sm5w2 (Premium Member, join: 2004-10-13, St Thomas, ON):
Spam with viral attachment received from Sympatico IP

A spam came in to $dayjob yesterday at 5 pm from:

=======
Return-Path: (service@dnb.com)
Received: from dnb.com ([76.70.29.15]) by (SMTP.$dayjob.com)
=======

Claims to be from HSBC (even though return-path is forged as dnb.com), attachment is a .zip file which claims to be "payment e-Advice for your reference" pdf document.

Unpacking zip file gives PaymentAdvice.exe, which when scanned at virustotal is detected by 50% of the 47 AV programs as malicious (Fareit / Tepfer / ZBot).

We operate our own SMTP server, our ISP is Teksavvy, and as far as I know Bell blocks out-bound port-25 on Sympatico IP space - but apparently not from this IP (76.70.29.15) or net-block. The IP is pingable, but there is no rDNS record.
taraf (Member, join: 2011-05-07, Ottawa, ON):

Did you try to forward the e-mail with attachment to abuse@bell.ca?

sm5w2 (Premium Member, St Thomas, ON):

Re: Spam with viral attachment received from Sympatico IP

Just got another viral spam from Bell/sympatico IP in the Montreal area:

===========
Return-Path: (heartsxh67@vodafone.com)
Received:
from bell.ca ([174.94.154.30]) by (smtp.$dayjob.com);
Wed, 24 Jul 2013 23:38:29 -0400

Received:
from [43.135.80.72] (helo=eijjjuh.lmugcqcucq.com) by bell.ca with esmtpa
(Exim 4.69) (envelope-from ) id (yada.yada) for me@$dayjob.com;
Wed, 24 Jul 2013 22:38:28 -0500

From: verafrazier@vodafone.com
Subject: MMS id#nnnnnnnn
Date: Wed, 24 Jul 2013 22:38:28 -0500
============

The second received line (indicating the ultimate source IP is 43.135.80.72) is undoubtedly forged.

This spam contained a zip file attachment which unpacked to MMS_IMAGE.jpg.exe, which is identified variously at VirusTotal as:

- TR/Spy.Flarbate.A
- W32/Gamarue.JLXR-9264
- Win32/TrojanDownloader.Wauchos.K
- Downloader.Dromedan
- BKDR_ANDROM.JN

The source IP reverses to MTRLPQ02-2925435422.sdsl.bell.ca (again, Montreal).

Trying that IP:

»174.94.154.30

gives:

===========
Forbidden

You don't have permission to access /UI on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
============
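An added example, not from the thread: the point above is that only the Received header written by your own MX is trustworthy, and every hop below it (here the claimed 43.135.80.72 / helo=eijjjuh.lmugcqcucq.com) is supplied by the sender. This script unfolds a constructed header block modelled on the quoted one and marks the trust boundary; the MX name `smtp.$dayjob.com` is the post's own placeholder.

```python
import re

# Constructed sample modelled on the headers quoted in the post above; the
# $dayjob.com host and the "yada.yada" id are the post's own placeholders.
RAW_HEADERS = """\
Return-Path: <heartsxh67@vodafone.com>
Received: from bell.ca ([174.94.154.30]) by smtp.$dayjob.com;
    Wed, 24 Jul 2013 23:38:29 -0400
Received: from [43.135.80.72] (helo=eijjjuh.lmugcqcucq.com) by bell.ca with esmtpa
    (Exim 4.69) (envelope-from ) id yada.yada for me@$dayjob.com;
    Wed, 24 Jul 2013 22:38:28 -0500
From: verafrazier@vodafone.com
Subject: MMS id#nnnnnnnn
"""

RECEIVED_RE = re.compile(r"^Received:\s*(.*)$", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)        # host that wrote the hop

def unfold(raw):
    """Join RFC 5322 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def received_chain(raw, our_mx):
    """Walk Received headers top-down. A hop is trusted only while it was written
    by our own MX; every hop below that boundary was supplied by the sending
    side and can say anything it likes."""
    hops, trusted = [], True
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ip, by = IP_RE.search(m.group(1)), BY_RE.search(m.group(1))
        by_host = by.group(1).lower() if by else ""
        if by_host != our_mx.lower():
            trusted = False          # first foreign hop: nothing below is verifiable
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by_host, "trusted": trusted})
    return hops

def connecting_ip(raw, our_mx):
    """The peer that actually connected to us: the lowest trusted hop's 'from' IP."""
    trusted = [h for h in received_chain(raw, our_mx) if h["trusted"]]
    return trusted[-1]["from_ip"] if trusted else None
```

`connecting_ip(RAW_HEADERS, "smtp.$dayjob.com")` yields the only address worth putting in an abuse report; the inner hop is listed but flagged unverified.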
sm5w2 (Premium Member):

Another spam (direct-to-mx on port 25) from a Bell IP in the Montreal area:

=================
Return-Path: salesidmi@aluchem.com.au

Received:
from bas1-montreal30-2925414850.dsl.bell.ca ([174.94.73.194])
Sun, 28 Jul 2013 15:28:29 -0400

X-VirtualServer:
Default, smailer1.service.aluchem.com.au, 10.10.5.8

Errors-To: errors@aluchem.com.au
Reply-To: noreply@aluchem.com.au

Subject: Dr. Oz's Best Advice Ever!
From: "Dr.OZ Tips" (salesidmi@aluchem.com.au)
===================

Either there is a rash of Bell Business customers in Montreal getting their PCs hacked and turned into spam zombies, or there is a single infected machine that has a dynamic IP *AND* which Bell allows to have unlimited port-25 outbound access.

So here's the list so far:

76.70.29.15
174.94.154.30
174.94.73.194

Anyone know how those IPs are assigned (Residential or Business)?

Guspaz (MVM, join: 2001-11-05, Montreal, QC), replying to sm5w2:
Send it to Bell abuse, there's no point in you spamming here about it. If you really want to do that, try the direct Bell forums.

sm5w2 (Premium Member):

> there's no point in you spamming here about it

There is if I want to shame Bell into doing something about it by posting them here in public. They should be reading these posts anyways. All the details are in my posts for them to be able to do something about it - even if it means changing their policy on port-25 for the accounts involved.
sm5w2 (Premium Member):

This IP is trying to do *something* with my mail-server:

20130729115656-0400:SMTP-Accept:Connect:[69.159.211.214]
20130729115656-0400:SMTP-Accept:Timeout:[69.159.211.214]:5:0:110
20130729115727-0400:SMTP-Accept:Connect:[69.159.211.214]
20130729115727-0400:SMTP-Accept:Timeout:[69.159.211.214]:4:0:110

Can't quite tell what it's trying to do. But it is trying to interact with my SMTP server on port 25.

It's a Bell IP address, no rDNS, geo-ip puts it in Guelph. It has a history of being a "dictionary attacker": »www.projecthoneypot.org/ ··· .211.214

It is operating some sort of web-server: »69.159.211.214/video.html

So here's the list of misbehaving Bell IPs so far:

76.70.29.15
174.94.154.30
174.94.73.194
69.159.211.214
taraf (Member, Ottawa, ON), replying to sm5w2:
said by sm5w2:

> > there's no point in you spamming here about it
>
> There is if I want to shame Bell into doing something about it by posting them here in public. They should be reading these posts anyways. All the details are in my posts for them to be able to do something about it - even if it means changing their policy on port-25 for the accounts involved.

I know for a fact that Bell employees do read this forum.... I also know for a fact that most of them are quite happy to let you continue making an ass of yourself by posting stuff like this publicly, rather than taking it to the appropriate place. Something about taking a horse to water, but not being able to make it drink?

If you expect them to do something about it, you need to actually tell the people whose job it is to do something about it.

I mean, seriously... what do you expect them to do about it? E-mail can *easily* be spoofed to look like it's coming from somewhere it isn't (even the originating IP address can be spoofed with a compromised mail server), and it's not illegal to port sniff or attempt to connect to a server on the web. You have, at best, a minor annoyance on your hands, and one that could be solved by implementing greylisting on your server.

And even if you *did* expect them to do something about it, you're not posting anything even remotely resembling full headers from the so-called spam messages. You really should know that you need to provide full headers, and ideally the full and unredacted message itself in raw format to the appropriate people if you expect them to be able to trace back its source.

As a real life example, if I were to be making this kind of complaint myself, I would be SSH'ing into the mail server, copying the message in question from the mail queue into a text file, and sending that text file as an attachment to the abuse team for the source. If that's too daunting to you, perhaps you should reconsider whether you're the right person to be dealing with this matter.
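An added example, not from the thread: the greylisting taraf recommends, reduced to its core rule. A new (client network, envelope sender, recipient) triplet gets a 450 temporary failure and is accepted only on a retry after `min_delay`; real MTAs queue and retry, while direct-to-MX bots of the kind described above typically fire once and move on. The scenario in `simulate()` is constructed, with 203.0.113.0/24 standing in for a legitimate mail farm and `me@$dayjob.com` being the thread's placeholder.

```python
from ipaddress import ip_network

class Greylist:
    """Temp-fail the first delivery attempt for an unseen triplet and accept a
    retry that arrives after min_delay seconds but before retry_window expires."""

    def __init__(self, min_delay=300, retry_window=4 * 3600):
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.pending = {}      # triplet -> time of first attempt
        self.passed = set()    # triplets that retried like a real MTA

    @staticmethod
    def key(ip, sender, rcpt):
        # Key on the /24: legitimate mail farms often retry from a sibling host.
        net = ip_network(f"{ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply code to give at RCPT TO time."""
        k = self.key(ip, sender, rcpt)
        if k in self.passed:
            return 250
        first = self.pending.get(k)
        if first is None or now - first > self.retry_window:
            self.pending[k] = now          # new, or a stale record: start the clock
            return 450
        if now - first < self.min_delay:
            return 450                     # retried too quickly: keep waiting
        self.passed.add(k)                 # waited and retried: let it through
        del self.pending[k]
        return 250


def simulate():
    """Constructed scenario: a bot at one of the thread's IPs sends once and never
    retries; a legitimate server retries ten minutes later from a sibling host."""
    gl = Greylist()
    bot = gl.check("174.94.154.30", "heartsxh67@vodafone.com", "me@$dayjob.com", 0)
    legit_first = gl.check("203.0.113.10", "ops@example.net", "me@$dayjob.com", 0)
    legit_retry = gl.check("203.0.113.11", "ops@example.net", "me@$dayjob.com", 600)
    return bot, legit_first, legit_retry
```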