• Home
• Blog
• Downloads
• Info
• Reviews
• Virus Warnings
• Search Site

[More Info]

[/network/email/spam] permanent link

Michael Jackson died on June 25. Spammers are already trying to capitalize on his death by referencing it in their spam messages. Mcafee's TrustedSource site reports the following at Michael Jackson News Affects Web Traffic

The announcement of Michael Jackson.s death has caused immediate effects on the Web 2.0 world. The impact ranged from the interruption on Facebook of coverage of Farrah Fawcett.s death to a surge experienced by Twitter. The Web 2.0 world is definitely abuzz with traffic regarding his passing.

Within hours the percentage of “long-tail” URL traffic associated with Michael Jackson was growing. It peaked around 1 p.m. Eastern time today and now seems to be dropping. These URLs contained mostly generic information about Jackson-blogs, posts, tributes, photos, and collections of his entertainment past. And, yes, some even contained links to malware or rogue anti-virus software.

How do people find these URLs? We.ve seen spam, tweets, blog postings, group postings, and even mobile phone alerts. In addition, as predicted by Avert Labs, we.ve seen search-engine optimization (SEO) in action. There were several attempts to capitalize on redirecting users to known malware-serving sites associated with other SEO campaigns. We found it interesting during our research to see how fast some of the search engines seemed to respond to this. One popular keyword search done around 9 p.m. yesterday showed seven of the top 10 links going to some of these well-known malicious servers. That same search done an hour later showed only one of the top 10 involved.

As the entertainment industry continues to pay tribute and homage to Jackson, we expect that spam and SEO efforts will grow over the weekend. Eventually a new piece of news will replace this event, and there will be a new story-with much the same results.

My wife got email this morning with a subject of "Michael Jackson dead? NO!!!". Withing the message was the following text:

Michael Jackson dead? NO!!!

Open attached file and read!!!

There was an attachment with the message, Michael Jackson Live!.html . I saved the attachment to the hard drive and opened it with a text editor. There was only one line in it, which is shown below:

<meta http-equiv='Refresh' content='0; url=http://addfamous.com/' />

If you opened the file in a web browser, that line would cause your browser to "refresh" the webpage you opened, but using the URL addfamous.com .

The spam message my wife received was listed at Michael Jackson dead? NO!!! on Spam me! Send me your spam messages!, a site which states "In a normal situation you should definitelly not want such thing in your e-mail inbox, however, this website is meant to do exactly the opposite: get as many spam messages as possible, clean them of any harmful stuff (adult images, links to dubious websites and others) and present them to you to research or whatever you want them for."

I didn't visit the addfamous.com site, but out of curiosity, checked its reputation at various web reputation sites.

TrustedSource

I issued a query for addfamous.com at TrustedSource. Unfortunately, that site was experiencing difficulties when I checked and simply returned "Service currently not available (3), please try again later!"

McAfee SiteAdvisor^®

I issued a query for addfamous.com at the McAfee SiteAdvisor^® site. It returned "Our analysis found that this site may be promoted through spammy e-mail." It also reported "This site has been queued for testing. Please come back soon for automated results."

Norton Safe Web

I issued a query for addfamous.com at Symantec's Norton Safe Web site. It reported "This site has not been tested yet."

Barracuda Central

I also checked the reputation of the site using Barracuda Central's IP / Domain Lookups tools. Barracuda Networks sells antspam appliances. I clicked on the Domain Reputation tab and put in addfamous.com . Barracuda Central reported "This domain name addfamous.com is listed on Barracuda's Intent Block List."

Trend Micro Web Reputation Query

I issued a query on http://addfamous.com. The Trend Micro Web Reputation Query site reported "This URL is not currently listed as malicious."

BorderWare ReputationAuthority

I issued a query on addfamous.com. The site reported the domain had a "good" reputation.

