There's a new morph of the porn extortion campaign, with some
interesting under-the-hood changes.

The previous ones were always:
- two "quoted-printable" parts (plain text, html)
- "From" Outlook accounts
- sent via Outlook/Hotmail/MS IPs (no other IPs in route)
- passed both DKIM and SPF

The new version has:
- one base64 html part
- pure numeric "From" domain&account (same address in SMTP & header)
- sent via compromised computers (and typically 3 or 4 Received IPs)
- bogus domains so neither DKIM nor SPF possible
- 8 of 13 samples had a Reply-To, with the same address as the From,
  and the RealNames were different

Unchanged:
- html part has hundreds of comments containing just the To account
- pretty much the same message
  (new versions have some potentially useful HTML/comment chaff)
- _ALL_ have snuck through plain vanilla SA :(
  (old Outlooks ones were consistently less than 1.0;
   new: 92% in 2s, 8% in very low 4s)

Currently, all IPs except one (the oldest) are on the CBL.

Full raw spample:
http://puffin.net/software/spam/samples/0058_extortion_numeric_domain.txt
I MUNGED the "To" and the Body.
Since I munged the account name to "target", I had to re-encode the
Body.
** John Hardin & KAM:  if you'd like some unmunged spamples, I'd be
happy to send a zip. :)

Here's the SA test stats for 13 of this new morph:
  FORGED_MUA_MOZILLA          1
  HTML_MESSAGE               13
  HTML_MIME_NO_HTML_TAG      13
  LOCALPART_IN_SUBJECT       13
  MIME_BASE64_TEXT            9
  MIME_HTML_ONLY             13
  RCVD_IN_SORBS_DUL           1
  RDNS_DYNAMIC                3
  TVD_RCVD_SPACE_BRACKET      6
  UNPARSEABLE_RELAY           6

This new variant should be easy to exterminate. :)

1. The quick and easy combo of "HTML_MIME_NO_HTML_TAG" and
   "LOCALPART_IN_SUBJECT" is worth a meta.
   The latter test is _VERY_ rare in Ham.
2. Another meta with those two and "MIME_BASE64_TEXT" is even safer.
3. Pure numeric TLDs appear to be non-existent (so far!), so I look
   forward to you regex wizards doing your thing. :)
4. There are lots of low-risk phrases worth scoring (KAM rules?).
5. Riskier & more complex:  The pattern of the account name occurring
   hundreds of times in HTML comments is distinctive, and "feels"
   safe, however Thick Hammers are unpredictable.
   I will be releasing a regression test for my volunteers.
   Once I get sufficient Ham stats, I'll report back.


Three other unusual things (all demonstrated in this spample):

1. 9 of the 13 had a two part pure numeric claimed host (see below).
I don't recall seeing that before.
** Is that a botnet fingerprint?

2. 9 of the 13 lacked a trailing "=".
I don't recall seeing that before.
It's probably worth a quick test, if easy to implement.
There was no correlation with the numeric host pattern.

3. 4 of the 13 failed to hit "MIME_BASE64_TEXT".
I'm curious what the issue is.
The trailing "=" was not a factor.
The main thing that stood out is that the hits all had this CT:
Content-Type: text/html;
        charset="us-ascii"
The misses all had:
Content-Type: text/html;
        charset="iso-8859-1"


Here are the IPs, and the claimed hostnames in square brackets:
        1.52.117.145    [738.521]
        5.76.183.251    [926.664]
        14.231.121.148  [253.975]
        41.212.106.159  [41.212.106.159.wananchi.com]
        42.113.254.123  [303.494]
        49.205.51.26    [broadband.actcorp.in]
        94.233.89.142   [dsl-94-233-89-142.avtlg.ru]
        103.86.161.66   [439.461]
        109.60.246.66   [842.384]
        180.252.178.204 [742.584]
        196.190.63.7    [982.491]
        197.248.154.10  [197-248-154-10.safaricombusiness.co.ke]
        202.138.244.76  [344.393]

Here are the actual (unmunged) From headers:
        "Sofia Kirby" <066@842.384>
        "Eugenia Koch" <340@145.390>
        "Trisha Savage" <907@344.393>
        "Debra Arnold" <367@439.461>
        "Christine Waller" <294@982.491>
        "Lawrence Bender" <516@303.494>
        "Rey Wooten" <381@738.521>
        "Elvira Nguyen" <977@557.566>
        "Mai Mullins" <556@742.584>
        "Darrick Hendricks" <540@926.664>
        "Pablo Hess" <692@442.947>
        "Elba Olsen" <255@434.964>
        "Millie Weber" <041@253.975>


We're killing 100% of these (post plain-vanilla SA), mainly due to
IP Nation tests, lots of custom body phrase tests, and some body
"stupid tricks" tests.

I've just added the above suggested SA metas, and a 
low level (non-regex) pure numeric TLD test.

I expect more morphs.
        - "Chip"

P.S.  It occurred to me that the complete lack of Sender Verification
in these could benefit spammers. There's zero DKIM processing
overhead, so these should be processed a wee bit faster by
non-graylisting receivers. That could make the difference in whether
it hits a post-gateway blocklist.
** Does anyone have performance stats on how long DKIM processing
takes?
That might explain the drop in DKIM usage by snowshoers.


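As an added example, not part of Chip's post and not SpamAssassin's own rule code, the indicators the post proposes (HTML-only base64 body with no `<html>` tag, the To account in the Subject and in hundreds of HTML comments, a pure-numeric From domain and account, Reply-To equal to From, two-part numeric claimed hosts in Received lines, and base64 with the trailing "=" padding stripped) re-implemented in plain Python over a single raw message. The sample message is constructed for the demonstration; its Received-line layout (`from <claimed-host> (... [<ip>])`) and all function names are assumptions, and the checks only approximate the SA tests they are named after.

```python
"""Indicators for the numeric-domain extortion morph (added example, not SA code)."""
import base64
import re
from email import message_from_bytes
from email.utils import parseaddr

# --- Constructed sample: the To account repeated in 200 HTML comments, no <html> tag,
# --- body base64-encoded with the '=' padding deliberately stripped (as in 9 of 13 samples).
TARGET_LOCALPART = "target"
HTML_BODY = f"<!-- {TARGET_LOCALPART} -->\n" * 200 + "<p>I know your password.</p>\n"
B64_NO_PADDING = base64.b64encode(HTML_BODY.encode("iso-8859-1")).decode("ascii").rstrip("=")


def wrap76(s: str) -> str:
    """Fold a base64 payload at 76 columns, as an MTA would emit it."""
    return "\r\n".join(s[i:i + 76] for i in range(0, len(s), 76))


SAMPLE_RAW = (
    "Received: from 738.521 (unknown [1.52.117.145])\r\n"          # assumed layout
    "\tby mx.example.net (Postfix) with ESMTP id ABC123\r\n"
    "\tfor <target@example.net>; Tue, 1 Jan 2019 00:00:00 +0000\r\n"
    "Received: from 926.664 ([5.76.183.251]) by 738.521 with SMTP;\r\n"
    "\tTue, 1 Jan 2019 00:00:00 +0000\r\n"
    'From: "Sofia Kirby" <066@842.384>\r\n'
    "Reply-To: <066@842.384>\r\n"
    "To: <target@example.net>\r\n"
    "Subject: target\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/html;\r\n\tcharset="iso-8859-1"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + wrap76(B64_NO_PADDING) + "\r\n"
).encode("ascii")


def decode_base64_lenient(payload: str):
    """Decode base64 that may lack its trailing '=' padding.

    Returns (decoded_bytes, padding_was_missing).  Line breaks are dropped first;
    a length of 3 mod 4 can never come from a real encoder, so it is rejected.
    """
    data = "".join(payload.split())
    missing = (-len(data)) % 4
    if missing == 3:
        raise ValueError("not base64: encoded length is 3 mod 4")
    return base64.b64decode(data + "=" * missing), missing > 0


def has_numeric_tld(addr: str) -> bool:
    """True when the rightmost DNS label of the address's domain is all digits (e.g. 842.384)."""
    domain = parseaddr(addr)[1].rpartition("@")[2]
    return domain.rpartition(".")[2].isdigit()


# 'from 738.521 (' matches; 'from 1.52.117.145 (' does not, because '1.52' is followed by '.'.
CLAIMED_HOST = re.compile(r"\bfrom\s+(\d+\.\d+)(?=[\s(\[])")


def numeric_claimed_hosts(received_headers):
    """Two-part pure-numeric claimed hostnames from Received headers, in header order."""
    return [m.group(1) for h in received_headers for m in [CLAIMED_HOST.search(h)] if m]


def localpart_comment_count(html: str, localpart: str) -> int:
    """How many HTML comments consist of just the To account name."""
    return len(re.findall(r"<!--\s*" + re.escape(localpart) + r"\s*-->", html))


def analyze(raw: bytes) -> dict:
    """Run every indicator over one raw RFC 5322 message and return them as a dict."""
    msg = message_from_bytes(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    localpart = parseaddr(msg.get("To", ""))[1].partition("@")[0]
    ctype = msg.get_content_type()
    cte = msg.get("Content-Transfer-Encoding", "").strip().lower()
    html, padding_missing = "", False
    if not msg.is_multipart() and ctype == "text/html" and cte == "base64":
        body, padding_missing = decode_base64_lenient(msg.get_payload())
        html = body.decode(msg.get_content_charset() or "us-ascii", errors="replace")
    return {
        "html_only": not msg.is_multipart() and ctype == "text/html",       # ~ MIME_HTML_ONLY
        "base64_text": ctype.startswith("text/") and cte == "base64",      # ~ MIME_BASE64_TEXT, any charset
        "no_html_tag": bool(html) and "<html" not in html.lower(),          # ~ HTML_MIME_NO_HTML_TAG
        "localpart_in_subject": bool(localpart) and localpart.lower() in msg.get("Subject", "").lower(),
        "from_numeric_tld": has_numeric_tld(from_addr),
        "from_numeric_localpart": from_addr.partition("@")[0].isdigit(),
        "reply_to_same_as_from": parseaddr(msg.get("Reply-To", ""))[1] == from_addr,
        "numeric_claimed_hosts": numeric_claimed_hosts(msg.get_all("Received", [])),
        "base64_padding_missing": padding_missing,
        "localpart_comment_count": localpart_comment_count(html, localpart),
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_RAW).items():
        print(f"{name:26} {value}")
```

`base64_text` fires on the charset-independent combination of a `text/*` part and a base64 transfer encoding, so an `iso-8859-1` body is flagged the same as a `us-ascii` one. The combination `html_only and no_html_tag and localpart_in_subject` is the meta the post suggests; the comment count is reported as a number rather than a boolean so a threshold can be chosen against ham stats.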