Powered by Movable Type 3.121
Home The Book Training Events Tools Stats
Web log archive.
Dispatches Archive

« May 2007 | Main | July 2007 »

June 24, 2007

Small Company Drowning in Spam—For Years Permalink

As I scanned through a recent collection of spam suspects trapped at my email server, I saw a message that is now known as backscatter. Backscatter is a message that is blindly sent to the apparent sender of a message to alert the apparent sender that the message couldn't be delivered for a variety of reasons. Backscatter takes a number of forms, including the (dreaded) out-of-office notification and the "you are infected because you tried to send malware" virus warning.

The problem with backscatter—and why it has attracted its own named classification among antispammers—is that the vast majority of malware propagation and botnet-generated spam messages do not contain addresses of the real senders in the From: fields of those messages (or Reply-To: fields, if present). It is just as likely that such messages have working addresses of real email accounts that had been harvested from various places on the Internet—perhaps yours.

What happens as a result is that an individual receives a thoroughly puzzling backscatter message. Thoughts race:

  • "I didn't send a message to so-and-so. Why did I get this bounce message?"
  • "Does my email program have a ghost that is sending out messages I don't know about?"
  • "Oh my god! My computer is infected with a virus! Die, computer, die!" [sounds of shattering plastic and breaking glass]

At one time in the history of backscatter, the mechanism was even used by spammers. The real targets of the intended spam messages would be written to the From: field of message headers. The To: field was intentionally set to an email address that was known to issue backscatter to the apparent sender, along with a complete copy of the original message. Thus, the spammer could essentially relay spam through the backscatter mechanism.

Things were getting ugly.

In some ways, backscatter has tapered off. For a long time, server-side antivirus software was notorious for issuing the "you are infected" backscatter messages. But when the malware senders were found to be using hijacked computers to launch further attacks with forged From: fields as the basic modus operandi, the default settings of these server programs changed. The volume of those virus warnings has dropped significantly over the years.

The piece (pieces, actually) of backscatter I mentioned at the start of this entry came from a Polish software company. The message begins as follows:

Subject: Deleting message due to invalid address at [Removed] Website
To: dannyg@dannyg.com
From: spam@[removed].com
Reply-To: devnull@[removed].com

Dear Sir/Madam,

Some of addresses at [removed].com have been cancelled due to heavy inflow of spam.

In particular, the following addresses had to go:

[list of 34 addresses, including usernames "support," "webmaster," and names of company principals.]

E-mail sent to those addresses is deleted and WILL NOT BE RETRIEVED!

If this is not spam, please resend your e-mail to a valid address listed on [Removed] Website in the Contact section

We apologize for this inconvenience

Most email administrators would immediately recognize that this company is doing it all wrong. Instead of accepting all messages and issuing this bounce message to those addressed to invalid accounts, the server should immediately reject such messages (which generates the appropriate server-level notification—not another email message—to the sending server).

I wondered what the company was doing differently today to handle contacts from site visitors. It's clear that the firm started out being very open and inviting to visitors by providing a lot of email addresses in the clear. That policy has now stopped—and wisely so. Instead they use a somewhat complicated (for visitors) technique, showing a contact email address as the account name followed by the "@" sign, but no domain name. At the top of the page are instructions how to assemble a valid address out of those pieces. At least that should stop most, if not all, of the automated address harvesters that crawl through the Web.

Next, I looked at their FAQ (Frequently Asked Questions) page. More than half of the questions had to do with contacting via email and spam issues. It's clear that email—a vital communications medium for the company—has been a problem. Then I noticed one question that referenced the kind of backscatter message I had just received. The question was dated from the year 2004!

I think that this small company, like many others, has been waging its own spam battles for years. Such organizations have been forced to change their policies and systems to defend themselves. They have even had to disable normal "role" accounts, such as "webmaster" and "support." Unfortunately, while possibly solving most of the problem for themselves, their long-running backscatter is only contributing to the overall spam problem.

Posted on June 24, 2007 at 10:19 AM

June 08, 2007

What's Worse: The Disease or Cure? Permalink

A few days ago I received a typical PayPal phishing message. It may be a case of the way my email client software displayed the content of this particular message, but the actual link URL was plainly visible in the message. Like a majority of phishing sites these days, this one was on a hijacked web site owned by someone else. Unfortunately for the phisher, the domain name—which was clear as day in my email reader—not only had nothing to do with PayPal, but was without a doubt an adult site. How do I know? The domain name (composed of three run-together words) included the word "porno" and the F-bomb. Dot com.

