[conspire] Botnets making smarter use of Bayesian classifiers

Rick Moen rick at linuxmafia.com
Sat Sep 26 15:34:58 PDT 2015


I've slightly messed with some e-mail addresses just so I won't hear
complaints from the 'I'm hiding from spammers' people.


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Return-path: <rick at linuxmafia.com>
Envelope-to: rick at linuxmafia.com
Delivery-date: Sat, 26 Sep 2015 15:30:07 -0700
Received: from rick by linuxmafia.com with local (Exim 4.72)
	(envelope-from <rick at linuxmafia.com>)
	id 1Zfxyo-0000lY-CK; Sat, 26 Sep 2015 15:30:06 -0700
Date: Sat, 26 Sep 2015 15:30:06 -0700
From: Rick Moen <rick at linuxmafia.com>
To: Michael Siladi <siladi at ix.netcom.com>
Subject: (forw) Fw: important
Message-ID: <20150926223006.GB2212 at linuxmafia.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Organization: If you lived here, you'd be $HOME already.
X-Mas: Bah humbug.
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: Mutt/1.5.20 (2009-06-14)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: rick at linuxmafia.com
X-SA-Exim-Scanned: No (on linuxmafia.com); SAEximRunCond expanded to false

Note forgery:  The message arrived at my SMTP Mail server from IP
address 212.40.185.205 in Germany.

The _claimed_ previous-hop IP address in the second Received header,
190.255.161.59, is at an ISP in Bogota, Colombia.  All information in
headers other than the last-hop IP address _can_ be forged, but it's
rare for the sender or the sender's automated tool to bother, so
provisionally one can assume that a malware-infected MS-Windows
workstation or laptop connecting to the Internet in Bogota sent out the
forged mail via the Windows user's outbound SMTP service in Germany
('SynServer', http://www.synserver.de): At that mail service,
'blue-ld-125.synserver.de' received the mail from the Windows box in
Colombia, and the mail was processed at SynServer.

I infer that the Windows workstation/laptop is botnet-controlled
remotely, and is being remotely fed instructions about what spam to
send, to what addresses and names, using what forged sender IDs, and
with what payloads.

I haven't bothered to look at the payload URL.  Probably some lame
low-rent advertising crud, maybe combined with inline Javascript
requests to the user's browser to fetch and run malware.  Notice that
in the message text there's no effort to believably sound like it's
really you.  They know they'll seem obviously fake to 99% of recipients,
but expect to make it up in volume.

The most interesting bit is this is being directed by someone with a big
database of past SMTP traffic information and a Bayesian classifier that
says 'Well, given that we're going to forge mail pretending to come from
Michael Siladi at siladi at ix.netcom.com, our records show he's
sent or received mail during the period our data covers with these
ten other addresses.'

Notice also the low quality control in the addressee list, e.g., the 
several duplicates.  Again, this business is about volume, not quality.

My guess is that someone in our joint social circle had or has a
malware-infested Windows box, which used MAPI queries and scouring of
cache data to report address book and correspondent data to whoever
controls a big botnet.  That data then got added to the botnet operator's
big database, and is being mined for forged sender data and plausible
correspondents of that forged sender to send out to botnet-zombified SMTP
generators like that person in Bogota.

The only thing new (to me) in this example is smarter use of the same
Bayesian classifier that makes Google, Amazon, Twitter, etc. believe you
have an ongoing obsession with whatever you've looked at in the past.


----- Forwarded message from siladi at ix.netcom.com -----

Return-path: <siladi at ix.netcom.com>
Envelope-to: rick at linuxmafia.com
Delivery-date: Sat, 26 Sep 2015 14:32:17 -0700
Received: from smtp-out-205.synserver.de ([212.40.185.205] helo=smtp-out-180.synserver.de)
	by linuxmafia.com with esmtp (Exim 4.72)
	(envelope-from <siladi at ix.netcom.com>)
	id 1Zfx4k-0000bJ-J8
	for rick at linuxmafia.com; Sat, 26 Sep 2015 14:32:16 -0700
Received: (qmail 13912 invoked by uid 0); 26 Sep 2015 16:31:05 -0000
X-SynServer-TrustedSrc: 1
X-SynServer-AuthUser: info at mbp-web.de
X-SynServer-PPID: 13540
Received: from unknown (HELO WORLDST-UQ3K9Q0) [190.255.161.59]
	by blue-ld-125.synserver.de with AES256-SHA encrypted SMTP; 26 Sep 2015 16:31:03 -0000
From: siladi at ix.netcom.com
To: staff <staff @westercon68.org>, Barbara Haddad <melchar @ gmail.com>,
	BASFA list <basfa at basfa.org>,
	"basfa at basfa.org" <basfa at lists.basfa.org>,
	basfa <basfa at lists.basfa.org>, BASFA <basfa at basfa.org>,
	Brenna <bsilbory @ gmail.com>,
	"Christopher J. Garcia" <garcia @ computerhistory.org>,
	melchar <melchar @ gmail.com>, Rick Moen <rick at linuxmafia.com>
Date: Sat, 26 Sep 2015 18:30:40 +0200
Message-ID: <0000b71fe41d$33dd2a7c$a97d593f$@ix.netcom.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0001_3CC83DD6.16841133"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdDwEoBQvElpj6Thj85pfgf0Xm5/+A==
Content-Language: en-us
X-SA-Exim-Connect-IP: 212.40.185.205
X-SA-Exim-Mail-From: siladi at ix.netcom.com
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on linuxmafia.com
X-Spam-Level: **
X-Spam-Status: No, score=2.6 required=4.0 tests=BAYES_40,HTML_MESSAGE,
	NO_REAL_NAME,RCVD_IN_DNSWL_LOW,TVD_SPACE_RATIO,URIBL_DBL_ABUSE_BOTCC
	autolearn=no version=3.3.1
Subject: Fw: important
X-SA-Exim-Version: 4.2.1 (built Tue, 21 Aug 2007 23:39:36 +0000)
X-SA-Exim-Scanned: Yes (on linuxmafia.com)

Hey!

Important message, please visit <http://invoicetemplates.org.uk/wished.php?ud>

siladi at ix.netcom.com


----- End forwarded message -----

----- End forwarded message -----
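The post's key forensic point is that only the topmost Received header, the one your own MTA wrote when the sender connected, records an IP you can rely on; every header beneath it was supplied by upstream parties and may be forged. The script below is an added example, not part of the original post, that walks the Received chain of the forwarded spam and labels the hops that way. It assumes the function names `parse_received` and `analyze_chain`, and the sample headers are a constructed copy of the ones quoted in the post with the author's "at" obfuscation undone.

```python
"""Walk a message's Received: chain and separate the one hop we can trust
(the header our own MTA wrote when the sender connected) from the hops
that anyone upstream could have forged."""
import re
from email import message_from_string

# Constructed sample: the Received chain of the forwarded spam, copied from the
# post with the author's "at" obfuscation undone. Headers sit most-recent-first,
# so index 0 is the header added by the receiving MTA (linuxmafia.com).
SAMPLE_HEADERS = """\
Received: from smtp-out-205.synserver.de ([212.40.185.205] helo=smtp-out-180.synserver.de)
\tby linuxmafia.com with esmtp (Exim 4.72)
\t(envelope-from <siladi@ix.netcom.com>)
\tid 1Zfx4k-0000bJ-J8
\tfor rick@linuxmafia.com; Sat, 26 Sep 2015 14:32:16 -0700
Received: (qmail 13912 invoked by uid 0); 26 Sep 2015 16:31:05 -0000
Received: from unknown (HELO WORLDST-UQ3K9Q0) [190.255.161.59]
\tby blue-ld-125.synserver.de with AES256-SHA encrypted SMTP; 26 Sep 2015 16:31:03 -0000
From: siladi@ix.netcom.com
X-SA-Exim-Connect-IP: 212.40.185.205
Subject: Fw: important
"""

IPV4 = r'\[(\d{1,3}(?:\.\d{1,3}){3})\]'


def parse_received(value):
    """Pull the from-host, by-host and bracketed IP out of one Received: value."""
    text = re.sub(r'\s+', ' ', value).strip()   # unfold continuation lines
    m_from = re.search(r'\bfrom\s+(\S+)', text)
    if not m_from:
        # e.g. "(qmail 13912 invoked by uid 0)": a local hand-off, not a network hop
        return {'kind': 'local', 'from': None, 'by': None, 'ip': None, 'raw': text}
    m_by = re.search(r'\bby\s+(\S+)', text)
    m_ip = re.search(IPV4, text)
    return {
        'kind': 'network',
        'from': m_from.group(1),
        'by': m_by.group(1) if m_by else None,
        'ip': m_ip.group(1) if m_ip else None,
        'raw': text,
    }


def analyze_chain(raw_headers, our_mta):
    """Label each hop; only the topmost header, written by our_mta, is trusted.

    Every hop below it is reported as 'claimed' because an upstream relay or
    the sending bot could have written it."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(v) for v in msg.get_all('Received', [])]
    for i, hop in enumerate(hops):
        hop['trust'] = 'ours' if i == 0 and hop['by'] == our_mta else 'claimed'
    last_hop_ip = hops[0]['ip'] if hops and hops[0]['trust'] == 'ours' else None
    # The deepest hop carrying an IP is what the chain *claims* as the origin.
    claimed = [h['ip'] for h in hops if h['kind'] == 'network' and h['ip']]
    claimed_origin_ip = claimed[-1] if claimed else None
    # Cross-check against the connect IP our own spam filter recorded, if any.
    connect_ip = msg.get('X-SA-Exim-Connect-IP')
    return {
        'hops': hops,
        'last_hop_ip': last_hop_ip,
        'claimed_origin_ip': claimed_origin_ip,
        'connect_ip_consistent': (connect_ip == last_hop_ip) if connect_ip else None,
    }


if __name__ == '__main__':
    r = analyze_chain(SAMPLE_HEADERS, 'linuxmafia.com')
    print('verified last hop :', r['last_hop_ip'])
    print('claimed origin    :', r['claimed_origin_ip'], '(unverified)')
    for h in r['hops']:
        print(f"  [{h['trust']:7}] {h['kind']:7} from={h['from']} by={h['by']} ip={h['ip']}")
```

Run against the sample, the verified last hop is 212.40.185.205 (SynServer) and the claimed origin is 190.255.161.59, matching the post's reading; if `our_mta` does not match the topmost `by` host, `last_hop_ip` comes back `None`, which is the right answer when the message reached you through some relay you do not control and the whole chain is unverified.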