Sunday, March 30, 2014

Setting up email

Where The Spam Comes From

  Recently I read a piece from ESET (makers of NOD32).  They claimed that there were 10,000 hacked Linux machines sending out spam and malware.  I asked myself: could this be the hackers I originally dubbed PeskySpammer and renamed PerniciousMalware, the ones that put 500+ spam per day into one of my email boxes plus occasional malware?  No, it cannot be, because you can see for yourself that the majority of the IPv4 addresses used are in DSL and cable IP blocks.  You don't believe me?  Here you go:

Public PeskySpammer folder
Originating IPs
Left 0 Pad Filled Originating IPs

  Just look them up in whois.  I stopped keeping records of these about six months ago.  But if you ever wanted proof of what was sending the spam and malware, all you had to do is seize the machines at the sending IP addresses.  On the machines, which would be running Microsoft Windows, you would find specially crafted SMTP engines that only send email.  How do they get around where it was sent from?  They pretend it was sent from some place else.  That is how I first got them: they were pretending to send from fictitious users at my domain.  It took me over a year to get email admins to learn NOT to boomerang messages to me.  Evidently thinking has gone out of style.  Whether the hackers realized that Yahoo and other domains have email set up wrong from a practical point of view, but probably correctly per the old RFC, is unknown.  It does argue that things need to change, and immediately.  There will be more on that in a moment.

Are The Linux Machines Hacked?

  Probably.  But which would you want to send spam from?  A tiny number of Linux boxes (10,000 is tiny) whose IP addresses you can easily map out and take out of the loop with blocks at the major IMSPs (Internet Mail Service Providers)?  Or a huge flotilla of Windows boxes where the machines sending spam come and go so regularly that a preventive measure based on the originating IP address is almost useless?  The infected Windows machine route wins hands down.  But let's probe the weaknesses of Linux.  The very first one for me is actually not security.  Because of that stupid X-Windows DB I am almost always staring at 640x480 at install time.  Gone are the days of hacking the X config file and getting on with my business.  But I work from Linux and it is a compromise.  Maybe OpenBSD would be a better choice.
   Linux systems have so much software that is hacked into place, and the software changes so furiously, that it is almost impossible to eradicate problems.  This is especially true for the servers.  But my two machines, named GandalfTW and Sauron, aren't servers and they eye each other suspiciously.  They will allow a hello and an are-you-there (ICMP ping) and that is about it.  I don't even let one do print server duty and instead rely on the JetDirect card in the old HP printer to handle things.  Getting that configured took a lot of work.  Yes, it has an old parallel printer interface.  But with this much complexity I have this nagging feeling I have too many holes in my systems.  Blowing down the protection of IPv4 with IPv6 (no NAT, no firewall) doesn't help.  But I do have two routers in place.
   But then I hear that there is an SSL bug in Macintosh, iPhone, and iPad.  I can remember Apple taking over six months to fix a simple problem several years back.  Did they really fix the iPhone in 2-7 days and Macintosh in less than two weeks?  Unbelievable.  Then the boom was lowered.  Many versions of Linux also had an SSL security flaw.  At least some Linux distros do make use of OpenPGP signing so the downloads can be trusted or not.  But is my kernel the real deal, or did the NSA hack a SHA1 certificate and give me a modified kernel?  I am paranoid.  Am I paranoid enough, or too paranoid?
   But the coup de grace was when kernel.org was hacked and they sat there saying how super secure SHA1 was.  Pshaw.  I have malware with SHA1, and I know others do too, where they hacked the SHA1.  Still, it is more likely that the certs were stolen, as in this case:


But it is not Stuxnet!  The cert passed muster until the keys were revoked.  What am I saying?  There are ways around encryption.  But coming from SSL and hitting serious security stuff gives one the idea that SHA1 is powerful.  Not one serious AV company depends on SHA1.  They shifted to SHA-256 years ago.  My OpenPGP keys have SHA-256 as the preferred digest algorithm:

Cipher:  TwoFish, Camellia256, Camellia192, Camellia128, BlowFish, Cast5, 3DES.
Digest: SHA256, SHA512, SHA1, SHA384

I used to have 4096-bit RSA key pairs and SHA512.  It was fine with a dual core and quad core machine.  It was a little too much for older single core machines.  But I get 3DES whether I want it or not.  I don't want it.  Note that both BlowFish and Cast5 precede it, and iPhone and Android systems can handle those.  SHA384 is non-standard, so I have no choice but to bump SHA1 up in the pecking order.

But if a Linux system is truly hacked they can steal your keys, unless you put in a symlink to a flash drive where your keys really are and the hacker always hits it with your flash drive removed.  The key logger gets the pass-phrase.  But I doubt most Linux people ever police their shell startup files.  I do look at my shell startup files, which I have altered considerably, FREQUENTLY!  I told you I was paranoid.  But what do you expect of somebody that has now handled well over 12,000 Windows malware samples?

So is it too much to ask that Linux people shift from SHA1 to SHA256?  I don't think so.  The fewer services you run, the less vulnerable you are.  That is the way it has been forever.

Lest Windows People Snort

  Windows did not wait for IBM to add owner, group and other things to the file system, which is also used in the processes.  Back then it was called HPFS and it became NTFS.  But here is what would have happened if they had waited:


It isn't just limited to the file system.  Look at voodoo.txt.  If Target, Neiman Marcus, and others had used Linux instead of Windows in their POS terminals, scraping would not have worked.  Try it!  The SourceBuffer is invariably out of your process's memory space.  The result?  A segmentation violation.  No memory scraping here.  Where did all of those Siemens Nixdorf POS terminals go?  Why did they replace them with Windows?


How To Setup Email

   On to the main reason for this blog entry.  Because of the way that Yahoo (and other IMSPs) set up email I have over 500 spam per day in my mini honey-net.  I don't mind the malware, except for those two days I got 500+ malware instead of spam each day.  But really, email should be set up like this as the first step in reducing spam:

1. Apart from three extra email accounts, your own email account, and any other email accounts you created, anything sent to any user other than the ones enumerated should be tossed.  Bye, bye mini honey-net!

2. The three extra users are abuse, postmaster, and webmaster.  Although it may seem nice not to deliver email for those into the master user's account, in case somebody hacks your computer, what if your computer is compromised anyway?

Once that is done, all of my other comments apply.  But if Yahoo set it up this way I would get less than 2% of what I get now.  Their email servers would get a break.  The people that aren't involved in the spam and malware storm would finally see the odd behavior of their email vanish.  No?  Then look at my other points.  I am pretty sure qmail can do it.  It has the richest set of filter options of any SMTP server.


Saturday, January 25, 2014

PhishTank

Volunteer Reviewers Needed
   I have noticed that PhishTank has gone from something where I could review the phish they had in one session of about two to three hours, to impossible.  It is not the only thing that has gone down.  Here is what my and others' email spam problem used to look like:


Now it is malware as numerous as spam:


So kiss goodbye any idea of any help you will get from "the man".  I have been getting many hundreds of malware per day recently.  I have been submitting what I can at VirusTotal but the number has gone way beyond ridiculous.  I can only assume that if the FBI didn't request it, they are in favor of it.  Ditto for the US and Russian governments, the NSA, and the CIA.  Look, we have millions of stolen credit card numbers at Target and Neiman Marcus at the end of 2013.  Except for the contractors working on the problem they seem to be going it alone.  Right now the world is upside down.

First, you need the link to PhishTank.  Here it is with the secure login specified, since they shift you to that whether you want it or not if you use their GUI to review.  Trust me; it is to your advantage to use the secure route (port 443), since many Internet Service Providers will interpret it as your machine being infected and no, they will not see that you are going to PhishTank.  Okay, here is where they are at:

Phishtank Home


Here are tips, mostly in just-what-pops-into-my-mind order, to help you review the phish:
  1. I frown on the use of Windows for doing this.  There is malware at PhishTank.  Even worse, there is no button to say it is malware, which could be used to winnow those entries out.  I have tried to encourage a redesign that has a malware button but we won't get it.  Use Windows only if you really know what you are doing.  Avoid obvious malware links where the URL ends in ".cpl", ".exe" or similar.  Better yet, use some sort of block mechanism that blocks those for you.  Firefox on Linux is one recommended phish review combination.  Be aware that Firefox doesn't handle iFrames.  Opera has similar problems where it really is a phish but you don't see it.  Either Firefox or Safari on Macintosh will also do nicely.  You don't have to use the GUI since PhishTank does provide lists, but I strongly discourage the list approach if you are using Windows.
  2. Okay, you ignored me and you are using Windows anyway.  Then I advise skipping those entries where they don't show you a picture.  Just be aware that if it shows Google Docs in the picture and the URL is definitely not Google Docs, that does not mean it is still a phish.  Things come and go quickly here.  What it does mean is that you can probably safely snatch the URL and try it out, since it at least was a phish.
  3. While working on these I have two lists showing in vim in an xterm.  They are Phish / Not Phish.  They list not the URLs but just the affected hosts: when I notice three or more phish at a domain, it goes into the phish list.  Rather than blaze away calling them all phish, check them every so often during the session.  Do not be surprised if a host moves from the phish list to the not-phish list even during the session.  The list I use has dates for when I added them.  These are helpful but volatile.  Anything older than 5-7 days in your list is probably gone.
  4. If the URL shown to you is using not a host name but an IP (IPv4) address, and it shows what was a phish, then it is still a phish.  The only question remaining is whether it is an active phish or whether it is gone.  What do I do?  If it shows one of the many banks, Google Docs, or other known phish types in the picture I mark it as a phish.  It is never (well, almost never) a legitimate host.  Instead it is a hacked Windows PC.  See the two pictures in this blog entry?  The machines sending the email messages are hacked Windows PCs.  They are not supposed to be doing web-service duty or sending email directly.  Mark them as phish and let us Linux and Mac reviewers put them to bed.
  5. You just got a redirect to Google, so the people fixed the problem, right?  Wrong!  Malware links in web pages frequently let only 5% to 15% of the people through to the malware.  Often, they redirect the others to Google or do nothing.  So how do you "fix a phish?"  First, clean the server and install new web-server code.  Second, close the entire folder down where all the phish live.  Third, set all the phish links to redirect to your own home page.  Fourth, set it to just give a blank line.  In Firefox this can be viewed under Tools - Web Developer - Page Source.  You will see a grayed out 1, or 1 and 2, which means that many blank lines.  But it is just as likely that the phishers themselves have set the phish to go to Google or some place else 85% to 95% of the time.  The only valid redirect phish fix is to yourself.  It showed Google Docs and now it shows Google?  It is still a phish, since you and I don't know who did the redirect.
  6. If your filters caused a block and you know this somehow, just click on either "I don't know" or preferably just ask for the next entry.  I use my PAC filter, but in a file with all of the phish rules stripped out of it.  I then actually have to add some of the GoodDomains phish rules back in, but not the pair.  E.g., the GoodDomains eBay rules may be added back in but I don't put the other Bad rules for eBay in.  We shouldn't be testing your phish filtration.  We are reviewing the phish.
  7. I will put more here as they come to me.  Right now I am handling a slug of malware where the scam stays the same but the malware does not.  I am probably getting 5+ different types of malware per day.

Monday, January 20, 2014

Ridiculous

   PerniciousMalware (née PeskySpammer), let's review what I have already given you for pruning your lists.  I am doing this because I may be posting to Slashdot to shame some people into rectifying major defects in the way things are being done right now.  So here is the code for doing a first pass clean-up of your TO list:

Winnow Users

   What is the result of you, Yahoo and other mail service providers doing it wrong?  Here is how it looks in Thunderbird:




   And here is what it looks like in Yahoo's web-mail interface:


   I call the first one DOS because that is exactly what it is: a Denial Of Service.  There are no fake pharmacy URLs or malware.  In fact the supposedly real-world user names are nothing more than the titles of the articles whose contents you put into the messages.  In short, how stupid can you be?  Sending somebody hundreds of messages like this makes me wonder if the FBI requested that you do it.  As bad as you are, there are some others this message is addressed to.
   To Yahoo: stop changing your web-mail GUI and take care of your hack-in.  You have been shoving out malware through your ad-servers and I have detected that the hackers still have various levels of internal access.  Make it so your paying customers get the email addressed to the users for the given domain, with mail for the users postmaster, webmaster, and abuse delivered to the master user.  For me that means only four email accounts.  All other email to other non-existent users should be stapled, mutilated, spindled, and shredded.  This especially includes email like this that isn't even coming from the domains it purportedly comes from.  Search for previous blog entries to learn how to handle them.  If you did this your email volume would be reduced to a trickle of what it is now.
   To Comcast: after about the fourth time it seems you would have a log, so that once you talked to Yahoo your check would result in the proper action for me and others like me that are victims of this type of abuse: complain to Yahoo or other mail service providers to fix their problems.  Instead you have blocked me from sending email repeatedly due to your stupid no white-list rule.  If I was rich I would sue you for slander and anything else an attorney would be willing to go after you on.  All I know is you must be stupid to have not figured it out by now.  Almost all the mail is coming DOWN to me.  I send out less than 1% of what I receive.
   To the FBI, Interpol, and NSA: the sending IP addresses are in the saved email messages.  It would be a simple matter to do forensic analysis on one of the machines and track it back to the Russian (sometimes the stupidity of PerniciousMalware makes me disbelieve they could be Russian) or Chinese hackers.  It isn't just spam.  I just wrote up information on their two malware samples today and will make the malware available to the AV companies on demand (as if they really need it; they are swamped).
   To the Russian and / or Chinese governments: find these people and put them where the sun doesn't shine.
 

Friday, November 22, 2013

PerniciousMalware

I have renamed PeskySpammer PerniciousMalware due to the large amount of malware they keep shoving out.  Will it ever end?  Who knows.

But I do know that ever since they pulled all of the fake email addresses out of their From list and added them to their To list I have had a steady diet of several hundred spam messages per day when they are sending spam, and almost a dozen malware per day when they are sending malware.  This has gone on for over a year and a half now.

Let me see if I can explain this to the PerniciousMalware people who don't seem to know how mail works.  Many IWSPs (Internet Web Service Providers) set their customers up with email that is compliant with the old RFC when they get a combo email + web-site.  What that means is that for any user that is not known, those email messages go to the postmaster for the domain.  Who is the postmaster for my SecureMecca.com domain?  Me.  But after looking at PerniciousMalware's list of users that they use to send to my domain, I noticed that almost all of the user names are just hexadecimal hashes.  So I wrote a program that PerniciousMalware can use to remove not only the fake users at my domain, but the fake users at all domains.  Here is the folder that contains the programs:

Winnow Hash Users

The 0-Instructions.txt file shows how to make it work and is also included in the zips.

Use the program in good health to remove all of those fake users from your send-to lists.  All you are doing by sending hundreds of spam messages per day is making whoever you are doing it to mad as hell.  So I advise you to alter the program (it is covered by the GNU license) in your bot email address gathering to exclude the hexadecimal-hash user-names before they even get added as well.
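An added example, not the program in the linked Winnow Hash Users folder: it drops send-to entries whose local part is nothing but a hexadecimal hash (the kind of user shown elsewhere on this blog, EF24A232D@securemecca.com), and beside it shows the recipient policy the March 30 entry asks for, where only the enumerated users plus abuse, postmaster and webmaster are delivered and everything else is tossed.  The 8-hex-digit threshold, the sample list and the policy object are assumptions.

```javascript
// A local part counts as a hex hash when it is 8 or more characters of
// [0-9a-f] and nothing else (threshold is an assumption; the page's example
// EF24A232D@securemecca.com has 9 hex digits).
const HEX_HASH_LOCAL = /^[0-9a-f]{8,}$/i;

// Split "user@domain" into its parts; null for anything that is not an address.
function splitAddress(addr) {
  const at = addr.lastIndexOf('@');
  if (at < 1 || at === addr.length - 1) return null;   // no local part or no domain
  return { local: addr.slice(0, at), domain: addr.slice(at + 1).toLowerCase() };
}

function isHexHashUser(addr) {
  const parts = splitAddress(addr);
  return parts !== null && HEX_HASH_LOCAL.test(parts.local);
}

// Remove hex-hash users (at every domain) and malformed entries from a
// send-to list; duplicates are dropped with the domain compared case-insensitively.
function winnowSendList(list) {
  const seen = new Set();
  const kept = [];
  for (const raw of list) {
    const parts = splitAddress(raw.trim());
    if (parts === null || HEX_HASH_LOCAL.test(parts.local)) continue;
    const key = parts.local + '@' + parts.domain;
    if (seen.has(key)) continue;
    seen.add(key);
    kept.push(key);
  }
  return kept;
}

// Constructed sample send-to list: two hex-hash users, a duplicate, a
// malformed entry, and a 7-digit local part that is below the threshold.
const SAMPLE_SEND_LIST = [
  'EF24A232D@securemecca.com',
  'hhhobbit@securemecca.com',
  'DEADBEEF01@example.net',
  'alice@Example.net',
  'alice@example.net',
  'bogus',
  '1234567@example.org',
];

// Recipient policy for one domain: enumerated users are delivered to
// themselves; abuse, postmaster and webmaster go to the master user (the
// "four accounts" arrangement); anything else is tossed (null).  With
// catchAll set, the old RFC-style behaviour applies instead and every
// unknown user lands in the master user's box.
const ROLE_USERS = ['abuse', 'postmaster', 'webmaster'];

function routeRecipient(local, policy) {
  const user = local.toLowerCase();
  if (policy.users.includes(user)) return user;
  if (ROLE_USERS.includes(user)) return policy.master;
  return policy.catchAll ? policy.master : null;
}

// Assumed policy for a single-user domain such as the one described.
const ENUMERATED_POLICY = { master: 'hhhobbit', users: ['hhhobbit'], catchAll: false };
const CATCH_ALL_POLICY  = { master: 'hhhobbit', users: ['hhhobbit'], catchAll: true };
```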

The hexadecimal-hash users aren't the only kind of bogus users you have but you have to start some place.  I suspect that some of those people may even purchase your wares once the flood of spam becomes just one message every so many weeks.

Finally, sending Windows malware to somebody using Linux isn't going to get you anything but more people knowing about it faster and the AV companies detecting it faster.  I faithfully make them known to as many other people as time permits.

You are welcome.

Tuesday, November 12, 2013

FanBoy For AdBlockPlus Gone

I just went to replace my EasyList + EasyPrivacy lists with FanBoy-AdBlock + Fanboy-Tracking and let Liste-FR handle it however, only to find they were gone!
Please say it isn't so.  Just yesterday I blocked several hosts in the lphbs.com tracker domain, which I block in my PAC filter and FanBoy-Tracking also blocks the hosts in that domain.  But EasyPrivacy doesn't.  You have proof right there that FanBoy was needed and is still needed.  I always recommended to others to take the FanBoy lists because they were less obtrusive and less likely to cause you problems.

So FanBoy, please come back.  If you need other people, find local people willing to take it over for you.  As I see it, nobody can do this for more than 3-4 years before they get jaded and finally burned out.

FanBoy, if you are never coming back, thanks for all of the hard work.  You have no idea how much you have helped other people.  That especially includes me.  Thanks!

Oh, you don't believe me about the tracker rule?  Here mine is:

BadDomains[i++] = ".lphbs.com";

EasyPrivacy does not have it, nor many other rules that you have.  We really do need FanBoy revived, so people with a PayPal account with funds, make a donation to keep their good work going.


Tuesday, July 16, 2013

Fake Health Ads

Fake Health Ads (PeskySpammer)

Some may think that since I have not posted for a long time that all is well.  Well, you are wrong.  PeskySpammer still pumps several hundred messages per day into one of my email boxes and I even occasionally get their messages in another of my email boxes.  It may even be them or Comcast that complained about the torrent, with Comcast believing I am sending the messages that caused it, so I could not send any mail messages at all via SMTP and Thunderbird from the account that is flooded.  I am not sending the messages.  I am receiving them!  Here is what the latest scheme looks like:

Fake Health Scheme (2013-07-15)


For those not in the know, these are not what they first appear to be.  Here is the Reply-To host name: anachel.com.  Can we send to it?

host -t MX anachel.com
anachel.com mail is handled by 0 anachel.com
hdns anachel.com
anachel.com has address 69.89.31.111

I don't think you will be able to reply.  A value of 0 means it doesn't want mail.  The same can be said for me and the millions of other people receiving a torrent of messages from PeskySpammer's bots.  What about where it is supposedly from, akinkything.com?

host -t MX akinkything.com
akinkything.com mail is handled by 0 mail.akinkything.com
hdns mail.akinkything.com
mail.akinkything.com has address 74.220.219.58

The email really came from:
X-Originating-IP: 61.64.103.28

That means it is probably a DSL-connected Windows machine on the "Sony Network Taiwan Limited" network, which runs from 61.64.64.0 ... 61.64.119.255, that is sending the message.  I would still like to believe that the people receiving the messages PeskySpammer's bots are sending are just as unhappy as I am, but perhaps the last two lines of my current email sig really are apropos:

Thinking has been suspended indefinitely.
Anybody caught thinking will be immediately shot!

I wonder if Vladimir Putin is getting a cut of the action that these Russian hackers, living in both Moscow and the Ukraine, are up to?  Here is the latest DNS run I did for the hosts (take the 15.7z folder):


This time around their servers are in Moscow, Russia; Tabriz, Iran; and Guiyang, Guizhou, China.  Don't hold your breath.  They change where the hosts are hosted every 2-3 days.  I suspect they will be filling our email boxes as long as people order what they sell.  Well, I hope the people like me with an any-user catch-all MX server, where you get several hundred of these messages per day, aren't buying the stuff.  If the people that set up this disservice had it coming into their email box at the rate it pours into mine, maybe they would change the code for their bots to at least remove all specious email addresses.  These hackers deserve to be shot.

Wednesday, January 16, 2013

PeskySpammer

PeskySpammer

    PeskySpammer, I have added the two recent messages you have sent via the user hash-user to both the PeskySpammer.7z zip and to the PeskySpammer folder:


   I at first sent this message only to my colleagues to prove to them that even though bots may be sending the bulk of the messages, you people know about it.  Here are the salient points so people understand them.

   No matter how you send them using my SecureMecca.com domain, I get them:

1. Your bots sending email messages pretending to be a hashed user at securemecca.com (e.g., EF24A232D@securemecca.com in the "From:" field) will end up in the postmaster's email box (me, hhhobbit, the only user at the domain) if the "X-Apparently-To:" or "To:" domain mail servers deem it necessary to bounce a message back to the purported sender.  If they do that, I am the one that gets the bounce (always).  They should not do this with bot email messages and I will have pseudo-code in a moment for them to avoid it and the proper course of action.

2. If you send it directly to any user including the "hash-user" in the MDL and WackoBot messages linked to above, again, the postmaster which is the one and only user at the domain (me), gets the email message.

3.  No matter how you slice it or dice it, I get these email messages and have taken actions I deem appropriate.  I would encourage you to not allow any of these patterns in your bots' sending patterns (from or to) vis-a-vis me: hhhobbit, henryhertzhobbit, securemecca.  There is a problem with that.  Any time you abuse others that share similar mail handling arrangements to mine you are going to piss the hell out of them.  So although you think you know how email works, you don't!  Because you do not understand how email works you will continue to make a lot of people like me mad as hell at you!  I am pretty sure I am not the only one.


Significant Others

   I don't know what domains block me, but byu.edu was and probably still is blocking access to my securemecca.com domain but not to this blog.  Why?  There are two possibilities.  First, despite people saying that they have both a black-listing and a white-listing approach, you really cannot have both.  White-listing means you black out the entire world and then start adding the hosts or IP addresses you want to allow.  Many banks like the local Zion's bank use the white-list approach.  If it isn't explicitly allowed it is denied.  They don't allow you to see any more at Zion's bank than is absolutely necessary to get the job done.  You might think my PAC filter does white-listing, but the GoodDomain rules are really there to make sure that it doesn't block security downloads.  Those paired with Bad rules also block phish.  For example, if you pretend to be Bank Of America, my PAC filter will stop all hosts with "bankofamerica" in them except for bankofamerica.com.  So I guess the PAC filter is a limited form of white-listing.
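An added example, not the author's actual PAC filter, showing the BadDomains / GoodDomains pairing described here and in the PhishTank tips above: a host that matches a Bad rule is sent to a black-hole proxy unless a Good rule explicitly allows it, which is how a bare "bankofamerica" rule can block look-alike hosts while bankofamerica.com itself stays reachable.  The rule contents (other than the .lphbs.com line quoted on this page) and the black-hole proxy address are assumptions.

```javascript
// Rules are filled in the same BadDomains[i++] = "..." style the page uses.
var i = 0;
var BadDomains = new Array();
BadDomains[i++] = ".lphbs.com";          // tracker rule quoted in the text
BadDomains[i++] = "bankofamerica";       // bare rule: any host containing this

var j = 0;
var GoodDomains = new Array();
GoodDomains[j++] = ".bankofamerica.com"; // the real domain and its sub-hosts only

// Assumed unreachable proxy; anything sent here never leaves the machine.
var BLACKHOLE = "PROXY 127.0.0.1:3421";

// A rule beginning with a dot matches the domain itself or any host under it;
// a bare rule matches anywhere in the host name.
function hostMatchesRule(host, rule) {
  if (rule.charAt(0) === ".") {
    return host === rule.substring(1) || host.slice(-rule.length) === rule;
  }
  return host.indexOf(rule) !== -1;
}

function matchesAny(host, rules) {
  for (var k = 0; k < rules.length; k++) {
    if (hostMatchesRule(host, rules[k])) return true;
  }
  return false;
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (matchesAny(host, GoodDomains)) return "DIRECT";  // explicit allow wins
  if (matchesAny(host, BadDomains)) return BLACKHOLE;   // paired Bad rule blocks
  return "DIRECT";
}
```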

    White-listing works fine for a bank but not too well for an educational institution.  For educational sites you need some pretty hefty black-listing, and Comcast's (was Damballa) is so sensitive that they have blocked my mass emailing of users in my contact list.  I don't know how you teach a bot sensor what the difference is, but I am beginning to suspect Comcast's actions may have got my domain into the black-lists.  But it is actually more likely your activity that got it there.  Why?  There are an awful lot of incompetent admins that look at email and think it always comes from the "From:" email address.  Well, for all of yours it comes from what is identified as the "X-Originating-IP:" in my email messages.  Ergo, your activity is getting mine and a lot of other innocent people's domains blocked, many times without them knowing it.  Now others should know why I prefer mail that has been signed with the other person's OpenPGP key.  When I see that I am pretty much assured the message (which can optionally be enciphered) came from that other person.  What you are doing demonstrates this point so overwhelmingly that I don't understand why people don't get a POP / IMAP email account and use it as their primary email account.  They should use web-mail for signing up for various things, to keep their POP email accounts for only personal contacts.

   Where are the FBI and other police organizations in all of this?  Well, it seems the prosecution of Aaron Swartz, which bordered on prosecutorial misconduct, has ground to a screeching halt.  Maybe the FBI will pay attention to you but I doubt it, since you are so small.  Despite that, and despite me calling you a spammer, you have filled my email box with: low order phish (fake pharmacies), high order phish (stealing financial information like user names and passwords, or money, or both), links to malware, and malware attachments.  I have listed them in order of threat from least to most.  The attachments have usually been in the form of files pretending to be PDF files that were zipped but when unzipped were files ending in ".pdf.exe".  Usually the detection by the AV companies was deplorable.  More than once all 40+ of the anti-virus programs at VirusTotal.com failed to detect it.

Mail Admins

One mail admin cleverly added a test doing a reverse IP-to-host lookup.  Well, not exactly what is needed, but then he committed the gross faux pas.  He sent the message back to the "From:" saying they didn't match.  Why are you sending the boomerang to me?  I didn't send the message.  Thinking is in short supply here.  Here is the pseudo-code showing how it should be done:

Find the MX hosts for the From domain.
if there are no MX hosts for the From domain then
    drop the message like a hot scalding potato
else
    Find the IP addresses for the MX hosts
    if the sending IP address is not one of the MX IP addresses
    then
        drop the message like a hot scalding potato
    else
        do what you want with it
    end if
end if
(Note:  I modified this pseudo-code on 2012-April-12 to handle the parked hosts, or even hosts that are not in DNS, that PeskySpammer uses.)
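An added example (not the mail admin's code) that implements the pseudo-code above and reuses the lookups shown in the July 16 "Fake Health Ads" entry: the From domain's MX hosts are resolved, the message is dropped when there are none or when the sending IP is not one of their addresses, and a range check covers the whois step that placed 61.64.103.28 inside the 61.64.64.0 ... 61.64.119.255 block.  The DNS table is constructed from the `host` output quoted on this page so the check runs offline; a real MTA would replace it with live lookups, and parked.example is an invented domain with no MX.

```javascript
// Constructed stand-in for DNS, holding only the records the page quotes.
const FAKE_DNS = {
  mx: {
    'anachel.com':     [{ pref: 0, host: 'anachel.com' }],
    'akinkything.com': [{ pref: 0, host: 'mail.akinkything.com' }],
    'parked.example':  [],                      // parked: no MX at all
  },
  a: {
    'anachel.com':          ['69.89.31.111'],
    'mail.akinkything.com': ['74.220.219.58'],
  },
};

function lookupMx(domain, dns) { return dns.mx[domain] || []; }
function lookupA(host, dns)    { return dns.a[host]    || []; }

// The pseudo-code, step for step: no MX -> drop; sending IP not among the
// MX hosts' addresses -> drop; otherwise hand the message on.
function checkSender(fromDomain, sendingIp, dns) {
  const mxHosts = lookupMx(fromDomain.toLowerCase(), dns);
  if (mxHosts.length === 0) {
    return { action: 'drop', reason: 'no MX hosts for ' + fromDomain };
  }
  const mxIps = new Set();
  for (const mx of mxHosts) {
    for (const ip of lookupA(mx.host.toLowerCase(), dns)) mxIps.add(ip);
  }
  if (!mxIps.has(sendingIp)) {
    return { action: 'drop', reason: sendingIp + ' is not an MX address of ' + fromDomain };
  }
  return { action: 'accept', reason: sendingIp + ' is an MX address of ' + fromDomain };
}

// IPv4 dotted quad -> unsigned 32-bit integer; rejects malformed input.
function ipv4ToInt(ip) {
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return ((octets[0] << 24) >>> 0) + (octets[1] << 16) + (octets[2] << 8) + octets[3];
}

// Is ip inside the inclusive block first ... last (as whois prints it)?
function ipInRange(ip, first, last) {
  const n = ipv4ToInt(ip);
  return n >= ipv4ToInt(first) && n <= ipv4ToInt(last);
}

// The message from the July 16 entry: From akinkything.com, but
// X-Originating-IP 61.64.103.28, which is no MX address of that domain.
function classifyJulyMessage() {
  return {
    verdict: checkSender('akinkything.com', '61.64.103.28', FAKE_DNS),
    inSonyTaiwanBlock: ipInRange('61.64.103.28', '61.64.64.0', '61.64.119.255'),
  };
}
```

Because this rule only admits mail sent from a domain's MX addresses, it will also drop legitimate mail from domains whose outbound servers differ from their inbound MX hosts; SPF records are the standardized way for a domain to publish which hosts may send for it.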

What else you do from there is up to you, but bouncing bot-sent messages creates more problems than it solves.  This is especially true for me if the mail filtration strips the URLs or attachments.  Since I don't have the original sending IP address it is just useless clutter filling up my email box.  I can block URLs and identify malware, but that is about it unless I have the sending IP address, which I do extract and keep in several lists.  Okay, so a bot sent you some email making it look like it came from my domain.  I already know that, to the tune of up to and even over a hundred messages per day.  They have even gone as high as about a thousand messages per day.  And the FBI still doesn't care?  Yup, that is the norm these days.  I hope the Sheriff department in Georgia has not only the link you stabbed into their server removed (they have removed it) but any other damage you have done to them undone.  In short, some of your actions, PeskySpammer, make me think you are rank amateurs.  Either that or stupid is in vogue right now.  Actually it is probably both.