October 25, 2006

Crafty Spammers

Filed under: T3city — pj @ 4:01 pm

Yesterday, T3city started receiving complaints from AOL about spam received from our mail servers. This is not so unusual – some of our users forward email to their @aol.com email address and whenever spam is forwarded and the user complains to AOL, AOL complains to us. Even though we aren’t the source of the spam, from AOL’s perspective, forwarded spam comes from our mail servers.

At first, I incorrectly assumed that, as often happens, one of our users was reporting the forwarded mail to AOL as spam. Usually when this happens, I figure out who is reporting the spam to AOL and ask them to turn off forwarding or stop reporting spam to AOL. Sometimes the AOL spam complaint messages we get don’t have enough information to figure out who is reporting the spam, so I have to wait for a message that has a header I can use.

In this case, I never got a message I could use. The spam looked pretty obnoxious and the source was mostly systems in China. I decided to start blocking the IPs of the systems that were sending us the spam. A lot of the IPs were from one ISP in China that has some huge IP address allocations. Blocking the IPs slowed down the AOL spam complaints, but there were other IPs from all over the world sending spam through us to AOL addresses.

Finally, I figured out that a spammer was using our mail server to relay mail directly to AOL addresses. The spammers had figured out how to log in via SMTP to a legitimate mail account with the common username of “webmaster”. Over the years, we have integrated email accounts from several businesses. Because of this, I have customized the authentication process used by the mail servers. It turns out that there was a bug in the code I wrote to authenticate users against our database. Because of this bug, any password would work for the username “webmaster”. I fixed this bug.

I guess the spammers just go looking for systems with easy-to-guess usernames and passwords for SMTP authentication. With all the different infected systems these guys were using, I don’t understand why they wanted to relay through us. It gives them one more layer of indirection, I guess.

The spam they were sending out was pretty unique. The body was just a word or two and a link to Google (http://www.google.com/url?q=%68%[...]). I did a little research on these kinds of spam. The spammers are using these URLs to redirect people that click the URLs through Google and other servers. Eventually, the victim lands on a web page with the spammers’ advertisement. Of course, the redirection makes it a bit harder to track them down, but, more importantly to the spammers, they are harder for the spam filters to recognize – to help decide if a message is spam, most spam filters consult lists of banned URLs. With this type of indirection, the spammers can change the URL to appear many different ways yet have all victims be taken to the same web page.
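The filter-side fix for this trick is to normalise the link before consulting the banned-URL list: unwrap the redirector, percent-decode the `q` parameter (repeatedly, since it may be double-encoded), and match the blocklist against the real destination host. The example below is added here and is not code from the original post or from T3city; the sample link, the `spam-example.test` destination and the blocklist contents are constructed for illustration.

```python
"""Normalise google.com/url redirect links so a URL blocklist matches the real target."""
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: a google.com/url redirect whose q= parameter is fully
# percent-encoded. The destination host is hypothetical, not from the post.
SAMPLE_LINK = ("http://www.google.com/url?q="
               "%68%74%74%70%3a%2f%2f%73%70%61%6d%2d%65%78%61%6d%70%6c%65"
               "%2e%74%65%73%74%2f%6f%66%66%65%72")

# Hypothetical blocklist of known spam destination hosts.
BLOCKLIST = {"spam-example.test"}

# Redirector hosts whose /url?q=... links we unwrap.
REDIRECTORS = {"www.google.com", "google.com"}


def unwrap_redirect(url, max_depth=5):
    """Return the final destination behind a redirector link.
    Follows chained redirects and strips nested percent-encoding."""
    for _ in range(max_depth):
        parts = urlsplit(url)
        if parts.hostname not in REDIRECTORS or parts.path != "/url":
            return url
        target = parse_qs(parts.query).get("q")
        if not target:
            return url
        url = target[0]  # parse_qs already decoded one encoding layer
        # Spammers may double-encode; keep decoding until stable.
        while "%" in url:
            decoded = unquote(url)
            if decoded == url:
                break
            url = decoded
    return url


def target_host(url):
    """Lower-cased host of the real destination, or '' if unparsable."""
    return (urlsplit(unwrap_redirect(url)).hostname or "").lower()


def is_blocklisted(url):
    """True if the unwrapped destination host is on the blocklist."""
    return target_host(url) in BLOCKLIST


if __name__ == "__main__":
    print(unwrap_redirect(SAMPLE_LINK), is_blocklisted(SAMPLE_LINK))
```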
