The other day, we discovered one of our customers had been compromised and was relaying outbound spam through us. The spammer was clever in this case and was using some fake headers to attempt to trick the recipient, whoever they were, about the source of the mail.
Here's the mechanism I use to discover that the message headers were fraudulent. I have modified some of the headers to protect the identity of the customer who sent out the mail, as well as some of the unnecessary headers.
Received: by mail62-sin (MessageSwitch) id 1226335206884132_19415; Mon, 10 Nov 2008 16:40:06 +0000 (UCT) Received: from webmail.example.co.fr (dsl-237-105-212-81.yoga.co.fr [2188.8.131.52]) by mail62-sin.bigfish.com (Postfix) with ESMTP id E247126804E; Mon, 10 Nov 2008 16:40:05 +0000 (UTC) Received: from 184.108.40.206 ([220.127.116.11]) by webmail.yoga.co.fr with Microsoft SMTPSVC(6.0.3790.3959); Sun, 9 Nov 2008 12:26:25 +0000 Received: from u32.yahoo.com (u32.yahoo.com [18.104.22.168]) by with SMTP; Thu, 13 Nov 2008 16:21:19 +0400 Message-ID: <firstname.lastname@example.org> Date: Thu, 13 Nov 2008 16:19:19 +0400 From: "?hRoss" <email@example.com> Reply-To: "?hLivingston" <firstname.lastname@example.org> To: <email@example.com> Subject: ????i?S?k?D???????S??? MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--NextPart_qpb_4ppq_3a78p9pii5twwf9a" X-OriginalArrivalTime: 09 Nov 2008 12:26:26.0648 (UTC) FILETIME=[62AEA580:01C94266] Return-Path: firstname.lastname@example.org
This is some Chinese porn spam. Click here to view it!!!
Much of this data is not all that useful. I have created the contents of the message, it was actually a bunch of non-sensical text in Quoted Printable, but the essence of the message is that this particular message was porn spam claiming to be from Yahoo. Let's deconstruct it.
Our servers received a message from one of our outbound customers:
Right off the bat, I pretty much know that this computer is part of a botnet. Why do I suspect this? Well, I stripped out some headers that we use to tag this message as outbound spam. That's my first clue. The second is that this IP uses a DSL pool. Large pools of non-dedicated IPs are generally prime candidates for zombie botnets. This means that DSL and cable pools, and to a lesser extent dial-up pools, are commonly compromised. I've seen this before and this fits the pattern. Putting these together allows me to diagnose the problem.
The next two headers allow me to figure out who is being spoofed:
Received: from u32.yahoo.com (u32.yahoo.com [22.214.171.124]) by with SMTP; Thu, 13 Nov 2008 16:21:19 +0400
Look at the above header. It claims to come from yahoo.com. Properly read, the IP 126.96.36.199 has a reverse DNS of u32.yahoo.com. It HELO'd as u32.yahoo.com. The next header says: Message-ID: <email@example.com>
The Message-ID has a yahoo.com email address in it. So, in effect, these headers say that the message originated from yahoo (check out the From and Reply-To addresses above and the fact it has an @yahoo.com in the Message-ID) and is going to a recipient in Taiwan. The fact that the message is encoded in Quoted Printable leads me down the path of Chinese porn. This spammer is targeting a specific country, that is, Chinese spam going to a "Chinese" recipient.
However, those headers are fake. Here's how we can tell:
An IP that claims to be from Yahoo but which does not have a Yahoo forward or reverse DNS is undoubtedly fake. Yahoo is simply not that sloppy.
Next, consider the sequence of events; this header says that Yahoo Mail generated an email, connected to wemail.yoga.co.fr and relayed the message from there. That doesn't make sense. Why? Because Yahoo sends out email, it doesn't connect to a secondary web mail server and send out mail a second time; there's one too many Received headers in there for that to make sense. And in the unlikely event that it did do just that, webmail.yoga.co.fr would rewrite the Message-ID to something that did not contain the @yahoo.com in it.
Thus, what we have here is an example of a spammer attempting to mask where his spam came from. He faked the headers to make it look like it came from a Yahoo Mail source, but in fact, it came from a compromised host in the DSL pool used by Dhalsim's Yoga Factory. Dhalsim's Yoga Factory is the source of this spam.
PingBack from http://www.tmao.info/diagnosing-a-spam-run/
I believe Dhalsim is a Street Fighter video game character whose super power is the ability to stretch his arm and legs and often sits in different Yoga poses.