Re: Bogus mails from hijacked accounts

2010-03-13 Thread Benny Pedersen

On lør 13 mar 2010 02:14:02 CET, Michelle Konzack wrote


The problem is, according to the RFCs, ISPs must have an abuse address,
but have you ever tried this with a corporate domain?
Even postmaster is rejected on most domains.


report them on rfc-ignorant.org


Some time ago we had a problem on a bunch of Debian mailing lists with a
petsupermarket and after the ISP was not responsive, I spidered
their WHOLE website for corporate e-mail addresses and put all of them
in the Cc: of my ABUSE autoresponder...  which normally forwards this crap
only to the right abuse addresses...


this is only the website owner, not his hoster


After getting around 1800 spams over the Debian mailing lists, which were
multiplied by a factor of 37 by me with a friendly text asking the recipients
to contact their colleagues to stop their spamming customer


way to go there


Around 2 days later the offending customer's domain was offline after
more than one year of spamming.


super


I think my 37 x 1800 abuse mails hit the nerve of someone!


corp with did no log scan


The problem is now, such idiots require heavy manual intervention.


from.pm solves it for me

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Bogus mails from hijacked accounts

2010-03-13 Thread Michelle Konzack
Good evening,

Am 2010-03-13 14:46:35, schrieb Benny Pedersen:
 report them on rfc-ignorant.org

I know it, but the way you have to report it is too long...

 Some time ago we had a problem on a bunch of Debian mailing lists with a
 petsupermarket and after the ISP was not responsive, I spidered
 their WHOLE website for corporate e-mail addresses and put all of them
 in the Cc: of my ABUSE autoresponder...  which normally forwards this crap
 only to the right abuse addresses...
 this is only the website owner, not his hoster

Oops, I mean, I have sent the messages to the hoster, which is the biggest
ISP of Brazil, since ANY messages to petsupermarket failed and
ab...@hoster was not responsive.

So, writing to ANY employees of a hoster will hopefully work.
It is nearly impossible that 100% of the staff is incompetent.

 I think my 37 x 1800 abuse mails hit the nerve of someone!
 corp with did no log scan

ACK!  --  Unfortunately I know many of them.

 The problem is now, such idiots require heavy manual intervention.
 from.pm solves it for me

Unfortunately the attempts of the Debian Listmasters to
contact petsupermarket were not successful.

Sometimes it requires the HAMMER method.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   Apt. 917
http://www.flexray4linux.org/   50, rue de Soultz
Jabber linux4miche...@jabber.ccc.de   67100 Strasbourg/France
IRC#Debian (irc.icq.com)  Tel. DE: +49 177 9351947
ICQ#328449886 Tel. FR: +33  6  61925193




Re: Bogus mails from hijacked accounts

2010-03-12 Thread ram

On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote:
 We seem to be having a problem where clients that we interact with
 regularly are having their hotmail/gmail/yahoo accounts hijacked.  We
 are receiving e-mails from their accounts that legitimately go through
 the correct servers (hotmail,yahoo, etc.) and so they get passed through
 our spam filters.  The messages have different bodies but basically say
 the same thing that they were on vacation and had all their money stolen
 so they need to have money wire transferred to them.
 
 Obviously we just have to tell the clients that they need to deal with
 the various e-mail providers, but is there an effective way that I can
 filter these messages out before my users see them without blacklisting
 the address?  In one case I had probably 15 users that received the same
 message and naturally they freaked out.
 

Why only free accounts? The 419'ers hijack legitimate corporate
accounts too. Again, as the IPs have good reputation and the mails land in
the inbox,
I think the only way of handling this is to send proper abuse reports.

Probably the free mail providers are less responsive to abuse reports
than corporate ones.

Thanks
Ram





Re: Bogus mails from hijacked accounts

2010-03-12 Thread Dennis B. Hopp

 describe FORGED_HOTMAIL   Hotmail with non-Hotmail Reply-to address
 header   __FORGED_HM1     From =~ /\@hotmail\.com/i
 header   __FORGED_HM2     Reply-to =~ /\@hotmail\.com/i
 meta     FORGED_HOTMAIL   (__FORGED_HM1 && !__FORGED_HM2)
 score    FORGED_HOTMAIL   5.0
 
 and write cookie cutter rules for Yahoo and Gmail. 
 
 OTOH if you're happy that a Japanese test won't generate FPs you can
 cover all three ISPs with one rule:  
 
 describe FORGED_FROM Hotmail, Yahoo or Google with Japanese Reply-to
 header   __FF1       From =~ /\@(hotmail|yahoo|gmail)\.com/i
 header   __FF2       Reply-to =~ /\.jp/i
 meta     FORGED_FROM (__FF1 && __FF2)
 score    FORGED_FROM 5.0
 
 Of course, if it's just a few Japanese ISPs being used you can easily
 make __FF2 more specific.
 

I tried this for yahoo...

describe FORGED_YAHOO Yahoo with non-Yahoo Reply-to address
header   __FORGED_YH1 From =~ /\@yahoo\.com/i
header   __FORGED_YH2 Reply-to =~ /\@yahoo\.com/i
meta     FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2)
score    FORGED_YAHOO 0.25

And it triggered on a message with the following header

http://pastebin.com/qs18DpYn

My best guess is it is using the In-Reply-To header...is there a way
to differentiate In-Reply-To and Reply-To ?

Thanks,

--Dennis



Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Charles Gregory

On Fri, 12 Mar 2010, Dennis B. Hopp wrote:

describe FORGED_YAHOO Yahoo with non-Yahoo Reply-to address
header   __FORGED_YH1 From =~ /\@yahoo\.com/i
header   __FORGED_YH2 Reply-to =~ /\@yahoo\.com/i
meta     FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2)


The problem with this is that the !__FORGED_YH2 matches
when there is *NO* Reply-To header at all!

You need something like this:

header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
meta   FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2)

(remove the negation from the meta)
This directly tests for an existing Reply-To specifically to a domain
that does not begin with 'yaho'.

However, keep in mind that the headers for *this* mailing list would
trigger your rule. So you will also need to meta this with a rule that
tests for a Yahoo mail server being the sending SMTP client.


Gets tricky, doesn't it?

- C



Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Dennis B. Hopp


 The problem with this is that the !__FORGED_YH2 matches
 when there is *NO* Reply-To header at all!
 
 You need something like this:
 
 header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
 meta   FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2)
 
 (remove the negation from the meta)
 This directly tests for an existing Reply-To specifically to a domain
 that does not begin with 'yaho'.

Wouldn't that meta rule trigger when the reply-to contained 'yaho'?  I
want to trigger when the from contains yahoo.com and the reply-to does
not.

 
 However, keep in mind that the headers for *this* mailing list would 
 trigger your rule. So you will also need to meta this with a rule that 
 tests for yahoo mail server being the sending SMTP client
 

Good point.  I didn't think about that..

--Dennis



Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Dennis B. Hopp

On Fri, 2010-03-12 at 12:52 -0600, Dennis B. Hopp wrote:
 
  The problem with this is that the !__FORGED_YH2 matches
  when there is *NO* Reply-To header at all!
  
  You need something like this:
  
  header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
  meta   FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2)
  
  (remove the negation from the meta)
  This directly tests for an existing Reply-To specifically to a domain
  that does not begin with 'yaho'.
 
 Wouldn't that meta rule trigger when the reply-to contained 'yaho'?  I
 want to trigger when the from contains yahoo.com and the reply-to does
 not.

Never mind... the '^' inside brackets negates... I get it now.



Re: [sa] Re: Bogus mails from hijacked accounts

2010-03-12 Thread Karsten Bräckelmann
On Fri, 2010-03-12 at 13:19 -0500, Charles Gregory wrote:
  describe FORGED_YAHOO Yahoo with non-Yahoo Reply-to address
  header   __FORGED_YH1 From =~ /\@yahoo\.com/i
  header   __FORGED_YH2 Reply-to =~ /\@yahoo\.com/i
  meta     FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2)
 
 The problem with this is that the !__FORGED_YH2 matches
 when there is *NO* Reply-To header at all!
 
 You need something like this:
 
 header __FORGED_YH2 Reply-To =~ /\@([^y]|y[^a]|ya[^h]|yah[^o])/i
 meta   FORGED_YAHOO (__FORGED_YH1 && __FORGED_YH2)

Creative...

However, a better and likely more comprehensible solution would be to
add an if-unset constraint to the previous rule-set. :)  Adding
  [if-unset: @yahoo.com]

at the end of the YH2 rule will prevent the match on a missing Reply-To
header, by faking one in its absence.


Of course, there's also always the solution of adding another sub-rule
to the meta that tests a header for existence.
  header __HAS_REPLY_TO  exists:Reply-To

But that's just plain boring rules, no funky REs there. Sorry. ;)

  guenther


-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Bogus mails from hijacked accounts

2010-03-12 Thread Michelle Konzack
Hello,

Am 2010-03-12 13:38:57, schrieb Benny Pedersen:
 On tor 11 mar 2010 19:52:01 CET, Michelle Konzack wrote
 
 I mean, on one of my domains, tdwave.net, it should ALWAYS be the same
 From: and Reply-To:.
 
 i have a plugin that does this, contact me offlist if you like to
 have it, it's alpha stable here, warning i am not a perl geek yet :=)
 
 but why not remove reply-to in all outgoing mails?, and make sure
 all users need to verify the reply-to email is their own, still not
 perfect but tightens it more

I mean exactly: IF Reply-To: is set, verify that it matches the sender,
and reject it if it does not match From:.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   Apt. 917
http://www.flexray4linux.org/   50, rue de Soultz
Jabber linux4miche...@jabber.ccc.de   67100 Strasbourg/France
IRC#Debian (irc.icq.com)  Tel. DE: +49 177 9351947
ICQ#328449886 Tel. FR: +33  6  61925193




Re: Bogus mails from hijacked accounts

2010-03-12 Thread Michelle Konzack
Hello,

Am 2010-03-12 18:24:14, schrieb ram:
 Why only free accounts? The 419'ers hijack legitimate corporate
 accounts too. Again, as the IPs have good reputation and the mails land in
 the inbox,
 I think the only way of handling this is to send proper abuse reports.
 
 Probably the free mail providers are less responsive to abuse reports
 than corporate ones.

The problem is, according to the RFCs, ISPs must have an abuse address,
but have you ever tried this with a corporate domain?

Even postmaster is rejected on most domains.

Some time ago we had a problem on a bunch of Debian mailing lists with a
petsupermarket and after the ISP was not responsive, I spidered
their WHOLE website for corporate e-mail addresses and put all of them
in the Cc: of my ABUSE autoresponder...  which normally forwards this crap
only to the right abuse addresses...

After getting around 1800 spams over the Debian mailing lists, which were
multiplied by a factor of 37 by me with a friendly text asking the recipients
to contact their colleagues to stop their spamming customer

Around 2 days later the offending customer's domain was offline after
more than one year of spamming.

I think my 37 x 1800 abuse mails hit the nerve of someone!

The problem is now, such idiots require heavy manual intervention.

The only solution is:

1)  Check whether a Reply-To: is set
2)  If not, continue normally.
3)  If yes, check it against the From: and
    if it is different, reject this crap

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   Apt. 917
http://www.flexray4linux.org/   50, rue de Soultz
Jabber linux4miche...@jabber.ccc.de   67100 Strasbourg/France
IRC#Debian (irc.icq.com)  Tel. DE: +49 177 9351947
ICQ#328449886 Tel. FR: +33  6  61925193


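The Reply-To checks argued over in this thread, as an added example that is not code from the thread or from SpamAssassin: the naive negated meta (which fires when no Reply-To: exists at all, as Charles points out), Michelle's three-step check-if-set procedure for any sender domain, and a freemail-scoped version. The sample headers are constructed; the List-Id exemption for mailing-list traffic is my assumption, not something the thread proposes.

```python
"""Reply-To versus From consistency checks for the freemail-hijack scam.

Added example, not code from the SpamAssassin thread.  It implements the
procedure Michelle describes (flag only when a Reply-To: is present AND its
domain differs from From:) and contrasts it with the naive meta rule
(__FORGED_HM1 && !__FORGED_HM2), which also fires when there is no
Reply-To: header at all.  All sample headers are constructed; the List-Id
exemption is an assumption added here, not taken from the thread.
"""
from email import message_from_string
from email.utils import parseaddr

FREEMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}


def addr_domain(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def naive_rule(msg):
    """Equivalent of (__FORGED_HM1 && !__FORGED_HM2) with no existence test:
    From is freemail AND Reply-To is NOT the same freemail domain.
    The negation also succeeds on a missing header, so a plain reply that
    carries only In-Reply-To: (and no Reply-To:) is flagged as well."""
    from_dom = addr_domain(msg.get("From"))
    reply_dom = addr_domain(msg.get("Reply-To"))   # exact header; In-Reply-To is not consulted
    return from_dom in FREEMAIL_DOMAINS and reply_dom != from_dom


def strict_rule(msg):
    """Michelle's three steps, for any sender domain:
    1) is Reply-To: set?  2) no -> continue normally;
    3) yes -> compare with From: and flag if the domains differ."""
    reply_dom = addr_domain(msg.get("Reply-To"))
    if reply_dom is None:
        return False
    return reply_dom != addr_domain(msg.get("From"))


def freemail_forged_rule(msg):
    """strict_rule scoped to freemail senders (the if-unset / exists:Reply-To
    fix from the thread), minus list traffic: mailing lists legitimately
    rewrite Reply-To, so a List-Id: header exempts the message (assumption)."""
    if msg.get("List-Id"):
        return False
    from_dom = addr_domain(msg.get("From"))
    return from_dom in FREEMAIL_DOMAINS and strict_rule(msg)


# Constructed sample headers; all addresses are placeholders.
SCAM = message_from_string(
    "From: Alice <alice@hotmail.com>\n"
    "Reply-To: alice.helpme@yahoo.cn\n"
    "To: bob@example.net\n"
    "Subject: Help! I was robbed\n\n"
    "Please send money via Western Union.\n")

PLAIN_REPLY = message_from_string(
    "From: Alice <alice@hotmail.com>\n"
    "To: bob@example.net\n"
    "In-Reply-To: <1234@example.net>\n"
    "Subject: Re: lunch\n\n"
    "Sure, noon works.\n")

WEB_FORM = message_from_string(
    "From: webform@example.org\n"
    "Reply-To: visitor@customer.example\n"
    "To: sales@example.org\n"
    "Subject: Contact form\n\n"
    "I have a question.\n")

LIST_MAIL = message_from_string(
    "From: Carol <carol@yahoo.com>\n"
    "Reply-To: users@lists.example.com\n"
    "List-Id: <users.lists.example.com>\n"
    "To: users@lists.example.com\n"
    "Subject: rule question\n\n"
    "How do I write a meta rule?\n")


def evaluate(msg):
    """Run all three checks on one message; returns a dict of rule -> hit."""
    return {
        "naive": naive_rule(msg),
        "strict": strict_rule(msg),
        "freemail_forged": freemail_forged_rule(msg),
    }


if __name__ == "__main__":
    for name, m in [("scam", SCAM), ("plain_reply", PLAIN_REPLY),
                    ("web_form", WEB_FORM), ("list_mail", LIST_MAIL)]:
        print(f"{name:12s} {evaluate(m)}")
```

The plain reply shows the false positive of the naive rule; the web form shows Wolfgang's legitimate From/Reply-To mismatch, which only the unscoped strict check flags.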


Re: Bogus mails from hijacked accounts

2010-03-12 Thread hamann . w
Michelle Konzack wrote:
 
 I mean exactly, IF Reply-To: is set, verify, that it match the sender,
 otherwise reject if it does not match From:.
 
 Thanks, Greetings and nice Day/Evening
 Michelle Konzack
 Systemadministrator
 24V Electronic Engineer
 Tamay Dogan Network
 Debian GNU/Linux Consultant
 
Hi Michelle,

what exactly is wrong with a reply-to that is not the sender?
Of course, I cannot see much sense in a private email sent from hotmail.jp
and wanting replies to yahoo.cn.
On the other side, it is a natural way for somebody's web forms: the from
should be valid, so it would match the webserver, and the reply-to is the
person completing the form.

Wolfgang



Re: Bogus mails from hijacked accounts

2010-03-11 Thread Ned Slider

David B Funk wrote:

On Wed, 10 Mar 2010, Dennis B. Hopp wrote:


I have put a sample at:

http://pastebin.com/9BDXrxmm

Note I did change the real e-mail address in this message but the
hotmail address used is valid just masked.


Look at that X-Originating-IP: [41.155.87.236] header, it's a dial-up
pool in Lagos Nigeria.

It may seem stereotyped, but it's amazing the percentage of this kind
of spam that -does- come out of that part of the world.



How about:

# Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
describe LOCAL_ORIG_FROM_41  Originates from 41.0.0.0/8
header   LOCAL_ORIG_FROM_41  X-Originating-IP =~ /\[41\./

Unless you're expecting mail originating from Africa, you can go further
and detect all mail injected from 41/8 with few FPs.


# Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
describe LOCAL_RCVD_FROM_41  Received from 41.0.0.0/8
header   LOCAL_RCVD_FROM_41  Received =~ /\[41\./

I've found these safe to score quite highly, but YMMV so score as suits 
your mail flow.





Re: Bogus mails from hijacked accounts

2010-03-11 Thread Brian
On Thu, 2010-03-11 at 12:26 +, Ned Slider wrote:
 David B Funk wrote:
  On Wed, 10 Mar 2010, Dennis B. Hopp wrote:
 
  I have put a sample at:
 
  http://pastebin.com/9BDXrxmm
 
  Note I did change the real e-mail address in this message but the
  hotmail address used is valid just masked.
  
   Look at that X-Originating-IP: [41.155.87.236] header, it's a dial-up
   pool in Lagos Nigeria.
  
  It may seem stereotyped, but it's amazing the percentage of this kind
  of spam that -does- come out of that part of the world.
  
 
 How about:
 
  # Catch spam originating from 41.0.0.0/8 (Africa, incl S.Africa)
  describe LOCAL_ORIG_FROM_41  Originates from 41.0.0.0/8
  header   LOCAL_ORIG_FROM_41  X-Originating-IP =~ /\[41\./
 
  Unless you're expecting mail originating from Africa, you can go further
  and detect all mail injected from 41/8 with few FPs.
 
  # Catch spam injected from 41.0.0.0/8 (Africa, incl S.Africa)
  describe LOCAL_RCVD_FROM_41  Received from 41.0.0.0/8
  header   LOCAL_RCVD_FROM_41  Received =~ /\[41\./
 
 I've found these safe to score quite highly, but YMMV so score as suits 
 your mail flow.
 
 
Good quality advice from Ned (LOL). Just make sure none of your users
will be communicating with South Africa during the world cup..



Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp

 1)  Spammers rotate sender addresses and hijacked account info more 
 often than most of us change our underwear.  An account *may* get 
 reused;  chances are it'll be months before it does, and the spammers 
 will have rotated through hundreds or thousands of others - both 
 phish-cracked and those set up just to send their junk.  Blacklisting a 
 sender is reduced to blocking the persistent friend-of-a-friend who 
 refuses to remove you from the endless stream of chain-forwards, and 
 legitimate-but-totally-clueless mailing list operators who can't figure 
 out how to unsubscribe you from their list.  :(
 
 2)  You noted originally that these appear to be fully legitimate 
 freemail accounts, legitimately used in the past to correspond with your 
 customers/clients, that have been compromised and then used to send 
 spam.  How do you propose to still allow the legitimate account holders 
 to email your clients if you blacklist the sender?
 

I don't want to blacklist the address, hence the reason why in my
original e-mail I said other than blacklisting.  I know blacklisting
would block these bogus e-mails as well as legit e-mails as soon as the
clients get access back (they currently don't have access to their
accounts because their passwords have been changed).  


 
 Martin's suggestion followup should point you in the right direction. 
 Sets of phrase rules (how similar are these messages?  do you have ten 
 or fifteen you can compare sentence-by-sentence?) with low scores will 
 likely help some too.  Meta rules that bump the score up depending on 
 how many phrases hit, or phrase+mismatched-sender/reply also work 
 tolerably well on this class of spam... if you can get enough samples to 
 build a complete enough set of phrase rules.

I'm going to look at what Martin suggested and compare it to what
samples I have.

Thanks,

--Dennis




Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp

 It's not conditional, just using a meta rule and negating the Reply-to
 test in the meta:
 
 describe FORGED_HOTMAIL   Hotmail with non-Hotmail Reply-to address
 header   __FORGED_HM1     From =~ /\@hotmail\.com/i
 header   __FORGED_HM2     Reply-to =~ /\@hotmail\.com/i
 meta     FORGED_HOTMAIL   (__FORGED_HM1 && !__FORGED_HM2)
 score    FORGED_HOTMAIL   5.0
 
 and write cookie cutter rules for Yahoo and Gmail. 
 
 OTOH if you're happy that a Japanese test won't generate FPs you can
 cover all three ISPs with one rule:  
 
 describe FORGED_FROM Hotmail, Yahoo or Google with Japanese Reply-to
 header   __FF1       From =~ /\@(hotmail|yahoo|gmail)\.com/i
 header   __FF2       Reply-to =~ /\.jp/i
 meta     FORGED_FROM (__FF1 && __FF2)
 score    FORGED_FROM 5.0

Thanks Martin.  This is actually far simpler than I was thinking it
would be.

--Dennis



Re: Bogus mails from hijacked accounts

2010-03-11 Thread Brian
On Thu, 2010-03-11 at 07:55 -0600, Dennis B. Hopp wrote:
  1)  Spammers rotate sender addresses and hijacked account info more 
  often than most of us change our underwear.  An account *may* get 
  reused;  chances are it'll be months before it does, and the spammers 
  will have rotated through hundreds or thousands of others - both 
  phish-cracked and those set up just to send their junk.  Blacklisting a 
  sender is reduced to blocking the persistent friend-of-a-friend who 
  refuses to remove you from the endless stream of chain-forwards, and 
  legitimate-but-totally-clueless mailing list operators who can't figure 
  out how to unsubscribe you from their list.  :(
  
  2)  You noted originally that these appear to be fully legitimate 
  freemail accounts, legitimately used in the past to correspond with your 
  customers/clients, that have been compromised and then used to send 
  spam.  How do you propose to still allow the legitimate account holders 
  to email your clients if you blacklist the sender?
  
 
 I don't want to blacklist the address, hence the reason why in my
 original e-mail I said other than blacklisting.  I know blacklisting
 would block these bogus e-mails as well as legit e-mails as soon as the
 clients get access back (they currently don't have access to their
 accounts because their passwords have been changed).  
 
 
  
  Martin's suggestion followup should point you in the right direction. 
  Sets of phrase rules (how similar are these messages?  do you have ten 
  or fifteen you can compare sentence-by-sentence?) with low scores will 
  likely help some too.  Meta rules that bump the score up depending on 
  how many phrases hit, or phrase+mismatched-sender/reply also work 
  tolerably well on this class of spam... if you can get enough samples to 
  build a complete enough set of phrase rules.
 
 I'm going to look at what Martin suggested and compare it to what
 samples I have.
 
 Thanks,
 
 --Dennis
 
Don't miss the major key in the body - that is 'Western Union'. I don't
know how much legitimate business you do with WU (or Moneygram for that
matter) but it may well be worthy of a half decent score.

 



Re: Bogus mails from hijacked accounts

2010-03-11 Thread Kris Deugau

Dennis B. Hopp wrote:

I don't want to blacklist the address, hence the reason why in my
original e-mail I said other than blacklisting.


Whups, got your original message confused with something you replied 
with later.



 I know blacklisting
would block these bogus e-mails as well as legit e-mails as soon as the
clients get access back (they currently don't have access to their
accounts because their passwords have been changed).


Ouch.  :(  Offhand, I'd say you might as well go ahead and blacklist 
them anyway, because if the passwords on these freemail accounts have 
been changed, I don't think there's much chance the original users will 
get access back.  It might be a different story if the accounts are 
actually paid accounts.


-kgd


Re: Bogus mails from hijacked accounts

2010-03-11 Thread Martin Gregorie
On Thu, 2010-03-11 at 07:55 -0600, Dennis B. Hopp wrote:
 I'm going to look at what Martin suggested and compare it to what
 samples I have.
 
FWIW, I have 2 or three portmanteau rules that are effectively
collections of misspelled words (such as v1agra, improove, ...),
medspamming phrases, throwaway URI patterns, etc that I've built up from
a number of spams. All are scored low (around 0.01) so I can see them
fire but with little impact in the overall score. I use them in
meta-rules with rather higher scores. This approach is surprisingly
effective at catching previously unseen spam, due to spammers not being
very creative when it comes to generating readable misspelled words or
their insistence on continuing to send spam via inappropriate channels,
such as technical mailing lists.
 

Martin




Re: Bogus mails from hijacked accounts

2010-03-11 Thread Martin Gregorie
On Thu, 2010-03-11 at 10:22 -0500, Kris Deugau wrote:

 Ouch.  :(  Offhand, I'd say you might as well go ahead and blacklist 
 them anyway, because if the passwords on these freemail accounts have 
 been changed, I don't think there's much chance the original users will 
 get access back.  It might be a different story if the accounts are 
 actually paid accounts.
 
I don't think the accounts were hijacked: the headers showed that the
messages the OP posted were not sent from the domain hosting the mail
accounts. It looked to me as if somebody has sold on lists of valid
hotmail etc. accounts.

I smell an inside job, or at least some careful preparation, because the
OP reckons that these accounts (forged as sender) were paired with valid
accounts he hosts that would be used by the owner of the forged account.
The messages I saw took the form:

-
From:forged hotmail/yahoo/gmail account
To:  same person's account at the OP's ISP
Subject: Help!

I was ROBBED of my money and cards but not my passport. PLEASE
send me $$$ via Western Union.
 
Signed: me.myself
-

A scam of this type needs to be pretty tightly targeted to work. The
scammer would need at least a matched pair of addresses and a good
probability that the supposed sender could be somewhere near the place
where the alleged robbery was said to have happened.


Martin




Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dave Pooser
 A scam of this type needs to be pretty tightly targeted to work. The
 scammer would need at least a matched pair of addresses and a good
 probability that the supposed sender could be somewhere near the place
 where the alleged robbery was said to have happened.

If I've got access to your freemail account, I've got access to your address
book. The one of these I encountered at $DAYJOB was sent to the account
owner's wife's ex-husband-- not my first choice when asking for emergency
funds. The email also claimed he was traveling in London-- the guy AFAIK
hasn't left Texas, let alone the US, in the past few years-- and used a
number of phrases that a native speaker of American so-called-English
wouldn't.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!! -- Bill McKenna




Re: Bogus mails from hijacked accounts

2010-03-11 Thread Martin Gregorie
On Thu, 2010-03-11 at 11:56 -0600, Dave Pooser wrote:
  A scam of this type needs to be pretty tightly targeted to work. The
  scammer would need at least a matched pair of addresses and a good
  probability that the supposed sender could be somewhere near the place
  where the alleged robbery was said to have happened.
 
 If I've got access to your freemail account, I've got access to your address
 book.

...and I suppose the same would apply to social networks. I don't use
either, so am somewhat clueless about what goodies are available if you
can access their accounts.

  The one of these I encountered at $DAYJOB was sent to the account
 owner's wife's ex-husband-- not my first choice when asking for emergency
 funds. The email also claimed he was traveling in London-- the guy AFAIK
 hasn't left Texas, let alone the US, in the past few years-- and used a
 number of phrases that a native speaker of American so-called-English
 wouldn't.

OK, looks like I hugely overestimated the intelligence of recipients of
such scams and hence the care needed to target an attack.


Martin




Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp

 I don't think the accounts were hijacked: the headers showed that the
 messages the OP posted were not sent from the domain hosting the mail
 accounts. It looked to me as if somebody has sold on lists of valid
 hotmail etc. accounts.
 
 I smell an inside job, or at least some careful preparation, because the
 OP reckons that these accounts (forged as sender) were paired with valid
 accounts he hosts that would be used by the owner of the forged account.
 The messages I saw took the form:

We got one owner of the hijacked accounts to admit he got an e-mail that
basically said "Hi, we are trying to get rid of dead accounts, so please
click here to verify your information."  The site then very nicely asked
for his username/password, which he gave, and then voilà, no more access
to his account.  The message was then sent to every address in his
address book (which is why many of my users got the same message).

Sadly, we have had this happen a couple of times with hotmail and yahoo 
addresses.

What can I say, some of our clients aren't exactly the most tech savvy.

--Dennis



Re: Bogus mails from hijacked accounts

2010-03-11 Thread Dennis B. Hopp

 ...and I suppose the same would apply to social networks. I don't use
 either, so am somewhat clueless about what goodies are available if you
 can access their accounts.
 

I have some free e-mail accounts that I use as throw away accounts.
When a site just HAS to have a valid e-mail so you can read the news
article or whatever.  I might login to the accounts about once a month.

   The one of these I encountered at $DAYJOB was sent to the account
  owner's wife's ex-husband-- not my first choice when asking for emergency
  funds. The email also claimed he was traveling in London-- the guy AFAIK
  hasn't left Texas, let alone the US, in the past few years-- and used a
  number of phrases that a native speaker of American so-called-English
  wouldn't.
 
 OK, looks like I hugely overestimated the intelligence of recipients of
 such scams and hence the care needed to target an attack.
 

It's a sad thing, but a lot of people fall for stupid scams every day...



Re: Bogus mails from hijacked accounts

2010-03-11 Thread Fosforo
I've seen an increase of POP3 dictionary attacks. The cracking daemons
are usually running from China.

[]s Fosforo

--
The path of the righteous man is beset on all sides by the
iniquities of the selfish and the tyranny of evil men. Blessed is
he who, in the name of charity and good will, shepherds the weak
through the valley of darkness, for he is truly his brother's
keeper and the finder of lost children. And I will strike down,
with great vengeance and furious anger, those who attempt to poison
and destroy my brothers. And you will know: my name is the Lord when
my vengeance falls upon you.

-Jules (and a certain Ezekiel)



2010/3/10 Dennis B. Hopp dh...@coreps.com:
 We seem to be having a problem where clients that we interact with
 regularly are having their hotmail/gmail/yahoo accounts hijacked.  We
 are receiving e-mails from their accounts that legitimately go through
 the correct servers (hotmail,yahoo, etc.) and so they get passed through
 our spam filters.  The messages have different bodies but basically say
 the same thing that they were on vacation and had all their money stolen
 so they need to have money wire transferred to them.

 Obviously we just have to tell the clients that they need to deal with
 the various e-mail providers, but is there an effective way that I can
 filter these messages out before my users see them without blacklisting
 the address?  In one case I had probably 15 users that received the same
 message and naturally they freaked out.

 I have put a sample at:

 http://pastebin.com/9BDXrxmm

 Note I did change the real e-mail address in this message but the
 hotmail address used is valid just masked.

 The message doesn't hit any rules of significance on my system.

 BAYES_00=-1.9,FREEMAIL_FROM=0.001,HTML_MESSAGE=0.001,RCVD_IN_DNSWL_NONE=-0.0001,SPF_PASS=-0.001,T_RP_MATCHES_RCVD=-0.01,T_TO_NO_BRKTS_FREEMAIL=0.01


 Thanks

 --Dennis




Re: Bogus mails from hijacked accounts

2010-03-11 Thread Michelle Konzack
Hello,

Am 2010-03-10 13:37:20, schrieb Dennis B. Hopp:
 We seem to be having a problem where clients that we interact with
 regularly are having their hotmail/gmail/yahoo accounts hijacked.  We
 are receiving e-mails from their accounts that legitimately go through
 the correct servers (hotmail,yahoo, etc.) and so they get passed through
 our spam filters.  The messages have different bodies but basically say
 the same thing that they were on vacation and had all their money stolen
 so they need to have money wire transferred to them.
 
 Obviously we just have to tell the clients that they need to deal with
 the various e-mail providers, but is there an effective way that I can
 filter these messages out before my users see them without blacklisting
 the address?  In one case I had probably 15 users that received the same
 message and naturally they freaked out.

I have such a problem too, but because spam is filtered in the user's
account from a procmail include, I use a global procmail include which
checks for such problems; that is, I use a global SA installation with
stripped-down checks plus some additional procmail recipes, and after this
is passed, it goes to the second stage into the user's account.

If I detect this on legitimate domains, the user and abuse will be
informed through an automated bounce.

Note:   I have around 2000 users on the domain tdwave.net, and if
I did not automate spam processing, I would have to look manually
at more than 180.000 spams per day, that is ~2 messages per second.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   Apt. 917
http://www.flexray4linux.org/   50, rue de Soultz
Jabber linux4miche...@jabber.ccc.de   67100 Strasbourg/France
IRC#Debian (irc.icq.com)  Tel. DE: +49 177 9351947
ICQ#328449886 Tel. FR: +33  6  61925193


signature.pgp
Description: Digital signature


Re: Bogus mails from hijacked accounts

2010-03-11 Thread Michelle Konzack
Hello Martin,

Am 2010-03-10 22:13:59, schrieb Martin Gregorie:
 describe FORGED_HOTMAIL   Hotmail with non-Hotmail Reply-To address
 header   __FORGED_HM1     From =~ /\@hotmail\.com/i
 header   __FORGED_HM2     Reply-To =~ /\@hotmail\.com/i
 meta     FORGED_HOTMAIL   (__FORGED_HM1 && !__FORGED_HM2)
 score    FORGED_HOTMAIL   5.0

How can this be simplified for any SLD/TLDs?

I mean, on one of my domains, tdwave.net, it should ALWAYS be the same
From: and Reply-To:.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/ Michelle Konzack
http://www.can4linux.org/   Apt. 917
http://www.flexray4linux.org/   50, rue de Soultz
Jabber linux4miche...@jabber.ccc.de   67100 Strasbourg/France
IRC#Debian (irc.icq.com)  Tel. DE: +49 177 9351947
ICQ#328449886 Tel. FR: +33  6  61925193


signature.pgp
Description: Digital signature


Bogus mails from hijacked accounts

2010-03-10 Thread Dennis B. Hopp
We seem to be having a problem where clients that we interact with
regularly are having their hotmail/gmail/yahoo accounts hijacked.  We
are receiving e-mails from their accounts that legitimately go through
the correct servers (hotmail,yahoo, etc.) and so they get passed through
our spam filters.  The messages have different bodies but basically say
the same thing that they were on vacation and had all their money stolen
so they need to have money wire transferred to them.

Obviously we just have to tell the clients that they need to deal with
the various e-mail providers, but is there an effective way that I can
filter these messages out before my users see them without blacklisting
the address?  In one case I had probably 15 users that received the same
message and naturally they freaked out.

I have put a sample at:

http://pastebin.com/9BDXrxmm

Note I did change the real e-mail address in this message but the
hotmail address used is valid just masked.

The message doesn't hit any rules of significance on my system.

BAYES_00=-1.9,FREEMAIL_FROM=0.001,HTML_MESSAGE=0.001,RCVD_IN_DNSWL_NONE=-0.0001,SPF_PASS=-0.001,T_RP_MATCHES_RCVD=-0.01,T_TO_NO_BRKTS_FREEMAIL=0.01


Thanks

--Dennis



Re: Bogus mails from hijacked accounts

2010-03-10 Thread Martin Gregorie
On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote:

 Obviously we just have to tell the clients that they need to deal with
 the various e-mail providers, but is there an effective way that I can
 filter these messages out before my users see them without blacklisting
 the address?

There's nothing in SA that can blacklist a sending MTA, so blacklisting
can't happen unless you've added something to your MTA set-up that does
auto-blacklisting.

The question then comes down to marking the message as spam and dealing
with it however you normally deal with spam. You'll probably need custom
rule(s) to handle that. You say the message bodies are quite variable,
but I notice that the Reply-to: header doesn't remotely match the From:
header. Is this a common factor?

If it is, and the body texts have no common features that could also be
used, the only obvious approach would be a rule for each forged sending
domain that fires if the sending domain doesn't match the Reply-to
domain. 

Only you can know if these rules would cause false positives: I can't
possibly tell from a single sample message.


Martin
 




Re: Bogus mails from hijacked accounts

2010-03-10 Thread Dennis B. Hopp

On Wed, 2010-03-10 at 20:22 +, Martin Gregorie wrote:
 On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote:
 
  Obviously we just have to tell the clients that they need to deal with
  the various e-mail providers, but is there an effective way that I can
  filter these messages out before my users see them without blacklisting
  the address?
 
 There's nothing in SA that can blacklist a sending MTA, so blacklisting
 can't happen unless you've added something to your MTA set-up that does
 auto-blacklisting.
 

I meant blacklisting the sender address, not the MTA.

 The question then comes down to marking the message as spam and dealing
 with it however you normally deal with spam. You'll probably need custom
 rule(s) to handle that. You say the message bodies are quite variable,
 but I notice that the Reply-to: header doesn't remotely match the From:
 header. Is this a common factor?
 

In the ones that I have seen, the reply-to doesn't match the from, and I
think the reply-tos have all been something.jp.

 If it is, and the body texts have no common features that could also be
 used, the only obvious approach would be a rule for each forged sending
 domain that fires if the sending domain doesn't match the Reply-to
 domain. 
 

There isn't anything in common that I can see that wouldn't be
susceptible to false positives.  One even left the client's signature
intact.  I've written fairly simple custom rules before but I'm not sure
how to do conditional rules.  I'll have to dig into the docs a little
more.
 
 Only you can know if these rules would cause false positives: I can't
 possibly tell from a single sample message.
 

I wasn't expecting anybody to give me a magic rule that would fix it,
just suggestions since I would only be able to blacklist the sender
address after the e-mail had been received and I was notified of the
problem.  And obviously blacklisting all of gmail/hotmail/yahoo isn't an
option.

Thanks,

--Dennis



Re: Bogus mails from hijacked accounts

2010-03-10 Thread Martin Gregorie
On Wed, 2010-03-10 at 15:08 -0600, Dennis B. Hopp wrote:
 I meant blacklisting the sender address, not the MTA.
 
From what you're describing the senders are all forged by somebody who
bought or stole a list of valid hotmail etc. addresses and the
corresponding addresses in your domain, so blacklisting anything is
probably a bad idea because it wouldn't do anything except annoy the
actual owner of the address.
 
 There isn't anything in common that I can see that wouldn't be
 susceptible to false positives.  One even left the clients signature
 intact.  I've written fairly simple custom rules before but I'm not sure
 how to do conditional rules.  I'll have to dig into the docs a little
 more.

It's not conditional, just using a meta rule and negating the Reply-To
test in the meta:

describe FORGED_HOTMAIL   Hotmail with non-Hotmail Reply-To address
header   __FORGED_HM1     From =~ /\@hotmail\.com/i
header   __FORGED_HM2     Reply-To =~ /\@hotmail\.com/i
meta     FORGED_HOTMAIL   (__FORGED_HM1 && !__FORGED_HM2)
score    FORGED_HOTMAIL   5.0

and write cookie-cutter rules for Yahoo and Gmail.

OTOH if you're happy that a Japanese test won't generate FPs, you can
cover all three ISPs with one rule:

describe FORGED_FROM   Hotmail, Yahoo or Google with Japanese Reply-To
header   __FF1         From =~ /\@(hotmail|yahoo|gmail)\.com/i
header   __FF2         Reply-To =~ /\.jp/i
meta     FORGED_FROM   (__FF1 && __FF2)
score    FORGED_FROM   5.0

Of course, if it's just a few Japanese ISPs being used, you can easily
make __FF2 more specific.


Martin
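The rules above, as an added example that is not part of Martin's post or of SpamAssassin itself: the same two meta rules written out in plain Python so their behaviour can be checked against sample messages, plus a generic From:/Reply-To: domain comparison that works for any domain (the question raised upthread about SLD/TLDs). Worth noticing while running it: because a header rule cannot match a header that is absent, FORGED_HOTMAIL as posted also fires on a Hotmail message that carries no Reply-To: at all. The sample messages, the example.* addresses and the 1.0 score for the generic rule are constructed for this example.

```python
"""Added example (not from the thread): header-only checks for the
hijacked-freemail-account scam, mirroring Martin's FORGED_HOTMAIL and
FORGED_FROM meta rules and adding a generic domain comparison."""
import re
from email import message_from_string
from email.utils import parseaddr

HOTMAIL_RE = re.compile(r"@hotmail\.com", re.I)                   # __FORGED_HM1 / __FORGED_HM2
FREEMAIL_RE = re.compile(r"@(hotmail|yahoo|gmail)\.com", re.I)    # __FF1
JP_RE = re.compile(r"\.jp", re.I)                                  # __FF2

# 5.0 mirrors the scores in the thread; 1.0 for the generic rule is an
# assumption, kept low because mailing lists legitimately set a foreign Reply-To.
SCORES = {"FORGED_HOTMAIL": 5.0, "FORGED_FROM": 5.0, "REPLYTO_DOMAIN_MISMATCH": 1.0}


def header_domain(msg, name):
    """Lower-cased domain of the first address in header `name`, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def evaluate(raw):
    """Return (hits, total_score) for one RFC 822 message given as a string."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    reply_hdr = msg.get("Reply-To", "")
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")

    hm1 = bool(HOTMAIL_RE.search(from_hdr))
    hm2 = bool(HOTMAIL_RE.search(reply_hdr))  # cannot match when Reply-To is absent
    hits = {
        # Martin's FORGED_HOTMAIL: __FORGED_HM1 && !__FORGED_HM2.  A Hotmail
        # message with no Reply-To at all also fires, since __FORGED_HM2 fails.
        "FORGED_HOTMAIL": hm1 and not hm2,
        # Martin's FORGED_FROM: freemail From and a .jp Reply-To.
        "FORGED_FROM": bool(FREEMAIL_RE.search(from_hdr)) and bool(JP_RE.search(reply_hdr)),
        # Generic rule (assumption): both headers present and their domains differ.
        "REPLYTO_DOMAIN_MISMATCH": from_dom is not None and reply_dom is not None
        and from_dom != reply_dom,
    }
    total = sum(SCORES[name] for name, hit in hits.items() if hit)
    return hits, total


# Constructed sample messages (documentation/example domains only).
SCAM = """From: "A. Client" <a.client@hotmail.com>
Reply-To: a.client@mail.example.jp
To: dennis@example.net
Subject: Urgent

I am on vacation and all my money was stolen; please wire funds.
"""

NORMAL = """From: "A. Client" <a.client@hotmail.com>
To: dennis@example.net
Subject: Invoice

Attached is this month's invoice.
"""

LIST_MAIL = """From: bob@example.org
Reply-To: discuss@lists.example.net
To: dennis@example.net
Subject: [discuss] agenda

Agenda for tomorrow.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("normal", NORMAL), ("list", LIST_MAIL)):
        hits, total = evaluate(raw)
        print(label, total, [name for name, hit in hits.items() if hit])
```

Running it shows the trade-off Martin and Kris describe: the scam sample hits all three checks, the ordinary Hotmail invoice still scores 5.0 from FORGED_HOTMAIL alone (no Reply-To:), and the mailing-list post trips only the generic mismatch, which is why that rule is kept at a low score and left to a meta rule to combine with phrase hits.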




Re: Bogus mails from hijacked accounts

2010-03-10 Thread Kris Deugau

Dennis B. Hopp wrote:
 On Wed, 2010-03-10 at 20:22 +, Martin Gregorie wrote:
  On Wed, 2010-03-10 at 13:37 -0600, Dennis B. Hopp wrote:
   Obviously we just have to tell the clients that they need to deal with
   the various e-mail providers, but is there an effective way that I can
   filter these messages out before my users see them without blacklisting
   the address?
  
  There's nothing in SA that can blacklist a sending MTA, so blacklisting
  can't happen unless you've added something to your MTA set-up that does
  auto-blacklisting.
 
 I meant blacklisting the sender address, not the MTA.

Welcome to Whack-A-Spammer!  Here's your pea-shooter;  the targets are
behind 3 feet of concrete on the other side of this mile-wide canyon.

Sarcasm aside, there are two problems with blacklisting the sender to
block spam:

1)  Spammers rotate sender addresses and hijacked account info more
often than most of us change our underwear.  An account *may* get
reused;  chances are it'll be months before it does, and the spammers
will have rotated through hundreds or thousands of others - both
phish-cracked and those set up just to send their junk.  Blacklisting a
sender is reduced to blocking the persistent friend-of-a-friend who
refuses to remove you from the endless stream of chain-forwards, and
legitimate-but-totally-clueless mailing list operators who can't figure
out how to unsubscribe you from their list.  :(

2)  You noted originally that these appear to be fully legitimate
freemail accounts, legitimately used in the past to correspond with your
customers/clients, that have been compromised and then used to send
spam.  How do you propose to still allow the legitimate account holders
to email your clients if you blacklist the sender?

  The question then comes down to marking the message as spam and dealing
  with it however you normally deal with spam. You'll probably need custom
  rule(s) to handle that. You say the message bodies are quite variable,
  but I notice that the Reply-to: header doesn't remotely match the From:
  header. Is this a common factor?
 
 The ones that I have seen the reply-to doesn't match the from and I
 think the reply-to have all been something.jp
 
  If it is, and the body texts have no common features that could also be
  used, the only obvious approach would be a rule for each forged sending
  domain that fires if the sending domain doesn't match the Reply-to
  domain.
 
 There isn't anything in common that I can see that wouldn't be
 susceptible to false positives.  One even left the clients signature
 intact.  I've written fairly simple custom rules before but I'm not sure
 how to do conditional rules.  I'll have to dig into the docs a little
 more.


Martin's follow-up suggestion should point you in the right direction.
Sets of phrase rules (how similar are these messages?  do you have ten 
or fifteen you can compare sentence-by-sentence?) with low scores will 
likely help some too.  Meta rules that bump the score up depending on 
how many phrases hit, or phrase+mismatched-sender/reply also work 
tolerably well on this class of spam... if you can get enough samples to 
build a complete enough set of phrase rules.


You'll have to decide how to balance aggressiveness on the content vs 
still allowing legitimate messages through.


Feeding these to Bayes should also help some.

-kgd


Re: Bogus mails from hijacked accounts

2010-03-10 Thread David B Funk
On Wed, 10 Mar 2010, Dennis B. Hopp wrote:

 We seem to be having a problem where clients that we interact with
 regularly are having their hotmail/gmail/yahoo accounts hijacked.  We
 are receiving e-mails from their accounts that legitimately go through
 the correct servers (hotmail,yahoo, etc.) and so they get passed through
 our spam filters.  The messages have different bodies but basically say
 the same thing that they were on vacation and had all their money stolen
 so they need to have money wire transferred to them.

 Obviously we just have to tell the clients that they need to deal with
 the various e-mail providers, but is there an effective way that I can
 filter these messages out before my users see them without blacklisting
 the address?  In one case I had probably 15 users that received the same
 message and naturally they freaked out.

 I have put a sample at:

 http://pastebin.com/9BDXrxmm

 Note I did change the real e-mail address in this message but the
 hotmail address used is valid just masked.

Look at that X-Originating-IP: [41.155.87.236] header; it's a dial-up
pool in Lagos, Nigeria.

It may seem stereotyped, but it's amazing the percentage of this kind
of spam that -does- come out of that part of the world.

Does anybody have an SA plugin that will grab those X-Originating-IP
headers and throw the address at an RBL? Points for hits by CBL
or an IP-geolocation table for Central Africa.

-- 
Dave Funk                            University of Iowa
dbfunk (at) engineering.uiowa.edu    College of Engineering
319/335-5751   FAX: 319/384-0549     1256 Seamans Center
Sys_admin/Postmaster/cell_admin      Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
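What Dave asks for, as an added example that is not from this thread and not a SpamAssassin plugin: pull the X-Originating-IP: header the sample carries, refuse to look up addresses that are not globally routable, and query a DNS blocklist by the usual reversed-octet name. DNS is reached through an injected resolve() callable so the example runs offline; the DNSBL_ZONE value is a placeholder for whichever list you use (the CBL named above, for instance), the sample messages are constructed, and the only real address in them is the 41.155.87.236 quoted in Dave's post.

```python
"""Added example (not from the thread): X-Originating-IP -> DNSBL lookup.

The resolver is injected so the sample runs offline; DNSBL_ZONE is a
placeholder and the messages below are constructed."""
import ipaddress
import re
from email import message_from_string

DNSBL_ZONE = "dnsbl.example"  # placeholder zone; substitute the blocklist you actually use

IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def originating_ip(raw):
    """Return the X-Originating-IP address as a string, or None.

    None is returned when the header is missing, malformed, or names an
    address that is not globally routable (RFC 1918, loopback, TEST-NET...),
    because such addresses never belong in a DNSBL query."""
    value = message_from_string(raw).get("X-Originating-IP")
    if not value:
        return None
    m = IPV4_RE.search(value)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))
    except ValueError:  # e.g. an octet above 255
        return None
    return str(ip) if ip.is_global else None


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBLs are keyed by the reversed octets: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_originating_ip(raw, resolve, zone=DNSBL_ZONE):
    """Classify one message.  resolve(name) must return the list of A-record
    strings for `name`, or an empty list when the name does not exist."""
    ip = originating_ip(raw)
    if ip is None:
        return {"ip": None, "listed": False, "codes": []}
    answers = resolve(dnsbl_query_name(ip, zone))
    # A genuine DNSBL answer is always inside 127.0.0.0/8; anything else means a
    # wildcard or a broken resolver and must not be treated as a listing.
    codes = [a for a in answers if a.startswith("127.")]
    return {"ip": ip, "listed": bool(codes), "codes": codes}


# Constructed samples.
SCAM_MSG = """From: a.client@hotmail.com
To: dennis@example.net
X-Originating-IP: [41.155.87.236]
Subject: Urgent

I am stuck abroad and need money wired.
"""

LAN_MSG = """From: a.client@hotmail.com
To: dennis@example.net
X-Originating-IP: [10.0.0.5]
Subject: Hello

Sent from the office.
"""

# Offline stand-in for DNS: pretend the scam's IP is listed with code 127.0.0.2.
FAKE_DNS = {"236.87.155.41." + DNSBL_ZONE: ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(check_originating_ip(SCAM_MSG, fake_resolve))
    print(check_originating_ip(LAN_MSG, fake_resolve))
```

Two points to keep in mind before scoring on this: the header is only meaningful when the message really did arrive from the provider's own MTAs (the SPF_PASS hit in Dennis's sample is the evidence for that), since anyone can add an X-Originating-IP: line to a message sent by another route; and a private or reserved address in the header should be dropped rather than queried, which is why originating_ip() returns None for the 10.0.0.5 sample.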