Wandering Thoughts archives

2014-01-22

Microsoft has become a spam emitter

I'll start by quoting my tweet:

I admire how Microsoft IP address space with no reverse DNS has now become a source of spam emitters using forged HELOs. Thanks, uSoft!

Let me show you the specific log entry that sparked this:

remote from [23.96.34.64]
EHLO mail.rackspace.com
550 Unknown command 'EHLO'
HELO mail.rackspace.com
250 [...] Hello mail.rackspace.com
MAIL FROM:<ps@mail.com>
554 unacceptable from address: <ps@mail.com>

This IP address space is registered to Microsoft and has no reverse DNS. It is certainly not Rackspace. As it turns out, this was probably a Windows Azure customer, since this appears to be a Windows Azure datacenter range (in their 'useast' region). To determine this I had to dig up a Microsoft document on Azure Datacenter IP ranges from Internet searches.

I'm blaming Microsoft directly here because Microsoft consciously passed up the chance to clarify what the IP address was and who it might belong to. That's what reverse DNS is for, as shown by e.g. Amazon AWS (which gives their AWS IPs clear reverse DNS). Microsoft opted to keep their Azure IPs anonymous, so Microsoft gets to take the blame.

(Certainly as a sysadmin investigating a problem I'm not going to bother looking further when there is no functioning reverse DNS. Nor can I really do anything more precisely calibrated than acting on the entire registered netblock (not unless I want to pull that Microsoft data on a regular basis and examine it for changes).)

PS: The cynic in me is muttering that Microsoft decided to not do reverse DNS so that people like me couldn't just block based on the domain name being in whatever magic domain. I'm not sure I believe that, but it's certainly a tempting idea. (Anti-spam work makes one a cynic.)

PPS: This is apparently causing problems for Azure customers. I'm a little bit surprised that any large ISPs have started to reject email if you don't have reverse DNS; the last time I looked at this I assumed it was far too risky and not likely to be adopted by anyone major any time soon.

MicrosoftSpamEmission written at 23:50:03

2014-01-10

An interesting recent spam run against one of my machines

A couple of days ago, the SMTP logs on one of my machines lit up with a whole bunch of attempted inbound connections from all over the world. The first striking thing about these connection attempts is that they all seemed to be from people's home machines (what would once have been called 'dialups' but now use cable modems, DSL, and various other technologies). Many of these machines were on the PBL (the Spamhaus Policy Block List) and a couple that I just checked now are currently on the CBL (the Composite Blocking List).

The second striking thing is the interesting way that the spammer behind this snatched defeat from the jaws of potential victory. A few of these IP addresses actually got to talk to my SMTP daemon; when they did, they all reacted like this:

remote from [94.174.75.128]
HELO tvbtzzg.virginm.net
554 Unresolvable HELO name: tvbtzzg.virginm.net

remote from [172.10.0.198]
HELO koridl.sbcglobal.net
554 Unresolvable HELO name: koridl.sbcglobal.net

That's right. The spammer's software carefully worked out what the proper top level domain name was for the particular IP being used, put it in the HELO, and then made up a random hostname to go with it.

Given my usual views that spammers are by and large not stupid and are highly motivated to do what works, I suspect that such HELO names must help their spam get through at least some spam filters (or, to put it another way, that other HELO names increase the risk of the spam email being filtered out). That very small operations like mine can use this to immediately reject their spam is presumably unimportant.
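Both posts turn on the same two checks a small MTA can run on the HELO/EHLO name: does the name resolve at all (the '554 Unresolvable HELO name' rejection above), and if it does, does it plausibly belong to the connecting IP, given that IP's reverse DNS (the Azure host with no PTR claiming to be mail.rackspace.com in the earlier entry). The block below is an added example written for this page, not the author's mail server code. It works against a constructed in-memory DNS snapshot so it runs offline: the connecting IPs and HELO names are taken from the two log excerpts, while every address in the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, every PTR record, the domain-matching rule, and the ASSUMED_BLOCKS netblock list are assumptions made up for the example. It also includes the fallback from the first post, matching the connecting IP against a registered netblock when there is no reverse DNS to act on.

```python
"""HELO/EHLO verification and netblock matching, modelled on the rejections
in the two log excerpts on this page.  Added example, not the author's code.
All DNS data below is a constructed snapshot; no network access is made."""
import ipaddress
import re

# Constructed forward (A) records.  mail.rackspace.com is deliberately given a
# documentation-range address: the only point is that it is not 23.96.34.64.
FORWARD = {
    "mail.rackspace.com": {"192.0.2.10"},
    "host7.example.net": {"198.51.100.7"},
    "mta.example.org": {"198.51.100.20"},
    "mx2.example.org": {"198.51.100.21"},
}
# Constructed reverse (PTR) records.  23.96.34.64 and 172.10.0.198 are absent on
# purpose: the posts describe them as having no reverse DNS / no real HELO host.
REVERSE = {
    "192.0.2.10": "mail.rackspace.com",
    "198.51.100.7": "host7.example.net",
    "198.51.100.20": "mta.example.org",
    "94.174.75.128": "cable-94-174-75-128.assumed.virginm.net",  # assumed PTR
}
# Assumption: a /24 around the logged Azure address stands in for whatever the
# registry says the registered netblock is.
ASSUMED_BLOCKS = ["23.96.34.0/24"]

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def resolve(name):
    """Forward-resolve against the constructed table (empty set = NXDOMAIN)."""
    return FORWARD.get(name.lower(), set())


def ptr(ip):
    """Reverse DNS against the constructed table (None = no PTR)."""
    return REVERSE.get(ip)


def registrable_domain(name):
    """Crude 'domain' of a hostname: its last two labels.  Good enough here;
    a real MTA would consult the public suffix list instead."""
    return ".".join(name.lower().split(".")[-2:])


def check_helo(ip, helo):
    """Return an (smtp_code, text) reply for HELO `helo` from `ip`:
    1. an address literal [a.b.c.d] must equal the connecting IP;
    2. otherwise the name must be a valid FQDN with an A record
       (the '554 Unresolvable HELO name' rejection);
    3. a name that resolves must either point back at the connecting IP or
       share a domain with that IP's reverse DNS, else it is treated as forged
       (the no-PTR host claiming mail.rackspace.com)."""
    if helo.startswith("[") and helo.endswith("]"):
        try:
            literal = ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return "501", f"Bad address literal in HELO: {helo}"
        if str(literal) != ip:
            return "550", f"Forged HELO: {helo} is not [{ip}]"
        return "250", f"Hello {helo}"
    if not HOSTNAME_RE.match(helo):
        return "501", f"Syntactically invalid HELO name: {helo}"
    addrs = resolve(helo)
    if not addrs:
        return "554", f"Unresolvable HELO name: {helo}"
    if ip in addrs:
        return "250", f"Hello {helo}"
    rdns = ptr(ip)
    if rdns and registrable_domain(rdns) == registrable_domain(helo):
        return "250", f"Hello {helo}"
    return "550", f"Forged HELO: {helo} does not name [{ip}] ({rdns or 'no reverse DNS'})"


def blocked_netblock(ip, blocks):
    """First CIDR in `blocks` containing `ip`, or None: the 'act on the entire
    registered netblock' fallback when an IP has no reverse DNS to go on."""
    addr = ipaddress.ip_address(ip)
    for cidr in blocks:
        net = ipaddress.ip_network(cidr)
        if addr in net:
            return str(net)
    return None


# Constructed log in the format of the excerpts above (last session is a
# well-behaved host added for contrast).
LOG_SAMPLE = """\
remote from [23.96.34.64]
HELO mail.rackspace.com
remote from [94.174.75.128]
HELO tvbtzzg.virginm.net
remote from [172.10.0.198]
HELO koridl.sbcglobal.net
remote from [198.51.100.7]
HELO host7.example.net
"""


def sessions(log):
    """Pair each 'remote from [ip]' line with the HELO/EHLO that follows it."""
    ip = None
    for line in log.splitlines():
        m = re.match(r"remote from \[([^\]]+)\]", line)
        if m:
            ip = m.group(1)
            continue
        m = re.match(r"(?:HELO|EHLO) (\S+)", line)
        if m and ip:
            yield ip, m.group(1)
            ip = None


def audit(log=LOG_SAMPLE):
    """Run check_helo over every session; returns {(ip, helo): (code, text)}."""
    return {(ip, helo): check_helo(ip, helo) for ip, helo in sessions(log)}


if __name__ == "__main__":
    for (ip, helo), (code, text) in audit().items():
        block = blocked_netblock(ip, ASSUMED_BLOCKS)
        print(f"[{ip}] HELO {helo} -> {code} {text}" + (f" [netblock {block}]" if block else ""))
```

Running it reproduces the two rejections from the posts (the made-up virginm.net and sbcglobal.net hostnames get 554 because they have no A record) and turns the Azure session into a 550, because mail.rackspace.com resolves somewhere else and the connecting IP has no PTR to vouch for it. The domain-match rule in step 3 is the lenient part: it lets a host HELO as a sibling name in its own domain, which is common for legitimate mail clusters, at the cost of letting a spammer whose IP has a PTR in the right domain pass that step, which is exactly why the botnet in the second post bothered to get the domain right.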

(I don't have any idea what would cause a spammer to think that my particular machine was worth turning a corner of a botnet on, instead of just using a compromised machine or two and then moving on. Perhaps it's a very big botnet. It seems to have moved on now.)

BotnetSpamRunMiss written at 02:52:42
