Spam from 211.32.91.234

While reviewing email logs, I noticed an attempt on February 15, 2006 to send email to a mailing list that no longer exists on my server. The list was invalidated over a month ago. It was a private mailing list whose address was only supposed to be used by about 4 people in an office that was closed down at the end of last year. The mailing list name was fairly long, with numbers, underscores, and dashes in it, so it would not appear in any dictionary and would be highly unlikely to be generated even by a Rumplestiltskin attack, a type of spammer attack in which the sender tries to guess valid email addresses on the server by brute force. The name of the attack was taken from the fairy tale of the same name, in which the queen must guess the name of the little man who will otherwise take her first-born child.

I was suspicious as to why I would see an attempt to send email to this mailing list, so I followed up on what I found. The entry in the maillog file was as follows except the mailing list address has been changed:

Feb 15 00:00:14 frostdragon sendmail[4401]: k1F50C9G004401: ruleset=check_rcpt, arg1=<lpx_2005-list@cargosecurity.us>, relay=[:], reject=550 5.7.1 <lpx_2005-list@cargosecurity.us>... Mail from 211.32.91.234 refused - see http://opm.blitzed.org
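To turn the kind of log review described above into a repeatable check, here is an added Python example (not code from the original post) that parses sendmail `check_rcpt` rejection lines in this format, groups them by relay IP, and flags relays that probed several distinct non-existent recipients, which is the signature of a Rumplestiltskin address-guessing run. The sample log lines are constructed for the example: only the first mirrors the post's entry, and the other relay addresses, queue ids and recipients are invented.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of sendmail maillog lines (not from the original post).
# Relay addresses and recipients other than the post's own are invented.
SAMPLE_MAILLOG = """\
Feb 15 00:00:14 frostdragon sendmail[4401]: k1F50C9G004401: ruleset=check_rcpt, arg1=<lpx_2005-list@cargosecurity.us>, relay=[211.32.91.234], reject=550 5.7.1 <lpx_2005-list@cargosecurity.us>... Mail from 211.32.91.234 refused - see http://opm.blitzed.org
Feb 15 00:01:02 frostdragon sendmail[4410]: k1F512AB004410: ruleset=check_rcpt, arg1=<alice@example.test>, relay=[198.51.100.7], reject=550 5.1.1 <alice@example.test>... User unknown
Feb 15 00:01:03 frostdragon sendmail[4411]: k1F513AC004411: ruleset=check_rcpt, arg1=<alicia@example.test>, relay=[198.51.100.7], reject=550 5.1.1 <alicia@example.test>... User unknown
Feb 15 00:01:03 frostdragon sendmail[4412]: k1F513AD004412: ruleset=check_rcpt, arg1=<alison@example.test>, relay=[198.51.100.7], reject=550 5.1.1 <alison@example.test>... User unknown
Feb 15 00:01:04 frostdragon sendmail[4413]: k1F514AE004413: ruleset=check_rcpt, arg1=<alice@example.test>, relay=[198.51.100.7], reject=550 5.1.1 <alice@example.test>... User unknown
Feb 15 00:02:30 frostdragon sendmail[4420]: k1F52UBF004420: ruleset=check_rcpt, arg1=<bob@example.test>, relay=mail.example.org [203.0.113.9], reject=550 5.1.1 <bob@example.test>... User unknown
Feb 15 00:03:00 frostdragon sendmail[4425]: k1F530BG004425: to=<carol@example.test>, delay=00:00:01, mailer=local, stat=Sent
"""

# One sendmail rejection line: timestamp, host, queue id, ruleset, recipient,
# relay (a bare "[ip]" or "hostname [ip]"), SMTP code, enhanced code, reason.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: (?P<qid>\w+): "
    r"ruleset=(?P<ruleset>\w+), arg1=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), "
    r"reject=(?P<code>\d{3}) (?P<ecode>[\d.]+) <[^>]*>\.\.\. (?P<reason>.*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_rejects(log_text: str) -> List[Dict[str, str]]:
    """Return one record per check_rcpt rejection; other log lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m or m.group("ruleset") != "check_rcpt":
            continue
        rec = m.groupdict()
        ip = IP_RE.search(rec["relay"])
        rec["ip"] = ip.group(1) if ip else rec["relay"]  # e.g. the post's "[:]" stays as-is
        records.append(rec)
    return records


def find_address_guessers(records, threshold: int = 3) -> Dict[str, List[str]]:
    """Map relay IP -> sorted distinct rejected recipients, for relays that tried
    at least `threshold` distinct non-existent recipients (the Rumplestiltskin pattern)."""
    per_ip = defaultdict(set)
    for rec in records:
        if rec["reason"].startswith("User unknown"):
            per_ip[rec["ip"]].add(rec["rcpt"])
    return {ip: sorted(r) for ip, r in per_ip.items() if len(r) >= threshold}


def rejection_reasons(records) -> Dict[str, List[str]]:
    """Map relay IP -> distinct rejection reasons (DNSBL refusal, unknown user, ...)."""
    reasons = defaultdict(set)
    for rec in records:
        reasons[rec["ip"]].add(rec["reason"].split(" - see ")[0])
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    recs = parse_rejects(SAMPLE_MAILLOG)
    for ip, rcpts in find_address_guessers(recs).items():
        print(f"{ip}: {len(rcpts)} distinct unknown recipients -> {', '.join(rcpts)}")
    for ip, why in rejection_reasons(recs).items():
        print(f"{ip}: {'; '.join(why)}")
```

Run it against a real maillog by passing the file contents to `parse_rejects`; the threshold of three distinct unknown recipients is an arbitrary starting point and should be tuned to the volume of ordinary typos a server sees. A single hit on a long-dead private list address, as in the post, will not trip the guessing threshold, which is exactly why it stands out on manual review: the address was not guessable, so it was most likely harvested.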

When I performed a whois search at the American Registry for Internet Numbers (ARIN) on the IP address of the system attempting to deliver email to my server, I saw the following:

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

Since ARIN indicated that the address falls under the Asia Pacific Network Information Centre (APNIC), I went there and performed another whois query. From what I found there, it appears the IP address belongs to an ISP in Korea.

inetnum:      211.32.0.0 - 211.32.255.255
netname:      BORANET-NET-211-32
descr:        DACOM Corp.
descr:        Facility-based Telecommunication Service Provider
descr:        providing Internet leased-ine, on-line service, BLL etc.
country:      KR
admin-c:      DB50-AP
tech-c:       DB50-AP
mnt-by:       APNIC-HM
mnt-lower:    MNT-KRNIC-AP
changed:      hm-changed@apnic.net 20021025
status:       ALLOCATED PORTABLE
source:       APNIC

role:         DACOM BORANET
address:      DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku, Seoul
country:      KR
phone:        +82-2-2089-7755
fax-no:       +82-2-2089-0706
e-mail:       ipadm@nic.bora.net
e-mail:       abuse@bora.net
e-mail:       security@bora.net
admin-c:      EC115-AP
tech-c:       SIJ1-AP
nic-hdl:      DB50-AP
mnt-by:       MNT-KRNIC-AP
remarks:      IP address administrator group of NIC team, DACOM Corp.
remarks:      If related with spam, send mail to abuse@bora.net
remarks:      If related with security, send mail to security@bora.net
remarks:      Only for whois information correction, send mail to ipadm@nic.bora.net
changed:      jeonsi@bora.net 20041105
source:       APNIC

When I used blq to check which DNS blacklists the IP address was on, I found the following:

# ./blq all 211.32.91.234
211.32.91.234 : sbl.spamhaus.org : ok
211.32.91.234 : relays.visi.com : ok
211.32.91.234 : dialups.visi.com : ok
211.32.91.234 : relays.ordb.org : ok
211.32.91.234 : dnsbl.njabl.org : ok
211.32.91.234 : dnsbl.sorbs.net : ok
211.32.91.234 : blackholes.five-ten-sg.com : BLOCKED
211.32.91.234 : bl.spamcop.net : ok
211.32.91.234 : hil.habeas.com : ok
211.32.91.234 : cbl.abuseat.org : BLOCKED
211.32.91.234 : psbl.surriel.com : ok
211.32.91.234 : ipwhois.rfc-ignorant.org : ok
211.32.91.234 : opm.blitzed.org : BLOCKED
211.32.91.234 : wingate.opm.blitzed.org : ok
211.32.91.234 : socks.opm.blitzed.org : ok
211.32.91.234 : http.opm.blitzed.org : ok
211.32.91.234 : list.dsbl.org : BLOCKED
211.32.91.234 : multihop.dsbl.org : ok
211.32.91.234 : unconfirmed.dsbl.org : BLOCKED
211.32.91.234 : blackholes.mail-abuse.org : ok
211.32.91.234 : dialups.mail-abuse.org : ok
211.32.91.234 : relays.mail-abuse.org : ok
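The blq output above is a series of DNS lookups: each list is queried by reversing the address's octets and appending the list's zone, and an A record in 127.0.0.0/8 means "listed". Here is an added Python example (not blq itself or code from the post) that builds those query names, interprets the answers, and runs the RFC 5782 self-test (127.0.0.2 must be listed, 127.0.0.1 must not) before trusting a zone. The resolver is injectable so the example runs offline against a constructed answer table; the responses in that table are invented to mirror the post's results and are not live lookups.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps a DNS name to its A records, or None when the name does not exist.
Resolver = Callable[[str], Optional[List[str]]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the list zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def live_resolver(name: str) -> Optional[List[str]]:
    """Resolve via the system stub resolver; None means NXDOMAIN / no A record."""
    try:
        return [rr[4][0] for rr in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return None


def is_listing(answers: Optional[List[str]]) -> bool:
    """A DNSBL listing is an A record inside 127.0.0.0/8 (RFC 5782); anything else is not."""
    if not answers:
        return False
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 section 5 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A dead or wildcarded zone fails this and must not be used to block mail."""
    return (is_listing(resolve(dnsbl_query_name("127.0.0.2", zone)))
            and not is_listing(resolve(dnsbl_query_name("127.0.0.1", zone))))


def check_ip(ip: str, zones: Iterable[str], resolve: Resolver = live_resolver) -> Dict[str, str]:
    """Return zone -> "ok" / "BLOCKED" / "UNUSABLE" for the given address."""
    results = {}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            results[zone] = "UNUSABLE"
            continue
        results[zone] = "BLOCKED" if is_listing(resolve(dnsbl_query_name(ip, zone))) else "ok"
    return results


# Constructed answer table for offline use; it models the post's observations and is not real DNS data.
FAKE_DNS = {
    "2.0.0.127.sbl.spamhaus.org": ["127.0.0.2"],        # self-test entry present, address not listed
    "2.0.0.127.cbl.abuseat.org": ["127.0.0.2"],
    "234.91.32.211.cbl.abuseat.org": ["127.0.0.2"],     # listed, as in the blq run above
    "2.0.0.127.relays.ordb.org": ["127.0.0.2"],
    "1.0.0.127.relays.ordb.org": ["127.0.0.2"],         # wildcarded zone: "lists" 127.0.0.1 too
    "234.91.32.211.relays.ordb.org": ["127.0.0.2"],
}


def fake_resolver(name: str) -> Optional[List[str]]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    zones = ["sbl.spamhaus.org", "cbl.abuseat.org", "relays.ordb.org"]
    for zone, verdict in check_ip("211.32.91.234", zones, fake_resolver).items():
        print(f"211.32.91.234 : {zone} : {verdict}")
```

Pass `live_resolver` (the default) to query real zones. The self-test matters more than it looks: several lists in the blq output above (ordb.org, dsbl.org, the blitzed OPM) have since shut down, and a retired zone that starts answering every query positively will silently reject all of a server's mail if it is still in the sendmail configuration.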

I ran a basic proxy test with pxytest, a Perl utility that scans a system to determine if it is functioning as a proxy server.

# ./pxytest -v2 211.32.91.234
Testing addr "211.32.91.234" port "80" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "80" proto "http-post" ... cannot connect
Testing addr "211.32.91.234" port "3128" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "8080" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "8080" proto "http-post" ... cannot connect
Testing addr "211.32.91.234" port "8081" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "1080" proto "socks4" ... cannot connect
Testing addr "211.32.91.234" port "1080" proto "socks5" ... cannot connect
Testing addr "211.32.91.234" port "23" proto "telnet" ... cannot connect
Testing addr "211.32.91.234" port "23" proto "cisco" ... cannot connect
Testing addr "211.32.91.234" port "23" proto "wingate" ... cannot connect
Testing addr "211.32.91.234" port "6588" proto "http-connect" ... cannot connect
Testing addr "211.32.91.234" port "1180" proto "socks4" ... cannot connect
Test complete - no proxies found

The pxytest proxy test program did not report the system was running proxy server software on any of the common proxy ports it tests. When I queried the opm.blitzed.org site for the reason the system was listed in its blacklist, though, it showed port 31453 being used for the proxy service. The proxy service is, or at least was, being run through a SOCKS proxy.

I checked port 31453 on the system with nmap. I didn't get a response to the initial nmap scan. I tried pinging the system, but got no response, so I then scanned ports 80 and 31453 with nmap's -P0 option, which skips the ping probe, but there was still no response. The system may have been taken off-line because it was being used to transmit spam, or the problem may have been otherwise addressed.

$ nmap -p 31453 211.32.91.234

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 60 seconds
$ ping 211.32.91.234
PING 211.32.91.234 (211.32.91.234) 56(84) bytes of data.

--- 211.32.91.234 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5013ms
$ nmap -P0 -p 80,31453 211.32.91.234

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on  (211.32.91.234):
Port       State       Service
80/tcp     filtered    http
31453/tcp  filtered    unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 36 seconds

References:

  1. [IP] "Rumplestiltskin worm" on the loose?
    Monthly Archives for interesting-people
    Date: Sat, 07 May 2005
  2. Software Archive: pxytest
    Unicom Systems Development
    Date: 28-Dec-2002
  3. Rumplestiltskin
    If You Love To Read
  4. Fending off the Rumplestiltskin Mail Attack
    BigNoseBird.com
  5. Internet Anonymity Protocols: SOCKS
    RAD Data Communications


Created: February 21, 2006