Sponsored by..

Sunday 19 September 2010

"hello / how are you?" mystery spam

I'm probably not alone in receiving a shedload of spam with the subject "hello" and the only content of "how are you?" A quick look at my spam filters shows hundreds of these with a small number getting through, presumably because filters are having a hard time blocking on this little data.

It's hard to be sure exactly what it is, but it reminds me the the mystery "podmena traffica test" spam from last year that appeared to be a widescale enumeration of mail systems that allowed spoofing, and those that blocked it. So, this could well be something similar.. an enumeration attempt to see which mailboxes DON'T reject a tiny, simple message like this, and then to use that data in the future to target those mailboxes.

"OK", you may be asking.. "why would you do that if you have the almost unlimited computing power of a botnet at your hands? Why would you need to be selective in your spamming when it does cost you anything?"

One good reason to attack only valid mailboxes with spam and not go for a scattergun "directory harvesting" attack is that mail spam filters specifically look for directory harvesting attacks and then block them and use the data to identify the characteristics of the spam attack. By acting more stealthily, it might be possible to avoid detection for longer and get a higher deliverability rate for spam.

Well, that's a theory anyway.. the best that I can come up with. Any ideas?

Added: here's another idea - the spammer could be looking for vulnerable mail servers to exploit later, this is  a data collection phase to be followed by something evil. Or it could just be a weird prank, of couse.

3 comments:

Anonymous said...

This past saturday morning, about once per hour from 3 am until 9 am, I got 6 spams from these IP addresses:

62.24.127.28
217.203.84.22
78.3.224.9
79.115.208.166
178.90.69.185
87.252.227.84

They were all similar in that:

- The subject was simply -> hello
- The body was simply -> how are you?
- The header contained a second Return-Path: line (unusual)
- The header contained a second Received: line (probably forged) that contained a port=nnnn and helo=(string) parameter

All of them seemed to involve a machine running Exim SMTP software according to the second Received: header line.

There seems to be some history of abuse using servers running Exim where the operators are having a hard time securing them or even properly logging their operations.

Anonymous said...

Unfortunately the return path is invalid, so the spammer would never receive the bounce/rejection notice. It can't be that...

Conrad Longmore said...

@aetherworld

Actually, you can.. Unix-based systems tend to reject during the SMTP session with something like a 550 or 554 error code, so this can be detected by the bot sending the spam.

If the target system is something like Microsoft Exchange then this accepts *all* mail regardless and then tries to send an "asynchronous bounce" to the (faked) sender address.

You can try it yourself with a list of SMTP commands and telnetting to port 25 of a mail server.