[/network/email/spam] permanent link

FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl', `bl.csma.biz', `550 Spam Block: mail from $&{client_addr} refused - See http://bl.csma.biz/')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `550 Spam Block: mail from $&{client_addr} refused - See http://www.spamhaus.org/sbl/')dnl
FEATURE(`dnsbl', `psbl.surriel.com', `550 Spam Block: mail from $&{client_addr} refused - see http://psbl.surriel.com/')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`550 Spam Block: mail from $&{client_addr} refused - see http://dnsbl.sorbs.net/')dnl
FEATURE(`dnsbl',`dnsrbl.swinog.ch',`550 Spam Block: mail from $&{client_addr} refused - see http://antispam.imp.ch/spamikaze/remove.php')dnl

After adding the entry for the Swinog RBL, I generated a sendmail.cf file from sendmail.mc and restarted sendmail.

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart

I checked /var/log/maillog just moments after adding that blacklist and found it had blocked spam:

# grep 'antispam.imp.ch' /var/log/maillog
Apr  8 21:16:57 frostdragon sendmail[15676]: n391GuGi015676: ruleset=check_rcpt,
 arg1=<broderbundxxxxxx@moonpoint.com>, relay=65-75-229-245.dsl.ctcn.net [65.75.
229.245] (may be forged), reject=550 5.7.1 <broderbundxxxxxx@moonpoint.com>... S
pam Block:mail from 65.75.229.245 refused - see http://antispam.imp.ch/spamikaze
/remove.php

The Swinog DNSBL blocked email to an email address that I used on December 8, 2004 when I registered software with Brøderbund Software. I never used the email for any other purpose. Usually, when I'm providing an email address to any company, I don't use my primary email address, but instead create an alias for that address that points to my primary email address. So, if I start getting a lot of spam addressed to the alias, I can just invalidate the alias. And, since the aliases I create are not ones a spammer would use if the spammer was employing a name dictionary attack, i.e. guessing likekly names, I know that the company has provided the email address I gave them to a spammer. So I know the spammer got the address above, which I've changed for any spam spiders that may crawl across this page, from Brøderbund Software or one of the companies that subsequently owned Brøderbund Software.

The Wikipedia article on the company at Brøderbund lists the following history of corporate ownership for Brøderbund.

Brøderbund was purchased by The Learning Company in 1998 for about USD$420 million in stock. Ironically, Brøderbund had initially attempted to purchase the original The Learning Company in 1995, but was outbid by Softkey, who purchased The Learning Company for $606 million in cash and then adopted its name. In a move to rationalize costs, The Learning Company promptly terminated 500 employees at Brøderbund the same year, representing 42% of the company's workforce. Then in 1999 the combined company was bought by Mattel for $3.6 billion. Mattel reeled from the financial impact of this transaction, and Jill Barad, the CEO, ended up being forced out in a climate of investor outrage. Mattel then gave away The Learning Company in September 2000 to Gores Technology Group, a private acquisitions firm, for a share of whatever Gores could obtain by selling the company. In 2001, Gores sold The Learning Company's entertainment holdings to Ubisoft, and most of the other holdings, including the Brøderbund name, to Irish company Riverdeep. Currently, all of Brøderbund's games, such as the Myst series, are published by Ubisoft.

I suspect that it wasn't just my email address that was sold to spammers. Probably Brøderbund's entire mailing list was sold by either Brøderbund or one of the companies that acquired it, though, of course there is a possibility it could just have been an employee of one of the companies trying to make some easy cash or one who was losing a job as his or her company was acquired by another company, who could have been looking to compensate for lost wages.

The address is still being used by spammers over four years later, even though the address has probably not been valid for over a year. Unfortunately, I don't remember when I first started getting spam addressed to that email address.

After having a hernia operation recently, I noticed I've been getting spam on a fairly regular basis suggesting I might want to use the legal services mentioned in the spam if I wanted to sue for any problems related to the patch used in the surgery. I don't remember seeing any of this type of message previously, though it's possible that I might have received such messages, but they never registered in my consciousness then as I deleted spam. But I'm wondering now if someone at the office of the doctor who performed the surgery sold my email address. I believe I did put my primary email address on a form I filled out at the doctor's office. If I had used an alias, I would know for certain, if that was the case.

[/network/email/spam/blocklists] permanent link

Mark Sunner, MessageLabs MessageLabs' chief security analyst, reported that spammers are now also using Google Docs and Microsoft's SkyDrive free online storage to host the contents of their spam messages. The spammers put a link into the messages they send pointing to online documents hosted on those services, which have the advantage of providing large amounts of bandwidth.

