
convincing spam from CNN

driveconsultant
Grafter
Posts: 164
Registered: ‎03-08-2007

Re: convincing spam from CNN

Quote from: black
I'm a bit thick on this kind of thing and I've read the reply by BarryZubel, but why can't Postini or PN send these spams back to their point of origin cos they include their history details - aka 'return to sender' in the post? If it happens to be a compromised home computer, it should make them sit up and do something about it! (I'll try and solve the world peace problem in my next post)

These are compromised Windows machines and almost certainly won't be running a mail server. Sending a mail back to them would just fail.
I still don't understand why these machines don't get added to the blackhole lists though.
driveconsultant
Grafter
Posts: 164
Registered: ‎03-08-2007

Re: convincing spam from CNN

Quote from: James_H
Interestingly and IMO related to the explosion in size of this botnet, lots and lots of SMTP servers started refusing mail from my server.
It's something I've known would happen for some time, and hence I was fully aware of the route to 'fix' the issue - out of interest though I'd left the configuration as it was until I had to change it.
Basically it seems that over the last week, lots and lots of big companies have started rejecting emails from servers with addresses from 'Dynamic Pools' - effectively this is just about all ADSL customers in the country who deliver their own mail rather than using their ISP's relay servers as a smart relay, even those like me with static IP addresses.
It's been a best practice for some time to use your ISP's relay servers as a smart host to forward mail for delivery, but as I say curiosity persuaded me to see how long it would be before mails started getting routinely blocked.
I think a lot of the spam lists/blacklists have been updated last week to block mails, whereas up to last Weds they just issued an advisory that the mail was from an IP in the 'Dynamic Pool'
Wonder if anybody else running their own mailserver noticed that they are now more or less forced to smart host via servers at their ISP? (Or was everybody else already doing this?)

I gave up on this earlier this year. I hung on to it for a long time because I typically would connect my laptop via different dial-up ISPs and sometimes via company networks and it was a PITA to have to change my sendmail config each time I was somewhere different.
Times have changed - sites such as hotmail and AOL drop mails from lots of non-ISP mailservers, and I don't do dial-up any longer. The solution came when PN introduced authenticated SMTP - and I was very grateful for this - it made my life just a tiny bit simpler.
zubel
Community Veteran
Posts: 3,793
Thanks: 4
Registered: ‎08-06-2007

Re: convincing spam from CNN

Quote from: black
I'm a bit thick on this kind of thing and I've read the reply by BarryZubel, but why can't Postini or PN send these spams back to their point of origin cos they include their history details - aka 'return to sender' in the post? If it happens to be a compromised home computer, it should make them sit up and do something about it! (I'll try and solve the world peace problem in my next post)

It's akin to some nasty person sending you a letter, but putting someone else's return address on it, and also using a mailbox in another town to send it to you.
All of the "return" addresses are fake or compromised.  The "originator" of the email is safely tucked away behind layers of compromised machines that you can't find them through.
B.
Heloman
Grafter
Posts: 519
Registered: ‎30-07-2007

Re: convincing spam from CNN

Quote from: Stiggy
Is anybody, anywhere making an effort to track down these spamming scumbags, particularly as they are using the stolen PN email addresses?
Would my sending an abuse report to the (alleged) originating IP addresses make any difference?

There have been many posts explaining why tracking or sending abuse reports is pointless/meaningless.
But let's nail one mis-understanding. It is nothing to do with "stolen PN addresses"!
This is a world-wide problem, not specific to PN and certainly nothing to do with the addresses that were compromised.
Spider
Grafter
Posts: 1,100
Registered: ‎05-04-2007

Re: convincing spam from CNN

Quote from: Heloman
....
But let's nail one mis-understanding. It is nothing to do with "stolen PN addresses"!
This is a world-wide problem, not specific to PN and certainly nothing to do with the addresses that were compromised.

The sending of SPAM is nothing to do with the stolen plusnet addresses, however the fact that those addresses are now in the 'wild' means that they are readily available for spammers to use. I know this for a fact because with the CNN email I only get it sent to my two compromised mailboxes, not the others. One of those two I have never used apart from sending emails to another one of my plusnet mail boxes!
ChrisL
Rising Star
Posts: 760
Thanks: 4
Fixes: 1
Registered: ‎13-12-2007

Re: convincing spam from CNN

Yes, files of harvested email addresses are bought and sold like other commercial information.  Part of the harvest from last year's webmail exploit has clearly found its way into the hands of the Rustock spammer, together with a mass of other addresses. At least I'm not getting any OTHER spam at the moment!
oliverb
Grafter
Posts: 606
Registered: ‎02-08-2007

Re: convincing spam from CNN

I'm curious how it's been stopped, looks like the flow of bogus CNN emails stops dead early this morning. Not redirected to spam, just gone.
Presumably they're being blocked. Don't know whether to thank Plusnet or Postini?
Stiggy
Newbie
Posts: 8
Registered: ‎11-08-2008

Re: convincing spam from CNN

Quote from: Spider
Quote from: Heloman
....
But let's nail one mis-understanding. It is nothing to do with "stolen PN addresses"!
This is a world-wide problem, not specific to PN and certainly nothing to do with the addresses that were compromised.

The sending of SPAM is nothing to do with the stolen plusnet addresses, however the fact that those addresses are now in the 'wild' means that they are readily available for spammers to use.

Yes, that was my point. I don't want to open old wounds, but I only get spam to addresses involved in the webmail security breach. I have a personal email address which I have had for years which gets virtually no spam at all, just because I'm really careful how I use it.
I'm glad the CNN mails have been stopped.... until the spammer changes his tactics again!
rsarwar
Newbie
Posts: 1
Registered: ‎28-07-2007

Re: convincing spam from CNN

The fix is now live guys.
bobpullen
Community Gaffer
Posts: 16,904
Thanks: 5,012
Fixes: 316
Registered: ‎04-04-2007

Re: convincing spam from CNN

Thanks Rizwan!
Just to elaborate a little, the CNN emails should now be getting identified as spam (assuming you have spam filtering switched on of course).
From now on any email containing the header X-pstn-xfilter: y will be given the highest spam score by our systems. Depending on your settings, these messages will then be tagged/moved to your spam folder/moved to another mailbox etc.
I will mention that the hit rate for this marking is about 2 emails per second per server. That means we're identifying 22 emails per second that have the X-pstn-xfilter: y header! Not all of these are CNN emails, but the non-CNN ones we've checked do seem to be spam.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
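
The header rule described in the post above, sketched as an added example (not Plusnet's or Postini's code, and not part of the original thread). The score scale, the threshold, the setting names and the destination names are assumptions; only the `X-pstn-xfilter: y` header comes from the post.

```python
from email import message_from_string
from email.policy import default

MAX_SPAM_SCORE = 100   # assumed scale; the post only says "highest spam score"
SPAM_THRESHOLD = 50    # assumed cut-off for treating a message as spam

def xfilter_flagged(raw: str) -> bool:
    """True if the header section carries X-pstn-xfilter with value y."""
    msg = message_from_string(raw, policy=default)
    # Header names are case-insensitive; get_all() never looks at the body,
    # so a body line that merely quotes the header does not match.
    values = msg.get_all("X-pstn-xfilter", [])
    return any(str(v).strip().lower() == "y" for v in values)

def spam_score(raw: str, base_score: int = 0) -> int:
    """Force the top score when flagged, else keep the filter's own score."""
    return MAX_SPAM_SCORE if xfilter_flagged(raw) else base_score

def deliver(raw: str, setting: str, base_score: int = 0):
    """Return (destination, subject) for a hypothetical per-user setting."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg.get("Subject", ""))
    if spam_score(raw, base_score) < SPAM_THRESHOLD:
        return ("INBOX", subject)
    if setting == "tag":
        return ("INBOX", "[SPAM] " + subject)
    if setting == "spam_folder":
        return ("Spam", subject)
    if setting == "other_mailbox":
        return ("spam-review", subject)
    raise ValueError(f"unknown setting: {setting}")

# Constructed sample messages (not real traffic).
HEADERS = "From: a@example.invalid\nTo: b@example.invalid\nSubject: sample\n"
FLAGGED = HEADERS + "X-PSTN-XFilter: Y\n\nbody text\n"
QUOTED_IN_BODY = HEADERS + "\nX-pstn-xfilter: y\n"
OTHER_VALUE = HEADERS + "X-pstn-xfilter: n\n\nbody text\n"

if __name__ == "__main__":
    for name, raw in [("flagged", FLAGGED), ("body only", QUOTED_IN_BODY),
                      ("other value", OTHER_VALUE)]:
        print(name, spam_score(raw, base_score=10), deliver(raw, "tag", 10))
```
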

Gimpy
Grafter
Posts: 33
Registered: ‎06-08-2007

Re: convincing spam from CNN

Quote from: Bob
Not all of these are CNN emails, but the non-CNN ones we've checked do seem to be spam.

You read people's emails?
bobpullen
Community Gaffer
Posts: 16,904
Thanks: 5,012
Fixes: 316
Registered: ‎04-04-2007

Re: convincing spam from CNN

No, you can generally tell from the logs whether or not a message is spam just by looking at the sending server address, its reverse DNS, the To and From addresses etc.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

andyrogers
Grafter
Posts: 131
Registered: ‎30-07-2007

Re: convincing spam from CNN

Bob
This morning I had in excess of 400 of these CNN messages which I had cleared out late last night, and now since this morning not 1 has come through into my email account or into my spam folder.
Should this cause any alarm or am I just being overcautious?
Thanks
Andy
driveconsultant
Grafter
Posts: 164
Registered: ‎03-08-2007

Re: convincing spam from CNN

Quote from: Stiggy
Yes, that was my point. I don't want to open old wounds, but I only get spam to addresses involved in the webmail security breach. I have a personal email address which I have had for years which gets virtually no spam at all, just because I'm really careful how I use it.

Then you are very lucky. I kept my main address spam-free for years by only giving it to actual people and not using it for usenet, mailing-lists etc. Eventually it went "wild" and my assumption is that it was just guessed because it is my first name at my domain. I advised one of my users to use firstname.lastname@.... and she has a fairly obscure surname, but she still gets spam. If just one person's PC becomes compromised and you have ever sent them a mail or received a mail from them, the chances are that your email address will get spammed. Can you vouch for the security of the PC of everyone you ever correspond with by email? I doubt it. Thus your email address is at risk of being spammed, sooner or later, however careful you try to be.
The only safe email address is one that is really obscure and that has never been used for anything, and even then I wouldn't count on it.
bobpullen
Community Gaffer
Posts: 16,904
Thanks: 5,012
Fixes: 316
Registered: ‎04-04-2007

Re: convincing spam from CNN

Quote from: andyrogers
Bob
This morning I had in excess of 400 of these CNN messages which I had cleared out late last night, and now since this morning not 1 has come through into my email account or into my spam folder.
Should this cause any alarm or am I just being overcautious?

How do you have your spam filter configured under 'Email Settings' > 'Manage My Mail' in the Member Centre? These messages should be getting identified as spam as opposed to getting blocked outright.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