
SANS ISC: I'm fine, thanks! - Internet Security | DShield SANS ISC InfoSec Forums


I'm fine, thanks!

I woke up this morning to my Spam box full of email from a variety of people, to a variety of my email boxes, greeting me and checking on my well-being.  One example of this is:

From: Luella Winkler <sacrilegioush@real-time-vision.com>
Date: Sat, Sep 18, 2010 at 1:03 PM
Subject: hello
To: XXXXXX@XXXXXXX.ca


how are you?

 

To Luella and the other 54 email addresses that checked up on me... I would just like to thank all of you for caring so much and reassure you that I am quite well.

Seriously though, there is no solicitation, no attempt at phishing, and no embedded crap, just warm regards.  Is this a dry run for something big to come?

 

UPDATE 2010-09-21:  Today the same IP addresses are delivering emails with subjects such as "Deposit", "demands for payment", "schedule of bridging loan payments", and "June Voice".  They each have a .html attachment and lots of bad English.  I haven't had time to look into the attachment, but if any of you have, safely of course, I would love to hear what you found.

-- Rick Wanner - rwanner at isc dot sans dot org - http://rwanner.blogspot.com/

Rick

286 Posts
ISC Handler
Could it be a way to verify email addresses? Make sure they don't bounce?
Anonymous
My company is also getting these emails. They appear to be going to addresses that normally receive a fair amount of spam (and I mean spam, not annoying UCE). This includes invalid addresses that I regularly see spammed.
They're doing quite well at getting through our spam filters as well - about 60% of the emails got through.
I think Steve could be right. An innocuous email designed to evade filters and elicit bouncebacks on the invalid addresses.
However I can't see spammers ever actually removing email addresses from their lists. I have enough trouble getting email marketers to remove addresses for people who have left or died.
Rabbi

7 Posts
Steve, that was my first thought. Validating emails through bounces, out-of-office replies, and the occasional reply. But the question still remains: to what longer-term end?

I agree with Rabbi. With email essentially being free why go to the cost and effort of cleaning up the list?
Rick

286 Posts
ISC Handler
Just a guess.. but the thing about the scattergun directory harvesting attacks that botnets do is that they are quite easy to detect. This could be an attempt to find valid mailboxes so that directory harvesting is not needed, leading to increased deliverability.

http://blog.dynamoo.com/2010/09/hello-how-are-you-mystery-spam.html
Conrad

15 Posts
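The address-validation theory discussed in the comments above (a content-free probe now, a real delivery later to the mailboxes that did not bounce) can be checked against a mail server's own logs. The script below is an added example, not code from the diary or from any of the commenters: it reads constructed log lines in a made-up key=value format (the client IPs are the ones posted in this thread; recipients, subjects and timestamps are invented), records which IPs sent "hello"/"mail" probes and what each learned, and then lists later non-probe deliveries from those same IPs.

```python
import re
from collections import defaultdict

# Constructed mail-server log lines in a simplified key=value format; these are
# not from the thread or from any real MTA. The client IPs are the ones posted
# in this thread; the recipients, subjects and timestamps are made up.
LOG = """\
2010-09-18T03:10:11 client=62.24.127.28 rcpt=alice@example.invalid result=accepted subject="hello"
2010-09-18T04:02:40 client=217.203.84.22 rcpt=bob@example.invalid result=accepted subject="hello"
2010-09-18T05:15:09 client=78.3.224.9 rcpt=oldstaff@example.invalid result=rejected:unknown_user subject="hello"
2010-09-18T06:30:12 client=79.115.208.166 rcpt=alice@example.invalid result=accepted subject="mail"
2010-09-18T08:45:00 client=203.0.113.5 rcpt=alice@example.invalid result=accepted subject="Meeting notes"
2010-09-21T09:12:33 client=62.24.127.28 rcpt=alice@example.invalid result=accepted subject="Deposit"
2010-09-21T09:13:05 client=217.203.84.22 rcpt=bob@example.invalid result=accepted subject="schedule of bridging loan payments"
2010-09-21T09:14:51 client=78.3.224.9 rcpt=carol@example.invalid result=accepted subject="June Voice"
2010-09-21T10:00:00 client=203.0.113.5 rcpt=bob@example.invalid result=accepted subject="Meeting notes"
"""

LINE = re.compile(
    r'(?P<ts>\S+) client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) '
    r'result=(?P<result>\S+) subject="(?P<subject>[^"]*)"'
)

# Subjects that, on their own, carry no content: the "hello"/"mail" probes.
PROBE_SUBJECTS = {"hello", "mail"}


def parse_log(text):
    """Turn the constructed log text into a list of dicts, one per delivery attempt."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def probe_sources(entries):
    """Map each client IP that sent a content-free probe to what it learned:
    how many recipients accepted (valid mailbox) versus were rejected."""
    learned = defaultdict(lambda: {"accepted": 0, "rejected": 0, "first_seen": None})
    for e in entries:
        if e["subject"].lower() not in PROBE_SUBJECTS:
            continue
        rec = learned[e["ip"]]
        rec["accepted" if e["result"] == "accepted" else "rejected"] += 1
        if rec["first_seen"] is None or e["ts"] < rec["first_seen"]:
            rec["first_seen"] = e["ts"]
    return dict(learned)


def follow_up_deliveries(entries, sources):
    """Messages with a real subject sent later by an IP that earlier sent probes:
    the payload wave the thread expects to follow the dry run."""
    hits = []
    for e in entries:
        src = sources.get(e["ip"])
        if src is None or e["subject"].lower() in PROBE_SUBJECTS:
            continue
        if e["ts"] > src["first_seen"]:  # ISO-8601 timestamps sort as strings
            hits.append(e)
    return hits


def report(text=LOG):
    entries = parse_log(text)
    sources = probe_sources(entries)
    later = follow_up_deliveries(entries, sources)
    return {
        "probe_ips": sorted(sources),
        "validated_mailboxes": sum(s["accepted"] for s in sources.values()),
        "follow_up": [(e["ts"], e["ip"], e["rcpt"], e["subject"]) for e in later],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

On the constructed data the probe IPs learned three valid mailboxes and one non-existent one, and every later "Deposit"/"bridging loan"/"June Voice" delivery comes from an IP that probed first; the unrelated 203.0.113.5 sender is never flagged. On a real server the same correlation is the quickest way to turn a harmless-looking probe wave into a block list before the payload wave arrives.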
My first thought would be poisoning Bayesian filters by pumping stuff through initially to lower their score and get whitelisted.
Conrad
2 Posts
My second thought would be mapping IP block policy blockages. By mapping out what address blocks produce delivery rejections and which do not you could target future deliveries to a server to come only from the unblocked IP address ranges.
Conrad
2 Posts
About half the originating IPs from the spam I just checked were from Russia or the Ukraine. This seems to be an unusually high proportion, so perhaps it IS IP address mapping.
Conrad

15 Posts
I just started seeing these as well. Last week, there was a lot of the folks who liked my profile asking if I wanted to see their pic with an email address to request it.
Conrad
1 Posts
Or.. perhaps it is looking for the responses from the mail server in order to find vulnerable servers? Enumerate them now.. attack them all later.

Or.. it's just a prank.
Conrad

15 Posts
.. or there is a TRY IT NOW / LIVE DEMO button on the marketing pages of a new spam tool that is just too tempting to click on ..

.. or a new spammers 101 course that people are following too literally ..

Well - either way I wish they'd all just roll over and get a proper job. I don't mind them making money, but why not deserve them?
dotBATman

66 Posts
From what we are seeing, they all seem to be tied to a specific range of domain names. The subjects are "mail" or "hello". If the behavior follows past patterns, a Zeus botnet spamflood will follow in a day or 2.
CBob

21 Posts
This past Saturday morning, about once per hour from 3 am until 9 am, I got 6 spams to the same account from these IP addresses:

62.24.127.28
217.203.84.22
78.3.224.9
79.115.208.166
178.90.69.185
87.252.227.84

My SMTP server rejects all connection attempts from IPs located in Russia, China and all of South and Central America.

These spams were all similar in that:

- The subject was simply -> hello
- The body was simply -> how are you?
- The header contained a second Return-Path: line (unusual for the direct-to-mx spam I usually get)
- The header contained a second Received: line that contained a port=nnnn and helo=(string) parameter (which I believe is indicative of Exim software).

There seems to be some history of abuse using servers running Exim where the operators are having a hard time securing them or even properly logging their operations.
CBob
3 Posts
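The header traits listed in the comment above (a second Return-Path:, and a Received: line carrying port= and helo= parameters in the style Exim writes) are easy to check for mechanically. The script below is an added example, not code from the diary or the commenter: it parses a constructed message that reproduces those traits (the IPs, hostnames and HELO string are placeholders; the sender address is the one shown in the diary) alongside a constructed ordinary message, and scores each on the three indicators.

```python
import email
import re

# Constructed message reproducing the traits described in the comment:
# two Return-Path headers, an Exim-style hop with "(port=NNNN helo=STRING)",
# subject "hello" and body "how are you?". Hosts, IPs and the HELO string
# are placeholders, not captured values.
SAMPLE_MESSAGE = b"""Return-Path: <sacrilegioush@real-time-vision.com>
Received: from mx.example.invalid ([192.0.2.10])
\tby inbound.example.invalid with esmtp id 1Oxyz-0001aB-CD
\tfor <victim@example.invalid>; Sat, 18 Sep 2010 13:03:02 -0600
Return-Path: <sacrilegioush@real-time-vision.com>
Received: from [198.51.100.23] (port=4122 helo=ypcutj)
\tby mx.example.invalid with smtp (Exim 4.69)
\tid 1Oxyz-0001aA-BC; Sat, 18 Sep 2010 13:03:01 -0600
From: Luella Winkler <sacrilegioush@real-time-vision.com>
To: victim@example.invalid
Subject: hello
Date: Sat, 18 Sep 2010 13:03:00 -0600

how are you?
"""

# Constructed ordinary message for comparison: one Return-Path, no Exim hop.
CLEAN_MESSAGE = b"""Return-Path: <colleague@example.invalid>
Received: from mail.example.invalid ([192.0.2.20])
\tby inbound.example.invalid with esmtp id 1Oxyz-0002cD-EF
\tfor <victim@example.invalid>; Sat, 18 Sep 2010 14:00:00 -0600
From: A Colleague <colleague@example.invalid>
To: victim@example.invalid
Subject: Meeting notes
Date: Sat, 18 Sep 2010 13:59:00 -0600

Notes from this morning are attached to the ticket.
"""

# Exim records the client's source port and HELO/EHLO name in its Received
# line as "from [ip] (port=NNNN helo=NAME)"; most other MTAs do not.
EXIM_HOP = re.compile(
    r"from\s+(?:\S+\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*"
    r"\(port=(?P<port>\d+)\s+helo=(?P<helo>[^)\s]+)\)"
)
PROBE_SUBJECTS = {"hello", "mail"}
PROBE_BODIES = {"how are you?"}


def analyse(raw):
    """Return the indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    received = msg.get_all("Received") or []
    return_paths = msg.get_all("Return-Path") or []

    exim_hops = [
        {"ip": m.group("ip"), "port": int(m.group("port")), "helo": m.group("helo")}
        for m in (EXIM_HOP.search(h) for h in received) if m
    ]
    subject = (msg.get("Subject") or "").strip().lower()
    # get_payload(decode=True) is None for multipart messages; treat as empty.
    body = (msg.get_payload(decode=True) or b"").decode("latin-1").strip().lower()

    indicators = []
    if len(return_paths) > 1:
        indicators.append("%d Return-Path headers" % len(return_paths))
    for hop in exim_hops:
        indicators.append("Exim-style hop from %s port %d helo %s"
                          % (hop["ip"], hop["port"], hop["helo"]))
    if subject in PROBE_SUBJECTS and body in PROBE_BODIES:
        indicators.append("content-free probe text")

    return {
        "return_path_count": len(return_paths),
        "exim_hops": exim_hops,
        "indicators": indicators,
        "score": len(indicators),
    }


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, analyse(raw))
```

The helo= value is worth keeping: a HELO that is a random string rather than a resolvable hostname, combined with a direct-to-MX connection from a dynamic address, is as good a fingerprint of a bot as the body text, and it survives a change of subject line when the payload wave arrives.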
This attempt may be the spammer hoping that the receiver will reply to the mail. Apparently, the email ID then gets into the victim's contact list, so it is whitelisted.
CBob
1 Posts
It was indeed a trial run. At the moment I get from the same IP addresses hundreds of attempts to spread malware W32/Sasfis.MA!tr.
CBob
1 Posts
I just started receiving gibberish emails with no apparent intent, as below:
Received:

From: from For good <izyjyb6570@cgocable.net>
To: xxxxxxxx
Subject: He Wessex premiered is Sir
Date: Wed, 22 Sep 2010 08:39:15 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
X-Mlf-Connecting-IP: 209.51.186.102
Return-Path: izyjyb6570@cgocable.net

However World with of fast Lazar in on
CBob
2 Posts
It looks like the malware attacks may have started - I have begun receiving emails with HTML attachments : all these attachments purporting to come from Amazon.com, with an unescape sequence which I, frankly, do not have the skills to decipher.
CBob
3 Posts
Sorry to post a comment to my own comment. It looks like this is a virus, and has very poor detection, as per VirusTotal: 1 in 43, with Sophos being the only one to detect it as JS/WndRed-B.
CBob
3 Posts
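The unescape() sequence the two comments above describe can be read without opening the attachment in a browser: JavaScript's unescape() only turns %XX and %uXXXX into characters, so the same decoding can be done statically and the result searched for URLs and redirects. The script below is an added example, not code from the diary, the commenter, or the sample they received: it operates on a constructed HTML attachment (the page text, the script and the destination URL are placeholders) and peels nested unescape() layers without executing anything.

```python
import re

# Constructed HTML attachment (not a sample from the thread or any real
# campaign): a bare "order" page whose only active content is hidden inside
# a JavaScript unescape() literal. The destination URL is a placeholder.
ATTACHMENT = b"""<html><head><title>Amazon.com - Your Order</title></head>
<body>
<p>Thank you for your order. Your order details are loading...</p>
<script type="text/javascript">
document.write(unescape('%u003Cscript%u003Ewindow.location%3D%22http%3A%2F%2Fexample.invalid%2Fpay.php%3Fid%3D42%22%3C%2Fscript%3E'));
</script>
</body></html>
"""

# JavaScript unescape() handles %uXXXX (a UTF-16 code unit) and %XX.
PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(?P<lit>.*?)\1\s*\)""", re.S)
URL = re.compile(r"""https?://[^\s"'<>]+""")
REDIRECT = re.compile(r"(?:window|document)\.location|location\.(?:href|replace)")


def js_unescape(s):
    """Decode like JavaScript's unescape(): %uXXXX and %XX become characters,
    anything else (including a stray '%') is left untouched."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return PCT.sub(repl, s)


def decode_layers(text, max_depth=5):
    """Statically peel unescape() literals, re-scanning the decoded output in
    case it contains a further layer. Nothing is executed."""
    layers = []
    for _ in range(max_depth):
        lits = [m.group("lit") for m in UNESCAPE_CALL.finditer(text)]
        if not lits:
            break
        text = "\n".join(js_unescape(lit) for lit in lits)
        layers.append(text)
    return layers


def analyse_attachment(raw):
    """Decode every unescape() layer and report what the hidden code would do."""
    text = raw.decode("latin-1")
    layers = decode_layers(text)
    urls = sorted({u for layer in layers for u in URL.findall(layer)})
    return {
        "layers": layers,
        "urls": urls,
        "redirects": any(REDIRECT.search(layer) for layer in layers),
    }


if __name__ == "__main__":
    result = analyse_attachment(ATTACHMENT)
    for i, layer in enumerate(result["layers"], 1):
        print("layer %d: %s" % (i, layer))
    print("urls:", result["urls"])
    print("redirects:", result["redirects"])
```

On the constructed attachment the single layer decodes to a script tag that sets window.location to the placeholder URL, which is the typical shape of these mailers: the HTML is only a launcher, and the URL it points at is the indicator worth blocking and submitting. Real samples often stack several layers, or mix unescape() with String.fromCharCode() or string reversal, which is why the decoder re-scans its own output and stops at a depth limit rather than assuming one pass is enough.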
