Spam Forensics I

I’ve been getting a lot of these emails coming through my Gmail filters — and on searching, I found a lot more were caught. After a quick look around I found a blog post discussing the most recent barrage over at geofffox.com and decided to look into it more closely.

Here is the message in “original form” with headers (I modified the headers; see below):

Delivered-To: {my_name}@gmail.com
Received: by 10.216.17.75 with SMTP id i53cs3487wei;
        Fri, 24 Sep 2010 00:33:03 -0700 (PDT)
Received: by 10.223.114.194 with SMTP id f2mr3098412faq.71.1285313582949;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Return-Path: <{my_initials}+caf_={my_name}=gmail.com@{oneofmydomains.com}>
Received: from mail-fx0-f53.google.com (mail-fx0-f53.google.com [209.85.161.53])
        by mx.google.com with ESMTP id 15si1933947fax.156.2010.09.24.00.33.02;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Received-SPF: neutral (google.com: 209.85.161.53 is neither permitted nor denied by best guess record for domain of {my_initials}+caf_={my_name}=gmail.com@{oneofmydomains.com}) client-ip=209.85.161.53;
Authentication-Results: mx.google.com; spf=neutral (google.com: 209.85.161.53 is neither permitted nor denied by best guess record for domain of {my_initials}+caf_={my_name}=gmail.com@{oneofmydomains.com}) smtp.mail={my_initials}+caf_={my_name}=gmail.com@{oneofmydomains.com}
Received: by mail-fx0-f53.google.com with SMTP id 14so1830412fxm.12
        for <{my_name}@gmail.com>; Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Received: by 10.223.104.71 with SMTP id n7mr3115235fao.27.1285313582681;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
X-Forwarded-To: {my_name}@gmail.com
X-Forwarded-For: {my_initials}@{oneofmydomains.com} {my_name}@gmail.com
Delivered-To: archellian001@{oneofmydomains.com}
Received: by 10.223.108.197 with SMTP id g5cs3379fap;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Received: by 10.101.69.6 with SMTP id w6mr3307377ank.207.1285313582003;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Return-Path: <brushwoodzd279@rotulosjethro.com>
Received: from ARDBVPNZJS ([117.196.230.243])
        by mx.google.com with ESMTP id c4si4326905anc.186.2010.09.24.00.32.03;
        Fri, 24 Sep 2010 00:33:01 -0700 (PDT)
Received-SPF: neutral (google.com: 117.196.230.243 is neither permitted nor denied by best guess record for domain of brushwoodzd279@rotulosjethro.com) client-ip=117.196.230.243;
Received: from 5802.rotulosjethro.com ([207.171.164.40])
	by rotulosjethro.com with esmtp (Exim 4.69)
	id C5B7C3-A452D9-9E
	for ashleybentley@sammyk.com; Fri, 24 Sep 2010 13:01:19 +0530
Date: Fri, 24 Sep 2010 13:01:19 +0530
From: "Barbra Ladner" <brushwoodzd279@rotulosjethro.com>
To: ashleybentley@sammyk.com
Message-ID: <74583179.15516372984772561261.JavaMail.abhi114b879f20@rotulosjethro.com>
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_023295_191642150.1971937775771"

------=_Part_023295_191642150.1971937775771
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Please find attached my CV for your attention.

------=_Part_023295_191642150.1971937775771
Content-Type: text/html; name="78238doc.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="78238doc.html"

(Base64 encoded data here)

------=_Part_023295_191642150.1971937775771--

First of all, I forward all mail sent to any address at one of my domains to my personal Gmail address. That means that legitimate email addresses and random strings both end up headed to my Gmail account. (I then employ a whitelist filter in Gmail.) But to avoid having the email addresses scooped up by spiders, I edited them in the header with tags like {my_name}, {my_initials} and {oneofmydomains.com}.

The email address it was sent to was archellian001@{oneofmydomains.com}, and archellian001 is called the “local-part” in email lingo. In this case, the local-part is clearly just a random string (a name?) and some numbers. Nothing on that domain would suggest archellian would be a good name to choose.

The return path and sender are both listed as: brushwoodzd279@rotulosjethro.com — likely a forgery.

Starting at the beginning of the email’s life, we see:

Received: from 5802.rotulosjethro.com ([207.171.164.40])
	by rotulosjethro.com with esmtp (Exim 4.69)
	id C5B7C3-A452D9-9E
	for ashleybentley@sammyk.com; Fri, 24 Sep 2010 13:01:19 +0530

Now 207.171.164.40 traces back to mm-notify-out-1102.amazon.com, and a DNS lookup for mm-notify-out-1102.amazon.com confirmed this: it indeed returned 207.171.164.40. I also tried a DNS lookup for 5802.rotulosjethro.com, which failed, and for rotulosjethro.com, which returned an ISP in Spain. So this adds credibility to the idea that this whole hop is a forgery, but we’ll know better soon.

The next hop reports,

Received: from ARDBVPNZJS ([117.196.230.243])
        by mx.google.com with ESMTP id c4si4326905anc.186.2010.09.24.00.32.03;
        Fri, 24 Sep 2010 00:33:01 -0700 (PDT)

We can be relatively certain this hop is not a forgery. The reason is that the receiving server reports itself as mx.google.com, and recall that the email was sent to {oneofmydomains.com}, whose mail is received by Google; this line was therefore written by Google’s own server, not supplied by the sender.

So far, the reported path was:

5802.rotulosjethro.com ([207.171.164.40])   ->   rotulosjethro.com
ARDBVPNZJS ([117.196.230.243])   ->   mx.google.com

So either:

  1. The Amazon IP address (207.171.164.40) actually did send the email to ARDBVPNZJS (117.196.230.243) (perhaps an Amazon Web Hosting client) and the DNS settings and mail records of rotulosjethro.com have changed since.
  2. 117.196.230.243 is the originating sender who forged the first receipt header.

Most likely it’s the second case. A test to see if 117.196.230.243 was up showed that it did not respond to ping or to attempts to open a connection on port 22 (SSH) or 25 (SMTP); this seems unlikely for a legitimate mail server. Further tests show that the IP is registered to BSNL, an Indian ISP.
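The hop-by-hop reasoning above can be mechanised. The following is an added example (not code from the original post): it parses the three Received lines from the message, orders them oldest-first, finds the first hop stamped by a server we trust (Google’s MX), treats everything before that as sender-supplied and therefore unverifiable, and reports the timing gaps between hops. The sample headers are the ones from the post, embedded as a constructed string; the function and variable names are my own.

```python
import email
import re
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample: the three Received lines from the message above, newest
# first as they appear in a real message (only headers; no body needed).
RAW_HEADERS = """\
Received: from mail-fx0-f53.google.com (mail-fx0-f53.google.com [209.85.161.53])
        by mx.google.com with ESMTP id 15si1933947fax.156.2010.09.24.00.33.02;
        Fri, 24 Sep 2010 00:33:02 -0700 (PDT)
Received: from ARDBVPNZJS ([117.196.230.243])
        by mx.google.com with ESMTP id c4si4326905anc.186.2010.09.24.00.32.03;
        Fri, 24 Sep 2010 00:33:01 -0700 (PDT)
Received: from 5802.rotulosjethro.com ([207.171.164.40])
\tby rotulosjethro.com with esmtp (Exim 4.69)
\tid C5B7C3-A452D9-9E
\tfor ashleybentley@sammyk.com; Fri, 24 Sep 2010 13:01:19 +0530
"""

# Matches "from <host> (... [<ip>]) ... by <host>"; re.S spans folded lines.
HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d+\.\d+\.\d+\.\d+)\].*?\bby\s+(\S+)", re.S)

def parse_hops(raw):
    """Return hops oldest-first as (from_host, from_ip, by_host, timestamp)."""
    msg = email.message_from_string(raw, policy=default)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(hdr))
        when = parsedate_to_datetime(str(hdr).rsplit(";", 1)[1].strip())
        hops.append((m.group(1), m.group(2), m.group(3).rstrip(";"), when))
    return hops

def trust_boundary(hops, trusted_domain):
    """Index of the first hop stamped by a server we trust (here Google's MX);
    every hop before it is sender-supplied text and may be forged."""
    for i, (_, _, by_host, _) in enumerate(hops):
        if by_host == trusted_domain or by_host.endswith("." + trusted_domain):
            return i
    return None

def origin_ip(hops, trusted_domain):
    """Client IP recorded by the first trusted server: the real submitting host."""
    i = trust_boundary(hops, trusted_domain)
    return None if i is None else hops[i][1]

def hop_delays(hops):
    """Seconds between consecutive hops; a large or negative gap is a red flag."""
    return [int((b[3] - a[3]).total_seconds()) for a, b in zip(hops, hops[1:])]
```

For this message the trust boundary is the ARDBVPNZJS hop, so 117.196.230.243 is the only connecting address we can actually vouch for; the Amazon hop sits below it and is just text the sender wrote.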

Also note where gmail checked the SPF record of rotulosjethro.com:

Received-SPF: neutral (google.com: 117.196.230.243 is neither permitted nor denied by best guess record for domain of brushwoodzd279@rotulosjethro.com) client-ip=117.196.230.243;

This exposes one of the weaknesses of SPF. Although SPF can help prevent others from impersonating you or your domain, it does little to prevent spam. This is because all a spammer needs to do is find a domain that doesn’t have an SPF whitelist defined, so that SPF checks return neutral, and use that domain name to send out an unlimited number of emails. As long as one domain has yet to implement an SPF whitelist, SPF will not be effective against this sort of forgery spam.
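To make the neutral-result problem concrete, here is an added toy SPF evaluator (my own example, not from the post, and not a full RFC 7208 implementation: it handles only the ip4 and all mechanisms, and the record table is a constructed stand-in for DNS rather than a real lookup). It shows that a domain with no record, or with a ?all policy, gives a receiver no grounds to refuse mail from 117.196.230.243, while only a domain that publishes -all does.

```python
import ipaddress

# Constructed stand-ins for DNS TXT lookups (no real DNS is queried).
# rotulosjethro.com deliberately has no record, matching the header above.
SPF_RECORDS = {
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",    # only 192.0.2.0/24 may send
    "lenient.example": "v=spf1 ip4:192.0.2.0/24 ?all",   # anyone else is merely neutral
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Toy SPF evaluator supporting only ip4 and all (RFC 7208 result names)."""
    record = records.get(domain)
    if record is None:
        return "none"          # no policy published: nothing to check against
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if terms[0] != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech == "all":
            return QUALIFIERS[qual]
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
        else:
            raise ValueError("mechanism not supported by this toy: " + mech)
    return "neutral"           # no mechanism matched (RFC 7208 section 4.7)

def receiver_action(result):
    """What a receiving MTA can justify on the SPF result alone."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "mark"
    return "accept"            # pass, neutral and none give no grounds to refuse
```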

I don’t see much else of interest in the headers: the message bounces around Gmail’s internal private networks and is ultimately delivered.

So then I decided to have a look into what the attachment contained….

Continue to Spam Forensics II

Posted Friday, September 24th, 2010 under networking.
