We usually don't see much of the scammy spam and malware. But that one time we went looking for them, we found a campaign where our OpenBSD greylisting setup was 100% effective in stopping the miscreants' messages.
During August 23rd to August 24th 2016, a spam campaign was executed with what appears to have been a ransomware payload. I had not noticed anything particularly unusual about the bsdly.net and friends setup that morning, but then Xavier Mertens' post at isc.sans.edu Voice Message Notifications Deliver Ransomware caught my attention in the tweetstream, and I decided to have a look.
The first step was, as always, to grep the spamd logs, and sure, there were entries with from: addresses of voicemail@ in several of the domains my rigs are somehow involved in handling mail for.
But no message from voicemail@bsdly.net had yet reached any mailbox within my reach at that point. However, a colleague checked the quarantine at one of his private mail servers, and found several messsages from voicemail@ aimed at users in his domains.
Dissecting a random sample confirmed that the message came with an attachment with a .wav.zip filename that was actually a somewhat obfuscated bit of javascript, and I take others at their word that this code, if executed on your Microsoft system, would wreak havoc of some sort.
At this point, before I start presenting actual log file evidence, it is probably useful to sketch how the systems here work and interact. The three machines skapet, deliah and portal are all OpenBSD systems that run spamd in greylisting mode, and they sync their spamd data with each other via spamd's own synchronization mechanism.
All of those machines do greytrapping based on the bsdly.net list of spamtraps, and skapet has the additional duty of dumping the contents of its greytrapping generated blacklist to a downloadable text file once per hour. Any message that makes it past spamd is then fed to a real mail server that performs content filtering before handing the messages over a user's mailbox or, in the case of domains we only do the filtering for, forwards the message to the target domain's mail server.
The results of several rounds of 'grep voicemail $logfile' over the three spamd machines are collected here, or with the relatively uninteresting "queueing deletion of ..." messages removed, here.
From those sources we can see that there were a total of 386 hosts that attempted delivery, to a total of 396 host and target email pairs (annotated here in a .csv file with geographic origin according to whois).
The interesting part came when I started looking at the mail server logs to see how many had reached the content filtering or had even been passed on in the direction of users' mailboxes.
There were none.
The number of messages purportedly from voicemail@ in any of the domains we handle that made it even to the content filtering stage was 0.
Zero. Not a single one made it through even to content filtering.
That shouldn't have been a surprise.
After all I've spent significant time over the years telling people how effective greylisting is, and that the OpenBSD spamd version is the best of the breed.
You could take this episode as a recent data point that you are free to refer to in your own marketing pushes if you're doing serious business involving OpenBSD.
And if you're into those things, you will probably be delighted to learn, if you hadn't figured that out already, that a largish subset of the attempted deliveries were to addresses that were already in our published list of spamtrap addresses.
That means our miscreants automatically had themselves added to the list of trapped spammer IP addresses as intended.
If you're interested in how this works and why, I would suggest taking a peek at the OpenBSD web site, and of course I have a book out (available at that link and via better bookstores everywhere) that explains those things as well.
Relevant blog posts of mine include Keep smiling, waste spammers' time, Maintaining A Publicly Available Blacklist - Mechanisms And Principles, In The Name Of Sane Email: Setting Up OpenBSD's spamd(8) With Secondary MXes In Play - A Full Recipe and a few others, including the somewhat lengty Effective Spam and Malware Countermeasures - Network Noise Reduction Using Free Tools . To fully enjoy the experience of what these articles describe, you may want to get hold of your own CD set from the OpenBSD store.
And again, if you're doing business involving OpenBSD, please head over to the project's donations page and use one or more of the methods there to send the developers some much needed cash.
In addition to the files directly referenced in this article, some related files are available from this directory. I'll be happy to answer any reasonable queries related to this material.
Good night and good luck.
Update 2016-08-30: I've been getting questions about the currently active campaign that has document@ as its sender. The same story there: I see them in the greylist and spamd logs, no trace whatsoever in later steps. Which means they're not getting anyhwere.
Update 2016-09-13: A quick glance at a tail -f'ed spamd log file reveals that today's fake sender of choice is CreditControl@. Otherwise same story as before, no variations. And of course, there may have been dozens I haven't noticed in the meantime.
Update 2016-11-25: Apparently another round of voicemail@ messages is in progress. The first entry in my spamd logs in this round is
Nov 25 12:39:14 skapet spamd[18359]: new entry 117.211.125.18 from <voicemail@skolelinux.no> to <axelb@skolelinux.no>, helo [117.211.125.18]
and the rest so far are listed here. Time and other factors allowing, refreshed data may appear later, possibly along with further analysis.
Monday, August 29, 2016
Monday, August 8, 2016
Chinese Hunting Chinese Over POP3 In Fjord Country
Yes, you read that right: There is a coordinated effort in progress to steal Chinese-sounding users' mail, targeting machines at the opposite end of the Eurasian landmass (and probably elsewhere).