References:

1. Report: Cyberspace Becoming More Malicious
   By William Jackson
   June 4, 2008
   Redmond Developer News

[/network/email/spam] permanent link

Smart Network Data Services (SNDS) is a revolutionary Windows Live Mail initiative designed to allow everyone who owns IP space to contribute to the fight against spam, malware, viruses, and other internet evils, and to protect e-mail and the internet as a valued communications, productivity and commerce tool. Windows Live Mail and MSN Hotmail, with over 250 million active user accounts world-wide, is in a unique position to collect and analyze e-mail activity data. By providing that data to service providers, most of whom wouldn.t otherwise have access to any such data, they are empowered to use their relationship with their customers to react and take repair actions, such as preventing spam from originating within their IP space. The overarching goal of SNDS is to make the Internet a better, safer place. Working together, Windows Live Mail and service providers can make their respective customers happier and more satisfied with the various services we all provide.

When you click on Submit you will see the message "We've determined that the following email addresses are associated with the specified network in an appropriately authoritative way. Please choose one that you can receive mail at and we will send instructions for completing the signup process to that address." You may then see 4 addresses similar to those below:

abuse@yourdomain.com 
noc@isp1.net 
noc@isp2.net 
postmaster@yourdomain.com

Two of the addresses will be of the form abuse@yourdomain.com and postmaser@yourdomain.com, assuming that a reverse DNS lookup on a provided IP address yields "yourdomain.com".

A "whois" lookup will also be done on a provided IP address using the relevant registrar, which, if you are in the U.S. will likely be the American Registry for Internet Numbers (ARIN). The "OrgTechEmail" address listed for the IP address may be used as one of the possible addresses, e.g. noc@isp1.net, if that was the "OrgTechEmail" listed for the ISP.

You can see further information on how the email addresses are derived at SNDS - FAQ.

If you have PTR record in DNS that points back to yourdomain.com, and wish to use one of those email addresses, make sure that you have valid abuse@yourdomain.com and postmaster@yourdomain.com email addresses.

What data does SNDS provide?

The data provided by SNDS is meant to provide as broad a picture of an IP's mail sending behavior as necessary for the system's consumers to be able to stop spam.  It reports on a variety of characteristics of mail traffic.  The data points provided are designed to be difficult or impossible for spammers to avoid differentiating themselves from well-behaved mailers.  Similarly however, data isn't provided on IPs that send very little mail because they (currently) account for a negligible amount of spam.  For each IP within the ranges that the user has been authorized, the following data is provided:

• IP Address
• Mail data
  • Activity period
  • Traffic data
    • SMTP verb and message recipient counts
    • Sample commands
  • Junk mail data
    • Filter result
    • Complaint reports
    • Trap hits
    • Sample messages
• Virus-infected emails
• Malware hosting
• Open proxy status

An email message is sent to the address you specified. You will need to go to a link provided in that email message to grant access to the data to a Windows Live ID account, such as a hotmail.com email address, you specified when you requested an account.

Once you have confirmed access, you can view data at SNDS - View Data There you will see a calendar where you can select dates for which to view data. You have the option to change your settings to allow access your data as a .CSV file without the need for browser-based authentication technologies such as Windows Live™ ID. This facilitates access to your data via your own automated scripts or programs.

I didn't see any data listed for an IP address I specified. I know email is sent from that address to hotmail.com users, but the volume of traffic is fairly low. The SNDS - FAQ states that "data isn't provided on IPs that send very little mail because they (currently) account for a negligible amount of spam."

[/network/email/spam] permanent link

# ./find-recipients.pl wendyvi21@alltel.net /var/log/maillog
Found 2 messages from wendyvi21@alltel.net in /var/log/maillog

Message recipients

Time            Message ID     Status        Recipient
----------------------------------------------------------------
Jun 10 07:58:02 l5ABupmb001042 Rejected      kittycat321@moonpoint.com
Jun 10 08:05:03 l5AC3omb001081 Sent          kittycat321@moonpoint.com

When I checked the /var/log/maillog file for those two message IDs, I found that the first message had been blocked by the Spam and Open-Relay Blocking System (SORBS) blocklist. SORBS is a DNS Blacklist (DNSBL).

