(Challenge) Tracing a spammer

[lund99]

The company I work for is a financial institution of medium size (on a Norwegian scale ) But I doubt we will be able to get any help on account of our name from any russian company.

However, as far as i can see only the server hosting the video.exe file resides in russia - I followed your tip and tried some nslookup and whois attempts at the source IP listed in the mail and it turned out to be hosted by an Austrian ISP so I will try to contact them to see if they can be helpful in any way.

I'm not even sure if the source IP is legit in any way but since it resolved to an Austrian ISP I thought it might be worth a shot.

[-=Xploitz=-]

I don't believe this is "spam" in the true sense of the word "spam".

At first glance, it appears to me to be a type of SMTP (Simple Mail Transfer Protocol) mail bounce attack.

a1aaa1azzzz1zaaaaa@dbtec.de den 03.04.2008 12:59
The e-mail account does not exist at the organization this message was sent to.
Check the e-mail address, or contact the recipient directly to find out the correct address.
< mailfb.netuse.de #5.1.1 SMTP; 550 <a1aaa1azzzz1zaaaaa@dbtec.de>:
Recipient address rejected: User unknown in local recipient table>

And it would appear that now they have your mail servers address as well.

Code:

mailfb.netuse.de

What the attacker is doing is "Reconnaissance". Their hoping that by sending this email to an address that doesn't exist, that it will "bounce" back an error message in the attackers email with your true email servers address. And it will send a list of host names and IP addresses back to them. The attacker can learn much about your companies IT and networking structure and plan out attacks by running whois and Nmap...along with other various methodologies of enumerating and fingerprinting / foot printing your companies network.

Be careful in how you deal with this. But on the brighter side, this method also exposes the attackers IP address assuming that they aren't using anonymous proxy chains and etc.

In that email...there should be an originating IP address if you look at its headers.

Hope this info helps.

[lund99]

Thanks for your reply -=Xploitz=-

I have been on a little vacation so I have not been focusing too much on this case for the last couple of weeks, but I do find it interesting though.

But the server address you posted does not belong to my company at all, I thought this might be a reply from a mail server to which the spammer/hacker sendt an e-mail to a bogus address..

In the particular mail you are reffering to here, there is no source IP anywhere but in another mail i found the following:

Return-Path: <XX@XXXX.no>
Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500
Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)
by corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500
Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>
From: "adolph imsl" <XX@XXXX.no>
To: <eldridge@filethirteen.com>
Subject: Hot nude Rihanna video
Date: Thu, 03 Apr 2008 06:42:44 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0004_01C89564.011088F2"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

This is a multi-part message in MIME format.

I think the ip in this mail belongs to an Austrian ISP named eTel and I thought this IP might belong to a server used to forward the mails to make them appear to originate from this source, or that the IP belongs to a server which the hacker/spammer/whatever has managed to take control of and is using as a mail server for these types of mails... what do you think?

[theprez98]

Here is nice little tutorial on tracking the source IP of an email (this only works when the source of the email was Microsoft Outlook/Outlook Express as they encode the IP in the Message ID field).

Based on the header data:

Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>

Break out the important portion (bolded between last $ and @):

cc 4f b2 bc

Reverse by octet and convert from hex:

bc = 188
b2 = 178
4f = 79
cc = 204

Source IP address is 188.178.79.204

Unless the message ID or original IP was spoofed (possible), this is the IP of the computer that originally sent the email.

[Archangel-Amael]

Any one interested in this might also wanna look into fast-flux one of the newer techniques used when rogues (rouges ) are hiding their locations
http://spamtrackers.eu/wiki/index.ph..._using_this.3F

Quickly: Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

[imported_wyze]

Set up a good SPF record for the domain.

[lund99]

thanks for the replies, I'm learning a lot from this thread already and I especially liked that trick theprez98 came up with - really sweet!

just came to work so if i get some time during the day I will se what more I can come up with and if I can resolve the same IP from more of these e-mails..

[-=Xploitz=-]

Here is nice little tutorial on tracking the source IP of an email (this only works when the source of the email was Microsoft Outlook/Outlook Express as they encode the IP in the Message ID field).

Also, if you have a 30gigs.com account...all emails come with the original senders IP address and a cool little Google map of their exact location.

Like I said earlier..look at the headers, and thanks prez for expanding on what I suggested. Saved me some time.

[streaker69]

Sometimes the replies you'll receive will be less than helpful.

Thank you for contacting Ford Motor Company.

We have received a number of messages recently regarding IP xxx.xxx.xxx.xxx, specifically related to the SQL Slammer worm.

Our investigation into this matter has determined that the recent onset of attacks from this IP is the result of the IP being forged by an external party. External parties will commonly use IP addresses that belong to large organizations to mask network traffic.

Unfortunately, forging IP addresses is a common practice among spammers and it is very difficult to prevent such unethical behavior.

We appreciate your assistance. If we have any further questions or concerns regarding your message/notification, we may attempt to contact you at this e-mail address.

Best regards,

Ford Motor Company
--------------------------------------------------------------------------------
From: xxxxxx xxxxxxxxx [mailto:xxxxxx@xxxxxxx.xxxxx]
Sent: Monday, April 14, 2008 11:37 AM
To: Nsadmin, DNS (D.)
Subject: Attack from Your Network

I have recieved the following two alerts from my Snort box indicating that a machine on your network is probably compromised with the Slammer WORM. I just wanted to let you know so that this machine can be properly sanitized and stop attacking other networks.

"29", "647", "2008-04-11 13:28:43", "xxx.xxx.xxx.xxx", "4405", "xx.xxx.xx.xxx", "1434", "[url/vil.nai.com/vil/content/v_99992.htm] [nessus/11214] [cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [local/2003] [snort/1:2003] MS-SQL Worm propagation attempt"

"29", "1202", "2008-04-13 06:01:11", "xxx.xxx.xxx.xxx", "4405", "xx.xxx.xxx.xxx", "1434", "[url/vil.nai.com/vil/content/v_99992.htm] [nessus/11214] [cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [local/2003] [snort/1:2003] MS-SQL Worm propagation attempt"

Attacker WhoIS: http://whois.domaintools.com/xxx.xxx.xxx.xxx

Snort Rule: http://www.snort.org/pub-bin/sigs.cgi?sid=1:2003

Thank you

Since the attack came from Ford Motor Company, I didn't send them my normal email, but sent them a rather nice one to let them know they have a problem. Of course, they don't want to get caught with their pants down so they send me back complete bullshit. The Slammer Worm is not able to forge it's source IP according to the information I found about the Slammer Worm. I think they just don't want to own up to getting caught with a server that was compromised.

[imported_wyze]

I think they just don't want to own up to getting caught with a server that was compromised.

Well it is Ford afterall... they're probably too busy with R&D in making a damn vehicle that will run over 100K miles