
SPF? DKIM? spammers can do them too

From Ivan Shmakov <ivan@siamics.net>
Newsgroups comp.mail.misc, alt.spam, alt.spam.sightings
Subject SPF? DKIM? spammers can do them too
Date 2016-10-04 16:12 +0000
Organization Aioe.org NNTP Server
Message-ID <87vax8xfdm.fsf@violet.siamics.net> (permalink)

Cross-posted to 3 groups.



	To put it short, for about a month I have been seeing a new kind of
	spam coming to (strangely) just one of my (many) mailboxes.  This one
	has DKIM-Signature: (and DomainKey-Signature:) headers in place,
	comes from domains with SPF and MX DNS records properly set up,
	and, overall, apart from its "unsolicited nature," looks just
	like legitimate email.  (IPs and MAIL FROM: data shown below.)

	There are some characteristics common to all these messages,
	however, hinting at a possible "common origin" (be it a person,
	an organization, or the specific software used.)  For instance:

	* all the Message-ID: headers follow the same [0-9A-F]{32}@HOST
	  pattern;

	* the domains are all under the "ru" ccTLD, and all registered
	  via NETHOUSE-RU; also, most were created in February or March
	  this year, but some (r-vl.ru, sarvtb.ru, sm-1.ru,
	  taxi-five.ru) are just a few days old, created on 2016-10-01;

	* all the IPs the messages come from belong to MAROSNET.

	I sent a letter last week reporting the issue to abuse at
	marosnet dot ru (per the Whois data), but have yet to see any
	response.

	Meanwhile, I've configured the firewall to drop any traffic from
	the addresses in question (but also to log incoming TCP "SYN"
	packets, i.e. connection attempts.)

	For those interested, the IPs and MAIL FROM: data are as follows
	(per ISO week.)

$ gawk '! /\sid=[0-9A-Z]{32}@/ { next; }   # keep only arrivals whose id= matches the pattern
        1 {
            # ISO year and week of the arrival timestamp ($1 = date, $2 = time)
            cmd = "date +%GW%V --date=" $1 "T" $2;
            cmd | getline key;
            close(cmd);   # release the pipe; otherwise a long log exhausts file descriptors
            save[key] = save[key] "\t" $5 " " $7 "\n";   # $5 = MAIL FROM:, $7 = [IP]
        }
        END {
            PROCINFO["sorted_in"] = "@ind_str_desc";   # newest week first
            for (key in save) { print key "\t" save[key]; }
        }'  /var/log/exim... 
2016W40	nzbhuf@sarvtb.ru [185.58.205.96]
	hlkkn@proteus-spb.ru [194.67.208.8]
	rerxboy@kaminfo.ru [193.124.176.209]
	jaqxujp@r-vl.ru [185.58.206.163]
	njlcyy@sab-moskau.ru [193.124.190.134]
	feud@taxi-five.ru [185.58.206.232]

2016W39	bcswvsv@network-asp.ru [194.67.208.143]
	yyl@sinex-real.ru [194.67.208.219]
	sstyqp@network-asp.ru [194.67.208.143]
	yqe@karaaltyn.ru [194.67.210.159]
	qbinq@cameraforme.ru [185.87.48.186]
	maq@lagorta.ru [193.124.191.224]
	szzliot@sinex-real.ru [194.67.208.219]
	iuqdjn@intra-m.ru [94.142.141.60]
	jkety@eureka-service.ru [193.124.186.253]
	vvpxww@karaaltyn.ru [194.67.210.159]
	gylay@sirius-87.ru [194.67.208.224]
	lhhg@eureka-service.ru [193.124.186.253]
	rgi@sinex-real.ru [194.67.208.219]
	qhtlw@karaaltyn.ru [194.67.210.159]
	uavvf@cameraforme.ru [185.87.48.186]
	bue@network-asp.ru [194.67.208.143]
	jmpdlx@lambdafsu.ru [193.124.189.172]
	tgan@biomedex.ru [193.124.189.192]
	zxxemip@kaminfo.ru [193.124.176.209]
	mnvi@lambdafsu.ru [193.124.189.172]
	lcsktjt@sab-moskau.ru [193.124.190.134]
	swsxv@securityprint.ru [185.5.248.60]
	vbqd@sm-1.ru [185.58.206.76]
	kxrjc@ghtersale.ru [194.67.208.7]

2016W38	pvtll@mtvigroup.ru [194.67.208.216]
	cpdve@php-art.ru [194.67.209.151]
	lhona@sirius-87.ru [194.67.208.224]
	hqphzjp@lagorta.ru [193.124.191.224]
	mewmb@cristallgrad.ru [185.87.48.131]
	dxb@php-art.ru [194.67.209.151]
	zadh@lagorta.ru [193.124.191.224]

2016W37	bct@butovo-net.ru [194.67.210.18]
	tjlwhlp@carveryachts.ru [85.93.145.29]
	orgf@butovo-net.ru [194.67.210.18]
	luaj@olympus-team.ru [194.67.209.7]
	fagvf@polexpack.ru [194.67.208.220]
	cxjqyrw@polexpack.ru [194.67.208.220]
	uyhtz@siae.ru [194.67.209.56]
	mlfpawb@delst.ru [194.67.208.249]
	jgt@php-art.ru [194.67.209.151]
	fakeb@instaltek.ru [194.67.208.232]

2016W36	vziykt@tyumfair.ru [194.67.208.60]
	rvn@fordlimo.ru [194.67.208.50]
	kqeoin@r-c-g.ru [194.67.208.101]
	vkf@e-dvd.ru [194.67.210.222]
	mwodhs@lk-prom.ru [194.67.211.17]
	otpqos@avtobogatir.ru [194.67.210.2]

-- 
FSF associate member #7257  58F8 0F47 53F5 2EB2 F6A5  8916 3013 B6A0 230E 334A
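The following is an added example and not part of the post above or of the author's setup. It does in Python what the gawk one-liner does (select Exim "<=" arrival lines whose Message-ID matches [0-9A-F]{32}@HOST and bucket them by ISO week), and goes one step further by grouping the hits by /24 netblock and by distinct sender domain per netblock, which is the "common origin" signal the post describes: an SPF or DKIM pass only says the sender controls that domain, so the useful question is how many freshly registered domains share the same infrastructure. The log lines are constructed for this example (the hex IDs, queue IDs and hostnames are made up; the field layout follows Exim's main log), and the function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample of Exim main-log arrival ("<=") lines. The .ru senders imitate
# the pattern in the post; the example.org/example.net lines are ordinary mail
# that must NOT be selected (one of them even has a 32-hex, but lowercase, id).
SAMPLE_LOG = """\
2016-10-03 09:14:02 1brEqU-0002Gk-7H <= nzbhuf@sarvtb.ru H=(mail.sarvtb.ru) [185.58.205.96] P=esmtp S=3120 id=0123456789ABCDEF0123456789ABCDEF@sarvtb.ru
2016-10-03 11:40:55 1brH5x-0004Lp-Qa <= hlkkn@proteus-spb.ru H=(mx.proteus-spb.ru) [194.67.208.8] P=esmtp S=2980 id=FEDCBA9876543210FEDCBA9876543210@proteus-spb.ru
2016-09-28 17:03:19 1bp9Ik-0001Ab-3c <= bcswvsv@network-asp.ru H=(mail.network-asp.ru) [194.67.208.143] P=esmtp S=3310 id=00FF00FF00FF00FF00FF00FF00FF00FF@network-asp.ru
2016-09-29 08:22:47 1bpNyQ-0007Zz-Wm <= sstyqp@network-asp.ru H=(mail.network-asp.ru) [194.67.208.143] P=esmtp S=3302 id=11AA11AA11AA11AA11AA11AA11AA11AA@network-asp.ru
2016-09-29 19:58:01 1bpYuc-0003Jn-Kd <= alice@example.org H=mail.example.org [203.0.113.10] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=1870 id=20160929195800.GA4242@example.org
2016-09-30 06:11:33 1bpiPd-0000Hq-Ee <= bob@example.net H=smtp.example.net [198.51.100.5] P=esmtps S=2210 id=1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d@example.net
"""

# Exim arrival line: date time queue-id <= sender H=host [ip] ... id=message-id
ARRIVAL_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<qid>\S+) <= (?P<sender>\S+) '
    r'H=(?P<host>.*?) \[(?P<ip>[0-9a-fA-F.:]+)\]'
    r'.*? id=(?P<msgid>\S+)')

# The Message-ID shape from the post: 32 upper-case hex digits, then @HOST.
# Case-sensitive on purpose; a lowercase hex id is a different generator.
SUSPECT_MSGID = re.compile(r'^[0-9A-F]{32}@')


def parse_arrival(line):
    """Return a dict of the arrival line's fields, or None for any other line."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['when'] = datetime.strptime(rec['date'] + ' ' + rec['time'],
                                    '%Y-%m-%d %H:%M:%S')
    return rec


def iso_week(dt):
    """Same key as `date +%GW%V`: ISO year and zero-padded ISO week."""
    year, week, _ = dt.isocalendar()
    return f'{year}W{week:02d}'


def suspect_arrivals(log_text):
    """Yield parsed arrivals whose Message-ID matches the suspect pattern."""
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is not None and SUSPECT_MSGID.match(rec['msgid']):
            yield rec


def suspect_by_week(log_text):
    """ISO week -> [(sender, ip), ...], newest week first (as in the post)."""
    out = defaultdict(list)
    for rec in suspect_arrivals(log_text):
        out[iso_week(rec['when'])].append((rec['sender'], rec['ip']))
    return dict(sorted(out.items(), reverse=True))


def netblock_counts(log_text, prefixlen=24):
    """Number of suspect arrivals per IPv4 /prefixlen block."""
    counts = defaultdict(int)
    for rec in suspect_arrivals(log_text):
        net = ip_network(f"{rec['ip']}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def domains_per_netblock(log_text, prefixlen=24):
    """Distinct sender domains seen per block: many domains on one block is the
    'common origin' signal, regardless of how well each domain's SPF/DKIM is set up."""
    domains = defaultdict(set)
    for rec in suspect_arrivals(log_text):
        net = ip_network(f"{rec['ip']}/{prefixlen}", strict=False)
        domains[str(net)].add(rec['sender'].rsplit('@', 1)[-1])
    return dict(domains)


if __name__ == '__main__':
    for week, hits in suspect_by_week(SAMPLE_LOG).items():
        print(week, *(f'{s} [{ip}]' for s, ip in hits), sep='\n\t')
    print(netblock_counts(SAMPLE_LOG))
    print(domains_per_netblock(SAMPLE_LOG))
```

Run it against a real mainlog by replacing SAMPLE_LOG with the file contents; the ISO-week bucketing reproduces the post's listing, and the two netblock functions give the view that an abuse report or a firewall rule would be based on.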
