I woke up this morning to my Spam box full of email from a variety of people, to a variety of my email boxes, greeting me and checking into my well being. One example of this is From: Luella Winkler <sacrilegioush@real-time-vision.com>
To Luella and the other 54 email addresses that checked up on me... I would just like to thank all of you for caring so much and reassure you that I am quite well. Seriously though, there is no solicitation, no attempt at phishing, and no embedded crap, just warm regards. Is this a dry run for something big to come?
UPDATE 2010-09-21: Today the same IP addresses are delivering emails with subjects such as "Deposit", "demands for payment", "schedule of bridging loan payments", and "June Voice". They each have a .html attachment and lots of bad English. I haven't had time to look into the attachment, but if any of you has, safely of course, I would love to hear what you found. -- Rick Wanner - rwanner at isc dot sans dot org - http://rwanner.blogspot.com/
Rick 324 Posts ISC Handler Sep 18th 2010
Could it be a way to verify email addresses? Make sure they don't bounce?
Steve Campbell 7 Posts
Sep 19th 2010
My company is also getting these emails. They appear to be going to addresses that normally receive a fair amount of spam (and I mean spam, not annoying UCE). This includes invalid addresses that I regularly see spammed.
They're doing quite well at getting through our spam filters as well - about 60% of the emails got through. I think Steve could be right. An innocuous email designed to evade filters and elicit bouncebacks on the invalid addresses. However, I can't see spammers ever actually removing email addresses from their lists. I have enough trouble getting email marketers to remove addresses for people who have left or died.
Rabbi 7 Posts
Sep 19th 2010
Steve, that was my first thought. Validating emails through bounces, out of office replies, and the occasional reply. But the question still remains... to what longer-term end.
I agree with Rabbi. With email essentially being free why go to the cost and effort of cleaning up the list?
Rick 324 Posts ISC Handler
Sep 19th 2010
Just a guess.. but the thing about the scattergun directory harvesting attacks that botnets do is that they are quite easy to detect. This could be an attempt to find valid mailboxes so that directory harvesting is not needed, leading to increased deliverability.
http://blog.dynamoo.com/2010/09/hello-how-are-you-mystery-spam.html
Conrad 15 Posts
Sep 19th 2010
My first thought would be poisoning Bayesian filters by pumping stuff through initially to lower their score and get whitelisted.
Conrad 2 Posts
Sep 19th 2010
My second thought would be mapping IP block policy blockages. By mapping out what address blocks produce delivery rejections and which do not you could target future deliveries to a server to come only from the unblocked IP address ranges.
Conrad 2 Posts
Sep 19th 2010
About half the originating IPs from the spam I just checked were from Russia or the Ukraine. That seems to be an unusually high proportion, so perhaps it IS IP address mapping.
Conrad 15 Posts
Sep 19th 2010
I just started seeing these as well. Last week, there were a lot of folks who liked my profile asking if I wanted to see their pic, with an email address to request it.
Conrad 1 Posts
Sep 19th 2010
Or.. perhaps it is looking for the responses from the mail server in order to find vulnerable servers? Enumerate them now.. attack them all later.
Or.. it's just a prank.
Conrad 15 Posts
Sep 19th 2010
.. or there is a TRY IT NOW / LIVE DEMO button on the marketing pages of a new spam tool that is just too tempting to click on ..
.. or a new spammers 101 course that people are following too literally .. Well - either way I wish they'd all just roll over and get a proper job. I don't mind them making money, but why not deserve them?
dotBATman 70 Posts
Sep 20th 2010
From what we are seeing, they all seem to be tied to a specific range of domain names. The subjects are mail or hello. If the behavior follows past patterns, a Zeus botnet spamflood will follow in a day or 2.
CBob 23 Posts
Sep 20th 2010
This past Saturday morning, about once per hour from 3 am until 9 am, I got 6 spams to the same account from these IP addresses:
62.24.127.28 217.203.84.22 78.3.224.9 79.115.208.166 178.90.69.185 87.252.227.84
My SMTP server rejects all connection attempts from IPs located in Russia, China and all of South and Central America. These spams were all similar in that:
- The subject was simply -> hello
- The body was simply -> how are you?
- The header contained a second Return-Path: line (unusual for the direct-to-mx spam I usually get)
- The header contained a second Received: line that contained a port=nnnn and helo=(string) parameter (which I believe is indicative of Exim software).
There seems to be some history of abuse using servers running Exim where the operators are having a hard time securing them or even properly logging their operations.
CBob 3 Posts
Sep 21st 2010
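The four traits listed in the post above (subject "hello", body "how are you?", a duplicated Return-Path: header, and a Received: line carrying port= and helo= parameters) can be turned into a simple triage check over raw messages. This is an added example, not code from the thread; the sample message, its addresses and the 192.0.2.10 host are constructed placeholders.

```python
"""Score a raw RFC 822 message against the 'hello / how are you?' spam traits."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample shaped like the post describes: two Return-Path: lines and a
# second Received: line with port= and helo= parameters. Hosts are placeholders.
SAMPLE = """\
Return-Path: <bounce@example.invalid>
Received: from mx.example.invalid by mail.example.invalid; Sat, 18 Sep 2010 03:12:00 +0000
Return-Path: <sender@example.invalid>
Received: from [192.0.2.10] (port=4312 helo=pc-user) by mx.example.invalid; Sat, 18 Sep 2010 03:11:58 +0000
From: Someone <sender@example.invalid>
Subject: hello
Content-Type: text/plain; charset="ISO-8859-1"

how are you?
"""

# A Received: line that carries both a port= and a helo= parameter.
RECEIVED_PARAMS = re.compile(r"\bport=\d+\b.*\bhelo=\S+", re.S)


def indicators(msg: Message) -> dict:
    """Return which of the thread's four traits a parsed message exhibits."""
    body = msg.get_payload(decode=True) or b""
    received = msg.get_all("Received", [])
    return {
        "subject_hello": (msg.get("Subject") or "").strip().lower() == "hello",
        "body_how_are_you": body.decode("latin-1").strip().lower() == "how are you?",
        "double_return_path": len(msg.get_all("Return-Path", [])) > 1,
        "received_port_helo": any(RECEIVED_PARAMS.search(r) for r in received),
    }


def score(raw: str) -> int:
    """Count matched traits; 4 means every trait from the post is present."""
    return sum(indicators(message_from_string(raw)).values())


if __name__ == "__main__":
    print(indicators(message_from_string(SAMPLE)), score(SAMPLE))
```

A score of 4 on real mail is a flag for review, not proof of anything; the subject and body checks are trivially changed by the sender, so the two header traits are the ones worth keeping in a longer-lived rule.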
This attempt may be the spammer hoping that the receiver will reply to the mail. And apparently, the email ID then gets into the victim's contact list, so it is whitelisted.
CBob 1 Posts
Sep 21st 2010
It was indeed a trial run. At the moment I get from the same IP addresses hundreds of attempts to spread malware W32/Sasfis.MA!tr.
CBob 1 Posts
Sep 21st 2010
I just started receiving gibberish emails with no apparent intent, as below:
Received: From: from For good <izyjyb6570@cgocable.net>
To: xxxxxxxx
Subject: He Wessex premiered is Sir
Date: Wed, 22 Sep 2010 08:39:15 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
X-Mlf-Connecting-IP: 209.51.186.102
Return-Path: izyjyb6570@cgocable.net

However World with of fast Lazar in on
CBob 2 Posts
Sep 22nd 2010
It looks like the malware attacks may have started - I have begun receiving emails with HTML attachments: all these attachments purporting to come from Amazon.com, with an unescape sequence which I, frankly, do not have the skills to decipher.
CBob 3 Posts
Sep 24th 2010
Sorry to post a comment to my own comment. It looks like this is a virus, and has very poor detection, as per VirusTotal: 1 in 43, with Sophos being the only one to detect it as JS/WndRed-B.
CBob 3 Posts
Sep 24th 2010