Spam and malware, let's be cool together.

Monday, 31 March, Year 6 d.Tr. | Author: Mircea Popescu

Here's our dataset :

Return-path: <>
Delivery-date: Mon, 31 Mar 2014 13:32:55 -0400
Received: from [] (port=47460
     by with esmtp (Exim 4.82)
     (envelope-from <>)
     id 1WUg4n-0007NZ-BC
Received: from ( by
( with Microsoft SMTP Server
     (TLS) id 15.0.712.24 via Frontend Transport; 31 Mar 2014
10:29:39 GMT
Received: from
 ( []) by; 31 Mar 2014 10:21:37 GMT
Received: from MFP33543226 ([]) by with id
 gLSc1n0084JJIRQ02JS9N4;31 Mar 2014 10:24:36 GMT
Date: 31 Mar 2014 10:25:30 GMT
From: <>
Subject: New Fax : 5 pages
Message-ID: <>
MIME-Version: 1.0
X-Mailer: Uacett 4.0
X-MC-Unique: IE78L43SIZB3CH44ZX0LQT-1
Content-Type: multipart/mixed;
X-MS-Exchange-Organization-Network-Message-Id: TTEC99dff903-
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Spam-Status: No, score=4.8
X-Spam-Score: 48
X-Spam-Bar: ++++
     ---- ---------------------- --------------------------------------------------
     1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
     [Blocked - see <>]
     [ listed in]
     0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
     1.3 RDNS_NONE Delivered to internal network by a host with
 no rDNS

So now let's dig in.

  • is a Russian website of some sort of plastics processor. It could be either a legitimate company with inept IT support that failed to notice the unauthorised fax@ email address, or else actually operated by the would-be malware peddler.
  • is a RDS Net IP, allocated to, operated by SC Imsat Cuadripol SA, CIF 1093431 J08/3782/1992, a 20+ year old real-estate services firm in Brasov, Romania. The company itself is perfectly legitimate, but its IT department is either completely absent or outright incompetent. In any case, it is involved in fraud by forwarding this crap to my server, at least inasmuch EU and local regulations are concerned. At this point I could sue them, and definitely extract a few Bitcents through the working of Romanian courts, for their wanton negligence.
  • is an inexistent domain, about which the spammer purports to a) be bound to, b) have received mail through Microsoft SMTP Server and c) have received mail from [] (port=47460 All these are false, but [] accepted them as factual.
  • is a legitimate domain, which does provide legitimate (and large scale) email services. The spammer purports it to be the origin of his spam, but this is false : it either originated directly on or else at an unknown location from whence it was forwarded to The webmaster should, at least in principle, be able to find which through parsing the logs.
  • is listed by spamcop and barracudacentral, which means this would not be the first time they fraudulently forward malware ladden emails.
  • The payload, as you'd expect, is a 9kb

So how does something like this work ? Well, the spammer first forges a bit of malware, using whatever 0day exploits and other leet haxxory he finds on whatever "dark web" forums. Then he either buys a beer for whatever famished kid working in whatever poor quality "website design shop" to obtain credentials, or perhaps just simply is the famished kid in question, and so subverts the webservers of otherwise respectable businesses. He feeds his crap to a list of addresses, meanwhile listening on the Return-path: address to see if there's any bouncing going on.

Statistically, about ten percent of clueless small businesses which perceive they need "a web presence" for unclear reasons and do not have either the intellectual nor the technical resources to actually manage one fall for this, resulting in a number of infected computers (mostly running Windows). Which are useful... for what exactly ?

For nothing, really. But being a leet haxxor living dangerously and (the *business* of fucking da police, riddle me that one!) is a phase in the normal development of the teenager mind, especially male, especially on the fringe of civilisation. And so, just like pashtun young men shoot guns and rifles for weddings, because gotta take the edge off not getting to shoot that other thing, Russian and Romanian young men are leet haxxors and spammers and whatnot.

That's about all.

Category: Meta psihoza
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.
Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.