Another Morning of Fun

Published: 2010-06-10
Last Updated: 2010-06-10 17:48:57 UTC
by Deborah Hale (Version: 1)
3 comment(s)

Some of you may have noticed that I was a little slow in getting started this morning.  
I wasn't prompt with replying to your emails. For that I apologize.  I thought it would be
good if I explained why.

At my day job/paid job one of my responsibilities is handling abuse complaints; another
responsibility is cleaning up mail servers that are doing bad things.  The two usually go
hand in hand and are generally due to something one or more of the users did. Today
was no exception.  I logged into my email this morning and immediately knew I had a
problem.  I knew how the first half of my day was going to go.  I had several hundred
abuse reports for one of my mail servers.  I immediately began to investigate what
was going on with the server.  I soon discovered that I had over 33,000 emails queued
up and a bunch of bounces for undeliverable emails to domains like hotmail, yahoo,
comcast, aol, etc.  I began to review the emails and soon realized that someone had
logged into the webmail on the server with user IDs on the box and sent emails.  All of
the emails indicated the web access came from IPs in 41.138.x.x, which happens to be
in AfriNIC's world.  This particular server is a local server and I knew that it was highly
unlikely that someone would be legitimately logging in from Africa.  I immediately blocked
the CIDR from accessing the server and cleaned up the queued emails so that no more would
get out.  After the cleanup was done I began reviewing the logs for the webmail service.

Sure enough, I discovered that 3 valid user IDs had indeed been used to log in to the server
from the 41.138.x.x IPs.  I immediately changed the passwords on the 3 accounts so that the
spammers could not log in again from a different CIDR.  Once the passwords were changed
I notified the customers of the situation.
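The log review described above, as an added example that is not part of this diary: a small Python script that parses webmail login records (constructed sample lines in an assumed format) and lists the accounts that successfully logged in from the 41.138.0.0/16 range, so those accounts can be reset and their owners notified.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample webmail access-log lines (not from the diary); the line format is an assumption.
SAMPLE_LOG = """\
2010-06-09 22:14:03 webmail login ok user=alice src=41.138.17.9
2010-06-09 22:14:41 webmail login ok user=bob src=41.138.17.9
2010-06-09 22:15:10 webmail login fail user=carol src=41.138.200.4
2010-06-09 22:16:55 webmail login ok user=carol src=41.138.200.4
2010-06-10 07:02:12 webmail login ok user=dave src=192.0.2.25
2010-06-10 07:05:48 webmail login ok user=alice src=192.0.2.25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) webmail login (?P<result>ok|fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, source_ip) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # skip records with an unparsable source address
        yield m["ts"], m["result"], m["user"], ip


def accounts_used_from(text, cidr):
    """Map each user with a successful login from `cidr` to the set of source IPs seen."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = defaultdict(set)
    for _ts, result, user, ip in parse_log(text):
        # Only successful logins matter: a failed attempt does not mean the password was phished.
        if result == "ok" and ip in net:
            hits[user].add(str(ip))
    return dict(hits)


if __name__ == "__main__":
    for user, ips in sorted(accounts_used_from(SAMPLE_LOG, "41.138.0.0/16").items()):
        print(f"{user}: successful webmail login(s) from {', '.join(sorted(ips))}")
```

Accounts that appear both in the suspicious range and from the usual local range (alice above) are still listed, since the credential was used from outside regardless of the owner's own logins.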

I soon discovered that yesterday an email had been sent to the users on adomain.net
(name changed to protect the domain). Here is what the email said:

Dear adomain.net Subscriber,

 We are currently carrying-out a  maintenance process to your adomain.net account, to
 complete this, you must reply to this mail immediately, and enter your User Name
 here (,,,,,,,,) And Password here (.......)  if you are the rightful owner of
 this account.

 This process we help us to fight against spam mails. Failure to summit your password,
 will render your email address in-active from our database.

 NOTE: If your have done this before, you may ignore this mail. You will be send a
 password reset messenge in next seven (7) working days after undergoing this process
 for security reasons.

 Thank you for using adomain.net!
 THE adomain.net TEAM


In spite of multiple warnings in the past to the users on this domain, three of them responded
to the email. Those three logins were then used last night to log in to the webmail and send
the emails. Now some of you reading this are probably just shaking your head and wondering
why end users are so gullible.  Well, I am with you on that.  If you read the content of the email
you will soon realize that it contains a number of grammatical errors and it is pretty
obvious that it is a poor attempt at English. Most of us would just ignore the email and
delete it.  Not these users...  They fell for it hook, line and sinker.

I put this out for you because we have received inquiries from several other folks today about this
or a similar phish.  Remind your employees/users that these emails are bogus and bad, and not to
respond to them.  If you are on any of my mail servers....   I thank you heartily.  This morning's
little investigation and cleanup took 3 otherwise productive hours out of my day.

Deb Hale, Long Lines, LLC

Keywords: Phish Spam

Comments

Sorry to hear about your issue, but been there and done that. In my experience, even after making them aware, about 5% of users fall for this kind of scheme.
One would think this would be pretty easy to filter off the top. I've been seeing this exact format for a year or two now. Filtering anything signed "THE [place domain name here] TEAM" should pretty much take care of it. Then you do not have to worry about the 5% that just refuse to not click. I've done just this, I am sure you can too. When you do send things you do not sign the legitimate ones "THE adomain.com TEAM."

Another mitigation for this issue would be using RBLs to filter webmail access.
