPv6 causing a problem keef - it's just a badly mangled header

Thanks.

Why can't SpamCop deal with headers then? I thought we weren't supposed to mess with them ourselves.

The parser sticks to the "standards", spammers can do what they please - or into whatever they blunder. I would imagine spammers (whether intentionally or not) could lead SC on a merry chase indeed, if it chose to follow and compensate for all the infelicities in their forged and unpredictably mangled headers.

I have little doubt that some naughty reporters do "fix" spam so they can report it. That is contrary to the cardinal rule - spam must not be altered to "help" the parser.** It may be easy enough for a human to see the problem but what else they might do in fixing it is unknowable. Making material changes to spam can lead to suspension of the reporter's account (or fining if a paying reporter) because the "evidence" is then altered, it can then be challenged, there could then be further repercussions. There is nothing more vengeful than a crook - or a spammer - "wrongfully accused". Except maybe a woman scorned. And the righteous aren't too pleased about it either.

SpamCop has always sought the willing co-operation of the mail administrators in stopping spam, that's why the evidence is reported to them, in unusually complete form, to assist that process. That requires integrity and trustfulness to work at all. Not sure what works with women, but I digress.

There is more than enough spam left to report, that the parser does handle successfully (I would say). The mangled type seems to fade away pretty quickly - presumably the networks it transits get around to dealing with it/the senders - or the spammers sending it find out something is broken and fix it.

** See SpamCop Administrator's recent post re-enforcing this - http://forum.spamcop.net/forums/index.php?...ost&p=83684

Edited by Farelf

presumably the networks it transits get around to dealing with it/the senders - or the spammers sending it find out something is broken and fix it.

Still getting these; are they all non-IP6 then? :-

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5445229756z7...35ac714e171e11z

No source IP address found, cannot proceed.

Still getting these; are they all non-IP6 then? :-

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5445229756z7...35ac714e171e11z

No source IP address found, cannot proceed.

No, the parse of that one chokes on "Unable to process header. IPv6 addresses are not supported." You can't do a blessed thing with it except maybe send a manual report if you've a mind to.

It appears to enter your network (my emphasis):

Received: from exchange2010.octech.edu ([199.4.164.15]:60659)
    by www.cbcadmin.com with esmtp (Exim 4.69 #1 (EximConfig 2.5))
    id 1Tm8L5-0000a6-GB
    for <x>; Fri, 21 Dec 2012 19:33:06 +0000

Pasting the server name exchange2010.octech.edu only into the SC reporting webform:

http://members.spamcop.net/sc?track=exchange2010.octech.edu (have to be logged in to your reporting account) shows:

SpamCop v 4.6.2.001 © 1992-2012 Cisco Systems, Inc. All rights reserved.

Parsing input: exchange2010.octech.edu

No recent reports, no history available

Routing details for 199.4.164.15

[refresh/show] Cached whois for 199.4.164.15 : foleyg[at]org.tec.sc.us

Using last resort contacts foleyg[at]org.tec.sc.us

If you wanted to (and from an account you don't mind if it should end up with the spammers), you could forward the spam to foleyg and politely request investigation and elimination of the spam source.

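To make concrete what the parser is doing when it walks a Received: chain, here is an added Python illustration (example code written for this thread, not SpamCop's parser). It walks a constructed header chain newest-first, skips hops inside the reporter's own mailhost networks (an assumed 203.0.113.0/24), and returns the first outside hop, which for the chain modelled on the quoted header is 199.4.164.15; it also accepts the bracketed IPv6 form and gives up with None on a mangled hop, the two cases this thread runs into.

```python
import ipaddress
import re

# Constructed sample chain, newest hop first; hostnames, ids and the IPv6 hop are
# made up, the middle hop copies the one quoted in the thread.
RAW_HEADERS = """\
Received: from www.cbcadmin.com ([203.0.113.7])
\tby mailbox.cbcadmin.com with esmtp id 1AAAAA-000001-AA; Fri, 21 Dec 2012 19:33:10 +0000
Received: from exchange2010.octech.edu ([199.4.164.15]:60659)
\tby www.cbcadmin.com with esmtp (Exim 4.69 #1 (EximConfig 2.5))
\tid 1Tm8L5-0000a6-GB
\tfor <x>; Fri, 21 Dec 2012 19:33:06 +0000
Received: from mail.example.org ([IPv6:2001:db8::25])
\tby exchange2010.octech.edu with esmtp; Fri, 21 Dec 2012 19:33:01 +0000
"""
# Assumed: the reporter's own relays (SpamCop's mailhosts), skipped as internal.
TRUSTED = [ipaddress.ip_network("203.0.113.0/24")]
# "from host ([addr]:port)" or "from host (name [IPv6:addr])"; IPv6: tag optional.
_FROM_IP = re.compile(r"\bfrom\s+\S+\s*\(?[^\[\n]*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.I)

def unfold_received(raw):
    """Received: values in header order, with folded continuation lines joined."""
    hops, in_received = [], False
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and in_received:
            hops[-1] += " " + line.strip()
        elif line[:1] not in (" ", "\t"):
            in_received = line.lower().startswith("received:")
            if in_received:
                hops.append(line.split(":", 1)[1].strip())
    return hops

def hop_address(hop):
    """IP this hop claims to have received from; None if the hop is mangled."""
    m = _FROM_IP.search(hop)
    try:
        return ipaddress.ip_address(m.group(1)) if m else None
    except ValueError:  # bracketed text that is not an address
        return None

def find_source_ip(raw, trusted=TRUSTED):
    """First hop from outside trusted networks; None means 'No source IP address found'."""
    for hop in unfold_received(raw):
        addr = hop_address(hop)
        if addr is None:  # mangled hop: chain of custody is broken, stop here
            return None
        if addr.is_private or addr.is_loopback or any(addr in n for n in trusted):
            continue  # one of our own relays, keep walking down
        return str(addr)
    return None
```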