[OT] Odd spammer tactic?

This is really not a SpamAssassin issue, but since this list is
populated by people who are interested in spammer behavior, I'm
throwing it out for comment. If it's too far off topic, my
apologies and I'll let it go at that.

At $DAYJOB I run a mail server and a name server for several
domains, both our own and for clients. At home, I run a mail
server and a name server for a couple of personal domains. The
home name server is a slave for most of the domains hosted at
$DAYJOB. The home mail server is _not_ configured to handle mail
for any of the $DAYJOB domains and it is _not_ an MX for any of
those domains. The only connection is that it is an NS for the
$DAYJOB domains. These domains _do_ have $DAYJOB mail server as
their MX.

For a while now, I've been seeing attempts to send mail to the
home server for addresses in $DAYJOB domains. This is not a
problem since the volume is low and they are being properly
rejected as third-party relay attempts (authentication required
- relay not permitted). However, the fact that someone is
apparently trying to send mail to an NS instead of an existing
MX has piqued my curiosity. It looks like it's all spam (the
sender addresses tend to support that). So, has anyone else seen
this sort of behavior and what could be the rationale for trying
to deliver mail to an NS like this?

--
Christopher Bort
<topher@...>
<http://www.thehundredacre.net/>

Christopher Bort wrote:
it's the same as port scans. they look for open relays. they don't care
if the host is an MX, an NS, a www or anything. they just connect to the
IP and try to relay. I've seen this on hosts that "nobody should have
known about".

On the other hand, I also see attempts to connect to A hosts (thus
ignoring MX definitions) and to old MXes. This is different as there is
no relay attempt.

Christopher Bort wrote:
I have, I have also seen attempts to send to the A record as well. I see
no rational explanation except for the hope a poorly configured server
running multiple services (DNS, Web, Mail, etc) will let something slip
through.

DAve


--
Don't tell me I'm driving the cart!

On 07/21/08 13:04, mouss@... (mouss) wrote:

But they don't seem to be randomly looking for any open relay.
If they were just looking for open relays, wouldn't you expect
to see domains in the recipient addresses that have no
connection whatsoever with the target machine? In all of the
relay attempts I'm seeing on this mail server, the recipient
addresses are in domains for which the server is an NS. I don't
see any relay attempts where that is not true which implies, I
think, that they do care that it's an NS. It seems like they're
looking for hosts that will deliver|relay messages for specific
domains, so why don't they just use the existing MX rather than
trying an NS host with which there's no reasonable expectation
that it will relay for the target domain? I suppose they could
be looking for back doors, but that seems like it would be a
very low probability undertaking.

>On the other hand, I also see attempts to connect to A hosts (thus
>ignoring MX definitions) and to old MXes. This is different as there
>is no relay attempt.

The RFCs allow for A hosts to be tried in the absence of MX
records, so there is some rationale for that, however weak it
may be.

--
Christopher Bort
<topher@...>
<http://www.thehundredacre.net/>

Christopher Bort wrote:
> In all of the relay attempts I'm seeing on this mail server, the
> recipient addresses are in domains for which the server is an NS.

They are looking for any connection possible.  A nameserver is an
association.  They will hope that perhaps it allows mail.  Unlikely to
the extreme but not inconceivable.

> I think, that they do care that it's an NS. It seems like they're
> looking for hosts that will deliver|relay messages for specific
> domains, so why don't they just use the existing MX rather than
> trying an NS host with which there's no reasonable expectation that
> it will relay for the target domain?

You are trying to apply logic to a situation to which no reason can be
applied.  Spammers do not operate with a sanity of reason and logic.
There is intelligence.  But bludgeoning others for their own gain only
makes sense to them and not to members of society.

> I suppose they could be looking for back doors, but that seems like
> it would be a very low probability undertaking.

Spammers base their existence upon extremely low probabilities
multiplied by very large numbers of messages.