More specifically, here at bsdly.net we've been seeing attempts at logging in to the pop3 mail retrieval service using usernames that sound distinctively like Chinese names, and the attempts originate almost exclusively from Chinese networks.
This table lists the user names and corresponding real life names attempted so far:
That list of some 493 names is up to date as of this writing, 2016-08-23 early evening CEST. A few more turn up with the bursts of activity we have seen every day since June 19th, 2016.
A possibly more up to date list is available here. That's a .csv file, if that sounds unfamiliar, think of it as a platform neutral text representation (to wit, "Comma Separated Values") of a spreadsheet or database -- take a peek with
If your name or username is on either of those lists, you would be well advised to change your passwords right now and to check breach notification sites such as Troy Hunt's haveibeenpwned.com or breachalarm.com for clues to where your accounts could have been compromised.
That's your scoop for now. If you're interested in some more background and data, keep reading.
If you are a regular or returning reader of this column, you are most likely aware that I am a Unix sysadmin. In addition to operating and maintaining variuos systems in my employers' care, I run a small set of servers of my own that run a few Internet-facing services for myself and a small circle of friends and family.
For the most part those systems are roundly ignored by the world at large, but when they are not, funny, bizarre or interesting things happen. And mundane activities like these sometimes have interesting byproducts. When you run a mail service, you are bound to find a way to handle the spam people will try to send, and about ten years ago I started publishing a blacklist of known spamming hosts, generated from attempts to deliver mail to a slowly expanding list of known bad, invalid, never to be deliverable addresses in the domains we handle mail for.
After a while, I discovered that the list of spamtrap addresses (once again, invalid and destined never to be deliverable, ever) had been hilariously repurposed: The local parts (the string before the @ or 'at sign') started turning up as usernames in failed attempts to log on to our pop3 mail retrieval service. That was enough fun to watch that I wrote that article, and for reasons known only to the operators of the machines at the other end, those attempts have never stopped entirely.
These attempts to log in as our imaginary friends is a strong contender for the most bizarre and useless activity ever, but when those attempts were no longer news, there was nothing to write about. The spamtrap login attempts make up sort of a background noise in the authentication logs, and whenever there is an attempt to log in as a valid user from somewhere that user is clearly not, the result is usually that an entire network (whatever I could figure out from
There are of course also attempts to log in as
Then recently, something new happened. The first burst looked like this in my logs (times given in local timezone, CEST at the time):
-- and so on, for a total of 78 attempts to log in as the non-existing user
and so on, for a total of 76 attempts. Over the next few days I noticed an uptick in failed pop3 access attempts that were not for valid users and did not match any entry on our spamtraps list. Still, those attempts were for users that do not exist, and would produce no useful result so I did not do anything much about them.
It was only during the early weeks of July that it struck me that the user name attempted here
(a total of 54 attempts for that user name) might actually be based on the name of a Chinese person. "Li Xing" sounded plausible enough as a possible real person. It's perhaps worth noting that at the time I had just finished reading the first two volumes of Cixin Liu's The Three Body Problem, so I was a bit more in tune than usual with what could be plausible Chinese names than I had been. (And yes, the books are very much to my taste and I have the yet unpublished translation of the third volume on pre-order.)
Unsurprisingly, a quick
Once I realized I might be on to a new pattern, I went back over a few days' worth of failed pop3 login attempts and found more than a handful of usernames that looked like they could be based on Chinese names. Checking the whois data for the IP addresses in those attempts, all turned out to be from Chinese networks.
That was in itself an interesting realization, but a small, random sample does not make for proof. In order to establish an actual data set, it was back to collecting data and analysing the content.
First, collect all log data on failed pop3 attempts for a long enough period that we have a reasonable baseline and can distinguish between the background noise and new, exciting developements.
The file bigauthlog is that collection of data. Digging through my archives going back in time, I stopped at January 16, 2016 for no other reason than this would be roughly six months' worth of data, probably enough to give a reasonable baseline and to spot anomalies.
If you've read the previous columns, you will be familiar with the scripts that produce various text and CSV reports from log data input: A text report of user names by number of access attempts, a CSV dump of the same, with first and last spotted, a text report of hosts attempting access, sorted by number of attempts, a CSV dump of the same, with first and last seen dates as for the user names.
But what I wanted to see was where the login attempts were coming from for which usernames, so I started extracting the unique host to username mappings. For each entry in this CSV file, there is a host and a user name it has tried at least once (if you import that somewhere, make sure you mark the Username column as text -- LibreOffice Calc at least becomes confused when trying to parse some of those strings). The data also records whether that particular username was part of the spamtrap database at the time. If you want to do that particular check on your own greytrapping database, any matching output from
$ doas spamdb | grep -i username@
on your greytrapper box will mean it is in your list. And then finally for each entry there is the expected extract from available whois info: network address range, the network name and the country.
