
(Challenge) Tracing a spammer


cormega
04-03-2008, 05:18 PM
Hi, I'm not sure if this is the right place for such a topic or if it is at all possible but please take a minute to read this post and drop a reply if you can.

I work as an IT / Network consultant for a company; recently one of our users has been receiving a LOT of e-mails of the sort you receive if you send an e-mail to an invalid e-mail address.

I'm guessing that most of you know what types of messages I am talking about but here's an example:



a1aaa1azzzz1zaaaaa@dbtec.de den 03.04.2008 12:59
The e-mail account does not exist at the organization this message was sent to.
Check the e-mail address, or contact the recipient directly to find out the correct address.
< mailfb.netuse.de #5.1.1 SMTP; 550 <a1aaa1azzzz1zaaaaa@dbtec.de>:
Recipient address rejected: User unknown in local recipient table>



This has become quite a problem as my colleague has started to receive up to 100 of these mails a day.

As far as I can understand, this is a result of a spammer sending e-mails to addresses over the world and spoofing the source e-mail so that it appears to originate from the e-mail address of my co-worker.

I know it probably is a simple procedure to include some sort of rule in our spamfilter to ensure that these types of system messages won't be sent to the person in question, but I am curious by nature and I want to see how far I can go in tracing this activity back to the original sender.

The only information I have been able to gather about the source is the following lines from a failure notice mail sent to my co-worker (however I suspect that this information will only lead to a system the spammer has been able to compromise and is using to send out messages):

Return-Path: <XX@XXXX.no>
Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500
Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)
by corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500

(the XX@XXXXX.no address is the address of my co-worker which I have censored to ensure that he won't be the victim of even more e-mail terror :cool: )

The purpose of the mail in which I found this information was to lead the receiver of the mail to the following URL:

http://compservice.land.ru/video.exe

The server hosting this file is probably compromised as well and I don't believe it will lead directly to the spammer.

But if you have any suggestions for me about how I should proceed with this little project of mine please let me know!

P.S. just to make one thing clear, I have no intentions of engaging in any illegal activities towards the different IP addresses or hostnames that I might come over in this investigation. However I do understand that there is a risk that some of the readers on this forum might not feel the same way but if you decide to help me with this project please lets keep the information gathering on a non-intrusive level so that I can continue to share information with you as I continue the investigation.
I expect that the forum admins and mods here will shut this thread down immediately if this thread was to spark some illegal activities towards any of the innocent systems I might list here, and I do not want this to happen at all - I hope everyone can respect this but still contribute to the investigation if they wish to.

Thank you.

streaker69
04-03-2008, 05:30 PM
I can guarantee this is an exercise in futility. All you're going to end up finding is the zombie machine that sent the mail. You'll never find the person in control of the zombie. Setup a good SPAM filter, and move on there's other things that are more important.

spankdidly
04-03-2008, 05:35 PM
I can guarantee this is an exercise in futility. All you're going to end up finding is the zombie machine that sent the mail. You'll never find the person in control of the zombie. Setup a good SPAM filter, and move on there's other things that are more important.

True. The guy would have to be a complete idiot to send it from his machine.

cormega
04-03-2008, 05:44 PM
Like I stated in my first post, I am aware that both the server sending out the mails and the server hosting the virus or whatever is not his property at all.

What I want to do here is gather as much information about the zombie network as possible and in the end inform whoever actually pays for these servers and their ISP's.

Tracking down the actual person behind this is as far-fetched as it gets and there is no way I would ever dream of trying to achieve something like that; however I realize that I might have expressed myself in a way that might have given the impression that I wanted to track the actual spammer down, and that was stupid of me.

streaker69
04-03-2008, 05:51 PM
Like I stated in my first post, I am aware that both the server sending out the mails and the server hosting the virus or whatever is not his property at all.

What I want to do here is gather as much information about the zombie network as possible and in the end inform whoever actually pays for these servers and their ISP's.

Tracking down the actual person behind this is as far-fetched as it gets and there is no way I would ever dream of trying to achieve something like that; however I realize that I might have expressed myself in a way that might have given the impression that I wanted to track the actual spammer down, and that was stupid of me.

There are much larger groups that are tracking the zombies with much more resources available to them than you can imagine. You might be able to find one or two machines, but you have no idea if they belong to the same botnet, or different botnets. If you're really interested in pursuing this type of thing, then get a job with SANS or any of the other larger groups that have the resources to actually track them down.

cormega
04-03-2008, 06:00 PM
There are much larger groups that are tracking the zombies with much more resources available to them than you can imagine. You might be able to find one or two machines, but you have no idea if they belong to the same botnet, or different botnets. If you're really interested in pursuing this type of thing, then get a job with SANS or any of the other larger groups that have the resources to actually track them down.


Point taken, however I was not really planning to transform into the role of internet's very own Dirty Harry here.

All I really wanted was to get a few tips about how I can gather a little more information here (not planning to spend more time than a couple of nights on this, maybe even kill some dead-time at the office).


For instance, what would be the best way to find out who is supplying the Internet Access to the two servers here?

streaker69
04-03-2008, 06:02 PM
Point taken, however I was not really planning to transform into the role of internet's very own Dirty Harry here.

All I really wanted was to get a few tips about how I can gather a little more information here (not planning to spend more time than a couple of nights on this, maybe even kill some dead-time at the office).


For instance, what would be the best way to find out who is supplying the Internet Access to the two servers here?

Nslookup/whois is always a start. Since the server is in Russia, you ain't gonna get a single bit of cooperation from the ISP.

In Soviet Russia, servers spam you.

spankdidly
04-03-2008, 06:04 PM
In Soviet Russia, servers spam you.

Dammit Streaker, That was my line.

cormega
04-03-2008, 06:10 PM
you ain't gonna get a single bit of cooperation from the ISP.

I guess that's true. Actually, this is the second time that the user in question has experienced this with his e-mail account..


the last time a security consultant was here (no, we did not hire a security consultant for this - he was here on another matter :P ) and traced the ISP to China .. and as you probably can imagine, neither the e-mail to the ISP or to the company who owned the server which was being used to send mail helped.. not even a polite f*ck off :eek:

streaker69
04-03-2008, 06:14 PM
I guess that's true. Actually, this is the second time that the user in question has experienced this with his e-mail account..


the last time a security consultant was here (no, we did not hire a security consultant for this - he was here on another matter :P ) and traced the ISP to China .. and as you probably can imagine, neither the e-mail to the ISP or to the company who owned the server which was being used to send mail helped.. not even a polite f*ck off :eek:

I've been tracking and reporting abuses for several years now, and I know that you will never get any help from ISP's in Russia, China, most of the PacRim or anywhere in Africa.

If you get attacks or abuses from Canada, the US, the UK, you'll get help from those ISP. The other countries in Europe are spotty at best with helping out.

If who you're working with is a smaller local company and chances are they'd have no reason to get anything legitimate from Russia or the PacRim, it's best just to block those subnets from even getting through your router to your Mail server. Where I'm at, I probably have close to 80 or so subnets that in my opinion, don't exist.

cormega
04-03-2008, 06:35 PM
The company I work for is a financial institution of medium size (on a Norwegian scale :) ) but I doubt we will be able to get any help on account of our name from any Russian company.

However, as far as I can see only the server hosting the video.exe file resides in Russia - I followed your tip and tried some nslookup and whois attempts at the source IP listed in the mail and it turned out to be hosted by an Austrian ISP, so I will try to contact them to see if they can be helpful in any way.

I'm not even sure if the source IP is legit in any way but since it resolved to an Austrian ISP I thought it might be worth a shot.

-=Xploitz=-
04-03-2008, 07:17 PM
I don't believe this is "spam" in the true sense of the word "spam".

At first glance, it appears to me to be a type of SMTP (Simple Mail Transfer Protocol) mail bounce attack.


a1aaa1azzzz1zaaaaa@dbtec.de den 03.04.2008 12:59
The e-mail account does not exist at the organization this message was sent to.
Check the e-mail address, or contact the recipient directly to find out the correct address.
< mailfb.netuse.de #5.1.1 SMTP; 550 <a1aaa1azzzz1zaaaaa@dbtec.de>:
Recipient address rejected: User unknown in local recipient table>

And it would appear that now they have your mail server's address as well.

mailfb.netuse.de What the attacker is doing is "Reconnaissance". They're hoping that by sending this email to an address that doesn't exist, it will "bounce" back an error message to the attacker's email with your true email server's address. And it will send a list of host names and IP addresses back to them. The attacker can learn much about your company's IT and networking structure and plan out attacks by running whois and Nmap...along with other various methodologies of enumerating and fingerprinting / footprinting your company's network.

Be careful in how you deal with this. But on the brighter side, this method also exposes the attackers IP address assuming that they aren't using anonymous proxy chains and etc. :p

In that email...there should be an originating IP address if you look at its headers. ;)

Hope this info helps.

cormega
04-14-2008, 09:32 PM
Thanks for your reply -=Xploitz=-

I have been on a little vacation so I have not been focusing too much on this case for the last couple of weeks, but I do find it interesting though.

But the server address you posted does not belong to my company at all; I thought this might be a reply from a mail server to which the spammer/hacker sent an e-mail to a bogus address..

In the particular mail you are referring to here, there is no source IP anywhere, but in another mail I found the following:



Return-Path: <XX@XXXX.no>
Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500
Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)
by corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500
Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>
From: "adolph imsl" <XX@XXXX.no>
To: <eldridge@filethirteen.com>
Subject: Hot nude Rihanna video
Date: Thu, 03 Apr 2008 06:42:44 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0004_01C89564.011088F2"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

This is a multi-part message in MIME format.



I think the IP in this mail belongs to an Austrian ISP named eTel and I thought this IP might belong to a server used to forward the mails to make them appear to originate from this source, or that the IP belongs to a server which the hacker/spammer/whatever has managed to take control of and is using as a mail server for these types of mails... what do you think?

theprez98
04-14-2008, 10:04 PM
Here is a nice little tutorial on tracking the source IP of an email (this only works when the source of the email was Microsoft Outlook/Outlook Express as they encode the IP in the Message-ID field).

Based on the header data:

Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>

Break out the important portion (the part between the last $ and the @):

cc 4f b2 bc

Reverse by octet and convert from hex:

bc = 188
b2 = 178
4f = 79
cc = 204

Source IP address is 188.178.79.204

Unless the message ID or original IP was spoofed (possible), this is the IP of the computer that originally sent the email.
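Added example, not code from theprez98's post or from any tool named in the thread: a Python script that performs the Message-ID decode above and, next to it, pulls the IPv4 addresses out of the Received: lines that cormega quoted earlier. The header text is reconstructed from the thread (the sender is redacted there as XX@XXXX.no, and the folded "by corp.hovanic.com" line is re-indented so the parser treats it as a continuation); the function names are this example's own. On the thread's own sample the two clues disagree (the Message-ID decodes to 188.178.79.204 while the Received line shows 213.147.182.209), which is exactly the caveat in the post: neither value is proof on its own.

```python
"""Pull origin clues out of a bounced message's headers: the IPv4 addresses in
the Received: chain and the address Outlook Express embeds in its Message-ID."""
import ipaddress
import re
from email import message_from_string

# Sample headers as quoted in the thread (constructed for this example; the
# sender mailbox is redacted there, the 'by' continuation line is re-indented).
SAMPLE_HEADERS = (
    "Return-Path: <XX@XXXX.no>\n"
    "Received: (qmail 23974 invoked from network); 3 Apr 2008 03:19:26 -0500\n"
    "Received: from 213-147-182-209.sta.dsl.ycn.com (HELO 213.147.182.209) (213.147.182.209)\n"
    "\tby corp.hovanic.com with SMTP; 3 Apr 2008 03:19:26 -0500\n"
    "Message-ID: <000701c89564$0115a292$cc4fb2bc@kagscc>\n"
    'From: "adolph imsl" <XX@XXXX.no>\n'
    "To: <eldridge@filethirteen.com>\n"
    "Subject: Hot nude Rihanna video\n"
    "Date: Thu, 03 Apr 2008 06:42:44 +0000\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2900.3138\n"
    "\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Outlook / Outlook Express Message-IDs look like <....$....$XXXXXXXX@host>;
# the 8 hex digits before the '@' are the sender's IPv4 address, byte-reversed.
OE_MSGID_RE = re.compile(r"\$([0-9a-fA-F]{8})@")


def ip_from_outlook_message_id(message_id):
    """Decode the byte-reversed IPv4 hidden in an Outlook Express Message-ID, or None."""
    m = OE_MSGID_RE.search(message_id or "")
    if not m:
        return None
    hexpart = m.group(1)
    octets = [int(hexpart[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets))


def received_ips(raw_message):
    """All syntactically valid IPv4 addresses in the Received: headers, top to bottom."""
    msg = message_from_string(raw_message)
    found = []
    for hdr in msg.get_all("Received", []):
        for candidate in IPV4_RE.findall(hdr):
            try:
                ip = str(ipaddress.IPv4Address(candidate))
            except ValueError:  # e.g. an octet above 255: not an address
                continue
            if ip not in found:
                found.append(ip)
    return found


def origin_report(raw_message):
    """Combine both clues; 'agree' is True only if the Message-ID address also
    appears in the Received chain. A mismatch means one of them is forged or
    belongs to a different hop, so neither can be trusted on its own."""
    msg = message_from_string(raw_message)
    msgid_ip = ip_from_outlook_message_id(msg.get("Message-ID"))
    chain = received_ips(raw_message)
    return {
        "message_id_ip": msgid_ip,
        "received_ips": chain,
        "x_mailer": msg.get("X-Mailer"),
        "agree": msgid_ip is not None and msgid_ip in chain,
    }


if __name__ == "__main__":
    for key, value in origin_report(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The Received chain is read top to bottom, so the last entry is the oldest hop your own server can vouch for is only the one it added itself; everything below that was written by whoever relayed the message and can be fabricated just as easily as the Message-ID.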

archangel.amael
04-15-2008, 05:15 AM
Anyone interested in this might also wanna look into fast-flux, one of the newer techniques used when rogues (rouges :D) are hiding their locations
http://spamtrackers.eu/wiki/index.php?title=Fast-flux#What_phishing_schemes_are_using_this.3F

Quickly: Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

wyze
04-15-2008, 07:16 AM
Set up a good SPF record for the domain.

cormega
04-15-2008, 09:09 AM
thanks for the replies, I'm learning a lot from this thread already and I especially liked that trick theprez98 came up with - really sweet!

just came to work so if I get some time during the day I will see what more I can come up with and if I can resolve the same IP from more of these e-mails..

-=Xploitz=-
04-17-2008, 08:10 PM
Here is a nice little tutorial on tracking the source IP of an email (this only works when the source of the email was Microsoft Outlook/Outlook Express as they encode the IP in the Message-ID field).


Also, if you have a 30gigs.com account...all emails come with the original senders IP address and a cool little Google map of their exact location. ;)

Like I said earlier..look at the headers, and thanks prez for expanding on what I suggested. Saved me some time. :p

streaker69
04-17-2008, 08:18 PM
Sometimes the replies you'll receive will be less than helpful.


Thank you for contacting Ford Motor Company.

We have received a number of messages recently regarding IP xxx.xxx.xxx.xxx, specifically related to the SQL Slammer worm.

Our investigation into this matter has determined that the recent onset of attacks from this IP is the result of the IP being forged by an external party. External parties will commonly use IP addresses that belong to large organizations to mask network traffic.

Unfortunately, forging IP addresses is a common practice among spammers and it is very difficult to prevent such unethical behavior.

We appreciate your assistance. If we have any further questions or concerns regarding your message/notification, we may attempt to contact you at this e-mail address.

Best regards,

Ford Motor Company
--------------------------------------------------------------------------------
From: xxxxxx xxxxxxxxx [mailto:xxxxxx@xxxxxxx.xxxxx]
Sent: Monday, April 14, 2008 11:37 AM
To: Nsadmin, DNS (D.)
Subject: Attack from Your Network

I have received the following two alerts from my Snort box indicating that a machine on your network is probably compromised with the Slammer WORM. I just wanted to let you know so that this machine can be properly sanitized and stop attacking other networks.

"29", "647", "2008-04-11 13:28:43", "xxx.xxx.xxx.xxx", "4405", "xx.xxx.xx.xxx", "1434", "[url/vil.nai.com/vil/content/v_99992.htm] [nessus/11214] [cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [local/2003] [snort/1:2003] MS-SQL Worm propagation attempt"

"29", "1202", "2008-04-13 06:01:11", "xxx.xxx.xxx.xxx", "4405", "xx.xxx.xxx.xxx", "1434", "[url/vil.nai.com/vil/content/v_99992.htm] [nessus/11214] [cve/2002-0649] [icat/2002-0649] [bugtraq/5311] [bugtraq/5310] [local/2003] [snort/1:2003] MS-SQL Worm propagation attempt"

Attacker WhoIS: http://whois.domaintools.com/xxx.xxx.xxx.xxx

Snort Rule: http://www.snort.org/pub-bin/sigs.cgi?sid=1:2003

Thank you


Since the attack came from Ford Motor Company, I didn't send them my normal email, but sent them a rather nice one to let them know they have a problem. Of course, they don't want to get caught with their pants down so they send me back complete bullshit. The Slammer Worm is not able to forge its source IP according to the information I found about the Slammer Worm. I think they just don't want to own up to getting caught with a server that was compromised.

wyze
04-17-2008, 08:34 PM
I think they just don't want to own up to getting caught with a server that was compromised.

Well it is Ford after all... they're probably too busy with R&D in making a damn vehicle that will run over 100K miles :eek:

.lonewolf
04-18-2008, 01:02 PM
Sometimes the replies you'll receive will be less than helpful.

Since the attack came from Ford Motor Company, I didn't send them my normal email, but sent them a rather nice one to let them know they have a problem. Of course, they don't want to get caught with their pants down so they send me back complete bullshit. The Slammer Worm is not able to forge its source IP according to the information I found about the Slammer Worm. I think they just don't want to own up to getting caught with a server that was compromised.

I suspect their so-called investigation went as far as a "quick search" and read "on the net" and they think somehow it's all related.
http://www.infodev-security.net/handbook/part1.shtml

You're right streaker69. They're just trying to bullshit you into thinking they know exactly what's going on when in fact they have no potential clue... clueless!!!

swc666 is correct in saying that they probably have "better" things to do.

If and when the shit hits the fan... however, don't be surprised if they contact you, desperately :D

Andy90
04-18-2008, 09:41 PM
@swc666 - imo they spend all their time and money making a car that WON'T go over 100k miles ;)

@streaker - had to deal with the Department for Work and Pensions months back; their website's certificate was self-signed so I dropped them an email just to let them know or remind them. Long story short, several emails later they were adamant it was as good and did the same job as a properly signed one, and didn't understand the concept of a mitm attack :-/ And these are government people lol

@cormega - This will not help except in blocking it maybe (warning very messy but does have an advantage). Had same problem a bit ago for an employee where I work. What I proposed (but the spam stopped as quick as it had started so never implemented) was:
Give them a second SMTP in exchange
Set it to primary
Set a rule in their inbox saying 'delete all bounces that are returned to old address'

This way, for 'robustness' (god I hate that word!) people can still email the old address.
If she sent out an email that bounced she would get it
However any bounced emails, that originated from the first address were binned.

Sucky, messy, but in theory it should work. I know you're not after this but thought I would add it anyway lol

cormega
04-21-2008, 11:25 AM
Thanks for a lot of helpful replies so far - as of this moment the problem with these bounced mails has spread to more users in the company, so adding an additional SMTP account to every affected user would cause a lot of extra work ...

for now I will look into the abilities of a proper SPF solution as well as configure the spam filter to block bounced mails for the affected accounts..



P.S. if anyone could tell me how to provoke an invalid e-mail bounce I would be forever grateful :)

I am currently working on our mail filter now to enable it to tag outgoing e-mails so that un-tagged incoming e-mail bounces will be rejected, but to test this properly I will have to be able to generate invalid e-mail bounces to a given address but I am not sure how this is done, can anyone give me a hand here?

cormega
04-23-2008, 03:33 PM
I asked about this in another thread of mine:

( http://forums.remote-exploit.org/showthread.php?t=13170 )

But I haven't got any replies for a few days and because this isn't directly related to the topic in my other thread I created this one as well, as I wouldn't consider this Cross- / double-posting.

So I really hope this thread won't be locked, deleted or moved to the idiots corner :o


The case:

I have just finished setting up a bounce verification system on our mail filter to ensure that invalid mail bounces won't pass through; however it's kinda hard to test this considering that I don't know how to provoke a "fake" e-mail bounce.

So I need some assistance, or for someone to give me a couple of hints as to how I can provoke an invalid bounce towards an e-mail address of my choice.

This way I can test if the e-mail tagging system that I now have enabled is doing the job or if I have to do some more work here.


EDIT - Tried to post this in a new thread but since it ended up in here after just 15 minutes I guess the mods don't share my view of cross- / double posting :)
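Added example, not cormega's filter configuration or any product's code: a Python model of the outgoing-tag / incoming-bounce check described in the two posts above, using the prvs tag layout from the BATV draft (prvs=K DDD SSSSSS=address, with K a key id, DDD an expiry day number and SSSSSS six hex digits of a MAC). The HMAC-SHA1 input, the day-number arithmetic, the 7-day window, the key and the dates are assumptions for the demo. It also shows how to exercise the check without provoking real bounces: hand it the envelope pairs a bounce would present at SMTP time (MAIL FROM <>, RCPT TO an untagged, tagged, or expired address) and inspect the decision.

```python
"""BATV-style bounce address tagging: sign the outgoing return path, then
accept a bounce (null-sender message) only if it comes back to a valid tag."""
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed demo values; a real deployment keeps a secret key per domain.
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_TODAY = date(2008, 4, 21)

# prvs=K DDD SSSSSS=local@domain (K = key id, DDD = expiry day, SSSSSS = MAC)
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=(.+@.+)$")


def shift(day, n):
    """The date n days after `day` (kept here so callers need no date imports)."""
    return day + timedelta(days=n)


def _day_number(d):
    # Assumption for this example: day ordinal modulo 1000 as a 3-digit counter.
    return d.toordinal() % 1000


def _signature(key, key_id, day, address):
    # Assumption: HMAC-SHA1 over key id, expiry day and the lowercased address,
    # truncated to the 6 hex digits the tag has room for.
    msg = f"{key_id}{day:03d}{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]


def tag_return_path(address, key, today, key_id=0, valid_days=7):
    """Rewrite the outgoing MAIL FROM address to a signed form that expires in valid_days."""
    day = _day_number(shift(today, valid_days))
    return f"prvs={key_id}{day:03d}{_signature(key, key_id, day, address)}={address}"


def untag_bounce_recipient(rcpt, key, today, valid_days=7):
    """Return (original_address, reason); original_address is None when the tag
    is missing, carries a bad signature, or has expired."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return None, "untagged"
    key_id, day, sig, address = int(m.group(1)), int(m.group(2)), m.group(3).lower(), m.group(4)
    if not hmac.compare_digest(sig, _signature(key, key_id, day, address)):
        return None, "bad-signature"
    # An unexpired tag's day number is 0..valid_days ahead of today (mod 1000).
    if (day - _day_number(today)) % 1000 > valid_days:
        return None, "expired"
    return address, "ok"


def bounce_policy(mail_from, rcpt_to, key, today):
    """SMTP-time decision: ordinary mail goes on to normal filtering; a bounce
    (empty MAIL FROM) is accepted only if RCPT TO carries a valid tag."""
    if mail_from.strip("<>") != "":
        return "accept"
    address, reason = untag_bounce_recipient(rcpt_to, key, today)
    return "accept" if address else f"reject:{reason}"


if __name__ == "__main__":
    tagged = tag_return_path("user@example.no", DEMO_KEY, DEMO_TODAY)
    print("outgoing return path:", tagged)
    # Exercise the check with crafted envelopes instead of real bounces.
    for mail_from, rcpt in [("<>", "user@example.no"), ("<>", tagged),
                            ("peer@example.com", "user@example.no")]:
        print(mail_from, "->", rcpt, ":", bounce_policy(mail_from, rcpt, DEMO_KEY, DEMO_TODAY))
```

Two things worth keeping in mind when wiring this into a real filter: only messages with an empty envelope sender are subject to the tag check, so ordinary mail to the plain address still gets through, and the window has to be at least as long as the slowest legitimate bounce you expect, or genuine delivery failures will be thrown away as "expired".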