Bob

Christopher Bort wrote:
I don't consider it off topic at all. I'm going to look into this. Seems
like a way to feed right into my blacklist.

On 07/21/08 14:09, bob@... (Bob Proulx) wrote:

True enough. I suppose it's a good thing that I'm not entirely
able to think like a spammer.  ;-)

>>I suppose they could be looking for back doors, but that seems like
>>it would be a very low probability undertaking.
>
>Spammers base their existence upon extremely low probabilities
>multiplied by very large numbers of messages.

True again. Your comments essentially reflect my own assessment,
but I was curious enough about it to bring it up on a list like
this one to see if I was missing some twist that would make an
iota of sense, but I guess not. I'll let it go now.  8^)  Even
though there's no actual problem, it's still a low grade
irritant to me that someone out there is stupid enough to bang
their head against this wall.

--
Christopher Bort
<topher@...>
<http://www.thehundredacre.net/>

Christopher Bort wrote:
> Bob Proulx wrote:
> > You are trying to apply logic to a situation to which no reason can be
> > applied.  Spammers do not operate with a sanity of reason and logic.
> > There is intelligence.  But bludgeoning others for their own gain only
> > makes sense to them and not to members of society.
>
> True enough. I suppose it's a good thing that I'm not entirely
> able to think like a spammer.  ;-)

People who see the exploits that are possible but work for the good of
others are called "whitehats".  Bruce Schneier made an interesting
comment concerning ant farms related to this type of mindset[1].

I think the important thing is that if you are one of those that
always see how things can fail or be exploited that you work to solve
the problems.  (This is where test driven development comes from and
where security comes from and so forth.)  And that if you are not one
of those people that you don't become a block to improvements.  Too
often people close their eyes, put their fingers in their ears and
hum.  Instead they should be receptive to people trying to help them.

> > Spammers base their existence upon extremely low probabilities
> > multiplied by very large numbers of messages.
>
> True again. Your comments essentially reflect my own assessment,
> but I was curious enough about it to bring it up on a list like
> this one to see if I was missing some twist that would make an
> iota of sense, but I guess not.

It does make sense.  You don't see it from the spammer's perspective.
Someone who is running a nameserver for a domain just might at some
very small probability be slightly more likely to allow relaying for
that domain than other random servers on the network.

But I think it is the reverse.  I think a nameserver for a domain is
more likely to be locked down for relays to that domain.  I think
nameservers for a domain would be less likely to relay than random
other machines on the network.  But obviously at least one spammer is
testing this theory.

Spammers are already working at very, very low probabilities and so
poking at another low one isn't a problem.  So for the spammer it
makes sense to try wild ideas even if the likelihood is extremely
small of it being fruitful.

> I'll let it go now.  8^) Even though there's no actual problem, it's
> still a low grade irritant to me that someone out there is stupid
> enough to bang their head against this wall.

I think it is good that you brought this up and allowed people to
notice this behavior.  Perhaps it will be useful to use in relation to
generating block lists.  Who knows?  It is interesting.  I don't think
it is particularly unexpected.  In this particular case though they
are way behind the power curve.  They are working behind the years of
learning and selection that running any type of open mail relay is
unacceptable.

As far as spammers being stupid, I disagree.  I think they show
definite intelligence.  The first time I observed a distributed
spamming engine in operation I was definitely impressed.
Unfortunately it is an evil intelligence.  It works not for the public
good but against it.  Being annoying along the way is just one of the
lessor ways that they show that they care nothing about others.

Bob

[1] http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320

On Mon, 2008-07-21 at 12:30 -0700, Christopher Bort wrote:

> For a while now, I've been seeing attempts to send mail to the
> home server for addresses in $DAYJOB domains. This is not a
> problem since the volume is low and they are being properly
> rejected as third-party relay attempts (authentication required
> - relay not permitted). However, the fact that someone is
> apparently trying to send mail to an NS instead of an existing
> MX has piqued my curiosity. It looks like it's all spam (the
> sender addresses tend to support that).

