Today I started receiving several spammy emails. Here's the first one:
You'll note that it appears to be from me! But a quick look at the headers reveals that the sender address was forged, a common spam tactic:
Code:
Return-Path: <bristlesgesu195@dilos.com>
Delivered-To: s...@rileyz.net
Received: from localhost (localhost [127.0.0.1]) by m92p.rileyz.local (Postfix) with ESMTP id EF39D16A23CE for <s...@rileyz.net>; Wed, 6 Nov 2013 14:30:47 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at m92p.rileyz.local
Received: from m92p.rileyz.local ([127.0.0.1]) by localhost (m92p.rileyz.local [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SbP0JHn5Ks3J for <s...@rileyz.net>; Wed, 6 Nov 2013 14:30:43 -0800 (PST)
Received: from mail-23-ewr.dyndns.com (mxout-042-ewr.mailhop.org [216.146.33.42]) by m92p.rileyz.local (Postfix) with ESMTP id 4857816A234B for <s...@rileyz.net>; Wed, 6 Nov 2013 14:30:41 -0800 (PST)
X-Mail-Handler: MailHop by DynDNS
X-Originating-IP: 200.68.68.1
Received: from mx.brihetyasociados.com (unknown [200.68.68.1]) by mail-23-ewr.dyndns.com (Postfix) with ESMTP id AD88C42C9E for <s...@rileyz.net>; Wed, 6 Nov 2013 22:30:40 +0000 (UTC)
Received: from 200.68.68.1(helo=rileyz.net) by rileyz.net with esmtpa (Exim 4.69) (envelope-from ) id 1MMQOP-3037wz-X8 for <s...@rileyz.net>; Wed, 6 Nov 2013 19:30:39 -0300
From: <s...@rileyz.net>
To: <s...@rileyz.net>
Subject: We talked for a long time, and you went and said goodbye!
Date: Wed, 6 Nov 2013 19:30:39 -0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: achwdk-67
Message-ID: <4306586829.RN4QO2PB368394@qkcdqlqqgkolk.foaiojn.ua>

Hi, I'm cute girl I dream to have sex with strangers, my name is Lisa. Can we get started? I'm on this dating site - come in to me! http://bangmedia.go2cloud.org/aff_ad?campaign_id=1544&aff_id=548
23 of these have appeared in my inbox today. The subject will vary, but it's usually some plea to talk more, or concern that I forgot the person, or regret that I have lost my love. The person's name varies from among a half dozen or so. The URL is exactly the same, every time. You'll note that in this example, the sending server EHLO'ed using my own domain; this isn't always the case.
Upon examining my mail logs, I was shocked to see that this crap has been hitting me nonstop since 28 October!
Code:
root@m92p:/var/log# ll mail.log*
-rw-r----- 1 root adm 1139901 Nov  7 01:20 mail.log
-rw-r----- 1 root adm 1451517 Nov  3 06:25 mail.log.1
-rw-r----- 1 root adm  166014 Oct 27 06:25 mail.log.2.gz
-rw-r----- 1 root adm  126534 Oct 20 06:30 mail.log.3.gz
-rw-r----- 1 root adm  130798 Oct 13 06:35 mail.log.4.gz
root@m92p:/var/log# zcat mail.log.2.gz | grep reject | wc -l
0
root@m92p:/var/log# grep reject mail.log.1 | wc -l
404
root@m92p:/var/log# grep reject mail.log | wc -l
557
I built this server on 6 October. The logs are small, as you'd expect on a server used by only two people. Coincidentally, after the log rolled over on 28 October, that's when the onslaught started. The first arrived at 2:18:
Code:
Oct 28 02:18:36 m92p postfix/smtpd[31082]: NOQUEUE: reject: RCPT from mxout-030-ewr.mailhop.org[216.146.33.30]: 450 4.1.8 <iu@bhjygrp.org>: Sender address rejected: Domain not found; from=<iu@bhjygrp.org> to=<s...@rileyz.net> proto=ESMTP helo=<mail-12-ewr.dyndns.com>
My log is overflowing with these; 961 so far. Some botnet is going mad, sending zillions of these to who knows how many people, mostly using invented domain names. Decent Postfix configurations will block those. Of the few that get through, their domain names are valid.
In the last few hours, Spamassassin has begun scoring them, and the score is increasing...apparently the various online block lists are figuring out whatever pattern exists here. The most recent four have been scored thusly:
Code:
X-Spam-Status: No, score=2.284 tagged_above=2 required=6.31 tests=[RCVD_IN_DNSWL_NONE=-0.0001, T_SURBL_MULTI1=0.01, T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=1.775, URIBL_JP_SURBL=0.336, URIBL_WS_SURBL=0.1533]
X-Spam-Status: No, score=3.529 tagged_above=2 required=6.31 tests=[RCVD_IN_BL_SPAMCOP_NET=1.246, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_SURBL_MULTI1=0.01, T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=1.775, URIBL_JP_SURBL=0.336, URIBL_WS_SURBL=0.1533]
X-Spam-Status: No, score=5.328 tagged_above=2 required=6.31 tests=[RCVD_IN_DNSWL_NONE=-0.0001, SPF_FAIL=0.919, TO_EQ_FM_DOM_SPF_FAIL=0.001, TO_EQ_FM_SPF_FAIL=2.123, T_SURBL_MULTI1=0.01, T_URIBL_BLACK_OVERLAP=0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLACK=1.775, URIBL_JP_SURBL=0.336, URIBL_WS_SURBL=0.1533]
X-Spam-Status: No, score=2.284 tagged_above=2 required=6.31 tests=[RCVD_IN_DNSWL_NONE=-0.0001, T_SURBL_MULTI1=0.01, T_URIBL_BLACK_OVERLAP=0.01, URIBL_BLACK=1.775, URIBL_JP_SURBL=0.336, URIBL_WS_SURBL=0.1533]
Fun times...
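As an added example (not from the original post), a small Python checker for the three forgery signs the headers above show: From equal to To, an envelope sender (Return-Path) domain that differs from the From domain, and an early hop whose HELO claims the local domain from an outside IP; it also walks the Received chain to the earliest outside hop. The sample headers, domains, IPs and ids are constructed placeholders, and the local domain example.net is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the forged message in the post: a bogus
# Return-Path, From == To, and an early hop whose HELO claims the local domain
# from an outside IP. Names, addresses, ids and IPs are placeholders.
SAMPLE = """\
Return-Path: <bogus@unrelated.example>
Received: from mx.relay.example (mx.relay.example [198.51.100.9])
\tby mail.example.net (Postfix) with ESMTP id ABC123 for <user@example.net>
Received: from 203.0.113.7(helo=example.net) by example.net with esmtpa
From: <user@example.net>
To: <user@example.net>
"""

# Postfix writes "from NAME (RDNS [IP])"; Exim writes "from IP(helo=NAME)".
POSTFIX_HOP = re.compile(r"from (\S+) \(\S* ?\[(\d+\.\d+\.\d+\.\d+)\]\)")
EXIM_HOP = re.compile(r"from (\d+\.\d+\.\d+\.\d+)\s*\(helo=([^)]+)\)")
INTERNAL = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
                                    "172.16.0.0/12", "192.168.0.0/16")]

def hops(received):
    """(helo_or_rdns_name, ip) for each Received value, newest hop first."""
    found = []
    for value in received:
        if m := POSTFIX_HOP.search(value):
            found.append((m.group(1), m.group(2)))
        elif m := EXIM_HOP.search(value):
            found.append((m.group(2), m.group(1)))
    return found

def analyse(raw, local_domain="example.net"):
    """Flag the forgery signs the post describes and locate the origin IP."""
    msg = message_from_string(raw)
    env, frm, to = (parseaddr(msg.get(n, ""))[1] for n in ("Return-Path", "From", "To"))
    domain = lambda a: a.rpartition("@")[2].lower()
    external = [(h, ip) for h, ip in hops(msg.get_all("Received", []))
                if not any(ip_address(ip) in n for n in INTERNAL)]
    return {
        "origin_ip": external[-1][1] if external else None,  # earliest outside hop
        "from_equals_to": bool(frm) and frm == to,
        "envelope_mismatch": domain(env) != domain(frm),
        "forged_helo": [(h, ip) for h, ip in external
                        if h.lower().rstrip(".") == local_domain],
    }
```

Run it on a suspect message's raw headers; a non-empty forged_helo together with from_equals_to is the pattern the post's SpamAssassin TO_EQ_FM_* hits are reacting to.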