The message that was rejected was from ispmxmta05-srv.windstream.net [166.102.165.166], while the one that was accepted was from ispmxmta09-srv.windstream.net [166.102.165.170].

When I checked the SORBS list, it appeared that the 166.102.165.166 had been there for at least a week due to SORBS detecting spam orginating from the email server at that address.

But when I looked up the other IP address, 166.102.165.170, it appeared it was also in the SORBS blocklist.

When I queried the SORBS database through the SORBS Database Lookup webpage, it appeared both addresses were present in the SORBS blocklist, yet when I used blq to query the SORBS blocklist, I found only the first .166 address listed and not the .170 address, which was consistent with Sendmail's rejection of the first message, but not the second one.

# ./blq sorbs 166.102.165.166
166.102.165.166 ispmxmta05-srv.windstream.net : dnsbl.sorbs.net : BLOCKED
# ./blq sorbs 166.102.165.170
166.102.165.170 ispmxmta09-srv.windstream.net : dnsbl.sorbs.net : ok

I received another report from a Hotmail sender that she was finding email rejected as well. I went through the same process as above. Again the SORBS website database query seemed to indicate that both addresses would be blocked, but using blq showed only one was blocked, which matched the entries I found in today's maillog file with the first message from the sender being rejected and the second accepted. The first was from bay0-omc2-s36.bay0.hotmail.com [65.54.246.172] and the second from bay0-omc2-s37.bay0.hotmail.com [65.54.246.173].

When performing a database check via the website, I saw the following for the IP address from which a message was rejected:

But I also saw the following for the IP address of the server from which a message was accepted:

Again, the information returned didn't seem to be consisttent with what a blq query returned:

# ./blq sorbs 65.54.246.172
65.54.246.172 bay0-omc2-s36.bay0.hotmail.com : dnsbl.sorbs.net : BLOCKED
# ./blq sorbs 65.54.246.173
65.54.246.173 bay0-omc2-s37.bay0.hotmail.com : dnsbl.sorbs.net : ok

So the results I obtained through the website query don't seem to accurately reflect what will be blocked, if I interpret seeing "Currently active and flagged to be published in DNS" appearing in a red block as an indication the address is in the blocklist as one to be blocked.

[/network/email/spam/blocklists] permanent link

[ More Info ]

[/network/email/spam/barracuda] permanent link

The SORBS entry for the EarthLink server is shown below:

Address: 207.69.195.61
Record Created: Fri Mar 10 09:30:02 2006 GMT
Record Updated: Fri Mar 10 09:30:02 2006 GMT
Additional Information: Received: from pop-gadwall.atl.sa.earthlink.net (pop-gadwall.atl.sa.earthlink.net [207.69.195.61]) by desperado.sorbs.net (Postfix) with ESMTP id 52E7111471 for <[email]>; Fri, 10 Mar 2006 19:06:10 +1000 (EST)

My Problem Report

I provide PC and network support to small businesses in my area and am trying to resolve an email problem for a client who has not been able to receive email from his daughter, who uses EarthLink as her ISP. Her email is being blocked on the server handling his incoming email because it is coming through an EarthLink email server with the IP address 207.69.195.61 (pop-gadwall.atl.sa.earthlink.net), which is on the Spam and Open Relay Blocking System (SORBS) blocklist (see http://www.dnsbl.us.sorbs.net). Will EarthLink contact SORBS about removing the address from the SORBS list?

EarthLink's Response

Thank you for contacting us.

We understand that one of the EarthLink client in your area is unable to receive email from his daughter who uses EarthLink as his ISP.

In addressing the issue we would like to inform you that the issues you're having will require active troubleshooting that can only be accomplished by working with someone in real time. In order to help you efficiently as possible, we recommend that you contact Open Relay department at: "openrelay @ earthlink.net"

Open relay is a term used to describe an email server that is not secured against unauthorized access in order to send email. Spam is often generated from such servers, either knowingly or unknowingly.

EarthLink blocks open relay servers from delivering mail to EarthLink. This prevents a great deal of spam from arriving in our customer's email boxes. If someone is trying to send you email, and are being denied for this reason, they will have to speak to the administrator of their email server.

