Site Navigation
Christmas is a time when we all get together with our families and think about peace and good will for all men (and women). But some of us have to work. In fact for some people, Christmas is the busiest time of year.
This is true also of spammers. The amount of spam always steps up an extra notch during the end-of year hoiliday season. And spammers, scammers and crooks everywhere put in the extra inches and try to deliver a little bit more Yuletide spam and malware to your inbox ... Oh Joy to the World!
Recently at PGTS, there has been a surge in the amount of phony failed delivery emails arriving at the mailhub. I refer to this as Bounce Spam These might have been constructed to look like a failed delivery, but they are more likely to be a genuine bounce message, returning a (supposed) failed message to the email address specified in the Return-Path.
Perhaps we should just revise what happens when email is sent.
When you press the send button on your mail program, a number of things happen quite quickly. A copy of the email, consisting of headers and body is sent to the Mail Transport Agent (MTA) for your domain. Your MTA than looks at the domain of the recipient(s) and tries to work out where and how the email should be delivered.
Now if the recipient is in small.domain.com.au, for example, then your MTA may go and talk directly to the recipient MTA. If there is something wrong with the email ... you might have typed the address wrong (e.g. you sent it to fred.nork@small.domain.com.au rather than fred.nurk@small.domain.com.au), then the recipient MTA will reject the message and your MTA will send a notification straight back to you. This is sometimes referred to as a bounce notification
Sometimes however you might be sending to the large.complex.domain.com, for example. There are a whole bunch of MTAs behind a firewall, or maybe there are a whole bunch of domains. In this case the recipient MTA might try to send the message on, and if it fails, it will send a failure notification back to the sender (specified in the Return-Path with the original message encapsulated.
After all, that would be the polite thing to do. And in a perfect world such polite behaviour would be quite acceptable.
But in the real world of today we have spammers. They seek out such sites and send their spam to non-existent addresses which purports to be from a real email address. For example, dear reader, they might even use your very own email address, which they have harvested with a spambot. The remote MTA then reply to you (even though you never sent a message) and kindly includes the original message with the notification.
And that's why I refer to it as bounce spam.
This is a rather indirect way of sending spam, however it has the advantage of adding some complexity to the task of determining the spammer's IP address. And apart from the fact that it has been configured to reply like this, the offending domain is not deliberately sending spam.
Personally, I think that if an MTA has been configured to reply like this, it should not include the original message. Subject and date should suffice. But since we do live in a real world, with spammers, it is probably best to just discard the email. And if the MTA was up to date and was employing some form of spam prevention, it would probably reject the original mail in any case.
Spam Assasin does seem to learn how to cope with bounce spam. However, I am concerned that once I've sicced it onto bounce spam it might go for future genuine bounce messages from a foreign MTA. This is a bit of quandary. For the time being, Spam Assassin does seem to be learning about bounce spam and is now beginning to sink its pearly white teeth into any bounce spam that comes knocking on the mailhub door. And I figure, if I am ever looking for a bounce notification I can go and search for it in the assinated folder.
Also there is a new money laundering scheme that has come to our attention.
A sample of this spam is as follows:
Headers:
Body:Hello We are offering a temporary job which really do not require any professional skills. You really don't need to have any professional skills for this. All we are looking for right now is UK,USA and Australia based trustworthy, honest, and loyal individuals to handle paper work, file documents and handle payroll administration to our clients in UK ,USA and Australia. What will be required from youis few hours a day and also to pay very close attention to all instructions given to you. Your Job will be; Handling all applications with regards to new clients that will like to register a company in UK,USA and Australia what you will be doing is Filing all papers from these individual companies which will be sent over to you under that companies name. Salary terms; 100Pounds/$150 for each transaction Get back to us through the email address below if you are interested in the job offer michaelloucas2@gmail.com Kindly get back to us if you are interested in the job We will be glad if you accept our proposal. Regards, Michael A. Loucas |
The host at 66.135.59.155 appears to be a Red Hat server owned by fsbopede.com. It seems to be using qmail as the MTA. It may be hosting virtual domains. If you are an adminstrator of this host, you should go and hunt down the offending account and suspend it. There are several other reports of this spam, using the same name of Michael A. Loucas. As usual it comes from various IP addresses. The telephone number looks as though it is a UK number.
The gmail address (above) has been constructed as a front for this scam. It probably involves money laundering, false invoices and/or forged documents, with very little prospects of career advancement. i.e. if any of you kids are thinking about a new career move, don't expect a career path that takes you to the top of the spam gang. Workers in this industry will be spam fodder for the syndicate running this scheme.