PGTS Blog Archive. Thread: Internet Security/Malware/Spam
|
Gerry Patterson. The world's most humble blogger
Polish Spam on Rye |
Date: Sat, 15 Jan 2005 09:45:56 +1100
From: Steven D'Aprano (OSIA Discussion List)
Steve makes a very persuasive case there! I think I'll rush out and spend several thousand dollars on converting to Microsoft. My website is running much too quickly and I need to slow things down. I also need to contribute something to the economy. So buying a whole bunch of extra hardware and anti-virus software might give the economy that extra little boost ... Not to mention the extra revenue that can help Microsoft continue with the worthy projects they have like replacing open standards with their own. Yes, I am sure that would be putting my money to good use. Much better than using it for things like feeding myself and my family ...
Ok, it's hard to tell when I am using a keyboard ... but that previous paragraph should have been enclosed in a <sarcasm> ... </sarcasm> pair.
Now where was I? Blog entry number 2 ... The things to do to set up this blog.
- Set up a method for posting blog entries.
- Set up a method of editing blog entries after they are published (to fix spelling, grammar and errors of fact).
There is a bit of work to be done. However, I may be able to borrow some code from the job tracking system, a perl/CGI system that I created to track and bill jobs. The tools that I use are mutt, awk, perl, shell, SQL, etc. So there may be a considerable amount of code there that I could borrow.
And ... now, I see some more spam arrived this morning ... (Hmm this could get a bit tedious). BTW if anyone wants to read the most recent article I published on the topic it is here.
This is a trifle amusing ... I use mutt, a text-only MUA. The Subject line is:
Subject: Your Life Ins. Company does NOT WANT you to see this...
Well, I don't know about my insurance company, but I won't see it! Mutt is text-only and they have sent the email as HTML-only. Of course, if I really wanted to I could view it, by pressing {Enter} and then 'v'. I have set up mutt to pipe HTML through lynx (see an earlier HINT in the feedback column). And, after a campaign to persuade everyone of the foolishness of sending HTML-only mail, most of the people who correspond regularly with me now send either TEXT-only (which is best) or mixed (not so bad). Whereas almost all HTML-only email is spam!
I can tell by the Subject tag that this is not a spam I wish to read ... Usually it isn't.
In this case I will just press 'h' (for headers). This reveals the following:
From carelink@2minutequote.prserv.net Sat Jan 15 07:29:35 2005
Return-Path: <carelink@2minutequote.prserv.net>
Received: from smtp.wp.pl (smtp.wp.pl [212.77.101.160])
        by pgts04.pgts.com.au (8.11.6/8.11.6) with ESMTP id j0EKTX814966
        for <gerry@pgts.com.au>; Sat, 15 Jan 2005 07:29:33 +1100 (EST)
        (envelope-from carelink@2minutequote.prserv.net)
Received: (wp-smtpd smtp.wp.pl 22018 invoked from network); 14 Jan 2005 21:16:57 +0100
Received: from katalog-admin.wp.pl (HELO 212.77.100.201) ([212.77.100.201])
        (envelope-sender <carelink@2minutequote.prserv.net>)
        by smtp.wp.pl (WP-SMTPD) with SMTP
        for <mands@dailyrecord.com>; 14 Jan 2005 21:16:57 +0100
Message-ID: <00004ec01000$0000716a$00006433@212.77.100.201>
To: <PersonalizedQuote>
From: "Low-Cost Term Life" <carelink@2minutequote.prserv.net>
Subject: Your Life Ins. Company does NOT WANT you to see this...
Date: Fri, 14 Jan 2005 14:17:02 -0600
Reply-To: carelink@2minutequote.prserv.net
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4510
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A.
X-WP-SPAM: NO AS1=NO AS2=YES(1.000000) AS3=NO AS4=NO
And sorry guys, I will never see the body text ... Not that you really care. As long as half a dozen users, out of the 50 million or so that received your message, inquire about your services, you will probably keep sending them.
At first glance, this appears to have come from a Polish dial-in address. The netblock owner is Wirtualna Polska SA. Closer inspection reveals that they do have a DNS entry. The host is registered as smtp.wp.pl. Looking up this address gives the following information:
Authoritative answers can be found from:
wp.pl
        origin = ns1.wp.pl
        mail addr = dnsmaster.wp-sa.pl
        serial = 2005011401
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600
> 212.77.101.160
Non-authoritative answer:
160.101.77.212.in-addr.arpa     name = smtp.wp.pl.
Authoritative answers can be found from:
101.77.212.in-addr.arpa nameserver = ns2.wp.pl.
101.77.212.in-addr.arpa nameserver = ns1.wp.pl.
> set type=mx
> 212.77.101.160
Non-authoritative answer:
160.101.77.212.in-addr.arpa     name = smtp.wp.pl.
Authoritative answers can be found from:
101.77.212.in-addr.arpa nameserver = ns2.wp.pl.
101.77.212.in-addr.arpa nameserver = ns1.wp.pl.
ns2.wp.pl       internet address = 153.19.102.182
ns1.wp.pl       internet address = 212.77.102.200
Overall this appears to have been sent from a spam host. It has an MX record and according to Senderbase is the only host in this netblock that sends a significant quantity of email. In fact the amount is so large it seems strange that it has not been listed yet. Perhaps it is a spamhost startup?
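The header walk described above (reading the Received: chain from the bottom up, checking who claimed to be whom, and noticing that the recipient and the To: line do not agree) can be done mechanically. The script below is an added example in Python, not the blog's own perl/awk tooling. SAMPLE is the header block quoted in the post, re-folded by hand with the mbox "From " line and the body omitted; the flag names it emits (helo-is-ip-literal and so on) are my own labels, not anything the mail system produces.

```python
"""Relay-chain analysis of the spam headers quoted in the post.

Added example, not the blog's own code.  It parses the Received: headers
(oldest hop first) and flags the signs a practitioner looks at before ever
opening the body: a HELO that is a bare IP, a Message-ID domain that is an
IP, a To: line with no real address, an HTML-only body, and an envelope
recipient that changes between hops.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed from the headers quoted in the post (mbox line and body dropped).
SAMPLE = """Return-Path: <carelink@2minutequote.prserv.net>
Received: from smtp.wp.pl (smtp.wp.pl [212.77.101.160])
    by pgts04.pgts.com.au (8.11.6/8.11.6) with ESMTP id j0EKTX814966
    for <gerry@pgts.com.au>; Sat, 15 Jan 2005 07:29:33 +1100 (EST)
    (envelope-from carelink@2minutequote.prserv.net)
Received: (wp-smtpd smtp.wp.pl 22018 invoked from network); 14 Jan 2005 21:16:57 +0100
Received: from katalog-admin.wp.pl (HELO 212.77.100.201) ([212.77.100.201])
    (envelope-sender <carelink@2minutequote.prserv.net>)
    by smtp.wp.pl (WP-SMTPD) with SMTP
    for <mands@dailyrecord.com>; 14 Jan 2005 21:16:57 +0100
Message-ID: <00004ec01000$0000716a$00006433@212.77.100.201>
To: <PersonalizedQuote>
From: "Low-Cost Term Life" <carelink@2minutequote.prserv.net>
Subject: Your Life Ins. Company does NOT WANT you to see this...
Date: Fri, 14 Jan 2005 14:17:02 -0600
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-WP-SPAM: NO AS1=NO AS2=YES(1.000000) AS3=NO AS4=NO

"""

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'


def _unfold(value):
    """Collapse RFC 2822 header folding into a single line."""
    return re.sub(r'\s+', ' ', value).strip()


def parse_received(raw):
    """Return the relay hops oldest-first, one dict per Received: header."""
    msg = message_from_string(raw)
    hops = []
    # Headers are prepended by each relay, so the last one is the first hop.
    for value in reversed(msg.get_all('Received', [])):
        v = _unfold(value)
        m_from = re.match(r'from\s+(\S+)', v)          # name the relay logged
        m_helo = re.search(r'\(HELO\s+([^\s)]+)\)', v)  # name the client claimed
        m_ip = re.search(r'\[(' + IPV4 + r')\]', v)     # address the relay saw
        m_by = re.search(r'\bby\s+(\S+)', v)
        m_for = re.search(r'\bfor\s+<([^>]+)>', v)      # envelope recipient
        # The timestamp follows the last ';'; strip (comments) before parsing.
        date_part = re.sub(r'\([^)]*\)', '', v.rsplit(';', 1)[-1]).strip()
        try:
            when = parsedate_to_datetime(date_part)
        except (ValueError, TypeError):
            when = None
        hops.append({
            'from': m_from.group(1) if m_from else None,
            'helo': m_helo.group(1) if m_helo else None,
            'ip': m_ip.group(1) if m_ip else None,
            'by': m_by.group(1) if m_by else None,
            'for': m_for.group(1) if m_for else None,
            'date': when,
        })
    return hops


def transit_seconds(hops):
    """Seconds between the first hop's stamp and the final delivery stamp."""
    stamped = [h['date'] for h in hops if h['date'] is not None]
    return int((stamped[-1] - stamped[0]).total_seconds())


def spam_indicators(raw):
    """Heuristic flags (my own labels) drawn from the headers alone."""
    msg = message_from_string(raw)
    hops = parse_received(raw)
    flags = []
    for h in hops:
        if h['helo'] and re.fullmatch(IPV4, h['helo']):
            flags.append('helo-is-ip-literal')
        elif h['from'] and h['helo'] and h['from'] != h['helo']:
            flags.append('helo-differs-from-rdns')
    if re.search(r'@' + IPV4 + r'>?$', msg.get('Message-ID', '').strip()):
        flags.append('message-id-domain-is-ip')
    if '@' not in msg.get('To', ''):
        flags.append('to-header-has-no-address')
    if msg.get_content_type() == 'text/html':
        flags.append('html-only-body')
    if len({h['for'] for h in hops if h['for']}) > 1:
        flags.append('recipient-changes-between-hops')
    return flags


if __name__ == '__main__':
    hops = parse_received(SAMPLE)
    for i, h in enumerate(hops, 1):
        print(i, h['from'], h['helo'], h['ip'], '->', h['by'], h['for'], h['date'])
    print('transit:', transit_seconds(hops), 's')
    print('flags:', spam_indicators(SAMPLE))
```

Run on the sample it lists three hops, a transit time of 756 seconds between the first relay stamp and delivery at pgts04, and five flags. The two hops inside wp.pl are trustworthy as far as the receiving server is concerned only because pgts04 itself logged the connection from 212.77.101.160; anything below that line was written by the sender's side and can say whatever it likes, which is why the script reads the chain from the bottom but anchors its trust at the top.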