The most useful thing to do with that little database is to play with sorting on various fields and field combinations. If you sort on the "In spamtraps" field, the supposed Chinese names turn up with "No"s, along with a few more random-seeming combinations.
While I was building the data set I decided to add those new usernames with
Just browsing the data or perhaps sorting by IP address will show you that the pop3 gropers are spread across a large number of networks in a number of countries and territories with numbers roughly in proportion to the size of that country or territory's economy. Some, such as a particular Mexican ISP and cable TV operator stand out as being slightly over-represented, and as expected networks in the US and China stand for a large number of the total.
If you sort on the In spamtraps field, you will see that a large number of the entries that were not in the spamtraps are the ones identified as Chinese personal names, but not all. Some of the No entries are the RFC mandated mailboxes, some are aliases that are in use here for other reasons, and finally more than a handful that would fit the general description of the rest of the spamtraps: Strings superficially resembling personal names or simply random strings. These may be parts of the potential spamtraps I missed while fishing spamtrap candidates out of logfiles some time over the decade of weirdness that has gone into maintaining the spamtraps list.
But if you sort the data primarily on the fields Name, Country, and if you like IP address and User name, you will see that as anticipated the attempts on Chinese-sounding user names come exclusively from Chinese networks, except only the "Fa Dum" (
Now that we have established that the attempts at Chinese user names come exclusively from Chinese networks, the next questions become: Who are the cyber criminals behind this activity, and what are their motivations? And why are they bothering with hosts in faraway Europe to begin with?
For the first question, it is hard to tell from this perch, but whoever runs those attempts apparently have the run of large swathes of network real estate and seem to not take any special care not to be detected, other than of course distributing the attempts widely across the network ranges and coming in only in short bursts.
So are those attempts by, let us say the public sector, to steal political dissidents' email? Or perhaps, still with a public sector slant, simply hunting for any and all overseas assets belonging to Chinese nationals? Or are we simply seeing the activities of Chinese private sector cyber criminals who are trying out likely user names wherever they can find a service that listens?
Any of all of these things could be true, but in any case it's not unlikely that what we are seeing somebody trying to find new places where username and password combinations from a recent breach might work. After all, username and password combinations that have been verified to work somewhere are likely worth more on the market than the unverified ones.
Looking at the log entries, there are sequences there that could plausibly have been produced by humans typing at keyboards. Imagine if you please vast, badly lit and insufficiently ventilated Asian cyber-sweatshops, but I would not be too surprised to find that this is actually a highly automated operation, with timing tuned to avoid detection.
Security professionals have been recommending that people stop using the pop3 protocol since as long as I care to remember, but typing "pop3" into shodan.io still produces a whopping 684,291 results, meaning that the pop3 service is nowhere near as extinct as some would have preferred.
The large number of possible targets is a likely explanation for the burstiness of the activity we are seeing: with that many hosts to cover, the groping hosts will need to set up some sort of rotation, and in addition there is the need to stay below some volume of traffic per host in order to avoid detection. This means that what any one site sees is only a very small part of the total activity. The pop3 hunt for Chinese users is most likely not exclusive to the fjord country.
If you run a pop3 service, please do yourself a favor and check your setup for any weaknesses including any not yet applied updates, as you were about to do anyway. Once you've done that, take some moments to browse your logs for strange looking login attempts.
If you find something similar to what I've reported here, I would like to hear from you. Please note that at least one of the pop3 deaemons out there by default does not report the username for failed authentication attempts but notes that the username was unknown instead. Anyway, your war stories will be appreciated in email or comments.
If your name or username appears in the table at the start of this article or in this CSV file, please start checking for unusual activity involving your accounts and start changing passwords right away. Ask your service providers if they offer more secure alternatives, and if they do, consider using these alternatives. And as I mentioned earlier, do check breach notification sites such as haveibeenpwned.com or breachalarm.com for clues to help find out whether your data could be at risk in any of the services you do use. And of course, feedback in comments or email is welcome.
And finally, if you have information on one or more breaches that may have been the source of this list of likely Chinese user names, I'd like to hear from you too.
Good night and good luck.
Update 2016-10-15: The attempts at logging in with Chinese-sounding user names from hosts in Chinese networks became incrementally less frequent over time, and seem to have stopped entirely in early October 2016.
The final entry is this one, from October 6:
That is, an attempt from the IP address range assigned to the Chinanet Anhui province network, for the user name
During the months they were active, the robots or sweatshops in the Chinese networks tried a total of 957 distinct user names, from 3794 distinct hosts for a total of 3998 host-username combinations.
Although the number of failed pop3 attempts have now fallen to almost none (bar a treesome of persistent miscreants in the Quasi Networks, Seychelles IP address range), I will make an effort to publish updates to the data at not too infrequent intervals. You are of course free to use the data in your own analyses, as long as reasonable credit is given for the data collection. If you're unsure what that means, please contact me directly (the address in the whois information works).
