PGTS PGTS Pty. Ltd.   ACN: 007 008 568

point Site Navigation

point Other Blog Threads



  Valid HTML 4.01 Transitional

   Download Kubuntu Today

   Ubuntu

   The Power Of KDE + Ubuntu






PGTS Blog Archive

Thread: Internet Security/Malware/Spam

GP JPG
When you have eliminated the impossible, whatever remains, however improbable, must be the truth.

Polish Spam on Rye


Chronogical Blog Entries:



Date: Sat, 15 Jan 2005 09:45:56 +1100

There are many reasons to buy Microsoft, not all of them financial:
  1. Empire building. You have a nice little IT empire with 30 servers, 300 staff and a $20 million budget, and some upstart comes along and suggests that Linux can do the same with 10 servers, 100 staff and a budget of $10 million.
  2. Familiarity. You know Windows. You like to tell yourself that if your system administrators all got killed in a freak coffee-poisoning massacre, you could roll up your sleeves and do their job all by yourself, and now there is this fellow who comes along and tries to sell you a solution that will make all your IT experience obsolete.
  3. Friends in high places. You play golf with the local Microsoft branch manager, and he takes your boss out for dinner occasionally. Once in a blue moon, Steve or Bill himself fly out in their corporate jet and wine and dine your boss' boss for a week, and now this fellow comes along who tries to sell you a solution that will mean Steve rings your boss' boss and ask "What is going on?"
  4. Butt-covering. Nobody ever got fired for buying IBM^H^H^H Microsoft.
  5. Concerns about the ability of Linux to do the job. You have a solution that works. Sure, there are warts, but it does most of what you want and if it costs a lot, that's the price you pay. Now somebody comes along and tries to sell you an unproven (to you) solution that costs a lot less and may or may not do the job.

From: Steven D'Aprano (OSIA Discussion List)

Steve makes a very persuasive case there! I think I'll rush out and spend several thousand dollars on converting to Microsoft. My website is running much too quickly and I need to slow things down. I also need to contribute something to the economy. So buying a whole bunch of extra hardware and anti-virus software might give the economy that extra little boost ... Not to mention the extra revenue that can help Microsoft continue with the worthy projects they have like replacing open standards with their own. Yes, I am sure that would be putting my money to good use. Much better than using it for things like feeding myself and my family ...

Ok, it's hard to tell when I am using a keyboard ... but that previous paragraph should have been enclosed in a <sarcasm> ... </sarcasm> pair.

Now where was I? Blog entry number 2 ... The things to do to set up this blog.

  1. Setup method for the blog posting.
  2. Setup a method of editing the blogs after they are published (to fix spelling grammar and errors of fact)

There is a bit of work to be done. However I may be able to borrow some code from the job tracking system, which system is a perl/CGI system that I created to track and bill jobs. The tools that I use are mutt, awk, perl, shell, SQL, etc. So there may be a considerable amount of code there that I could borrow.

And ... now, I see some more spam arrived this morning ... (Hmm this could get a bit tedious). BTW if anyone wants to read the most recent article I published on the topic it is here.

This is a trifle amusing ... I use mutt, a text only MUA. The Subject Line is:

Subject: Your Life Ins. Company does NOT WANT you to see this...

Well I don't know about my Insurance company but I wont see it! Mutt is text only and they have sent the email as HTML-only. Of course if I really wanted to I could view it, by pressing {Enter} and then 'v'. I have set up mutt to pipe HTML through lynx (see an earlier HINT in the feedback column). And, after a campaign to persuade everyone of the foolishness of sending HTML-only mail, most of the people who correspond regularly with me now send either TEXT-only (which is best) or mixed (not so bad). Whereas almost all HTML-only email is spam!

I can tell by the Subject tag that this is not a spam I wish to read ... Usually it isn't.

In this case I will just press 'h' (for headers). This reveals the following:

 From carelink@2minutequote.prserv.net Sat Jan 15 07:29:35 2005
 Return-Path: <carelink@2minutequote.prserv.net>
 Received: from smtp.wp.pl (smtp.wp.pl [212.77.101.160])
 	by pgts04.pgts.com.au (8.11.6/8.11.6) with ESMTP id j0EKTX814966
 	for <gerry@pgts.com.au>; Sat, 15 Jan 2005 07:29:33 +1100 (EST)
 	(envelope-from carelink@2minutequote.prserv.net)
 Received: (wp-smtpd smtp.wp.pl 22018 invoked from network); 14 Jan 2005 21:16:57 +0100
 Received: from katalog-admin.wp.pl (HELO 212.77.100.201) ([212.77.100.201])
           (envelope-sender <carelink@2minutequote.prserv.net>)
           by smtp.wp.pl (WP-SMTPD) with SMTP
           for <mands@dailyrecord.com>; 14 Jan 2005 21:16:57 +0100
 Message-ID: <00004ec01000$0000716a$00006433@212.77.100.201>
 To: <PersonalizedQuote>
 From: "Low-Cost Term Life" <carelink@2minutequote.prserv.net>
 Subject: Your Life Ins. Company does NOT WANT you to see this...
 Date: Fri, 14 Jan 2005 14:17:02 -0600
 Reply-To: carelink@2minutequote.prserv.net
 MIME-Version: 1.0
 Content-Type: text/html;
 	charset="us-ascii"
 Content-Transfer-Encoding: 7bit
 X-Priority: 3 (Normal)
 X-MSMail-Priority: Normal
 X-Mailer: Microsoft Outlook, Build 10.0.4510
 Importance: Normal
 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
 X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A.
 X-WP-SPAM: NO AS1=NO AS2=YES(1.000000) AS3=NO AS4=NO

And sorry guys, I will never see the body text ... Not that you really care. As long as half a dozen users, out of the 50 million or so that received your message, inquire about your services, you will probably keep sending them.

At first glance, this appears to have come from a Polish dial-in address. The netblock owner is Wirtualna Polska SA. Closer inspection reveals that they do have a DNS entry. The host is registered as smtp.wp.pl. Looking up this address gives the following information:

    Authoritative answers can be found from:
    wp.pl
            origin = ns1.wp.pl
            mail addr = dnsmaster.wp-sa.pl
            serial = 2005011401
            refresh = 900
            retry = 600
            expire = 86400
            minimum = 3600
    > 212.77.101.160

    Non-authoritative answer:
    160.101.77.212.in-addr.arpa     name = smtp.wp.pl.

    Authoritative answers can be found from:
    101.77.212.in-addr.arpa nameserver = ns2.wp.pl.
    101.77.212.in-addr.arpa nameserver = ns1.wp.pl.
    > set type=mx
    > 212.77.101.160

    Non-authoritative answer:
    160.101.77.212.in-addr.arpa     name = smtp.wp.pl.

    Authoritative answers can be found from:
    101.77.212.in-addr.arpa nameserver = ns2.wp.pl.
    101.77.212.in-addr.arpa nameserver = ns1.wp.pl.
    ns2.wp.pl       internet address = 153.19.102.182
    ns1.wp.pl       internet address = 212.77.102.200

Overall this appears to have been sent from a spam host. It has an MX record and according to Senderbase is the only host in this netblock that sends a significant quantity of email. In fact the amount is so large it seems strange that it has not been listed yet. Perhaps it is a spamhost startup?


Other Blog Posts In This Thread:

Copyright     2005, Gerry Patterson. All Rights Reserved.