Larry Osterman's WebLog

Confessions of an Old Fogey
I get spam :)

I just received this spam message the other day:

From: Microsoft [mailto:customerservice@microsoft.com]

Sent: Saturday, October 11, 2008 11:13 PM

To: Larry Osterman

Subject: Security Update for OS Microsoft Windows

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website http://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:

1. Run the file, that you have received along with this message.

2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner

Director of Security Assurance

Microsoft Corp.

-----BEGIN PGP SIGNATURE-----

Version: PGP 7.1


-----END PGP SIGNATURE-----

The message carried an attachment named “KB266311.exe”.

I’ve heard of these before but I’ve never received one.  Apparently the email was sent from “koln-5d8184e2.pool.einsundeins.de (93.129.132.226)”, which I suspect is a trojaned machine in Germany.   In this case I’m pretty impressed with the email – it’s in plain text with the name of a real Microsoft employee, and it has a PGP signature (which tends to lend credence to the email).  On the other hand it has some grammatical errors (“Please notice that Microsoft company has…”, “We apologize for any inconvenience this back order may be causing you”) that give the scam away.  I also don’t know what trojan was inside KB266311 because it was filtered by our email servers before it got to me.

For those that are wondering how I knew it came from koln-5d8184e2.pool.einsundeins.de, here’s what I did:

I started with the raw email headers (some servers and IP addresses obscured):

Received: from XXX.microsoft.com (n.n.n.n) by
YYY.microsoft.com (m.m.m.m) with Microsoft SMTP
Server (TLS) id 8.2.83.0; Sat, 11 Oct 2008 23:13:52 -0700
Received: from koln-5d8184e2.pool.einsundeins.de (93.129.132.226) by
ZZZ.microsoft.com (o.o.o.o) with Microsoft SMTP Server id
8.1.291.1; Sat, 11 Oct 2008 23:13:41 -0700
Received: from [93.129.132.226] by QQQ.hotmail.com; Sun, 12 Oct 2008 07:13:17
+0100
From: Microsoft <customerservice@microsoft.com>
To: <<Larry’s Email Address>>
Subject: Security Update for OS Microsoft Windows
Date: Sun, 12 Oct 2008 07:13:17 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000E_01C92C39.FF9CE480"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6Q862Q89QD80AN22RHXR0U7WZ61==
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Message-ID: <01c92c39$ff9ce480$e284815d@60GC7Q>
Return-Path: 60GC7Q@hotmail.com
X-MS-Exchange-Organization-PRD: microsoft.com
Received-SPF: TempError (XXX.microsoft.com: error in
processing during lookup of customerservice@microsoft.com: DNS timeout)
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.7011.600;SV:3.3.7011.1437;SID:SenderIDStatus
TempError;OrigIP:93.129.132.226
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-SenderIdResult: TEMPERROR

RFC 2821 says that SMTP servers should prepend a Received: header to an email message whenever they process the email message, so the headers read newest first.  In this case the last email server was XXX.microsoft.com.  XXX.microsoft.com received the message from YYY.microsoft.com which in turn received the message from koln-5d8184e2.pool.einsundeins.de (einsundeins.de appears to be a German ISP).   The next bit of trace is confusing.  The machine at 93.129.132.226 says that it received the message from QQQ.hotmail.com.

It’s possible that this spam email originated from hotmail, but I don’t think so.  First off, as far as I know, you can’t relay through the hotmail SMTP servers, and the sender of the email is “customerservice@microsoft.com” (the sender is included in the Received-SPF header, which indicates that the “MAIL FROM” address in the SMTP exchange was “customerservice@microsoft.com”).  Secondly, the hotmail servers don’t set the X-Mailer header, but this header indicates that it was sent from Outlook 2003.  Instead, I think that the bottom Received: header was forged to throw off people trying to figure out where the email came from.
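The trace above can be mechanised: walk the Received: headers top-down, trust only the hops our own servers wrote, and flag the first hop whose "by" host is not what the hop above says it received from. This is an added example, not code from the original post; the sample headers are constructed from the ones shown, with the microsoft.com relays replaced by example.com placeholders so the chain is checkable, and the forged hotmail hop kept as-is.

```python
import re
from email import message_from_string

# Constructed sample modelled on the post's headers (placeholder relay names);
# the bottom Received: line is the forged one discussed in the post.
RAW = """\
Received: from mx-edge.example.com (10.0.0.5) by
 mx-hub.example.com (10.0.0.9) with Example SMTP Server (TLS)
 id 1; Sat, 11 Oct 2008 23:13:52 -0700
Received: from koln-5d8184e2.pool.einsundeins.de (93.129.132.226) by
 mx-edge.example.com (10.0.0.5) with Example SMTP Server id 2;
 Sat, 11 Oct 2008 23:13:41 -0700
Received: from [93.129.132.226] by QQQ.hotmail.com; Sun, 12 Oct 2008 07:13:17
 +0100
From: Microsoft <customerservice@microsoft.com>
Subject: Security Update for OS Microsoft Windows

(body omitted)
"""

# "from <host> (<ip>) by <host>"; the ip part is optional and may be bracketed
HOP = re.compile(r"from\s+(?P<from>[^\s;]+)(?:\s+\((?P<ip>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)")

def parse_hops(raw):
    """Return the Received: hops top-down (most recent first) as dicts."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append({"from": m["from"].strip("[]"),
                         "ip": (m["ip"] or "").strip("[]"),
                         "by": m["by"]})
    return hops

def trusted_origin(hops, our_suffix):
    """Lowest hop written by one of our own servers: its 'from' is the peer
    that actually connected to us (the IP is real; the name may be claimed)."""
    origin = None
    for hop in hops:
        if not hop["by"].endswith(our_suffix):
            break
        origin = hop
    return origin

def broken_links(hops):
    """Indexes of hops whose 'by' host differs from what the hop above says it
    received from; everything from such a hop downward was not written by the
    chain above it and is likely forged."""
    return [i for i in range(1, len(hops))
            if hops[i]["by"] not in (hops[i - 1]["from"], hops[i - 1]["ip"])]
```

Running it on the sample returns 93.129.132.226 as the connecting peer and flags index 2, the hotmail line, as the break in the chain.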

Needless to say, Microsoft will never EVER send a security update to customers by mail, and customers should immediately delete any emails that claim to have security fixes from Microsoft.

  • "The next bit of trace is confusing.  The machine at 93.129.132.226 says that it received the message from QQQ.hotmail.com."

    Yes and no.  The next bit of trace is confusing.  QQQ.hotmail.com says that it received the message from 93.129.132.226.

    Maybe 93.129.132.226 was trojaned with a mail sender that thinks it's QQQ.hotmail.com?  Still confusing.  QQQ.hotmail.com asserted a timestamp in British Summer Time.  I think Germany is still on summer time too so they'd be in time zone +0200 not +0100.

    "For those that are wondering how I knew it came from koln-5d8184e2.pool.einsundeins.de"

    Actually you probably don't know.  Spammers can put anything they want there.  Probably ZZZ.microsoft.com recorded 93.129.132.226 correctly (since the socket has to be connected to a genuine IP address) but the hostname could be forged however the spammer wishes.  Theoretically ZZZ.microsoft.com could do a reverse DNS lookup automatically, but odds are that it doesn't.

  • Norman: Actually I did a reverse IP address on 92.129.132.226 and it's in a block of IP addresses assigned to einsundeins.de, so that part is consistent.  

    Also I believe that the Exchange gateway servers do the same reverse IP lookup (because they got the same name I got on my reverse DNS lookup).  For a spammer to spoof it, they would have to own the DNS servers that own the block of addresses.

  • Did you mean to say they will (N)EVER send via email?

  • For those interested in more info, google, er, sorry Larry, I mean, MSN Live Search (or whatever you call it) "spamfighting" or "spam fighting".  I remember wasting many angry hours using similar techniques to track down the @#$%^&* who dared pollute the inboxes of the local Fidonet.... ;-)

  • I get that sort of spam on a regular basis. Outlook is good, and happily junks them for me.

    Still, I'm kinda depressed that either the spammers don't bother to exclude @microsoft.com from their mailing lists for those ones, or there's a possibility that it works. Still, I'd be even more depressed if the "MS office for $10" scams worked when sent to microsoft employees.  ;)

  • "Did you mean to say they will (N)EVER send via email?"

    'never EVER send' ... 'by mail'.  Um, oh, OK, I figured out what your question means.  "Mail" is ambiguous.  But since cell phones have e-mail even in third-world countries, the idea that the default meaning of "mail" should be "postal mail" is so second-millennium.

    "Still, I'd be even more depressed if the "MS office for $10" scams worked when sent to microsoft employees."

    I wonder too, but here's something close enough to maybe depress you.  When some of those spams gave contact addresses at Hotmail or MSN for people to send orders to, I used to report those addresses to the administrators of Hotmail or MSN.  The administrators answered that Hotmail or MSN couldn't take any action because they didn't send the spams.  I tried around 3 times to argue with them, but it was useless.  If Microsoft wants pirates to use Microsoft's services to receive orders, who am I to say otherwise?

  • By the way: RFC 5321 and RFC 5322 have now been published (updating RFC 2821 and 2822 to Draft Standard).

  • Whoops, thanks for the correction Barry - I hadn't realized that 2821 and 2822 had been superseded.

  • The forged header doesn't even make sense.  They got "from" and "by" backwards.

    I'm hoping the PGP signature didn't check out.

  • I received this same email the other day, so if you are interested in the file let me know and I will put it on an ftp site for you in a password protected zip.

    Chris

  • Larry,

    There is a header field called:

    X-Originating-IP:

    Which civilised mail servers append to the message. Messages from yahoo.com and hotmail.com always have that header. If your message doesn't have it and pretends that it came from those services then it has been forged. The IP address you see is probably fake.

  • X-Originating-IP:

    Any mail server could prepend any forged line they wish.  The only way to tell if one of these lines is somewhat accurate is if it's close enough to the top to know that *your* mail server prepended it when *receiving* from the nearest sender.  It doesn't really tell you who the originator was.  It definitely doesn't tell you if the nearest sender was civilized (and doesn't tell you if the originator was civilized).

  • "I get that sort of spam on a regular basis. Outlook is good, and happily junks them for me."

    Not exactly nit picking, but Outlook is the biggest disappointment for me when it comes to filter spam.

  • *filtering

    5 AM doesn't exactly help for grammar errors when one of the heuritics is grammatical errors themselves.

  • "one of the heuritics is grammatical errors"

    And is one of the heuristics spelling errors  ^_^

    Well, this could explain one or two of the reasons why Yahoo often rejects mail from Yahoo.  Mail often has atrociously bad Japanese grammar or moderately bad Japanese spelling, especially if the mail was either written by me or written in English (or both).  Mail often has atrociously bad English grammar or atrociously bad English spelling, especially if the mail was written in Japanese or was written in something intended to be English by a Japanese person.

    But it doesn't explain everything, because sometimes e-mail that is legitimate and has correct English from Yahoo US to Yahoo US arrives in spam boxes, and spams from Yahoo US to Yahoo US arrive in inboxes, and spams from Yahoo Japan to Yahoo Japan arrive in inboxes.

    Do those heuristics work better on Indian languages?