To the actual site's credit, the front page includes sufficient warnings about the content within the site. There is nothing on the home page (other than the domain name) that would offend anyone.

Per my usual modus operandi, I sent an email to the site owner to advise of the hacking. I heard back within an hour or so that the phishing directory had been removed. The next day, however, I saw that the phishing page was still in operation. Another quick email exchange revealed that the site owner had removed the directory three times and was trying to find out how the site continued to be compromised.

I checked back today to see if he had been successful. Thankfully, the phishing page was gone. Not-so-thankfully, rather than just "404" ("not found") the page, the destination redirected my browser to a different adult site—one not too concerned about an accidental visitors' sensibilities. Lots o' pics of female anatomical features.

Adult web sites have a nasty habit of performing drive-by installs of malware and putting visitors into popup hell. I'm glad my accidental visit was done on a Macintosh, but that won't always be a guard against who-knows-what.

My real concern here is how others who follow such a phishing message link might react to seeing the adult site page out of the—um—blue. For a home user, the content might not be a big deal. But if this happens to someone at work, that porno site visit is probably being logged by the corporate IT department. Moreover, the browser cache is now loaded with dozens of bare-chested (and other regions) photo files. That can't be good.

The bottom lin...I mean end resul...I mean.... Let me start over. I'm glad the hacked site owner took responsible action to deactivate the phishing site; it's the way he did it that gives me pause.

Posted on June 08, 2007 at 10:01 AM

June 03, 2007

Gattling Gun Approach to Infecting Windows PCs Permalink

Wow! That is my reaction to a simple email message that managed to get through today. The "wow" factor isn't in what one normally sees if opening the message; rather, it's in the source code for the message.

The body is relatively tiny—a mere 521 characters of HTML code. But here's what that code does:

  • Loads an HTML page into a hidden iframe element
  • Loads an image file into a hidden img element
  • Loads two different HTML pages into two more hidden iframe elements
  • Loads another image file, whose URL appends an identifiable numeric code, into another hidden img element (possibly ticking a server access counter if the image were actually retrieved)
  • Loads yet another image file, whose URL appends my email address, into yet another hidden img element

I started to dig into the un-appended URLs using text-only terminal software to see what these pages served up to the HTML renderer that might normally open such an email message. Within seconds, I was tracing a rat maze of downloaders and obfuscated (but easily deciphered) scripting code. Some were specifically targeting Microsoft Internet Explorer.

Life today is too short to follow all the trails, but this delivery is another example of the ways Bad Guys will attempt multiple attacks as economically (byte size wise) as possible. If the recipient has some patches already installed, one of the other attacks may do the trick. No need to try to get multiple single-attack messages through when one monster attacker stands a better chance of success.

This message, whose Subject: line is very identifiable English nonsense ("On dinner table happy secret") appears to have been circulating for the past month or so. I found numerous instances of the message having been submitted to message boards and blog comments. Thankfully, many of the message boards display only plain text. But the text message archives include easily clickable links to obtain the HTML—even more deadly because this type of action typically occurs in a web browser, rather than an often more limited email program.

I just took another glance at this message's source code, and I'm left with the same impression: Wow!

Posted on June 03, 2007 at 08:44 PM

June 02, 2007

Failing To Know the Subtleties of English Permalink

Either someone is trying to pull off a joke, or someone is already the victim of the joke.

I glanced at a medz spam whose link URL domain is a lulu. The domain has a country-specific top-level domain—a country I won't reveal here to prevent the curious from visiting the site and adding ticks to the visit counter. So, don't bother trying to visit the .com, .org, .info, or other generic version.

Here is the text of the message (without the link punchline):

LegalRXMedications pharmacy offers all medicinal agents that you require to recover your health for a little price. We work through the globe with buyers from Europe, America and Asia. At present time you don't have to seek drug-store at your area. We necessarily transfer medicines of the highest qualityworldwide.

Visit our site purchase cures you instantly demand straightly to your residence.

We are verified by VeriSign VISA then we support secure confidential purchase.

It's clear we're not dealing with a Hemingway here. But this spammer wants us to entrust our lives to this so-called pharmacy. I imagine this is the type of pharmacy that mails pills loose in padded envelopes, as I've seen in numerous videotaped interceptions (in which some of the pills are broken or crushed, as well).

Such pills are not only not the real thing, but many have been tested to be found to contain dangerous—if not lethal—contaminants. Ingesting such tablets could be among the last things you do on the planet.

The domain name event suggests it: earthleave.

Posted on June 02, 2007 at 10:02 AM