Today, I got a spam in my junk mail folder that nearly fooled me.  Below are the headers with some information removed to protect trade secrets:


Received: from VA3EHSMHS008.bigfish.com (unknown [10.7.14.235]) by
mail29-va3.bigfish.com (Postfix) with ESMTP id 0C2D9368054 for
<munged@microsoft.com>; Fri, 16 Oct 2009 23:46:34 +0000 (UTC)
Received: from waledac (110.46.151.204) by VA3EHSMHS008.bigfish.com
(10.7.99.18) with Microsoft SMTP Server id 14.0.482.32; Fri, 16 Oct 2009
23:46:33 +0000
Received: (qmail 28488 invoked from network); Sat, 17 Oct 2009 08:39:21 +0900
Received: from unknown (HELO tlvftz) (231.179.161.44) by waledac with SMTP;
Sat, 17 Oct 2009 08:39:21 +0900
Message-ID: <002701ca4eb9$e2b83600$e7b3a12c@LocalHosttlvftz>
From: Gertie Lockhart <munged@hwns.com.au>
To: <munged@microsoft.com>
Subject: What's she doing now
Date: Sat, 17 Oct 2009 08:39:21 +0900
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: quoted-printable

This is a spam from the waledac botnet.  From time to time, I like to inspect my spam to see who is spamming me and to verify whether or not I can tell, simply by looking at it, what spam is spamming me.  I was quite proud of our spam filtering engine because this IP isn’t even on any DNSBLs anywhere at the time of this writing.

Going from the first IP, 110.46.151.204, this is a mail host located in South Korea infected with waledac.  But nearly fooled me is the parts after it:

Received: (qmail 28488 invoked from network); Sat, 17 Oct 2009 08:39:21 +0900
Received: from unknown (HELO tlvftz) (231.179.161.44) by waledac with SMTP;
Sat, 17 Oct 2009 08:39:21 +0900

This makes it look like a mail server running qmail is also infected with waledac.  The first Received header is an actual (possible) qmail header.  The second is the exact type of format that qmail has – Received: from <ptr record> (HELO <helo>) (<IP>) by <string> with <SMTP or ESMTP>.  This type of header is in older versions of qmail, the newer ones have a different header.  What would have made this so unusual is that this would have been an example of an infected system running Linux (or Unix), not Windows.  It would have been clear evidence of a Linux botnet.

However, there are two problems with this:

  1. You cannot trust headers after the Received header.

  2. What makes this one fake is the IP 231.179.161.44.  This is a reserved multicast IP address (located in Algeria).  From what I understand, IPs in this IP address range cannot be used to send mail, or traffic, in this manner (I don’t understand multicast very well despite looking it up online and reading several documents).  According to RFC 3171, it is reserved but it doesn’t say for what.  This IP cannot be correct because it is reserved for multicast purposes.

    This IP is allocated to the African Internet Numbers Register, they are assigned 213.179.160.0/19, ASN 16214.

If it weren’t for that, I would have trusted that this is an actual infected Linux machine because it is unlikely to me that a spammer would spend that much time forging a pair of Received headers to look exactly like a popular MTA that runs only on Linux, and the Received headers have time stamps on them that are chronologically correct (ie, 08:39:21 +0900 is 7 minutes before 23:46:33 +0000).  Why would you spoof qmail?  I don’t understand the motivation, but it certainly looks like that is what happened.

If it were true, it would imply that waledac is not only used to spam, but it also installs its own MTA.  That would be quite an advancement.  At the very least, it is impersonating an actual one.