Phish spammers who make it easy

July 4, 2008

For my sins, I watch the SMTP logs on a relatively low-activity machine. Recently a number of machines started trying to send it email with the envelope sender of support@PayPal.Inc.com, which to a human is about as clear a sign of phish spam as you could ask for (although computers are not that smart).

As it happens, all of the email (from all of those hosts) was rejected. Not because the mail system detected it as spam, but because there is no such PayPal.Inc.com (sub)domain. So all this phish spam run did was burn a bunch of compromised servers, at least as far as I'm concerned.

(Nor is this the first time that I've seen this sort of thing; for example, not too long ago any number of hosts tried sending me email claiming to be from service@paycpal.com, a domain that helpfully had unresponsive nameservers. In fact, looking at the logs shows previous attempts using PayPal.Inc.com from a couple of months ago.)

One of the things that's interesting to me is what it suggests about the phish spam ecology. These phish spam attempts come from what look like compromised servers, and I tend to believe (perhaps incorrectly) that people who are competent to crack servers wouldn't make such a basic and easily checked mistake with mail (given that Internet mailers have been verifying that the envelope sender domain exists for something like a decade now). This suggests that the crackers don't send the phish spam themselves but instead rent the outgoing mail capacity to the actual spammers, some of whom apparently have relatively little technical skill and don't bother with test runs.

(I wouldn't be surprised if the crackers rent out the entire technical infrastructure, from spam sending to phish site hosting to collecting the information that people submit and sending it on to the phish spammer.)
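The envelope-sender domain check that tripped up these spammers, as an added example that is not from the original post: a MAIL FROM handler that resolves the sender's domain, permanently rejects a domain that does not exist (the PayPal.Inc.com case) and, as mailers generally do, only defers when the domain's nameservers don't answer (the paycpal.com case). The DNS lookup is injected as a function and the FAKE_DNS table is constructed so the example runs offline; a real mailer would look up MX and then A/AAAA records.

```python
import re
from enum import Enum

class DnsResult(Enum):
    OK = "ok"              # domain has MX or A/AAAA records: mail can be routed to it
    NXDOMAIN = "nxdomain"  # authoritative answer: no such domain (PayPal.Inc.com case)
    SERVFAIL = "servfail"  # nameservers unresponsive or broken (paycpal.com case)

# Matches the start of an SMTP MAIL FROM command; parameters such as SIZE= may follow.
MAIL_FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

def envelope_sender_domain(mail_from_line):
    """Lowercased domain of the envelope sender, or "" for the null sender <>
    used by bounces. Raises ValueError on a malformed address."""
    m = MAIL_FROM_RE.match(mail_from_line.strip())
    if not m:
        raise ValueError("not a MAIL FROM command")
    addr = m.group(1)
    if addr == "":
        return ""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("envelope sender must be local@domain")
    return domain.lower()

def check_sender_domain(mail_from_line, resolve):
    """Decide the SMTP reply to MAIL FROM; resolve(domain) -> DnsResult.
    Returns (code, text): 5xx rejects permanently, 4xx tells the client to
    retry later. Enhanced status codes follow RFC 3463."""
    try:
        domain = envelope_sender_domain(mail_from_line)
    except ValueError:
        return 501, "5.1.7 Bad sender address syntax"
    if domain == "":
        return 250, "2.1.0 Sender OK"  # the null sender is always accepted
    result = resolve(domain)
    if result is DnsResult.NXDOMAIN:
        return 550, f"5.1.8 Sender domain {domain} does not exist"
    if result is DnsResult.SERVFAIL:
        return 451, f"4.4.3 Sender domain {domain} lookup failed, try again later"
    return 250, "2.1.0 Sender OK"

# Constructed stand-in for real DNS so this runs offline; unknown names count as nonexistent.
FAKE_DNS = {
    "example.com": DnsResult.OK,
    "paypal.inc.com": DnsResult.NXDOMAIN,
    "paycpal.com": DnsResult.SERVFAIL,
}

def fake_resolve(domain):
    return FAKE_DNS.get(domain, DnsResult.NXDOMAIN)
```

Because an unresponsive nameserver yields a 4xx deferral rather than a 5xx reject, a sending host will keep retrying such mail, which is why these attempts show up repeatedly in the logs.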


Comments on this page:

From 99.236.189.35 at 2008-07-04 06:25:49:

They do get rented out, but it doesn't take much competence to crack machines with a few scripts. Scan the tubes for root accounts with stupid passwords on machines running ssh, and nancy's your uncle. Scan for common userids with stupid passwords too, and jill can be your uncle as well. Who's dumb enough to set weak passwords on system accounts? Well, three guesses how the last several compromised machines I've had to investigate had been compromised.

MikeP

Written on 04 July 2008.

Last modified: Fri Jul 4 00:17:12 2008