Wednesday, January 16, 2013

PeskySpammer

    PeskySpammer, I have added the recent two messages you have sent via user hash-user to both the PeskySpammer.7z zip and to the PeskySpammer folder:


   I at first sent this message only to my colleagues to prove to them that even though bots may be sending the bulk of the messages, you people know about it.  Here are the salient points so people understand them.

   No matter how you send them using my SecureMecca.com domain, I get them:

1. Your bots sending email messages pretending to be a hashed user at securemecca.com (e.g., EF24A232D@securemecca.com in the "From:" field) will end up in the postmaster's email box (me, hhhobbit, the only user at the domain) if the "X-Apparently-To:" or "To:" domain mail servers deem it necessary to bounce a message back to the purported sender. If they do that I am the one that gets the bounce (always).  They should not do this with bot email messages and I will have pseudo-code in a moment for them to avoid it and the proper course of action.

2. If you send it directly to any user including the "hash-user" in the MDL and WackoBot messages linked to above, again, the postmaster which is the one and only user at the domain (me), gets the email message.

3.  No matter how you slice it or dice it, I get these email messages and have taken actions I deem as appropriate.  I would encourage you to not allow any of these patterns in your bots' sending patterns (from or to) vis-a-vis me:  hhhobbit, henryhertzhobbit, securemecca.  There is a problem with that.  Any time you abuse others that share similar mail handling arrangements as mine you are going to piss the hell out of them.  So although you think you know how email works you don't!  Because you do not understand how email works you will continue to make a lot of people like me mad as hell at you!  I am pretty sure I am not the only one.


Significant Others

   I don't know what domains block me, but byu.edu was and probably still is blocking access to my securemecca.com domain but not to this blog.  Why?  There is one of two possibilities.  First, despite people saying that they have both a black-listing and a white-listing approach you really cannot have both.  White-listing means you black out the entire world and then start adding the hosts or IP addresses you want to allow.  Many banks like the local Zion's bank use the white-list approach.  If it isn't explicitly allowed it is denied.  They don't allow you to see any more at Zion's bank than is absolutely necessary to get the job done.  You might think my PAC filter does white-listing but the GoodDomain rules are really to make sure that it doesn't block security downloads.  Those paired with Bad rules also block phish.  For example, if you pretend to be Bank Of America, my PAC filter will stop all hosts with "bankofamerica" in them except for bankofamerica.com.  So I guess the PAC filter is a limited form of white-listing.

    White-listing works fine for a bank but not too well for an educational institution.  For educational sites you need some pretty hefty black-listing and Comcast's (was Damballa) is so sensitive that they have blocked my mass emailing of users in my contact list.  I don't know how you teach a bot sensor what the difference is but I am beginning to suspect Comcast's actions may have got my domain in the black-lists.   But it is actually more likely your activity that got it there.  Why?  There is an awful lot of incompetent admins that look at email and think it always comes from the "From:" email address.  Well, for all of yours it comes from what is identified as the "X-Originating-IP:" in my email messages.  Ergo, your activity is getting mine and a lot of other innocent people's domains blocked, many times without them knowing it.  Now others should know why I prefer mail that has been signed with the other person's OpenPGP key.  When I see that I am pretty much assured the message (which can optionally be enciphered) came from that other person.  What you are doing demonstrates this point so overwhelmingly I don't understand why people don't get a POP / IMAP email account and use it as their primary email account.  They should use web-mail for signing up for various things to keep their POP email accounts for only personal contacts.

   Where is the FBI and other police organizations in all of this?  Well, it seems the prosecution of Aaron Swartz which bordered on prosecutorial misconduct has ground to a screeching halt.  Maybe the FBI will pay attention to you but I doubt it since you are so small.  Despite that and despite me calling you a spammer, you have filled my email box with: low order phish (fake pharmacies), high order phish (steal financial information like user names and passwords or money or both), links to malware, and malware attachments.  I have listed them in order of threat from least to most.  The attachments have usually been in the form of files pretending to be PDF files that were zipped but when unzipped were files ending in ".pdf.exe".  Usually the detection by the AV companies was deplorable.  More than once all 40+ of the Anti-Virus programs at VirusTotal.com failed to detect it.

Mail Admins

One mail admin cleverly added a test of doing a reverse IP to host lookup.  Well, not exactly what is needed but then he did the gross faux pas.  He sent the message back to the "From:" saying they didn't match.  Why are you sending the boomerang to me?  I didn't send the message.  Thinking is in short supply here.  Here is pseudo-code showing how it should be done:

Find the MX hosts for the From domain.
if there are no MX hosts for the From domain then
    drop the message like a hot scalding potato
else
    Find the IP addresses for the MX hosts
    if the sending IP address is not one of the MX IP addresses
    then
        drop the message like a hot scalding potato
    else
        do what you want with it
    end if
end if
(Note:  I modified this pseudo-code on 2012-April-12 to handle the parked hosts or even hosts that are not in DNS that PeskySpammer uses.)
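The pseudo-code above as a runnable Python function, added here as an illustration and not code from the post. It takes the "From:" address and the connecting IP, resolves the MX hosts of the From domain and their addresses, and returns "drop" (silently, never a bounce) whenever the domain has no MX records, a parked or non-existent host, or a connecting IP that is not one of the MX addresses. The DNS answers are a constructed lookup table so the example runs offline; the resolver functions are passed in so a real resolver can be substituted. One caveat a practitioner should know: MX records name the hosts that receive mail for a domain, and a domain's outbound relays may be different machines, which is why production mail servers express "which IPs may send for this domain" with SPF records rather than by reusing MX, although the structure of the decision is the same.

```python
import ipaddress

# Constructed DNS data standing in for live lookups. None of these are real records.
CONSTRUCTED_MX = {
    "example.com": ["mx1.example.com", "mx2.example.com"],
    # "parked.example" is deliberately absent: a parked domain with no MX at all
}
CONSTRUCTED_A = {
    "mx1.example.com": ["192.0.2.10"],
    "mx2.example.com": ["192.0.2.11", "198.51.100.5"],
    # "ghost.mx.example" would be an MX host with no A record: resolves to nothing
}


def lookup_mx(domain, mx_table=CONSTRUCTED_MX):
    """Stand-in for an MX query; returns a list of mail exchanger hostnames."""
    return mx_table.get(domain.lower(), [])


def lookup_a(host, a_table=CONSTRUCTED_A):
    """Stand-in for an A query; returns a list of IPv4 addresses for the host."""
    return a_table.get(host.lower(), [])


def sender_domain(from_header):
    """Pull the domain out of a From: address such as EF24A232D@securemecca.com."""
    addr = from_header.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower() or None


def decide(from_header, sending_ip, mx_lookup=lookup_mx, a_lookup=lookup_a):
    """Return (verdict, reason). Verdict is 'drop' or 'accept'.

    'drop' means discard quietly. No bounce is ever generated, because the
    From: address of a bot message belongs to someone who did not send it.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "drop", "no domain in From: header"

    # Step 1 of the pseudo-code: no MX hosts for the From domain -> drop.
    mx_hosts = mx_lookup(domain)
    if not mx_hosts:
        return "drop", "no MX hosts for %s" % domain

    # Step 2: collect the IP addresses of every MX host. An MX host that is
    # parked or missing from DNS simply contributes no addresses.
    allowed = set()
    for host in mx_hosts:
        allowed.update(a_lookup(host))
    if not allowed:
        return "drop", "MX hosts for %s resolve to no addresses" % domain

    # Normalise the connecting IP; an unparseable value is dropped too.
    try:
        ip = str(ipaddress.ip_address(sending_ip))
    except ValueError:
        return "drop", "unparseable sending IP %r" % sending_ip

    # Step 3: the connecting IP must be one of the MX addresses.
    if ip not in allowed:
        return "drop", "sending IP %s is not an MX address of %s" % (ip, domain)
    return "accept", "sending IP %s matches an MX host of %s" % (ip, domain)


if __name__ == "__main__":
    # Constructed sample messages: one genuine relay, one forged From, one parked domain.
    for from_hdr, ip in [("EF24A232D@example.com", "192.0.2.10"),
                         ("EF24A232D@example.com", "203.0.113.7"),
                         ("someone@parked.example", "192.0.2.10")]:
        print(from_hdr, ip, "->", decide(from_hdr, ip))
```

The forged case ("203.0.113.7") and the parked-domain case both come back as "drop" with a reason string for the log, and nothing is sent anywhere; that is the whole point of the post's complaint about boomerangs.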

What else you do from there is up to you but bouncing messages for bot sent messages creates more problems than it solves.  This is especially true for me if the mail filtration strips the URLs or attachments.  Since I don't have the original sending IP address it is just useless clutter filling up my email box.  I can block URLs and identify malware but that is about it unless I have the sending IP address which I do extract and keep in several lists.  Okay, so a bot sent you some email making it look like it came from my domain.  I already know that to the tune of up to and even over a hundred messages per day.  They have even gone as high as about a thousand messages per day.  And the FBI still doesn't care?   Yup, that is the norm these days.  I hope the Sheriff's department in Georgia has not only the link you stabbed into their server removed (they have removed it) but any other damage you have done to them undone.  In short, some of your actions PeskySpammer make me think you are rank amateurs.  Either that or stupid is in vogue right now.  Actually it is probably both.