Bank fraud spam?

jakewestmorley
Posts: 3
Joined: Fri Feb 11, 2005 3:13 am

Bank fraud spam?

Post by jakewestmorley »

Hello,

First I'd like to say how useful I find the rollernet backup mx service, and how grateful I am.

Next: my problem. I've been receiving a few (this is the third) spam 'phishing' emails lately, asking for bank details etc. These mails all 'appear' to come from someone@mail.rollernet.us (at least in the "To" field).

Could someone help me interpret the email headers (shown below) and explain to me how this works? I read the FAQ, and have searched the forums, but this doesn't seem to be addressed anywhere (apart from a big "we are not an open relay" in the faq! 8) )

Here are the headers: (i have replaced my email address with me@myserver.net and my server with myserver.net for privacy)

Lastly, my server runs kerio mailserver, and uses NOD32 antivirus as a plugin, which has probably added quite a few lines to the headers. (NOD32 detected this as a bankfraud.gen trojan).

Return-Path: <support_id_0421939@wamu.com>
X-Envelope-To: me@myserver.net
X-Virus-Found: HTML/Bankfraud.gen trojan
X-Spam-Status: Yes, hits=10.0 required=8.0
	tests=BAYES_80: 2.442,FROM_ENDS_IN_NUMS: 0.677,FROM_HAS_ULINE_NUMS: 0.628,
	HTML_60_70: 0.516,HTML_FONTCOLOR_UNSAFE: 0.1,HTML_IMAGE_ONLY_02: 1.472,
	HTML_MESSAGE: 0.1,MIME_HTML_ONLY: 0.248,NORMAL_HTTP_TO_IP: 0.617,
	SARE_HTML_COLOR_NWHT: 1.666,SARE_HTML_FONT_INVIS1: 0.924,SARE_HTML_IMG_ONLY: 2.222,
	SARE_HTML_NO_BODY2: 0.1,SARE_HTML_NO_BODY3: 0.1,SARE_HTML_URI_IP: 0.644,
	SARE_SUB_PLEASE_OB1: 1.666
X-Spam-Flag: YES
X-Spam-Level: **********
Received: from mail.rollernet.us ([67.118.43.92])
	by myserver.net (Kerio MailServer 6.0.6)
	for me@myserver.net;
	Fri, 11 Feb 2005 09:41:52 +0000
Received: from bog44-1-82-231-130-140.fbx.proxad.net (bog44-1-82-231-130-140.fbx.proxad.net [82.231.130.140])
	by mail.rollernet.us (Postfix) with SMTP id 9EC1253FD1
	for <me@myserver.net>; Fri, 11 Feb 2005 00:38:43 -0800 (PST)
FCC: mailbox://support_id_0421939@wamu.com/Sent
X-Identity-Key: id1
Date: Fri, 11 Feb 2005 03:38:36 -0500
From: Washington@mail.rollernet.us, Mutual@mail.rollernet.us,
	Inc. <support_id_0421939@wamu.com>
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: me@myserver.net
Subject: Washington Mutual: PIease Confirm Your Data
Content-Type: multipart/related;
 boundary="------------010102090903030109010006"
X-Antivirus: avast! (VPS 0506-0, 08/02/2005), Outbound message
X-Antivirus-Status: Clean
Message-Id: <20050211083843.9EC1253FD1@mail.rollernet.us>

RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

My guess is that when they send out the phishing mail they just throw some random words in front of @target.mx.server.net; in this case, the target MX is mail.rollernet.us, since there are no restrictions on who claims to be the "from" address (or at a lower level, the MAIL FROM portion of the SMTP session). This, however, is the goal of things like SPF: sender domain verification. Since there are SPF records for rollernet.us, the SPF filter would have caught that and rejected it since it didn't come from an authorized server.

What I can do from an administrative point of view is force SPF lookups on anyone trying to use @*.rollernet.us in their MAIL FROM, since there's only one server (mine) that gets used for that domain. Although this doesn't help anyone not using the Roller Network servers, it will nuke any spam/scam/phishing schemes that try to create a bogus FROM address using the target server's hostname.

As far as non-envelope headers (anything that's not part of the SMTP session), those can be created and added at will by the source. Even if they use SMTP level RCPT TO and MAIL FROM addresses that are valid, random garbage inserted as the "From" or "To" headers will show up as that in the mail client. This is actually how BCC and mailing lists work so you don't see 5,000 email addresses, but it gets abused like you are seeing, too.

(As an aside, the "open relay" FAQ entry happened because some people signed up for the service, ran some test thing that said we were relaying for their domain, and started reporting it as an open relay spam source. Ugly mess that took weeks to sort out.)
Technical Support support@rollernet.us
Roller Network LLC
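An added example (not code from this thread or from Roller Network) that applies the two points in the reply above to the headers posted earlier: walk the Received chain newest-first through the relays you trust to find the IP that really delivered the mail, then check the forged header-From domain against an SPF record. The relay list and the SPF record for mail.rollernet.us are assumptions, and the header excerpt is a constructed copy of the posted one.

```python
import ipaddress
import re
from email import message_from_string

# Constructed excerpt of the headers posted above (assumption: hops appear
# newest-first, as each relay prepends its own Received line).
RAW_HEADERS = """\
Received: from mail.rollernet.us ([67.118.43.92])
\tby myserver.net (Kerio MailServer 6.0.6)
\tfor me@myserver.net; Fri, 11 Feb 2005 09:41:52 +0000
Received: from bog44-1-82-231-130-140.fbx.proxad.net (bog44-1-82-231-130-140.fbx.proxad.net [82.231.130.140])
\tby mail.rollernet.us (Postfix) with SMTP id 9EC1253FD1
\tfor <me@myserver.net>; Fri, 11 Feb 2005 00:38:43 -0800 (PST)
From: Washington@mail.rollernet.us, Mutual@mail.rollernet.us,
\tInc. <support_id_0421939@wamu.com>
"""
TRUSTED_RELAYS = {"myserver.net", "mail.rollernet.us"}   # our primary and backup MX
TRUSTED_IPS = {"67.118.43.92"}                           # mail.rollernet.us
# Hypothetical SPF record (assumption): only the backup MX may send as mail.rollernet.us.
SPF_RECORDS = {"mail.rollernet.us": "v=spf1 ip4:67.118.43.92 -all"}
HOP_RE = re.compile(r"from\s+\S+.*?\[(\d+\.\d+\.\d+\.\d+)\].*?\bby\s+([\w.-]+)", re.S)

def originating_ip(raw):
    """Walk Received hops newest-first; the first 'from' IP handed to one of
    our relays that is not itself one of our relays is the real sender."""
    for hop in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(hop)
        if m and m.group(2) in TRUSTED_RELAYS and m.group(1) not in TRUSTED_IPS:
            return m.group(1)
    return None

def spf_ip4_result(record, ip):
    """Minimal SPF check: ip4: mechanisms, then the trailing 'all' qualifier."""
    addr = ipaddress.ip_address(ip)
    tokens = record.split()[1:]
    for tok in tokens:
        if tok.startswith("ip4:") and addr in ipaddress.ip_network(tok[4:], strict=False):
            return "pass"
    return {"-all": "fail", "~all": "softfail"}.get(tokens[-1] if tokens else "", "neutral")

def forged_from_domains(raw):
    """Header-From domains whose SPF record rejects the IP that really delivered the mail."""
    origin = originating_ip(raw)
    domains = set(re.findall(r"@([\w.-]+)", message_from_string(raw)["From"]))
    return sorted(d for d in domains if d in SPF_RECORDS
                  and origin and spf_ip4_result(SPF_RECORDS[d], origin) == "fail")

if __name__ == "__main__":
    print("delivered by:", originating_ip(RAW_HEADERS), "forged:", forged_from_domains(RAW_HEADERS))
```

Note that the envelope sender (Return-Path, wamu.com) is a different domain from the header From, which is exactly why a check on MAIL FROM alone would not notice the @mail.rollernet.us display addresses.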
jakewestmorley
Posts: 3
Joined: Fri Feb 11, 2005 3:13 am

Post by jakewestmorley »

Many thanks for your well explained reply.

I'm curious whether the spammer chooses to send mail to the backup mx (is that possible - even if the primary mx is running?), because it may be less likely to filter from ORDB, spamhaus, etc. (I have not set up this filtering yet on rollernet, but I have on the primary mx - this is my fault).

Yepp, I find that these tests for "open relays" can be very misleading for people who do not understand what or how things are being tested. (not that I particularly fall under the category of those that do understand, just maybe a little better than some!).

Anyway, thanks again for your help and service. I've put a reminder for myself to donate when student loan time of year comes around. 8)
RollerNetSupport
Site Admin
Posts: 598
Joined: Wed Nov 17, 2004 10:05 pm
Location: Nevada

Post by RollerNetSupport »

> I'm curious whether the spammer chooses to send mail to the backup mx (is that possible - even if the primary mx is running?), because it may be less likely to filter from ORDB, spamhaus, etc. (I have not set up this filtering yet on rollernet, but I have on the primary mx - this is my fault).

That's exactly what they do. Since the vast majority of secondary MX servers do not employ filtering, so a lot of spammers try the secondaries first (all of them) and then the primary afterwards, if at all. Most of my spam never tries my primary MX, only the secondaries. I can also see them hitting each of the secondaries in sequence, probably hoping one of them doesn't have filters.
Technical Support support@rollernet.us
Roller Network LLC
jakewestmorley
Posts: 3
Joined: Fri Feb 11, 2005 3:13 am

Post by jakewestmorley »

Aha! Sneaky! :twisted:
Well I've set up filtering on rollernet now, so the problem should be fixed. 8)
Thanks again!