cppgenius Posted September 8, 2008

Most 419 scammers are not into e-mail header forgery; they are known for using prehistoric spamming methods. I'm currently working on a very interesting 419 scam sample, with a very interesting e-mail header: http://www.cybertopcops.com/419-scam-stmic...s-job-offer.php

Now the e-mail seems to follow a logical route, first through some kind of local network connected to the pangkor.motour.gov.my domain, and from there it is passed onwards until it reaches the victim's ISP. The X-Originating-IP: [41.205.166.104] at the bottom of the e-mail looks out of place; now we all know this is a non-standard header entry. It is a Nigerian IP address, so many might jump to the conclusion "Hey, it is a 419 scam so it has to be the originating IP!" But is this really the originating IP?

Now I have a couple of theories:

1. It was sent by a Nigerian 419 scammer from 41.205.166.104, but made to look as if it passed through pangkor.motour.gov.my.
2. It was sent from the e-mail account on pangkor.motour.gov.my, but the scammer made it look as if it came from 41.205.166.104.
3. It is an infected machine on pangkor.motour.gov.my that's pumping out 419 spam.

Any thoughts on what may be the actual case here? This is some clever e-mail header spoofing, but is quite uncommon among traditional 419 scammers. So it is clear that they are using some advanced spamming software to send out their scams (after all, it is not uncommon for 419 scammers to operate for larger spam syndicates).
rconner Posted September 8, 2008

I'm not inclined to believe the X-header at all. It could have been placed by the spammer, particularly seeing how far down it is in the header. WHOIS shows the address to have been allocated to Mauritius (Africa), so it is in the correct part of the world for 419, but I would rather it had appeared in one of the Received lines.

I'm more inclined to peg the reportable source as 202.190.210.144. This address does resolve to pangkor.motour.gov.my, but it doesn't go the other way (which is odd if this is supposed to be an MTA). Anyway, Malaysia is hardly unknown as a source of scams and spam.

I wonder, did you submit this to the SpamCop parser, and if so, what did it say? You can do this without actually sending any reports; simply cancel the reports after the parser delivers its results. Snag the tracker URL at the top of the page and post it here.

-- rick
cppgenius Posted September 8, 2008 (Author)

Quoting rconner: "I'm not inclined to believe the X-header at all. It could have been placed by the spammer, particularly seeing how far down it is in the header."

Rick, my thoughts exactly. I don't think the SpamCop report will be of any use. This e-mail was not delivered directly to me; it was reported to our spam account. But here is the link anyway: http://www.spamcop.net/sc?id=z2229533210zb...95d14c3903372ez
rconner Posted September 8, 2008

Quoting cppgenius: "I don't think the SpamCop report will be of any use. This e-mail was not delivered directly to me, it was reported to our spam account. But here is the link anyway."

You are correct; probably since no Mail Host Configuration was done on this path, the results are not very edifying.

-- rick
cppgenius Posted September 8, 2008 (Author)

I tried to make contact with the Malaysian Ministry of Tourism to confirm this at their end, but haven't received any replies yet. So it is really hard to say if it really came from pangkor.motour.gov.my (202.190.210.144). After all, a "Received" entry can also be forged. But is it possible for the spammer to forge a Received entry at that level in the header, because at that stage the e-mail had already reached the ISP of the complainant in the U.S.?
Farelf Posted September 8, 2008

Here is a parse without mailhosts: http://www.spamcop.net/sc?id=z2229630415ze...6fcdc81ff7ee63z

The parser is apparently detecting the injection point amongst the fakery. A fair amount of spam does come from Malaysia. Mercifully (for 'us') not to the sort of lists most of us are on.
rconner Posted September 8, 2008

Quoting cppgenius: "But is it possible for the spammer to forge a Received entry at that level in the header, because at that stage the e-mail already reached the ISP of the complainant in the U.S."

In general, unless someone wants to enlighten me on this point, the spammer can put in as many bogus Received lines as he likes BEFORE he transmits the mail, but once he hands off the mail to a host not under his control, he no longer has any access to tamper with the headers. The forged lines really aren't Received lines at all, no more than a fake passport is really a passport. They are just "creative writing" that happens to look like mail headers.

The usual procedure in scanning a header is to start from the top, and work your way down until you reach an entry that doesn't make sense. The from-host of one line should be the same name as the by-host on the line beneath it; if you find otherwise, then you may have hit the point at which the forgery began. We can't always be absolutely sure, but in 95% or better of the cases I've tried, this type of analysis leads me to the source of the mail.

Here's my casual run-through of this header:

The first line shows that ibbsonline got the message from broadbandsupport.net. The HELO given by broadbandsupport does resolve to the indicated address, although the address does not resolve back to the name. This is poor form, but maybe not a shooting offense. If this spam had been sent to you, you would probably recognize ibbsonline as being part of your normal mail service. If the recipient had gone through the SpamCop mail host configuration process, then broadbandsupport might have a clean bill of health as well. We will wait until the next line to pass judgement on broadbandsupport.

On the next line down, broadbandsupport.net gets the mail from pangkor.motour.gov.my. As I noted, the HELO name does point to the given address, although again it does not work in reverse.

On the next line, pangkor.motour.gov.my gets the mail from localhost. The "loopback" address (127.0.0.0) is given as the address for localhost. At this point, I would give up because localhost/127.0.0.0 is not something I can track down. That's why I concluded that the source was pangkor.motour.gov.my.

Continuing on just for fun, the next line shows the same thing: pangkor.motour.gov.my gets the mail from localhost. This is a malformed header (otherwise it would be showing us who localhost got the mail from). The last line shows the same thing yet again. This is really goofy.

I note that there is a block of X-headers after the third line, and they smell a bit funny (negative spam score, incomplete X-Virus-Scanned info). This would tend to reinforce my conjecture that the forgery started at that point.

I can't guess as to what path this message may have taken before it was sent by pangkor.motour.gov.my, but I have a fair degree of confidence that it did pass through this server. I am far more certain that the mail passed through broadbandsupport, and this may be an open relay, but I have no way to tell from here. The domain motour.gov.my does not appear to have SPF records, so I can't tell whether pangkor is a bona-fide outgoing mail server.

As far as the X-headers are concerned, I generally treat X-headers as being possibly interesting to read, but not proving anything one way or another. The "X" stands for "eXperimental" of course, and you use their information at your own risk.

This page on my website explains this procedure in more detail; perhaps you might find it useful: http://www.rickconner.net/spamweb/pop-find-mail-host.html

-- rick
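The top-down Received-chain walk Rick describes, as an added Python example that is not part of this thread: it parses the Received lines of a constructed sample message (hostnames in .example domains, assumed for illustration; the structure mirrors the recipient MX / ISP relay / pangkor-style server / repeated-localhost pattern discussed above), checks that each line's from-host matches the by-host of the line beneath it, and stops at the first inconsistency or loopback source. The "by" host of that first inconsistent line is the last relay whose word we can take, and the IP recorded for it on the line above is the address to report. The DNS checks Rick does by hand (HELO name resolving to the address and back) need network lookups and are left out.

```python
import email
import ipaddress
import re

# Constructed sample, not the header from the thread. Most recent hop first,
# as in a real message; two "from localhost" lines sit at the bottom, one of
# them separated from the chain by an X-header, as Rick described.
FORGED_SAMPLE = """\
Received: from relay01.isp-relay.example (relay01.isp-relay.example [203.0.113.10])
	by mx1.recipient-mail.example with ESMTP id 12345; Mon, 8 Sep 2008 09:00:00 -0400
Received: from smtp.ministry.example (smtp.ministry.example [198.51.100.144])
	by relay01.isp-relay.example with ESMTP id 67890; Mon, 8 Sep 2008 08:59:00 -0400
Received: from localhost (localhost [127.0.0.1])
	by smtp.ministry.example (Postfix) with ESMTP id AAAA; Mon, 8 Sep 2008 20:58:00 +0800
X-Spam-Score: -10.0
Received: from localhost (localhost [127.0.0.1])
	by smtp.ministry.example (Postfix) with ESMTP id BBBB; Mon, 8 Sep 2008 20:57:00 +0800
From: someone@ministry.example
To: victim@recipient-mail.example
Subject: Job offer

body
"""

# Constructed control case: a two-hop chain with nothing out of place.
CLEAN_SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.25])
	by mx1.recipient-mail.example with ESMTP id 999; Mon, 8 Sep 2008 09:00:00 -0400
Received: from [192.0.2.77] (unknown [192.0.2.77])
	by mail.sender.example (Postfix) with ESMTPA id 111; Mon, 8 Sep 2008 09:00:00 -0400
From: alice@sender.example
To: victim@recipient-mail.example
Subject: hello

body
"""

IPV4_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the from-host, by-host and first bracketed IPv4 literal out of one
    Received header value. Folded continuation lines are joined first."""
    value = " ".join(value.split())
    m_from = re.match(r"from\s+(\S+)", value, re.IGNORECASE)
    m_by = re.search(r"\bby\s+(\S+)", value, re.IGNORECASE)
    m_ip = IPV4_LITERAL.search(value)
    return {
        "from": m_from.group(1).lower() if m_from else None,
        "by": m_by.group(1).lower() if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "raw": value,
    }


def is_loopback(ip):
    """True for 127.0.0.0/8; malformed literals are treated as not loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_injection_point(hops):
    """Walk hops top (most recent) to bottom. Return the index of the first hop
    whose source is a loopback address or whose from-host does not match the
    by-host of the hop beneath it; len(hops) if the chain is consistent."""
    for i, hop in enumerate(hops):
        if hop["ip"] and is_loopback(hop["ip"]):
            return i
        if i + 1 < len(hops) and hop["from"] != hops[i + 1]["by"]:
            return i
    return len(hops)


def analyze(raw_message):
    """Parse a raw RFC 822 message and locate the likely injection point."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    idx = find_injection_point(hops)
    if idx >= len(hops):
        return {"hops": hops, "break_at": None, "source_host": None, "source_ip": None}
    return {
        "hops": hops,
        "break_at": idx,
        # The by-host of the first bad line is the last relay we can trust ...
        "source_host": hops[idx]["by"],
        # ... and the relay above it recorded the IP it actually talked to.
        "source_ip": hops[idx - 1]["ip"] if idx > 0 else None,
    }


if __name__ == "__main__":
    result = analyze(FORGED_SAMPLE)
    print("chain breaks at Received line", result["break_at"])
    print("report", result["source_host"], result["source_ip"])
```

A from/by mismatch is a hint rather than proof: a server may announce itself under one name in its own "by" clause while the next relay records the HELO or reverse-DNS name it saw, so the check is best read alongside the DNS lookups, exactly the judgement call Rick makes for broadbandsupport above.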
rconner Posted September 8, 2008

Quoting Farelf: "Here is a parse without mailhosts"

Hey, howd'ya do that?

-- rick
Farelf Posted September 8, 2008

Quoting rconner: "...Hey, howd'ya do that?"

Two accounts. I kept my old one from home (never hosted) and use it for 'forensics', also 'full reporting' of stuff from work. My newer (home) account is mailhosted and I use that for the small amount of spam my home provider allows me. I could turn off his filtering and report it all, but he won't let my emailed submissions out (because they contain spam, naturally) while publicly maintaining he does no such thing, and there's 'way too much of it to copy and paste (last time I checked). But I digress.

Hmmm - the payload would appear to be the actual eMail "From:" address = "Return-path:" = marianis[at]motour.gov.my. This is unusual if it is a 419 - by the request for personal detail, return by email is classic 419/scam/ID theft stuff.

MX records for motour.gov.my:

    preference  exchange                  IP address (if included)
    5           MX.motour.gov.my          [202.190.210.132]
    10          viruswall.motour.gov.my   [202.190.210.139]
cppgenius Posted September 9, 2008 (Author)

Quoting rconner: "I can't guess as to what path this message may have taken before it was sent by pangkor.motour.gov.my, but I have a fair degree of confidence that it did pass through this server."

This complainant reported quite a number of e-mails to us. All of them show the following pattern:

    from msgsysXX.broadbandsupport.net (209.55.1.14x) by atmailX.ibbsonline.com
    from [RANDOMDOMAIN] by msysmtaXX.broadbandsupport.net

So this seems to be standard procedure by his/her ISP, and I find it hard to believe that the 2nd Received entry (from the top) was forged. But as you said, one can only say this with a fair degree of confidence. Since it is uncommon for traditional 419 scammers to go to such great lengths to forge an e-mail header, I'm sticking with a combination of theory 2 and 3 (for now).

Quoting rconner: "This page on my website explains this procedure in more detail, perhaps you might find it useful:"

Thanks Rick, it is a useful resource indeed. The whole process is explained in great detail. I appreciate your help and insights into this problem.

PS: The negative spam score is quite funny. Perhaps the spammer thought he would be able to bypass any possible spam filtering software along the chain with a more than perfect spam score. A spam score so perfect, the spam filter should actually award him some points for creativity.

Quoting Farelf: "Here is a parse without mailhosts"

Thanks for the help, Farelf.
rconner Posted September 9, 2008

Quoting cppgenius: "I find it hard to believe that the 2nd Received entry (from the top) was forged."

Actually, I think that the authentic headers probably end after the third one down (localhost to pangkor, the first time). Unless, that is, we don't trust the address given for broadbandsupport (but it seems OK).

Quoting cppgenius: "I'm sticking with a combination of theory 2 and 3 (for now)."

Both theories put the injection point at pangkor, so I agree with you on that much. We don't have much evidence as to HOW the mail was relayed to pangkor, although the from address tends to suggest that this was a bona-fide user of this server (if so, he was a really STUPID one, since the admin at pangkor has but to walk down the hall to bust him).

Quoting cppgenius: "PS: The negative spam score is quite funny. Perhaps the spammer thought he will be able to bypass any possible spam filtering software along the chain, with a more than perfect spam score. A spam score so perfect, the spam filter should actually award him some points for creativity."

If this is really what he thought, he needs to think again. No mail server is even going to attempt to READ this information, let alone believe it.

-- rick
Farelf Posted September 9, 2008

When I Google motour.gov.my, I come across an xssed.com/mirror site with the synopsis "Cross-site scripting (XSS) vulnerability affecting motour.gov.my." Which might have some bearing on the whole saga, but I don't know. The xssed site hijacks my browser if I try to look at it (the cached version too). Anyway, the motour.gov.my site itself looks fine; no problems seen with its behavior offhand.