Today, I got a spam in my junk mail folder that nearly fooled me. Below are the headers with some information removed to protect trade secrets:
Received: from VA3EHSMHS008.bigfish.com (unknown [10.7.14.235]) by mail29-va3.bigfish.com (Postfix) with ESMTP id 0C2D9368054 for <email@example.com>; Fri, 16 Oct 2009 23:46:34 +0000 (UTC) Received: from waledac (220.127.116.11) by VA3EHSMHS008.bigfish.com (10.7.99.18) with Microsoft SMTP Server id 14.0.482.32; Fri, 16 Oct 2009 23:46:33 +0000 Received: (qmail 28488 invoked from network); Sat, 17 Oct 2009 08:39:21 +0900 Received: from unknown (HELO tlvftz) (18.104.22.168) by waledac with SMTP; Sat, 17 Oct 2009 08:39:21 +0900 Message-ID: <002701ca4eb9$e2b83600$e7b3a12c@LocalHosttlvftz> From: Gertie Lockhart <firstname.lastname@example.org> To: <email@example.com> Subject: What's she doing now Date: Sat, 17 Oct 2009 08:39:21 +0900 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: quoted-printable
This is a spam from the waledac botnet. From time to time, I like to inspect my spam to see who is spamming me and to verify whether or not I can tell, simply by looking at it, what spam is spamming me. I was quite proud of our spam filtering engine because this IP isn’t even on any DNSBLs anywhere at the time of this writing.
Going from the first IP, 22.214.171.124, this is a mail host located in South Korea infected with waledac. But nearly fooled me is the parts after it:
Received: (qmail 28488 invoked from network); Sat, 17 Oct 2009 08:39:21 +0900 Received: from unknown (HELO tlvftz) (126.96.36.199) by waledac with SMTP; Sat, 17 Oct 2009 08:39:21 +0900
This makes it look like a mail server running qmail is also infected with waledac. The first Received header is an actual (possible) qmail header. The second is the exact type of format that qmail has – Received: from <ptr record> (HELO <helo>) (<IP>) by <string> with <SMTP or ESMTP>. This type of header is in older versions of qmail, the newer ones have a different header. What would have made this so unusual is that this would have been an example of an infected system running Linux (or Unix), not Windows. It would have been clear evidence of a Linux botnet.
However, there are two problems with this:
If it weren’t for that, I would have trusted that this is an actual infected Linux machine because it is unlikely to me that a spammer would spend that much time forging a pair of Received headers to look exactly like a popular MTA that runs only on Linux, and the Received headers have time stamps on them that are chronologically correct (ie, 08:39:21 +0900 is 7 minutes before 23:46:33 +0000). Why would you spoof qmail? I don’t understand the motivation, but it certainly looks like that is what happened.
If it were true, it would imply that waledac is not only used to spam, but it also installs its own MTA. That would be quite an advancement. At the very least, it is impersonating an actual one.