Update 2016-12-07: Even though the campaign that prompted me to write this article has ended or moved its attention elsewhere, I do update the data occasionally. Returning readers may be happy to hear about a slight enhancement in presentation of the data: Startiing with today's edition, I've added an 'Attempts' column to the main .csv file, denoting the number of attempts for each host-username pair.
Update 2017-02-08: Another round of attempts at usernames that are likely Chinese user names started on February 8th, 2017.
The first few hours brought the following user names, with the likely corresponding real life name in the second column:
These names have been added to the full data as well as the 2017-only portion. The log file (2016 and 2017 version or 2017-only data) contains the entries starting at Feb 8 15:26:45 (times are CET local time). It will be interesting to see how long this cycle lasts. Look for updates to the data at irregular but hopefully frequent intervals.
If you are seeing similar activity, I would like to hear from you, in comments or (these most recent attempts all originate in the 49.64.0.0/11 network (range 49.64.0.0 - 49.95.255.255, also known as CHINANET-JS or the CHINANET jiangsu province network). The previous cycle involved several distinct Chinese networks, and as we all know, stretched over several months of low intensity activity.
I would like to thank Tore Nordstrand and Øystein Alsaker for valuable input on various aspects of this article.
The data referenced in this article will likely be updated on a roughly daily basis while the Chinese episode lasts. You can fetch them from the links in the article or from this directory, which also contains some trivial data extraction and data massaging scripts I use. If you find any errors or have any concerns, please let me know.
More specifically, here at bsdly.net we've been seeing attempts at logging in to the pop3 mail retrieval service using usernames that sound distinctively like Chinese names, and the attempts originate almost exclusively from Chinese networks.
This table lists the user names and corresponding real life names attempted so far:
Name | Username |
Chen Qiang | chenqiang |
Fa Dum | fadum |
Gao Dang | gaodang |
Gao Di | gaodi |
Gao Guan | gaoguan |
Gao Hei | gaohei |
Gao Hua | gaohua |
Gao Liu | gaoliu |
Gao Yang | gaoyang |
Gao Zhang | gaozhang |
He An | hean |
He Biao | hebiao |
He Bing | hebing |
He Chang | hechuang |
He Chao | hechao |
He Chen | hechen |
He Cheng | hecheng |
He Chun | hechun |
He Cong | hecong |
He Da | heda |
He Di | hedi |
He Die | hedie |
He Ding | heding |
He Dong | hedong |
He Duo | heduo |
He Fa | hefa |
He Ging | heqing |
He Guo | heguo |
He Han | hehan |
He Hao | hehao |
He Heng | heheng |
He Hui | hehui |
He Jia | hejia |
He Jian | hejian |
He Jiang | hejiang |
He Jie | hejie |
He Jin | hejin |
He Juan | hejuan |
He Kai | hekai |
He Kan | hekan |
He Kong | hekong |
He La | hela |
He Le | hele |
He Leng | heleng |
He Li | heli |
He Lian | helian |
He Lie | helie |
He Mu | hemu |
He Niang | heniang |
He Quan | hequan |
He Ran | heran |
He Sha | hesha |
He Shan | heshan |
He Shi | heshi |
He Si | hesi |
He Song | hesong |
He Xiao | hexiao |
He Yao | heyao |
He Yi | heyi |
He Yin | heyin |
He Yu | heyu |
He Yun | heyun |
He Zeng | hezeng |
He Zeng | hezhan |
He Zhang | hezhangxxxx |
He Zhe | hezhe |
He Zheng | hezheng |
He Zhi | hezhi |
He Zhong | hezhong |
He Zhuang | hezhuang |
Li An | lian |
Li Biao | libiao |
Li Bin | libin |
Li Bo | libo |
Li Cheng | licheng |
Li Chi | lichi |
Li Chong | lichong |
Li Chuang | lichuang |
Li Chun | lichun |
Li Da | lida |
Li Deng | lideng |
Li Di | lidi |
Li Die | lidie |
Li Ding | liding |
Li Dong | lidong |
Li Duo | liduo |
Li Fa | lifa |
Li Fang | lifang |
Li Fen | lifen |
Li Feng | lifeng |