Marc, this might be another way for you to collect your spam zombie
data. Offer a free public secondary-DNS service and run your dummy MTA
on that box. That way you're inherently rewarding (at least a little
bit) the people who are cooperating to provide you data.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@...    FALaholic #11174     pgpk -a jhardin@...
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  If Microsoft made hammers, everyone would whine about how poorly
  screws were designed and about how they are hard to hammer in, and
  wonder why it takes so long to paint a wall using the hammer.
-----------------------------------------------------------------------
 Today: the 39th anniversary of Man's first steps on the Moon

On Mon, 2008-07-21 at 14:01 -0700, Christopher Bort wrote:
> I suppose they could
> be looking for back doors, but that seems like it would be a
> very low probability undertaking.

Other people's CPU cycles and net bandwidth are cheap (at least for
spammers). If they hit one in fifty thousand as an open relay, it's a
net win for them.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@...    FALaholic #11174     pgpk -a jhardin@...
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  If Microsoft made hammers, everyone would whine about how poorly
  screws were designed and about how they are hard to hammer in, and
  wonder why it takes so long to paint a wall using the hammer.
-----------------------------------------------------------------------
 Today: the 39th anniversary of Man's first steps on the Moon

Christopher Bort wrote: I have seen that spammers usually target  most available "A" records of
a  domain
So if a domain is example.com All machines , mail.example.com ,
example.com , ns.example.com etc are all targeted.

Remove the A record ns.example.com ( if possible )  and you will see
spams disappear

Unfortunately this works :-( in  evading spam filters in far too many
cases. A lot of domains host their websites/mailboxes/DNS  on shared
servers who do not offer any protection at SMTP levels .Even if the
customer subscribes to a third party Antispam solution and points his MX
to a spam filter the spammer easily sends his mail to the unportected
mailhost server and gets straight to the inbox.  We ourselves had
extremely tough times explaining to clients

Probably Spamassassin Comunity needs to develop a email client plugin
that can detect such mails

Thanks
Ram






===================================================================
sms START NEWS <your city> to 09845398453 for Breaking News and Top
Stories on Business, Sports & Politics. For more services visit
http://www.mytodaysms.com
===================================================================

Marc Perkel wrote: You mean you need a  script will listen to port 25 instead of a smtpd
daemon ?
Will be a trivial thing to do?
What should this do , just log to syslog the IP's and break connection
immediately after connect




Yes , I think that would give a zero fp  blacklist on ip's
Any real MTA would mx lookup ,
IMO If mail is sent on non mx ips the mail is spam and the ip is of a
spammer
(internal misconfigured transport relays need to be excluded )









===================================================================
sms START NEWS <your city> to 09845398453 for Breaking News and Top
Stories on Business, Sports & Politics. For more services visit
http://www.mytodaysms.com
===================================================================

Ramprasad wrote: Yes - the idea being that you have some service, like a name server,
that there is no reason at all that anything should be connecting to
port 25 on and everything that attempts to connect on it is spam. So
it's not an MTA but just a script (xinetd -> shel script - or perl) that
closes the connection immediately and sends the IP to a central
collector that accumulates information and builds blacklists that can be
used by Spamassassin.

Yep - you got it.

Spammers operate on the premise that lots of stupid people read email.  For example, only stupid people would actually respond to an offer to sell medications, from a service that does not spell the product name correctly (they are either too stupid to recognize the deviant spelling even though the correct version is all over TV and magazines, or too stupid to realize it means the offeror is ethics challenged).  But these offers are getting responses, or the spammers would not keep sending them.

The spammers are spending other people's money, since much of their "work" is done by hijacked machines, thus they do not care how 'expensive' their project might be, and any responses they do get are practically pure profit.  So to probe a million targets and find even one vulnerable is "worth the trouble" since it is not their own trouble.

