Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Diagnosing a spam run

The other day, we discovered one of our customers had been compromised and was relaying outbound spam through us.  The spammer was clever in this case and was using some fake headers to attempt to trick the recipient, whoever they were, about the source of the mail. 

Here's the method I used to determine that the message headers were fraudulent.  I have modified some of the headers to protect the identity of the customer who sent out the mail, and removed some unnecessary headers.

Received: by mail62-sin (MessageSwitch) id 1226335206884132_19415; Mon, 10 Nov 2008 16:40:06 +0000 (UCT)
Received: from webmail.example.co.fr (dsl-237-105-212-81.yoga.co.fr [287.105.212.81]) by mail62-sin.bigfish.com (Postfix) with ESMTP id E247126804E;   Mon, 10 Nov 2008 16:40:05 +0000 (UTC)
Received: from 237.105.212.81 ([125.110.123.13]) by
webmail.yoga.co.fr with Microsoft SMTPSVC(6.0.3790.3959);       Sun, 9 Nov 2008 12:26:25 +0000
Received: from u32.yahoo.com (u32.yahoo.com [131.128.46.80]) by  with SMTP; Thu, 13 Nov 2008 16:21:19 +0400
Message-ID: <ydiwpeunukojmeikxitdxk.0171156498611385053547065@yahoo.com>
Date: Thu, 13 Nov 2008 16:19:19 +0400
From: "?hRoss" <fzqvkbtkblxq@yahoo.com>
Reply-To: "?hLivingston" <fzqvkbtkblxq@yahoo.com>
To: <munged@mxic.com.tw>
Subject: ????i?S?k?D???????S???
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="--NextPart_qpb_4ppq_3a78p9pii5twwf9a"
X-OriginalArrivalTime: 09 Nov 2008 12:26:26.0648 (UTC) FILETIME=[62AEA580:01C94266]
Return-Path: qszdvjosgxxe@yahoo.com

This is some Chinese porn spam.  Click here to view it!!!

Much of this data is not all that useful.  I made up the contents of the message shown above; the actual body was a bunch of nonsensical text in Quoted-Printable, but the essence is that this particular message was porn spam claiming to be from Yahoo.  Let's deconstruct it.

Our servers received a message from one of our outbound customers:

from webmail.dhalsim.co.fr (dsl-237-105-212-81.yoga.co.fr [287.105.212.81]) by mail62-sin.bigfish.com (Postfix) with ESMTP id E247126804E;   Mon, 10 Nov 2008 16:40:05 +0000 (UTC)
  • The IP that connected to us is 287.105.212.81

  • The reverse DNS of this IP is dsl-237-105-212-81.yoga.co.fr.  This is a DSL pool in France, meaning that our customer is using a French ISP to connect to us.

  • The machine HELO'd to us as webmail.dhalsim.co.fr.  Just by looking at this HELO and the reverse DNS, I'd guess that it is a small business that teaches yoga.  They don't have a dedicated IP, so their ISP assigns them one from its pool for connecting to the web and sending out mail.  They use that IP to connect to us and relay their mail.

Right off the bat, I pretty much know that this computer is part of a botnet.  Why do I suspect this?  Well, I stripped out some headers that we use to tag this message as outbound spam.  That's my first clue.  The second is that this IP comes from a DSL pool.  Large pools of non-dedicated IPs are prime candidates for botnet zombies: DSL and cable pools, and to a lesser extent dial-up pools, are commonly compromised.  I've seen this before and this fits the pattern.  Putting these together allows me to diagnose the problem.

The next two headers allow me to figure out who is being spoofed:

Received: from u32.yahoo.com (u32.yahoo.com [131.128.46.80]) by  with SMTP; Thu, 13 Nov 2008 16:21:19 +0400

Look at the above header.  It claims to come from yahoo.com.  Read literally, it says that the IP 131.128.46.80 has a reverse DNS of u32.yahoo.com and that the machine HELO'd as u32.yahoo.com.  The next header says:

Message-ID: <ydiwpeunukojmeikxitdxk.0171156498611385053547065@yahoo.com>

The Message-ID has a yahoo.com domain in it.  So, in effect, these headers say that the message originated from Yahoo (check out the From and Reply-To addresses above and the fact that there is an @yahoo.com in the Message-ID) and is going to a recipient in Taiwan.  The fact that the message is encoded in Quoted-Printable leads me down the path of Chinese porn.  This spammer is targeting a specific country, that is, Chinese spam going to a "Chinese" recipient.

However, those headers are fake.  Here's how we can tell:

  • The reverse DNS of 131.128.46.80 is not u32.yahoo.com.  That IP is not part of any Yahoo subnet and in fact has no reverse DNS at all.

  • The domain u32.yahoo.com does not have an A-record.

An IP that claims to be from Yahoo but which has neither a Yahoo forward nor a Yahoo reverse DNS is undoubtedly fake.  Yahoo is simply not that sloppy.

Next, consider the sequence of events.  This header says that Yahoo Mail generated an email, connected to webmail.yoga.co.fr and relayed the message from there.  That doesn't make sense.  Why?  Because Yahoo sends email out directly; it doesn't connect to a secondary webmail server and send the mail out a second time.  There is one too many Received headers in there for that to make sense.  And in the unlikely event that it did do just that, webmail.yoga.co.fr would rewrite the Message-ID to something that did not contain @yahoo.com.
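As an added illustration (my own example, not code from the original post), here is a small Python checker that walks the Received chain above from newest to oldest and flags the tells discussed: a claimed reverse DNS that disagrees with the actual PTR, a HELO name with no A record, an empty "by" host, and a hop stamped later than the hop that supposedly relayed it.  DNS answers come from a stub table that reflects the lookups described in the post rather than live queries; the table contents and the 5-minute clock slack are assumptions.

```python
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: the Received chain from the post, newest hop first.
RECEIVED = [
    "by mail62-sin (MessageSwitch) id 1226335206884132_19415; Mon, 10 Nov 2008 16:40:06 +0000 (UCT)",
    "from webmail.example.co.fr (dsl-237-105-212-81.yoga.co.fr [287.105.212.81]) by mail62-sin.bigfish.com (Postfix) with ESMTP id E247126804E; Mon, 10 Nov 2008 16:40:05 +0000 (UTC)",
    "from 237.105.212.81 ([125.110.123.13]) by webmail.yoga.co.fr with Microsoft SMTPSVC(6.0.3790.3959); Sun, 9 Nov 2008 12:26:25 +0000",
    "from u32.yahoo.com (u32.yahoo.com [131.128.46.80]) by  with SMTP; Thu, 13 Nov 2008 16:21:19 +0400",
]
# Stub DNS answers (assumed, mirroring the lookups described in the post).
# None = no record; names/IPs absent from a table are simply not checked.
PTR = {"287.105.212.81": "dsl-237-105-212-81.yoga.co.fr", "131.128.46.80": None}
A = {"u32.yahoo.com": None}
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_hop(line):
    """Extract HELO name, claimed rDNS, IP, by-host and timestamp from one Received header."""
    helo = re.search(r"\bfrom\s+(\S+)", line)
    src = re.search(r"\(([^\s()\[\]]*)\s*\[([^\]]+)\]\)", line)      # (rdns [ip]) or ([ip])
    by = re.search(r"\bby\s*(\S*?)\s*(?:\(|with\b|id\b|;|$)", line)  # tolerates an empty by-host
    date_text = re.sub(r"\(.*?\)", "", line.rsplit(";", 1)[-1]).strip()
    return {"helo": helo.group(1) if helo else None,
            "rdns": (src.group(1) or None) if src else None,
            "ip": src.group(2) if src else None,
            "by": by.group(1) if by else None,
            "date": parsedate_to_datetime(date_text)}

def audit(lines, ptr=PTR, a=A):
    """Return {hop_index: [findings]}; index 0 is the newest hop, the last index the oldest claim."""
    hops = [parse_hop(l) for l in lines]
    findings = {}
    for i, h in enumerate(hops):
        notes = []
        if h["by"] == "":
            notes.append("empty 'by' host: a real MTA always names itself")
        if h["ip"] and h["rdns"] and h["ip"] in ptr and ptr[h["ip"]] != h["rdns"]:
            notes.append(f"claims rDNS {h['rdns']} but PTR for {h['ip']} is {ptr[h['ip']]}")
        if h["helo"] and not IP_LITERAL.match(h["helo"]) and a.get(h["helo"], "unchecked") is None:
            notes.append(f"HELO name {h['helo']} has no A record")
        # An older hop stamped well after the newer hop that relayed it is out of sequence.
        if i > 0 and h["date"] - hops[i - 1]["date"] > timedelta(minutes=5):
            notes.append("timestamp is later than the hop that supposedly relayed it")
        if notes:
            findings[i] = notes
    return findings

if __name__ == "__main__":
    for idx, notes in audit(RECEIVED).items():
        print(f"hop {idx}: " + "; ".join(notes))
```

Only the bottom "Yahoo" hop trips any check; the customer's own DSL hop passes, which is exactly the split the post arrives at by hand.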

Thus, what we have here is an example of a spammer attempting to mask where his spam came from.  He faked the headers to make it look like it came from a Yahoo Mail source, but in fact, it came from a compromised host in the DSL pool used by Dhalsim's Yoga Factory.  Dhalsim's Yoga Factory is the source of this spam.
