Today, I came across a spam message pushing Asian porn. The body of the links contained a redirector from google.com.tw and yahoo sites to the sites containing the payload. It’s a pretty standard technique for spammers to exploit known trusted sites like Google and Yahoo in hopes of evading content filters, since the assumption is that a content filter wouldn’t block on the domains yahoo.com whereas they would certainly block on where the sites point to.
I’m not going to go into that particular technique, instead, I will delve into the spam message headers and the extents the spammer has gone to in an attempt to mask his location. Below are the headers with some parts redacted:
Received: from VA3EHSMHS031.bigfish.com (unknown [10.7.14.247]) by mail182-va3.bigfish.com (Postfix) with ESMTP id 2BAEA1BA8052; Fri, 8 Jan 2010 15:33:08 +0000 (UTC) Received: from S-Orangesky.Orangesky.local (22.214.171.124) by mail.bigfish.com (10.7.99.41) with Microsoft SMTP Server (TLS) id 14.0.482.32; Fri, 8 Jan 2010 15:33:07 +0000 Received: from 126.96.36.199 (188.8.131.52) by s-orangesky.orangesky.local (10.210.34.10) with Microsoft SMTP Server id 8.1.393.1; Fri, 8 Jan 2010 15:29:46 +0000 Received: from smfxv.yahoo.com (smfxv.yahoo.com [184.108.40.206]) by with Microsoft SMTPSVC(5.0.2195.6824); Tue, 12 Jan 2010 16:36:51 +0100 Message-ID: <email@example.com> Date: Tue, 12 Jan 2010 16:27:51 +0100 From: "???i?i???i?iFw: AV ?W?a????r??,DVD????,??????e!!" <firstname.lastname@example.org> Reply-To: "?D????x?????!!?C???u?n40??!!?f??~???I??,?w?????O??!!" <email@example.com> To: <redacted> Subject: LANDY ??P ???????A MIME-Version: 1.0 This can be a little hard to read, so let me describe the path this message purportedly took to get to the end user’s inbox:
Below is a diagram of the path.
Click for ginormous image.
Of course, that is not what actually happened nor is it the route that actually occurred. There is a whole heck of a lot of spoofing going on, below is an analysis of what is wrong with the above headers and how much effort the spammer has put into hiding his location.
Below is a diagram containing what I just said. I think it’s clear that OrangeSky has a problem on their system and it’s probably infected with a piece of malware that is able to harvest the name of the internal host as well as figure out what the public outbound IP will be when it eventually starts spamming.
Click for bigger image.
An interesting post. Spam is clearly a big business where the CAN-SPAM stuff has barely made a dent.
Does anyone ever alert the owners of infected computers so they can do something about the abuse by spammers?
Are the "victim" ISPs blissfully unaware or wilfully blind to spammers?
Yes, in Australia ISPs will try to contact a customer and if they can't do that, the connection will be suspended. That way, the customer will phone and get the bad news.
Also, some ISPs in Australia will, by default, block ports known to be exploited by spammers. Customers have the option of removing such blocks if they so desire.
These methods seem to be quite effective.
I am still curious why purveyors of spam can still benefit from spam if it is illegal.
If a spammed mail is trying to sell something, surely the seller must be contactable in order to sell that thing. How then do they get away with it?
If a bus-stop says "STICK NO BILLS", how do you put up a notice for a room to rent and still get away with it?
Here is my take on the path this message had took.
1. This spam originated at IP 220.127.116.11, which can be identified from the 3rd Received header.
2. An NAT device with public IP 18.104.22.168, forwards its SMTP port to internal host s-orangesky.orangesky.local, which was an open relay. The spammer didn't know the internal name of the open relay. He merely used the open relay's IP as its own HELO string. The 3rd Received was added by the host s-orangesky.orangesky.local.
3. Then s-orangesky.orangesky.local forwards the message to its destination, mail.bigfish.com, which might be the mx host for bigfish.com.
So only the 4th Received header was forged.