Guest | Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
06-02-2007, 08:52 PM
On Mon, 21 May 2007 18:54:19 GMT, Beauregard T. Shagnasty put finger
to keyboard and typed:
>Jamie wrote:
>
>> Anyone seen this? "The Bat!" seems to be the spam tool in use.
>
>The Bat! is a well-respected email client, and is not a spam tool.
>Unless a spammer is using it to send spam, but that is not the fault of
>the client.
The Bat! (What is it with the Yahoo!-like! exclamation! mark!?) is
often used as a forged UA because it is a real client but one that's
not so well known, and hence is more likely to get beneficial points
on score-based anti-spam systems such as SpamAssassin (unlike
Microsoft Outlook, which is also often forged but more easily
detectable as such as it's more familiar).
Mark
--
Visit: http://www.MotorwayServices.info - read and share comments and opinions
"I need someone to hide under, should the sky fall on my car"

Guest | He has Met the Spammer and it is Him ....
06-02-2007, 08:52 PM
> I'm getting a ton of these bounced emails from some creep sending out spam:
According to senderbase, your servers are sending out 2000% normal email
volumes. You probably have a borked web form and the spam is coming from
your mail server.
The web form cracking spammer is enjoying remarkably successful delivery
rates and is doing bigger and bigger spam runs. He did a massive run the
last few days. His predictable style and a few other filtering tools
limited our exposure to a handful. The word is getting around that cracking
poorly written web mail forms is cheaper and easier than renting zombies,
since you can use free publicly available proxy server lists to insert your
spam in other people's web forms untraceably.
For your amusement: http://www.senderbase.org/senderbase...string=205.134.237.37
You aren't on any blocklists yet, but I'm sure that will change soon.

Guest | Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
06-02-2007, 08:52 PM
Jamie wrote:
> In <EMAIL REMOVED>,
> Jerry Stuckle <EMAIL REMOVED> mentions:
>> Interesting. Normally I expect to see the Received: headers following
>> the Return-Path: But in this case there is one before that.
>>
>> Just out of curiosity, I tried to relay a message through your server,
>> and it (correctly) replied RELAY DENIED. So you're not an open relay,
>> anyway.
>
> Thanks!
>
>> But is it possible your contact form got hacked? It's been known to
>> happen. Also, it could be that your email server has been hacked - and
>> someone is signing into it.
>
> I'm pretty sure the contact form wasn't hacked (I sometimes see people trying
> to hack it, but I was pretty careful about implementing it, IE, you can't
> "force" a \r or a \n in there to fake out the headers (or specify a bogus
> "To:" address)
>
OK, just making sure. Sometimes the things you're "sure of" will come
back to bite you.
>> However, if this were the case I would expect to see something in your
>> mail logs - but you indicate there is none.
>
> There really isn't anything all that unusual in the logs, if the contact
> form were hacked, I should expect to see hundreds of email messages going
> through it (the contact form uses a local SMTP server) and there really aren't
> that many (except those I normally get)
>
I wouldn't necessarily say "hundreds of email messages". I've seen
spammers who try to space their spam so that the domain owner doesn't
see it. However, if you're seeing all of those bounces and nothing
else, I suspect that's not the problem.
> Only "unusual" thing I'm seeing are thousands of messages with
> <whatever>[at]geniegate.com, relating to the bounced email from all these
> people who (understandably) think I'm spamming them.
>
Ok, you've been subjected to a "joe job" then. My sympathies. However,
any site which actually looks at the headers will see that.
>> 212.96.200.115 resolves to hotmail.com - I don't think it's possible to
>> insert headers like this through hotmail. I could be wrong - but you
>> really need to inject the headers directly into the SMTP stream, and you
>> can't do that unless you're communicating directly with an SMTP server.
>
> I didn't think it was possible to forge Received: headers, unless perhaps,
> you were the very first in the chain. But, I see all kinds of different
> routes in the Received: lines from different hosts. (perhaps windows boxes
> people left unsecured?)
>
It's quite easy to insert any headers you want if you're running your
own MTA (Mail Transfer Agent). No, you can't affect anything after it
leaves your site - but you can insert anything you want early on. Often
times it makes the headers somewhat confusing (as are here).
>> All in all, it's quite puzzling - but from this end it does look like it
>> went through your smtp server. I'd suggest you check your logs very
>> closely at the time the mail supposedly went through (Sun, 20 May 2007
>> 17:13:28 -0500) and see if there is any unusual activity there.
>
> Haven't seen any, here is yours (with possible personal info snipped)
>
> May 21 12:21:21 sendmail[19399]: l4LJL8h19399: ruleset=check_rcpt,
> arg1=[SNIPPED YOUR EMAIL], relay=[SNIP YOUR IP].comcast.net [0.0.0.0], reject=550 5.7.1
> [snip, your email address] ... Relaying denied
>
> May 21 12:21:26 sendmail[19399]: l4LJL8h19399: from=[snip]@[snip], size=0,
> class=0, nrcpts=0, proto=SMTP, daemon=MSA, relay=[snip].comcast.net [0.0.0.0]
>
> The above ("Relaying denied") seems to indicate all is well?
>
> Thanks for testing it though, much appreciated!
>
> Jamie
Yep, that was me checking it out. And it failed, as it should.
BTW - I appreciate you snipping the personal info - but I *never* use
this email anyway, so it doesn't make a difference :-)
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. EMAIL REMOVED
==================

Guest | Re: He has Met the Spammer and it is Him ....
06-02-2007, 08:53 PM
> Any idea /how/ they know I'm sending all this out? Far as I know, almost
> everything that actually passes through there is sent to me, (bounce messages)
>
They are looking at mail received from you by their <mostly> large
corporate/isp subscribers. The form-spammer-du-jour typically puts about
500 spam-ees in the :bcc list and it doesn't take many visits from him to
send out a lot of spam. I suspect one of the following four possibilities:
1. One of your two web forms has been broached by injection.
2. You are running something (likely written in php or perl script) that
is vulnerable and your server has been "compromised".
3. One of your users has figured out how to hack shell access and has set
up his own port 25 server.
4. A challenge-response is running on your server and joe-job messages are
generating a lot of nasty outgoing mail traffic.
If there is no evidence in /var/log/maillog of your sendmail ( or qmail or
postfix) doing mass mailing then I would suggest (2) or (3) above.
BTW, (2) and (3) provide a good reason to force outbound port 25 packets
from anywhere in your network through your mail server.
The form spammer-du-jour is running about 4 times the volume he exhibited
over the last few months, indicating that he probably now has a fairly good
system to screen for spammable forms. Last week he clearly moved outside
the spam lists to which he originally sent his spam, suggesting the
popularity of his technique is increasing. A random test of spam sources we
have seen from this spammer reveals simple injection - nothing more complex
(at least for the time being).
If I had a web site with webforms and had not checked them for injection
and overflow hazards I would not sleep too well this morning....
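The post above suggests looking in /var/log/maillog for the MTA doing mass mailing, and notes that the form spammer stuffs about 500 recipients into the Bcc list per visit. The script below is an added example (not code from the thread or from any poster's site) that does that check over sendmail's "from=" envelope lines, whose layout matches the lines quoted earlier in the thread: it flags queue IDs with an abnormal recipient count, totals recipients per hour against a baseline (the "2000% of normal" idea), and totals per envelope sender so a leaky form's account stands out. The log lines, hostnames and addresses are constructed placeholders; the 50-recipient threshold and the baseline are assumed values a site would tune.

```python
"""Scan sendmail-style maillog lines for signs of mass mailing (added example)."""
import re
from collections import defaultdict

# Fields of a sendmail 'from=' line. The syslog hostname is optional
# because the poster snipped it from the lines he quoted.
FROM_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?:\S+ )?sendmail\[\d+\]: (?P<qid>\w+): from=(?P<sender>\S+?), "
    r".*?\bnrcpts=(?P<nrcpts>\d+)"
)

# Constructed sample log (not real data); documentation-domain names only.
# The two webform@ messages at 13:05 carry ~500 recipients each, the
# pattern the post describes. The first line is a reject, not an envelope.
SAMPLE_LOG = """\
May 21 12:21:21 mail sendmail[19399]: l4LJL8h19399: ruleset=check_rcpt, arg1=<bob@example.net>, relay=c-1-2-3-4.hsd1.example.net [0.0.0.0], reject=550 5.7.1 <bob@example.net>... Relaying denied
May 21 12:21:26 mail sendmail[19399]: l4LJL8h19399: from=<alice@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MSA, relay=c-1-2-3-4.hsd1.example.net [0.0.0.0]
May 21 12:30:05 mail sendmail[19420]: l4LJU5h19420: from=<webform@example.org>, size=1532, class=0, nrcpts=1, msgid=<20070521123005.GA1@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
May 21 12:44:17 mail sendmail[19488]: l4LJiHh19488: from=<jamie@example.org>, size=2210, class=0, nrcpts=2, msgid=<20070521124417.GA2@example.org>, proto=ESMTP, daemon=MSA, relay=[192.0.2.10]
May 21 13:05:17 mail sendmail[19777]: l4LK5Hh19777: from=<webform@example.org>, size=98712, class=0, nrcpts=503, msgid=<20070521130517.GA3@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
May 21 13:05:19 mail sendmail[19781]: l4LK5Jh19781: from=<webform@example.org>, size=98712, class=0, nrcpts=498, msgid=<20070521130519.GA4@example.org>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
"""


def parse_from_lines(log_text):
    """One dict per 'from=' envelope line; rejects and other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = FROM_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["nrcpts"] = int(rec["nrcpts"])
            records.append(rec)
    return records


def flag_bulk_messages(records, threshold=50):
    """Queue IDs of single messages addressing more recipients than a contact form ever should."""
    return [(r["qid"], r["sender"], r["nrcpts"]) for r in records if r["nrcpts"] > threshold]


def recipients_per_hour(records):
    """Total envelope recipients per hour, keyed like 'May 21 13'."""
    totals = defaultdict(int)
    for r in records:
        totals[f"{r['mon']} {r['day']} {r['hour']}"] += r["nrcpts"]
    return dict(totals)


def recipients_per_sender(records):
    """Total recipients per envelope sender: a leaky form shows as one account dominating."""
    totals = defaultdict(int)
    for r in records:
        totals[r["sender"]] += r["nrcpts"]
    return dict(totals)


def hours_over_baseline(per_hour, baseline, factor=20):
    """Hours whose recipient total exceeds factor * baseline (assumed normal hourly volume)."""
    return {h: n for h, n in per_hour.items() if n > factor * baseline}


if __name__ == "__main__":
    recs = parse_from_lines(SAMPLE_LOG)
    for qid, sender, n in flag_bulk_messages(recs):
        print(f"bulk message {qid} from {sender}: {n} recipients")
    print("per hour:", recipients_per_hour(recs))
    print("per sender:", recipients_per_sender(recs))
    print("spiking hours:", hours_over_baseline(recipients_per_hour(recs), baseline=5))
```

On a real host the same functions run over the contents of /var/log/maillog; the per-sender totals are what distinguish possibility (1) in the list above (one form account sending everything) from a compromised box sending under many names.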
Guest | Re: He has Met the Spammer and it is Him ....
06-02-2007, 08:53 PM
In <EMAIL REMOVED de.it>,
Cyberiade.it Anonymous Remailer <EMAIL REMOVED> mentions:
>> Any idea /how/ they know I'm sending all this out? Far as I know, almost
>> everything that actually passes through there is sent to me, (bounce messages)
>>
>
>They are looking at mail received from you by their <mostly> large
>corporate/isp subscribers.
What determines "from me"? is this an actual, verified IP test or is it somehow
based on the headers? (do you know if it's my SMTP server directly contacting
their SMTP server directly?)
>The form-spammer-du-jour typically puts about
>500 spam-ees in the :bcc list and it doesn't take many visits from him to
>send out a lot of spam. I suspect one of the following four possibilities:
> 1. One of your two web forms has been broached by injection.
> 2. You are running something (likely written in php or perl script) that
>is vulnerable and your server has been "compromised".
> 3. One of your users has figured out how to hack shell access and has set
>up his own port 25 server.
> 4. A challenge-response is running on your server and joe-job messages are
>generating a lot of nasty outgoing mail traffic.
>
>If there is no evidence in /var/log/maillog of your sendmail ( or qmail or
>postfix) doing mass mailing then I would suggest (2) or (3) above.
Well, there aren't any listening ports. No weird processes running, and the actual
access to the contact form isn't unusual, (people /DO/ try to hack it all the time,
but I have guarded against it)
>If I had a web site with webforms and had not checked them for injection
>and overflow hazards I would not sleep too well this morning....
Same here, that's why I made sure it guarded against it. (it does guard against
injection)
Jamie
-- http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions

Guest | Re: He has Met the Spammer and it is Him ....
06-02-2007, 08:53 PM
Jamie wrote:
> In <EMAIL REMOVED de.it>,
> Cyberiade.it Anonymous Remailer <EMAIL REMOVED> mentions:
>>> Any idea /how/ they know I'm sending all this out? Far as I know, almost
>>> everything that actually passes through there is sent to me, (bounce messages)
>>>
>> They are looking at mail received from you by their <mostly> large
>> corporate/isp subscribers.
>
> What determines "from me"? is this an actual, verified IP test or is it somehow
> based on the headers? (do you know if it's my SMTP server directly contacting
> their SMTP server directly?)
>
Yes, that's how it works. When you send an email to me, your SMTP
server contacts my SMTP server directly.
>> The form-spammer-du-jour typically puts about
>> 500 spam-ees in the :bcc list and it doesn't take many visits from him to
>> send out a lot of spam. I suspect one of the following four possibilities:
>> 1. One of your two web forms has been broached by injection.
>> 2. You are running something (likely written in php or perl script) that
>> is vulnerable and your server has been "compromised".
>> 3. One of your users has figured out how to hack shell access and has set
>> up his own port 25 server.
>> 4. A challenge-response is running on your server and joe-job messages are
>> generating a lot of nasty outgoing mail traffic.
>>
>> If there is no evidence in /var/log/maillog of your sendmail ( or qmail or
>> postfix) doing mass mailing then I would suggest (2) or (3) above.
>
> Well, there aren't any listening ports. No weird processes running, and the actual
> access to the contact form isn't unusual, (people /DO/ try to hack it all the time,
> but I have guarded against it)
>
If you can receive email, your port 25 is open. But are there any
strange files on your web server, for instance?
>> If I had a web site with webforms and had not checked them for injection
>> and overflow hazards I would not sleep too well this morning....
>
> Same here, that's why I made sure it guarded against it. (it does guard against
> injection)
>
Are you really sure it's guarded against everything? Are you sure, for
instance, that they can't add a newline anywhere in the headers?
>
> Jamie
But again, it's puzzling because if this were a problem you should see
something in your logs.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. EMAIL REMOVED
==================

Guest | Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
06-02-2007, 08:53 PM
Jamie wrote:
> Anyone seen this? "The Bat!" seems to be the spam tool in use. I'm
> getting bounced spam at such a high rate it's coming in faster than I
> can download it.
"The Bat!" is a fairly decent, and entirely innocent Windows mail client.
It's likely that some spammer has just forged the X-Mailer header. This is
quite a common practice, as a fake-looking X-Mailer header, or no X-Mailer
header at all is a fairly good indication of spam, so spam filters are
more likely to flag.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 87 days, 23:12.]
The Great Wi-Fi Controversy http://tobyinkster.co.uk/blog/2007/05/22/wifi-scare/

Guest | Re: New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
06-02-2007, 08:53 PM
Jamie wrote:
> I didn't think it was possible to forge Received: headers, unless perhaps,
> you were the very first in the chain.
It's easy to forge them -- if a piece of mail passes through my server, I
could tamper or remove any existing "Received" headers. After it's left my
server, any later headers are beyond my control.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 87 days, 23:17.]
The Great Wi-Fi Controversy http://tobyinkster.co.uk/blog/2007/05/22/wifi-scare/
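Jerry and Toby make the same point from two directions: a sender running his own MTA can put any Received: lines he likes at the bottom of the chain, but cannot touch the lines that receiving servers add afterwards. When reading one of the bounced messages, the practical consequence is to walk the Received: headers from the top (newest), trust only the hops added by hosts you operate, and treat the "from" of the last trusted hop as the earliest origin you can vouch for; everything below is the sender's word. The script below is an added example (not code from the thread) that does exactly that. The header block, the host names and OUR_HOSTS (the set of MX/relay hosts the analyst runs) are constructed placeholders in documentation domains.

```python
"""Find where a Received: chain stops being verifiable (added example)."""
import email
import re

# 'from X (comment [ip]) by Y ...' is the standard Received: clause layout.
# DOTALL because a folded header keeps its line breaks in the value.
RECEIVED = re.compile(
    r"^from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumed: the hosts whose Received: lines we wrote ourselves.
OUR_HOSTS = {"mail.example.org", "mx1.example.org"}

# Constructed headers of a bounce's enclosed spam. The bottom two hops and
# the X-Mailer were written by whoever sent it and may be pure invention.
SAMPLE_HEADERS = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.1]) by mail.example.org (Postfix) with ESMTP id 1A2B3C for <jamie@example.org>; Sun, 20 May 2007 17:13:40 -0500
Received: from relay.example.net (unknown [198.51.100.23]) by mx1.example.org (8.13.8/8.13.8) with ESMTP id l4KMDVxx001234 for <jamie@example.org>; Sun, 20 May 2007 17:13:31 -0500
Received: from forged-site.example.com (forged-site.example.com [203.0.113.5]) by relay.example.net with ESMTP id ABC123; Sun, 20 May 2007 17:13:28 -0500
Received: from [10.0.0.2] (helo=desktop) by forged-site.example.com with SMTP; Sun, 20 May 2007 17:13:20 -0500
From: someone@forged-site.example.com
X-Mailer: The Bat! (v3.62.03) UNREG
Subject: constructed sample

body
"""


def parse_received(raw_message):
    """Return the Received: hops newest first, each as {'from', 'ip', 'by'}.

    A clause we cannot parse yields by=None, which stops the trusted run
    below: an unreadable hop is treated as unverifiable, not skipped.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED.match(value.strip())
        if not m:
            hops.append({"from": None, "ip": None, "by": None})
            continue
        ip = IPV4.search(m.group("comment") or "")
        hops.append({"from": m.group("from"), "ip": ip.group(1) if ip else None, "by": m.group("by")})
    return hops


def trust_boundary(raw_message, our_hosts=OUR_HOSTS):
    """Split the chain at the first hop that was not added by one of our hosts."""
    hops = parse_received(raw_message)
    trusted = []
    for hop in hops:
        if not hop["by"] or hop["by"].lower() not in our_hosts:
            break
        trusted.append(hop)
    if not trusted:
        return {"origin": None, "trusted_hops": 0, "unverifiable_hops": len(hops)}
    last = trusted[-1]   # the hop we wrote that first received it from outside
    return {
        "origin": (last["from"], last["ip"]),
        "trusted_hops": len(trusted),
        "unverifiable_hops": len(hops) - len(trusted),
    }


if __name__ == "__main__":
    result = trust_boundary(SAMPLE_HEADERS)
    print("last verifiable origin:", result["origin"])
    print("hops we can vouch for:", result["trusted_hops"])
    print("hops that are the sender's word:", result["unverifiable_hops"])
```

The origin it reports is the IP that actually connected to your MX, which is what a complaint or blocklist listing should be based on; the X-Mailer line, like the lower hops, carries no evidential weight at all.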
Guest | Re: He has Met the Spammer and it is Him ....
06-02-2007, 08:53 PM
In <EMAIL REMOVED>,
Jerry Stuckle <EMAIL REMOVED> mentions:
>> What determines "from me"? is this an actual, verified IP test or is it somehow
>> based on the headers? (do you know if it's my SMTP server directly contacting
>> their SMTP server directly?)
>>
>
>Yes, that's how it works. When you send an email to me, your SMTP
>server contacts my SMTP server directly.
I was talking about that service (lost the URL now) that allegedly knows
how much email I'm sending out, if they count actual IP connections -vs-
the Received: header (even so, it isn't totally unusual to see an increase
in email being sent out, my product has a demo that sends email, useless
to spammers even if that were to be compromised somehow, there is no
good way to inject any body text)
>> Well, there aren't any listening ports. No weird processes running, and the actual
>> access to the contact form isn't unusual, (people /DO/ try to hack it all the time,
>> but I have guarded against it)
>>
>
>If you can receive email, your port 25 is open. But are there any
>strange files on your web server, for instance?
Yea, my port 25 is open, but the context was that of "Maybe someone broke in
and set up their own mail server, therefore bypassing my logs" they would have
had to replace netstat, ps and a host of other things to do this, all without
me detecting it. (certainly possible, but very doubtful)
>>> If I had a web site with webforms and had not checked them for injection
>>> and overflow hazards I would not sleep too well this morning....
>>
>> Same here, that's why I made sure it guarded against it. (it does guard against
>> injection)
>>
>
>Are you really sure it's guarded against everything? Are you sure, for
>instance, that they can't add a newline anywhere in the headers?
I'm positive of that. (in fact, every so often I see messages from would-be
crackers who've tried to do just that)
Every other email form is arranged in such a way that even if a cracker did
manage to hack it, it'd be useless because the form doesn't control the text in
any way. (furthermore the bounced email I'm getting doesn't contain any text that
would have been inserted into the message, I can be reasonably sure it wasn't
a contact form or web related.)
Guess I was mostly wondering how that service (a few posts back) is able to determine
the volume of email I'm sending out.
Jamie
-- http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions

Guest | Re: He has Met the Spammer and it is Him ....
06-02-2007, 08:53 PM
In article <EMAIL REMOVED>,
Jerry Stuckle <EMAIL REMOVED> wrote:
>No one can tell without your logs just how much mail you send out. Some
>of them, like www.senderbase.org, report figures - but that's based on
>reported spam, nothing more.
That last part of that must be wrong, or non-spamming mail senders
would have zeros in Ironport's traffic numbers. Instead I have
always assumed that Ironport contracts with a bunch of ISPs to snoop
on the mail sent to their users.
>comment about no listening ports. The problem is - unless you scan your
>system, you don't know just which ports might be open.
Assuming that a naive port scan will find a serious infestation requires
assuming that one's enemies are stupid. I think that is a bad idea.
If I wrote trojan spamware, it would not keep ports open. Instead it
would listen on pseudo-random ports at infrequent, pseudo-random times
and only for a second or two. The controller would know the pseudo-random
sequences and so know which port to contact and when. It would be
invisible to naive, simplistic port scanning and a lot of intrusion
detection snakeoil, just as frequency hopping spread spectrum radios
are invisible to simplistic radio scanning. Yes, there are some
complications that I'd have to solve including synchronizing clocks,
but they are all minor. I assume that I'm no smarter than spammers and
bot-writers, and so assume that if they needed to, they'd solve those
problems.
>>> Are you really sure it's guarded against everything? Are you sure, for
>>> instance, that they can't add a newline anywhere in the headers?
>>
>> I'm positive of that. (in fact, every so often I see messages from would-be
>> crackers who've tried to do just that)
>
>OK, just checking. It's easy to make a misteak :-).
I hope I don't understand that, because it would be wrong claim that
evidence that some attacks have been defeated shows that all attacks
have been defeated.
>It's not the text you have to worry about. It's things like a newline
>character (and other stuff) in the From or Subject fields. And while
>your form just has them as a single-line text field, it's very easy for
>a spammer to generate his own form which does have those.
I think that is true only in what seem to be at best very dangerous
ways to wire an MUA to an HTML form.
Vernon Schryver EMAIL REMOVED
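The exchange above (Jerry's "can't add a newline anywhere in the headers?", Vernon's "very dangerous ways to wire an MUA to an HTML form") is about one concrete defect, and it is easier to see in code than in prose. The block below is an added example, not code from the thread or from any poster's site. It puts the dangerous wiring (a handler that pastes the visitor's From:/Subject: fields straight into the header block, so a CR/LF inside a field ends the line and whatever follows, such as a Bcc: with hundreds of addresses, becomes a real header) next to a hardened handler that rejects any control character in a single-line field, pins To: and From: to the site's own addresses, and puts the visitor's address in Reply-To:. SITE_CONTACT, the addresses and the injected sample are constructed placeholders; the 200-character field limit is an assumed site policy.

```python
"""Contact-form mailer: header-injection hazard beside a hardened version (added example)."""
import re
from email.message import EmailMessage
from email.utils import parseaddr

SITE_CONTACT = "contact@example.org"   # assumed; fixed server-side, the form never chooses To:

# CR, LF and every other ASCII control character: none belongs in a header field.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class HeaderInjection(ValueError):
    """Raised when a form field would break out of its header line."""


def build_message_unsafe(visitor_addr, subject, body):
    """The dangerous wiring: raw string concatenation of user input into headers."""
    return (
        f"From: {visitor_addr}\r\n"
        f"To: {SITE_CONTACT}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def header_names(raw_message):
    """Field names in a raw message's header block, to see what an input actually produced."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n") if ":" in line]


def clean_single_line(value, max_len=200):
    """Accept a field only if it is one printable line of sane length."""
    if CONTROL_CHARS.search(value):
        raise HeaderInjection("control character in header field")
    if len(value) > max_len:
        raise HeaderInjection("header field too long")
    return value.strip()


def build_message_safe(visitor_addr, subject, body):
    """Hardened wiring: validated fields, fixed envelope, EmailMessage does the encoding."""
    visitor_addr = clean_single_line(visitor_addr)
    subject = clean_single_line(subject)
    _name, addr = parseaddr(visitor_addr)
    if not addr or addr != visitor_addr or "@" not in addr:
        raise HeaderInjection("visitor address must be a single bare address")
    msg = EmailMessage()             # its default policy also refuses values that span lines
    msg["From"] = SITE_CONTACT       # our own address; the visitor's goes in Reply-To
    msg["To"] = SITE_CONTACT
    msg["Reply-To"] = addr
    msg["Subject"] = subject
    msg.set_content(body)            # body is free text; it cannot add headers
    return msg


if __name__ == "__main__":
    # Constructed injection attempt: a subject that smuggles in a Bcc: line.
    probe = "Hello\r\nBcc: constructed-victim@example.net"
    print("unsafe handler produced:", header_names(build_message_unsafe("visitor@example.net", probe, "hi")))
    try:
        build_message_safe("visitor@example.net", probe, "hi")
    except HeaderInjection as e:
        print("safe handler rejected it:", e)
    print(build_message_safe("visitor@example.net", "Hello", "hi").as_string())
```

Note that the safe handler's check is on the field, not on the rendered message: a form that only strips "\n" but forgets "\r", or that validates the address field and not the subject, fails the same way the unsafe handler does, which is the "guarded against everything?" question Jerry keeps asking.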