New Spamming tool? (The Bat! (v3.62.03) UNREG) ????
Hi Newsgroup,
Wondering if anyone else has had the dubious honor of being selected
as (apparently) the target of someone's sick idea of sending out UCE.
This one is really weird, I thought I had it understood they just forge
the "From:" line, but this is different.
I'm getting a ton of these bounced emails from some creep sending out spam:
(this is one of the "Headers attached" bounces)
---------------------------------------------------------------------------
[-- Type: text/rfc822-headers, Encoding: 7bit, Size: 0.9K --]
armstrong<*>ugoods.com,andy<*>ugoods.com,andrews[*]ugoods.com,alvarez[*]ugoods.com,
[ More email addresses here ]
Received: from dsl.dynamic851002843.ttnet.net.tr (unknown [85.100.28.43])
by musubi.uncommongoods.com (Spam Firewall) with ESMTP
id 4BBC67E900; Mon, 21 May 2007 03:27:38 -0400 (EDT)
Received: from 205.134.237.37 (HELO geniegate.com)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <---- What's up with that???
by ugoods.com with esmtp (,,+@.0GL- 'W,W)
id PN<846-P/)/KA-E2
for audrey<*>ugoods.com; Mon, 21 May 2007 07:27:51 -0200
Date: Mon, 21 May 2007 07:27:51 -0200
From: "Sherri Babb" <lecgeniegatepuh@geniegate.com>
X-Mailer: The Bat! (v3.62.03) UNREG / CD5BF9353B3B7091
X-Priority: 3 (Normal)
Message-ID: <707734297.06348204640133@thhebat.net>
----------------------------------------------------------------------------
Note one of the "Received" headers actually has my domain name in it. It would really
look as though the email passed through "geniegate.com" at some point.
I did a grep through every single log file looking for 'ugoods' (and several other
"to" email addresses from other spam) and none were found, if sendmail is actually
acting as a relay, it isn't recording it anywhere.
Anyone seen this? "The Bat!" seems to be the spam tool in use. I'm getting bounced
spam at such a high rate it's coming in faster than I can download it. All these
people seem to think I'm the one sending it out. (I thought I was too at first from
seeing the headers, until doing a grep on the log files)
Jamie
--
http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions
Jerry Stuckle 2007-05-21, 6:17 pm
Jamie wrote:
> Hi Newsgroup,
>
> Wondering if anyone else has had the dubious honor of being selected
> as (apparently) the target of someone's sick idea of sending out UCE.
>
> This one is really weird, I thought I had it understood they just forge
> the "From:" line, but this is different.
>
> I'm getting a ton of these bounced emails from some creep sending out spam:
> (this is one of the "Headers attached" bounces)
>
> ---------------------------------------------------------------------------
> [-- Type: text/rfc822-headers, Encoding: 7bit, Size: 0.9K --]
> armstrong<*>ugoods.com,andy<*>ugoods.com,andrews[*]ugoods.com,alvarez[*]ugoods.com,
> [ More email addresses here ]
>
> Received: from dsl.dynamic851002843.ttnet.net.tr (unknown [85.100.28.43])
> by musubi.uncommongoods.com (Spam Firewall) with ESMTP
> id 4BBC67E900; Mon, 21 May 2007 03:27:38 -0400 (EDT)
>
> Received: from 205.134.237.37 (HELO geniegate.com)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ <---- What's up with that???
>
> by ugoods.com with esmtp (,,+@.0GL- 'W,W)
> id PN<846-P/)/KA-E2
> for audrey<*>ugoods.com; Mon, 21 May 2007 07:27:51 -0200
> Date: Mon, 21 May 2007 07:27:51 -0200
> From: "Sherri Babb" <lecgeniegatepuh@geniegate.com>
> X-Mailer: The Bat! (v3.62.03) UNREG / CD5BF9353B3B7091
> X-Priority: 3 (Normal)
> Message-ID: <707734297.06348204640133@thhebat.net>
> ----------------------------------------------------------------------------
>
>
> Note one of the "Received" headers actually has my domain name in it. It would really
> look as though the email passed through "geniegate.com" at some point.
>
> I did a grep through every single log file looking for 'ugoods' (and several other
> "to" email addresses from other spam) and none were found, if sendmail is actually
> acting as a relay, it isn't recording it anywhere.
>
> Anyone seen this? "The Bat!" seems to be the spam tool in use. I'm getting bounced
> spam at such a high rate it's coming in faster than I can download it. All these
> people seem to think I'm the one sending it out. (I thought I was too at first from
> seeing the headers, until doing a grep on the log files)
>
>
> Jamie
Jamie,
It could be a "joe job" - one where someone puts your email in the
sender's address. It's also possible they gimmicked the "Received"
headers to mask the actual route.
But without all the headers (at least up to the Content-Type), it's
impossible to trace back what might be good and what might be falsified.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
In <RcmdnRQOyMJZRczbnZ2dnUVZ_hCdnZ2d@comcast.com>,
Jerry Stuckle <jstucklex@attglobal.net> mentions:
>It could be a "joe job" - one where someone puts your email in the
>sender's address. It's also possible they gimmicked the "Received"
>headers to mask the actual route.
I knew about the "joe job" thing, but, I'd never seen it done to
such a degree.
>But without all the headers (at least up to the Content-Type), it's
>impossible to trace back what might be good and what might be falsified.
Here is another (headers forwarded from automated bounce tool)
-------
Received: with MailEnable Postoffice Connector; Sun, 20 May 2007 10:13:12 -0700
Received: from êîìï1 ([212.96.200.115]) by tynax.com with MailEnable ESMTP; Sun, 20 May 2007 10:13:11 -0700
Return-Path: <lecgeniegatepuh@geniegate.com>
Received: from 205.134.237.37 (HELO geniegate.com)
by zero-to-ipo.com with esmtp (9()48(J99 7:,F29)
id )7*/7)-D4XRQ2-@8
for david<*_AT_*>zero-to-ipo.com; Sun, 20 May 2007 17:13:28 -0500
Date: Sun, 20 May 2007 17:13:28 -0500
From: "Denver Carrillo" <lecgeniegatepuh@geniegate.com>
X-Mailer: The Bat! (v3.5.30) Educational
X-Priority: 3 (Normal)
Message-ID: <943627265.66195394757185@thhebat.net>
To: david<*_AT_*>zero-to-ipo.com
Subject: Get out of the obese crowd
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----------2CD31F4673188F"
X-Spam: Not detected
-------
I changed the @ to <*_AT_*> no need to put these poor peoples email addresses
in public again..
In all the cases, the "Received: from 205.134.237.37 (HELO geniegate.com)" seems
to be the point of origin, (that particular header is always the last one
listed)
I had never heard of forging Received: headers before this, Grr...
Jamie
--
http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions
Ben Jamieson 2007-05-21, 6:17 pm
On 2007-05-21 13:20:58 -0400, nospam@geniegate.com (Jamie) said:
> Hi Newsgroup,
>
> Wondering if anyone else has had the dubious honor of being selected
> as (apparently) the target of someone's sick idea of sending out UCE.
We've been rejecting anything with "The Bat" in the X-Mailer header
at a server level for about a year.... none of our clients have
complained, and no reports of a false positive....
I'd recommend this as a standard filter
--
Thyme Online Ltd
Caribbean Web Design
http://www.thymeonline.com/
Beauregard T. Shagnasty 2007-05-21, 6:17 pm
Jamie wrote:
> Anyone seen this? "The Bat!" seems to be the spam tool in use.
The Bat! is a well-respected email client, and is not a spam tool.
Unless a spammer is using it to send spam, but that is not the fault of
the client.
http://www.ritlabs.com/en/products/thebat/
--
-bts
-Motorcycles defy gravity; cars just suck
Jerry Stuckle 2007-05-21, 6:17 pm
Jamie wrote:
> In <RcmdnRQOyMJZRczbnZ2dnUVZ_hCdnZ2d@comcast.com>,
> Jerry Stuckle <jstucklex@attglobal.net> mentions:
>
> I knew about the "joe job" thing, but, I'd never seen it done to
> such a degree.
>
>
> Here is another (headers forwarded from automated bounce tool)
>
> -------
> Received: with MailEnable Postoffice Connector; Sun, 20 May 2007 10:13:12 -0700
> Received: from êîìï1 ([212.96.200.115]) by tynax.com with MailEnable ESMTP; Sun, 20 May 2007 10:13:11 -0700
> Return-Path: <lecgeniegatepuh@geniegate.com>
> Received: from 205.134.237.37 (HELO geniegate.com)
> by zero-to-ipo.com with esmtp (9()48(J99 7:,F29)
> id )7*/7)-D4XRQ2-@8
> for david<*_AT_*>zero-to-ipo.com; Sun, 20 May 2007 17:13:28 -0500
> Date: Sun, 20 May 2007 17:13:28 -0500
> From: "Denver Carrillo" <lecgeniegatepuh@geniegate.com>
> X-Mailer: The Bat! (v3.5.30) Educational
> X-Priority: 3 (Normal)
> Message-ID: <943627265.66195394757185@thhebat.net>
> To: david<*_AT_*>zero-to-ipo.com
> Subject: Get out of the obese crowd
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----------2CD31F4673188F"
> X-Spam: Not detected
> -------
>
> I changed the @ to <*_AT_*> no need to put these poor peoples email addresses
> in public again..
>
> In all the cases, the "Received: from 205.134.237.37 (HELO geniegate.com)" seems
> to be the point of origin, (that particular header is always the last one
> listed)
>
> I had never heard of forging Received: headers before this, Grr...
>
> Jamie
Jamie,
Interesting. Normally I expect to see the Received: headers following
the Return-Path: But in this case there is one before that.
Just out of curiosity, I tried to relay a message through your server,
and it (correctly) replied RELAY DENIED. So you're not an open relay,
anyway.
But is it possible your contact form got hacked? It's been known to
happen. Also, it could be that your email server has been hacked - and
someone is signing into it.
However, if this were the case I would expect to see something in your
mail logs - but you indicate there is none.
212.96.200.115 resolves to hotmail.com - I don't think it's possible to
insert headers like this through hotmail. I could be wrong - but you
really need to inject the headers directly into the SMTP stream, and you
can't do that unless you're communicating directly with an SMTP server.
All in all, it's quite puzzling - but from this end it does look like it
went through your smtp server. I'd suggest you check your logs very
closely at the time the mail supposedly went through (Sun, 20 May 2007
17:13:28 -0500) and see if there is any unusual activity there.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Mark Goodge 2007-05-21, 6:17 pm
On Mon, 21 May 2007 18:54:19 GMT, Beauregard T. Shagnasty put finger
to keyboard and typed:
>Jamie wrote:
>
>
>The Bat! is a well-respected email client, and is not a spam tool.
>Unless a spammer is using it to send spam, but that is not the fault of
>the client.
The Bat! (What is it with the Yahoo!-like! exclamation! mark!?) is
often used as a forged UA because it is a real client but on that's
not so well known, and hence is more likely to get beneficial points
on score-based anti-spam systems such as SpamAssassin (unlike
Microsoft Outlook, which is also often forged but more easily
detectable as such as it's more familiar).
Mark
--
Visit: http://www.MotorwayServices.info - read and share comments and opinions
"I need someone to hide under, should the sky fall on my car"
In <h5CdnfFq2L1HaczbnZ2dnUVZ_tyinZ2d@comcast.com>,
Jerry Stuckle <jstucklex@attglobal.net> mentions:
>Interesting. Normally I expect to see the Received: headers following
>the Return-Path: But in this case there is one before that.
>
>Just out of curiosity, I tried to relay a message through your server,
>and it (correctly) replied RELAY DENIED. So you're not an open relay,
>anyway.
Thanks!
>But is it possible your contact form got hacked? It's been known to
>happen. Also, it could be that your email server has been hacked - and
>someone is signing into it.
I'm pretty sure the contact form wasn't hacked (I sometimes see people trying
to hack it, but I was pretty careful about implementing it, i.e., you can't
"force" a \r or a \n in there to fake out the headers (or specify a bogus
"To:" address)
>However, if this were the case I would expect to see something in your
>mail logs - but you indicate there is none.
There really isn't anything all that unusual in the logs, if the contact
form were hacked, I should expect to see hundreds of email messages going
through it (the contact form uses a local SMTP server) and there really aren't
that many (except those I normally get)
Only "unusual" thing I'm seeing are thousands of messages with
<whatever>[at]geniegate.com, relating to the bounced email from all these
people who (understandably) think I'm spamming them.
>212.96.200.115 resolves to hotmail.com - I don't think it's possible to
>insert headers like this through hotmail. I could be wrong - but you
>really need to inject the headers directly into the SMTP stream, and you
>can't do that unless you're communicating directly with an SMTP server.
I didn't think it was possible to forge Received: headers, unless perhaps,
you were the very first in the chain. But, I see all kinds of different
routes in the Received: lines from different hosts. (perhaps windows boxes
people left unsecured?)
>All in all, it's quite puzzling - but from this end it does look like it
>went through your smtp server. I'd suggest you check your logs very
>closely at the time the mail supposedly went through (Sun, 20 May 2007
>17:13:28 -0500) and see if there is any unusual activity there.
Haven't seen any, here is yours (with possible personal info snipped)
May 21 12:21:21 sendmail[19399]: l4LJL8h19399: ruleset=check_rcpt,
arg1=[SNIPPED YOUR EMAIL], relay=[SNIP YOUR IP].comcast.net [0.0.0.0], reject=550 5.7.1
[snip, your email address] ... Relaying denied
May 21 12:21:26 sendmail[19399]: l4LJL8h19399: from=[snip]@[snip], size=0,
class=0, nrcpts=0, proto=SMTP, daemon=MSA, relay=[snip].comcast.net [0.0.0.0]
The above ("Relaying denied") seems to indicate all is well?
Thanks for testing it though, much appreciated!
Jamie
--
http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions
Beauregard T. Shagnasty 2007-05-21, 6:17 pm
Mark Goodge wrote:
> The Bat! (What is it with the Yahoo!-like! exclamation! mark!?)
Who knows? Only the author knows!
The Bat! ... Yahoo! ... Avast! ... must be "marketing."
--
-bts
-Motorcycles defy gravity; cars just suck
Mark Goodge 2007-05-21, 6:17 pm
On Mon, 21 May 2007 20:50:50 GMT, Beauregard T. Shagnasty put finger
to keyboard and typed:
>Mark Goodge wrote:
>
>
>Who knows? Only the author knows!
>
>The Bat! ... Yahoo! ... Avast! ... must be "marketing."
I think it's just Bollocks!
Mark
--
Visit: http://names.orangehedgehog.com - British surname distribution profiles
"When your thoughts are too expensive to ever want to keep"
Jerry Stuckle 2007-05-21, 10:21 pm
Jamie wrote:
> In <h5CdnfFq2L1HaczbnZ2dnUVZ_tyinZ2d@comcast.com>,
> Jerry Stuckle <jstucklex@attglobal.net> mentions:
>
> Thanks!
>
>
> I'm pretty sure the contact form wasn't hacked (I sometimes see people trying
> to hack it, but I was pretty careful about implementing it, i.e., you can't
> "force" a \r or a \n in there to fake out the headers (or specify a bogus
> "To:" address)
>
OK, just making sure. Sometimes the things you're "sure of" will come
back to bite you.
>
> There really isn't anything all that unusual in the logs, if the contact
> form were hacked, I should expect to see hundreds of email messages going
> through it (the contact form uses a local SMTP server) and there really aren't
> that many (except those I normally get)
>
I wouldn't necessarily say "hundreds of email messages". I've seen
spammers who try to space their spam so that the domain owner doesn't
see it. However, if you're seeing all of those bounces and nothing
else, I suspect that's not the problem.
> Only "unusual" thing I'm seeing are thousands of messages with
> <whatever>[at]geniegate.com, relating to the bounced email from all these
> people who (understandably) think I'm spamming them.
>
Ok, you've been subjected to a "joe job" then. My sympathies. However,
any site which actually looks at the headers will see that.
>
> I didn't think it was possible to forge Received: headers, unless perhaps,
> you were the very first in the chain. But, I see all kinds of different
> routes in the Received: lines from different hosts. (perhaps windows boxes
> people left unsecured?)
>
It's quite easy to insert any headers you want if you're running your
own MTA (Mail Transfer Agent). No, you can't affect anything after it
leaves your site - but you can insert anything you want early on. Often
times it makes the headers somewhat confusing (as are here).
>
> Haven't seen any, here is yours (with possible personal info snipped)
>
> May 21 12:21:21 sendmail[19399]: l4LJL8h19399: ruleset=check_rcpt,
> arg1=[SNIPPED YOUR EMAIL], relay=[SNIP YOUR IP].comcast.net [0.0.0.0], reject=550 5.7.1
> [snip, your email address] ... Relaying denied
>
> May 21 12:21:26 sendmail[19399]: l4LJL8h19399: from=[snip]@[snip], size=0,
> class=0, nrcpts=0, proto=SMTP, daemon=MSA, relay=[snip].comcast.net [0.0.0.0]
>
> The above ("Relaying denied") seems to indicate all is well?
>
> Thanks for testing it though, much appreciated!
>
> Jamie
Yep, that was me checking it out. And it failed, as it should.
BTW - I appreciate you snipping the personal info - but I *never* use
this email anyway, so it doesn't make a difference :-)
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Toby A Inkster 2007-05-22, 6:26 pm
Jamie wrote:
> Anyone seen this? "The Bat!" seems to be the spam tool in use. I'm
> getting bounced spam at such a high rate it's coming in faster than I
> can download it.
"The Bat!" is a fairly decent, and entirely innocent Windows mail client.
It's likely that some spammer has just forged the X-Mailer header. This is
quite a common practice, as a fake-looking X-Mailer header, or no X-Mailer
header at all is a fairly good indication of spam, so spam filters are
more likely to flag.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 87 days, 23:12.]
The Great Wi-Fi Controversy
http://tobyinkster.co.uk/blog/2007/05/22/wifi-scare/
Toby A Inkster 2007-05-22, 6:26 pm
Jamie wrote:
> I didn't think it was possible to forge Received: headers, unless perhaps,
> you were the very first in the chain.
It's easy to forge them -- if a piece of mail passes through my server, I
could tamper or remove any existing "Received" headers. After it's left my
server, any later headers are beyond my control.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 87 days, 23:17.]
The Great Wi-Fi Controversy
http://tobyinkster.co.uk/blog/2007/05/22/wifi-scare/
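As an added example (not code from the thread or from any poster), here is how a receiving site can apply the rule Jerry and Toby describe: only the Received: lines written by your own MTAs are trustworthy, and everything beneath the first hop you did not write is sender-supplied. It parses a constructed header block adapted from the first bounce Jamie quoted and flags the two forgery indicators visible there, an untrusted hop claiming to have been handled "by" the recipient's own domain and a hop whose timestamp is later than the hop that received it; the MTA hostname in OUR_MTAS and the domains in OUR_DOMAINS are assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, adapted from the first bounce quoted in the thread
# (recipient address replaced, continuation lines re-indented so they parse).
SAMPLE = """\
Received: from dsl.dynamic851002843.ttnet.net.tr (unknown [85.100.28.43])
 by musubi.uncommongoods.com (Spam Firewall) with ESMTP
 id 4BBC67E900; Mon, 21 May 2007 03:27:38 -0400 (EDT)
Received: from 205.134.237.37 (HELO geniegate.com)
 by ugoods.com with esmtp (,,+@.0GL- 'W,W)
 id PN<846-P/)/KA-E2
 for user@ugoods.com; Mon, 21 May 2007 07:27:51 -0200
From: "Sherri Babb" <lecgeniegatepuh@geniegate.com>
X-Mailer: The Bat! (v3.62.03) UNREG / CD5BF9353B3B7091

(body omitted)
"""

# Hostnames of the MTAs we operate (assumed) and the domains they receive for.
OUR_MTAS = {"musubi.uncommongoods.com"}
OUR_DOMAINS = ("uncommongoods.com", "ugoods.com")
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?"
    r".*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")

def parse_hops(raw):
    """Return the Received: hops top-down (most recent hop first)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if not m:
            continue
        ip = re.search(r"\[(\d+(?:\.\d+){3})\]", m.group("info") or "")
        hops.append({"from": m.group("from"), "by": m.group("by").lower(),
                     "ip": ip.group(1) if ip else m.group("from"),
                     "when": parsedate_to_datetime(m.group("date"))})
    return hops

def analyse(raw):
    """Split the chain at the trust boundary and list forgery indicators."""
    hops = parse_hops(raw)
    findings, origin_ip, trusted = [], None, True
    for i, hop in enumerate(hops):
        if trusted and hop["by"] in OUR_MTAS:
            origin_ip = hop["ip"]  # peer seen by the last hop we wrote
            continue
        trusted = False  # every hop below this one is sender-supplied
        if hop["by"].endswith(OUR_DOMAINS):
            findings.append(f"hop {i}: untrusted header claims 'by {hop['by']}'")
        if i and hop["when"] > hops[i - 1]["when"]:
            findings.append(f"hop {i}: timestamp later than the hop that received it")
    return {"origin_ip": origin_ip, "hops": len(hops), "findings": findings}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Run against the sample, the trusted hop names 85.100.28.43 as the real peer, while the inner hop is flagged both for claiming "by ugoods.com" and for its timestamp of 09:27:51 UTC, two hours after the 07:27:38 UTC hop above it.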
Garrie 2007-05-24, 6:26 pm
Jamie wrote:
> Anyone seen this? "The Bat!" seems to be the spam tool in use.
The Bat! is obviously NOT a spam tool. It's a quite good mail client:
http://www.ritlabs.com/en/products/thebat/
But it's paid software, so I prefer to use my Thunderbird.