Li Gang | ligang |
Li Gao | ligao |
Li Guan | liguan |
Li Guang | liguang |
Li Hai | lihai |
Li Ka | lika |
Li Kai | likai |
Li La | lila |
Li Le | lile |
Li Lei | lilei |
Li Lin | lilin |
Li Ling | liling |
Li Liu | liliu |
Li Long | lilong |
Li Man | liman |
Li Mei | limei |
Li Mu | limu |
Li Neng | lineng |
Li Niang | liniang |
Li Peng | lipeng |
Li Pian | lipian |
Li Qian | liqian |
Li Qu | liqu |
Li Rang | lirang |
Li Ren | liren |
Li Ru | liru |
Li Sha | lisha |
Li Shi | lishi |
Li Shuai | lishuai |
Li Shun | lishun |
Li Si | lisi |
Li Song | lisong |
Li Tao | litao |
Li Teng | liteng |
Li Tian | litian |
Li Ting | liting |
Li Wang | liwang |
Li Wei | liwei |
Li Wen | liwen |
Li Xiang | lixiang |
Li Xing | lixing |
Li Xiu | lixiu |
Li Ying | liying |
Li You | liyou |
Li Ze | lize |
Li Zeng | lizeng |
Li Zheng | lizheng |
Li Zhong | lizhong |
Li Zhu | lizhu |
Li Zhuang | lizhuang |
Li Zhuo | lizhuo |
Liang Min | liangmin |
Liang Ming | liangming |
Liang Qiang | liangqiang |
Liang Rui | liangrui |
Lin Chen | linchen |
Lin Cheng | lincheng |
Lin He | linhe |
Lin Hua | linhua |
Lin Huang | linhuang |
Lin Neng | linneng |
Lin Pian | linpian |
Lin Qu | linqu |
Lin Ru | linru |
Lin Zhang | linzhang |
Liu Bin | liubin |
Liu Duo | liuduo |
Liu Fang | liufang |
Liu Han | liuhan |
Liu Hao | liuhao |
Liu Heng | liuheng |
Liu Hong | liuhong |
Liu Hui | liuhui |
Liu Jia | liujia |
Liu Jiang | liujiang |
Liu Jiao | liujiao |
Liu Ju | liuju |
Liu Juan | liujuan |
Liu Kai | liukai |
Liu Kan | liukan |
Liu Kang | liukang |
Liu Ke | liuke |
Liu Kong | liukong |
Liu Lang | liulang |
Liu Long | liulong |
Liu Mu | liumu |
Liu Nuo | liunuo |
Liu Qin | liuqin |
Liu Qing | liuqing |
Liu Qiong | liuqiong |
Liu Rong | liurong |
Liu Sen | liusen |
Liu Sha | liusha |
Liu Shun | liushun |
Liu Si | liusi |
Liu Tian | liutian |
Liu Wang | liuwang |
Liu Wei | liuwei |
Liu Xia | liuxia |
Liu Xiu | liuxiu |
Liu Yao | liuyao |
Liu Yi | liuyi |
Liu Ying | liuying |
Liu Yu | liuyu |
Liu Yuan | liuyuan |
Liu Yun | liuyun |
Liu Zhen | liuzhen |
Liu Zheng | liuzheng |
Liu Zhi | liuzhi |
Liu Zun | liuzun |
Lou Liu | luoliu |
Lu Huang | lihuang |
Luo Chang | luochuang |
Luo Chen | luochen |
Luo Cheng | luocheng |
Luo Deng | luochi |
Luo Deng | luodeng |
Luo Di | luodi |
Luo Dian | luodian |
Luo Gao | luogao |
Luo Guai | luoguai |
Luo Hang | luohuang |
Luo Hua | luohua |
Luo Lie | luolie |
Luo Neng | luoneng |
Luo Pian | luopian |
Luo Qi | luoqi |
Luo Qin | luoqin |
Luo Qing | luoqing |
Luo Qu | luoqu |
Luo Rong | luorong |
Luo Ru | luoru |
Luo Rui | luorui |
Luo Shuang | luoshuang |
Luo Ting | luoting |
Luo Tong | luotong |
Luo Wang | luowang |
Luo Wei | luowei |
Luo Yang | luoyang |
Luo Ze | luoze |
Song Chen | songchen |
Song Cheng | songcheng |
Song Chuang | songchuang |
Song Da | songda |
Song Deng | songdeng |
Song Dian | songdian |
Song Die | songdie |
Song Fei | songfei |
Song Fen | songfen |
Song Gang | songgang |
Song Gao | songgao |
Song Guai | songguai |
Song Guan | songguan |
Song Guo | songguo |
Song Hai | songhai |
Song Han | songhan |
Song Hang | songhang |
Song He | songhe |
Song Hei | songhei |
Song Heng | songheng |
Song Hu | songhu |
Song Hua | songhua |
Song Jia | songjia |
Song Jiao | songjiao |
Song Jie | songjie |
Song Jin | songjin |
Song Jing | songjing |
Song Ka | songka |
Song Kan | songkan |
Song Kang | songkang |
Song Kong | songkong |
Song Lan | songlan |
Song Le | songle |
Song Lei | songlei |
Song Lian | songlian |
Song Liang | songliang |
Song Liang | songliao |
Song Liang | songliang |
Song Liao | songliao |
Song Lin | songlin |
Song Liu | songliu |
Song Meng | songmeng |
Song Ming | songming |
Song Mu | songmu |
Song Nan | songnan |
Song Neng | songneng |
Song Ning | songning |
Song Pian | songpian |
Song Pin | songpin |
Song Qi | songqi |
