Re: [Declude.JunkMail] Message header review

2004-07-22 Thread Matt

I just tried to do a telnet session with this server and it requires
SMTP AUTH.  My feeling here is that there are enough Earthlink
customers out there that someone could quite easily generate lists of
hundreds of valid usernames and passwords from an AUTH attack on a
server such as this, and that this is what they have done.  Your mail
headers and the ones that I have seen show clearly that spam zombies
are sending E-mail directly through this server, and since this server
requires AUTH to do so, I am guessing that this is what they are
doing.  I first noticed this about a month ago, although at this moment
I can't guarantee it was the exact same machine at Earthlink that was
leaking the spam.

Here's the bad news about this server...it is a legitimate relay.
Yesterday's log shows a message that is definitely legitimate that
comes from this server (in addition to about 4 pieces of spam from the
Cyrillic Spammer who encodes subjects in Windows 1251 character sets and
sends in both English and Russian if this is the guy that I am thinking
it is).  Unfortunately I don't have a copy of that message so I can't
tell if it was relayed from another Earthlink server, or if it was
relayed directly from a client through that server and then to us.
Unless it is relayed from another server, you can't IPBYPASS it.

Note that there are other Earthlink servers that are also relaying
authenticated spam such as 207.217.120.220, 207.217.120.131,
207.217.120.227, etc.  All of the spam is from this Cyrillic Spammer
guy and it seems to be an issue with their entire mail server network.
If anyone thinks that there is an easy way to stop this from our
end...think again.  If someone hacks the AUTH in enough accounts,
you can set up networks of spam zombies to send in low enough volume
that you can bypass their automatic detection of such abuse (if it
exists at present).  In other words, it's totally up to Earthlink to
stem this abuse.

In the meantime since it seems to be completely isolated to this one
guy, here's a filter that can be used in JunkMail Pro v1.79i8 or higher:

# HACKEDEARTHLINK v1.0.0

REVDNS        END    NOTENDSWITH    .earthlink.net
MAILFROM    END    CONTAINS    earthlink

SUBJECT        10    CONTAINS    =?windows-1251?b?


This filter will work because he randomizes his Mail From address so it
will frequently be from another domain.  I would consider it to be
quite safe to score high.  The only time you should get a false
positive is when an Earthlink customer relays E-mail that is Windows
1251 encoded through their servers and has configured their mail client
to use a different domain name.  In other words, this is about as safe
of a filter as they come.  Let's hope that other spammers are slower in
picking up on the AUTH hacking bandwagon and that ISPs put in place
proper E-mail intrusion detection systems.

Matt

Brad Morgan wrote:

> > Earthlink has for some reason been forwarding spam through this
> > server for some time.  I'm not sure what the setup is, but it's
> > a legitimate Earthlink server and the E-mail originates from a
> > spam zombie.
> >
> > I have thought about IPBYPASS'ing this server in order to capture
> > the real source, but I have yet to confirm if this server is just
> > used for forwarding or what the case may be.  It could be that
> > this is an open relay, a forwarding server, or a full fledged mail
> > server.  I am guessing the first.
> >
> > Matt
>
> Can't you use abuse.net's open relay test to determine if it's as
> simple as an open relay?
>
> I tried and it appears to not be an open relay, but I'm not an
> expert at these things so I may not understand what I'm doing.
>
> Regards,
>
> Brad
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

-- 
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
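Matt's point about compromised AUTH accounts is that each zombie sends too little for a per-IP volume threshold to notice, so the account is the thing to watch. The following is an added example (not code from the thread, from Declude or from Earthlink) of that account-centric check: it parses successful SMTP AUTH events from a log, groups them by username, and flags an account that authenticates from more than a handful of unrelated /24 networks inside a 24-hour window. The log format, usernames and every log line are constructed for the example; only the zombie IP 68.235.252.102 comes from the headers quoted in the thread.

```python
"""Account-centric detection of abused SMTP AUTH credentials.

Added example. A per-IP rate limit misses a zombie that sends one or two
messages, but the shared account shows up as one username logging in from
many networks in a short time. Log format and lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<date> <time> auth=OK user=<name> ip=<addr>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) auth=OK "
    r"user=(?P<user>\S+) ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: "alice" is abused by six zombies in six networks,
# one or two messages each; "bob" merely roams between home and work.
SAMPLE_LOG = """\
2004-07-22 00:56:07 auth=OK user=alice ip=68.235.252.102
2004-07-22 01:10:41 auth=OK user=bob ip=24.10.1.7
2004-07-22 01:12:03 auth=OK user=alice ip=12.34.56.78
2004-07-22 02:30:00 auth=OK user=alice ip=192.0.2.15
2004-07-22 03:45:12 auth=OK user=bob ip=24.10.1.7
2004-07-22 04:01:55 auth=OK user=alice ip=198.51.100.200
2004-07-22 05:20:09 auth=OK user=alice ip=203.0.113.9
2004-07-22 06:07:31 auth=OK user=alice ip=203.0.113.9
2004-07-22 07:59:40 auth=OK user=alice ip=66.77.88.99
2004-07-22 09:00:00 auth=OK user=bob ip=131.107.5.5
2004-07-22 09:15:22 auth=FAIL user=alice ip=66.77.88.99
"""


def parse_auth_log(text):
    """Return (timestamp, user, ip) for every successful AUTH line.

    Lines that do not match the pattern (for example auth=FAIL) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def slash24(ip):
    """Collapse an IPv4 address to its /24 so that a DHCP renumbering on the
    same home network does not count as a new location."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def per_ip_volume(events):
    """Messages per connecting IP: the view a per-IP threshold would see."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return dict(counts)


def flag_shared_accounts(events, window=timedelta(hours=24), max_networks=3):
    """Return {user: networks_seen} for each account that authenticated from
    more than max_networks distinct /24s within any sliding window."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, slash24(ip)))

    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({net for _, net in hits[start:end + 1]}) > max_networks:
                flagged[user] = {net for _, net in hits}  # report every network seen
                break
    return flagged


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    print("per-IP volume (nothing above 2):", per_ip_volume(ev))
    print("accounts used from many networks:", flag_shared_accounts(ev))
```

The threshold and window are deliberately simple knobs; a mail operator would tune them against their own roaming population, and would normally act on a hit by forcing a password change rather than blocking the relay, since the relay itself is legitimate.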
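A runnable model of the HACKEDEARTHLINK filter above, added here as an example; it is not Matt's code or Declude's. It assumes Declude's filter-file semantics as this editor understands them (a line whose weight is END stops the filter with no score when it matches, other matching lines add their weight, and string comparisons are case-insensitive) and feeds the three lines the values Declude would inspect. The sample messages are constructed except for the relay hostname quoted in the thread, and the windows-1251 subject is a constructed encoded word, not the one from the spam.

```python
"""Model of the HACKEDEARTHLINK filter posted above.

Added example, not Declude code. It shows why the filter fires on the
relayed spam, why legitimate Earthlink senders are exempted, and where
the one false positive Matt describes comes from. Semantics assumed:
weight END stops the filter on a match; matches are case-insensitive.
"""

# (test, weight, action, value) exactly as in the posted filter.
HACKEDEARTHLINK = [
    ("REVDNS",   "END", "NOTENDSWITH", ".earthlink.net"),
    ("MAILFROM", "END", "CONTAINS",    "earthlink"),
    ("SUBJECT",  10,    "CONTAINS",    "=?windows-1251?b?"),
]


def line_matches(action, field, value):
    """Evaluate one filter line against one header/envelope field."""
    f, v = field.lower(), value.lower()
    if action == "CONTAINS":
        return v in f
    if action == "NOTCONTAINS":
        return v not in f
    if action == "ENDSWITH":
        return f.endswith(v)
    if action == "NOTENDSWITH":
        return not f.endswith(v)
    raise ValueError("unsupported action: " + action)


def score(message, rules=HACKEDEARTHLINK):
    """Return the weight the filter assigns to a message.

    message maps Declude test names to the field they inspect:
    REVDNS = reverse DNS of the connecting IP, MAILFROM = envelope
    sender, SUBJECT = the raw, still RFC 2047 encoded Subject header.
    """
    total = 0
    for test, weight, action, value in rules:
        if not line_matches(action, message.get(test, ""), value):
            continue          # this line did not fire; try the next one
        if weight == "END":
            return 0          # an END line fired: filter stops, no score
        total += weight
    return total


# Constructed windows-1251 encoded word (the bytes of a Cyrillic greeting).
CYRILLIC_SUBJECT = "=?windows-1251?B?z/Do4uXy?="

# The spam in the thread: relayed by an Earthlink server, Cyrillic-encoded
# subject, randomized non-Earthlink envelope sender (sender constructed).
CYRILLIC_SPAM = {
    "REVDNS":   "asmtp-a063f33.pas.sa.earthlink.net",
    "MAILFROM": "camellia@example.com",
    "SUBJECT":  "SPAM: " + CYRILLIC_SUBJECT,
}

# A real Earthlink customer using the same encoding: the MAILFROM END
# line stops the filter, so no score (constructed).
LEGIT_EARTHLINK_CUSTOMER = {
    "REVDNS":   "asmtp-a063f33.pas.sa.earthlink.net",
    "MAILFROM": "someone@earthlink.net",
    "SUBJECT":  CYRILLIC_SUBJECT,
}

# The same subject arriving from a non-Earthlink relay: the REVDNS END
# line stops the filter, because the filter is only about Earthlink (constructed).
OTHER_RELAY = {
    "REVDNS":   "mail.example.org",
    "MAILFROM": "user@example.org",
    "SUBJECT":  CYRILLIC_SUBJECT,
}

# The false positive Matt describes: an Earthlink customer relaying
# windows-1251 mail through Earthlink but sending as their own domain (constructed).
VANITY_DOMAIN_CUSTOMER = {
    "REVDNS":   "asmtp-a063f33.pas.sa.earthlink.net",
    "MAILFROM": "ivan@example.net",
    "SUBJECT":  CYRILLIC_SUBJECT,
}

if __name__ == "__main__":
    for name in ("CYRILLIC_SPAM", "LEGIT_EARTHLINK_CUSTOMER",
                 "OTHER_RELAY", "VANITY_DOMAIN_CUSTOMER"):
        print(name, "->", score(globals()[name]))
```

The case-insensitive comparison matters in practice: the posted filter spells the marker `=?windows-1251?b?` while the headers in this thread use `?B?`, and the filter only catches them if the match ignores case.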




Re: [Declude.JunkMail] Message header review

2004-07-22 Thread i360 Support



I have forwarded several spam emails to [EMAIL PROTECTED] but the only response
I get back is that the email did not originate from their network.

It's really annoying that they don't give a shit.

I would have blocked them if it had not been for one of my clients needing
email from that server (they have a client that hosts with earthlink).

Thanks to all for the responses.

Heimir


- Original Message -
From: Matt
To: [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 4:07 PM
Subject: Re: [Declude.JunkMail] Message header review

> Earthlink has for some reason been forwarding spam through this
> server for some time.  I'm not sure what the setup is, but it's a
> legitimate Earthlink server and the E-mail originates from a spam
> zombie.
>
> I have thought about IPBYPASS'ing this server in order to
> capture the real source, but I have yet to confirm if this server is just used
> for forwarding or what the case may be.  It could be that this is an open
> relay, a forwarding server, or a full fledged mail server.  I am guessing
> the first.
>
> Matt
>
> i360 Support wrote:
>
> > Can someone help me with the header of this message.
> >
> > I think this came from earthlink.net mail server.
> > According to earthlink abuse they can't do anything about this type of
> > spam since it did not originate from their network.
> >
> > We get porn spam from this segment all the time.
> >
> > Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by deepspace.i360.net
> >  with ESMTP (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500
> > Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102])
> >  by asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34)
> >  id 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700
> > Message-ID: <[EMAIL PROTECTED]>
> > Reply-To: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
> > From: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
> > Subject: SPAM:
> > =?windows-1251?B?QnJpZGdldCBtb25yb2Ugc3Vja2luZyBhIGhhcmQgY29jayB2ZXJ5IGRlZXA=?=
> > Date: Thu, 22 Jul 2004 00:56:07 -0400
> > MIME-Version: 1.0
> > Content-Type: text/html;
> >  charset="windows-1251"
> > Content-Transfer-Encoding: 7bit
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook Express 6.00.2600.
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
> > X-ELNK-Trace:
> > 006cdaaeaf6f69a98241270f52c7d65b7e972de0d01da9401ceba94723fb6a47959954e32e1a9354350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
> > X-Originating-IP: 68.235.252.102
> > X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
> > X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
> > X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [840a].
> > X-Declude-Sender: [EMAIL PROTECTED] [207.217.120.149]
> > X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
> > X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, WEIGHT10 [11]
> > X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net
> > ([207.217.120.149]).
> > X-RCPT-TO: <[EMAIL PROTECTED]>
> > Status: U
> > X-UIDL: 384479918
>
> --
> =
> MailPure custom filters for Declude JunkMail Pro.
> http://www.mailpure.com/software/
> =


Re: [Declude.JunkMail] Message header review

2004-07-22 Thread R. Scott Perry

> Can someone help me with the header of this message.
> I think this came from earthlink.net mail server.
> According to earthlink abuse they can't do anything about this type of
> spam since it did not originate from their network.
>
> We get porn spam from this segment all the time.

You can always trust the IP address that IMail adds to the E-mail (which is
normally the top one).  In this case:

> Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by
> deepspace.i360.net with ESMTP
>   (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500

the IP is 207.217.120.149.  Although it *looks* like it came from
earthlink.net, you can't be sure from that header.  But looking at the
reverse DNS entry of that IP:

> X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net
> ([207.217.120.149]).

shows that it did indeed come from an IP that claims to be an Earthlink
IP.  It is technically possible that a spammer could forge the reverse DNS
entry, so you need to check that asmtp-a063f33.pas.sa.earthlink.net has an
A record of 207.217.120.149, or you can check the IPWHOIS information for
207.217.120.149.

   -Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers 
since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver 
vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
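Scott's procedure, as an added example that is not part of his post or of IMail/Declude: take the connecting IP that our own server recorded in the top Received header, look up its PTR name, and then confirm that the name's A record points back at the same IP (forward-confirmed reverse DNS), which is what defeats a forged PTR. The Received header is the one quoted in this thread. The resolver is injectable so the example runs offline; the answers in FAKE_DNS are constructed for it (the PTR reproduces Rod's dig -x output further down, the A record and the second, failing host are assumed). The IPWHOIS check Scott also mentions is not modelled.

```python
"""Forward-confirmed reverse DNS check for the top Received header.

Added example. Parses the Received header our own server wrote, then
checks PTR(ip) -> name and A(name) -> ip agree. DNS answers used here
are constructed; SystemResolver shows the real lookups.
"""
import re
import socket

# The top Received header from the message under discussion (from the thread).
TOP_RECEIVED = (
    "Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by "
    "deepspace.i360.net with ESMTP (SMTPD32-7.15) id A94339680150; "
    "Thu, 22 Jul 2004 10:12:03 -0500"
)

# "from <name> [ip] by <host>" with the IP in [] or ([]) as the two
# Received lines in the thread have it.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+[\[(]+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})[\])]+\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(header):
    """Return (claimed_name, ip, receiving_host) or None if it does not parse."""
    m = RECEIVED_RE.match(" ".join(header.split()))   # unfold the header
    if not m:
        return None
    return m["helo"], m["ip"], m["by"]


class DictResolver:
    """Offline stand-in for DNS: ptr = {ip: name}, a = {name: [ips]}."""

    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, name):
        return self.a.get(name.rstrip(".").lower(), [])


class SystemResolver:
    """Real lookups through the OS resolver (not used by the offline test)."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None

    def forward(self, name):
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET)
            return sorted({ai[4][0] for ai in infos})
        except OSError:
            return []


def fcrdns(ip, resolver):
    """Return (ok, ptr_name); ok is True only when the PTR name resolves back to ip."""
    name = resolver.reverse(ip)
    if not name:
        return False, None
    return ip in resolver.forward(name), name.rstrip(".")


def verify_top_hop(header, resolver):
    """Parse the header, run FCrDNS on the recorded IP, and also note whether
    the name the client announced matches the name DNS gives the IP."""
    parsed = parse_received(header)
    if parsed is None:
        return {"parsed": False}
    helo, ip, by = parsed
    ok, ptr = fcrdns(ip, resolver)
    return {
        "parsed": True, "ip": ip, "by": by, "helo": helo, "ptr": ptr,
        "fcrdns_ok": ok,
        "helo_matches_ptr": ok and ptr.lower() == helo.lower(),
    }


# Constructed answers: the PTR for 207.217.120.149 reproduces Rod's dig -x
# output; its A record is assumed. 198.51.100.7 has a PTR whose name does
# not point back at it, the forged-reverse-DNS case Scott warns about.
FAKE_DNS = DictResolver(
    ptr={"207.217.120.149": "asmtp-a063f33.pas.sa.earthlink.net.",
         "198.51.100.7": "mail.example.net."},
    a={"asmtp-a063f33.pas.sa.earthlink.net": ["207.217.120.149"],
       "mail.example.net": ["198.51.100.99"]},
)

if __name__ == "__main__":
    print(verify_top_hop(TOP_RECEIVED, FAKE_DNS))
    print(fcrdns("198.51.100.7", FAKE_DNS))   # PTR exists but does not confirm
```

Only the IP in the Received line that your own server wrote is trustworthy; every hop below it was supplied by the sender, so this check is run on the top hop and then repeated on lower hops only as a hint about the true origin, not as proof.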



RE: [Declude.JunkMail] Message header review

2004-07-22 Thread Brad Morgan
> Earthlink has for some reason been forwarding spam through this 
> server for some time.  I'm not sure what the setup is, but it's
> a legitimate Earthlink server and the E-mail originates from a 
> spam zombie.

> I have thought about IPBYPASS'ing this server in order to capture
> the real source, but I have yet to confirm if this server is just
> used for forwarding or what the case may be.  It could be that 
> this is an open relay, a forwarding server, or a full fledged mail
> server.  I am guessing the first.
>
> Matt
>
Can't you use abuse.net's open relay test to determine if it's as
simple as an open relay?

I tried and it appears to not be an open relay, but I'm not an
expert at these things so I may not understand what I'm doing.

Regards,

Brad 


Re: [Declude.JunkMail] Message header review

2004-07-22 Thread Matt

Earthlink has for some reason been forwarding spam through this server
for some time.  I'm not sure what the setup is, but it's a legitimate
Earthlink server and the E-mail originates from a spam zombie.

I have thought about IPBYPASS'ing this server in order to capture the
real source, but I have yet to confirm if this server is just used for
forwarding or what the case may be.  It could be that this is an open
relay, a forwarding server, or a full fledged mail server.  I am
guessing the first.

Matt



i360 Support wrote:

> Can someone help me with the header of this message.
>
> I think this came from earthlink.net mail server.
> According to earthlink abuse they can't do anything about this type of
> spam since it did not originate from their network.
>
> We get porn spam from this segment all the time.
>
> Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by
> deepspace.i360.net with ESMTP
>   (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500
> Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102])
>  by asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34)
>  id 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700
> Message-ID: <[EMAIL PROTECTED]>
> Reply-To: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
> From: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
> Subject: SPAM:
> =?windows-1251?B?QnJpZGdldCBtb25yb2Ugc3Vja2luZyBhIGhhcmQgY29jayB2ZXJ5IGRlZXA=?=
> Date: Thu, 22 Jul 2004 00:56:07 -0400
> MIME-Version: 1.0
> Content-Type: text/html;
>  charset="windows-1251"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
> X-ELNK-Trace:
> 006cdaaeaf6f69a98241270f52c7d65b7e972de0d01da9401ceba94723fb6a47959954e32e1a9354350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
> X-Originating-IP: 68.235.252.102
> X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
> X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
> X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [840a].
> X-Declude-Sender: [EMAIL PROTECTED] [207.217.120.149]
> X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
> X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, WEIGHT10 [11]
> X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net
> ([207.217.120.149]).
> X-RCPT-TO: <[EMAIL PROTECTED]>
> Status: U
> X-UIDL: 384479918






Re: [Declude.JunkMail] Message header review

2004-07-22 Thread Roderick A. Anderson
dig -x
;; ANSWER SECTION:
102.252.235.68.in-addr.arpa. 86286 IN   PTR
68-235-252-102.atlsfl.adelphia.net.

dig -x 207.217.120.149
;; ANSWER SECTION:
149.120.217.207.in-addr.arpa. 86400 IN  PTR
asmtp-a063f33.pas.sa.earthlink.net.

Seems it indicates so.

Rod
-- 

i360 Support wrote:

>Can someone help me with the header of this message.
>
>I think this came from earthlink.net mail server.
>According to earthlink abuse they can't do anything about this type of spam since it 
>did not originate from their network.
>
>We get porn spam from this segment all the time.
>
>
>
>
>Received: from asmtp-a063f33.pas.sa.earthlink.net [207.217.120.149] by 
>deepspace.i360.net with ESMTP
>  (SMTPD32-7.15) id A94339680150; Thu, 22 Jul 2004 10:12:03 -0500
>Received: from 68-235-252-102.atlsfl.adelphia.net ([68.235.252.102])
> by asmtp-a063f33.pas.sa.earthlink.net with asmtp (Exim 4.34)
> id 1BnfBN-00062N-F4; Thu, 22 Jul 2004 08:08:32 -0700
>Message-ID: <[EMAIL PROTECTED]>
>Reply-To: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
>From: "=?windows-1251?B?Y2FtZWxsaWE=?=" <[EMAIL PROTECTED]>
>Subject: SPAM: 
>=?windows-1251?B?QnJpZGdldCBtb25yb2Ugc3Vja2luZyBhIGhhcmQgY29jayB2ZXJ5IGRlZXA=?=
>Date: Thu, 22 Jul 2004 00:56:07 -0400
>MIME-Version: 1.0
>Content-Type: text/html;
> charset="windows-1251"
>Content-Transfer-Encoding: 7bit
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 6.00.2600.
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.
>X-ELNK-Trace: 
>006cdaaeaf6f69a98241270f52c7d65b7e972de0d01da9401ceba94723fb6a47959954e32e1a9354350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
>X-Originating-IP: 68.235.252.102
>X-RBL-Warning: NOABUSE: "Not supporting [EMAIL PROTECTED]"
>X-RBL-Warning: NOPOSTMASTER: "Not supporting [EMAIL PROTECTED]"
>X-RBL-Warning: BADHEADERS: This E-mail was sent from a broken mail client [840a].
>X-Declude-Sender: [EMAIL PROTECTED] [207.217.120.149]
>X-Note: This E-mail was scanned by Declude JunkMail (www.declude.com) for spam.
>X-Spam-Tests-Failed: NOABUSE, NOPOSTMASTER, BADHEADERS, WEIGHT10 [11]
>X-Note: This E-mail was sent from asmtp-a063f33.pas.sa.earthlink.net 
>([207.217.120.149]).
>X-RCPT-TO: <[EMAIL PROTECTED]>
>Status: U
>X-UIDL: 384479918
>  
>

-- 
Roderick A. Anderson
Project Manager
Technology Services Management Group 

Spokane WA, 99202

---
[This E-mail scanned for viruses by Declude Virus]