Spammers Go Full Circle
In the last little while I have seen more spam showing up in my inbox. Most of it has been stock market scams and dangerous "click here" emails, which I assume are the doorway to some impressive piece of malware.
My curiosity was piqued: how did spam of this caliber get past my grey-listing filter? Let me give a short lesson on grey-listing so that you can understand. Some facts up front: the herds of computers in a botnet do not have a mail queue to ensure best-effort delivery of email. Computers in a botnet simply spew out email and hope for the best.
Grey-listing as a defence is based on this principle and works well at defeating botnet-based spam in a simple way. The grey-list equipped mail server refuses the first delivery attempt with a temporary (4xx) SMTP error rather than a permanent one. At the same time, the grey-list program remembers some key facts about the attempt, typically the connecting IP address, the envelope sender and the envelope recipient. If another delivery with matching criteria shows up later, after the administratively configured time limit has passed, the mail server allows the email to flow. A legitimate mail server treats the temporary error like any other and retries from its queue, so the cost is a few minutes of latency on the first message from a new correspondent.
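As an added example (not code from the newsletter or from eSubnet), here is a minimal greylisting decision function that behaves the way the paragraph describes: the first attempt for a new (client IP, envelope sender, envelope recipient) triplet is deferred with a 450, a retry that arrives before the configured delay is deferred again, and a retry after the delay is accepted and the triplet whitelisted. The 10-minute delay, the expiry window and the two sample delivery traces are assumptions chosen for illustration.

```python
# Added example (not from the article): a minimal greylisting decision
# function in the spirit of milter-greylist. The delay, expiry and the
# sample deliveries below are constructed for illustration.
from dataclasses import dataclass, field

GREYLIST_DELAY = 600          # seconds a retry must wait (10 minutes, assumed)
GREYLIST_EXPIRE = 36 * 3600   # forget triplets never retried within this window (assumed)


@dataclass
class Greylist:
    delay: int = GREYLIST_DELAY
    expire: int = GREYLIST_EXPIRE
    # triplet -> time of first attempt
    pending: dict = field(default_factory=dict)
    # triplets that completed a retry after the delay
    whitelisted: set = field(default_factory=set)

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply code a greylisting MTA would give.

        450: temporary failure, try again later (first sight or too early).
        250: accepted (retry after the configured delay, or already whitelisted).
        """
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.whitelisted:
            return 250
        first = self.pending.get(key)
        if first is None or now - first > self.expire:
            # Never seen (or the old entry expired): remember it and defer.
            self.pending[key] = now
            return 450
        if now - first < self.delay:
            # Retrying too quickly is deferred again.
            return 450
        # A real queue came back after the delay: let it through from now on.
        del self.pending[key]
        self.whitelisted.add(key)
        return 250


def simulate(deliveries, delay=GREYLIST_DELAY):
    """Run (t, ip, sender, rcpt) attempts through one greylist; return the reply codes."""
    gl = Greylist(delay=delay)
    return [gl.check(ip, s, r, t) for (t, ip, s, r) in deliveries]


# Constructed traces: a bot fires once and never retries; a queued MTA
# retries on a typical backoff schedule.
BOT = [(0, "203.0.113.7", "bot@example.net", "me@example.org")]
QUEUE = [
    (0,    "198.51.100.9", "shop@example.com", "me@example.org"),
    (300,  "198.51.100.9", "shop@example.com", "me@example.org"),  # 5 min: too early
    (900,  "198.51.100.9", "shop@example.com", "me@example.org"),  # 15 min: accepted
    (1000, "198.51.100.9", "shop@example.com", "me@example.org"),  # later mail: immediate
]

if __name__ == "__main__":
    print("bot  :", simulate(BOT))      # [450]
    print("queue:", simulate(QUEUE))    # [450, 450, 250, 250]
```

The bot trace never gets past the first 450 because nothing ever comes back; the queued server is deferred twice and then accepted, and every later message on the same triplet is accepted immediately. A different recipient or a different client address is a new triplet and starts the clock again.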
One can see how this really puts a stop to botnet-sourced spam, as the source of the spam has no mail queue and never comes back. And now you can see why I was intrigued. After a bit of research I figured it out: the people sending the spam are back to their old trick of using email servers with a mail queue, and not their own. I reviewed the email headers (Options, for you MS people) and saw the information below.
(This is not a complete header, as I sanitized the information.)

Return-Path:
Received: from mail.esubnet.com ([unix socket]) by mail (Cyrus v2.2.12-InvocaXXXXXXXXXXXX) with LMTPA; Wed, 30 Jan 2008 14:44:36 -0500
X-Sieve: CMU Sieve 2.2
Received: by mail.esubnet.com (Postfix, ) id F0CA137A422; Wed, 30 Jan 2008 14:44:35 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.X.X () on mail
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=3.5 tests=DATE_IN_FUTURE_03_06, HTML_MESSAGE autolearn=no version=3.X.X
Received: from qbatq.veloxzone.com.br (20179035246.user.veloxzone.com.br [201.79.35.246] (may be forged)) By mail1.esubnet.com (8.13.8/8.13.8) with SMTP id m0UJtAr4005896 for ; Wed, 30 Jan 2008 14:55:11 -0500
Date: Wed, 30 Jan 2008 22:55:11 +0000
From: "Milwee Shearon"
X-Mailer: The Bat! (3.51.3) Professional
Reply-To: Milwee Shearon
X-Priority: 3 (Normal)
Message-ID: <7593134680.20080130194557@emediawire.com>
To:
Subject: neoplasms
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----------F02EBE428BD1C4"
X-Greylist: Delayed for 00:10:07 by milter-greylist-2.0.2 (mail.esubnet.com [10.10.10.10]); Wed, 30 Jan 2008 14:55:11 -0500 (EST)

The last line is the evidence: milter-greylist held the message for 10 minutes and 7 seconds and the sender came back, which is exactly the retry behaviour grey-listing relies on a real mail queue to produce. Two other details are worth a look. The first external hop, 201.79.35.246, carries a reverse-DNS name that sendmail annotated "(may be forged)" because it did not resolve back to that address, and the Date: header sits three hours ahead of the time of receipt, which is what triggered SpamAssassin's DATE_IN_FUTURE_03_06 test. Even so the message scored only 2.0 against a threshold of 3.5, so content scoring alone was never going to stop it.

The email message ID and the source address originate all over the web. I have seen this repeated across many samples of spam. It looks like a new round in the spam deliver/block battle is underway. Now might be a good time to ensure that your support contracts are up to date and do not lapse.
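To show what a practitioner would pull out of a header like the one above, here is an added example (not part of the original newsletter or eSubnet's code) that uses only Python's standard library to parse the sanitized sample header from the article and extract three things: how long milter-greylist held the sender off, the first external hop together with sendmail's forgery flag, and how far the sender's Date: header is ahead of the first-hop Received: timestamp (the skew behind the DATE_IN_FUTURE_03_06 hit). The redacted Return-Path:, To: and "for ;" fields are kept exactly as the author left them.

```python
# Added example, not from the article: extract greylisting and origin
# evidence from a message header using the standard library only.
import re
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# The article's sanitized header, reproduced verbatim (redactions kept).
SAMPLE_HEADER = """\
Return-Path:
Received: from mail.esubnet.com ([unix socket]) by mail (Cyrus v2.2.12-InvocaXXXXXXXXXXXX) with LMTPA; Wed, 30 Jan 2008 14:44:36 -0500
X-Sieve: CMU Sieve 2.2
Received: by mail.esubnet.com (Postfix, ) id F0CA137A422; Wed, 30 Jan 2008 14:44:35 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.X.X () on mail
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=3.5 tests=DATE_IN_FUTURE_03_06, HTML_MESSAGE autolearn=no version=3.X.X
Received: from qbatq.veloxzone.com.br (20179035246.user.veloxzone.com.br [201.79.35.246] (may be forged)) By mail1.esubnet.com (8.13.8/8.13.8) with SMTP id m0UJtAr4005896 for ; Wed, 30 Jan 2008 14:55:11 -0500
Date: Wed, 30 Jan 2008 22:55:11 +0000
From: "Milwee Shearon"
X-Mailer: The Bat! (3.51.3) Professional
Reply-To: Milwee Shearon
X-Priority: 3 (Normal)
Message-ID: <7593134680.20080130194557@emediawire.com>
To:
Subject: neoplasms
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----------F02EBE428BD1C4"
X-Greylist: Delayed for 00:10:07 by milter-greylist-2.0.2 (mail.esubnet.com [10.10.10.10]); Wed, 30 Jan 2008 14:55:11 -0500 (EST)
"""

# "from <helo> (<reverse-dns> [<ip>]" as sendmail writes it in a Received: line
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_header(text):
    """Parse header text into a Message object (header fields only, no body)."""
    return HeaderParser().parsestr(text, headersonly=True)


def greylist_delay_seconds(msg):
    """Seconds milter-greylist held the sender off, from X-Greylist; None if absent."""
    m = re.search(r"Delayed for (\d+):(\d\d):(\d\d)", msg.get("X-Greylist", ""))
    if not m:
        return None
    h, mnt, s = (int(x) for x in m.groups())
    return h * 3600 + mnt * 60 + s


def first_external_hop(msg):
    """The bottom-most Received: line is the hop that reached our MTA from outside.

    Returns (helo, reverse_dns, ip, may_be_forged) or None if no such line parses.
    """
    for line in reversed(msg.get_all("Received") or []):
        m = RECEIVED_FROM.search(line)
        if m:
            return (m["helo"], m["rdns"], m["ip"], "(may be forged)" in line)
    return None


def date_skew_seconds(msg):
    """Seconds the sender's Date: sits ahead of the first-hop Received: time (positive = future)."""
    first_hop = (msg.get_all("Received") or [])[-1]
    recv_ts = parsedate_to_datetime(first_hop.rpartition(";")[2].strip())
    date_ts = parsedate_to_datetime(msg["Date"])
    return int((date_ts - recv_ts).total_seconds())


def summarize(text):
    """Everything a quick header review wants, as one dict."""
    msg = parse_header(text)
    return {
        "greylist_delay_seconds": greylist_delay_seconds(msg),
        "first_external_hop": first_external_hop(msg),
        "date_skew_seconds": date_skew_seconds(msg),
        "spam_status": msg.get("X-Spam-Status"),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_HEADER).items():
        print(f"{k}: {v}")
```

On the sample header this reports a greylist delay of 607 seconds, a first hop of qbatq.veloxzone.com.br / 20179035246.user.veloxzone.com.br [201.79.35.246] with the forgery flag set, and a Date: skew of 10800 seconds, i.e. the three hours that put the message inside SpamAssassin's 3-to-6-hour DATE_IN_FUTURE band. Only the bottom-most Received: line is trusted as the external hop because every line above it was written by our own servers, while anything the sender put in the message, including any Received: lines it forged itself, sits below.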
Originally published January, 2008
eSubnet Services
Contact us regarding your network,
security and Internet services needs
ESUBNET ENTERPRISES INC. TORONTO CANADA