Spammers take revenge – "Joe jobs" against joewein.de
We don't send spam, we fight spam. Obviously this doesn't make us very popular with spammers whose websites get listed on our spam domain list. As a result, one or more spammers have done a total of four "Joe jobs" on us so far. A "Joe job" is a spam run whose messages use a fake sender address and/or content "advertising" the victim, making it look as if an innocent person was the originator of the mail. The intention is to cause trouble for that person (more info about "Joe jobs" here). The most recent batch went out on 2005-07-23 and (as of 2005-07-28) seems to be continuing. The spam was sent using bulk email software called DMS ("Direct Mail Sender"), written by Alexey Panov, who ranks in the top ten of the Spamhaus ROKSO list. Here is an example of this spam:
From: "Stagger I. Unhooked" <autoconf@kyokofukada.net>

Below are some message headers from spam forwarded to us, which list the infected hosts from which the spam was sent. The infected host is the one named in the topmost Received line, i.e. the machine that connected directly to the recipient's mail server; the Received line below it, which makes the mail look as if it had been relayed from the sender's domain through that machine, arrived inside the message and was written by the spam software itself. You can see that some of the mails are addressed to a1aaa1azzzz1zaaazaaa-style addresses such as a1aaa1azzzz1zaaaaa@domain, an address that is unlikely to exist on those mail servers. Such mails are delivered to the "catch-all" account on the server, if one is enabled, which is normally read by the administrator of the host. It is as if the spammer was specifically trying to get administrators upset about our website, maybe because he thought they would know how to contact the abuse handling department of our web hoster. Normal users, if they send any complaints at all, tend either to write directly to a contact address listed on the advertised website or to complain to the abuse department responsible for the sender address (which is fake in this case). Therefore I think the spammer was trying to get our website suspended. The more likely outcome, however, is that the spam gang will lose many of the DMS proxies via which the spam was sent, as the admins report the DMS proxies to the abuse departments in charge of the abused hosts.

A number of other anti-spam sites or personal sites of anti-spam activists were targeted by Joe jobs during the last couple of months. These include:
c51449b22.cable.wanadoo.nl (Netherlands):

Received: from crewstart.com (c51449b22.cable.wanadoo.nl [81.68.155.34]) by hostname (8.9.3-A/8.9.3) with SMTP id VAA08519.37078 for <emailaddress> sent by <greenwood@evafan.com>; Sun, 24 Jul 2005 21:13:14 -0500 (CDT)
X-Authentication-Warning: hostname: Host c51449b22.cable.wanadoo.nl [81.68.155.34] claimed to be crewstart.com
Received: from evafan.com (evafan.com [216.152.252.58]) by crewstart.com (Postfix) with ESMTP id 817C6687AA for <emailaddress>; Sat, 23 Jul 2005 23:16:23 -0500
From: "Crucifixes U. Ampler" <greenwood@evafan.com>
To: Username <emailaddress>
Subject: Hi dear
Date: Sat, 23 Jul 2005 23:16:23 -0500
Message-ID: <001001c59006$2931d486$fa5b060c@evafan.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-Virus-Scanned: by Ameriserv.net Anti-Virus E-Gateway
200-171-190-136.dsl.telesp.net.br (São Paulo, Brazil):

Received: from 200-171-190-136.dsl.telesp.net.br ([200.171.190.136]) by mail.powerviewsystems.com (Merak 8.2.2) with SMTP id KME38518 for
222.96.121.165 (KORNET, South Korea):

Return-Path: <tanghus@mail.com>
Received: from futbolamericano.com ([222.96.121.165]) by mailserver4.nebula.fi (8.12.10/8.12.10) with SMTP id j6P5Id5T023332 for <a1aaa1azzzz1zaaaaa@domain>; Mon, 25 Jul 2005 08:18:42 +0300
Received: from mail.com (mail-com-bk.mr.outblaze.com [64.71.166.194]) by futbolamericano.com (Postfix) with ESMTP id 2C32445668 for <a1aaa1azzzz1zaaaaa@domain>; Sun, 24 Jul 2005 19:21:40 -0500
From: "Ransomed I. Jason" <tanghus@mail.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Sun, 24 Jul 2005 19:21:40 -0500
Message-ID: <101101c590ae$3fe02c44$fb6e1c3c@mail.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-Virus-Scanned: Norton
cpc2-ruth1-5-0-cust111.renf.cable.ntl.com:

Return-Path: <fliptop@guanajuato.com>
Received: from cpc2-ruth1-5-0-cust111.renf.cable.ntl.com ([80.5.137.111] verified) by X (CommuniGate Pro SMTP 4.3.5) with SMTP id 8636265 for X; Sun, 24 Jul 2005 02:15:58 +0200
Received: from guanajuato.com (guanajuato-com-bk.mr.outblaze.com [64.62.181.94]) by cpc2-ruth1-5-0-cust111.renf.cable.ntl.com (Postfix) with ESMTP id 0B142AA183 for <X>; Sat, 23 Jul 2005 14:18:49 -0500
From: "Preteen V. Slathering" <fliptop@guanajuato.com>
To: X <X>
Subject: Hi dear
Date: Sat, 23 Jul 2005 14:18:49 -0500
Message-ID: <101101c58fbb$98272312$1adaa87e@guanajuato.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1123
X-RAV-Antivirus: This e-mail has been scanned for viruses on host: cpc2-ruth1-5-0-cust111.renf.cable.ntl.com
X-Antivirus: AVG for E-mail 7.0.338 [267.9.4]
ip-sv.66.249.195.124.telefonica-ca.net:

Return-path: <amck@google.com>
Envelope-to: emailaddress
Delivery-date: Mon, 25 Jul 2005 01:44:43 +0100
Received: from [66.249.195.124] (helo=ip-sv.66.249.195.124.telefonica-ca.net) by emailhost with smtp (Exim 4.24) id 1Dwr5G-000C1h-Vq for emailaddress; Mon, 25 Jul 2005 01:44:43 +0100
Received: from google.com (smtp3.google.com [216.239.57.26]) by ip-sv.66.249.195.124.telefonica-ca.net (Postfix) with ESMTP id 8F46B44695 for <emailaddress>; Sat, 23 Jul 2005 21:48:26 -0500
From: "Rebuff I. Naturalists" <amck@google.com>
To: Freespirit <emailaddress>
Subject: Hi dear
Date: Sat, 23 Jul 2005 21:48:26 -0500
Message-ID: <101101c58ffa$1c0211ef$463fe251@google.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.3416
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
X-RAV-Antivirus: This e-mail has been scanned for viruses on host: ip-sv.66.249.195.124.telefonica-ca.net
68-112-75-197.dhcp.jcsn.tn.charter.com (USA):

Received: from 68-112-75-197.dhcp.jcsn.tn.charter.com (HELO 68-112-75-197.dhcp.jcsn.tn.charter.com) [68.112.75.197] by mx0.gmx.net (mx057) with SMTP; 25 Jul 2005 02:45:18 +0200
Received: from prodigy.com (prodigy.com [207.115.61.104]) by 68-112-75-197.dhcp.jcsn.tn.charter.com (Postfix) with ESMTP id 6814B3F431 for <xxxxx@gmx.xx>; Sat, 23 Jul 2005 21:49:01 -0500
From: "Carcinomata C. Villainous" <rdkeys@prodigy.com>
To: <xxxxx@gmx.xx>
Subject: Hi dear
Date: Sat, 23 Jul 2005 21:49:01 -0500
Message-ID: <010001c58ffa$29dbf7ff$c89abb55@prodigy.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2505.0000
X-RAV-Antivirus: This e-mail has been scanned for viruses on host: 68-112-75-197.dhcp.jcsn.tn.charter.com
j28107.upc-j.chello.nl (Netherlands):

X-Envelope-From: <msingh@queretaro.com>
X-Envelope-To: <a1aaa1azzzz1zaaaaa@domain>
X-Delivery-Time: 1122490519
Received: from j28107.upc-j.chello.nl (j28107.upc-j.chello.nl [24.132.28.107]) by mailin.webmailer.de (8.13.1/8.13.1) with SMTP id j6RItFSk026883 for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 20:55:18 +0200 (MEST)
Received: from queretaro.com (queretaro-com.mr.outblaze.com [205.158.62.181]) by j28107.upc-j.chello.nl (Postfix) with ESMTP id 0BF3DCF2F9 for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 08:58:01 -0500
From: "Bleakly P. Newsstands" <msingh@queretaro.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Wed, 27 Jul 2005 08:58:01 -0500
Message-ID: <100101c592b3$912f5799$3971bd76@queretaro.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
X-Virus-Scanned: by Ameriserv.net Anti-Virus E-Gateway

static61.17.27-203.vsnl.eth.net (India):

Received: from [61.17.27.203] (helo=static61.17.27-203.vsnl.eth.net) by mailhost with smtp (Exim 4.52) id 1Dy52u-0006c3-Hg for a1aaa1azzzz1zaaaaa@domain; Thu, 28 Jul 2005 11:51:22 +0200
Received: from norika-fujiwara.com (norika-fujiwara-com-bk.mr.outblaze.com [208.36.123.75]) by static61.17.27-203.vsnl.eth.net (Postfix) with ESMTP id 25950A25A4 for <a1aaa1azzzz1zaaaaa@domain>; Wed, 27 Jul 2005 23:54:06 -0500
From: "Smiths D. Authorship" <tug@norika-fujiwara.com>
To: A <a1aaa1azzzz1zaaaaa@domain>
Subject: Hi dear
Date: Wed, 27 Jul 2005 23:54:06 -0500
Message-ID: <110001c59330$2a9feddb$f088b5b5@norika-fujiwara.com>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2605
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
X-Virus-Scanned: Symantec AntiVirus Scan Engine
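To make concrete which of those Received lines can be trusted, here is an added Python example (not code from the original page, and not part of jwSpamSpy). It unfolds a header block, walks the Received chain from the top, and splits it at the hop written by our own mail server: the peer IP on that line is the one the server actually saw on the socket, so that is the DMS proxy to report; every Received line below it arrived inside the message and may have been written by the spam software itself. It also flags a HELO name that disagrees with the reverse DNS of the connecting host, the condition that produced the X-Authentication-Warning above, and an inner line claiming that the proxy itself relayed the mail from the sender's domain. mx.example.net, victim@example.net and the SAMPLE text are constructed; the remaining names and addresses in it are copied from the wanadoo.nl specimen above. The regular expressions are written for the sendmail, Postfix and Exim forms seen on this page; other MTA formats are an assumption.

```python
"""Which host does a Joe-job header chain actually incriminate?

Added example, not code from the original page or from jwSpamSpy. It separates the
one Received line our own MX wrote (whose peer IP we observed on the socket) from
the lines the sending host handed over below it, which a DMS proxy can forge freely.
mx.example.net and victim@example.net are assumed placeholders; the other names and
addresses in SAMPLE are copied from the wanadoo.nl specimen quoted on the page.
"""
import re

# Constructed sample modelled on the wanadoo.nl headers (placeholders swapped in).
SAMPLE = """\
Received: from crewstart.com (c51449b22.cable.wanadoo.nl [81.68.155.34])
\tby mx.example.net (8.9.3-A/8.9.3) with SMTP id VAA08519.37078
\tfor <victim@example.net> sent by <greenwood@evafan.com>;
\tSun, 24 Jul 2005 21:13:14 -0500 (CDT)
X-Authentication-Warning: mx.example.net: Host c51449b22.cable.wanadoo.nl [81.68.155.34] claimed to be crewstart.com
Received: from evafan.com (evafan.com [216.152.252.58])
\tby crewstart.com (Postfix) with ESMTP id 817C6687AA
\tfor <victim@example.net>; Sat, 23 Jul 2005 23:16:23 -0500
From: "Crucifixes U. Ampler" <greenwood@evafan.com>
To: Username <victim@example.net>
Subject: Hi dear
X-Mailer: Microsoft Outlook, Build 10.0.2605
"""

# Tuned to the sendmail, Postfix and Exim Received forms shown on the page;
# other MTAs may need adjusting (assumption).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the client announced in HELO/EHLO
    r"(?:\s*\((?P<paren>[^)]*)\))?"    # receiving MTA's note: rDNS and/or [ip], or helo=
    r".*?\bby\s+(?P<by>[\w.-]+)",      # the MTA that wrote this line
    re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RDNS_RE = re.compile(r"([\w.-]+)\s*\[")
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+)>?")


def unfold_headers(raw):
    """Return [(name, value), ...] with RFC 2822 folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and headers:            # continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull HELO name, rDNS name, peer IP, receiving MTA and envelope recipient."""
    m = RECEIVED_RE.search(value)
    if not m:
        return {}
    helo, paren = m.group("helo"), m.group("paren") or ""
    if "helo=" in paren:                            # Exim writes "from [ip] (helo=name)"
        helo = paren.split("helo=", 1)[1].split()[0]
    ip_m, rdns_m, for_m = IP_RE.search(value), RDNS_RE.match(paren), FOR_RE.search(value)
    return {
        "helo": helo,
        "rdns": rdns_m.group(1) if rdns_m else None,
        "ip": ip_m.group(1) if ip_m else None,
        "by": m.group("by"),
        "for": for_m.group(1) if for_m else None,
    }


def trace(raw, own_hosts):
    """Split the chain at the hop our own MX wrote; only that peer IP is trustworthy."""
    headers = unfold_headers(raw)
    hops = [parse_received(v) for n, v in headers if n.lower() == "received"]
    warnings = [v for n, v in headers if n.lower() == "x-authentication-warning"]
    own = {h.lower() for h in own_hosts}
    for i, hop in enumerate(hops):
        if hop.get("by", "").lower() in own:
            forged = hops[i + 1:]                   # handed over by the client, unverified
            return {
                "report_ip": hop["ip"],             # the DMS proxy to report to its ISP
                "helo": hop["helo"],
                "rdns": hop["rdns"],
                # HELO name that does not match the rDNS of the connecting host
                "helo_mismatch": bool(hop["rdns"]) and hop["helo"].lower() != hop["rdns"].lower(),
                "recipient": hop["for"],
                "forged_hops": forged,
                # inner line pretending the proxy itself relayed it from the From: domain
                "fake_relay_claims": [h["by"] for h in forged
                                      if h.get("by", "").lower() == hop["helo"].lower()],
                "auth_warnings": warnings,
            }
    raise ValueError("no Received line written by one of our own hosts")


if __name__ == "__main__":
    result = trace(SAMPLE, {"mx.example.net"})
    print("report to abuse desk for:", result["report_ip"], "(rDNS", result["rdns"] + ")")
    print("HELO mismatch:", result["helo_mismatch"], "| unverified hops below:", len(result["forged_hops"]))
    for h in result["forged_hops"]:
        print("  untrusted: from", h["helo"], h["ip"], "by", h["by"])
```

Run it as a script to print the summary. trace() raises if no Received line was written by one of the hosts you pass as your own, which is the right failure mode: a chain with no hop you verified yourself says nothing reliable about whom to report.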
Joe job on 2004-02-27

Previous emails were sent by (as yet) unknown person(s) to thousands of recipients on 16 December 2003 at 07:55 UTC, trying to make us look like spammers. Another batch, with a different message body and a different sender, was sent on 19 December 2003. Providers in both Argentina and Hong Kong were used for the first spam. The second batch was sent via Comcast, a provider in the USA. This last mail used as its fake sender address the mail abuse handler of the company that hosts our website. Therefore all error messages for undeliverable spam ended up going to our web hoster. If I really were a spammer I'd have to be pretty stupid to dump all my spam bounces onto my own web hoster...
The bulk mailer employed in all these spams is quite rare; in fact, we have only five previous specimens of it in our 100,000-odd item spam archive, all five sent in November or December of 2003. We suspect that the sender of the "Joe job" and the sender of one or more of these spam mails is the same person. If you have received any spam using this bulk emailer, send us a copy!
Version #4 (27-Feb-2004):
Version #3 (19-Dec-2003):
Version #2 (16-Dec-2003):
Version #1 (16-Dec-2003):
% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2003-12-16 07:50:28 (BRST -02:00)

inetnum:     200.63.144/23
status:      reallocated
owner:       Telefonica de Argentina
ownerid:     AR-TEAR7-LACNIC
responsible: Marcelo A. Muñoz
address:     Defensa, 390, Piso 5
address:     1065 - Buenos Aires - CF
country:     AR
phone:       +54 11 4-3335509 []
owner-c:     TEA
tech-c:      TEA
created:     20030916
changed:     20030916
inetnum-up:  200.63.128/18

nic-hdl:     TEA
person:      TELEFONICA DE ARGENTINA
e-mail:      tasamail@TELEFONICA.COM.AR
address:     H. Yrigoyen 1556 - 8th floor, 1556,
address:     1089 - Capital Federal - BA
country:     AR
phone:       +54 11 4332-2364 []
created:     20030618
changed:     20030915

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.
inetnum:      218.252.0.0 - 218.255.255.255
netname:      HKCABLE-HK
descr:        HK Cable TV Ltd
descr:        Cable Multi-Media Services
country:      HK
admin-c:      AD23-AP
tech-c:       AD23-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-HK-ICABLE
remarks:      include previous allocations
changed:      hm-changed@apnic.net 20030922
status:       ALLOCATED PORTABLE
source:       APNIC

person:       administrator dns
address:      12/F., Cable TV Tower,
address:      9 Hoi Shing Road,
address:      Tsuen Wan,
address:      N.T.,
address:      HK
country:      HK
phone:        +852-2112-7516
fax-no:       +852-2112-7977
e-mail:       dnsadmin@cms.hkcable.com
nic-hdl:      AD23-AP
mnt-by:       MAINT-HK-ICABLE
changed:      dnsadmin@cms.hkcable.com 20000811
source:       APNIC
OrgName:    University of Pennsylvania
OrgID:      UNIVER-8
Address:    3401 Walnut Street
Address:    Suite 221A
City:       Philadelphia
StateProv:  PA
PostalCode: 19104-6228
Country:    US

NetRange:   165.123.0.0 - 165.123.255.255
CIDR:       165.123.0.0/16
NetName:    UPENN-LANSUB
NetHandle:  NET-165-123-0-0-1
Parent:     NET-165-0-0-0-0
NetType:    Direct Assignment
NameServer: NOC3.DCCS.UPENN.EDU
NameServer: NOC2.DCCS.UPENN.EDU
NameServer: DNS1.UDEL.EDU
NameServer: DNS2.UDEL.EDU
Comment:
RegDate:    1993-05-28
Updated:    2001-04-30
A Google search found the same IP address already listed for spamming on a Japanese website on February 26, 2004, i.e. the day before the Joe job against us was sent:

The 2004-02-27 Joe job tried to display 16 pictures from our website in order to drive up our web hosting bill. We responded by moving those pictures and replacing one of the images with a file that includes the following message: