Spam Server Analysis by Javantea aka. Joel R. Voss

Spam Server Analysis

by Javantea aka. Joel R. Voss
Analysis: Jan 9-Aug 26, 2006
Write-up: Sept 8, 2006
Botnets
Spam Server Analysis 0.6 [sig]
Spam Server Analysis 0.4 [sig]
Spam Server Analysis 0.1 [sig]
50 MB of Test Spam [sig]

Introduction

Spam servers are generally accepted to be among the worst netizens currently residing on the net. Most are zombie botnets, some are open relays or proxies, but some are legitimate businesses in foreign countries. Since spam is illegal in the US, any server sending spam (with quite a few exceptions) is committing a crime. Of course, legislators have no concept of legitimate enforcement, so the fact that spam is a crime does not affect the level of spam that users receive.

Detection, analysis, and blacklisting of spam servers is the proper method to eradicate spam servers. While certain methods of unblacklisting will be required, blacklisting has no downsides. Occasional spammers will not be blocked until they make themself a nuisance.

Spam servers hide by using the obscurity of their origin and unwillingness of network admins to blacklist them. My intent in writing software to analyze spam servers is to give the security and anti-spam community accurate data on the origin of spam. There are different methods to be tried against different spam methods. Knowing the numbers and the types of spam systems will give us the ability to decide upon what methods to use against them.

Blacklisting of known offenders works well against repeated spam offenders. Blacklisting of ranges works well against a widespread botnet problem or the use of dynamic ips and anonymous wireless access, but has the unintended consequence of blocking legitimate senders from those ranges. Bayesian filterning works well against widespread botnets and ipv6 networks (where ranges are impractical). Statistical filtering works with low entropy spam senders. SpamD works against poorly implemented attack systems, which is not future-proof. Obsfucation of e-mails works against unsophisticated spiders. Free anti-virus services will work against large groups of infected machines with users that have time to use them properly. Anti-virus services are vulnerable to more advanced viruses (polymorphic, etc).

Methods of Spam Server Analysis

When a spam server sends spam, most of the data is unreliable. In fact, the URLs could be joe jobs. Therefore, the only reliable data is the data written by the local mail server on the ip address of what server it received the mail from. This can be found in the Received: header. Since the received header can be rather ugly, a Perl script must be written to ensure proper filtering.

Process

4 types of Received messages:
from domain.com (domain [ip])
by domain.com (blah) with blah id blah
for <email@ext.domain.com>; date
via service

The script simply searches with regex for:
Received: from ([^ ]+) \(([^ ]*) ?\[([^\]]*)\]\)

Certain e-mails will have more than one match. This is a flaw in the program and has been corrected in version 0.4. 256 ips (out of 2982 emails) were found to be added erroneously (including 127.0.0.1, 10.1.0.10, etc.) to version 0.1 by this method. This method can only add a Received line and mark a non-spam server as a spam server. The solution to this is to only accept the Received header written by the local known good mail server. This way there are no false positives or false negatives.

Data

A typical spam:

Received: from localhost by ASLinWs01.altsci.com
        with SpamAssassin (version 3.1.3);
        Fri, 25 Aug 2006 18:06:17 -0700
From: "Rhonda Nicholas" <lauren@ringve.com>
To: <uucp@recordsportal.com>
Subject: $888 Deposit Bonus
Date: Fri, 25 Aug 2006 23:34:30 -0300
Message-Id: <53032102247942.F5CF32FB0E@AKQYFZ>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
        ASLinWs01.altsci.com
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.4 required=10.0 tests=RCVD_IN_XBL,SUBJ_DOLLARS
        autolearn=disabled version=3.1.3
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------=_44EF9E89.D986D298"
X-UID:
Status: R
X-Status: NPC
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:

...

------------=_44EF9E89.D986D298
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Received: from 85uom7uo.fe45i.ameritech.net ([200.115.206.200]) by ---------------- with Microsoft
 SMTPSVC(6.0.3790.1830);
         Fri, 25 Aug 2006 17:56:42 -0700
Message-ID: <53032102247942.F5CF32FB0E@AKQYFZ>
From: "Rhonda Nicholas" <lauren@ringve.com>
To: <uucp@-------------.com>
Subject: $888 Deposit Bonus
Date: Fri, 25 Aug 2006 23:34:30 -0300
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Thread-Index: K7Xv5km5HgnpYUmghBEtoi4DyOrPMRqKL5M5
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Return-Path: lauren@ringve.com
X-OriginalArrivalTime: 26 Aug 2006 00:56:43.0443 (UTC) FILETIME=[7F6C3030:01C6C8AA]

At Vegas Lounge Casino, we are so sure you are going to love our games
that we are giving you  up to $888.00 FREE
just for trying our Casino.
$ 888.00 FREE!
Click Here Now!
http://chelate.info.stainmayjon.com/v/v22

Output of the script:

200.115.206.200

Future

Obvious improvements can be easily made to this script:

~~Removing the possibility of false headers~~
~~Removing duplicate entries~~
~~Automated portscanning and reporting~~
Who is naming the server as spam
What is the dns name

If you are interested in developing Spam Server Analysis, feel free to e-mail me.