The administrator can choose to secure the server, or contact our Abuse department and prove that their server is in fact secured. If the administrator has secured the server, they need to email openrelay@abuse.earthlink.net and provide the server's IP address or name. Once verified that the relay is closed, the server will be removed from the block list, and EarthLink will begin to accept mail from them.

Please be advised that not all matters may be resolved via email for security reasons or due to the complexity of the issue.

We appreciate your understanding in this regard.

I sent a reply to that message. I'm curious as to whether I can get a relevant response from either ISP within two messages or even at all. I also wonder how many others may have reported the same issues to AOL and EarthLink and gotten the same canned non-germane responses. It is no wonder why an email server may stay on a blocklist for a long time, if one has to get someone at the ISP of the offending server to request a delisting.

[/network/email/spam] permanent link

A few weeks ago I found that email from AOL users was being blocked by the SORBS list, because two AOL servers were on the list. Those AOL servers are listed below:

Name: imo-d05.mx.aol.com
Address: 205.188.157.37

Name: imo-m25.mx.aol.com
Address: 64.12.137.6

I reported the problem to AOL then, using an AOL account I keep just for assisting AOL users, and received a response on April 3. However, the response was irrelevant to the problem I reported. I've included my message and AOL's response below:

My Problem Report

User comments = Two AOL email servers are in the Spam and Open Relay Blocking System (SORBS) blocklist (see www.http://www.dnsbl.us.sorbs.net). Their IP addresses are 64.12.137.6 and 205.188.157.37.

Because those IP addresses are in the SORBS blocklist, whenever email is sent through those AOL servers, it is rejected by other email servers which use the SORBS blocklist.

I am hoping AOL will address the issue with SORBS.

AOL's Response

From: SPIncomingMail
To: <snipped>
Sent: Mon, 3 Apr 2006 11:24:32 PM Eastern Daylight Time
Subject: Re: I have a problem sending or receiving email in AOL


Dear Jim,

Hi! My name isácille from America Online. I would like to thank you for writing and making us aware of your concern.

I understand that you have questions with AOL blocking e-mail coming from Sorbs domain.

I apologize for the inconvenience this has caused you, Jim.

AOL has developed Solicited Bulk Mailing Guidelines to both aid 'netizens' with their online marketing campaigns and to protect our member base from e-mail abuse.

To learn about AOL's Unsolicited Bulk Mail Policy, please visit http://postmaster.info.aol.com/guidelines/bulk_email.html.

If you believe that Sorbs organization's e-mail provider can adhere to AOL guidelines provided at http://postmaster.info.aol.com/guidelines/index.html, please ask their e-mail provider to call our Postmaster Hotline at 703-265-4670 or 1-888-212-5537 and the Postmaster group will evaluate your mailing patterns and resolve any outstanding issues with their server or domain.

AOL has developed a site for Internet users who are experiencing problems sending e-mail to AOL or for people who have questions about AOL's e-mail and junk e-mail policies at http://postmaster.info.aol.com/index.html.

If they would like to test their e-mail server against our database, enter the IP address at http://postmaster.info.aol.com/tools/duls.html.

I hope that I have sufficiently provided you with useful information about your inquiry.

If you have other concerns or questions regarding AOL, please do not hesitate to contact us in the future.

You can chat online with a technical support specialist by going to AOL Keyword:
Live Help. My colleagues there are available 24 hours a day to assist you in a secure, one-on-one session.

If you prefer to be assisted via phone, you may call us at our toll-free number:
1-800-827-6364. Calling early in the day usually reduces the waiting time to speak to a consultant.

We are always ready to answer questions and do whatever we can to make your online experience even more enjoyable.

Again, thank you for your patience and understanding on this matter.

Cecille
AOL Customer Care Consultant

I replied to the AOL message today, since I found the two AOL servers are still on the SORBS list, requesting AOL address the issue with SORBS. The 64.12.137.6 address appears to have been on the list since December 15, 2005. And for the other address I see the following:

Address: 205.188.157.37 
Record Created: Sun Apr 25 22:36:02 2004 GMT 
Record Updated: Thu Feb 23 04:29:58 2006 GMT 
Additional Information: Received: from imo-d05.mx.aol.com (imo-d05.mx.aol.com [205.188.157.37]) by server (8.10.2/8.10.2) with ESMTP id k1N2Krh14751 for ; Wed, 22 Feb 2006 20:20:53 -0600 

I would not be surprised if I get a similar non-germane response again, though. There was a time when I recommended America Online (AOL) - I think Ads Online would be a more appropriate name - to novice computer users, but now I wouldn't recommend it to anyone and reports that its membership has been significantly declining don't surprise me.

