Web log archive.
Dispatches Archive


January 29, 2007

Inside a Mortgage Spammer's Template

I get a huge kick out of spammer engines that aren't programmed right and thus reveal some of the insider info. I suspect it's a case of a wannabe spammer who buys a spam kit, but doesn't know the first thing about computers. With dreams of dollar signs dancing in his head, he sends out a spew, only to let some of the dirty laundry go out with it.

Case in point is a spam message that arrived from a presumed botnet computer belonging to a Pennsylvania Comcast customer. The computer may belong to the customer, but it is pwned by at least one botmaster. But I digress.

The spam had the all-too-common mortgage spam Subject: line:

Subject: You are approved!

Longtime readers of this blog will know that mortgage spammers really rub me the wrong way. I routinely forward such messages (the entire source code listing) to the FTC's spam refrigerator (spam@uce.gov) in the hope that the messages will ultimately be used as evidence in prosecutions of these scumbags.

While I was in the process of fetching the source code listing, I noticed that the From: field had the following plain-language name associated with what otherwise looked like a plausible email address:

From: "%CUSTOM_FROMS"

Readers of Spam Wars will recognize the percent symbol as a possible indicator that the text is a placeholder where a mail merge type of operation is to occur. In this case, the spam spewing software running on the bot is supposed to insert a real-sounding name in the field—a name that would appear in the From listing in the recipient's email inbox. The boob who initiated this mailing, however, failed to fill out something or click a switch to make the program do what he intended. Thus, the placeholder remains in place.

But that's not all. The rest of the message shows exactly where the Mad Libs program is supposed to fill in the blanks for greeting, message, loan amount, monthly payment amount, and even a chunk of quoted text (probably from some public domain work) that is supposed to fool Bayesian spam filters.

Here's the complete body of the message as I received it (with the Taiwanese link disguised):

Dear %CUSTOM_HOMEOWNER,

%CUSTOM_7 %CUSTOM_8

You can receive %CUSTOM_3 for
%CUSTOM_4 per month.

Please respond %MTG_TODAY.
http://[removed].tw/guga


Dana Hancock
%CUSTOM_FROMS


%QUOTES

I'm amazed that this genius was able to get the bot to insert a URL. There's no way I'm going to visit the spamvertised site and possibly credit "guga" with a clickthrough. I did check the domain registration, however, and it seems that the domain was registered a couple of weeks ago.
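A defender can turn the botched mail merge itself into a signal: an unsubstituted token such as %CUSTOM_FROMS in a From: display name or body is not something legitimate bulk mail leaves behind. The following is an added example (not from the blog or the spam kit) that pulls the leftover merge fields out of a message; the addresses and host in the sample are constructed placeholders, and the token syntax is assumed to be a percent sign followed by an upper-case identifier, as in the message above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Merge-field tokens as seen in the spam: a percent sign followed by an
# upper-case identifier (%CUSTOM_FROMS, %MTG_TODAY, %QUOTES, ...).
PLACEHOLDER = re.compile(r"%[A-Z][A-Z0-9_]*")

# Constructed sample message modelled on the one quoted above; the
# addresses and host are placeholders, not the spam's real values.
SAMPLE = """\
From: "%CUSTOM_FROMS" <sender@example.invalid>
To: recipient@example.invalid
Subject: You are approved!

Dear %CUSTOM_HOMEOWNER,

%CUSTOM_7 %CUSTOM_8

You can receive %CUSTOM_3 for
%CUSTOM_4 per month.

Please respond %MTG_TODAY.
http://example.invalid/path

Dana Hancock
%CUSTOM_FROMS

%QUOTES
"""


def unfilled_placeholders(raw):
    """Return the distinct merge tokens left unsubstituted, keyed by where
    they occur: the From display name or the (single-part) body."""
    msg = message_from_string(raw)
    display_name, _addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    return {
        "from_name": sorted(set(PLACEHOLDER.findall(display_name))),
        "body": sorted(set(PLACEHOLDER.findall(body))),
    }


def looks_like_broken_template(raw, min_tokens=2):
    """Flag a message whose From name or body still carries merge tokens.
    One token could be a legitimate literal; several almost never are."""
    found = unfilled_placeholders(raw)
    return len(found["from_name"]) + len(found["body"]) >= min_tokens
```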

So, the next time you receive a mortgage spam that looks like this, but with numbers in the right spaces, you can be sure the values were calculated with all the care and personal attention of a random number generator on a hijacked computer sitting in someone's den or teenager's bedroom.

Posted on January 29, 2007 at 10:33 PM

January 28, 2007

Attack of the Dictionary Attacks

For the past few days, my dannyg.com domain has been hammered by attempts to send spam to addresses that don't exist in the system. It's a case of the so-called dictionary attack, whereby spammers try to find valid user names at a domain by trying everything, including the kitchen sink. Having studied the logs of a lot of these attacks over the years, I've noticed that one tactic is to take valid user names found at one domain and try them at other domains. One can wire up all kinds of logic to account for that behavior, so I won't speculate more.

One thing I noticed in the recent batches—which would have resulted in 10,000 to 13,000 additional spam messages per day invading my server if I had let them—is that some of the tactics have changed. In the past, it was easy to spot the attacks in the logs because there would be long batches of user name tries with a single email connection between servers. I recall one instance a couple of years ago in which over 9,000 names were tried in less than a minute from the same IP address in British Columbia.

As the attackers have discovered, this kind of Internet traffic is easy to recognize on the receiving server end. That drove the attackers to do their thing with fewer names per batch. Even today, I see groups of ten names per connection liberally sprinkled throughout the logs.

Today, however, I realized that there were thousands of attempts made one-at-a-time, each one from a different IP address. Not only that, most of the IP addresses made just one attempt throughout a 24-hour period.

This is all thanks to the (certainly by now) millions of PCs around the world connected to the Internet full-time through broadband connections (cable, DSL, corporate networks)—PCs that are infected with malware under the control of spam gangs...the botnets you may have read about. It may not be as efficient per millisecond to hunt for new addresses one user name per bot connection, but it's the kind of behavior that is impossible to fingerprint as being abusive in the eyes of the receiving email server, and thus less likely to be shut off at the receiving end.
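The shift described above is exactly what breaks per-connection fingerprinting: a rule that counts unknown-user rejects per client IP catches the old 9,000-names-per-connection batch but sees nothing wrong with one probe per bot. The following is an added example (not the blog's own tooling) that runs both checks over constructed, Postfix-style reject lines; the log format, the threshold values and the example IP ranges are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines in a Postfix-like reject format (not the
# blog's own logs). Each line is one RCPT to a non-existent user.
REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[\d.]+)\]: 550 .*?<(?P<rcpt>[^>]+)>"
)
LINE = ("reject: RCPT from unknown[{ip}]: 550 5.1.1 <user{i}@example.invalid>: "
        "Recipient address rejected: User unknown")

# Old style: twelve names tried from one address in one connection.
OLD_STYLE = "\n".join(LINE.format(ip="203.0.113.9", i=i) for i in range(12))
# New style: the same twelve names, one attempt each from twelve bots.
NEW_STYLE = "\n".join(LINE.format(ip=f"198.51.100.{i}", i=i) for i in range(12))


def rejects_per_ip(log):
    """Count rejected recipients per client IP."""
    return Counter(m.group("ip") for m in REJECT.finditer(log))


def burst_sources(log, threshold=5):
    """The classic fingerprint: one client hammering many names."""
    return {ip for ip, n in rejects_per_ip(log).items() if n >= threshold}


def distributed_probe(log, min_rejects=10, max_share=0.25):
    """The botnet pattern: many rejects in total, but no single IP
    accounts for more than max_share of them. Per-IP blocking cannot
    see this; only the aggregate unknown-user rate for the domain does."""
    counts = rejects_per_ip(log)
    total = sum(counts.values())
    if total < min_rejects:
        return False
    return max(counts.values()) / total <= max_share
```

In practice the aggregate check would run over a sliding time window rather than a whole file, with the window and thresholds tuned to the domain's normal rate of genuine typos.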

I've long held a desire to pull off something that would be nearly impossible:

The Great International Bot Out!

This would be a 24-hour period during which all users of a permanently-connected Windows PC in the world either shut down their computers or disconnect their modems while the users are physically asleep. The world's Internet backbone traffic measurers and spam-blocking services would monitor Internet usage geographically during that period and compare it to the previous 24-hour period. The purpose is to get a sense of how much of the world's Internet traffic is attributable to botnet activity (plus or minus normal behind-the-scenes activity, like Windows Update). I envision a solar-eclipse-like shadow of activity starting in New Zealand and creeping its way westward around the globe throughout the day.

That would be so cool. And it would perhaps give my poor email server a little rest.

Posted on January 28, 2007 at 05:34 PM

January 16, 2007

One Airplane I Wouldn't Want to Be On

The message (whose CAN-SPAM identification claims it originated in Singapore, and whose links are heavily coded to confirm your email address with any click or embedded image download) speaks for itself:

From: Customer Service <alert@[removed].com>
To: dannyg@dannyg.com
Subject: Jet Blue Fight Voucher #05GH5986GJ

============SHIPPING ALERT===========SHIPPING ALERT=====

URGENT NOTICE FOR dannyg@dannyg.com,

Re: Jet Blue Ticket Voucher

http://ixdpvwg.[removed].com/sonokym?e=8QLDD.49QLDD.478tS&m=2923231&l=0



Jet Blue Fight Voucher: #05GH5986GJ
Notice Date: 01/11/07
Reference Date: 01/11/07
Amount Due: $0.00*

Please complete the following information and Let us pick
up the tab and get your a Jet Blue Ticket! Please act fast
because there are limit quantities!


http://ixdpvwg.[removed].com/sonokym?e=19L660VJ9L660V4Zru&m=2923231&l=0



=====END NOTICE============

Will the flight attendants charge extra for boxing gloves?

Posted on January 16, 2007 at 09:15 PM

January 15, 2007

An Invitation To Be Pwned

Looking through my backlog of email stopped at my server today, I came across this gem:

Subject: Your New ICQ Password
From: ICQ Password Assistance

Hello,

As a part of our general efforts to improve the ICQ service, we are currently upgrading our password assistance system.

The new system is based on a question & answer format.
This means that each time you would like to get a new ICQ password you will be asked to provide the answers to two questions that you have chosen.
Once you have set your questions & answers, you will be able to get a new password using the password assistance system.

To set your questions & answers, simply click this link and open keygen:
http://www.[removed_for_your_safety].com/keygen.exe


Your confirmation code is:
58FED9627787180D743DBC30B6EE31AB70FDBFED7AB80DA5A0A25A6C357929F9778123D455=
E60A76600112165620B46EEC22CB2B6C885729599F1521B60EEF227DFD25B84047A2063D9C=
CF01DACD5A735FE5A53F52F74C490FE4F84AF6F4E029
The ICQ Password Assistance System.

The only reason this caught my eye is that I've had an ICQ account for eons, although I use it very rarely. (ICQ, for those unaware, is a live chat protocol, for which you need an ICQ program on your computer to conduct live typewritten chat with a friend, family member, etc.)

That a system accessible via a username/password combination would offer additional "protection" against password theft is nothing new. My bank recently implemented a system like this for online transactions. I could see a lot of ICQ users thinking this thing is legitimate. I mean, look at that huge confirmation code!

But what stinks to high heaven about this email request is the fact that you are asked to download and open an executable file (keygen.exe)—not to mention that the domain name of the URL has nothing whatsoever to do with ICQ (it has some Scandinavian names within it).

It turns out that the file, if run on an unprotected Windows PC, would start loading all kinds of spyware and other junk on your computer. Your computer would be, in today's gamer lexicon, pwned (translation: "owned"). Say goodbye to many things on your computer you hold dear (passwords, addresses of all email correspondents, etc.); say hello to many things you probably don't want (popup porno ads, behind-the-scenes spam spewing, etc.).

While many anti-virus programs would have caught this (if they had been updated within a few days of my receipt of this message), some very popular ones don't recognize the file at all. That's why we can't rely exclusively on technology to prevent problems. Awareness and a healthy dose of paranoia are essential tools in the fight.

Posted on January 15, 2007 at 02:07 PM

January 04, 2007

Drowning in Denial

Oh, the arrogance of some tech companies!

I received the umpteen-billionth phishing message today, this one purporting to be from amazon.com. Yawn. The web page with the fake amazon.com userid/password page is hosted on a server belonging to a high-tech company in Silicon Valley. From my long experience in seeing and tracking the URLs of offending pages, I could see that the server had been compromised, with the phishing stuff thrown into a semi-hidden directory (one whose name begins with a period).

The contact info on the company's main web site didn't list an email address, but since the company was so close, I chose to telephone the company directly to report the problem. Although the company is more into semiconductors than Internet technologies, I was transferred to someone in "Support" (whether it was internal computer support, or support for their products, I still don't know).

I explained that I had received the message claiming to come from amazon, and the phishing page was hosted within "Support's" domain. Mr. Support got all uppity and sneered at me that it couldn't be at their company, and it was a result of domain spoofing.

First of all, "domain spoofing" is more usually associated with email, not hosting. The phishing message I received was a case of domain spoofing because it wanted me to believe the message originated from amazon.com, when, in truth, it originated from gte.net. That's not what I was reporting.

There are cases of web site address spoofing, when tricksters register domains that are either lookalikes (using zeros for "o"s, for instance) or employ some international character tricks. But in this case, I reached the home page of the company by stripping off all the subdirectory stuff from the URL in the browser's Address bar. I didn't confuse or mistype anything that wasn't in the phishing page's URL.

This type of "It can't possibly be us" response is, unfortunately, all too common. I've lost count of the times the reportee zips a flaming message back to me—how dare I accuse them of having been cracked by a phisher. A half hour later, I get another message thanking me for reporting the encroachment and that the offending page has been removed.

This time, it took 11 minutes:

Thanks for the forward. I thought they were spoofing the domain, sorry
about that. Our web team have been notified.

Sure, it's embarrassing to acknowledge that your server has been cracked. It could even happen to one of my domains some day. But until I can get to the bottom of the issue, I won't shoot from the hip to deny the occurrence if someone reports it.

Posted on January 04, 2007 at 03:45 PM