Intruders: Spam cannon

The next entry in the Intruders series is an example of what happens when an SMTP (mail) server is configured insecurely. We set up an SMTP honeypot that appears to outsiders to be an open relay. After setting it up we had to wait a day before the first SMTP scanner knocked on the honeypot. The first attempt wasn’t spam itself, but a test e-mail that spammers use to check whether the SMTP server they are querying really is an open relay:

OUT:       220 <removed> SMTP server ready to serve.
IN :       HELO <removed>
OUT:       250 <removed> Hello <removed>, pleased to meet you.
IN :       MAIL FROM:<k6u5f3s2k5@yahoo.com>
OUT:       250 OK
IN :       RCPT TO:<sseenndd1201@yahoo.com.hk>
OUT:       250 User not local; will forward
IN :       DATA
OUT:       354 Start mail input; end with <CRLF>.<CRLF>
IN :       Subject: Super webscan open relay check succeded, hostname = <removed>
IN :       .
OUT:       250 OK
IN :       QUIT

Since spammers don’t start sending spam through an SMTP server until they have successfully sent and received this kind of test mail, we decided to forward that one particular message ourselves. After we sent it, essentially letting the spammer know that he had found a new open relay, it took only 10 minutes for the spam to start rolling in.
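As an added illustration (not the honeypot software used in this post), here is a minimal Python model of the dialogue above: it answers every command the way an open relay would, accepts the message, delivers nothing, and logs each relay attempt so test mails like the one above stand out. The sample session and the hostnames in it are constructed placeholders.

```python
import re
# Constructed sample: the relay-check session captured above (hostnames are placeholders).
RELAY_CHECK = [
    "HELO scanner.example", "MAIL FROM:<k6u5f3s2k5@yahoo.com>",
    "RCPT TO:<sseenndd1201@yahoo.com.hk>", "DATA",
    "Subject: Super webscan open relay check succeded, hostname = honeypot.example",
    ".", "QUIT",
]
ADDR = re.compile(r"<([^>]*)>")
def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def relay_honeypot(lines, hostname="honeypot.example", local_domains=("honeypot.example",)):
    """Run one SMTP session the way the honeypot does: reply like an open relay,
    accept the message, deliver nothing, and log every relay attempt.
    Returns (replies, relay_attempts) with attempts as (sender, recipients, subject)."""
    replies = [f"220 {hostname} SMTP server ready to serve."]
    attempts, sender, rcpts, body, in_data = [], "", [], [], False
    for line in lines:
        if in_data:                       # inside DATA: swallow until the lone "."
            if line != ".":
                body.append(line)
                continue
            subject = next((l[8:].strip() for l in body if l.lower().startswith("subject:")), "")
            # Relay attempt: at least one recipient lies outside the domains we serve.
            if any(domain_of(r) not in local_domains for r in rcpts):
                attempts.append((sender, tuple(rcpts), subject))
            sender, rcpts, body, in_data = "", [], [], False
            replies.append("250 OK")
            continue
        cmd, m = line.upper(), ADDR.search(line)
        if cmd.startswith(("HELO", "EHLO")):
            replies.append(f"250 {hostname} Hello {line[5:].strip()}, pleased to meet you.")
        elif cmd.startswith("MAIL FROM:") and m:
            sender = m.group(1)
            replies.append("250 OK")
        elif cmd.startswith("RCPT TO:") and m:
            rcpts.append(m.group(1))
            replies.append("250 OK" if domain_of(m.group(1)) in local_domains
                           else "250 User not local; will forward")
        elif cmd == "DATA":
            in_data = True
            replies.append("354 Start mail input; end with <CRLF>.<CRLF>")
        elif cmd == "QUIT":
            replies.append(f"221 {hostname} closing connection")
            break
        else:
            replies.append("500 Command unrecognized")
    return replies, attempts
```

Feeding the captured session through `relay_honeypot(RELAY_CHECK)` yields the replies shown in the transcript and one logged attempt whose subject is the scanner’s open-relay check.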

Interestingly enough, the great majority of the targets are in Taiwan. This could be because we stumbled into the operations of a spammer who targets a small geographic area. In any case, here are some numbers from the first 3 hours after the spam started flowing in:

In all, we received 1008 incoming spam messages addressed to 12877 recipients, so on average a single piece of spam had about 13 recipients. From the 1008 mails we extracted 990 unique URLs, leading either to the spamvertized site itself or to a picture displayed in the message body.

From the 990 unique URLs we found 878 unique DNS RRs (Resource Records).

All the spam messages we captured were written in Chinese. Just out of interest we decided to visit one of the URLs to see what the spam was actually about. Was it Viagra? Mortgage spam? “Quality Replicas”? This is what we found:

Spamvertized site

So, Video CDs… What could they contain that is so precious that someone wants to spam their existence to millions? Could it be movies not yet in theaters? We tossed the site into Google Translate and here are the results:

Genuine boxed VCD attached 12 teaching manual

Teaching manuals!? In case Google had made an error, we translated the list of contents as well:

VCD1. Received the court summons, notices, judgments, etc. The first time, how to deal with?
VCD2. Improper financial management刷爆cards, and owe to be debt, card slave how to do?
VCD3. Civil unions should pay attention to, it will have to do? Owe not yet been fraud, how to recover the money was owed?
VCD4. On housing transactions, leasing matters Particular attention should be paid, they can not get the rent or a tenant refusing to move out, how to do?
VCD5. Relating to marriage, divorce, adoption, unclaimed, custody, alimony should pay attention to?
VCD6. Related to cases involved in an accident the attention vehicle damage insurance claims, injury claims
VCD7. On the identity card (original copy) used by Notes? Related instruments (promissory notes, checks) of the relevant laws, lost applications, Movements, invasion and occupation?
VCD8. What circumstances a lawyer must be the best? Resolve their legal problems in three steps
VCD9. Bureau of Investigation by the police or interviews, the transcripts for which we should pay attention right?
VCD10. Books on various reconciliation, cut knot book, undertaking contract, agreement, letter of the law?
VCD11. Husband and wife quarrel, family disputes or domestic violence should be how to deal with?
VCD12. Relating to a variety of writing a will, inheritance of the relevant laws? How to make the best use of the township, the city of the functions of the mediation?

We can’t help but wonder how many people buy teaching VCDs that have been spamvertized. We’ll continue tracking the honeypot and post updates at some point.
