Image Spam Analysis
Image spam is very annoying and currently it gets past many filters. I get pump and dump stock spam at my corporate email address. I have some other mail accounts I use to setup for signing up online and they get all kinds of spam. When I had more time, I would go at lengths to report image spam, but these days, I barely have time to check my email accounts. Below I will break down a sample spam that is current (sent to me within the last day). To see more details of the spam above you need to click on it, if you want to bother.
Headers of this image spam - (I removed the recipient address and domains)
==========================
From - Sat Jan 27 18:23:20 2007
X-Account-Key: account3
X-UIDL: 469206877
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
Received: from bugsbunny.MUNGED.com [66.X.X.235] by beatle.MUNGED.net with ESMTP
(SMTPD-9.10) id A15205E4; Fri, 26 Jan 2007 22:04:50 -0500
Received: from vowwaqv ([209.194.72.195])
by bugsbunny.MUNGED (8.13.6/8.13.6) with SMTP id l0R34ZN8025082
for
Received: (qmail 17348 invoked from network); Fri, 26 Jan 2007 21:04:48 -0600
Received: from unknown (HELO xclips) (32.169.85.33)
by vowwaqv with SMTP; Fri, 26 Jan 2007 21:04:48 -0600
Message-ID: <45bac150.2040601@hottomali.org>
Date: Fri, 26 Jan 2007 21:04:48 -0600
From: Peters Jemima
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
To: MUNGED@XXXX.com
Subject: By comparison, common kitchen microwaves penetrate several centimetres of skin.
X-RCPT-TO:
Status:
X-UIDL: 469206877
X-IMail-ThreadID: c15201cf00000f64
X-Antivirus: AVG for E-mail 7.1.410 [268.17.12/653]
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=======AVGMAIL-45BC091A462D======="
==========================
This sample of spam arrived at an email address for which I have no filters on at the moment. I tried to locate an image spam that bypassed the filters, but it was on old example, so I found another one. This particular spam would not have been received by many because the from the location it originated, it had no reverse DNS.
32.169.85.33 - an unpingable host at the time of this post is the origin of this pump and dump spam belongs to which is AT&T Global Network Services, it also has no reverse entry which means most mail servers would reject email from this host.
209.194.72.195 - IP, an unpingable host, with no reverse dns entry belongs to the City Of Mobile, Alabama - This IP is in many blocklisted ranges. Just check it out here. According to the selection below of blacklistings, this host is compromised. The red below are some current blacklists of this IP pulled from DNSSTUFF.com.
| CBL | LISTED (127.0.0.2) | TXT= "Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=209.194.72.195" | 3600 seconds | 0 ms |
| CASA-CBL | LISTED (127.0.8.2) | TXT= "Mail from 209.194.72.195 refused, see http://anti-spam.org.cn/services/rblquery.php?IP=209.194.72.195" | 10800 seconds | 282 ms |
| CASA-CBL+ | LISTED (127.0.8.6) | TXT= "Mail from 209.194.72.195 refused, see http://anti-spam.org.cn/services/rblquery.php?IP=209.194.72.195" | 10800 seconds | 282 ms |
| CASA-CBL- | LISTED (127.0.8.5) | TXT= "Mail from 209.194.72.195 refused, see http://anti-spam.org.cn/services/rblquery.php?IP=209.194.72.195" | 10800 seconds | 282 ms |
| SBL-XBL | LISTED (127.0.0.4) | TXT= "http://www.spamhaus.org/query/bl?ip=209.194.72.195" | 1800 seconds | 63 ms |
| SPAMCOP | LISTED (127.0.0.2) | TXT= "Blocked - see http://www.spamcop.net/bl.shtml?209.194.72.195" | 2100 seconds | 0 ms |
| SORBS-WEB | LISTED (127.0.0.7) | TXT= "Exploitable Server See: http://www.sorbs.net/lookup.shtml?209.194.72.195" | 3600 seconds | 0 ms |
| TQM-SPAMTRAP | LISTED (127.0.0.3) | TXT= "Spam received from 209.194.72.195. Removal Requests: http://tqmcube.com/dnsbl/dnsbl_remove.php" | 2100 seconds | 109 m |
At the top is a screen capture of this spam, notice the nonsense text down at the bottom. The spammers put this text in spam in an attempt to bypass spam filters. It was mentioned in an NBC news broadcast that these spammers use excerpts from sources such as the Harry Potter books to get past spam filters.
Some interesting reading: -
posted by my0p @ 2:43 PM
0 Comments:
Post a Comment
<< Home