[nsp-sec] spam bounces - the sending bots
Andreas Bunten
bunten at dfn-cert.de
Thu Jun 19 10:37:51 EDT 2008
Hi teams, I wrote yesterday:
< I am writing on behalf of a German university which is receiving
< massive amounts of spam bounces.
<
< Somebody was and still is sending out great amounts of spam with faked
< 'From' headers which point to <barid AT fht-esslingen.de> and sometimes
< other email addresses under the same domain. The mail servers at this
< university are now receiving around 2 million bounces from
< non-deliverable spam messages every day.
Many thanks to everyone with good suggestions and who explained (or
even solved) the bounce problem to their mail admins! This does help
a lot! I'll leave the list online for latecomers who still want to
have a look.
Unfortunately, this 'only' mitigates the damage done. I am curious
about the botnet sending the spam.
In order to find the botnet, I am looking for the malware. I have a
couple of thousand bounce samples. Some of them contain the full
original message. Since the spam was sent the same way all around,
it's not that difficult to extract the sending IPs. I checked various
samples and built in some safety catches, so I'm fairly sure that
there should be very few false positives, if any at all.
The list of spam-sending, probably compromised hosts can be found here:
https://www.dfn-cert.de/downloads/irt/spam_sender_compromised.lst
If you have hosts on the list and you are able to retrieve the malware,
that would be greatly appreciated! (And repaid in beer or other beverages
at the next conference.) The list of AS numbers is appended to the mail body.
The list of bounce-sending (not compromised!) hosts is still there,
but I did not update it:
https://www.dfn-cert.de/downloads/irt/bounce_sender_top5percent.lst
You will need these credentials:
User: nspsec
Pass: zaYie9si
Regards,
andreas-b, AS 680 (German research network)
--
Andreas Bunten (CSIRT), +49 40 808077-555
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, Hamburg District Court (AG Hamburg), HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatic warning messages: https://www.cert.dfn.de/autowarn
The AS numbers of the spam-sending, probably compromised hosts:
278
1241
1547
2379
2819
3212
3215
3216
3239
3243
3269
3292
3320
3352
3549
3786
4134
4230
4713
4750
4755
4766
4780
4812
4837
5089
5432
5466
5483
5573
5610
5617
6147
6400
6429
6697
6713
6731
6746
6799
6828
6830
6849
6855
6863
7029
7132
7368
7418
7470
7552
7643
7693
7738
8065
8359
8402
8615
8866
8905
8968
8997
9050
9121
9498
9541
9683
9829
10299
10318
10620
10796
11351
11426
11683
11888
12127
12301
12357
12683
12715
12741
12742
15500
15706
16338
16586
16735
17229
17557
17565
17622
17633
17813
17816
17820
17858
17974
18566
18687
18881
19262
19429
20214
20632
20959
20960
21021
21502
22047
22833
22927
23700
24326
24945
25405
25436
25515
27699
27747
28719
28909
29113
29194
29571
29582
30733
31252
31286
33383
33491
33783
33840
35076
35311
35516
35816
38951
38987
39229
39482
39554
39660
41557
42306
42588
43094
45194
That's all.
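The extraction step described in the post (pulling the sending IP out of bounce samples that carry the original message, with some safety catches against false positives) can be reproduced with nothing but Python's standard `email` package. The following is an added example, not the author's script, which the post does not include. It parses each DSN, locates the original message (a `message/rfc822` part, or the header-only `text/rfc822-headers` variant), and applies three safety catches of my own choosing, not necessarily the author's: a bounce without the original message is dropped rather than guessed at; a bounce whose forged `From` is not in `fht-esslingen.de` (the domain named in the post) is ignored; and `Received` hops from loopback, RFC 1918 and link-local ranges are skipped as the bouncing site's own relays. The sample bounces, hostnames, queue IDs and the address `203.0.113.77` (an RFC 5737 documentation address) are all constructed for this example.

```python
import email
import ipaddress
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

# Domain whose addresses were forged into the spam's 'From' header (from the post).
SPOOFED_DOMAIN = "fht-esslingen.de"
# Hops from these networks are the bouncing site's own relays, never the sender
# (RFC 5737 documentation addresses, used by the constructed samples, are deliberately allowed).
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# The "[1.2.3.4]" address literal an MTA writes into the 'from' clause of Received.
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def received_source_ip(received):
    """Connecting IP recorded in one Received header; None for internal hops or no literal."""
    from_clause = re.split(r"\s+by\s+", received.strip(), maxsplit=1)[0]
    if not from_clause.lower().startswith("from "):
        return None  # e.g. "Received: by ..." written by a local delivery agent
    match = _BRACKET_IP.search(from_clause)
    if match is None:
        return None
    try:
        ip = ipaddress.ip_address(match.group(1))
    except ValueError:
        return None
    return None if any(ip in net for net in _INTERNAL_NETS) else str(ip)


def original_message(bounce):
    """The forged original carried inside a DSN; None if absent (dropped, not guessed)."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def extract_sender_ip(bounce_text):
    """IP that handed the forged spam to the bouncing site, or None if a safety catch fails."""
    original = original_message(email.message_from_string(bounce_text, policy=policy.default))
    if original is None:
        return None
    # Safety catch: only bounces for mail forged with an address in the spoofed domain count.
    _, addr = parseaddr(str(original.get("From", "")))
    if addr.rsplit("@", 1)[-1].lower() != SPOOFED_DOMAIN:
        return None
    # Each MTA prepends its Received header, so the top-most external hop is the host that
    # connected to the bouncing site: the bot itself when it sends direct-to-MX.
    for rcvd in original.get_all("Received", []):
        ip = received_source_ip(str(rcvd))
        if ip is not None:
            return ip
    return None


def tally_senders(bounce_texts):
    return Counter(ip for ip in map(extract_sender_ip, bounce_texts) if ip is not None)


# Constructed bounce samples (not from the post); 203.0.113.77 is a documentation address.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: barid@fht-esslingen.de
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from mx.example.net (localhost [127.0.0.1])
 by mx.example.net (Postfix) with ESMTP id 1A2B3C; Wed, 18 Jun 2008 09:01:02 +0200
Received: from pc-home.isp.example ([203.0.113.77])
 by mx.example.net (Postfix) with SMTP id 4D5E6F; Wed, 18 Jun 2008 09:01:01 +0200
From: barid@fht-esslingen.de
Subject: cheap offer

--B1--
"""
SAMPLE_HEADERS_ONLY = """\
From: postmaster@mx2.example.org
To: info@fht-esslingen.de
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/rfc822-headers

Received: from dialup.isp.example ([203.0.113.77])
 by mx2.example.org with SMTP; Wed, 18 Jun 2008 11:22:33 +0200
From: Info <info@fht-esslingen.de>
Subject: cheap offer

--B2--
"""
SAMPLE_NO_ORIGINAL = "From: MAILER-DAEMON@example.com\nTo: barid@fht-esslingen.de\n\nDelivery failed.\n"
ALL_SAMPLES = [SAMPLE_DSN, SAMPLE_HEADERS_ONLY, SAMPLE_NO_ORIGINAL]

if __name__ == "__main__":
    print(tally_senders(ALL_SAMPLES))
```

The per-IP counts are what one would then map to AS numbers with the usual IP-to-AS lookup to obtain a list like the one above. One caveat the post's own catches presumably also cover: when the forged spam reached the bouncing site through an intermediate relay (a forwarding host or an open relay), the top-most external hop is that relay rather than the infected machine, so a handful of IPs with an unusually large share of the samples deserve a manual look before they are reported as compromised.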