Wandering Thoughts archives

2012-08-26

Some brief information about a local spam incident

Today, we discovered that we were being exploited to send out a batch of spam. I decided to write up some information about the incident, partly because I don't think I've seen this done very much and, who knows, it might be useful to other people. Much of this information is (very) preliminary, since this just happened and it's the weekend so we haven't done any deep investigation yet.

(As peculiar as it may seem for sysadmins, around here we try to take the weekends off.)

So far it looks like only a single local account was used to send the spam. There were two recent large-scale targeted phish spam runs against our users, so it's a decent guess that the user's account was compromised through one of them (we won't know for sure until we've talked to the user, which is probably going to be Monday or later).

The spam incident itself lasted about two and a half hours, ending when we noticed it and started turning things off. During those two and a half hours the spammers generated and sent (I think) 2,339 spam messages, which is a pretty impressive rate (over 14 a minute). The spam seems to have been two versions of your standard advance fee fraud spam (of the 'you have won a prize' variant). All of the spam messages went out with forged origin addresses; one version used info@exxon.fr and the other version used web@live.com.

All of the spamming was done through our webmail system, and there's no current evidence that the compromised user's account was accessed in any other way. Here's where it gets interesting. We have two webmail systems, a newer one using Roundcube and an older one using SquirrelMail that we're migrating away from. Although the Roundcube one is the default webmail environment and the spammers poked through it, they chose to send all of their mail through SquirrelMail instead. I'm going to skip all sorts of speculation about why, at least for now.

The actual spamming run itself was done using multiple ProXad IP addresses, in fact multiple IP addresses connected to webmail at once; this suggests either automation or that the lead spammer had a bunch of 'mules' doing the grunt-work of entering and sending messages (which would certainly help to enter 14 messages a minute). The lead spammer is likely in Nigeria; before the spam run from ProXad IPs started there was a connection to this user's webmail account from a Nigerian IP address (looking around both webmail systems before apparently settling on SquirrelMail).

Unfortunately I suspect that we can look forward to more incidents of this nature, since it seems really optimistic to assume that only one user's account was compromised in this phishing attack. We may wind up with an environment where we filter outgoing mail after all.
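A defender-side check for the pattern described in this incident, written as an added example rather than code from this site: it flags an account whose webmail sends exceed a per-window rate, arrive from more than one source IP inside the window, or carry a From: address outside the local domain. The log format, field names, local domain and thresholds are assumptions, and the sample lines are constructed.

```python
"""Outbound-webmail anomaly check (added example, not the site's code).
Log format, field names, LOCAL_DOMAIN and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCAL_DOMAIN = "example.edu"        # assumed local mail domain
WINDOW = timedelta(minutes=10)      # sliding window length (assumption)
MAX_PER_WINDOW = 20                 # ~2/min; the incident ran at >14/min


def parse_line(line):
    """Parse one constructed record: '<iso-ts> user=.. src=.. from=..'."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(lines):
    """Return sorted (account, reason) alerts, each reason at most once."""
    windows = defaultdict(deque)    # account -> deque of (ts, src_ip)
    alerts = set()
    for rec in map(parse_line, lines):
        acct, now = rec["user"], rec["ts"]
        win = windows[acct]
        win.append((now, rec["src"]))
        while win and now - win[0][0] > WINDOW:   # drop old sends
            win.popleft()
        if len(win) > MAX_PER_WINDOW:
            alerts.add((acct, "rate"))
        if len({ip for _, ip in win}) > 1:        # concurrent sources
            alerts.add((acct, "multi-ip"))
        if not rec["from"].lower().endswith("@" + LOCAL_DOMAIN):
            alerts.add((acct, "forged-from"))
    return sorted(alerts)


def sample_log():
    """Constructed sample: one normal user plus one account sending a
    burst from two source addresses with an external From: address."""
    t0 = datetime(2012, 8, 26, 1, 0, 0)
    bob_ts = (t0 + timedelta(minutes=5)).isoformat()
    lines = ["%s user=bob src=198.51.100.7 from=bob@example.edu" % bob_ts]
    for i in range(25):                           # 25 sends in 96 seconds
        ts = (t0 + timedelta(seconds=4 * i)).isoformat()
        ip = "203.0.113.%d" % (10 + i % 2)
        lines.append("%s user=alice src=%s from=info@example.com" % (ts, ip))
    return lines
```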

LocalSpamIncident written at 03:23:13

2012-08-25

Some odd behavior from blog comment spammers

As I've written about before, WanderingThoughts has always gotten a certain amount of (more or less automated) comment spam attempts, all of which have bounced off my anti-comment-spam precautions. There have never been very many of these; I would guess fewer than fifty a day. It was still enough to irritate me, so earlier this year I added some features to make blocking IP addresses easier (including letting me block IPs only from commenting) and then started blocking various frequent sources of comment spam attempts.

What I was expecting was that a decent chunk of the (low) comment spam volume would convert from comment spam attempts to blocked IPs and then perhaps mostly go away as the spammer software noticed that there wasn't any point in trying any more. This is not what actually happened. Even after I started adding blocks, the volume of unblocked comment spam attempts has stayed more or less constant (judged purely from perception and memory). At the same time, attempts from blocked IPs have skyrocketed; they now run at several times more blocked HTTP requests than there are unblocked attempts at comment spam. In other words, blocking comment spammers seems to have had the perverse twin effects of getting them to find additional IPs to keep trying from while cranking up the attempts from the old, blocked IPs just in case.

In short: blocking IP addresses has encouraged my comment spammers. It feels as if blocking IP addresses convinced them that there was something worthwhile here because there was someone awake enough to do something about their comment spam attempts.

I'm now half-tempted to remove all of my IP address blocks and see if the number of comment spam attempts drops down (or stays at) its current pretty low level. I half expect it to happen; if so, it'd strongly suggest that what spammers (and their software) target is a certain volume of active submission attempts.

(I'm actually not at all sure what the comment spammers are targeting, but that's a big enough subject to call for another entry.)

CommentSpammerBanningResults written at 03:36:49
