More spam from nobistech.net

I get a lot of spam. Most of it, thankfully, is blocked by dspam, but occasionally some gets through the filter. One that particularly caught my eye was interesting not so much for what it was advertising (I don’t read that part of the email) but for where it came from and where it points to.

Normally there are two service providers involved in spam. The email comes from (or via) one, and the spamvertised website is hosted by another. The interesting thing is that for this spam both were the same service provider. The email came from 174.34.168.85 and the spamvertised website was at 70.32.40.194; both of these addresses are owned by nobistech.net. I punted the email to SpamCop and it said that they’re not interested in spam reports.

A few Google queries show that these guys seem quite happy to host spam sources and destinations and have been doing so for years. They appear either as nobistech.net or as Ubiquity Servers, but they are one and the same organisation, or at least related.

I won’t bother sending anything to them; it seems this has been done many, many times by others with no result. Instead, some CIDR blocks will be put into my blacklist.


Anti-Spam Fails

A day or two ago I tried sending an email to a friend who happens to use the Road Runner ISP for his mail service. Now, this ISP doesn’t like dynamic IP addresses (using the increasingly inaccurately named Dial Up List), so I have to punt the email through my ISP’s mail server first. Now that server is telling me this:

The reason for the problem: 4.3.2 – Not accepting messages at this time 554-‘5.7.1 – ERROR: Mail refused – <150.101.137.131> – See http://sendersupport.senderscore.net’

So their ISP’s mail server is refusing connections from my ISP’s mail server for some reason, probably because it is on some spam list. There’s a URL to look up the problem, so going there gives you three things:

  1. A redirection to https://sendersupport.senderscore.net/
  2. A badly configured webserver that uses the above URL with a certificate for www.senderscore.net
  3. A page that says “It works”

Either Road Runner or Senderscore, preferably both, need to get a clue. Oh, and going to https://www.senderscore.net/ gives connection refused. A bit of digging around shows the correct URL is https://senderscore.org/

Now, I just realized that my SSL certificate for https://enc.com.au/ expired on the weekend, so I know these things can happen, but I’m one person (who was away for a while); why can’t companies get their act together?


Lottery from ancient rockers

Apparently I’ve won the lottery. What is even more amazing is that it is one based not in Australia but in the UK, the ELO (England Lottery Organisation), and I didn’t even buy a ticket. Even more amazing is that, even though this organisation is based in England, they don’t write English very well; perhaps it’s declining school standards. They’re so concerned about giving you the maximum return on the dollar (or pound) that they don’t even use a proper co.uk email address but a free webmail account from umail.

It is, of course, a scam, popularly known as Nigerian 419 or advance-fee fraud. You can win the money, but... well, it seems there is some hold-up and you need to pay some “release fee” or some bribe to get your dollars. What makes me a little sad is that it was for only 250,000 UK pounds. I feel ripped off, as a few Google searches showed people being offered over 500,000 pounds in the same scam. Don’t these crooks know I have a high Aussie dollar exchange rate to overcome?

About the only interesting thing about it was that my dspam filters missed it, but they’ve now been retrained with that miss. I think sending it as a PDF was why it made it through.

And I now cannot get ELO (Electric Light Orchestra) songs out of my head, thanks a lot scammers! (It’s a livin’ thing, ya know)


Filtering base64 encoded spam

I hate spam, and I get an awful lot of it. About 1/3 of my email is spam, though on a bad day the ratio can be reversed. If you want to see just how much spam I get, I used to have a nice graph of it. To get rid of it I use a lot of filters. One of these is the Postfix body_checks feature, which lets you match lines in the body of the email and reject them at the server. I use Perl Compatible Regular Expression (PCRE) matching for the lines.

Recently, though, I noticed a lot of spam, usually about Viagra, that was passing through my spam traps. The emails all talked about a small set of web servers, so I thought I’d just filter on the URLs. It didn’t work.
SpamAssassin in the end gave me the hint:

X-Spam-Status: No, hits=0.0 required=5.0
       tests=BASE64_ENC_TEXT,EMAIL_ATTRIBUTION,HTML_60_70,
           HTML_IMAGE_ONLY_04,MIME_HTML_ONLY,PENIS_ENLARGE,REMOVE_PAGE
            version=2.53

It was base64-encoded email! That’s why my simple PCRE text matches would not work: the text I was matching never appears in clear in the message body. So I needed to use something else.

This page is about how to filter on base64-encoded text that appears in emails. I have used examples of PCRE and Postfix, but you can use this anywhere else, with the appropriate adjustments for where the files go and their syntax.

How to filter

A standard filter line in a postfix body_check file looks something like this:

//   REJECT

This is the old iframe hack that some spammers use to sneak URLs into your email. They are nice and clear, and we just reject them. All we have to do now is change the stuff between the “toothpicks” // to what we want.

Here’s an example spam I got today; it’s offering the usual garbage these shonks usually offer. Remember, if they don’t advertise ethically, it is often a sign of their entire operation.


In this case, I’ve decided I cannot be bothered getting any emails that advertise stuff on www.sellthrunet.net; I get enough junk already and it’s probably a front for spammers anyway, so I’ll filter on that domain. You need to make the string reasonably long, as you are effectively cutting off parts of it.

Debian systems have a program called mimencode (some of you might have mmencode instead), which is part of the Metamail package. This does the base64 encoding for you.

So all you need to do is take the string you want to filter on, put it through mimencode and then put the resulting string into the Postfix configuration. You need to do this three times, deleting a character from the front each time, because base64 works by cutting the input up into groups of three characters and you don’t know in advance whether your string is going to start at position 1, 2 or 3 of a group.

gonzo$ echo -n "http://www.sellthrunet.net/" | mimencode
aHR0cDovL3d3dy5zZWxsdGhydW5ldC5uZXQv
gonzo$ echo -n "ttp://www.sellthrunet.net/" | mimencode
dHRwOi8vd3d3LnNlbGx0aHJ1bmV0Lm5ldC8=
gonzo$ echo -n "tp://www.sellthrunet.net/" | mimencode
dHA6Ly93d3cuc2VsbHRocnVuZXQubmV0Lw==

Next you need to remove part of the encoded string at the end. Remember that 3 characters are encoded into 4 symbols: character one contributes to symbols 1 and 2, character two to symbols 2 and 3, and character three to symbols 3 and 4. The = means the string was not a multiple of 3 and needed padding. If the encoded string has no =, you can use it as-is; otherwise remove all the = signs plus one more character from the end of the string (that last symbol also depends on whatever character follows your string in the real message, so it will not be the same there). Remember that you are cutting up to two characters off your regular expression from both ends, so be careful it is still meaningful. The last string, for example, only matches “tp://www.sellthrunet.ne”, which still looks ok.

Finally, you can join the strings using the regular expression “or” symbol, |. Also be careful to escape any strings that contain special regular expression characters. Base64 can contain plus ‘+’ and slash ‘/’, which need escaping with a backslash.

(aHR0cDovL3d3dy5zZWxsdGhydW5ldC5uZXQv|dHRwOi8vd3d3LnNlbGx0aHJ1bmV0Lm5ldC|dHA6Ly93d3cuc2VsbHRocnVuZXQubmV0L)

I have a bypass line in my setup, so usually any lines that are base64 encoded are bypassed; if you have the same thing, make sure this line goes before your bypass line or it will never match. We also need to tell Postfix to use case-sensitive matching, because it is the base64 encoding we are matching and not the real string itself, and base64 symbols are case-sensitive. Postfix pcre tables match case-insensitively by default, and the i flag after the last slash toggles that off. The relevant lines in the body_checks file are now:

#
# sellthrunet.net
/(aHR0cDovL3d3dy5zZWxsdGhydW5ldC5uZXQv|dHRwOi8vd3d3LnNlbGx0aHJ1bmV0Lm5ldC|dHA6Ly93d3cuc2VsbHRocnVuZXQubmV0L)/i REJECT Spamvertised website
# don't bother checking each line of attachments
/^[0-9a-z+\/=]{60,}\s*$/                OK

To test it, I use pcregrep and mimencode again, on the mail file. This will show the spamming line in clear text and give you an idea that it should work.

$ pcregrep 'dHRwOi8vd3d3LnNlbGx0aHJ1bmV0Lm5ldC' /var/mail/csmall  | mimencode -u
http://www.sellthrunet.net/pek/m2b.php?man=ki921">&ltl;im//www.sellthrunet.net/pek/m2b.php?man=ki
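The whole procedure above (encode the string at the three possible alignments, trim the padding-dependent symbols, escape the regex specials, emit the body_checks line) together with the pcregrep/mimencode style decode check, as an added Python example. This is not code from the post; it uses Python's base64 module in place of mimencode, the URL is the one from the post, and the message bodies it encodes are constructed here for the check.

```python
import base64
import re

# The spamvertised URL from the post; everything else below is constructed.
TARGET = "http://www.sellthrunet.net/"


def aligned_fragments(text):
    """Return the three base64 fragments that match `text` wherever it
    starts inside a 3-byte group, with padding-dependent symbols trimmed.

    Dropping 0, 1 or 2 leading characters from the plaintext covers the three
    positions the string can occupy relative to the encoder's triples.
    """
    fragments = []
    for skip in range(3):
        enc = base64.b64encode(text[skip:].encode()).decode()
        if enc.endswith("="):
            # The symbol just before the '=' pad also depends on whatever
            # byte follows the string in the real message, so drop the pads
            # plus that one symbol (the post's "remove all = plus one more").
            enc = enc.rstrip("=")[:-1]
        fragments.append(enc)
    return fragments


def body_checks_pattern(text):
    """Join the fragments with the regex 'or', escaping '+' (a PCRE
    metacharacter) and '/' (the Postfix pcre table delimiter)."""
    escaped = [re.escape(f).replace("/", r"\/") for f in aligned_fragments(text)]
    return "(" + "|".join(escaped) + ")"


def body_checks_line(text, action="REJECT Spamvertised website"):
    """One complete body_checks line. The trailing 'i' flag toggles off the
    case-insensitive matching that Postfix pcre tables use by default, since
    base64 symbols are case-sensitive."""
    return "/%s/i\t%s" % (body_checks_pattern(text), action)


def encoded_body(prefix, text):
    """Constructed message body: `prefix` shifts `text` to a different
    position within the encoder's 3-byte groups (the HTML wrapper is 9 bytes
    long, so an empty prefix puts `text` on a group boundary)."""
    body = (prefix + '<a href="' + text + '">click</a>').encode()
    return base64.b64encode(body).decode()


def matches_at_every_alignment(text, pattern):
    """Check that the pattern hits when `text` starts at offset 0, 1 and 2
    of a group; body_checks would see one of these three cases."""
    regex = re.compile(pattern)
    return all(regex.search(encoded_body(p, text)) for p in ("", "x", "xy"))


def decode_match_context(encoded_line, fragment):
    """Mirror of the post's `pcregrep ... | mimencode -u` check: back up to
    the 4-symbol group boundary before the hit and decode from there, so the
    matched text comes out readable rather than as shifted garbage."""
    pos = encoded_line.find(fragment)
    if pos < 0:
        return None
    start = pos - pos % 4
    chunk = encoded_line[start:]
    chunk = chunk[: len(chunk) - len(chunk) % 4]
    return base64.b64decode(chunk).decode("latin-1")


if __name__ == "__main__":
    print(body_checks_line(TARGET))
    print("matches at all alignments:",
          matches_at_every_alignment(TARGET, body_checks_pattern(TARGET)))
    # With a 2-byte prefix the "ttp://..." fragment is the aligned one.
    print(decode_match_context(encoded_body("xy", TARGET),
                               aligned_fragments(TARGET)[1]))
```

One caveat the post leaves implicit: MIME wraps base64 bodies at 76 characters per line and body_checks tests one line at a time, so a fragment that straddles a line break will not match. Because 76 is a multiple of 4, the alignment trick itself survives the wrapping; what matters is keeping each fragment short enough to fit within a line.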