I have an email address set up that customers can send false negative SPAM to should it get through the Email gateways.  One I received the other day shows just how allowing country IP blocks to be searched would benefit anti-spam gateways to clean up the relatively few number of false negatives they let through. I blogged about that below.

 The below is a cleaned up part header of an email one of my coworkers received that was a 419 SPAM with a word attachment delivering the social engineering “payload.”  It was sent from what I believe to be a Sun OS webmail server from a large well known east coast university ( I have notified the who-is abuse contact already.)   The IP from Nigeria ( 78.138.3.237), is what directly connected to the webmail server with an account of a college user and sent the SPAM through an already trusted infrastructure.  If the college or I was able to search for Nigerian IPs anywhere in the received lines this would have been dropped or quarantined.

Received: from iron1-smtp.xx.xxxx.edu ([xxx.xxx.127.241])  by
SannetSmtp1-in.sannet.gov with ESMTP; 25 Jun 2009 10:09:32 -0700
X-SenderBase: None
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhMJAEZMQ0qApIMj/2dsb2JhbACONYhfgkyocIc9iE6EDQU
X-IronPort-AV: E=Sophos; i=”4.42,291,1243828800“; d=”scan’208″;a=”44717911″
Received: from optimus.xx.xxxxx.edu (HELO xxxx.edu) ([xxx.xxx.131.35])  by iron1-smtp.xx.xxxxx.edu with ESMTP; 25 Jun 2009 13:09:34 -0400
Received: from [78.138.3.237] by prime.xx.xxxxx.edu (mshttpd); Thu, 25 Jun
2009 18:09:34 +0100
From: Rxxxxx Hxxxxx <rxxx@xxxxx.edu>
Message-ID: <fce1a4442b7d.4a43bd5e@xxxx.edu>
Date: Thu, 25 Jun 2009 18:09:34 +0100
X-Mailer: Sun Java(tm) System Messenger Express 6.2-7.04 (built Aug 17 2006)
MIME-Version: 1.0
Content-Language: en
Subject: Respond ASAP
X-Accept-Language: en
Priority: normal
Content-Type: text/plain; charset=”us-ascii”
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Return-Path: rxxxx@xxxx.edu

My displeasure for the “send me money” scammers has been documented in previous entries so I won’t bore you with that again, although I did want to talk about an idea I had to fight those losers.  Basically I want to write SMTP gateway Anti-SPAM policy that can filter for IP address ranges (dashed range or CIDR) in ANY received header.  I have a feature request into our vendor for this very ability and am looking forward to seeing how well it will work if they can make it happen.

My reasoning behind this is to fill in a gap that I see in the current Anti-SPAM tactics, which are mainly sender IP reputation and content matching.  419 emails seem to be best making it through those traps because the “last hop” before your SMTP server is some bot host here in US or the most commonly they are sent from a free email service directly (Yahoo, Gmail, Hotmail, etc) so sender reputation isn’t all that effective (neither is SPF, SenderID, DKIM) and since they are very businesslike text, content catching the Spammyness is also hard.   However, if I was able to look for trouble country IP ranges in any of the SMTP Received lines there’s a good chance I could catch many of these sent from or through foreign nations.

See some of the free webmail providers include this line to show the IP address of the computer that sent the through the browser.

Received: from [79.80.169.10] by web36802.mail.mud.yahoo.com via HTTP; Sun, 31 May 2009 17:00:44 PDT

Being able to filter on the CIDR ranges (countryipblocks.net or maxmind.com) in any received line, not just the last one with sender reputation, would greatly increase the granularity for keyword lists.  For example you can write a 419 keyword policy but you will get MANY false positives if you apply it to all email, whereas I’d like to check it only if the email was sent from or through for example Nigeria, China,  Romania,  Russia, or Poland IP ranges.  Pseudo policy below….

#SPAMKeywordsfromNigeria

SPAM_KeywordsInBodyorAttachment:

If (dictionary-contains (‘SPAM_Keywords_BodyorAttachments’)) AND

If (header-dictionary-received-contains (‘NigerianIPs’))

{

Quarantine (’419 from Nigeria’);

}

I’ll update my blog if I’m able to apply this and how effective it is.

   You know it’s hard for me to talk about the 419, stock pump/dump, bank phishers and the rest, without using excessive profanity which isn’t quite appropriate for a blog.  So recently there was a customer of mine that forwarded an email through the SMTP gateways I manage that was caught in a custom word filter list.  While I tried determine if I should release the email it became apparent the scam has already been effective to the tune of 900.00.  And the Nigerian loser was trying to get an extra 300 out of the victim.  The scam involves posting a house for rent on Craig’s list, after searching for real houses for rent or sale in the area.  So if the mark drives by the address the pics match and there is a for rent or sale sign out front.  The response to the initial inquiry about the house, is usually about getting called away on business to Nigeria and needing first month’s and security deposit sent through Western Union.  I’ve been seeing more and more of these idiots trying whatever they can to steal money from others as if they are entitled to it; because they were born in a 3rd world country anything they do to “the rich” in America is justified.  I really can’t understand the upbringing these people must have had to be able to sleep at night ripping people off.  Although I know it’s not true, it’s really hard to not generalize and see the entire country of Nigeria as a bunch of cheats, crooks, and liars when you are exposed to the these emails on a daily basis. 

  Craig’s list highlights that anyone asking for payment from Western Union is a scam link.  But unfortunately people are busy and trusting when it sounds like a good deal.  All I ask is please be vigilant out there, the Internet is not only the happy joyous place social networking sites want you to believe it is. It has a dark side and like many forms of negativity it often comes with a “pretty face” and a good deal.  Here’s an example reply from one of these piece of #^%@& sons a &^%$* link

PS. And in case you needed more convincing here’s an article about a convicted SPAMMER that escaped from minimum security prison recently and then proceded to kill himself, his wife, and toddler.  Just goes to show the cowards these individuals really are. link