Anatomy of a Spammer

Hello there. Let me take a few moments of your day to talk about spam. Spam and Eggs. Spam and Chips. Spam and Spam. God bless Monty Python. As a recipient – the owner of an inbox – you see the odd one or two arrive, but unless you are running an email server or are a provider you are unlikely to see what it looks like when it kicks off – the source, as it were. Here are a few words on how a single user's email account being compromised can cause quite a bit of upset, pain, blacklisting, and so on.

It is the afternoon, and a user reports that they are getting a large number of NDRs – non-delivery reports… in long: he is getting mail bounced back to him from people he does not know, about things he has not sent. Classic.

The mail queue is full and is trying to clear itself, but more and more remote servers are saying no. Once that starts happening it is fairly clear that one of our users is spamming; the bounces and the backlog are two symptoms of the same thing, and so the work starts.

Mail logs: sure enough these are spewing away – but then they always do. A closer look shows that the bulk of the entries belong to one user.

The fix is simple enough – change that user's password. It is apparent that their password (monkeys1?) has been "guessed" and other people are logging in as this user and sending as them. Changing it only stops new logins; the messages already sitting in the queue still have to be frozen or removed, or the server will carry on delivering them on the spammer's behalf.

Now the more naive might imagine this is done from a single host. However, there are likely limits on how many emails a single host can send in a given time, so the spammer employs an army of compromised machines (colloquially known as bots) that all send with these stolen credentials. This has a number of advantages for them: it is less obvious, it is faster, and blocking any one source does little or no good. It also means the rate limits that actually catch this are the ones keyed on the authenticated account, not on the client IP address.

So here is a log extract with the details changed to protect the password-challenged. These logs are created by Exim, which here is set to be verbose and include things like subjects… which is fun – as it is clear this user was highly unlikely to be dancing the samba, and did not know the people he was sending to. Note the P=esmtpa and A=dovecot_plain:john@… fields on the first line: the message was accepted because the client authenticated as John, so it is John's password being used, not a hole in the server. The ([127.0.0.1]) in parentheses is the HELO name the bot gave; the real peer address is the one in square brackets after it.

2017-07-12 19:58:14 1dVMpx-0007Ad-5Q <= john@yourdomainname.com H=31-43-11-8.dks.com.ua ([127.0.0.1]) [31.43.11.8]:52160 P=esmtpa A=dovecot_plain:john@yourdomainname.com S=14123 id=4C31281B-2C6D-245A-B579-D4CF2AE79A89@yourdomain.com T="Street samba dancers perform in carnival parades and contests?" for brandynrandomized@hotmail.com hatsonrandomized@hotmail.com driverrandomized@hotmail.com
2017-07-12 19:58:14 1dVMpx-0007Ad-5Q no immediate delivery: more than 30 messages received in one connection
2017-07-12 20:30:09 1dVMpx-0007Ad-5Q => brandynreandomized@hotmail.com R=smarthost_dkim T=remote_smtp_smart_dkim H=smtpout.notourserver.net [123.123.123.123] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 OK id=1dVNKp-0002ka-Lx"
2017-07-12 20:30:09 1dVMpx-0007Ad-5Q -> hatsonrandomized@hotmail.com R=smarthost_dkim T=remote_smtp_smart_dkim H=smtpout.notourserver.net [123.123.123.123] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 OK id=1dVNKp-0002ka-Lx"
2017-07-12 20:30:09 1dVMpx-0007Ad-5Q -> driverrandomized@hotmail.com R=smarthost_dkim T=remote_smtp_smart_dkim H=smtpout.notourserver.net [123.123.123.123] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 OK id=1dVNKp-0002ka-Lx"
2017-07-12 20:30:09 1dVMpx-0007Ad-5Q Completed

You will note here – three recipients, three delivered. The second line also tells you that in this one connection the client had already pushed more than 30 messages: Exim still accepted them, but stopped attempting immediate delivery and left the rest on the queue, which is part of why the queue filled up. Keep that in mind when you look at the per-address counts below.

So here is a little command that pulls out every occurrence of mail being received from this sender and extracts the connecting IP address from the square brackets… handy.

[root@server101 ~]# grep '<= john@yourdomainname.com' /var/log/exim_mainlog | sed 's/.*\[//' | sed 's/\].*//' | sort -n | uniq -c | sort -n

383 unique IP addresses are returned. The number on the left is how many messages (one "<=" line each) were received from that address, not how many connections. The greedy first sed strips everything up to the last opening bracket on the line, which is why it picks up the real peer address and not the 127.0.0.1 the bot put in its HELO.

1 103.15.81.15
1 160.202.14.55
1 167.58.92.119
1 187.84.170.93
1 213.114.107.6
1 36.255.67.192
1 43.228.226.112
1 62.78.39.208
1 77.234.243.70
1 79.171.34.46
1 79.171.34.47
1 84.252.7.210
2 190.105.215.11
2 201.48.88.111
11 95.86.43.1
12 177.38.251.106
17 186.226.5.95
23 186.232.25.220
27 181.175.146.13
44 177.72.17.202
46 201.139.88.107
52 178.239.24.57
52 190.122.134.229
52 78.90.10.13
64 212.104.112.207
64 212.87.191.72
68 177.38.251.11
80 181.175.216.100
80 186.251.109.77
92 177.38.251.50
94 177.20.248.57
98 177.53.199.94
108 186.227.161.99
117 179.49.123.81
117 190.246.22.195
118 187.121.145.13
122 187.108.71.9
123 131.0.166.234
124 201.55.182.56
134 87.97.169.139
138 103.41.196.171
152 178.254.218.177
159 187.84.247.176
162 138.36.62.75
177 200.142.181.12
178 138.36.142.226
194 189.127.27.219
205 78.90.205.132
229 191.5.194.213
232 191.7.100.31
236 177.46.112.234
250 188.227.216.19
258 87.92.44.222
264 179.49.123.175
267 177.75.198.113
271 186.23.7.26
271 191.7.100.159
272 103.59.6.60
275 152.231.57.90
278 177.222.191.242
288 186.66.176.14
308 177.104.205.239
312 190.122.134.162
313 188.122.25.6
315 186.71.212.65
319 116.90.103.94
319 201.55.151.72
332 131.72.157.161
338 187.102.32.220
348 187.84.183.231
353 179.108.33.65
357 131.0.33.207
357 190.122.134.170
357 27.147.229.213
367 186.137.251.3
367 186.233.180.129
369 177.46.113.116
374 138.94.12.71
377 190.122.134.219
388 186.71.141.82
393 190.122.128.115
399 186.227.169.251
401 186.227.234.124
404 187.109.87.203
405 190.11.172.95
405 87.100.200.46
409 201.140.227.107
421 181.175.137.208
426 190.122.192.214
426 95.42.92.47
427 177.85.57.164
446 201.20.68.137
447 181.175.220.158
450 46.47.121.108
453 187.85.14.226
455 212.43.51.97
464 186.68.152.66
478 190.122.134.249
479 91.92.99.235
499 124.109.22.156
501 187.108.67.102
534 84.238.25.26
540 181.175.148.239
540 181.175.188.136
543 138.94.34.240
548 201.55.181.142
553 201.140.224.246
557 186.71.182.194
557 187.84.244.170
557 37.220.77.208
561 138.0.203.65
563 187.17.202.142
565 89.215.136.158
579 186.124.218.210
582 190.52.37.91
585 201.55.180.28
596 151.237.8.218
599 177.91.118.97
607 130.0.93.248
616 138.36.60.121
617 181.16.182.46
619 190.122.134.204
639 190.1.9.73
639 200.9.90.177
640 177.129.246.7
653 186.69.217.168
678 186.71.250.235
687 143.137.159.92
702 186.227.27.138
714 87.92.11.91
716 186.208.199.175
723 190.52.32.214
725 86.52.34.242
727 143.137.159.144
733 177.126.195.185
736 186.71.141.8
757 77.71.48.63
760 92.247.153.166
768 103.82.74.107
768 168.167.86.251
769 131.100.122.164
773 190.109.43.51
784 94.156.87.98
788 189.196.49.14
791 109.172.211.206
800 168.121.90.106
800 31.43.11.8
819 46.44.60.178
820 177.87.3.129
827 92.247.225.108
831 103.85.242.198
831 186.71.212.199
849 186.71.5.193
857 190.216.12.36
858 187.84.244.176
861 177.154.236.230
873 186.71.212.108
879 177.53.198.214
898 213.91.120.67
908 177.66.228.3
917 94.190.187.68
924 187.84.163.117
928 187.102.66.170
934 191.37.3.234
935 186.71.1.11
936 177.224.242.221
940 190.122.134.184
943 187.94.119.77
971 190.155.2.43
973 190.10.198.220
980 77.71.67.165
981 186.71.142.113
985 130.204.123.31
988 138.186.77.231
989 177.70.220.120
1000 103.12.193.237
1000 103.194.195.100
1000 103.194.195.189
1000 103.30.81.82
1000 109.121.246.212
1000 109.227.96.64
1000 109.239.24.76
1000 109.74.230.103
1000 109.74.235.89
1000 130.204.185.167
1000 130.204.206.90
1000 130.204.245.89
1000 130.204.95.80
1000 131.108.67.78
1000 131.255.133.12
1000 131.72.130.13
1000 138.36.117.122
1000 138.59.216.73
1000 138.94.12.61
1000 14.34.219.89
1000 151.237.13.242
1000 151.237.8.213
1000 151.251.22.62
1000 168.167.89.209
1000 168.197.222.190
1000 168.227.228.195
1000 176.102.86.8
1000 176.12.24.145
1000 176.98.97.178
1000 177.10.224.185
1000 177.131.123.18
1000 177.185.103.136
1000 177.193.238.156
1000 177.200.34.159
1000 177.222.189.144
1000 177.222.210.244
1000 177.222.226.140
1000 177.223.2.94
1000 177.23.114.21
1000 177.38.251.48
1000 177.47.230.152
1000 177.74.234.46
1000 177.75.214.84
1000 177.87.3.153
1000 177.91.118.177
1000 178.118.98.139
1000 178.169.189.186
1000 178.169.200.236
1000 178.169.200.6
1000 178.75.226.142
1000 181.167.79.190
1000 181.175.216.92
1000 186.15.173.56
1000 186.194.108.239
1000 186.227.234.71
1000 186.237.190.222
1000 186.68.10.7
1000 186.69.147.2
1000 186.69.246.178
1000 186.71.138.68
1000 186.71.138.85
1000 186.71.139.228
1000 186.71.140.218
1000 186.71.160.123
1000 186.71.211.36
1000 187.120.220.189
1000 187.17.228.50
1000 187.84.162.48
1000 187.87.83.100
1000 188.173.7.53
1000 189.127.26.115
1000 189.90.211.252
1000 189.90.211.51
1000 190.10.168.9
1000 190.121.177.217
1000 190.121.177.98
1000 190.122.134.183
1000 190.122.134.235
1000 190.122.134.246
1000 190.122.20.18
1000 190.154.193.147
1000 190.154.216.40
1000 190.155.209.16
1000 190.228.36.185
1000 190.52.34.7
1000 191.37.4.8
1000 191.5.208.125
1000 191.53.110.43
1000 200.115.55.69
1000 200.126.242.31
1000 200.215.174.197
1000 200.25.142.126
1000 200.55.249.37
1000 212.231.190.195
1000 212.43.42.71
1000 213.247.0.80
1000 217.72.57.151
1000 31.192.197.59
1000 31.7.156.240
1000 37.143.244.32
1000 37.143.247.242
1000 43.229.208.64
1000 46.237.77.92
1000 46.238.62.121
1000 46.30.237.132
1000 46.47.101.216
1000 46.47.102.88
1000 5.133.234.119
1000 5.134.55.75
1000 5.53.188.201
1000 60.243.82.33
1000 62.221.151.103
1000 77.48.208.98
1000 77.70.123.21
1000 77.78.52.223
1000 77.85.57.66
1000 78.154.234.163
1000 78.158.206.166
1000 78.83.33.221
1000 78.90.0.63
1000 78.90.148.156
1000 78.90.76.69
1000 79.100.59.188
1000 81.170.129.167
1000 84.211.133.212
1000 84.216.142.97
1000 84.238.193.81
1000 84.246.161.24
1000 84.54.149.133
1000 85.11.170.10
1000 85.187.210.206
1000 85.23.149.36
1000 85.23.4.25
1000 87.100.137.206
1000 87.100.140.119
1000 87.100.153.198
1000 87.100.157.160
1000 87.100.202.115
1000 87.100.232.245
1000 87.100.243.224
1000 87.120.55.116
1000 87.92.16.125
1000 87.97.171.135
1000 87.97.194.203
1000 88.112.1.12
1000 88.112.190.32
1000 88.203.197.132
1000 89.106.97.161
1000 89.165.196.5
1000 89.215.207.25
1000 89.21.64.57
1000 91.211.48.63
1000 92.221.51.144
1000 93.155.222.113
1000 93.183.159.86
1000 93.90.212.212
1000 93.91.50.85
1000 94.113.102.23
1000 94.137.184.152
1000 94.155.67.246
1000 94.155.71.18
1000 94.156.82.222
1000 94.156.87.103
1000 94.156.87.192
1000 95.158.157.64
1000 95.42.8.62
1076 177.75.145.37
1093 186.227.173.21
1107 131.72.158.151
1235 177.87.3.219
1363 186.66.114.70
1402 201.20.123.84
1476 201.49.203.115
1542 118.179.180.233
1556 109.160.60.39
1573 190.122.134.210
1601 189.90.220.11
1669 190.105.215.56
1675 168.232.89.218
1748 93.155.197.197
1750 176.12.5.134
1783 186.69.76.162
1872 181.175.250.10
1883 186.249.71.26
1936 188.254.183.143
2000 178.169.206.226
2000 179.49.122.3
2000 181.175.128.49
2000 185.189.197.205
2000 186.66.83.203
2000 186.71.8.46
2000 188.254.163.216
2000 201.46.40.180
2000 213.91.148.213
2000 77.78.41.97
2000 79.100.94.56
2000 84.113.133.21
2000 84.43.233.60
2000 87.100.190.44
2000 91.92.78.247
2000 93.123.8.167
2000 94.156.87.143
2000 94.156.87.156
2230 177.10.226.144
2428 179.127.155.44
2808 213.240.210.201
2984 78.90.24.229
3000 78.23.115.210

Now some of these MAY have been legitimate. However, this gives you an idea of scale. Almost 400 addresses involved, each pushing between 1 and 3,000 messages through the one account. Notice how many sit at exactly 1,000, 2,000 or 3,000: that is what a bot that holds one connection open until the server's per-connection message cap (Exim's smtp_accept_max_per_connection, which defaults to 1000) cuts it off looks like – one, two or three connections' worth. A mail server will push 300,000 emails an hour without getting too upset, and people are sending out legitimate mail shots all of the time, so the flags only start getting raised with the spike in bounces – around the same time the attentive user starts getting snowed under with them.
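To turn the log extract above and the grep pipeline into something you can run, here is an added example in Python (mine, not the post's own tooling and not part of Exim). It parses Exim "<=" lines, reproduces the per-IP count, joins the "no immediate delivery" lines back to the account that caused them, and flags any authenticated account used from more distinct addresses than a person plausibly has. The sample log it runs on is constructed with RFC 5737 test addresses and made-up hosts and message IDs to look like the extract; the threshold of three addresses is an assumption, and the parser assumes the same log_selector as the extract (remote port and subject logged).

```python
"""Triage Exim main-log lines for a compromised submission account.

Added example for this post, not Exim's own tooling.  SAMPLE_LOG is
constructed (RFC 5737 addresses, made-up hosts and IDs) to match the
extract's format, which needs the +incoming_port and +subject log
selectors; the distinct-IP threshold is an assumption.
"""
import re
from collections import Counter, defaultdict

# One '<=' line per message received.  Fields used:
#   <= sender          envelope sender
#   (helo) [ip]:port   bracketed part after the optional (helo) is the real
#                      peer; the bots in the post HELO as 127.0.0.1
#   P=esmtpa           trailing 'a': the client authenticated
#   A=driver:account   which authenticator and account were used
#   T="subject"        only logged with the +subject selector
RECEIVED_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) ')
PEER_RE = re.compile(r'\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:\d+ P=(?P<proto>\S+)')
AUTH_RE = re.compile(r' A=(?P<driver>[^:\s]+):(?P<user>\S+)')
SUBJECT_RE = re.compile(r' T="(?P<subject>[^"]*)"')
# Logged when a client exceeds smtp_accept_queue_per_connection.
QUEUED_RE = re.compile(r'^\S+ \S+ (?P<msgid>\S+) no immediate delivery: '
                       r'more than \d+ messages received in one connection$')


def parse_received(line):
    """Fields of a '<=' line as a dict; None for any other line."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    peer, auth, subj = PEER_RE.search(line), AUTH_RE.search(line), SUBJECT_RE.search(line)
    rec["ip"] = peer.group("ip") if peer else None
    rec["proto"] = peer.group("proto") if peer else None
    rec["auth_user"] = auth.group("user") if auth else None  # None: unauthenticated
    rec["subject"] = subj.group("subject") if subj else None
    return rec


def per_ip_counts(log_text, sender):
    """The post's grep | sed | sort | uniq -c pipeline in Python: messages
    received per peer IP for one envelope sender, lowest count first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_received(line)
        if rec and rec["sender"] == sender and rec["ip"]:
            counts[rec["ip"]] += 1
    return sorted((n, ip) for ip, n in counts.items())


def triage(log_text, ip_threshold=3):
    """Per authenticated account: messages, distinct peer IPs, busiest IPs,
    commonest subject, and suspect=True when the account was used from more
    than ip_threshold addresses (a person has a phone, a laptop, an office;
    a leaked password in a botnet shows up from dozens).  Also counts, per
    account, the connections that tripped the per-connection queueing limit."""
    ips_by_user, subjects_by_user = defaultdict(Counter), defaultdict(Counter)
    owner_of, queue_hits = {}, Counter()   # msgid -> account; account -> hits
    for line in log_text.splitlines():
        q = QUEUED_RE.match(line)
        if q:
            if q.group("msgid") in owner_of:
                queue_hits[owner_of[q.group("msgid")]] += 1
            continue
        rec = parse_received(line)
        if not rec or not rec["auth_user"]:
            continue                       # inbound, unauthenticated mail
        user = rec["auth_user"]
        owner_of[rec["msgid"]] = user
        ips_by_user[user][rec["ip"]] += 1
        if rec["subject"]:
            subjects_by_user[user][rec["subject"]] += 1
    report = {}
    for user, ips in ips_by_user.items():
        subj = subjects_by_user[user].most_common(1)
        report[user] = {"messages": sum(ips.values()), "distinct_ips": len(ips),
                        "top_ips": ips.most_common(3),
                        "top_subject": subj[0][0] if subj else None,
                        "suspect": len(ips) > ip_threshold}
    return report, queue_hits


# Constructed sample: john's password used from four bots, one real user, one inbound message.
SAMPLE_LOG = """\
2017-07-12 19:58:14 1dVMpx-0007Ad-5Q <= john@yourdomainname.com H=host-a.example.net ([127.0.0.1]) [192.0.2.10]:52160 P=esmtpa A=dovecot_plain:john@yourdomainname.com S=14123 id=1@yourdomain.com T="Street samba dancers perform in carnival parades and contests?" for r1@example.com r2@example.com
2017-07-12 19:58:14 1dVMpx-0007Ad-5Q no immediate delivery: more than 30 messages received in one connection
2017-07-12 19:58:20 1dVMq3-0007Ae-1A <= john@yourdomainname.com H=host-b.example.net ([127.0.0.1]) [192.0.2.11]:41022 P=esmtpa A=dovecot_plain:john@yourdomainname.com S=14090 id=2@yourdomain.com T="Street samba dancers perform in carnival parades and contests?" for r3@example.com
2017-07-12 19:58:25 1dVMq8-0007Af-2B <= john@yourdomainname.com H=host-c.example.net ([127.0.0.1]) [198.51.100.7]:61000 P=esmtpa A=dovecot_plain:john@yourdomainname.com S=14101 id=3@yourdomain.com T="Street samba dancers perform in carnival parades and contests?" for r4@example.com
2017-07-12 19:58:31 1dVMqE-0007Ag-3C <= john@yourdomainname.com H=host-c.example.net ([127.0.0.1]) [198.51.100.7]:61004 P=esmtpa A=dovecot_plain:john@yourdomainname.com S=14111 id=4@yourdomain.com T="Street samba dancers perform in carnival parades and contests?" for r5@example.com
2017-07-12 19:58:37 1dVMqK-0007Ah-4D <= john@yourdomainname.com H=host-d.example.net ([127.0.0.1]) [203.0.113.5]:50011 P=esmtpa A=dovecot_plain:john@yourdomainname.com S=14099 id=5@yourdomain.com T="Street samba dancers perform in carnival parades and contests?" for r6@example.com
2017-07-12 19:59:02 1dVMqj-0007Ak-7G <= alice@yourdomainname.com H=laptop.example.org [192.0.2.200]:55120 P=esmtpsa A=dovecot_plain:alice@yourdomainname.com S=2210 id=6@yourdomain.com T="Minutes from this morning" for bob@example.com
2017-07-12 19:59:10 1dVMqr-0007Al-8H <= orders@shop.example.com H=mx.shop.example.com [192.0.2.77]:40127 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=3321 id=7@shop.example.com T="Your order" for john@yourdomainname.com
2017-07-12 20:30:09 1dVMpx-0007Ad-5Q => r1@example.com R=smarthost_dkim T=remote_smtp_smart_dkim H=smtpout.notourserver.net [203.0.113.100] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=yes C="250 OK id=1dVNKp-0002ka-Lx"
"""

if __name__ == "__main__":
    report, queue_hits = triage(SAMPLE_LOG)
    for user, info in sorted(report.items()):
        flag = "SUSPECT" if info["suspect"] else "ok"
        print(f"{flag:8}{user}: {info['messages']} msgs from {info['distinct_ips']} IPs, "
              f"{queue_hits[user]} over-limit connection(s), subject {info['top_subject']!r}")
    print(per_ip_counts(SAMPLE_LOG, "john@yourdomainname.com"))
```

Against a real /var/log/exim_mainlog you would read the file into triage(); the suspect flag is the thing to alert on, and the per-account queue-limit count tells you which connections are the ones still holding the server open.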

This is ONE of the ways we see spam ‘happen’.

There are of course those who 'legitimately' own servers and ranges that send out spam day in, day out.

There are those who compromise machines and send directly.

We get those who sign up for accounts with fake details and stolen cards and send directly.

….it's a real pain. In fact, it is more of a pain for those who administer the platforms than for those who collect and send email. Bear this in mind when you complain to your provider, engineer, postmaster or support person. There is not just the clean-up (which involves telling hundreds of thousands of real mails from bad ones) – but also the reputation management, load, backlog, and resulting support load.

Do yourselves a favour. Use TLS where you can to send and receive email – it encrypts the hop between you and your mail server rather than being truly end to end, but it keeps your password off the wire (yes, the very same encryption the state says must be stamped out). Use passwords with high entropy. Connect to trusted networks. Patch your stuff. …have an epic weekend… and be excellent to each other.