Song Qiang | songqiang |
Song Qing | songqing |
Song Qiu | songqiu |
Song Ran | songran |
Song Rong | songrong |
Song Rui | songrui |
Song Sha | songsha |
Song Shuai | songshuai |
Song Shuang | songshuang |
Song Song | songsong |
Song Song Jun | songsongjun |
Song Tao | songtao |
Song Teng | songteng |
Song Wang | songwang |
Song Wei | songwei |
Song Xi | songxi |
Song Xia | songxia |
Song Xiu | songxiu |
Song Ya | songya |
Song Yang | songyang |
Song Yong | songyong |
Song You | songyou |
Song Yuan | songyuan |
Song Yue | songyue |
Song Yun | songyun |
Song Zhe | songzhe |
Song Zhen | songzhen |
Song Zheng | songzheng |
Song Zhuang | songzhuang |
Tan Qian | tangqian |
Tang Bing | tangbing |
Tang Chi | tangchi |
Tang Chong | tangchong |
Tang Chuang | tangchuang |
Tang Cong | tangcong |
Tang Di | tangdi |
Tang Dian | tangdian |
Tang Duo | tangduo |
Tang Fa | tangfa |
Tang Fan | tangfan |
Tang Fang | tangfang |
Tang Fei | tangfei |
Tang Fen | tangfen |
Tang Feng | tangfeng |
Tang Gang | tanggang |
Tang Guai | tangguai |
Tang Guan | tangguan |
Tang Guang | tangguang |
Tang Guo | tangguo |
Tang Han | tanghan |
Tang Hao | tanghao |
Tang Hei | tanghei |
Tang Heng | tangheng |
Tang Hong | tanghong |
Tang Hu | tanghu |
Tang Hui | tanghui |
Tang Jie | tangjie |
Tang Jin | tangjin |
Tang Jing | tangjing |
Tang Ju | tangju |
Tang Ka | tangka |
Tang Kai | tangkai |
Tang Kan | tangkan |
Tang Kang | tangkang |
Tang Ke | tangke |
Tang Kong | tangkong |
Tang La | tangla |
Tang Lang | tanglang |
Tang Le | tangle |
Tang Leng | tangleng |
Tang Li | tangli |
Tang Lian | tanglian |
Tang Lie | tanglie |
Tang Lin | tanglin |
Tang Ling | tangling |
Tang Liu | tangliu |
Tang Long | tanglong |
Tang Mei | tangmei |
Tang Mo | tangmo |
Tang Mu | tangmu |
Tang Neng | tangneng |
Tang Niang | tangniang |
Tang Nuo | tangnuo |
Tang Peng | tangpeng |
Tang Pian | tangpian |
Tang Ping | tangping |
Tang Qian | tangqian |
Tang Qin | tangqin |
Tang Qu | tangqu |
Tang Quan | tangquan |
Tang Quing | tangqing |
Tang Rang | tangrang |
Tang Ren | tangren |
Tang Ru | tangru |
Tang Ruan | tangruan |
Tang Rui | tangrui |
Tang Sen | tangsen |
Tang Sha | tangsha |
Tang Shan | tangshan |
Tang Shi | tangshi |
Tang Shun | tangshun |
Tang Song | tangsong |
Tang Tang Jun | tangtangjun |
Tang Tao | tangtao |
Tang Tian | tangtian |
Tang Tian | tangyan |
Tang Wei | tangwei |
Tang Xi | tangxi |
Tang Xia | tangxia |
Tang Xing | tangxing |
Tang Xiong | tangxiong |
Tang Yan | tangyan |
Tang Yang | tangyang |
Tang Yao | tangyao |
Tang Yi | tangyi |
Tang Ying | tangying |
Tang Yong | tangyong |
Tang You | tangyou |
Tang Yue | tangyue |
Tang Yun | tangyun |
Tang Ze | tangze |
Tang Zeng | tangzeng |
Tang Zhang | tangzhang |
Tang Zhe | tangzhe |
Tang Zhen | tangzhen |
Tang Zun | tangzun |
Xie An | xiean |
Xie Bin | xiebin |
Xie Bo | xiebo |
Xie Chao | xiechao |
Xie Cong | xiecong |
Xie Da | xieda |
Xie Di | xiedi |
Xie Dian | xiedian |
Xie Die | xiedie |
Xie Ding | xieding |
Xie Dong | xiedong |
Xie Duo | xieduo |
Xie Fang | xiefang |
Xie Fei | xiefei |
Xie Feng | xiefeng |
Xie Gang | xiegang |
Xie Gao | xiegao |
Xie Guai | xieguai |
Xie Guan | xieguan |
Xie Hai | xiehai |
Xie Hang | xiehang |
Xie Heng | xieheng |
Xie Heng | xieneng |
Xie Heng | xieheng |
Xie Heng | xieneng |
Xie Hong | xiehong |
Xie Hu | xiehu |
Xie Hui | xiehui |
Xie Jia | xiejia |
Xie Jian | xiejian |
Xie Jiang | xiejiang |
Xie Jiao | xiejiao |
Xie Jie | xiejie |
Xie Jing | xiejing |
Xie Ju | xieju |
Xie Kai | xiekai |
Xie La | xiela |
Xie Leng | xieleng |
Xie Liang | xieliang |
Xie Lie | xielie |
Xie Lin | xielin |
Xie Ling | xieling |
Xie Long | xielong |
Xie Man | xieman |
Xie Meng | xiemeng |
Xie Min | xiemin |
Xie Ming | xieming |
Xie Na | xiena |
Xie Niang | xieniang |
Xie Peng | xiepeng |
Xie Pian | xiepian |
Xie Pin | xiepin |
Xie Qi | xieqi |
