PC pages - Rant: Distributed spam


October 9, 2003:

Yesterday as I downloaded my mail from one of my other domains, I noticed there were many mailer-daemon failure messages. Irritating, but I soon got fascinated by what I found:

1) The failure messages were all from AOL.

2) They were all from different addresses on my domain - non-existent ones (the domain has catch all e-mail).

3) The sender addresses were all random series of numbers and letters, and there was always a name given as the sender, not just an e-mail address.

4) All of the mails were sent to three to six AOL recipients: one in the To field, and the rest in the CC field.

5) The mails were apparently sent from different hosts - different IP numbers on virtually all of them.

6) Many of the e-mail addresses used in the spam-run failed, but not all. Some mails got through for each of the failure messages I got. Who knows how many succeeded without any failures! I really hope people understand I had nothing to do with this!

7) One mail garnered a different response from AOL, and this response was given for each addressee (I've munged the address it was sent to that I'm showing here):

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

xxxxxxx@aol.com
SMTP error from remote mailer after initial connection:
host mailin-03.mx.aol.com [64.12.138.120]: 554- (RTR:SC) The information presently available to AOL indicates
554- that this server has been repeatedly used to transmit unsolicited
554- bulk e-mail to AOL. Based on AOL's e-mail policies at
554- http://postmaster.info.aol.com/standards.html, AOL cannot accept
554- further e-mail transactions from this server for an extended
554- period of time. Please have your ISP/ASP contact AOL to resolve

8) Here are the hosts that were apparently used for this (apparently) distributed spam run. These are the ones I've received to date:

See separate page

9) Another thing I noticed that may or may not mean something:

Those that originated with AOL had this line (I've munged the address):

X-Apparently-From: xxxxx@aol.com

So my question is whether this was done by the spamming software, or whether it was added by AOL after the PC was hijacked.

10) Here are the actual headers of one message (the AOL mail daemon sends the headers, but not the complete message, of failed messages back to the apparent sender), with lots of munging of e-mail addresses:

Received: from d-43-88.dhcp-149-159.indiana.edu (d-43-88.dhcp-149-159.indiana.edu [149.159.43.88]) by rly-yb02.mx.aol.com (v96.8) with ESMTP id MAILRELAYINYB22-17e3f842e57d5; Wed, 08 Oct 2003 11:33:44 -0400
Message-ID: <u7$$134$kify2$-r-s8945-$$$7@1lp1.3up>
From: "Kelsey Pope" <oyucqh8@xxxxxxx.com>
Reply-To: "Kelsey Pope" <oyucqh8@xxxxxx.com>
To: xxxxxx@aol.com
Cc: <xxxxxx@aol.com>, <xxxxxx@aol.com>, <xxxxx@aol.com>,
<xxxx@aol.com>, <xxxx@aol.com>
Subject:  Fw:You can order Anti-depressants, weight loss meds,and pain relief meds online with NO PRESCRIPTION wronshzhwlptlrwdwxktqqludwsfketrx daov p lqzdhffdmctwpudlqepy jei n oozl o d c
Date: Wed, 08 Oct 2003 10:20:09 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="8_6_B.9.5."
X-AOL-IP: 149.159.43.88
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0

11) Here is part of the headers of a mail I once sent, where I got a 550 failure in return from AOL. As usual, I'll munge it (if you receive mail from me, I don't mind that you know my IP address, but I don't put it on the web when I don't have to. I have no qualms about revealing the IP addresses of compromised machines, though; how's that for a double standard?). Also note that different mail programs will produce slightly different headers, and mine is not OE:

Received: from xxxxx (xxxx [xxxx]) by rly-xd04.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXD44-11c3f51f0433dc; Sun, 31 Aug 2003 08:55:31 -0400
Received: from xxxnameofmycomputer (xxxxx [xxxx])
by xxxxx (8.9.3p2/8.9.3) with ESMTP id OAA28152
for <xxxxx@aol.com>; Sun, 31 Aug 2003 14:55:00 +0200 (MEST)
From: "xxxx" <xxxxx@xxxx.com>
Organization: xxxx.com
To: xxxx@aol.com
Date: Sun, 31 Aug 2003 14:55:57 +0200
MIME-Version: 1.0
Subject: xxxxxxxxxxxxxxxx
Reply-to: xxxx@xxxx.com
Message-ID: <3F520C7D.16277.D2AFAD@localhost>
Priority: normal
X-mailer: xxxxx
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
X-AOL-IP: xxxxx
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0

12) Here are the headers of a mail with my return address, that was sent by another machine, and then stopped by AOL because it contained a virus (again, munged):

Received: from CASH4MODELS (mtl-ppp-152843.qc.sympatico.ca [65.94.35.135]) by rly-xn04.mx.aol.com (v95.1) with ESMTP id MAILRELAYINXN43-6433f379b79184; Mon, 11 Aug 2003 09:34:49 -0400
From: <xxxxx@xxxx.com>
To: <xxxx@aol.com>
Subject: Approved
Date: Thu, 29 May 2003 9:28:05 --0400
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="CSmtpMsgPart123X456_000_004F59C7"
X-AOL-IP: 65.94.35.135
X-AOL-SCOLL-SCORE: 0:XXX:XX
X-AOL-SCOLL-URL_COUNT: 0
Message-ID: <200308110934.6433f379b79184@rly-xn04.mx.aol.com>

13) So, conclusion? It's probably a distributed spam-run caused by virus-infected single computers. Their owners are probably completely unaware of what their computers are doing.

14) November 7, 2003: 
I still receive these messages now and then, but these days I receive more of these:

----- Transcript of session follows -----
... while talking to air-xh04.mail.aol.com.:
>>> RCPT To:<xxxmunged@aol.com>
<<< 550 xxxmunged IS NOT ACCEPTING MAIL FROM THIS SENDER
550 <xxxmunged@aol.com>... User unknown

In other words, this AOL user has received spam from my domain name before, and is now blocking any mail from it. To mail servers, this message looks like a failure message of the same type that is generated when an address doesn't exist (550). But when you open it up and check it, you'll see that the text is different. You can imagine that this is getting to be a big problem. I don't know if these people think *I* spammed them. I imagine they might if they don't know me. That's distressing! I really hope somebody finds a cure for this problem, and makes it known so the number of zombie machines will sink dramatically!

15) Note that all the spam messages I've seen are different (I usually see the subject line, and when the sending IP address has been blocked I'll get a copy of the full mail), so I imagine there must be some kind of communication between the spammer and these machines.

16) I just noticed that all the user agent strings on some of the latest batch are different. There's another sub-group without any user agent strings at all. Two different trojans?

17) I sent a bunch of abuse complaints today, and in my haste, I read some headers incorrectly. One nice admin sent a reply explaining what had happened in one case: a forged header that made the mail seem to come from his IP address, while the mail had instead come from China! I then checked a few more headers, and saw that there are several ways these mails are sent. He gave me a useful tool for checking IP numbers:

http://www.openrbl.org/ 

When checking some of the IP numbers I found, I came across this line:

CBL/abuseat.org: 553 CBL Proxy/Trojan

The description reads: Fully automated feed from very large spamtraps, lists open proxies and trojans of any kind

Interesting, so in spite of very few news reports about this, it's known in the spam fighting biz that there are trojanized zombies out there! Interesting!

18) December 21, 2003: A new type of spam run started November 29 or earlier. This time the e-mail addresses used as "from" consist of a name or two and two random characters. Here are some examples:

sami.shepard_kn
b_beeman_me
y.cchasse_qw
claybrook_xc

Those bounces I got from November 29 and later all claim to have been produced by:

X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165

One of my friends uses this version of OE. It may be a forge job, or it could be a case of using a flaw in OE, I don't know.

19) December 21, 2003: Since December 5, 2003 I no longer get bounces (except a few 550 bounces) from AOL. AOL is refusing to deliver the e-mails for these reasons. Bear in mind that the bounces are actually from other mail servers, so they don't necessarily include the right language that an AOL bounce would:

December 5 and onwards:

  • (reason: 554 TRANSACTION FAILED 554 AOL will not accept delivery of this message)
  • SMTP error from remote mailer after end of data:
    host mailin-01.mx.aol.com [205.188.159.57]: 554 TRANSACTION FAILED:
    (HVU:B1) The URL contained in your email to AOL members has generated a high volume of complaints. Per our Unsoli
  • SMTP error from remote mailer after initial connection:
    host mailin-04.mx.aol.com [64.12.138.152]: 554-(RLY:B2) The information presently available to AOL indicates this
    554-server is transmitting unsolicited e-mail to AOL. Based on AOL's
    554-Unsolicited Bulk E-mail policy at http://www.aol.com/info/bulkemail.html
    554-AOL cannot accept further e-mail transactions from this server.
    554-Please have your ISP/ASP or server admin call AOL at 1-888-212-5537,
    554 or visit http://postmaster.info.aol.com for more information.
  • Action: failed
    Status: 5.4.4 (Illegal host/domain name found)
    Remote-MTA: dns;mailin-02.mx.aol.com (TCP|167.206.5.112|43090|64.12.138.89|25)
    ([RLY:B1] The information presently available to AOL indicates this)
  • <<< 554-(RLY:B1) The information presently available to AOL indicates this
    <<< 554-server is generating high volumes of member complaints from AOL's
    <<< 554-member base. Based on AOL's Unsolicited Bulk E-mail policy at
    <<< 554-http://www.aol.com/info/bulkemail.html AOL may not accept further
    <<< 554-e-mail transactions from this server or domain. For more information,
    <<< 554 please visit http://postmaster.info.aol.com.  
  • Action: Failed
    Status: 5.3.0 (other or undefined mail system status)
    Remote-MTA: dns; mailin-01.mx.aol.com
  • Reason: SMTP transmission failure has occurred
    Diagnostic code: smtp;554 TRANSACTION FAILED: (HVU:B3) AOL is unable to parse the URL contained in this message. Per our anti-spam, Unsolicited Bulk Email polic
    Remote system: dns;mailin-03.mx.aol.com (rly-xh03.mx.aol.com ESMTP mail_relay_in-xh3.6; Sat, 13 Dec 2003 07:02:24 -0500)
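As an added example, not tooling from this page or its author: a small Python script that pulls the delivering host's IP out of the headers AOL returns (items 10 and 17: only the topmost Received: line, written by AOL's relay, and X-AOL-IP reflect what AOL actually saw; lower Received: lines come from the sender and can be forged), labels the bounce reasons quoted in items 14 and 19, and builds the reversed-octet name a DNSBL such as the CBL is queried with. The sample headers and the second, forged Received: line are constructed for illustration.

```python
import re
from email import message_from_string
from typing import Optional

# Constructed sample modelled on item 10: AOL's own Received: line on top,
# then a forged Received: line (hypothetical) that the sender supplied.
SAMPLE_HEADERS = """\
Received: from d-43-88.dhcp-149-159.indiana.edu (d-43-88.dhcp-149-159.indiana.edu [149.159.43.88]) by rly-yb02.mx.aol.com (v96.8) with ESMTP id MAILRELAYINYB22-17e3f842e57d5; Wed, 08 Oct 2003 11:33:44 -0400
Received: from forged.example.invalid (forged.example.invalid [192.0.2.10]) by d-43-88.dhcp-149-159.indiana.edu
From: "Kelsey Pope" <oyucqh8@xxxxxxx.com>
To: xxxxxx@aol.com
X-AOL-IP: 149.159.43.88
"""


def originating_ip(raw_headers: str) -> Optional[str]:
    """IP of the host that handed the message to the bouncing relay.

    Trust only the topmost Received: line (added by the bouncing relay) and
    cross-check it against X-AOL-IP; return None if the two disagree.
    """
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    from_received = m.group(1) if m else None
    aol_ip = msg.get("X-AOL-IP")
    if aol_ip and from_received and aol_ip != from_received:
        return None
    return from_received or aol_ip


# Patterns from the bounces quoted on this page, in the order they must be
# tried: the 550 "NOT ACCEPTING MAIL" transcript also contains "User unknown".
BOUNCE_RULES = [
    (r"NOT ACCEPTING MAIL FROM THIS SENDER", "recipient-blocked-sender"),
    (r"User unknown", "no-such-user"),
    (r"\((?:RTR|RLY):[A-Z0-9]+\)", "sending-host-blocked"),
    (r"\(HVU:[A-Z0-9]+\)", "url-in-body-blocked"),
]


def classify_bounce(diagnostic: str) -> str:
    """Map a bounce's SMTP diagnostic text to a coarse reason label."""
    for pattern, label in BOUNCE_RULES:
        if re.search(pattern, diagnostic):
            return label
    return "other"


def dnsbl_query_name(ip: str, zone: str = "cbl.abuseat.org") -> str:
    """Name to resolve for a DNSBL lookup of ip (octets reversed); no network I/O."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

Resolving the name from dnsbl_query_name with a DNS client, and reading the returned A record per the list's documentation, is the lookup the openrbl.org page performed on the author's behalf.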

20) Until today, I haven't had any problems apart from an occasional slew of bounces because of these spam runs. But today an e-mail to a friend on AOL bounced back! This is the error message I got back:

----- Transcript of session follows -----
... while talking to mailin-03.mx.aol.com.:
<<< 554-(RLY:B1) The information presently available to AOL indicates this
<<< 554-server is generating high volumes of member complaints from AOL's
<<< 554-member base. Based on AOL's Unsolicited Bulk E-mail policy at
<<< 554-http://www.aol.com/info/bulkemail.html AOL may not accept further
<<< 554-e-mail transactions from this server or domain. For more information,
<<< 554 please visit http://postmaster.info.aol.com.
... while talking to mailin-04.mx.aol.com.:


Read these usenet messages that talk about this problem:

This page was created by Ann Elisabeth Nordbo and has its home at http://www.annelisabeth.com/
Updated 10.23.2005

Premiere issue March 3rd 2000