• [CM] openBSD vs the spam onslaught

    From polymorph self@21:1/5 to RS Wood on Tue Oct 4 02:48:24 2016
    On Sunday, September 25, 2016 at 9:03:41 AM UTC-4, RS Wood wrote:
    From the «keeping Nigeria in Nigeria» department:
    Title: The Voicemail Scammers Never Got Past Our OpenBSD Greylisting
    Author: Peter N. M. Hansteen
    Date: Mon, 29 Aug 2016 13:28:00 -0400
    Link: http://bsdly.blogspot.com/2016/08/the-voicemail-scammers-never-got-past.html

    We usually don't see much of the scammy spam and malware. But that one time we
    went looking for them, we found a campaign where our OpenBSD[1] greylisting setup was 100% effective in stopping the miscreants' messages.

    Between August 23rd and August 24th 2016, a spam campaign was executed with what
    appears to have been a ransomware payload. I had not noticed anything particularly unusual about the bsdly.net and friends setup that morning, but then Xavier Mertens' post at isc.sans.edu Voice Message Notifications Deliver Ransomware[2] caught my attention in the tweetstream, and I decided to have a look.

    The first step was, as always, to grep the spamd[3] logs, and sure, there were
    entries with from: addresses of voicemail@ in several of the domains my rigs are somehow involved in handling mail for.

    But no message from voicemail@bsdly.net had yet reached any mailbox within my reach at that point. However, a colleague checked the quarantine at one of his
    private mail servers, and found several messages from voicemail@ aimed at users in his domains.

    Dissecting a random sample confirmed that the message came with an attachment with a .wav.zip filename that was actually a somewhat obfuscated bit of javascript, and I take others at their word that this code, if executed on your
    Microsoft system, would wreak havoc of some sort.

    At this point, before I start presenting actual log file evidence, it is probably useful to sketch how the systems here work and interact. The three machines skapet, deliah and portal are all OpenBSD[1] systems that run spamd[3]
    in greylisting mode, and they sync their spamd data with each other via spamd's
    own synchronization mechanism.

    All of those machines do greytrapping based on the bsdly.net list of spamtraps[4], and skapet has the additional duty of dumping the contents of its greytrapping generated blacklist to a downloadable text file[5] once per hour.
    Any message that makes it past spamd is then fed to a real mail server that performs content filtering before handing the messages over to a user's mailbox or, in the case of domains we only do the filtering for, forwards the message to the target domain's mail server.

    The results of several rounds of 'grep voicemail $logfile' over the three spamd
    machines are collected here[6], or with the relatively uninteresting "queueing
    deletion of ..." messages removed, here[7].

    From those sources we can see that there were a total of 386 hosts[8] that attempted delivery, to a total of 396 host and target email pairs (annotated here[9] in a .csv file with geographic origin according to whois[10]).

    The interesting part came when I started looking at the mail server logs to see
    how many had reached the content filtering or had even been passed on in the direction of users' mailboxes.

    There were none.

    The number of messages purportedly from voicemail@ in any of the domains we handle that made it even to the content filtering stage was 0.

    Zero. Not a single one made it through even to content filtering.

    That shouldn't have been a surprise.

    After all, I've spent significant time over the years telling people how effective greylisting is, and that the OpenBSD[1] spamd[3] version is the best of the breed.

    You could take this episode as a recent data point that you are free to refer to in your own marketing pushes if you're doing serious business involving OpenBSD[1].

    And if you're into those things, you will probably be delighted to learn, if you hadn't figured that out already, that a largish subset of the attempted deliveries were to addresses that were already in our published list[4] of spamtrap addresses.

    That means our miscreants automatically had themselves added to the list of trapped spammer IP addresses as intended.

    If you're interested in how this works and why, I would suggest taking a peek at the OpenBSD web site, and of course I have a book[11] out (available at that
    link and via better bookstores everywhere) that explains those things as well.

    Relevant blog posts of mine include Keep smiling, waste spammers' time[12], Maintaining A Publicly Available Blacklist - Mechanisms And Principles[13], In
    The Name Of Sane Email: Setting Up OpenBSD's spamd(8) With Secondary MXes In Play - A Full Recipe[14] and a few others, including the somewhat lengthy Effective Spam and Malware Countermeasures - Network Noise Reduction Using Free
    Tools [15]. To fully enjoy the experience of what these articles describe, you
    may want to get hold of your own CD set from the OpenBSD store[16].

    And again, if you're doing business involving OpenBSD[1], please head over to the project's donations[17] page and use one or more of the methods there to send the developers some much needed cash.

    In addition to the files directly referenced in this article, some related files are available from this directory[18]. I'll be happy to answer any reasonable queries related to this material.

    Good night and good luck.

    ------------------------------------------------------------------------------
    Update 2016-08-30: I've been getting questions about the currently active campaign that has document@ as its sender. The same story there: I see them in
    the greylist and spamd logs, no trace whatsoever in later steps. Which means they're not getting anywhere.

    Update 2016-09-13: A quick glance at a tail -f'ed spamd[3] log file reveals that today's fake sender of choice is CreditControl@. Otherwise same story as before, no variations. And of course, there may have been dozens I haven't noticed in the meantime.

    Links:
    [1]: http://www.openbsd.org/
    [2]: https://isc.sans.edu/forums/diary/Voice+Message+Notifications+Deliver+Ransomware/21397/
    [3]: http://man.openbsd.org/OpenBSD-current/man8/spamd.8
    [4]: http://www.bsdly.net/~peter/traplist.shtml
    [5]: http://home.nuug.no/~peter/bsdly.net.traplist
    [6]: http://home.nuug.no/~peter/voicemail/all-voicemails.txt
    [7]: http://home.nuug.no/~peter/voicemail/all-voicemails_nodelete.txt
    [8]: http://home.nuug.no/~peter/voicemail/voicemail_sender_ip.txt
    [9]: http://home.nuug.no/~peter/voicemail/voicemail_ipfromto_all.csv
    [10]: http://man.openbsd.org/OpenBSD-current/man1/whois.1
    [11]: http://nostarch.com/pf3
    [12]: http://bsdly.blogspot.no/2013/05/keep-smiling-waste-spammers-time.html
    [13]: http://bsdly.blogspot.no/2013/04/maintaining-publicly-available.html
    [14]: http://bsdly.blogspot.no/2012/05/in-name-of-sane-email-setting-up-spamd.html
    [15]: http://bsdly.blogspot.no/2014/02/effective-spam-and-malware.html
    [16]: https://openbsdstore.com/
    [17]: http://www.openbsd.org/donations.html
    [18]: https://home.nuug.no/~peter/voicemail/

    awesome!!!

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
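The quoted post describes its evidence-gathering as a few rounds of 'grep voicemail $logfile' over the spamd logs of three machines, dropping the "queueing deletion of ..." noise, and then tallying distinct source hosts, distinct host/recipient pairs, and how many of the targeted addresses were already on the published spamtrap list. The script below is an added example that does exactly that tally; it is not code from the post, from Hansteen, or from the OpenBSD project. The log excerpt and the trap list it works on are constructed for the example, and the field layout they follow is an assumption that only approximates spamd(8)'s real log format, so the sed patterns will need adjusting against real logs.

```shell
#!/bin/sh
# Added example, not code from the quoted post or from Hansteen's setup.
# Lines mentioning a given sender local-part are pulled from a spamd(8)
# log, the "queueing deletion" noise is dropped, and distinct source
# hosts, distinct host/recipient pairs and recipients that are on the
# spamtrap list are counted.
#
# ASSUMPTION: the log lines and the trap list below are constructed for
# this example and only approximate spamd's real logging format; adjust
# the sed patterns to the field layout in your own logs.

SAMPLE_LOG="${TMPDIR:-/tmp}/spamd-sample.$$"
TRAP_LIST="${TMPDIR:-/tmp}/traplist-sample.$$"
trap 'rm -f "$SAMPLE_LOG" "$TRAP_LIST"' EXIT

# Constructed log excerpt (RFC 5737 documentation addresses, invented hosts).
cat > "$SAMPLE_LOG" <<'EOF'
Aug 23 09:11:02 skapet spamd[4711]: (GREY) 192.0.2.10: <voicemail@example.net> -> <alice@example.net>
Aug 23 09:11:40 skapet spamd[4711]: (GREY) 192.0.2.10: <voicemail@example.net> -> <bob@example.net>
Aug 23 09:12:13 deliah spamd[9021]: (GREY) 198.51.100.7: <voicemail@example.org> -> <trap1@example.org>
Aug 23 09:12:15 deliah spamd[9021]: (GREY) 198.51.100.7: <voicemail@example.org> -> <trap1@example.org>
Aug 23 09:13:01 portal spamd[1312]: (BLACK) 203.0.113.5: <voicemail@example.com> -> <carol@example.com>
Aug 23 09:14:22 skapet spamd[4711]: (GREY) 192.0.2.77: <newsletter@example.net> -> <alice@example.net>
Aug 23 09:15:00 skapet spamd[4711]: queueing deletion of 192.0.2.10 <voicemail@example.net> <alice@example.net>
EOF

# Constructed stand-in for the published spamtrap address list.
cat > "$TRAP_LIST" <<'EOF'
trap1@example.org
trap2@example.org
EOF

# Log lines for <localpart>@, minus the deletion notices the post filters out.
# Usage: sender_lines LOGFILE LOCALPART
sender_lines() {
    grep -- "$2@" "$1" | grep -v 'queueing deletion of'
}

# Distinct source hosts that attempted delivery from <localpart>@
# (the post's "386 hosts" figure).
count_hosts() {
    sender_lines "$1" "$2" |
        sed -n 's/.*([A-Z]*) \([0-9.]*\): .*/\1/p' |
        sort -u | wc -l | tr -d ' '
}

# Distinct (source host, recipient) pairs
# (the post's "396 host and target email pairs" figure).
count_pairs() {
    sender_lines "$1" "$2" |
        sed -n 's/.*([A-Z]*) \([0-9.]*\): <[^>]*> -> <\([^>]*\)>.*/\1 \2/p' |
        sort -u | wc -l | tr -d ' '
}

# Distinct targeted recipients that are already on the spamtrap list,
# i.e. deliveries that got the sending host greytrapped.
# Usage: count_trap_hits LOGFILE LOCALPART TRAPLIST
count_trap_hits() {
    sender_lines "$1" "$2" |
        sed -n 's/.*-> <\([^>]*\)>.*/\1/p' | sort -u |
        grep -c -F -x -f "$3"
}

echo "hosts:     $(count_hosts "$SAMPLE_LOG" voicemail)"
echo "pairs:     $(count_pairs "$SAMPLE_LOG" voicemail)"
echo "trap hits: $(count_trap_hits "$SAMPLE_LOG" voicemail "$TRAP_LIST")"
```

Pointing SAMPLE_LOG at a real spamd log (or at a concatenation of the three machines' logs, as the post does) and TRAP_LIST at the published trap list turns this into the same report the post links to; the host count and the pair count differ whenever one source host tries several recipients, which is the gap between the two figures the post gives.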