19 Apr 17

Tracing Spam: Diet Pills from Beltway Bandits

Reading junk spam messages isn’t exactly my idea of a good time, but sometimes fun can be had when you take a moment to check who really sent the email. Here’s the simple story of how a recent spam email advertising celebrity “diet pills” was traced back to a Washington, D.C.-area defense contractor that builds tactical communications systems for the U.S. military and intelligence communities.

Your average spam email can contain a great deal of information about the systems used to blast junk email. If you’re lucky, it may even offer insight into the organization that owns the networked resources (computers, mobile devices) which have been hacked for use in sending or relaying junk messages.

Earlier this month, anti-spam activist and expert Ron Guilmette found himself poring over the “headers” for a spam message that set off a curious alert. “Headers” are the usually unseen addressing and routing details that accompany each message. They generally go unseen because email programs hide them unless you know how and where to look for them.

Let’s take the headers from this particular email — from April 12, 2017 — as an example. To the uninitiated, email headers may seem like an overwhelming dump of information. But there really are only a few things we’re interested in here (Guilmette’s actual email address has been modified to “ronsdomain.example.com” in the otherwise unaltered spam message headers below):

Return-Path: <dan@gtacs.com>
X-Original-To: rfg-myspace@ronsdomain.example.com
Delivered-To: rfg-myspace@ronsdomain.example.com
Received: from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])
by subdomain.ronsdomain.example.com (Postfix) with ESMTP id 5FE083AE87
for <rfg-myspace@ronsdomain.example.com>; Wed, 12 Apr 2017 13:37:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gtacs.com;
s=default; h=MIME-Version:Content-Type:Date:Message-ID:Subject:To:From:
Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
Received: from [186.226.237.238] (port=41986 helo=[127.0.0.1])
by host.psttsxserver.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.87)
(envelope-from <dan@gtacs.com>)
id 1cyP1J-0004K8-OR
for rfg-myspace@ronsdomain.example.com; Wed, 12 Apr 2017 16:37:42 -0400
From: dan@gtacs.com
To: rfg-myspace@ronsdomain.example.com
Subject: Discover The Secret How Movies & Pop Stars Are Still In Shape
Message-ID: <F5E99999.A1F67C94585E5E2F@gtacs.com>
X-Priority: 3
Importance: Normal
Date: Wed, 12 Apr 2017 22:37:39 +0200
X-Original-Content-Type: multipart/alternative;
boundary="--InfrawareEmailBoundaryDepth1_FD5E8CC5--"
MIME-Version: 1.0
X-Mailer: Infraware POLARIS Mobile Mailer v2.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.psttsxserver.com
X-AntiAbuse: Original Domain - ronsdomain.example.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - gtacs.com
X-Get-Message-Sender-Via: host.psttsxserver.com: authenticated_id: dan@gtacs.com
X-Authenticated-Sender: host.psttsxserver.com: dan@gtacs.com

Celebrities always have to look good and that’s as hard as you might
{… snipped…}

In this case, the return address is dan@gtacs.com. The other bit to notice is the Internet address and domain referenced in the fourth line, after “Received,” which reads: “from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])”. The name in parentheses and the bracketed address are what the receiving server itself recorded about the connecting host, not what the sender claimed.

Gtacs.com belongs to the Trace Systems GTACS Team Portal, a Web site explaining that GTACS is part of the Trace Systems Team, which contracts to provide “a full range of tactical communications systems, systems engineering, integration, installation and technical support services to the Department of Defense (DoD), Department of Homeland Security (DHS), and Intelligence Community customers.” The company lists some of its customers here.

The home page of Trace Systems.

Both Gtacs.com and tracesystems.com say the companies “provide Cybersecurity and Intelligence expertise in support of national security interests.” “GTACS is a contract vehicle that will be used by a variety of customers within the scope of C3T systems, equipment, services and data,” the company’s site says. The “C3T” part is military speak for “Command, Control, Communications, and Tactical.”

Passive domain name system (DNS) records maintained by Farsight Security for the Internet address listed in the spam headers — 72.52.186.80 — show that gtacs.com was at one time on that same Internet address along with many domains and subdomains associated with Trace Systems.

It is true that some of an email’s header information can be forged. For example, spammers and their tools can falsify the email address in the “from:” line of the message, as well as in the “reply-to:” portion of the missive. But neither appears to have been forged in this particular piece of pharmacy spam: the message was submitted over an authenticated session as dan@gtacs.com, and the relay that accepted it is the one the headers name.
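To make the header walk above concrete, here is a small script (an added example, not part of the original article) that reassembles the folded header block shown earlier, lists the relay hops from earliest to latest, and pulls out the fields the article points at: Return-Path, the originating IP, the authenticated submission account and the mailer. It also applies the forgery caveat from the previous paragraph by checking that each hop’s “by” host reappears as the next hop’s “from” host, which is the part of the chain a sender cannot rewrite once the mail has left his hands. The header text is the article’s own, re-indented on the continuation lines so it parses as a standard folded header block; the function names and the `looks_like_compromised_account` heuristic are this example’s own.

```python
"""Walk the Received: chain of a raw email and summarize who handed it to whom.

Added example, not from the article. It parses a folded header block, lists
each relay hop from the earliest to the latest, and pulls out the fields the
article highlights: Return-Path, the originating IP and the authenticated
submission account.
"""
import re
from typing import Dict, List, Optional, Tuple

# Header block from the article (DKIM and X-AntiAbuse lines omitted), re-folded
# with leading whitespace on continuation lines as RFC 5322 requires.
SAMPLE_HEADERS = """\
Return-Path: <dan@gtacs.com>
X-Original-To: rfg-myspace@ronsdomain.example.com
Delivered-To: rfg-myspace@ronsdomain.example.com
Received: from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])
    by subdomain.ronsdomain.example.com (Postfix) with ESMTP id 5FE083AE87
    for <rfg-myspace@ronsdomain.example.com>; Wed, 12 Apr 2017 13:37:44 -0700 (PDT)
Received: from [186.226.237.238] (port=41986 helo=[127.0.0.1])
    by host.psttsxserver.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
    (Exim 4.87)
    (envelope-from <dan@gtacs.com>)
    id 1cyP1J-0004K8-OR
    for rfg-myspace@ronsdomain.example.com; Wed, 12 Apr 2017 16:37:42 -0400
From: dan@gtacs.com
To: rfg-myspace@ronsdomain.example.com
Subject: Discover The Secret How Movies & Pop Stars Are Still In Shape
Date: Wed, 12 Apr 2017 22:37:39 +0200
X-Mailer: Infraware POLARIS Mobile Mailer v2.5
X-Authenticated-Sender: host.psttsxserver.com: dan@gtacs.com

Celebrities always have to look good ...
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs in order, unfolding continuation lines.

    Duplicate names (there is normally one Received: per relay) are kept.
    """
    headers: List[Tuple[str, str]] = []
    for line in raw.split("\n"):
        if line.strip() == "":              # blank line ends the header section
            break
        if line[0] in " \t" and headers:    # folded continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value: str) -> Dict[str, object]:
    """Extract from-host, its recorded IP and by-host from one Received: value."""
    value = re.sub(r"\s+", " ", value)
    from_match = re.search(r"\bfrom (.+?) by ", value)
    by_match = re.search(r"\bby (\S+)", value)
    from_clause = from_match.group(1) if from_match else ""
    ip = IP_RE.search(from_clause)
    return {
        "from_host": from_clause.split(" ")[0] if from_clause else None,
        "from_ip": ip.group(1) if ip else None,
        "by_host": by_match.group(1) if by_match else None,
        # esmtpa/esmtpsa are Exim's protocol tags for an authenticated submission
        "authenticated": bool(re.search(r"\bwith esmtps?a\b", value)),
    }


def chain_is_consistent(hops: List[Dict[str, object]]) -> bool:
    """Each relay's by-host should be the next relay's from-host."""
    return all(hops[i]["by_host"] == hops[i + 1]["from_host"]
               for i in range(len(hops) - 1))


def trace(raw: str) -> Dict[str, object]:
    headers = parse_headers(raw)

    def first(name: str) -> Optional[str]:
        return next((v for k, v in headers if k.lower() == name.lower()), None)

    received = [v for k, v in headers if k.lower() == "received"]
    # Every relay prepends its own Received:, so the last one is the earliest hop.
    hops = [parse_received(v) for v in reversed(received)]
    origin: Dict[str, object] = hops[0] if hops else {}
    auth = first("X-Authenticated-Sender")
    account = auth.split(":")[-1].strip() if auth else None
    rp = first("Return-Path")
    return_path = rp.strip("<>") if rp else None
    return {
        "return_path": return_path,
        "hops": hops,
        "origin_ip": origin.get("from_ip"),
        "submission_host": origin.get("by_host"),
        "authenticated_account": account,
        "mailer": first("X-Mailer"),
        "chain_consistent": chain_is_consistent(hops),
        # Heuristic: an authenticated submission as the envelope sender's own
        # account points at stolen credentials rather than a forged From: line.
        "looks_like_compromised_account": bool(
            origin.get("authenticated") and account and return_path == account),
    }


if __name__ == "__main__":
    for key, val in trace(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

Run it as-is and the earliest hop comes out as 186.226.237.238 submitting to host.psttsxserver.com with authentication as dan@gtacs.com, which is the picture the article draws: not a spoofed From: line but a real account used from an unrelated address. Feed it a message with more relays and the consistency check will show where the self-reported part of the chain ends and the trustworthy part begins.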

The Gtacs.com home page.

I forwarded this spam message back to Dan@gtacs.com, the apparent sender. Receiving no response from Dan after several days, I grew concerned that cybercriminals might be rooting around inside the networks of this defense contractor that does communications for the U.S. military. Clumsy and not terribly bright spammers, but intruders to be sure. So I forwarded the spam message to a Linkedin contact at Trace Systems who does incident response contracting work for the company.

My Linkedin source forwarded the inquiry to a “task lead” at Trace who said he’d been informed gtacs.com wasn’t a Trace Systems domain. Since many facts pointed to a different conclusion, I escalated the inquiry to Matthew Sodano, a vice president and chief information officer at Trace Systems Inc.

“The domain and site in question is hosted and maintained for us by an outside provider,” Sodano said. “We have alerted them to this issue and they are investigating. The account has been disabled.”

Presumably, the company’s “outside provider” was Power Storm Technologies, the company that apparently owns the servers which sent the unauthorized spam from Dan@gtacs.com. Power Storm did not return messages seeking comment.

According to Guilmette, whoever Dan is or was at Gtacs.com, he got his account compromised by some fairly inept spammers who evidently did not know or didn’t care that they were inside of a U.S. defense contractor which specializes in custom military-grade communications. Instead, the intruders chose to use those systems in a way almost guaranteed to call attention to the compromised account and hacked servers used to forward the junk email.

“Some…contractor who works for a Vienna, Va. based government/military ‘cybersecurity’ contractor company has apparently lost his outbound email credentials (which are probably useful also for remote login) to a spammer who, I believe, based on the available evidence, is most likely located in Romania,” Guilmette wrote in an email to this author.

Guilmette told KrebsOnSecurity that he’s been tracking this particular pill spammer since Sept. 2015. Asked why he’s so certain the same guy is responsible for this and other specific spams, Guilmette shared that the spammer composes his spam messages with the same telltale HTML “signature” in the hyperlink that forms the bulk of the message: An extremely old version of Microsoft Office.

This spammer apparently didn’t mind spamming Web-based discussion lists. For example, he even sent one of his celebrity diet pill scams to a list maintained by the American Registry for Internet Numbers (ARIN), the regional Internet registry for Canada and the United States. ARIN’s list scrubbed the HTML file that the spammer attached to the message. Clicking the included link to view the scrubbed attachment sent to the ARIN list turns up this page. And if you look near the top of that page, you’ll see something that says:

"... xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" ..."

“Of course, there are a fair number of regular people who are also still using this ancient MS Office to compose emails, but as far as I can tell, this is the only big-time spammer who is using this at the moment,” Guilmette said. “I’ve got dozens and dozens of spams, all from this same guy, stretching back about 18 months. They all have the same style and all were composed with ‘/office/2004/12/’.”

Guilmette claims that the same spammers who’ve been sending that ancient Office spam from defense contractors also have been spamming from compromised “Internet of Things” devices, like a hacked video conferencing system based in China. Guilmette says the spammer has been known to send out malicious links in email that use malicious JavaScript exploits to snarf credentials stored on the compromised machine, and he guesses that Dan@gtacs.com probably opened one of the booby-trapped JavaScript links.

“When and if he finds any, he uses those stolen credentials to send out yet more spam via the mail server of the ‘legit’ company,” Guilmette said. “And because the spams are now coming out of ‘legit’ mail servers belonging to ‘legit’ companies, they never get blocked, by Spamhaus or by any other blacklists.”

We can only hope that the spammer who pulled this off doesn’t ever realize the probable value of this specific set of login credentials that he has managed to make off with, among many others, Guilmette said.

“If he did realize what he has in his hands, I feel sure that the Russians and/or the Chinese would be more than happy to buy those credentials from him, probably reimbursing him more for those than any amount he could hope to make in years of spamming.”

This isn’t the first time a small email oops may have created a big problem for a Washington-area cybersecurity defense contractor. Last month, Defense Point Security — which provides cyber contracting services to the security operations center for DHS’s Immigration and Customs Enforcement (ICE) division — alerted some 200-300 current and former employees that their W-2 tax information was given away to scammers after an employee fell for a phishing scam that spoofed the boss.

Want to know more about how to find and read email headers? This site has a handy reference showing you how to reveal headers on more than two-dozen different email programs, including Outlook, Yahoo!, Hotmail and Gmail. This primer from HowToGeek.com explains what kinds of information you can find in email headers and what they all mean.


63 comments

  1. The spammers probably have access to another dozen credentials at that contractor. I suspect their incident response effectiveness will decide if we see more or not.

  2. I’ve long given up trying to help companies with infected servers. It is a major time sink. I actually phoned a nearby biotechnology company with an infected server and wasn’t even allowed to talk to the IT department. The “switchboard” sent me to Human Resources, which apparently is their usual procedure for anyone that doesn’t say the magic word. Presumably they think anyone they don’t recognize must be a head hunter.

    This is why compromised servers never get fixed. Yeah you do a whois and get a contact, but nothing happens.

    Steve Gibson has this term “Internet background noise” or maybe “Internet background radiation.” This nonsense will never go away.

    • Gary you are so right in every respect.

      In this so-called enlightened age – try telephoning
      or emailing a company with information absolutely
      of interest to any sane person – but especially to
      that enterprise – “Do not answer your INBOX”
      comes into play as their first Commandment.

      And this is where an email address is provided
      which, today, is becoming more and more of a
      rarity.

    • Jonathan Rosenne

      Fall back to low tech: a paper letter to the CEO, sent by US mail. It usually gets through.

    • One thing that sometimes gets attention is that if you explain to the phone operator that a “hacker” is using their computers to “sell drugs.” That creates enough interest for them to want to be helpful.

      • But now the challenge is trying not to sound like a tech support scammer.

        • Exactly. If some random person phones or emails me, my first thought is that it’s a scam.

          There is no way to initiate anonymous communication (phone and email) and demonstrate that you have no malicious intent.

          I think the person who suggested snail mail is probably correct. That means of communication has the lowest fraud rate. The return address can be somewhat confirmed with the postal cancellation.

          • Tried that. One of the recipients was still so suspicious that he posted the information to a forum asking if anyone knew who I was. It’s still there today. Awkward.

      • The phrase “kiddie porn” might get their attention too… As others have observed, the problem is getting past the phone-drones, whose job it is to prevent the public from bothering somebody important enough to be able to actually do something.

    • Last year I was targeted by an individual claiming to be a HR recruiter for a staffing company. He claimed to have a job in my skilled field and in my geographic area (obviously he pulled my name from my LinkedIn profile). His email was sent from a domain (even in the header) that matched the company’s domain. It turned out he was not spoofing or using stolen credentials. I found 23 identical web sites where the only difference was the name of the company and the HR director/recruiter. I did research and found stories of people that had been conned out of their DOBs and SSNs because the scammer went through a fake phone interview and then said that the candidate’s info would be required to submit to an employer/client company.
      The scammer actually bought the domains and hosting services. I used WHOIS/ICANN and traced the hosting services to just four hosting companies all based in the US. I sent warnings to the abuse@ email addresses provided by the hosting companies. Two took down the web sites. DreamHost in California replied that they did not care and left the web sites up until they eventually expired after existing for more than a year.
      I built a web site on blogger explaining all that I found to try to warn others from falling for this scam.
      I was really disgusted by the collusion that existed between DreamHost and the scammer since they allowed him to continue to use their services to target and steal from others (his scam was actually mentioned as a specific violation of Terms of Service).
      http://fakestaffing.blogspot.com/

    • About 10 years ago, a forensic investigation of a break-in revealed that one of the compromised machines had been used to scan for vulnerable routers. I located the file where the list was stored and found all the affected IPs belonged to a well known hotel chain. I called their corporate headquarters to try and let them know but was given the run-around. I finally called the ISP that provided the hotel connectivity and was told that the customer had to file a complaint or they were not interested.

      That was a valuable lesson in how little importance people in IT really give to security.

    • I feel you! I tried to warn thousands of MongoDB admins between May 2016 and Jan 2017 when their data was wiped… Less than 1% respond to calls/email and out of those that do respond less than 1% actually fix the security issue(s)… I spent an unknown amount of hours pinging these folks and maybe helped 25-50 out of thousands.

      The Bank of New York Mellon didn’t even care some of their test servers were wide open… head in sand.

    • One humorous exception is contacting community admin types whose departments show up in a search for, “Department of Pubic Works.”
      They usually fix that ASAP!

    • Some magic words:

      “Perhaps your Investor Relations would be interested in this issue. I’ll be happy to contact them myself.”

      And

      “Pardon me, what was your name again?”

    • …”phoned…a company”…that doesn’t own the internet service-hosting company network.

      Another response:
      …”telephoning or emailing a company”… that doesn’t own the internet service-hosting company network.

      I usually don’t deal with individual hosts or companies of sites. I go to the network owners, not site operators that pay internet service-hosting companies, that have “enforceable”–supposedly–terms of service, that often (if it’s a relatively clean network) at some point take corrective action.

    • Gary,

      No doubt, especially after being told to F-Off numerous times years ago.

  3. A fascinating read Brian. Love learning from your articles!

  4. IRS iTunes Card

    I’ve seen some major U.S. Universities email accounts being hacked into. It’s very common that they are used to send 419 scams

  5. Check out SpamCop at http://www.spamcop.net and learn more about what Brian and Guilmette are talking about with respect to headers, etc. and deciphering the metadata.

    This is not an ad. I’m a non-paying user of SpamCop

    You can sign up for free, to report spam either via email or manually via email source (with headers) by copying & pasting the source dump into their web form. Turn on technical details and see how their algorithm pulls out the header data to obtain the sender’s origin and also the links to within the body of the spam message. Once analyzed, I have seen that about 10% of the time the spam originates from Fortune 500 companies as well as major universities. You can also finalize the submission by having the report sent to the listed whois contacts from the email’s origin and/or the owners of the domain links within the email body. It is questionable whether sending reports to domains ending in “.su”, “.cn”, “.ir” is of value. Although SpamCop attempts to strip your email address from the report, the spammers can have other ways of determining who ratted them out. But if you are using a major email provider, like Gmail, Outlook.com, etc. any attempt to mail bomb you would most likely fail.

    They also offer a free blocking list, i.e. the SpamCop DNS-based Blocking List for use with your own mailserver to get safe and effective spam filtering.

    They have other services that you can read about there also.

    • IRS iTUNE cards (real)

      Spamcop is extremely outdated, since Julian Haight sold it to Iron Port (now Cisco) back in the late nineties

      • True dat, but what’s the alternative?

        Manual reporting is a pain, and I haven’t got the time or inclination to write my own automated UCE submission system.

        So it’s SpamCop… or nothing.

        • There’s Spamhaus.

          I evaluated Spamcop but found them very aggressive when blocking. In my situation, they were too aggressive.

          The Zen list from Spamhaus is good, combine with Spamassassin, Bayes, and some other tricks.

          • Thanks, but I don’t want to BLOCK spam, because my email service providers already do a good-enough job of that. Rather, I want to REPORT the small number of messages that DO get through. And Spamhaus does NOT accept spam reports from mere mortals like me.

            So, as I said, the choices for REPORTING spam appear to be SpamCop, do-it-yourself, or nothing.

            • I don’t know much of the nuances; but:
              Some email providers to some unknown extent and occasionally “report spams” as court cases.

              The most well-known one I can think of is mail.aol.com. It has the common click-this-is-spam feature. I know it’s an old-as-forever mail service, and read people don’t like it; yet, at least anti-spam-wise and myself using it for maybe two decades or longer, I’d say it’s one of the better anti-spam mail services I’ve used–better than Hotmail, the old Excite, and Yahoo which I used for many years, and mostly gave up on anti-spamwise. Gmail and GMX.com seem good so far too.

              And, the three good mail services I mentioned seem to mostly clean themselves as long as I mostly don’t give out the email address and have done minor spam reporting. Also, with GMX I rely heavily on the “alias” feature to protect my main email address while giving out up to nine other forwarding addresses, forwarding addresses that may be created and deleted which I do use immensely as anti-spam measures.

            • Another reporting method; but, greatly time-delayed and it is grouped-reporting from numerous users is to forward the spam to knujon.com, which I do using a user-entry, pre-defined email address in SpamCop–reporting to SpamCop which I have configured to also choose Knujon to report to.

              Or, there are a very few desktop email clients that have a plugin (or some option, that I’ve never used) to auto-forward the spam to knujon (and/or SpamCop) at the click of a button, I use a plugin.

      • When you say “outdated” do you mean you have a low opinion of Spamcop.net, or that it is not effective in the (free or paid) service that it offers?

        I am a paid user who has been using Spamcop to report spam to the admins of the systems where it originates or is relayed for over 15 years. While not always effective for average users, those of us that know a header doesn’t mean falling on your head can often use it to reduce spam and even close the affiliate accounts of some spammers.

        Anyone who thinks Spamcop is not an effective tool can contact me for some suggestions that will make you more effective. But the most effective method would be to forward the spam after looking up the IP WHOIS contact information for the systems involved, include the URLs found using the redirection links in the spam, and report the spam to the domain registrars of all the offending domain names.

        Notifying affiliate program managers and domain registrars has been very, very effective for me in shutting spammers down. Almost all of them have rules against using spam and welcome the reports.

        • making_songs_about_the_spamming_rhythm

          Reporting is useless against networks and registrars that do not care to take action. Take the telltale signs of certain pharma spam as an example, that spews for years, and years, and years…

          I could provide specific networks and registrars that run the dirtiest networks, continuously spewing the exact same telltale signs of specific spam–they don’t care to shut it down.

          • >Reporting is useless against networks and registrars that do not care to take action.

            It accomplishes 2 things: provides information to those who subscribe to Spamcop’s blocklist so they can choose to reject or dump future emails from that source. Secondly, scholars can eventually determine that the network is mostly fraud and put it on community block lists.

            • spamming,spamming,spamming_into_the_future(a_ditty_about_spamming))

              Using SpamCop, I don’t report and will not report to the multitude of dirty networks I’m continuously seeing the exact telltale spam types from; I do use SpamCop to report to clean networks and other non-SpamCop pre-defined reporting addresses.

              An example of dirty networks I do not report to are nine of the top sixteen listed here. Another way of putting it, I don’t report to eight of the top eight, which are continuously listed high here, and I continuously see the exact telltale spams from the networks:
              http://www.uceprotect.net/en/l3charts.php
              Many of the same dirty networks are again, and continuously, listed here:
              http://www.spamhaus.org/statistics/botnet-asn
              I could show, what’s already publicly provided, exact IP addresses spamming heavily for weeks from these networks–dirty, dirty networks.

              Another example, concerning a registrar, try to get the registrar to suspend BestKenko.com, operating in violation of Japanese law. In all likelihood it won’t happen in years, if anytime in the foreseeable future, and if it did happen to be suspended I could easily provide another example that will in all likelihood not be suspended in the foreseeable future. A little background:
              http://www.legitscript.com/blog/2017/03/beware-new-bestkenko-strategy-uncovered

              Or, registrar Domainers Choice (Nanjing Imperiosus Technology) as another example which keeps nearly 99% of known bad (spamvertised) domains up and running.
              http://www.spamhaus.org/statistics/registrars

      • Alphonse Tomato

        My outbound email is sometimes rejected because it comes from a CenturyLink mail server that’s gotten onto Spamcop’s RBL. While that clearly says bad things about CenturyLink (inbound mail sometimes bounces because CenturyLink thinks they’ve never heard of me, but that’s a different problem), IMHO it says bad things about Spamcop, too.

        • Spamcop is not itself a block list. If your email provider cannot run a clean enough operation to stay off other providers’ email block rules, they can’t expect to have all email delivered.

          • Right about the CenturyLink (or any other mailing network) staying clean. However, SpamCop is a blacklist, with spam detected by SpamCop and user provided reporting: spamcop.net/bl.shtml

      • Says someone too gutless to use their real name…

  6. Brian neglected to mention this one other small bit that also tends to show how inept these high-priced “cybersecurity experts” at Trace Systems are…

    Not only did they allow a small-time spammer to make off with a set of their login/mailer credentials, but they also allowed the use of those credentials from a totally anonymous IPv4 address located IN BRAZIL! (186.226.237.238)

    Doh!

    You gotta ask yourself: If a lowly small-time spammer can manage to get this far in compromising this kind of (DoD contractor) company, then how far could a really DETERMINED adversary get?

    And these guys are holding themselves out as being technically super-savvy “cybersecurity” experts! Sheeesh!

    And these guys apparently have a central role in building the DoD’s next generation *battlefield* communications system!! DOUBLE SHEEESH!

    Your tax dollars at work.

    (I’d call them and offer them my services as a security consultant, but they are probably mad at me now for publicly outing their boneheadedness.)

    • spamming,spamming,spamming,just_killing_time,and_making_songs_about_the_spamming_rhythm

      “totally anonymous IPv4 address located IN BRAZIL! (186.226.237.238)”?

      LACNIC:
      carlos@
      localdatacenter.com.br

      he.net whois:
      “Carlos Augusto Paiva dos Santos”

      LACNIC:
      The next upstream routing network. Using another of their network IP ranges, for example, 177.222.248.0:
      Again, “Carlos Augusto Paiva dos Santos”
      giganetdc.com.br – GIGANET SERVICOS DE INTERNET LTDA

      If those domains wish to be anonymous, then there’s other upstream routes that may have an interest on what’s being routed as peer (likely not):
      alog.com.br – EQUINIX BRASIL at this time.

      And, further up both routing paths for more peer routing, that may have an interest (likely not) in what is running from those downstream networks .

  7. As an email security provider I’ve seen situations where a company’s email reputation score drops very low tied to this type of situation, and then their email gets dropped or declined as a result. (Ok, yes, and then they call and yell at us for dropping their emails.)

    We’ve also seen same circumstance but leveraged for business email compromise, which is a much scarier scenario.

  8. This is a great post to help educate users and admins about the ongoing spam and spoofing problems as well as the use of hacked accounts.

    What I don’t understand is why we have not moved to the standard of blocking all non-USA IP and email traffic from systems that do not need to be exposed? We have effectively blocked a very high percentage of non-USA web traffic from our client’s servers using a freely available firewall application on Linux servers.

    Yes, you are correct that a great deal of web site spam may originate offshore but uses US-based servers. But you know what? We block a very large percentage of that as well after years of working at it. We don’t use this system for blocking email spam, but our client has some need to receive non-US email and I use other methods to limit their exposure, mostly via low-tech methods.

    I wish all ISPs and hosting companies would offer the option for users to have their sites or accounts on systems that only allows US traffic. I think many would pay a little more to have this added measure of security.

    • making_songs_about_the_spamming_rhythm

      Mentioned that to Yahoo perhaps 17 years ago.
      My outcome: Left them as an email provider.

    • I have also gone the route of UFW (Uncomplicated Firewall) for my Linux systems, because I host a secure shell server at my office. However, it’s not that easy to block all non-USA addresses because the address space is fragmented. I’ve been able to block most of Asia, Africa, and Europe. But South America is harder and so is Canada.

      What I get is continuous brute force attacks on SSH, which I control with Fail2Ban. As I see repeat upper level domains, I block them with UFW. I.e. it’s easy to block xxx.0.0.0/8 when they are in Africa, but that is not possible with South America, as xxx.0.0.0/8 is, let’s say, MX, mixed with UY, mixed with US addresses.

      Now having blocked most of the world, the attacks are now predominantly coming from the Amazon Cloud, GoDaddy, Comcast, and similar US hosted domains. Those I may be able to do something about, in a legal sense…

    • I block all IP space except countries where I might want to send or receive email. That is, all ports except for 25 are blocked from countries I don’t expect to be in. These password guessing bots must create their own “do not call” lists since they seem to just stop knocking on the port.

      I supplement the list with a handful of USA based universities and data centers that are either researchers or have bots (intentional or unintended)

      A commercial email service would just need a database per user of which countries they would want email access.

      I know about fail2ban but my cellphone seems to do a little port knocking, perhaps part of imap sync. So it creates a false positive. Hence fail2ban might lock me out.

  9. Just as an addition: A spammer can not only forge the from: header, but also some of the Received: headers. In this e-mail there is only one, so this is obviously not forged. But if you see more than 2, some of these may be forged. A spammer can add as many of these headers as he wants to. Then, on its way through the internet, the mail gets more of these headers, which can not be forged. But still these lines are helpful in detecting spam. So f.ex. if you are sure you will never get e-mail from Russia, you might scan these headers for Russian IPs, and if there is at least one, move the e-mail to the spam folder. Even if the from: line says the mail comes directly from your neighborhood, if there is a Russian server involved, forget it. Luckily a spammer can not remove this header, because it is added after he sent the mail.
    Another good criterion for automatic removal of spam is the character set. F.ex. I can not read Japanese or Chinese text. So no matter what the contents of the mail is, I know in advance that I can not read it, and the robot throws it away.
    Next point, but that has to be manually set up, if a person I know sends me an e-mail, my robot expects a specific combination of sender, mail server and character set. If these criteria don’t match, it’s spam.
    There could be more, but I did not have the time to investigate this. F.ex. it would be possible to do some speech statistics of known persons. The words and grammar used by a specific person are like a fingerprint. If that fingerprint does not match, it’s spam. In general, there _are_ ways to defend against spam. You just have to _use_ them 🙂

    • I’ve received legitimate messages from Japanese, Russian, and German people who wrote in English but had native-language signatures. Plus, more and more software these days just uses Unicode, including software used by spammers. Character set/encoding is a pretty poor indicator in 2017.

    • Remember, the only header you can trust is the one added by a server under your control. On a gmail/yahoo/etc. account, the most recent header (at the top) is fairly reliable.
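The two points above (forged Received: lines are still usable as a country signal, but only the header stamped by your own MTA is verified) as an added example, not code from the article or its commenters. The sample headers, the MTA name `mx.ourdomain.example` and the IP-to-country table are constructed for the demonstration.

```python
import re
from email import message_from_string

OUR_MTA = "mx.ourdomain.example"   # assumed name of the MTA we control
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

# Constructed message: the top Received: line was added by our own server,
# everything below it was handed to us by the connecting server.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [203.0.113.5])
    by mx.ourdomain.example (Postfix) with ESMTP id 5FE083AE87
    for <user@ourdomain.example>; Wed, 12 Apr 2017 13:37:44 -0700 (PDT)
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mail.sender.example with ESMTPSA
Received: from friendly-neighbor.example (localhost [127.0.0.1])
    by mail.sender.example with ESMTP
From: "A Neighbor" <neighbor@friendly-neighbor.example>
Subject: hi

body
"""

# Constructed IP-to-country table standing in for a GeoIP lookup.
GEO = {"203.0.113.5": "US", "198.51.100.77": "RU"}

def parse_received(raw_message):
    """One dict per Received: header, newest first. Hops are trusted only
    while they were stamped 'by' our own MTA; once the chain reaches a
    foreign server, every lower line is unverified and may be forged."""
    hops, trusted = [], True
    for hdr in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(hdr.split())          # unfold continuation lines
        ip, by = IP_RE.search(flat), BY_RE.search(flat)
        by_host = by.group(1).rstrip(";") if by else None
        if by_host != OUR_MTA:
            trusted = False
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by_host, "trusted": trusted})
    return hops

def flag_blocked_countries(hops, geo, blocked):
    """IPs from any hop, verified or not, in a country we never expect mail
    from. A forged line still counts: the spammer put it there himself."""
    return sorted(h["from_ip"] for h in hops
                  if h["from_ip"] and geo.get(h["from_ip"]) in blocked)
```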

  10. I’ve tried contacting e-mail providers before when phishy messages actually manage to get through Rspamd. In most cases an enforceable DMARC policy would stop all sorts of messages, but sometimes it’s been compromised hosts sending messages with valid DKIM signatures. I’ve found it very difficult to get in touch with anyone. When I have managed to get a hold of someone they promise to get IT to fix it—and it doesn’t get fixed.

    I’ve since given up. It’s a shame, because I truly do want to ameliorate the situation, but I have more interesting things to get frustrated with.

  11. Thanks again for the great article, Brian! However, from personal experience I’ve been down this rabbit trail so many times that I no longer bother. Just one email account, not counting Gmail, gets 60-80 spam messages a day. I tried using the very same methods you document, perusing the header and then using different tools to get to an actual sender. My result for the effort was very frustrating and ineffective in even stopping one spammer from spamming. Most hosting providers don’t give a crap about doing anything, and many of the most guilty ones are outside of the continental USA.

    I found it of greater efficiency to use Thunderbird as my email browser and train the filter to block spam content. Currently it’s at a 90%-95% efficiency in blocking spam and gets better every day with further training. And if the sender is on the contact list, it keeps them from getting marked as spam.

    I would LOVE to follow every spammer to the source, but with the volume that comes in, it would be a full time job with plenty of overtime, and without a salary it’s not a volunteer position I want…

  12. Brian,

    Sure, headers can be daunting for ordinary users. However, there’s a really simple answer that will let you know instantly that something’s a spam: TURN OFF HTML EMAIL. Set your mailtool to display in plain text.

    For example, if you do that, you’d instantly see, for example, the spam/phish that got through to me at work today, that alleged I had a traffic ticket, signed by the police department. Oddly enough, since I’m using Thunderbird set to plain text, I don’t see just the sender’s name, I see that it was sent by “Police Department uwqdxadh@restaurant-lapommedepin.com”, which seems an odd source for a police dept.

    Or you’d see, as I did, months ago, that the spam/phish allegedly from the IRS wanted me to click a link… to a website in Brazil (.br).

    The side benefit to plain text is that you are encouraged to pay attention to content, not style.

    mark

  13. I had an outlook.com email that I used to troll scammers on Craigslist. Once a scammer didn’t BCC their list of recipients so I replied to all telling them that it was spam and such trying to be a good community team player. That account got suspended for spamming, oops. They wanted a phone number to text a code to and I don’t have a burner so that pastime is gone now.

  14. Nice article and comments.

    I had a client’s domain get blacklisted because it was hosted on the same server as the actual culprit. What a hassle.

    About 10 years ago I talked to an ISP owner whose company was blacklisted because some motel customer had horribly infected WinPCs that spammed relentlessly and the motel did nothing about it. To save his own company’s reputation, the ISP sent people to clean the WinPCs at the motel free of charge.

    About 12 years ago during my first visit to a new client, a medical office, I opened a pinhole in the firewall and saw the previous tech had completely exposed the Windows Server on the DMZ. This server hosted the office’s patient data and also, unbeknownst to the office, hosted a porn spam server, which I removed after I disabled the DMZ.

    Lazy technicians with poor judgment are a huge cause of vulnerabilities that lead to breaches. The laziness mainly comes into play with remote access. They don’t change default passwords, or make really short ones (6 characters) they use at all their client sites, or they turn on access from the WAN.

    The world of tech isn’t configured to protect against sociopath Slavs protected by their paid-off governments.

  15. I feel like we’re barking up the wrong tree with this…

    Rather than going after spammers, perhaps we need to make an attempt to embarrass the people who actually are dumb enough to buy stuff from spam. While cheap, spamming isn’t a free way of advertising and if people had a reason to believe that if they bought diet pills from that “too good to be true” email they were not only going to lose their money, but were also going to be humiliated in front of friends and family they would quit doing it.

    I’m all about making stupidity painful.

    • Lottery tickets have been described as “a tax on people who are bad at math.” I’m sure many people know about the statistically-zero odds of lottery tickets and statistically-near-certain benefits of savings and (conditionally) investing. And yet they buy lottery tickets, likely because they FEEL GOOD doing it.

      So also is spam, I reckon.

  16. Given the nature of the affected org here, I would almost be concerned that this is a smokescreen. While their incident response teams are running around dealing with PR etc. something more serious could still be going on.

    In fact I’d bet five bucks on it.

  17. Spamhaus-type blacklists help a lot, but we reduced our remaining spam by about 80% just by doing this one thing:

    We now analyze inbound mail to get whois info on the domain in the Return-Path. We won’t accept mail from domains with registration dates that are newer than 48 hours.

    I suspect that if you look at the return-path domains you’ll see they’re very frequently from domains registered the same day the mail is sent.

    This doesn’t block the kind of email in Brian’s story, but it works like a charm on a big chunk of them.
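The Return-Path domain-age check described in this comment, written out as an added example (not the commenter's own code). The WHOIS creation dates, the domain names and the 48-hour threshold's fail-open behaviour for unknown domains are assumptions; a real deployment would query WHOIS/RDAP, cache the answer, and use the Public Suffix List rather than the two-label shortcut below.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parseaddr

MIN_AGE = timedelta(hours=48)

# Constructed WHOIS creation dates keyed by registrable domain; stands in
# for a live WHOIS/RDAP lookup so the example runs offline.
FAKE_WHOIS = {
    "longstanding.example": datetime(2009, 3, 2, tzinfo=timezone.utc),
    "fresh-pills.example": datetime(2017, 4, 12, 9, 0, tzinfo=timezone.utc),
}

def registrable_domain(return_path):
    """'<bounce@mta3.fresh-pills.example>' -> 'fresh-pills.example'.

    Returns None for the null Return-Path (<>) used by bounces, which has no
    domain to look up. Assumes two-label registrable domains (hypothetical
    simplification; use the Public Suffix List for co.uk-style TLDs)."""
    _, addr = parseaddr(return_path)
    if "@" not in addr:
        return None
    labels = addr.rsplit("@", 1)[1].lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def accept_return_path(return_path, now, lookup=FAKE_WHOIS.get):
    """(accept, reason). Domains without a creation date are accepted so a
    WHOIS outage never bounces legitimate mail; that fail-open choice is an
    assumption the operator should make deliberately."""
    domain = registrable_domain(return_path)
    if domain is None:
        return True, "null or malformed Return-Path, check skipped"
    created = lookup(domain)
    if created is None:
        return True, f"no registration date for {domain}"
    age = now - created
    if age < MIN_AGE:
        return False, f"{domain} registered {age} ago (< 48h), rejected"
    return True, f"{domain} registered {age} ago"

if __name__ == "__main__":
    now = datetime(2017, 4, 12, 20, 37, tzinfo=timezone.utc)   # constructed
    for rp in ("<bounce@mta3.fresh-pills.example>", "<dan@longstanding.example>", "<>"):
        print(rp, accept_return_path(rp, now))
```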

  18. I’m an email administrator at a major US public university. The behavior described here has been a plague on university email systems (and probably others), for at least 10 years now. The pattern is the same every time: Use some sort of minor trickery, usually phishing or other similar social engineering, to acquire email credentials, then use them to send spam from well regarded mail servers with high reputations and good connectivity. The spam is a combination of money-maker messages and more phish to get the next set of cracked accounts to use. The only thing that makes this story interesting is the irony of a defense contractor getting hit. I’m not criticizing Brian, that angle and everything that goes with it makes the story worth publishing. I’m just saying that this behavior is both appallingly and boringly ubiquitous.

    It’s also no surprise that the spammer didn’t realize the value of what he had. It’s been my observation that they aren’t very smart, and tend to stick with what they know. Guilmette has been chasing this one pill spammer since 2015, so it’s pretty clear that spamming is his thing. I’ll take that $5 bet about it being a smoke screen. 🙂

  19. Brian,

    Sorry for the off-topic nature of this post. I remember that some time ago you published a long article discussing one particular individual whom you suspected of perpetrating DDoS levels of attacks whilst simultaneously trying to sell protection to the companies they were targeting.

    I recall that one class of target happened to be Minecraft servers. I am not sure if this is in any way related, but wondered if you had seen this article,

    https://www.theguardian.com/uk-news/2017/apr/21/teenage-hacker-made-300000-from-selling-malware-court-hears

    covered by the UK Guardian newspaper, which describes a UK teenager that has been found guilty of attacking Minecraft, Runescape and others. No idea if they are related to your story, but thought you might be interested in cross-checking.

    • Yeah apparently Mudd had some medical testimony given to the court, which is now expected to rule on sentencing next Tuesday, I’m told.

  20. As an SA I’m seeing this more and more lately, compromised email accounts being used to send spam – mostly pornographic in nature and often using exploits to gather more accounts.

  22. The curious thing to me is the IP in Brazil mentioned. Wouldn’t that be the origin? Can we assume they have access to tracesystems mail server? btw most spam I see has been bounced around through various yourhostingaccount servers, perhaps in an attempt to “clean up” the headers to bypass spam filters.

  23. You’re an idiot. Reply-To: is the first field that the spammers will forge. The only non-forged header is the first Received:, which is placed on the email by your own email server.