Xie Qing | xieqing |
Xie Qiong | xieqiong |
Xie Qiu | xieqiu |
Xie Qu | xiequ |
Xie Quan | xiequan |
Xie Ran | xieran |
Xie Ruan | xieruan |
Xie Rui | xierui |
Xie Sha | xiesha |
Xie Shuang | xieshuang |
Xie Si | xiesi |
Xie Tao | xietao |
Xie Ting | xieting |
Xie Tong | xietong |
Xie Wei | xiewei |
Xie Wen | xiewen |
Xie Xi | xiexi |
Xie Xiang | xiexiang |
Xie Xin | xiexin |
Xie Xing | xiexing |
Xie Xiu | xiexiu |
Xie Ya | xieya |
Xie Yi | xieyi |
Xie Yin | xieyin |
Xie Ying | xieying |
Xie Yong | xieyong |
Xie Yu | xieyu |
Xie Yue | xieyue |
Xie Zeng | xiezeng |
Xie Zhan | xiezhan |
Xie Zhang | xiezhang |
Xie Zhe | xiezhe |
Xie Zhuo | xiezhuo |
Zheng Nan | zhengnan |
That list of some 493 names is up to date as of this writing, 2016-08-23 early evening CEST. A few more turn up with the bursts of activity we have seen every day since June 19th, 2016.
A possibly more up to date list is available here. That's a .csv file, if that sounds unfamiliar, think of it as a platform neutral text representation (to wit, "Comma Separated Values") of a spreadsheet or database -- take a peek with
Notepad.exe
or similar if you're not sure. I'll be updating that second list along with other related data at quasi-random intervals as time allows and as long as interesting entries keep turning up in my logs. If your name or username is on either of those lists, you would be well advised to change your passwords right now and to check breach notification sites such as Troy Hunt's haveibeenpwned.com or breachalarm.com for clues to where your accounts could have been compromised.
That's your scoop for now. If you're interested in some more background and data, keep reading.
If you are a regular or returning reader of this column, you are most likely aware that I am a Unix sysadmin. In addition to operating and maintaining variuos systems in my employers' care, I run a small set of servers of my own that run a few Internet-facing services for myself and a small circle of friends and family.
For the most part those systems are roundly ignored by the world at large, but when they are not, funny, bizarre or interesting things happen. And mundane activities like these sometimes have interesting byproducts. When you run a mail service, you are bound to find a way to handle the spam people will try to send, and about ten years ago I started publishing a blacklist of known spamming hosts, generated from attempts to deliver mail to a slowly expanding list of known bad, invalid, never to be deliverable addresses in the domains we handle mail for.
After a while, I discovered that the list of spamtrap addresses (once again, invalid and destined never to be deliverable, ever) had been hilariously repurposed: The local parts (the string before the @ or 'at sign') started turning up as usernames in failed attempts to log on to our pop3 mail retrieval service. That was enough fun to watch that I wrote that article, and for reasons known only to the operators of the machines at the other end, those attempts have never stopped entirely.
These attempts to log in as our imaginary friends is a strong contender for the most bizarre and useless activity ever, but when those attempts were no longer news, there was nothing to write about. The spamtrap login attempts make up sort of a background noise in the authentication logs, and whenever there is an attempt to log in as a valid user from somewhere that user is clearly not, the result is usually that an entire network (whatever I could figure out from
whois
output) would be blocked from any communication with our site for 24 hours. There are of course also attempts to log in as
postmaster
, webmaster
and other IDs, some RFC mandated, that most sites including this one would handle as aliases to make up the rest of the background noise.
