As usual, spammers are trying to fool me and many others, and the best way to protect yourself against them is by sharing how they operate. (And by using a proper spam filter, which is part of Google mail.) Today a message in my spam folder seemed legitimate at first glance. Well, okay… there was another hint telling me something wasn’t right. Multiple hints, even.
Delivered-To:
Received: by 10.50.83.72 with SMTP id o8csp50152igy; Thu, 5 Jun 2014 10:35:17 -0700 (PDT)
X-Received: by 10.180.76.210 with SMTP id m18mr17979380wiw.49.1401989716698; Thu, 05 Jun 2014 10:35:16 -0700 (PDT)
Return-Path:
Received: from sm1.white-lines.net (sm1.white-lines.net. [188.65.149.28]) by mx.google.com with ESMTP id cn1si16467631wib.60.2014.06.05.10.35.16 for <vip@watb.nl>; Thu, 05 Jun 2014 10:35:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of designates 188.65.149.28 as permitted sender) client-ip=188.65.149.28;
Received: by sm1.white-lines.net id hi2736000dsi for ; Thu, 5 Jun 2014 17:35:15 +0200 (envelope-from )
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
From: Security Team <security@security-fix-required.com>
Return-Path: bounce-
To:
Subject: Your website has a security leak!
Message-ID:
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
Date: Thu, 05 Jun 2014 17:35:15 +0200

Hello, during a routine check, we discovered that the server hosting your domain h=
as a security leak and is currently vulnerable. Your website is at risk of =
being hacked! It's also running an outdated PHP version. For further security details and secure managed server offers, please visit=
 our website: http://www.security-fix-required.com//
Thank you, Security Division Managed Root Server
So, what did they do to make it seem legitimate? Well, it was a simple plain-text email with just a small amount of text. Apparently someone discovered a security leak in my website and is warning me about it. Since there are always white-hat hackers on the Internet who search for such things to warn the site owners, it could be legitimate. It even seems to be an automated message from an automated vulnerability scanner. So, it will probably fool a few people into clicking on the link in the email.
And that was the first thing that tipped me off. The domain name is a bit long and the URL ends with what seems to be a GUID or other identifier. If I clicked on it, the site would confirm my address as legitimate and perhaps redirect me to some online advertisement or even a malware site. So, first lesson: if a URL has a weird number in it, it should automatically be suspicious!
Of course, the message doesn’t give me any information, just a warning. If they had detected something, they could have included a few more details. At least, they could have named the domain that they’ve checked. I have multiple domain names so this warning tells me nothing about the site.
They also mentioned an outdated PHP version on my website, but my website doesn’t use PHP. I know this blog does, but this blog is hosted. It’s not on my server. And the host is making sure it stays safe with the latest updates. (At least, I hope they do, but fortunately they have many other customers too.) If they had left out the remark about PHP, it might have looked more legitimate.
The fact that they don’t leave a name is reasonable, since hackers prefer to be anonymous. But hackers would use an alias instead, not the name of some server.
Of course, it also helped that this email ended up in my spam folder. Reporting spam thus helps protect others. If it had not been in my spam folder I would have reported it as spam myself, so Google would recognise it as spam in the future.
Some further analysis using RobTex tells me the domain is very new. It was registered today, so it is probably not blacklisted yet. A Google search for the domain name is also interesting. These two should offer plenty of warnings about the site.
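The hints above (a sending host unrelated to the From: domain, a per-recipient identifier at the end of the link, and a warning that never names the site it supposedly checked) can be checked mechanically. Below is an added example, not code from the original post, that runs those three checks over a constructed message modelled on the quoted headers; the GUID at the end of the URL is made up, since the real one is not on the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post. The tracking
# token at the end of the URL is made up; the real one is not on the page.
SAMPLE = """\
Received: from sm1.white-lines.net (sm1.white-lines.net. [188.65.149.28])
 by mx.google.com with ESMTP id cn1si16467631wib.60.2014.06.05.10.35.16
 for <vip@watb.nl>; Thu, 05 Jun 2014 10:35:16 -0700 (PDT)
Received-SPF: pass (google.com: domain designates 188.65.149.28 as permitted sender)
From: Security Team <security@security-fix-required.com>
Subject: Your website has a security leak!

Hello, during a routine check, we discovered that the server hosting your
domain has a security leak. For details please visit our website:
http://www.security-fix-required.com/0123abcd-0000-4000-8000-000000000000
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Final path segment that is a GUID or a long hex/alphanumeric token: a
# per-recipient identifier, so clicking it confirms the address is live.
TOKEN_RE = re.compile(
    r"/(?:[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}|[0-9a-z]{16,})/?$", re.I)

def relay_hosts(msg):
    """Hostnames from the 'from' clause of each Received header, newest first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def tracking_urls(body):
    return [u for u in URL_RE.findall(body) if TOKEN_RE.search(u)]

def analyse(raw, my_domains):
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hosts = relay_hosts(msg)
    body = msg.get_payload()
    findings = {}
    # The host that handed the mail to our MX does not belong to the From: domain.
    findings["relay_mismatch"] = bool(hosts) and not hosts[0].endswith(from_domain)
    findings["tracking_urls"] = tracking_urls(body)
    # A genuine scanner report names the site it checked; this one names none of ours.
    findings["names_no_site"] = not any(d in body for d in my_domains)
    return findings

if __name__ == "__main__":
    for key, value in analyse(SAMPLE, ["watb.nl"]).items():
        print(f"{key}: {value}")
```

Note that SPF passing (as it does in the quoted headers) only proves the sending server was allowed to send for the envelope domain, which the spammer controls, so it is not one of the checks.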
Of course, this wasn’t the only spam message, but it was the most tempting. Another message I received tried to sell me a specific kind of blue pills. A third one tempted me with some video, but not only did Google detect it as spam, my virus scanner detected the URL inside the spam as potentially malicious. And Ruby Palace wants me as a visitor, even though online gambling sites are illegal in the Netherlands if they target Dutch consumers. Since the email was in Dutch, one extra law was broken.
Again, the best weapon against spam is educating people about all the tricks spammers use and making sure spam gets reported as such. If you use Yahoo mail, Windows Live email or Google mail, reporting spam as such should be a simple option.
Unfortunately, Yahoo mail isn’t a good idea. They’re a significant spam generator on their own, and their servers constantly end up on honeypot lists, as well as SpamCop (and others). I regularly get complaints from customers that their customers (or friends/relatives) that use Yahoo (or AT&T Business accounts) are being blocked by my mail servers.
You can’t even whitelist their servers, because they don’t provide an accurate list of servers to go with.
Yahoo used to be big as an email provider, especially since they used to be free. I still have a Yahoo mailbox, which is forwarded to my regular mailbox. But Yahoo shares the same problem as Outlook and GMail accounts: people can create these accounts for free and try to misuse them. It’s just that Yahoo has a bad reputation nowadays. (And their spam filters don’t work very well compared to Google.)
Whitelisting their servers should be done by domain name anyway, not IP addresses. People tend to forget that IP addresses don’t have to be permanent. Big companies tend to have a range of IP addresses assigned to them, but they can always decide to use different IP addresses.
It does make more sense to use IP addresses when you’re blacklisting servers. A spambot can use multiple domains but generally uses the same server to send spam. A legitimate sender will generally use the same domain name but might change IP addresses. Thus whitelisting based on domain name (*.yahoo.com) and blacklisting on IP address should be the best approach.