Spammer Bust

I previously replied to these words of Mark E Larson ...

Thought people would be interested in this article.

http://www.pcmike.com/Special%20Reports/High%20School%20Spammer.html

and add the following...

I went back and pulled up copies of this spam that I received. I received
about 12 copies of it. But what I received did not name RUSTnet, so I guess
he was generating numerous variations to perhaps try to distribute the load
enough to slow down the ISPs coming back to him. That means perhaps many
others have been blamed, as well. I found copies claiming to be from some
fake names, and one from hotmail.

One copy of this same spam (but who knows if it is or is not really the
same spammer) I got appeared to be from PSI. It came from a PSI connection
and used Earthlink as a mail hop. I complained to abuse@psi.net and they
sent back a reply claiming the mail came from Earthlink. Well, literally
I did get it from Earthlink, but it originated from PSI's IP address,
unless Earthlink faked the IP (but then why would they leave their own
address on it).

That's why I tend to believe a lot of ISPs ... and more often the BIGGER
ones than the smaller ones ... don't know what is going on. Of course, the
problem the bigger ones have is that even though they do have a few people
that do know, they have tons of poorly trained people that are the "front
line" for everything from customer support to abuse@whoever.net.

Equipment vendors like Cisco, though, are much, much better at this. I guess
that's because they know they are always dealing with professionals (well,
maybe for most of the calls).

I had two very similar incidents of PSI not knowing what was going on.
I've gotten a lot of spam that originated from PSI dialup users but using
Earthlink as a mail relay; for example, this one:

Return-Path: <mail.earthlink.net@italy.it.earthlink.net>
Received: from hops.cs.jhu.edu [this is where I received the mail]
           by blaze.cs.jhu.edu with SMTP; Wed, 9 Apr 1997 04:31:17 GMT
Sender: mail.earthlink.net@italy.it.earthlink.net
Received: from italy.it.earthlink.net (italy-c.it.earthlink.net
[204.250.46.18]) by hops.cs.jhu.edu (8.6.12/8.6.9) with ESMTP id AAA05428 for
<jelson@poincare.cs.jhu.edu>; Wed, 9 Apr 1997 00:31:15 -0400
Received: from LOCALNAME (ip55.rocky-mount.nc.pub-ip.psi.net
[38.30.63.55])
        by italy.it.earthlink.net (8.8.5/8.8.5) with SMTP id MAA14529;
        Tue, 8 Apr 1997 12:15:13 -0700 (PDT)
Message-Id: <199704081915.MAA14529@italy.it.earthlink.net>
Comments: Authenticated sender is <barnhillj@mail.earthlink.net>

In the above case, someone dialed into PSI (ip55.rocky-mount...) and
relayed mail through Earthlink. I complained to PSInet and they told me
"Sorry, nothing we can do, this is coming from Earthlink."

More recently, though, something much more insidious started to happen:
spammers have started forging Received: lines in the headers to misdirect
attempts at tracing the source of the mail! Here's one beautiful example
of a spam header I received (my mailhost here was blaze.cs.jhu.edu):

Received: from fs.IConNet.NET
           by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman@domaol.net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
   [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
   bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
   <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
Message-ID: <37474743565665.JDL9087@bethere.net>

At first glance, it would appear the above spam originated from
bethere.net. When I looked more closely, though, I realized that
tracing the Received: lines up from the bottom shows the mail going from
alt2.bethere.net to bethere.net, then suddenly jumping from a dialup in
PSInet to fs.IConNet.NET. How did it get from bethere.net to PSInet??

The answer, of course, is that the mail really originated from a PSInet
dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
utter forgery, presumably added by the spam-mailing software. In fact,
it's not even a very good forgery, because the supposed IP address of
alt2.bethere.net is invalid (the 2nd octet is 756).

When I [again] wrote to PSInet to complain about spam coming from their
users, I was told I should complain to bethere.net instead -- a domain
that does not even exist!

As a final, even more depressing footnote to this already sad story: a few
days after I saw this new trend of getting spam with forged Received:
lines, I actually got an advertisement for spamming software that
prominently listed one of its features as being that it could add forged
sendmail-like headers in order to misdirect investigations! (To add
insult to injury, I received 8 copies of this ad via the wonders of spam.)

-Jeremy

Recognize that Earthlink is a "national" provider by virtue of the fact
that its customers are allowed to connect through PSI and UUNET POPs (and
other ISPs' POPs?). Just last week I established an Earthlink dial-up
account for one of my relatives. Many of the Earthlink POP phone numbers
turned out to be phone numbers belonging to PSI and UUNET. It was interesting
that the PPP dial-up logon user ID was of the form "ELN/userid". The
"ELN/" in front of the userid stands for Earthlink Network, so that
PSI/UUNET knows to which ISP to route the particular dial-up user.

I would suggest that your particular Spammer IS an Earthlink user (who
happens to dial in through a PSI POP). In this instance, I guess PSI would
have to be considered "just an innocent carrier", like the local phone
company that also helps the Spammer reach his ISP (Earthlink).

[One alternative thought, (and it's a messy one)... Most ISPs can restrict
their mail gateways to accept their customers only, but I wonder if
Earthlink would be able to configure its mail server to prohibit customers
of PSI's and UUNET's dial-up services from using Earthlink's mail server.]

Russ

Yes, it seems that once a spammer finds your site (fs.iconnet.net, mine)
they share it with others. What was a trickle (in April, when you got
spammed) became a flood as the "disposable dial-ppp / third-party relay"
technique became widespread. At the time we had approximately 15 "open"
mail servers - but only one was ever abused - they either share with each
other or have common sources/techniques of scanning for "open" servers.

X-Disclaimer: if you're not interested in sendmail techniques to keep spam
off your network, delete now.

Anyway, we were able to dig up a nice simple solution that solves some
problems that ISPs have. The reason I'm posting is because it took a long
time to find the solution and most sources of information (spam.abuse.net,
etc) are aimed at small sites, not ISPs who provide mail-relay and MX
backup for their customers. The solution is located at

http://www.informatik.uni-kiel.de/~ca/email/check.html
http://www.informatik.uni-kiel.de/~ca/email/rules/check.tar

what we do now, with most help from Claus Aßmann's site:

More recently, though, something much more insidious started to happen:
spammers have started forging Received: lines in the headers to misdirect
attempts at tracing the source of the mail! Here's one beautiful example
of a spam header I received (my mailhost here was blaze.cs.jhu.edu):

From: mailman@domaol.net
Received: from fs.IConNet.NET
           by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman@domaol.net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
   [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
   bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
   <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)

                                                    ^^^^^^^^^^^

To: friend@public.com
Message-ID: <37474743565665.JDL9087@bethere.net>

[ "how did it get there?" ]

The answer, of course, is that the mail really originated from a PSInet
dialup, using IConNet.NET as a spam relay; the bottom Received: line is an
utter forgery, presumably added by the spam-mailing software. In fact,
it's not even a very good forgery, because the supposed IP address of
alt2.bethere.net is invalid (the 2nd octet is 756).

This is a known spamming program; the highlighted mistake would
probably work _exceptionally_ well in your procmail file. :)

Cheers,
-- jra
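The trace Jeremy walks through by hand (follow the Received: lines bottom-up, notice the hop that does not chain, notice the impossible octet) and the automatic check jra suggests can both be done by a small header-chain analyzer. The block below is an added example, not code from any of the posts; it uses the forged chain quoted above as constructed sample input and assumes nothing about the site beyond what is in those headers. The function and variable names are this example's own.

```python
import ipaddress
import re

# Constructed input: the forged chain quoted in the thread, with the non-Received
# fields left in so the parser shows it skips them.
SAMPLE_HEADERS = """\
Received: from fs.IConNet.NET
           by blaze.cs.jhu.edu with ESMTP; Wed, 9 Apr 1997 07:54:13 GMT
Sender: mailman@domaol.net
Received: from 199.173.160.250 (ip19.new-haven.ct.pub-ip.psi.net
   [38.11.102.19]) by fs.IConNet.NET (8.8.5/8.8.5) with SMTP id DAA12207;
   Wed, 9 Apr 1997 03:54:27 -0400 (EDT)
Received: from mailhost.bethere.net(alt2.bethere.net(214.756.86.9)) by
   bethere.net (8.8.5/8.6.5) with SMTP id GAA04732 for
   <friend@public.com>; Wed, 09 Apr 1997 02:52:20 -0600 (EST)
Message-ID: <37474743565665.JDL9087@bethere.net>
"""

# "from <helo> (<whatever the MTA added>) by <host>"; the from-token stops at "("
# because the forged line has no space before its parenthesis.
_RECEIVED_RE = re.compile(r"from\s+([^\s(]+)(.*?)\s*\bby\s+([^\s(;]+)", re.S)
_DOTTED_QUAD_RE = re.compile(r"\b\d+(?:\.\d+){3}\b")
_RDNS_RE = re.compile(r"\(\s*([A-Za-z0-9.-]+)")          # first name inside "("
_BRACKET_IP_RE = re.compile(r"\[(\d+(?:\.\d+){3})\]")  # sendmail's [connecting IP]


def unfold_headers(raw):
    """Join RFC 822 folded continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(header):
    """Split one unfolded Received: header into its pieces; None for other headers."""
    if not header.lower().startswith("received:"):
        return None
    m = _RECEIVED_RE.search(header[len("received:"):])
    if not m:
        return None
    helo, extra, by = m.group(1), m.group(2).strip(), m.group(3)
    valid, invalid = [], []
    for quad in _DOTTED_QUAD_RE.findall(helo + " " + extra):
        try:
            ipaddress.ip_address(quad)
            valid.append(quad)
        except ValueError:          # an octet above 255, as in 214.756.86.9
            invalid.append(quad)
    rdns = _RDNS_RE.search(extra)
    bracket = _BRACKET_IP_RE.search(extra)
    return {
        "helo": helo,                                # what the client claimed
        "rdns": rdns.group(1) if rdns else None,     # name the MTA looked up
        "client_ip": bracket.group(1) if bracket else None,  # IP the MTA saw
        "by": by,
        "ips": valid,
        "invalid_ips": invalid,
    }


def analyze_chain(raw):
    """Walk the hops newest-first; each hop's 'from' should name the 'by' host of
    the hop below it. The first hop where that fails marks the injection point:
    everything below it is whatever the sending software chose to write, and the
    last consistent hop's client is the best evidence of the real origin."""
    hops = [h for h in map(parse_received, unfold_headers(raw)) if h]
    trusted_upto = len(hops) - 1
    for i in range(len(hops) - 1):
        upper, lower = hops[i], hops[i + 1]
        names = {upper["helo"].lower(), (upper["rdns"] or "").lower(),
                 upper["client_ip"] or ""}
        if lower["by"].lower() not in names:
            trusted_upto = i
            break
    origin = hops[trusted_upto] if hops else None
    return {
        "hops": hops,
        "invalid_ips": [ip for h in hops for ip in h["invalid_ips"]],
        "break_below_hop": trusted_upto if hops and trusted_upto < len(hops) - 1 else None,
        "origin_ip": origin["client_ip"] if origin else None,
        "origin_name": (origin["rdns"] or origin["helo"]) if origin else None,
    }


if __name__ == "__main__":
    report = analyze_chain(SAMPLE_HEADERS)
    for i, hop in enumerate(report["hops"]):
        print(f"hop {i}: from {hop['helo']} ({hop['rdns']} [{hop['client_ip']}]) by {hop['by']}")
    print("invalid IPs:", report["invalid_ips"])
    print("chain breaks below hop:", report["break_below_hop"])
    print("probable origin:", report["origin_name"], report["origin_ip"])
```

On the sample, the chain breaks below hop 1 (fs.IConNet.NET took the message from 38.11.102.19, a PSInet dialup, not from bethere.net), the only invalid address is 214.756.86.9, and the forged line also lacks the square-bracketed IP a real sendmail would have written. A real message's bottom hop normally has only a HELO name and no chain to check, so a break between the second-lowest and lowest hop is the signature to alert on, not any hop without a bracketed IP.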

Please excuse me, but I would like to turn this traditional spam topic
(often in form as well as content) into something operational.

Paul Vixie is doing something about spam which is technical, operational,
and which can be put into your router, a BGP feed to blackhole spam sites.
It is moving from prototype deployment towards production. I can not guess
the resources it will take to maintain this effort, not so much maintaining
the feeds, but maintaining the list of spam source IPs.

So, my suggestions, and realize I have not talked to Paul about this (*)
(and i am only talking to actual bgp-speaking net ops here):

  o check out http://spam.abuse.net/spam/.

  o get a blackhole feed, maybe from someone downstream to decentralize the
    load. the agreement is transitive, but you do still have to indemnify
    Paul, which seems quite reasonable to me.

  o offer to pass the blackhole feed on to help decentralize the load. but
    be sure to see the indemnification is maintained.

  o encourage the largest bgpish folk who will listen to you to do the same.

  o send a donation to vixie enterprises' voluntary funds to help defray
    the costs they will surely incur maintaining these data.

randy

(*) if i talked to paul, that could make him liable for these suggestions.
    i have stepped on his toes before, and he still seems ambulatory, so
    what the heck, maybe this time i'll get him.

Is it possible to get the list of sites included in this feed. Paul Vixie
used to publish these site on his web site, but the "Rogue" sites area has
been taken down. Apparently a large number of list "members" threatened
legal action. They alleged some used this list as a list of targets for
retaliation.

We were frequent reviewers of the list. We used the information there to
update our sendmail filters. We were very disappointed to see it go.
  
The only trouble I have with Paul's list was it occasionally needed fine
tuning by hand. Some sites had to be permitted, even though they may have
been guilty of UCE. On one occasion, they had an ISP on their list. This
ISP was close enough to us in geographic region that it was reasonable to
expect some of our users were emailing users on their system. We could not
therefore black hole them.

It would seem to me that this would be more serious if this were an
automatic feed, sent directly to our routers. There would be no way to
review the sites on the list before they were blocked.

Perhaps Paul would create a mailing list for network operators interested
in receiving his blackhole list. As new updates to the group were made,
they could be sent to the list. So as not to appear as though we are
looking for something for nothing, we would be willing to donate resources
to run the list.

You should also take a look at smtpd from Obtuse (ftp://ftp.obtuse.com/pub/smtpd/beta)
It allows you to block relaying in many different ways, some of which you don't
see in sendmail filters. For instance, you can refuse relaying for
IP X because IP X's authoritative name servers don't include Y.

It's also flexible in deploying a single file across all your mail servers
which takes care of relaying and spam.
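The relay rules discussed in this thread (Russ's bracketed thought about a mail server accepting only its own customers, and the Obtuse smtpd rule of refusing relay for IP X when X's authoritative name servers do not include Y) can be written down as one decision function. The block below is an added example, not code from Obtuse smtpd, sendmail or any poster; the networks, domains, name servers and DNS answers are all constructed stand-ins so that it runs offline, and the DNS lookups are injected as callables so a real resolver could replace them.

```python
import ipaddress

# Assumed site configuration (constructed; none of these names come from the thread).
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]        # our own dialup pool
OUR_DOMAINS = {"example.net"}                             # domains we accept mail for
OUR_NAMESERVERS = {"ns1.example.net", "ns2.example.net"}  # the "Y" in the Obtuse rule

# Constructed stand-ins for DNS: PTR records for connecting IPs, NS records per zone.
FAKE_PTR = {
    "192.0.2.10": "ip10.dialup.example.net",            # one of our own users
    "198.51.100.7": "ip7.dialup.other-isp.example",     # someone else's dialup user
    "203.0.113.5": "ip5.pop.hosted-customer.example",   # a customer whose DNS we host
}
FAKE_NS = {
    "example.net": {"ns1.example.net", "ns2.example.net"},
    "other-isp.example": {"ns.other-isp.example"},
    "hosted-customer.example": {"ns1.example.net", "ns.hosted-customer.example"},
}


def relay_decision(client_ip, rcpt_domain, ptr_lookup=FAKE_PTR.get, ns_lookup=FAKE_NS.get):
    """Decide whether to accept RCPT TO:<...@rcpt_domain> from client_ip.
    Returns (allow, reason). Rules, in order:
      1. mail for our own domains is local delivery, never a relay;
      2. clients inside our own address space may relay;
      3. otherwise apply the Obtuse-style test: take the client's reverse name,
         find the nearest zone with NS records, and relay only if that zone is
         served by one of our name servers (i.e. it is a domain we host)."""
    addr = ipaddress.ip_address(client_ip)
    if rcpt_domain.lower() in OUR_DOMAINS:
        return True, "local delivery, not a relay"
    if any(addr in net for net in OUR_NETS):
        return True, "client is in our own address space"
    name = ptr_lookup(client_ip)
    if not name:
        return False, "no reverse DNS for client"
    labels = name.lower().split(".")
    for i in range(1, len(labels)):          # walk up: host.zone -> zone -> parent
        zone = ".".join(labels[i:])
        servers = ns_lookup(zone)
        if servers:
            if servers & OUR_NAMESERVERS:
                return True, f"{zone} is served by our name servers"
            return False, f"{zone} is served by {sorted(servers)}, not by us"
    return False, "no authoritative zone found for client's name"


if __name__ == "__main__":
    for ip, domain in [("198.51.100.7", "example.net"), ("192.0.2.10", "aol.example"),
                       ("198.51.100.7", "aol.example"), ("203.0.113.5", "aol.example"),
                       ("203.0.113.99", "aol.example")]:
        allow, why = relay_decision(ip, domain)
        print(f"{ip:>14} -> {domain:12} {'RELAY' if allow else 'REFUSE'}: {why}")
```

Rule 3 decides relay eligibility from who controls the client's reverse DNS; it does not authenticate the user, and it refuses exactly the case Russ describes, a customer dialing in through another provider's POP, because the reverse name belongs to that provider. That gap is what Russ's bracketed thought is about, and it is why later mail servers moved to authenticating the submitting user rather than the connecting address.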