Here's our dataset:
Return-path: <email@example.com>
Delivery-date: Mon, 31 Mar 2014 13:32:55 -0400
Received: from [126.96.36.199] (port=47460 helo=cuadripol.ro) by eleusis.polimedia.us with esmtp (Exim 4.82) (envelope-from <firstname.lastname@example.org>) id 1WUg4n-0007NZ-BC
Received: from cuadripol.ro (188.8.131.52) by scan.polimedia.us (10.0.4.75) with Microsoft SMTP Server (TLS) id 15.0.712.24 via Frontend Transport; 31 Mar 2014 10:29:39 GMT
Received: from p3plsmtpa07-08.prod.phx3.secureserver.net (p3plsmtpa07-05.prod.phx3.secureserver.net [184.108.40.206]) by us-mta-1.us.mimecast.lan; 31 Mar 2014 10:21:37 GMT
Received: from MFP33543226 ([220.127.116.11]) by p3plsmtpa08-06.prod.phx3.secureserver.net with id gLSc1n0084JJIRQ02JS9N4;31 Mar 2014 10:24:36 GMT
Date: 31 Mar 2014 10:25:30 GMT
From: <email@example.com>
Subject: New Fax : 5 pages
Message-ID: <TTEC99dff903firstname.lastname@example.org>
MIME-Version: 1.0
X-Mailer: Uacett 4.0
X-MC-Unique: IE78L43SIZB3CH44ZX0LQT-1
Content-Type: multipart/mixed; boundary="TTEC99dff903-e466-859e-b025-bcac3d6e1aaa"
X-MS-Exchange-Organization-Network-Message-Id: TTEC99dff903- email@example.com
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: FAX.polimedia.us
X-MS-Exchange-Organization-AuthAs: Anonymous
X-Spam-Status: No, score=4.8
X-Spam-Score: 48
X-Spam-Bar: ++++
X-Ham-Report:
 ---- ---------------------- --------------------------------------------------
 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [Blocked - see <http://www.spamcop.net/bl.shtml?18.104.22.168>]
 1.6 RCVD_IN_BRBL_LASTEXT RBL: RCVD_IN_BRBL_LASTEXT [22.214.171.124 listed in bb.barracudacentral.org]
 0.7 SPF_NEUTRAL SPF: sender does not match SPF record (neutral)
 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
So now let's dig in.
- polimech.com is the Russian website of some sort of plastics processor. It is either a legitimate company whose inept IT support failed to notice the unauthorised fax@ email address being used, or else a site actually operated by the would-be malware peddler.
- 126.96.36.199 is an RDS Net IP, allocated to cuadripol.ro, operated by SC Imsat Cuadripol SA, CIF 1093431 J08/3782/1992, a 20+ year old real-estate services firm in Brasov, Romania. The company itself is perfectly legitimate, but its IT department is either completely absent or outright incompetent. In any case, it is involved in fraud by forwarding this crap to my server, at least insofar as EU and local regulations are concerned. At this point I could sue them, and definitely extract a few Bitcents through the workings of Romanian courts, for their wanton negligence.
- scan.polimedia.us is a nonexistent domain, which the spammer purports a) to be bound to 10.0.4.75, b) to have received mail through Microsoft SMTP Server and c) to have received mail from [188.8.131.52] (port=47460 helo=cuadripol.ro). All of these are false, but cuadripol.ro [184.108.40.206] accepted them as factual.
- secureserver.net is a legitimate domain, which does provide legitimate (and large scale) email services. The spammer purports it to be the origin of his spam, but this is false: the mail either originated directly on cuadripol.ro or else at an unknown location whence it was forwarded to cuadripol.ro. The webmaster should, at least in principle, be able to find out which by parsing his logs.
- 220.127.116.11 is listed by spamcop and barracudacentral, which means this would not be the first time they fraudulently forward malware-laden emails.
- The payload, as you'd expect, is a 9 kB FAX397395.zip.
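The hand-tracing done in the bullets above (each Received: line's "by" host should be the "from" host of the line stacked on top of it, and timestamps should not run backwards as you go up the stack) can be mechanised. The script below is an added example and is not code from the original post; it embeds the four Received: lines quoted in the header block above, with the addresses exactly as they appear there, and flags every hop where the chain or the clock breaks. The "registrable domain = last two labels" comparison is a simplification assumed here, not a standard, and would need a public-suffix list for real deployment.

```python
"""Walk an email's Received: chain bottom-up and flag forged-looking hops.

Added example, not code from the original post. Only the topmost Received:
line is written by the receiving MTA itself; every line under it was supplied
by whoever handed the message over, so the first break in continuity marks
the point below which nothing can be trusted.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Received: lines reproduced from the header block quoted in the post,
# folded the way RFC 5322 permits. A Subject line closes the header block.
SAMPLE_HEADERS = (
    "Received: from [126.96.36.199] (port=47460 helo=cuadripol.ro)\n"
    " by eleusis.polimedia.us with esmtp (Exim 4.82)\n"
    " (envelope-from <firstname.lastname@example.org>) id 1WUg4n-0007NZ-BC\n"
    "Received: from cuadripol.ro (188.8.131.52) by scan.polimedia.us (10.0.4.75)\n"
    " with Microsoft SMTP Server (TLS) id 15.0.712.24 via Frontend Transport;\n"
    " 31 Mar 2014 10:29:39 GMT\n"
    "Received: from p3plsmtpa07-08.prod.phx3.secureserver.net\n"
    " (p3plsmtpa07-05.prod.phx3.secureserver.net [184.108.40.206])\n"
    " by us-mta-1.us.mimecast.lan; 31 Mar 2014 10:21:37 GMT\n"
    "Received: from MFP33543226 ([220.127.116.11])\n"
    " by p3plsmtpa08-06.prod.phx3.secureserver.net with id gLSc1n0084JJIRQ02JS9N4;\n"
    " 31 Mar 2014 10:24:36 GMT\n"
    "Subject: New Fax : 5 pages\n"
    "\n"
)

# "from <host> (<info>) ... by <host>"; the optional parenthesised part holds
# the reverse-DNS name, the peer IP or, for Exim, "helo=<name>".
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.DOTALL,
)
HELO_RE = re.compile(r"helo=(\S+)", re.IGNORECASE)


def registrable(host):
    """Assumed simplification: an IPv4 literal as-is, otherwise the last two labels."""
    host = host.strip("[];,").lower()
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host):
        return host
    return ".".join(host.split(".")[-2:])


def parse_hop(value):
    """Reduce one Received: value to the fields the continuity checks need."""
    value = " ".join(value.split())  # undo header folding
    m = HOP_RE.search(value)
    if not m:
        return None
    info = m.group("info") or ""
    helo = HELO_RE.search(info)
    claimed = helo.group(1) if helo else m.group("from")  # name the peer announced
    stamp = None
    if ";" in value:  # the date, when present, follows the last semicolon
        try:
            stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (ValueError, TypeError):
            stamp = None
    return {
        "from": m.group("from").strip("[];,"),
        "claimed": claimed.strip("[];,"),
        "by": m.group("by").strip("[];,"),
        "when": stamp,
    }


def analyze(raw_headers):
    """Return the hops (newest first), the anomalies found, and how many hops
    from the top are consistent before the first chain break."""
    msg = email.message_from_string(raw_headers)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    findings = []
    trusted_depth = len(hops)
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        # The host that relayed hop i+1 should be the host hop i says it talked to.
        if registrable(older["by"]) != registrable(newer["claimed"]):
            findings.append({"check": "chain", "hop": i + 1,
                             "detail": f'{older["by"]} handed to {newer["claimed"]}?'})
            trusted_depth = min(trusted_depth, i + 1)
        # An older hop stamped later than a newer one is a forged or skewed clock.
        if newer["when"] and older["when"] and older["when"] > newer["when"]:
            findings.append({"check": "clock", "hop": i + 1,
                             "detail": f'{older["by"]} later than {newer["by"]}'})
    return {"hops": hops, "findings": findings, "trusted_depth": trusted_depth}


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS)
    for n, hop in enumerate(report["hops"]):
        print(f'{n}: {hop["claimed"]} -> {hop["by"]} at {hop["when"]}')
    for f in report["findings"]:
        print(f'hop {f["hop"]}: {f["check"]} break: {f["detail"]}')
    print("hops verifiable from the top:", report["trusted_depth"])
```

Run against the post's header block this reports a chain break right under the eleusis.polimedia.us line (scan.polimedia.us never handed anything to cuadripol.ro), another under the scan.polimedia.us line (us-mta-1.us.mimecast.lan is not cuadripol.ro), and a clock anomaly on the secureserver.net hop, which claims 10:24:36 although the hop supposedly above it was stamped 10:21:37. That is the same conclusion the post reaches by hand: only the first hop is real.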
So how does something like this work? Well, the spammer first forges a bit of malware, using whatever 0day exploits and other leet haxxory he finds on whatever "dark web" forums. Then he either buys a beer for whatever famished kid working in whatever poor quality "website design shop" to obtain credentials, or perhaps simply is the famished kid in question, and so subverts the webservers of otherwise respectable businesses. He feeds his crap to a list of addresses, meanwhile listening on the Return-path: address to see if there's any bouncing going on.
Statistically, about ten percent of clueless small businesses which perceive they need "a web presence" for unclear reasons and have neither the intellectual nor the technical resources to actually manage one fall for this, resulting in a number of infected computers (mostly running Windows). Which are useful... for what exactly?
For nothing, really. But being a leet haxxor living dangerously and fuck-da-police.biz (the *business* of fucking da police, riddle me that one!) is a phase in the normal development of the teenager mind, especially male, especially on the fringe of civilisation. And so, just like Pashtun young men shoot guns and rifles at weddings, because gotta take the edge off not getting to shoot that other thing, Russian and Romanian young men are leet haxxors and spammers and whatnot.
That's about all.