[/network/email/spam] permanent link

Blitzed Open Proxy Monitor List
Open Relay Database
Composite Blocking List
McFadden Associates E-Mail Blacklist
SORBS
Passive Spam Block List

I also download the jwSpamSpy Spam domain blacklist, which is available from http://www.joewein.de/sw/blacklist.htm once a week and update sendmail's /etc/mail/access file with it to block email from domains on that list.

Recently, I was notified by a couple of users that some of their email correspondents are reporting that email to the users is being rejected. I created a Perl script, find-recipients, to check sendmail maillog files for a specified sender's email address to determine if email from that sender was successfully delivered or rejected.

I found one BellSouth sender's email was being rejected because the IP address of a server handling his outgoing email, 205.152.59.72 [imf24aec.mail.bellsouth.net] is on the SORBS blocklist. I submitted a report on the matter to BellSouth by completing their support request form at http://services.bellsouth.net/footer/feedback.html, but I am not a BellSouth customer, so don't know whether my report will prompt them to address the matter. I also notified the sender of why the message was rejected and provided the URL for the support request form to him, but I would be surprised if the sender reported the problem to BellSouth, his email server provider.

I'm afraid most senders will conclude, if they can send email to most of their correspondents that the problem is not on their end, no matter what explanation I might provide about spam blocklists and why their email was rejected. It is difficult just to get a sender to provide the exact rejection message they get when their email is bounced. Most feel they only need say that email they have sent has bounced, ignoring the cause listed in the bounced messages they receive. And when users on my system pass on reports of email to them not getting through, they often don't even provide me with the email address of the sender or a date when the problem occurred making it virutally impossible to immediately isolate the cause of a particular message being bounced.

I found that email from another sender, whose email was coming from Network Solutions' email servers, was rejected four times on March 8, 2006 and once on March 17, because three Network Solutions email servers were on the SORBS blocklist and one server was on the Passive Spam Block List. Two email messages from him were accepted on March 8 and one on March 29, however.

March 8, 2006 Rejections

SORBS: 205.178.146.53 [omr3.networksolutionsemail.com]
PSBL: 205.178.146.50 [mail.networksolutionsemail.com]
SORBS: 205.178.146.55 [omr5.networksolutionsemail.com]
SORBS: 205.178.146.55 [omr5.networksolutionsemail.com]
SORBS: 205.178.146.55 [omr5.networksolutionsemail.com]

March 17, 2006 Rejections

SORBS: 205.178.146.52 [omr2.networksolutionsemail.com]

When I checked the PSBL list, I found the Network Solutions server had been detected as sending spam on March 6, but had been removed from that list on March 8, but apparently after the sender had sent his email on that date when one of his messages was rejected, because of the presence of the server's address on that list.

When I checked the SORBS blocklist, I found that all of the Network Solutions server addresses had been removed from that list also, so it appears his email service provider, Network Solutions, has already addressed the problem.

I added both senders to the list of those for whom no blocklist checks should be made by adding their email addresses to /etc/mail/access with lines like the following:

someone123a@bellsouth.net       OK
someone456b@example2.com        OK

I then rebuilt the access database with the command makemap hash /etc/mail/access </etc/mail/access

Note: In order to bypass blocklist checks for a sender by adding the sender's email address to /etc/mail/access, delay_checks has to have been specified in the sendmail configuration file, e.g. /etc/mail/sendmail.mc. This can be done by adding the line below to sendmail.mc and then rebuilding sendmail.cf from sendmail.mc.

FEATURE(delay_checks)dnl

You can regenerate the sendmail.cf file with the m4 command. You need to restart sendmail afterwards for the change to take effect.

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
/etc/init.d/sendmail restart

[/network/email/spam] permanent link