[conspire] Case study in modern forgery of SMTP headers, revisited

Rick Moen rick at linuxmafia.com
Mon Aug 8 17:45:31 PDT 2016


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Mon, 8 Aug 2016 17:42:31 -0700
From: Rick Moen <rick at linuxmafia.com>
To: Michael Siladi 
Subject: Re: More spam from Michael -- Spoofing?
Organization: If you lived here, you'd be $HOME already.

Quoting Michael Siladi:

> Here's a note that seems to indicate at least 205 emails were sent:

Apologies for not having looked at the specifics of the cited mail you
sent, until now.

   Received: from 216-164-11-61.c3-0.drf-ubr1.atw-drf.pa.cable.rcn.com
   ([216.164.11.61]:34457 helo=hnpo.org)
        by eua6.servidoreua6.srv.br with esmtpsa
        (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.84)
        (envelope-from<[REDACTED]>)
        id 1bWr4V-000G8K-Up; Mon, 08 Aug 2016 17:22:54 -0300
   From: fantables15<[REDACTED]>
   To: "Friday Follies"<[REDACTED]>, "GLAR"<[REDACTED]>,
      "Glenn Blackler"<[REDACTED]>, "Jim  Melody Rondeau"
     <[REDACTED]>, "Karl Thiessen"<[REDACTED]>

IP 216.164.11.61 is the point of origin, handing it off to
eua6.servidoreua6.srv.br.  IP 216.164.11.61 gave its name as 'hnpo.org'
-- but that's a little doubtful (and the HELO strings are often forged).

The reverse DNS for that IP is
216-164-11-61.c3-0.drf-ubr1.atw-drf.pa.cable.rcn.com, which is a
generic DNS entry typical of IPs not used for anything in particular by
an ISP.

I strongly suspect 'hnpo.org' is strictly smokescreen bullshit
information, and am not investigating that further.

IP 216.164.11.61 is owned by RCN Corporation of Princeton NJ.  If you
felt like complaining about their terrible security, you could do so
here:  abuse at rcn.com .  But it's a cable modem company (like Comcast or
Rogers), and those _always_ have terrible security.  Probably, the
216.164.11.61 IP was just a DHCP lease to a malware-infected MS-Windows
box that is being used as a spam-source under the control of a large
botnet.

eua6.servidoreua6.srv.br accepted the handoff of mail allegedly from
your Netcom address (forged), without bothering to check Netcom's
(obsolete) DomainKeys published information that could have told them
that the mail came _neither_ from your mailbox _nor_ from Netcom.


I'm guessing that eua6.servidoreua6.srv.br somehow forwarded the mail to
some host in domain vector.eng.br (perhaps related?), that then worked
hard attempting to pump out a large number of copies of some piece of
spam addressed to a list of recipient addresses associated with you.

As before, we see clear signs of a good database-driven Bayesian
classifier at work in picking out the targets:  I see Karl Thiessen,
Tony Cratz, someone you probably know or work with at UCSC, and other
people who are doubtless among your friends and associates.  I noticed a
couple of years ago that a major subset of spam had suddenly become a
great deal smarter in the targeted addresses:  Suddenly, they were
recipients who know the (forged) claimed sender.  Someone, possibly the
usual suspects in Eastern Europe, has been sucking up a tremendous
amount of information from MS-Windows malware and building relationship
graph data: who corresponds with whom.  The spambot scripts then use
this data to pump out an endless supply of spam that, for a change, has
believable (forged) sender and recipient matchings -- though the
contents in the message body are so far still the same old easily
recognisable rubbish.

Incidentally, it wasn't 205 copies; it was probably a lot more than 205
copies.

What you were seeing there is that original IP 216.164.11.61 (the
malware-infected cable modem customer) was pumping out the forged spams
so quickly, to the relays in Brazil, that one of them started discarding
them after a preconfigured maximum of 205 mails arrived in a single hour
that all claimed to be from your address.  At this limit, rate-limiting
kicked in, and the Brazilian company ceased accepting any additional
mail (for that hour) forged with a claimed sender of your mailbox.

For all you know, the RCN Corp. cable-modem customer might have been
trying to pump _thousands_ of forged mails claiming to be from you.
(This is what happens when you give hapless people broadband.)



To sum:

1.  Netcom / Earthlink sucks epically about implementing modern
anti-spoofing on its netcom.com domain.  Your several hours talking to
helpdesk monkeys last November could not be reasonably expected to
improve broken company IT infrastructure.  I mean, seriously, did you
expect to have a serious conversation about mail forgery with their
helpdesk?  And did you seriously expect them to fix anything?

2.  Gosh, there are malware-infected Windows desktop boxes on cable
modems.  It must be a day ending in 'y'.

3.  The Brazilian guys didn't bother to check Netcom's (terrible,
obsolete) antispoofing information, but at least they rate-limited the
forgeries.


All of this is basically unchanged from a year ago, differing only in
minor details.



----- End forwarded message -----
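As an added illustration (not part of Rick's message or of any tool he mentions), here is how the same facts can be pulled mechanically out of an Exim-style Received header: the connecting IP, the HELO name, the relaying host, and the HELO-versus-reverse-DNS mismatch and generic-looking PTR name that the analysis above relies on. The sample header is reconstructed from the one quoted above with the redacted envelope-from dropped; the heuristics are assumptions of this example, not Exim's.

```python
import re
import ipaddress

# Constructed sample: the Received header quoted in the message above,
# unfolded onto one line, with the redacted envelope-from omitted.
SAMPLE_RECEIVED = (
    "from 216-164-11-61.c3-0.drf-ubr1.atw-drf.pa.cable.rcn.com "
    "([216.164.11.61]:34457 helo=hnpo.org) "
    "by eua6.servidoreua6.srv.br with esmtpsa "
    "(TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) "
    "id 1bWr4V-000G8K-Up; Mon, 08 Aug 2016 17:22:54 -0300"
)

# Matches the "from <rdns> ([<ip>]:<port> helo=<name>) by <relay>" shape Exim writes.
RECEIVED_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[^\]]+)\](?::\d+)?"
    r"(?:\s+helo=(?P<helo>[^\s)]+))?\)\s+by\s+(?P<by>\S+)"
)

def parse_received(header):
    """Return rdns, ip, helo and relay ('by') from one Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("not an Exim-style Received header")
    d = m.groupdict()
    d["ip"] = str(ipaddress.ip_address(d["ip"]))  # validates the literal
    return d

def rdns_embeds_ip(rdns, ip):
    """True when the PTR is just the address with dashes (216-164-11-61...)."""
    return ip.replace(".", "-") in rdns

def assess(header):
    """Parse the header and list the red flags the analysis above points at."""
    info = parse_received(header)
    findings = []
    helo = info["helo"]
    # The sending host announced one name but its PTR record says another.
    if helo and helo.lower().rstrip(".") != info["rdns"].lower().rstrip("."):
        findings.append("helo/rdns mismatch")
    # Auto-generated PTR of the kind ISPs give unremarkable customer IPs.
    if rdns_embeds_ip(info["rdns"], info["ip"]):
        findings.append("generic rdns")
    # Assumed vocabulary for consumer access networks (cable/DSL pools).
    if re.search(r"(cable|dsl|dyn|pool|dhcp)", info["rdns"], re.I):
        findings.append("consumer access network")
    return info, findings
```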