MavEtJu's Distorted View of the World - Spam

Political spam

Posted on 2013-08-28 18:00:00
Tags: Rant, Spam, Politics

Over the years, I have published various email addresses from the @mavetju.org domain in my weblog, and they have been harvested by spammers. In this article, I published From and Reply-To fields with an address that does not exist: ryopdx@mavetju.org. It also published a Message-ID: UHUh4a7dWj6_CpI3ZmfY@mavetju.org.

Imagine my surprise when I found two emails from Clive Palmer, the head of the Palmer United Party, in my mailbox:

From: clive.palmer@news1.palmerunitednews.com.au
Subject: A Message From Clive Palmer
To: ryopdx@mavetju.org

and:

From: clive.palmer@news1.palmerunitednews.com.au
Subject: A Message From Clive Palmer
To: uhuh4a7dwj6_cpi3zmfy@mavetju.org

Looks like he got his list of email addresses from a dubious source!


BATV and Postgrey

Posted on 2008-05-22 19:00:00, modified on 2008-06-03 19:00:00
Tags: SMTP, Spam, Email

BATV stands for Bounce Address Tag Validation and is a method to prevent backscatter from spam runs. It works by modifying (danger! technical content ahead!) the Envelope From address in an SMTP session from joe@example.com to prvs=tag-value=joe@example.com. If this email is undeliverable, it will be sent back to prvs=tag-value=joe@example.com instead of to joe@example.com, and your mail host knows that this is a genuine bounce; a bounce for a forged message would arrive at the untagged joe@example.com instead.

So what has Postgrey to do with this? Postgrey is a greylisting server. It (danger! technical content ahead!) temporarily rejects email from sender address and host combinations it doesn't know yet, forcing the sending host to retry the delivery later. Why? Earlier this century, the mail engines of viruses and spam hosts weren't smart enough to retry, so the email with the malicious payload was never accepted by your mail host.

Yes, but what has greylisting to do with it? Greylisting delays every sender address / recipient address / sending host combination it hasn't seen before. So if BATV changes the sender address every day, the first email from that user will be delayed every day. Every day! So Postgrey needs to be taught what the real email address is. Luckily BATV keeps this information in the From address: prvs=tag-value=joe@example.com. Small patch, and it works.

And now the tricky stuff: not everyone read the documentation properly, and the two following formats have been seen:

prvs=tag-value=joe@example.com
prvs=joe=tag-value@example.com

Brilliant! They swapped it around! So my four line patch becomes an eight line patch.

Anyway, the patch is available and submitted to the Postgrey author.

Note: I've made a little change to the patch so that it picks the second field (as the standard suggests) instead of the field the wrong layout would point at. Not that it should ever come to that, but it's a "just in case" thing.
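As an added illustration of what the patch has to do (this is not the author's Postgrey patch, which is Perl; it is Python written for this page): strip the prvs tag in both the standard and the swapped layout before building the greylisting triplet. The ten-character tag-value shape used to tell the two layouts apart is my assumption from the BATV draft.

```python
import re

# BATV tag-value as laid out in the BATV draft (assumed here): one-digit key id,
# three-digit expiry day of year, six hex digits of signature; ten chars total.
_TAG = re.compile(r"^[0-9]{4}[0-9a-f]{6}$")

def strip_batv(address):
    """Return the real sender behind a BATV 'prvs=' address, lower-cased.

    Handles both layouts seen in the wild:
      standard  prvs=<tag-value>=<local>@<domain>
      swapped   prvs=<local>=<tag-value>@<domain>
    Anything else is returned unchanged (minus angle brackets and case).
    """
    addr = address.strip().strip("<>").lower()
    local, at, domain = addr.rpartition("@")
    parts = local.split("=")
    if not at or len(parts) != 3 or parts[0] != "prvs" or "" in parts:
        return addr
    _, second, third = parts
    # Treat the address as swapped only when the third field looks like a tag
    # and the second does not; in every other case the standard layout wins.
    real_local = second if _TAG.match(third) and not _TAG.match(second) else third
    return f"{real_local}@{domain}"

def greylist_key(sender, recipient, client_ip):
    """Greylisting triplet keyed on the untagged sender, so a tag that rotates
    daily does not turn into a fresh greylisting delay every day."""
    return (strip_batv(sender), recipient.lower(), client_ip)
```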


Feedback, going to try it again

Posted on 2006-01-09 16:36:04, modified on 2006-01-09 16:37:05
Tags: Rant, Spam

A new year, a new attempt for feedback!

To see how spammy the weblogging world is these days, I've enabled comments again.


Worsening spam tactics

Posted on 2005-05-25 10:28:14, modified on 2006-01-09 16:29:23
Tags: Networking, Spam, SMTP, Email

If you think this is bad (mavetju.org isn't served by 200.121.183.223):

Received: from mavetju.org ([200.121.183.223])
        by imta02sl.mx.bigpond.com with ESMTP
        id <20050524232049.GTMA2733.imta02sl.mx.bigpond.com@mavetju.org>;
        Tue, 24 May 2005 23:20:49 +0000
message-id: <UHUh4a7dWj6_CpI3ZmfY@mavetju.org>

Wait until you see this:

Return-Path: ryopdx@stjames.net.au
Received: from APlessis-Bouchard-152-1-59-216.w82-121.abo.wanadoo.fr (APlessis-Bouchard-152-1-59-216.w82-121.abo.wanadoo.fr [82.121.170.216])
        by mx1.midcoast.com.au (8.13.1/8.13.1) with SMTP id j4N6sWvS003077
        for <fromms@midcoast.com.au>; Mon, 23 May 2005 16:54:47 +1000
Received: from mail3.barnet.com.au
        by APlessis-Bouchard-152-1-59-216.w82-121.abo.wanadoo.fr (8.9.3/8.9.3) with ESMTP id PCEIP7onXFNw
        for <fromms@midcoast.com.au>; Mon, 23 May 2005 14:41:04 -0700
Received: from (root@localhost)
        by mail3.barnet.com.au (8.12.8/8.12.8/Submit) id 1GaCy2wErDj5Ks
        for <fromms@midcoast.com.au>; Mon, 23 May 2005 14:41:04 -0700
Date: Mon, 23 May 2005 14:41:04 -0700
From: Edwin Groothuis <ryopdx@mavetju.org>
Reply-To: Edwin Groothuis <ryopdx@mavetju.org>
Message-ID: <123898390844.691925904529@mavetju.org>

What do the headers say?

Why is this worsening? Because, to the untrained eye and to a lot of automatic header-parsing programs, the email actually looks like it came from mail3.barnet.com.au:

In the first example, everybody who knows a little bit about SMTP headers first checks whether 200.121.183.223 is in any way related to 16wardell.com.au.

In the second example, you have two more lines to parse. I admit that the syntax of the second-last Received line isn't proper (it is missing the hostname/IP address between brackets in the from field), but the rest looks pretty good.

What is still wrong with it?

Could this have been prevented if mx1.midcoast.com.au had done SPF checks? Yes. The SPF tests would have failed on every Received line with a hostname.
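An added example, not from the original post: a Python sketch of the check the receiving MX could have done. It unfolds the Received headers, takes the connecting IP from the hop our own MX recorded (the one value the sender cannot forge) and evaluates it against an SPF record; the SPF record and the sample headers are constructed stand-ins (RFC 5737 addresses, not the domain's real record), and the evaluator handles only ip4: and all mechanisms, not the full SPF spec.

```python
import ipaddress
import re

# "Received: from <claimed> (<rdns> [<ip>]) by ...": only the bracketed IP was
# observed by the receiving MTA; the claimed host before it came from the sender.
_RECEIVED = re.compile(r"^Received:\s*from\s+(\S+)\s*(?:\(([^)]*)\))?", re.I)
_BRACKET_IP = re.compile(r"\[([0-9.]+)\]")
_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed SPF record standing in for DNS (RFC 5737 range; not the real record).
SPF_RECORDS = {"stjames.net.au": "v=spf1 ip4:198.51.100.0/24 -all"}

# Constructed sample cut down from the second trace above, folded as on the wire.
SAMPLE = (
    "Return-Path: ryopdx@stjames.net.au\n"
    "Received: from APlessis-Bouchard-152-1-59-216.w82-121.abo.wanadoo.fr"
    " (APlessis-Bouchard-152-1-59-216.w82-121.abo.wanadoo.fr [82.121.170.216])\n"
    "\tby mx1.midcoast.com.au (8.13.1/8.13.1) with SMTP id j4N6sWvS003077\n"
    "Received: from mail3.barnet.com.au\n"
    "\tby APlessis-Bouchard-152-1-59-216.w82-121.abo.wanadoo.fr with ESMTP\n"
)

def received_hops(headers):
    """[(claimed_host, connecting_ip or None)] per Received line, newest first."""
    lines = re.sub(r"\n[ \t]+", " ", headers).splitlines()  # unfold continuations
    hops = []
    for m in filter(None, map(_RECEIVED.match, lines)):
        ip = _BRACKET_IP.search(m.group(2) or "")
        hops.append((m.group(1), ip.group(1) if ip else None))
    return hops

def spf_check(domain, ip):
    """Minimal SPF evaluator: ip4: mechanisms and the terminal 'all' only."""
    terms = SPF_RECORDS.get(domain, "").split()
    if terms[:1] != ["v=spf1"]:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all" or (mech.lower().startswith("ip4:") and
                                     addr in ipaddress.ip_network(mech[4:], strict=False)):
            return _RESULT[qual]
    return "neutral"

def verify_first_hop(headers, envelope_sender):
    """Only the hop written by our own MX is trustworthy; SPF-check that one."""
    hops = received_hops(headers)
    if not hops or hops[0][1] is None:
        return "unverifiable"
    return spf_check(envelope_sender.rpartition("@")[2].lower(), hops[0][1])
```

The inner Received lines are deliberately left out of the verdict: they were written by the sender's own machines and, as the trace above shows, can claim anything.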


MS-RPC spam!

Posted on 2005-04-19 22:34:41, modified on 2006-01-09 16:29:23
Tags: Networking, Rant, Spam

I was doing some network traces yesterday, and found these in my logs. Destination host is a Cisco 2821.

After spam via email, spam via instant messaging and spam via voice-over-ip, the next big thing is.... spam via the MS-RPC protocol! Check the following network traces:

U 61.235.154.101:57710 -> 202.83.178.14:1027
..(.......................{Z........O...,....."'..m...-.....................................SECURITY....................ALERT.......................Microsoft Windows has encounted an Internal Error
Your windows registry is corrupted.
Microsoft recommends an immediate system scan.
visit 
http://e-regfix.com
to repair.
.
#
U 61.152.158.123:32780 -> 202.83.178.14:1026
..(.......................{Z........O.....P.|../.E..n..,..................i.................SECURITY....................ALERT...........%.......%...SECURITY ALERT :  Windows has detected 10 Spyware programs installed on your computer!

Spyware causes pop up messages , tracks your online activities and displays advertisements.
Your Anti-Virus and Firewall will not remove Spyware.
Visit:  www.antieye.com  for free removal information!
.

Bunch of sad-sad-sad persons....


Spammers are abusing mavetju.org

Posted on 2003-11-23 22:36:36, modified on 2006-01-09 16:29:21
Tags: Rant, Spam

For the last two weeks I have been receiving email bounces with somerandomstring@mavetju.org as the source address.