The flaw in your logic is that you are thinking logically, working from the premise that any intelligent administrator (such as yourself) would never create a machine that is susceptible to this particular attack.  Maybe YOUR server is not a viable avenue for the spammer, but there are SO many servers out there - finding a few that ARE viable is almost a certainty, since some people who connect systems to the internet are not so well-informed as we here.

I believe that until a technique is discovered to eliminate ignorance and gullibility from the human population, there will be no solution to the spam problem.

>>> Christopher Bort <topher@...> 07/21/08 3:30 PM >>>
This is really not a SpamAssassin issue, but since this list is populated by people who are interested in spammer behavior, I'm throwing it out for comment. If it's too far off topic, my apologies and I'll let it go at that.

At $DAYJOB I run a mail server and a name server for several domains, both our own and for clients. At home, I run a mail server and a name server for a couple of personal domains. The home name server is a slave for most of the domains hosted at $DAYJOB. The home mail server is _not_ configured to handle mail for any of the $DAYJOB domains and it is _not_ an MX for any of those domains. The only connection is that it is an NS for the $DAYJOB domains. These domains _do_ have $DAYJOB mail server as their MX.

For a while now, I've been seeing attempts to send mail to the home server for addresses in $DAYJOB domains. This is not a problem since the volume is low and they are being properly rejected as third-party relay attempts (authentication required - relay not permitted). However, the fact that someone is apparently trying to send mail to an NS instead of an existing MX has piqued my curiosity. It looks like it's all spam (the sender addresses tend to support that). So, has anyone else seen this sort of behavior and what could be the rationale for trying to deliver mail to an NS like this?

--
Christopher Bort
<topher@...>
<http://www.thehundredacre.net/>

Marc Perkel wrote:

> I don't care what it's written in but I'm thinking that xinetd might be
> easiest. What I want is something to record the IP address of any host
> connection to port 25.

You don't really need to accept the connection. Just logging
connection attenmpts should be enough.

As an examplem something like this (watch for wrapping):

tcpdump -lnpqt -i vr0 'tcp[13] & 2 != 0 and dst port 25 and dst
host 195.67.112.220'

Should output lines like:

213.163.128.161.48278 > 195.67.112.220.25: tcp 0 (DF)
213.163.128.161.48279 > 195.67.112.220.25: tcp 0 (DF)
190.84.222.78.2106 > 195.67.112.220.25: tcp 0 (DF)

for each connection attempt to port 25 on 195.67.112.220.

If port 25 is firewalled usinbg pf, vr0 should probably be
replaced with "pflog0". Similar setup should be doable with other
firewalls that create a log interface for tcpdump.

Then you can filter that output to remove evevrything but the IP
address.

For example

tcpdump -lnpqt -i vr0 'tcp[13] & 2 != 0 and dst port 25 and dst
host 195.67.112.220' | sed -e 's/\.[0-9]* .*$//'

should output just the IP numbers.

So maybe something like this should work:

tcpdump -lnpqt -i <interface> 'tcp[13] & 2 != 0 and dst port 25
and dst host <host>' | sed -e 's/\.[0-9]* .*$//' | nc -u 2 <host>
<port>

It could be running in a detached session. (And yes, the '-u' is
on purpose, I think UDP is good for this kind of thing.)

Please not that the above is untested and that I'm not used to
working with sed or netcat.

Regards
/Jonas
--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/

Quoting Marc Perkel <marc@...>:

>
>
> Ramprasad wrote:

>>> I don't care what it's written in but I'm thinking that xinetd  
>>> might be easiest. What I want is something to record the IP  
>>> address of any host connection to port 25. Then going to need it  
>>> to run a one line script file that runc netcat (nc) and sends me  
>>> data. Basically I just need te IP address. I have a collector  
>>> program listening that feeds the blacklist system. The collector is.
>>>

Here is a little program I wrote a while back for just this purpose.  
Change lines 58ff as you see fit for your purposes.  I have modified  
the listening port to 25 and put a plausible looking banner lines on it.

also I have attached an RC file to start it up.  Let me know how it works out.

jp