
Mailing List Archive: NANOG: users

New SPAM DOS

 

 



owen at delong

Jan 8, 2010, 11:22 AM

Post #1 of 9 (1389 views)
New SPAM DOS

At least this is new for me...

I host scvrs.org on one of my servers, and, it does not have any outlook or owa
services. For some reason, someone decided to try and send this message
out to various internet recipients:

> Dear user of the scvrs.org mailing service!
>
> We are informing you that because of the security upgrade of the mailing
> service your mailbox (x) settings were changed. In order to
> apply the new set of settings click on the following link:
>
> http://scvrs.org/owa/service_directory/settings.php?email=x&from=
> scvrs.org&fromname=wa2ibm
>
> Best regards, scvrs.org Technical Support.

And now I'm having to clean up various blacklistings thinking that my server is
a spamvertised web site.

Anyone seen this before? Any good techniques for combatting it?

Owen


sronan at fattoc

Jan 8, 2010, 11:34 AM

Post #2 of 9 (1334 views)
Re: New SPAM DOS [In reply to]

I recently started receiving these as well for my domain.

Would appreciate anyone's input on what the deal is.

On Jan 8, 2010, at 2:22 PM, Owen DeLong wrote:

> At least this is new for me...
>
> I host scvrs.org on one of my servers, and, it does not have any outlook or owa
> services. For some reason, someone decided to try and send this message
> out to various internet recipients:
>
>> Dear user of the scvrs.org mailing service!
>>
>> We are informing you that because of the security upgrade of the mailing
>> service your mailbox (x) settings were changed. In order to
>> apply the new set of settings click on the following link:
>>
>> http://scvrs.org/owa/service_directory/settings.php?email=x&from=
>> scvrs.org&fromname=wa2ibm
>>
>> Best regards, scvrs.org Technical Support.
>
> And now I'm having to clean up various blacklistings thinking that my server is
> a spamvertised web site.
>
> Anyone seen this before? Any good techniques for combatting it?
>
> Owen
>


sthaug at nethelp

Jan 8, 2010, 11:39 AM

Post #3 of 9 (1325 views)
Re: New SPAM DOS [In reply to]

> I host scvrs.org on one of my servers, and, it does not have any outlook or owa
> services. For some reason, someone decided to try and send this message
> out to various internet recipients:
...
> Anyone seen this before? Any good techniques for combatting it?

If you look more closely at the messages I believe you'll find that
they are multipart/alternative, and that the second part gives a
slightly modified version of the owa URL. For instance, for my own
nethelp.no domain the first part of message says

http://nethelp.no/owa/...

but the second part specifies URLs like

http://nethelp.no.ujjikx.co.im/owa/...
http://nethelp.no.ujjiks.net.im/owa/...
http://nethelp.no.ikuu8w.com/owa/...
http://nethelp.no.ikuu8e.net/owa/...

This is a very old trick, seen lots of times in connection with
phishing sites, for instance.

Steinar Haug, Nethelp consulting, sthaug [at] nethelp


bpfankuch at cpgreeley

Jan 8, 2010, 11:41 AM

Post #4 of 9 (1310 views)
RE: New SPAM DOS [In reply to]

I too have been receiving these to my spamtrap domain... again any ideas to combat this would be helpful.

-----Original Message-----
From: Shane Ronan [mailto:sronan [at] fattoc]
Sent: Friday, January 08, 2010 12:34 PM
To: Owen DeLong
Cc: Nanog list
Subject: Re: New SPAM DOS

I recently started receiving these as well for my domain.

Would appreciate anyone's input on what the deal is.

On Jan 8, 2010, at 2:22 PM, Owen DeLong wrote:

> At least this is new for me...
>
> I host scvrs.org on one of my servers, and, it does not have any
> outlook or owa services. For some reason, someone decided to try and
> send this message out to various internet recipients:
>
>> Dear user of the scvrs.org mailing service!
>>
>> We are informing you that because of the security upgrade of the
>> mailing service your mailbox (x) settings were changed. In order to
>> apply the new set of settings click on the following link:
>>
>> http://scvrs.org/owa/service_directory/settings.php?email=x&from=
>> scvrs.org&fromname=wa2ibm
>>
>> Best regards, scvrs.org Technical Support.
>
> And now I'm having to clean up various blacklistings thinking that my
> server is a spamvertised web site.
>
> Anyone seen this before? Any good techniques for combatting it?
>
> Owen
>


aaron at wholesaleinternet

Jan 8, 2010, 11:42 AM

Post #5 of 9 (1319 views)
RE: New SPAM DOS [In reply to]

Yep. I've been receiving them from several of my domains for a couple
weeks. I've been sending the normal complaints to the provider of the IP
space in the header but other than that I have no good ideas about combating
it.

Aaron


-----Original Message-----
From: Owen DeLong [mailto:owen [at] delong]
Sent: Friday, January 08, 2010 1:22 PM
To: Nanog list
Subject: New SPAM DOS

At least this is new for me...

I host scvrs.org on one of my servers, and, it does not have any outlook or owa
services. For some reason, someone decided to try and send this message
out to various internet recipients:

> Dear user of the scvrs.org mailing service!
>
> We are informing you that because of the security upgrade of the mailing
> service your mailbox (x) settings were changed. In order to
> apply the new set of settings click on the following link:
>
> http://scvrs.org/owa/service_directory/settings.php?email=x&from=
> scvrs.org&fromname=wa2ibm
>
> Best regards, scvrs.org Technical Support.

And now I'm having to clean up various blacklistings thinking that my server is
a spamvertised web site.

Anyone seen this before? Any good techniques for combatting it?

Owen




john-nanog at johnpeach

Jan 8, 2010, 11:47 AM

Post #6 of 9 (1320 views)
Re: New SPAM DOS [In reply to]

It's a phishing scam:

http://isc.sans.org/diary.html?storyid=7918&rss



On Fri, 8 Jan 2010 12:41:07 -0700
Blake Pfankuch <bpfankuch [at] cpgreeley> wrote:

> I too have been receiving these to my spamtrap domain... again any
> ideas to combat this would be helpful.
>
> -----Original Message-----
> From: Shane Ronan [mailto:sronan [at] fattoc]
> Sent: Friday, January 08, 2010 12:34 PM
> To: Owen DeLong
> Cc: Nanog list
> Subject: Re: New SPAM DOS
>
> I recently started receiving these as well for my domain.
>
> Would appreciate anyone's input on what the deal is.
>
> On Jan 8, 2010, at 2:22 PM, Owen DeLong wrote:
>
> > At least this is new for me...
> >
> > I host scvrs.org on one of my servers, and, it does not have any
> > outlook or owa services. For some reason, someone decided to try
> > and send this message out to various internet recipients:
> >
> >> Dear user of the scvrs.org mailing service!
> >>
> >> We are informing you that because of the security upgrade of the
> >> mailing service your mailbox (x) settings were changed. In order to
> >> apply the new set of settings click on the following link:
> >>
> >> http://scvrs.org/owa/service_directory/settings.php?email=x&from=
> >> scvrs.org&fromname=wa2ibm
> >>
> >> Best regards, scvrs.org Technical Support.
> >
> > And now I'm having to clean up various blacklistings thinking that my
> > server is a spamvertised web site.
> >
> > Anyone seen this before? Any good techniques for combatting it?
> >
> > Owen
> >
>
>
>


--
John


zimmy at zimmy

Jan 8, 2010, 11:48 AM

Post #7 of 9 (1314 views)
Re: New SPAM DOS [In reply to]

It's a phish, people.

I've received several of these for zimmy.co.uk, they lasted about a
week, then they stopped. I would suggest waiting this out, if after a
week or two they haven't ceased then I would suggest contacting the ISP
from where these EMails are originating.

As for the blacklisting of your host, contact them and inform them this is a
phishing scam; this is better delegated to blacklists such as Netcraft
rather than SORBS or the like.

c

On Fri, 2010-01-08 at 11:22 -0800, Owen DeLong wrote:
> At least this is new for me...
>
> I host scvrs.org on one of my servers, and, it does not have any outlook or owa
> services. For some reason, someone decided to try and send this message
> out to various internet recipients:
>
> > Dear user of the scvrs.org mailing service!
> >
> > We are informing you that because of the security upgrade of the mailing
> > service your mailbox (x) settings were changed. In order to
> > apply the new set of settings click on the following link:
> >
> > http://scvrs.org/owa/service_directory/settings.php?email=x&from=
> > scvrs.org&fromname=wa2ibm
> >
> > Best regards, scvrs.org Technical Support.
>
> And now I'm having to clean up various blacklistings thinking that my server is
> a spamvertised web site.
>
> Anyone seen this before? Any good techniques for combatting it?
>
> Owen
>


owen at delong

Jan 8, 2010, 12:52 PM

Post #8 of 9 (1300 views)
Re: New SPAM DOS [In reply to]

Unfortunately, I only have the spamcop report sent to me, I don't have the original message.
What spamcop sends does not include Content-Type headers or the additional parts of
the message, only the plain text portion.

Unfortunately, it's turning things like SPAMCOP into a DOS attack against the sites
they are hoping to protect when they start treating the initial "advertised" URL as
being the "spam advertised site".

Owen

On Jan 8, 2010, at 11:39 AM, sthaug [at] nethelp wrote:

>> I host scvrs.org on one of my servers, and, it does not have any outlook or owa
>> services. For some reason, someone decided to try and send this message
>> out to various internet recipients:
> ...
>> Anyone seen this before? Any good techniques for combatting it?
>
> If you look more closely at the messages I believe you'll find that
> they are multipart/alternative, and that the second part gives a
> slightly modified version of the owa URL. For instance, for my own
> nethelp.no domain the first part of message says
>
> http://nethelp.no/owa/...
>
> but the second part specifies URLs like
>
> http://nethelp.no.ujjikx.co.im/owa/...
> http://nethelp.no.ujjiks.net.im/owa/...
> http://nethelp.no.ikuu8w.com/owa/...
> http://nethelp.no.ikuu8e.net/owa/...
>
> This is a very old trick, seen lots of times in connection with
> phishing sites, for instance.
>
> Steinar Haug, Nethelp consulting, sthaug [at] nethelp


bill at herrin

Jan 8, 2010, 1:16 PM

Post #9 of 9 (1302 views)
Re: New SPAM DOS [In reply to]

On Fri, Jan 8, 2010 at 3:52 PM, Owen DeLong <owen [at] delong> wrote:
> Unfortunately, I only have the spamcop report sent to me, I don't have the original message.
> What spamcop sends does not include Content-Type headers or the additional parts of
> the message, only the plain text portion.

Ah, that explains why you didn't know that the underlying URL is not
actually to your web site. Here's what the HTML part looks like:

tings were changed. In order to apply the new set of settings click on the =
following link:<br><br><a href=3D"http://nosoliciting.dirtside.com.okqwab.c=
om.pl/owa/service_directory/settings.php?email=3Dmktts [at] nosoliciting=
e.com&from=3Dnosoliciting.dirtside.com&fromname=3Dmktts"><font size=3D"2">h=
ttp://nosoliciting.dirtside.com/owa/service_directory/settings.php?email=3D=
mktts [at] nosoliciting&from=3Dnosoliciting.dirtside.com&fromname=3D=
mktts</font></a><br><br>Best regards, nosoliciting.dirtside.com Technical S=
upport.<br><br>Message ID#MK8S99OOMIEPVRAZDVIG4</font></p>

And yes, we're all getting a crapload of these but most die in the
spam filter so we never see them. The message I quoted from achieved a
spam-assassin score of 26.

Regards,
Bill




--
William D. Herrin ................ herrin [at] dirtside bill [at] herrin
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
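
The check Steinar and Bill describe above, as an added example that is not part of the thread: a Python sketch that walks a message's MIME parts, decodes the quoted-printable HTML alternative, and reports anchors whose visible text names one host while the href points at another. The sample message and the example.org / example.net hosts are constructed placeholders.

```python
import email
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (placeholder hosts): the plain part shows the real domain,
# the HTML part hides a look-alike host behind the same visible text.
SAMPLE = """\
Content-Type: multipart/alternative; boundary="b1"

--b1

http://example.org/owa/settings.php?email=x
--b1
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<a href=3D"http://example.org.abcdef.example.net/owa/settings.p=
hp?email=3Dx">http://example.org/owa/settings.php?email=3Dx</a>
--b1--
"""

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(raw):
    """Return (shown_host, real_host, shown_is_prefix) for deceptive anchors."""
    findings = []
    for part in email.message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes quoted-printable (=3D, soft line breaks)
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        parser = AnchorCollector()
        parser.feed(body)
        for href, text in parser.links:
            shown, real = ((urlsplit(u).hostname or "").lower() for u in (text, href))
            if shown and real and shown != real:
                findings.append((shown, real, real.startswith(shown + ".")))
    return findings
```

The third field is true when the displayed domain appears as the leftmost labels of the real host, which is the pattern in the nethelp.no and dirtside.com URLs quoted in this thread.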
