Hi,

I'm looking at trying to write some rules to detect these. Specifically, I'd like to target btinternet.com accounts (one of the largest UK telecom companies) who have recently outsourced their email to Yahoo.

An example (spam) crossed my path today that only hit bayes_99. Looking at the mail it is hard to see anything much to go on (sorry, I don't really want to post the example as it contains quite a few email addresses in the To: field). The body contains a URL which wasn't detected at the time but which I've since submitted to URIBL and is now detected.

My only thought is to try to score the mail based on the IP address submitting it to the Yahoo webmail service. For example, the first received header in my spam example is:

Received: from [88.178.198.52] by web87104.mail.ird.yahoo.com via HTTP; Fri, 25 Nov 2011 16:37:29 GMT


whereas some legitimate mails look like this:

Received: from [86.155.137.177] by web86507.mail.ird.yahoo.com via HTTP; Fri, 25 Nov 2011 18:13:12 GMT

Received: from [86.128.88.173] by web87309.mail.ird.yahoo.com via HTTP; Sun, 06 Nov 2011 10:31:58 GMT

So my spam example is clearly originating from France:

$ host 88.178.198.52
52.198.178.88.in-addr.arpa domain name pointer bop62-1-88-178-198-52.fbx.proxad.net.


whereas my legitimate examples (mostly) originate on BT's own ranges:

$ host 86.128.88.173
173.88.128.86.in-addr.arpa domain name pointer host86-128-88-173.range86-128.btcentralplus.com.

I *know* it's not fool-proof (people use webmail when travelling), but I'm thinking it's possibly worth a point or two (or maybe useful in a further meta rule) to score webmail submissions From: btinternet.com which don't originate from a BT IP range.

So any suggestions on the best way to construct the rule? I could try to catch each BT IP address range like so:

header          __LOCAL_FROM_BT_COM     From:addr =~ /\@btinternet\.com$/i
header          __LOCAL_MAILER_YAHOO    X-Mailer =~ /YahooMailWebService/
header          __L_BT_YAHOO_WEBMAIL01  Received =~ /from \[86\.1[2-9][0-9]\.\d{1,3}\.\d{1,3}] by web\d{4,6}\.mail\.\w{3}\.yahoo\.com via HTTP/i
meta            LOCAL_BT_YAHOO_WEBMAIL  (__LOCAL_FROM_BT_COM && __LOCAL_MAILER_YAHOO && !__L_BT_YAHOO_WEBMAIL01)
describe        LOCAL_BT_YAHOO_WEBMAIL  Submitted to BT/Yahoo Webmail from foreign IP
score           LOCAL_BT_YAHOO_WEBMAIL  0.001

but it would be far easier if I could somehow do a rDNS lookup on the IP, see if it matches btcentralplus.com and score those that don't.


Any thoughts or ideas?

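The check described in the post, written out in Python as an added example (not the poster's rules and not a SpamAssassin plugin): it applies the same three conditions as the LOCAL_BT_YAHOO_WEBMAIL meta rule, but replaces the hard-coded 86.1xx Received regex with the reverse-DNS test the post asks about. The sample messages are constructed from the Received lines and PTR answers quoted above; the From addresses and X-Mailer value are assumed, and the offline_resolve table stands in for live rDNS so the example runs without network access.

```python
import re
import socket
from email import message_from_string
from email.utils import parseaddr
# Yahoo's first-hop header for HTTP submissions, as quoted in the post:
# "Received: from [88.178.198.52] by web87104.mail.ird.yahoo.com via HTTP; ..."
YAHOO_WEBMAIL_RE = re.compile(
    r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by web\d{4,6}\.mail\.\w{3}\.yahoo\.com via HTTP", re.I)
BT_SENDER_RE = re.compile(r"@btinternet\.com$", re.I)
BT_RDNS_SUFFIX = ".btcentralplus.com"  # BT consumer rDNS domain seen in the post

def ptr_lookup(ip):
    """Live reverse DNS; returns None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror):
        return None

def submitting_ip(msg):
    """IP that handed the message to Yahoo webmail, or None if no such hop."""
    for hdr in msg.get_all("Received", []):
        m = YAHOO_WEBMAIL_RE.search(" ".join(hdr.split()))  # unfold the header
        if m:
            return m.group(1)
    return None

def foreign_bt_webmail(raw, resolve=ptr_lookup):
    """The post's LOCAL_BT_YAHOO_WEBMAIL meta rule with the Received-range regex
    swapped for the rDNS test it asks about. No PTR at all counts as 'not BT'."""
    msg = message_from_string(raw)
    if not BT_SENDER_RE.search(parseaddr(msg.get("From", ""))[1]):
        return False
    if "YahooMailWebService" not in msg.get("X-Mailer", ""):
        return False
    ip = submitting_ip(msg)
    if ip is None:
        return False
    ptr = resolve(ip)
    return ptr is None or not ptr.lower().endswith(BT_RDNS_SUFFIX)

# Constructed samples built from the Received lines and PTR answers quoted in the
# post; the From addresses and X-Mailer value are made up for the example.
SAMPLE_PTRS = {"88.178.198.52": "bop62-1-88-178-198-52.fbx.proxad.net",
               "86.128.88.173": "host86-128-88-173.range86-128.btcentralplus.com"}
def offline_resolve(ip):
    return SAMPLE_PTRS.get(ip)  # stands in for ptr_lookup so the example runs offline
SPAM_SAMPLE = ("Received: from [88.178.198.52] by web87104.mail.ird.yahoo.com via HTTP;"
               " Fri, 25 Nov 2011 16:37:29 GMT\nFrom: user@btinternet.com\nX-Mailer: YahooMailWebService\n\nbody\n")
HAM_SAMPLE = ("Received: from [86.128.88.173] by web87309.mail.ird.yahoo.com via HTTP;"
              " Sun, 06 Nov 2011 10:31:58 GMT\nFrom: user@btinternet.com\nX-Mailer: YahooMailWebService\n\nbody\n")
```

Note the caveat the post already raises: an address with no PTR, or a BT customer submitting from a travel connection, is flagged too, so this belongs in a low-scoring sub-rule or a meta rule rather than a decisive one.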