Newsletter

HOME Contact Technical Website OUR SERVICES Applications Networking Security OUR CLIENTS Client List Testimonials Case Studies FRAGMENT Current Release of Fragment CONTACT Careers ABOUT US Our Founder Our Vision Media and News Services Agreement Privacy & Terms

Spammers Go Full Circle    

In the last little while I have seen more spam showing up in my inbox. The type of spam presenting itself has been mostly stock market scams, and dangerous click here emails which I assume are the doorway to some impressive piece of malware.

My curiosity was piqued. I was wondering how did spam of this caliber end up getting past my grey-listing filter. Let me give a short lesson on grey listing so that you can understand. Some facts up front; herds of computers in a BOT-NET do not have a mail queue to ensure best effort delivery of email. Computers in a BOT-NET simply spew out email and hope for the best.

Grey-listing as a defense was based on this principle and works well at defeating BOT-NET based spam in a simple way. The grey-list equipped mail server disallows the first connection attempt. Simultaneously, the grey-list program remembers some key facts about the email. If another email shows up later, after the administratively configured time limit with matching criteria, then the email servers allows the email to flow.

One can see how this really puts a stop to BOT-NET sourced spam, as the source of the spam has no mail queue. And now you can see why I have been intrigued. After a bit of research I figured it out: The people who are sending spam are back to their old trick of using email servers with a mail queue - and not their own. I reviewed the email headers (options for you MS people) and saw the information below.

(This is not a complete header as I sanitized the information.)
Return-Path: 
Received: from mail.esubnet.com ([unix socket]) 
by mail (Cyrus v2.2.12-InvocaXXXXXXXXXXXX) with LMTPA;
Wed, 30 Jan 2008 14:44:36 -0500
X-Sieve: CMU Sieve 2.2
Received: by mail.esubnet.com (Postfix, )
id F0CA137A422; Wed, 30 Jan 2008 14:44:35 -0500 (EST)
X-Spam-Checker-Version: SpamAssassin 3.X.X () on mail
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=3.5 tests=DATE_IN_FUTURE_03_06,
HTML_MESSAGE autolearn=no version=3.X.X
Received: from qbatq.veloxzone.com.br (20179035246.user.veloxzone.com.br
  [201.79.35.246] (may be forged))
By mail1.esubnet.com (8.13.8/8.13.8) with SMTP id m0UJtAr4005896 for
 ; Wed, 30 Jan 2008 14:55:11 -0500
Date: Wed, 30 Jan 2008 22:55:11 +0000
From: "Milwee Shearon" 
X-Mailer: The Bat! (3.51.3) Professional
Reply-To: Milwee Shearon 
X-Priority: 3 (Normal)
Message-ID: <7593134680.20080130194557@emediawire.com>
To: 
Subject: neoplasms
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------F02EBE428BD1C4"
X-Greylist: Delayed for 00:10:07 by milter-greylist-2.0.2 (mail.esubnet.com
 [10.10.10.10]); Wed, 30 Jan 2008 14:55:11 -0500 (EST)

The email message ID and the source address originate all over the web. I have seen this repeated across many samples of spam. It looks like a new round in the spam deliver/block battle is underway. Now might be a good time to ensure that your support contracts are up to date and do not lapse.

Fragment - Current Release

---

Articles

Administration IT Roles and Responsibilities App_Sec BCP STATS On Passwords Spending Enough Planning to Fail Living With the Enemy A Reason for Policy Mission Critical Messaging – Do you have a policy Globalizing the SMB High Availability: People and Processes Case for Project Management Risk Management

Networking On Routing VLAN Tutorial IPs 4 Golden Rules WAN Technology primer DHCP Primer Your Head in the Cloud(s) DNS: Terms and Process VPN Surfing Challenge Network Slowdown Importance of Time High Availability: Technologies

Security Spammers Go Full Circle Beyond the Lock The Guardian at the Gate A Web of Trust Data Breach Notification

Misc Electricity Primer Documentation-101 Data Control Open Source in the Enterprise Closing the Loop Helping IT to help you Your ICT Keystone