Wandering Thoughts archives


A spammer misses a glorious opportunity

Most of the spam that I collect on the machines that I run my sinkhole SMTP server on is boring spam. Since it's boring, I've tried to block as much of it as possible; still, there are plenty of cases that get through, because that sort of spam can come from all over. Today I got what initially looked like one of those boring spams that sneak through. It appeared in my log like this:

[...] from / <REDACTED@justice.gov.za> to <REDACTED>: [...] helo 'mail3.justice.gov.za' [...]

I saw that and shrugged; clearly it was another forged advance fee fraud spam, just like the ones claiming to be from the FBI. But when I looked at the full metadata of the logged message, I got a surprise. There in the metadata was the resolved, verified DNS name of the sending IP and it was mail3.justice.gov.za. This wasn't email pretending to be from the South Africa's Department of Justice; this actually was email from one of the DoJ's mail servers. The reverse DNS is real and valid, and in fact this IP is one of the four MX servers for justice.gov.za (a second MX server is right beside it in that /24).

So why do I call this a spammer missing a glorious opportunity? Well, let me show you the important bits of the spam message itself:

From: REDACTED <REDACTED@justice.gov.za>
To: "info@cc.com" <info@cc.com>

To All,

Today Monday 12th of March 2018. We are shutting down your present web-mail to create space for 2018 Outlook Web Access with a high visual definition and Space.
This service creates more space and easy access to email. Please update your account by clicking on the link below and fill information for Activation.


That's right. Given the golden opportunity of access to the real, legitimate mail servers of the Department of Justice of South Africa (likely via a compromised account), the spammer used it to send not the most genuine looking advance fee fraud you could imagine, but a garden variety, completely untargeted phish spam.

Of course there's decent, boring reasons for this. For a start, the actual IP address source of advance fee fraud spam is completely unimportant, because the recipients who will even think of checking that aren't the kind of people who will fall for the spam in the first place. If anything, advance fee fraud spammers apparently may deliberately make their spam look bad and suspicious, so that anyone who actually answers is highly likely to be gullible enough to go through with the whole thing, instead of wasting their time. If that's so, sending from the real justice.gov.za is, if anything, a thing to avoid.

Still, I wish the spam message had been advance fee fraud. That's the way the universe should be when you get the chance to use justice.gov.za for your spam.

spam/SpammerMissedOpportunity written at 22:54:33; Add Comment

Linux is good at exposing the truth of how motherboards are wired

One of the things I've learned over time, sometimes the hard way, is that Linux (and other open source operating systems) are brutally honest about how various things on motherboards are actually hooked up. As a result, they are a good way of exposing any, well, let us call them 'convenient inaccuracies' in how motherboard manuals present things. The major source of inaccuracies that I've tended to run across has been SATA port numbering, and on servers we've also had Ethernet port numbering issues.

(Non-servers tend not to have issues with Ethernet port numbering because they only have at most one. Servers can have multiple ones, sometimes split between multiple chipsets for extra fun.)

Typical motherboards present a nice clear, coherent picture of their SATA port numbering and how it winds up in physical ports on the motherboard. Take, for example, the Asus Prime X370-Pro, a Ryzen motherboard that I happen to have some recent experience with. The manual for this motherboard, the board itself, and the board's BIOS, will all tell you that it has eight SATA ports, numbered 1 through 8. Each set of ports uses a dual connector and those connectors are in a row, with 1-2 on the bottom running up through 7-8 at the top.

(As usual, the manual doesn't tell you whether the top port or the bottom port in a dual connector is the lower numbered one. It turns out to be the top one. I don't count this as an inaccuracy as everything agrees on it once you can actually check.)

Linux will tell you that this is not accurate. From the bottom up, the ports actually run 1-2, 5-6, 3-4, 7-8; that is, the middle pairs of ports have been flipped (but not the two ports within a pair of ports; the lower numbered one is still on the top connector). This shows up in Linux's /dev/sd* enumeration, the underlying ataN kernel names, and Linux SCSI host names, and all of them are consistent with this reversed numbering. I assume that any open source OS would show the same results, since they're all likely looking directly at what the hardware tells them and ignoring any BIOS tables that might attempt to name various things.

(I don't know if the BIOS exposes its port naming in any OS-visible tables, but it seems at least plausible that the BIOS does. Certainly it seems likely to cause confusion in Windows users if the OS calls the devices one thing and the BIOS calls them another, and BIOS vendors are usually pretty motivated to not confuse Windows users. The motherboard's DMI/SMBIOS data does appear to have some information about the SATA ports, although I don't know if DMI contains enough detail to match up specific SATA ports with their DMI names.)

I have to assume that motherboard makers have good reasons for such weird port numbering issues. Since I have very little knowledge here, all I can do is guess and speculate, and the obvious speculation is wire routing issues that make it easier to flip some things around. Why only the middle two sets of ports would be flipped is a mystery, though.

(This is not the first time I've had to figure out the motherboard SATA port numbering; I think that was one of the issues here, for example, although there is no guarantee that the BIOS mapping matches the mapping on the physical motherboard and in the manual.)

tech/MotherboardWiringLies written at 00:42:29; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.