Wandering Thoughts archives

2014-12-30

Somewhat to my surprise, classical viruses by email are still a thing

Normally, my sinkhole spam-capturing SMTP server is set up so that it rejects as much as possible of what I consider boring spam. The other day I decided to run it completely unfiltered for a while, accepting everything no matter how obviously bad it was or whether it was going to an address that had ever existed. Already something interesting to me has turned up in the results.

In statistics drawn from our production mail system, I've previously noticed that viruses in email are way, way down. Much to my surprise, the first day of operating my sinkhole server completely unfiltered got me no less than five classical virus-laden email messages (out of 60 messages received so far). And when I say they're classical, they're really classical:

  • all are Windows executables: one sent directly as a .pif file and four inside .jpg.zip files (the one I extracted was a .jpg.exe file).

  • all appear to have come directly from end-user machines, not relayed through anyone's mail systems (based partly on DNS PTRs associated with them, network areas, etc). Three out of the four IPs involved are listed in the PBL.

  • all four IPs involved are currently listed in the CBL.

Four of the five arrived in one burst and are all the same zipfile and executable; although they came from three different IPs and had different MAIL FROMs, they only went to two different destination addresses. The one IP address that sent two messages sent them to different addresses (and in different SMTP sessions, although it was one right after the other).

(In an interesting little detail, the most recent message was forged as a bounce message from my own system, although it also had an X-Mailer header claiming it had been produced by Outlook Express.)

In contrast to a bunch of copies of the same Chinese spam message that have been sent to message-ids here, all of the destination addresses are at least plausible and two out of the three actually existed at one point.

All of this is what I think of as classical old-fashioned virus behavior that I thought had died out some time ago, partly because so many places had made it hard to get such email through when it was sent directly from end-user machines. After all, any anti-spam system that scored highly based on being on the CBL would have rejected these emails even before running them past virus checking. I guess the old ways are not dead after all, especially if I got five messages within 24 hours of opening my sinkhole server up.
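The two checks the post leans on, a DNSBL lookup of the sending IP and a look at what the attachment really is, can be put into a small triage routine. The following is an added example written for this page, not code from the blog's own mail setup. It assumes Spamhaus ZEN's documented 127.0.0.x answer codes (4 to 7 for the XBL, whose data comes from the CBL; 10 and 11 for the PBL), uses the TEST-NET address 192.0.2.1 with a stand-in resolver so it runs offline, and builds its own inert zip in memory rather than touching any real sample; the attachment is only listed, never opened as a program.

```python
import io
import ipaddress
import socket
import zipfile
from dataclasses import dataclass

# Spamhaus ZEN answer codes: the 127.0.0.x A record returned for a listed IP
# says which component list it is on (values as documented by Spamhaus).
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL/CBL", "127.0.0.5": "XBL/CBL",
    "127.0.0.6": "XBL/CBL", "127.0.0.7": "XBL/CBL",
    "127.0.0.9": "SBL-DROP",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
EXEC_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")   # Windows runs these
DECOY_SUFFIXES = (".jpg", ".jpeg", ".gif", ".png", ".pdf", ".doc", ".txt")  # "photo.jpg.exe"

@dataclass
class Message:
    sender_ip: str
    attachments: dict  # filename -> raw bytes

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    # Real resolver: every IPv4 A record for the name (needs network access).
    return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})

def dnsbl_lookup(ip, resolve=system_resolve, zone="zen.spamhaus.org"):
    """Return the set of ZEN component lists the IP is on; empty if unlisted."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except OSError:  # NXDOMAIN surfaces as socket.gaierror, an OSError subclass
        return set()
    return {ZEN_CODES.get(a, "unknown:" + a) for a in answers}

def is_executable_name(name):
    return name.lower().endswith(EXEC_SUFFIXES)

def is_double_extension(name):
    """True for names like photo.jpg.exe: decoy suffix right before an executable one."""
    base = name.lower().rsplit("/", 1)[-1]
    stem = base
    for suf in EXEC_SUFFIXES:
        if base.endswith(suf):
            stem = base[:-len(suf)]
            break
    return stem != base and stem.endswith(DECOY_SUFFIXES)

def attachment_findings(name, payload):
    """Explain why an attachment looks like a classical mailed virus (never runs it)."""
    findings = []
    if is_executable_name(name):
        kind = "double-extension executable" if is_double_extension(name) else "executable"
        findings.append(f"{name}: {kind}")
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():   # list members only; nothing is extracted
                    if is_executable_name(member):
                        kind = ("double-extension executable" if is_double_extension(member)
                                else "executable")
                        findings.append(f"{name}: contains {kind} {member}")
        except zipfile.BadZipFile:
            findings.append(f"{name}: not a readable zip")
    return findings

def triage(msg, resolve=system_resolve):
    """DNSBL first, then attachments, the order the post says a scoring filter uses."""
    lists = dnsbl_lookup(msg.sender_ip, resolve)
    findings = []
    for name, payload in msg.attachments.items():
        findings.extend(attachment_findings(name, payload))
    # A CBL/XBL listing means a compromised end-user machine: reject before any
    # virus scanning happens, as the post notes a CBL-scoring filter would.
    reject = "XBL/CBL" in lists or bool(findings)
    return {"dnsbl": lists, "attachments": findings, "reject": reject}

# ---- constructed sample data: no real sender, no real payload ----
def make_sample_zip():
    """An in-memory zip holding a fake 'photo.jpg.exe' member (inert bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"MZ not a real program")
    return buf.getvalue()

def sample_resolve(name):
    """Stand-in resolver: 192.0.2.1 (TEST-NET-1) is 'listed' on XBL and PBL."""
    table = {"1.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"]}
    if name in table:
        return table[name]
    raise socket.gaierror("NXDOMAIN")

if __name__ == "__main__":
    msg = Message("192.0.2.1", {"photo.jpg.zip": make_sample_zip()})
    print(triage(msg, resolve=sample_resolve))
```

Swapping `sample_resolve` for the default `system_resolve` makes the same code query ZEN for real; the resolver is injected so the attachment logic can be exercised without network access and without ever handling a live sample.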

At this point I'll admit I haven't checked our main system's stats recently to see if we're seeing more virus emails there than we used to a year or so ago. If we aren't, I'm not entirely sure what might be causing the difference. While the addresses that these viruses are being spammed to are old addresses, our main system has plenty of equally old addresses (and I believe any number of them get regular spam). Oh well, that's an analysis for another day.

VirusMailStillThere written at 00:48:58

2014-12-21

A steady change in the source of blog comment spam attempts

Wandering Thoughts has been in operation for long enough that I've been able to observe a slow shift in the sources of comment spam attempts over the years. Roughly speaking (and relying on a fallible memory), in the beginning many of the comment spam attempts came from what appeared to be open proxies or otherwise compromised machines, to the point where I tried using DNS blocklists like the CBL and SBL as defenses (which didn't work out in the end). Then, at least as I perceived it, the comment spam sources largely shifted to dodgy foreign hosting providers broadly located where you'd expect them to be (Eastern Europe, Russia, and China). And then lately the majority of the still-unblocked sources have shifted to US-based hosting providers and datacenters.

At the moment, the largest group of sources seems to emerge from IP address space assigned to 'DataShack LC' and 'WholeSale Internet, Inc'. Where sub-delegation information is readily accessible through whois, the specific IP addresses appear to have been delegated in very small slices to entities that appear to be Chinese based on their names; a typical example is 69.197.128.163, currently assigned to 'Zhou Pizhong' via 69.197.128.160/29. The IP addresses almost never have reverse DNS information available.

For a long time I've been reluctant to explicitly block US hosting providers, for various reasons. I've now decided that this is over for me; large netblocks for these persistent sources are now going in my blocks. Hopefully it will never affect someone using a VPN (or a personal cloud Unix machine) to try to leave a legitimate comment here.
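The bookkeeping behind "block the netblock, not the single address" is simple to automate: count attempts per source, check each source against the netblocks already blocked, note whether it has a PTR, and flag /24s that hold several distinct offending sources. The following is an added example for this page, not the blog's own comment-filtering code. The 69.197.128.160/29 delegation is the one named above; the 203.0.113.0/24 netblock, the log lines, and the stand-in reverse resolver are constructed from documentation address ranges so the script runs offline.

```python
import ipaddress
import socket
from collections import Counter, defaultdict

# Netblocks already decided on. The /29 is the delegation named in the post;
# 203.0.113.0/24 (TEST-NET-3) is a constructed placeholder, not a real source.
BLOCKED = [ipaddress.ip_network(n) for n in ("69.197.128.160/29", "203.0.113.0/24")]

# Constructed comment-attempt log, one "<time> <source-ip> <path>" per line.
SAMPLE_LOG = """\
2014-12-21T01:02:03 203.0.113.5 /blog/2014/12/Post1
2014-12-21T01:02:09 203.0.113.5 /blog/2014/12/Post1
2014-12-21T01:03:41 203.0.113.9 /blog/2012/05/OldPost
2014-12-21T01:04:00 203.0.113.5 /blog/2013/01/Another
2014-12-21T01:05:12 69.197.128.163 /blog/2014/12/Post1
2014-12-21T01:05:30 198.51.100.7 /blog/2014/12/Post1
2014-12-21T01:06:02 69.197.128.163 /blog/2011/09/Ancient
2014-12-21T01:07:45 203.0.113.9 /blog/2012/05/OldPost
garbage line without an address
"""

def is_blocked(ip, blocked=BLOCKED):
    """True if the address lies inside any blocked netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocked)

def has_reverse_dns(ip, resolve=socket.gethostbyaddr):
    """True if a PTR record exists; the post notes these sources usually have none."""
    try:
        resolve(ip)
        return True
    except OSError:  # socket.herror when there is no PTR
        return False

def parse_attempts(text):
    """Count comment attempts per source IP, skipping lines that do not parse."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue
        counts[ip] += 1
    return counts

def candidate_netblocks(counts, prefix=24, min_sources=2):
    """Group sources into /prefix blocks; a block with several distinct source
    IPs is the kind of 'network area' the post blocks as a whole."""
    groups = defaultdict(set)
    for ip in counts:
        groups[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return sorted(str(net) for net, ips in groups.items() if len(ips) >= min_sources)

def report(text, resolve=socket.gethostbyaddr, threshold=3):
    """Per-source summary (attempts, already blocked, PTR present, persistent)
    plus the netblocks that look worth blocking outright."""
    counts = parse_attempts(text)
    sources = {
        ip: {"attempts": n, "blocked": is_blocked(ip),
             "ptr": has_reverse_dns(ip, resolve), "persistent": n >= threshold}
        for ip, n in counts.items()
    }
    return {"sources": sources, "candidates": candidate_netblocks(counts)}

def sample_resolve(ip):
    """Stand-in reverse resolver: only 198.51.100.7 has a PTR in this sample."""
    if ip == "198.51.100.7":
        return ("host.example.net", [], [ip])
    raise socket.herror(1, "Unknown host")

if __name__ == "__main__":
    summary = report(SAMPLE_LOG, resolve=sample_resolve)
    for ip, info in summary["sources"].items():
        print(ip, info)
    print("candidate netblocks:", summary["candidates"])
```

Passing the default `socket.gethostbyaddr` instead of `sample_resolve` does the PTR lookups for real; the threshold and prefix length are deliberately parameters, since how much volume counts as "irritating" is the operator's call rather than anything the data decides.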

One of several reasons that this depresses me is that it implies that being a source of repeated persistent comment spamming is no longer enough to get people terminated from even US-based hosting (if it ever was). Or at least from second-tier US hosting, since I still don't see much or any comment spam attempts from the large but inexpensive providers like AWS, Linode, and so on.

(I noticed part of this shift to hosting providers a couple of years ago, but back then it was mostly to European hosting providers and many of them were in dodgy areas.)

PS: Mind you, some of this apparent shift in comment spam sources turns out to be a bit illusory. My very first spam comment came from a US hosting provider, as did a lot of sources from a big incident early on. And I haven't kept any sort of records over the years, or even often tried particularly hard to identify the sources and keep notes. The most extensive sort of 'notes' I have are all of the various network areas I've blocked from leaving comments because their volume of comment attempts irritated me, and that's not exactly a scientific process.

CommentSpamSourceChange written at 01:36:31
