Wandering Thoughts archives


Somewhat to my surprise, classical viruses by email are still a thing

Normally, my sinkhole spam-capturing SMTP server is set up so that it rejects as much as possible of what I consider boring spam. The other day I decided to run it completely unfiltered for a while, accepting everything no matter how obviously bad it was or whether it was going to an address that had ever existed. Already something interesting to me has turned up in the results.

In statistics drawn from our production mail system, I've previously noticed that viruses in email are way, way down. Much to my surprise, the first day of operating my sinkhole server completely unfiltered got me no less than five classical virus-laden email messages (out of 60 messages received so far). And when I say they're classical, they're really classical:

  • all are Windows executables, one straight as a .pif file and four inside .jpg.zip files (the one that I extracted was a .jpg.exe file).

  • all appear to have come directly from end-user machines, not relayed through anyone's mail systems (based partly on DNS PTRs associated with them, network areas, etc). Three out of the four IPs involved are listed in the PBL.

  • all four IPs involved are currently listed in the CBL.

Four of the five arrived in one burst and are all the same zipfile and executable; although they came from three different IPs and had different MAIL FROMs, they only went to two different destination addresses. The one IP address that sent two messages sent them to different addresses (and in different SMTP sessions, although it was one right after the other).

(In an interesting little detail the most recent message was forged as a bounce message from my own system, although it also had a X-Mailer claiming it had been produced by Outlook Express.)

In contrast to a bunch of copies of the same Chinese spam message that have been sent to message-ids here, all of the destination addresses are at least plausible and two out of the three actually existed at one point.

All of this is what I think of as classical old-fashioned virus behavior that I thought had died out some time ago, partly because so many places had made it hard to get such email through when it was sent directly from end-user machines. After all, any anti-spam system that scored highly based on being on the CBL would have rejected these emails even before running them past virus checking. I guess the old ways are not dead after all, especially if I got five messages within 24 hours of opening my sinkhole server up.

At this point I'll admit I haven't checked our main system's stats recently to see if we're seeing more virus emails there than we used to a year or so ago. If we aren't, I'm not entirely sure what might be causing the difference. While the addresses that these viruses are being spammed to are old addresses, our main system has plenty of equally old addresses (and I believe any number of them get regular spam). Oh well, that's an analysis for another day.

spam/VirusMailStillThere written at 00:48:58; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.