Blatant spam getting through again

paulby
Grafter
Posts: 1,619
Registered: 26-07-2007

Blatant spam getting through again

I've received about 20 of these in the past hour or so, all from domains ending in .es and all going straight to my inbox.
It's being given a X-pn-pstn: Spam 0 score.
The only odd thing I've noticed about these is that the subject line in the header reads
Quote
Subject: =?iso-8859-5?B?WW91IHdhbm5hIHNjcmV3IGhl?=
     =?iso-8859-5?B?ciB3ZXQgaG9sZQ==?=

but is displayed as (or other very similar subject lines)
Quote
You wanna screw [censored][censored] hole
(self censored)
The mails contain links to sites in Russia.
Headers:
Quote
Return-path: <pj.sanchezn@saunierduval.es>
Envelope-to: xxxx@xxxxxxx.plus.com
Delivery-date: Sat, 17 Jan 2009 11:57:26 +0000
Received: from [212.159.7.103] (helo=mx.pcl-ipin04.plus.net)
     by fhw-sunmxcore02.plus.net with esmtp (PlusNet MXCore v2.00) id 1LO9nq-0005V0-FA
     for xxxxxx@xxxxxxxxx.plus.com; Sat, 17 Jan 2009 11:57:26 +0000
Authentication-Results: mx.pcl-ipin04.plus.net; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=203.130.149.1;
     receiver=mx.pcl-ipin04.plus.net;
     envelope-from="pj.sanchezn@saunierduval.es";
     x-sender="pj.sanchezn@saunierduval.es";
     x-conformance=sidf_compatible
Received-SPF: None identity=mailfrom; client-ip=203.130.149.1;
     receiver=mx.pcl-ipin04.plus.net;
     envelope-from="pj.sanchezn@saunierduval.es";
     x-sender="pj.sanchezn@saunierduval.es";
     x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=203.130.149.1;
     receiver=mx.pcl-ipin04.plus.net;
     envelope-from="pj.sanchezn@saunierduval.es";
     x-sender="postmaster@hosting7.ji-net.com";
     x-conformance=sidf_compatible
X-SBRS: -1.0
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: At9xAC9WcUnLgpUBWmdsb2JhbACBaQFVMAETQD9QhBcagWyCZYUQFg9xARYICwgSFKkvgnWLGwaFbYI7
X-IronPort-AV: E=McAfee;i="5100,188,5497"; a="21018498"
X-IronPort-AV: E=Sophos;i="4.37,280,1231113600";
     d="scan'208";a="21018498"
Received: from hosting7.ji-net.com ([203.130.149.1])
     by mx.pcl-ipin04.plus.net with SMTP; 17 Jan 2009 11:57:24 +0000
Received: from vdrw (67.69.227.181)
     by hosting7.ji-net.com; Sat, 17 Jan 2009 19:00:53 +0700
Message-ID: <009101c4792a$20d144f0$54ae71bf@vdrw>
Reply-To: <jhonfer19@yahoo.es>
From: <pj.sanchezn@saunierduval.es>
To: <xxxxx@xxxxxxxx.plus.com>
Date: Sat, 17 Jan 2009 19:00:53 +0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
     boundary="----=_NextPart_000_0098_01C471BF.54AE44F0"
X-Priority: 5
X-MSMail-Priority: Low
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-pn-pstn: Spam 0
Subject: =?iso-8859-5?B?WW91IHdhbm5hIHNjcmV3IGhl?=
     =?iso-8859-5?B?ciB3ZXQgaG9sZQ==?=
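The subject quoted above is RFC 2047 encoded-word syntax, `=?charset?B?base64?=`, folded across two lines. The Python below is added here and is not part of the original post: it reassembles such a subject the way a mail client does, and flags the tell-tale sign in this header, a Cyrillic charset (iso-8859-5) declared for text that is plain ASCII English, which a filter can score on. The samples are constructed, not the thread's own subject, and the charset allow-list is a heuristic assumption.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")

# Charsets in which an all-ASCII payload is unremarkable (Western MUAs label plain
# ASCII this way routinely). Any other charset carrying only ASCII bytes declares an
# alphabet the text never uses. Heuristic allow-list, an assumption of this example.
ASCII_COMPATIBLE = {"us-ascii", "utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

# Constructed samples (not the thread's own subject): the first copies its shape, an
# English phrase base64-encoded, split over a fold and declared as Cyrillic iso-8859-5.
SPAM_STYLE = "=?iso-8859-5?B?Q2FzaW5v?=\n     =?iso-8859-5?B?IGJvbnVz?="
LEGIT_STYLE = "Re: =?utf-8?Q?Rechnung_f=C3=BCr_M=C3=A4rz?="

def _unfold(header: str) -> str:
    """Join RFC 5322 continuation lines (newline followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", header)

def _decode_word(encoding: str, text: str) -> bytes:
    """Undo the B (base64) or Q (quoted-printable variant) transfer encoding."""
    if encoding in "Bb":
        return base64.b64decode(text + "=" * (-len(text) % 4))  # tolerate dropped padding
    return quopri.decodestring(text.encode("ascii"), header=True)  # header=True: '_' -> space

def decode_subject(header: str) -> str:
    """Render a Subject value as a mail client displays it. Whitespace between two
    adjacent encoded-words is discarded (RFC 2047 section 6.2), which is why a subject
    folded across two lines reads as one unbroken sentence."""
    unfolded = _unfold(header)
    out, pos, prev_was_word = [], 0, False
    for m in ENCODED_WORD.finditer(unfolded):
        gap = unfolded[pos:m.start()]
        if gap and not (prev_was_word and gap.isspace()):
            out.append(gap)
        charset, encoding, text = m.groups()
        out.append(_decode_word(encoding, text).decode(charset, errors="replace"))
        pos, prev_was_word = m.end(), True
    out.append(unfolded[pos:])
    return "".join(out)

def charset_mismatches(header: str) -> list:
    """Encoded-words whose declared charset is never exercised: pure-ASCII bytes
    wrapped in a non-Western charset, the pattern in the quoted header."""
    return [(charset.lower(), _decode_word(encoding, text).decode("ascii"))
            for charset, encoding, text in ENCODED_WORD.findall(_unfold(header))
            if charset.lower() not in ASCII_COMPATIBLE
            and _decode_word(encoding, text).isascii()]
```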
4 REPLIES
Superuser
Superuser
Posts: 8,873
Thanks: 407
Fixes: 36
Registered: 06-04-2007

Re: Blatant spam getting through again

The sending MTA (in Thailand) is currently rated "Neutral" by Senderbase so that will be why the messages were let through. If there are large volumes of these around, and inspection identifies them as spam, its reputation may soon change to "Poor" and then they will be refused.
The failure of the spam filters to identify them as spam suggests the spammers have done a good job to disguise them. Hopefully McAfee/Sophos will catch up soon.
David
David
Capvermell
Grafter
Posts: 417
Registered: 16-12-2007

Re: Blatant spam getting through again

I have had no really obvious blatant criminal spam (as opposed to legitimate organisations who have acquired email lists from dodgy sources but who do honour unsubscribe requests) for ages since moving to Ironport and enabling spam and edge filtering and with Catch All disabled.
However this real nasty, just received, tries to download a blatant likely virus exe file from the website's supposed "Privacy Policy" link.
According to the headers it has definitely been passed as not spam by Ironport and nor was it edge filtered either.
Quote
-------- Original Message --------
From: - Tue Feb 17 16:54:05 2009
X-Account-Key: account4
X-UIDL: UID21359-1149066516
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-path: <conwaymonger60@live.com>
Envelope-to: blackhole@abuse.plus.net
Delivery-date: Tue, 17 Feb 2009 16:53:02 +0000
Received: from [212.159.7.39] (helo=mx.ptn-ipin04.plus.net) by fhw-inmx18.plus.net with esmtp (PlusNet MXCore v2.00) id 1LZTBt-0004GA-Fu for blackhole@abuse.plus.net; Tue, 17 Feb 2009 16:53:01 +0000
Authentication-Results: mx.ptn-ipin04.plus.net; dkim=neutral (message not signed) header.i=none
Received-SPF: None identity=pra; client-ip=65.55.116.47; receiver=mx.ptn-ipin04.plus.net; envelope-from="conwaymonger60@live.com"; x-sender="conwaymonger60@live.com"; x-conformance=sidf_compatible
Received-SPF: Pass identity=mailfrom; client-ip=65.55.116.47; receiver=mx.ptn-ipin04.plus.net; envelope-from="conwaymonger60@live.com"; x-sender="conwaymonger60@live.com"; x-conformance=sidf_compatible
Received-SPF: None identity=helo; client-ip=65.55.116.47; receiver=mx.ptn-ipin04.plus.net; envelope-from="conwaymonger60@live.com"; x-sender="postmaster@blu0-omc1-s36.blu0.hotmail.com"; x-conformance=sidf_compatible
X-SBRS: 4.5
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AioDAHh6mklBN3QvkWdsb2JhbACCRC2EBIUNgUaFf4ECAQEBAQkLEREDvjmEEwY
X-IronPort-AV: E=McAfee;i="5300,2777,5528"; a="27806998"
X-IronPort-AV: E=Sophos;i="4.38,224,1233532800"; d="scan'208,217";a="27806998"
Received: from blu0-omc1-s36.blu0.hotmail.com ([65.55.116.47]) by mx.ptn-ipin04.plus.net with ESMTP; 17 Feb 2009 16:53:01 +0000
Received: from BLU125-W14 ([65.55.116.8]) by blu0-omc1-s36.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 17 Feb 2009 08:53:00 -0800
Message-ID: <BLU125-W143E450B09CAF825295986B4B40@phx.gbl>
Content-Type: multipart/alternative; boundary="_dbc554d1-e44e-4812-a449-410bc641a497_"
X-Originating-IP: [69.126.18.56]
From: <conwaymonger60@live.com>
To: <blackhole@abuse.plus.net>
Date: Tue, 17 Feb 2009 16:53:00 +0000
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 17 Feb 2009 16:53:00.0760 (UTC) FILETIME=[31397580:01C99120]
X-PN-Virus-Filtered: by PlusNet MXCore (v5.00)
X-PN-Spam-Filtered: by PlusNet MXCore (v5.00)
Subject: Julian double your bankroll with our exclusive bonus
X-Antivirus: avast! (VPS 090216-1, 16/02/2009), Inbound message
X-Antivirus-Status: Clean
Deposit today and receive a 350% bonus today
Visit the website http://xrnuldpfozxtx.blogspot.com/
Enjoy your 350 FREE !!!
Enjoy!
See how Windows connects the people, information, and fun that are part of your life. See Now

Moderator's Note: Made the website link non-clickable for safety. David (spraxyt)
Superuser
Superuser
Posts: 8,873
Thanks: 407
Fixes: 36
Registered: 06-04-2007

Re: Blatant spam getting through again

Thanks, this does demonstrate one can never be too careful.
The senders used a Hotmail server which has a good reputation and presumably the link is short-lived too to make any reaction from malware detection systems burrowing into the site ineffective. Add to this the contents look innocent and it's easy to see how users could be fooled.
Overall I don't think classing this as "blatant spam" is a fair assessment.
David
David
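As an added example (not from the thread), the Python below pulls apart a header block shaped like the one Capvermell quoted and makes David's point concrete: the SPF Pass and the X-SBRS score attach to the relay's IP (the `client-ip`), while the client that actually submitted the message is visible only in X-Originating-IP and never appears as a Received hop. Hostnames and addresses are constructed from example.com and RFC 5737 documentation ranges.

```python
import re

# Constructed header block (not the thread's own): the shape of the one quoted above,
# with hostnames and RFC 5737 documentation addresses substituted.
SAMPLE_HEADERS = """\
Received: from [192.0.2.10] (helo=mx.example.net) by inmx.example.net
     with esmtp id 1ABCDE-000001-AB; Tue, 17 Feb 2009 16:53:01 +0000
Received-SPF: None identity=pra; client-ip=192.0.2.20; receiver=mx.example.net
Received-SPF: Pass identity=mailfrom; client-ip=192.0.2.20; receiver=mx.example.net
X-SBRS: 4.5
Received: from relay.example.com ([192.0.2.20]) by mx.example.net with ESMTP;
     17 Feb 2009 16:53:01 +0000
Received: from WEBMAIL-01 ([192.0.2.30]) by relay.example.com with SMTPSVC;
     Tue, 17 Feb 2009 08:53:00 -0800
X-Originating-IP: [198.51.100.7]
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_headers(block: str) -> list:
    """Unfold RFC 5322 continuation lines and return (name, value) pairs in order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", block)
    return [tuple(p.strip() for p in line.split(":", 1))
            for line in unfolded.splitlines() if ":" in line]

def received_chain(headers: list) -> list:
    """(from_host, from_ip, by_host) per Received hop, most recent first. Each MTA
    prepends its own line, so only hops written by servers you trust are reliable."""
    hops = []
    for name, value in headers:
        if name.lower() == "received":
            found = [re.search(p, value) for p in
                     (r"^from\s+(\S+)", rf"\[({IPV4})\]", r"\bby\s+(\S+)")]
            hops.append(tuple(m.group(1) if m else None for m in found))
    return hops

def triage(block: str) -> dict:
    """Contrast what the reputation-gated filter evaluated (SPF client-ip, sender
    score) with where the message was submitted from (X-Originating-IP)."""
    headers = parse_headers(block)
    spf = {}
    for name, value in headers:
        if name.lower() == "received-spf":
            m = re.match(rf"(\w+)\s+identity=(\w+);.*?client-ip=({IPV4})", value)
            spf[m.group(2)] = (m.group(1), m.group(3))  # identity -> (result, ip)
    chain = received_chain(headers)
    originating = next((v.strip("[]") for n, v in headers if n.lower() == "x-originating-ip"), None)
    return {"spf": spf,
            "sbrs": next((float(v) for n, v in headers if n.lower() == "x-sbrs"), None),
            "originating_ip": originating,
            # the submitting client is not a Received hop: it sits behind the scored relay
            "submitter_in_chain": originating in {ip for _, ip, _ in chain},
            "hops": chain}
```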
Capvermell
Grafter
Posts: 417
Registered: 16-12-2007

Re: Blatant spam getting through again

Quote from: spraxyt

The senders used a Hotmail server which has a good reputation and presumably the link is short-lived too to make any reaction from malware detection systems burrowing into the site ineffective.

The innocent looking blogspot link has something on the page that makes it immediately redirect to www.8pow77.com. Those behind the so-called Golden Crown Casino website (www.8pow77.com) look pretty disreputable though:-
Quote
Domain Name : 8pow77.com
PunnyCode : 8pow77.com
Registrant:
Organization : chang chen
Name : changchen
Address : nanchangshichangshouqubeibenlu145hao101shi
City : nanchang
Province/State : jiangxi
Country : cn
Postal Code : 326523
Administrative Contact:
Name : changchen
Organization : changchen
Address : nanchangshichangshouqubeibenlu145hao101shi
City : nanchang
Province/State : jiangxi
Country : cn
Postal Code : 326523
Phone Number : 86-132-6548545
Fax : 86-132-6548545
Email : ftgy23fge@126.com
Technical Contact:
Name : changchen
Organization : changchen
Address : nanchangshichangshouqubeibenlu145hao101shi
City : nanchang
Province/State : jiangxi
Country : cn
Postal Code : 326523
Phone Number : 86-132-6548545
Fax : 86-132-6548545
Email : ftgy23fge@126.com
Billing Contact:
Name : changchen
Organization : changchen
Address : nanchangshichangshouqubeibenlu145hao101shi
City : nanchang
Province/State : jiangxi
Country : cn
Postal Code : 326523
Phone Number : 86-132-6548545
Fax : 86-132-6548545
Email : ftgy23fge@126.com

Quote
Add to this the contents look innocent and it's easy to see how users could be fooled.

The "see how windows connects the people" link is also directly to a dodgy website page rather than an intermediate one like blogspot - it points to http://clk.atdmt.com/MRT/go/msnnkwxp1020093175mrt/direct/01/
Quote
Overall I don't think classing this as "blatant spam" is a fair assessment.

The Subject line is "double your bankroll with our exclusive bonus".  I suppose that could be used by a legitimate gambling site.
What I meant is that the intent behind the email is clearly that of random aggressive commercial spam and there is no question of it being a legitimate promotion carefully targeted as to its recipients.
Moderator's Note: Made the links non-clickable for safety. David (spraxyt)