Then recently, something new happened. The first burst looked like this in my logs (times given in local timezone, CEST at the time):
Jun 19 06:14:58 skapet spop3d[37601]: authentication failed: no such user: lilei - 59.54.197.34
Jun 19 06:15:01 skapet spop3d[46539]: authentication failed: no such user: lilei - 59.54.197.34
Jun 19 06:15:03 skapet spop3d[8180]: authentication failed: no such user: lilei - 59.54.197.34
-- and so on, for a total of 78 attempts to log in as the non-existing user
lilei
, in the space of about five minutes. A little later, a similar burst of activity came for the user name lika
:Jun 19 14:11:30 skapet spop3d[68573]: authentication failed: no such user: lika - 182.87.253.48
Jun 19 14:12:22 skapet spop3d[22421]: authentication failed: no such user: lika - 182.87.253.28
Jun 19 14:12:26 skapet spop3d[7587]: authentication failed: no such user: lika - 182.87.253.28
Jun 19 14:12:30 skapet spop3d[16753]: authentication failed: no such user: lika - 182.87.253.28
and so on, for a total of 76 attempts. Over the next few days I noticed an uptick in failed pop3 access attempts that were not for valid users and did not match any entry on our spamtraps list. Still, those attempts were for users that do not exist, and would produce no useful result so I did not do anything much about them.
It was only during the early weeks of July that it struck me that the user name attempted here
Jul 8 12:19:08 skapet spop3d[54818]: authentication failed: no such user: lixing - 49.87.78.12
Jul 8 12:19:28 skapet spop3d[1987]: authentication failed: no such user: lixing - 49.87.78.12
Jul 8 12:19:37 skapet spop3d[70622]: authentication failed: no such user: lixing - 49.87.78.12
Jul 8 12:19:49 skapet spop3d[31208]: authentication failed: no such user: lixing - 49.87.78.12
(a total of 54 attempts for that user name) might actually be based on the name of a Chinese person. "Li Xing" sounded plausible enough as a possible real person. It's perhaps worth noting that at the time I had just finished reading the first two volumes of Cixin Liu's The Three Body Problem, so I was a bit more in tune than usual with what could be plausible Chinese names than I had been. (And yes, the books are very much to my taste and I have the yet unpublished translation of the third volume on pre-order.)
Unsurprisingly, a quick
whois
lookup revealed that the machines that tried reading the hypothetical person Li Xing's mail all had IP addresses that belonged to Chinese networks.Once I realized I might be on to a new pattern, I went back over a few days' worth of failed pop3 login attempts and found more than a handful of usernames that looked like they could be based on Chinese names. Checking the whois data for the IP addresses in those attempts, all turned out to be from Chinese networks.
That was in itself an interesting realization, but a small, random sample does not make for proof. In order to establish an actual data set, it was back to collecting data and analysing the content.
First, collect all log data on failed pop3 attempts for a long enough period that we have a reasonable baseline and can distinguish between the background noise and new, exciting developements.
The file bigauthlog is that collection of data. Digging through my archives going back in time, I stopped at January 16, 2016 for no other reason than this would be roughly six months' worth of data, probably enough to give a reasonable baseline and to spot anomalies.
If you've read the previous columns, you will be familiar with the scripts that produce various text and CSV reports from log data input: A text report of user names by number of access attempts, a CSV dump of the same, with first and last spotted, a text report of hosts attempting access, sorted by number of attempts, a CSV dump of the same, with first and last seen dates as for the user names.
But what I wanted to see was where the login attempts were coming from for which usernames, so I started extracting the unique host to username mappings. For each entry in this CSV file, there is a host and a user name it has tried at least once (if you import that somewhere, make sure you mark the Username column as text -- LibreOffice Calc at least becomes confused when trying to parse some of those strings). The data also records whether that particular username was part of the spamtrap database at the time. If you want to do that particular check on your own greytrapping database, any matching output from
$ doas spamdb | grep -i username@
on your greytrapper box will mean it is in your list. And then finally for each entry there is the expected extract from available whois info: network address range, the network name and the country.
The most useful thing to do with that little database is to play with sorting on various fields and field combinations. If you sort on the "In spamtraps" field, the supposed Chinese names turn up with "No"s, along with a few more random-seeming combinations.
While I was building the data set I decided to add those new usernames with
@bsdly.net
appended to the spamtraps, and this is what finally pushed the number of spamtraps past the 30,000 mark.Just browsing the data or perhaps sorting by IP address will show you that the pop3 gropers are spread across a large number of networks in a number of countries and territories with numbers roughly in proportion to the size of that country or territory's economy. Some, such as a particular Mexican ISP and cable TV operator stand out as being slightly over-represented, and as expected networks in the US and China stand for a large number of the total.
If you sort on the In spamtraps field, you will see that a large number of the entries that were not in the spamtraps are the ones identified as Chinese personal names, but not all. Some of the No entries are the RFC mandated mailboxes, some are aliases that are in use here for other reasons, and finally more than a handful that would fit the general description of the rest of the spamtraps: Strings superficially resembling personal names or simply random strings. These may be parts of the potential spamtraps I missed while fishing spamtrap candidates out of logfiles some time over the decade of weirdness that has gone into maintaining the spamtraps list.
But if you sort the data primarily on the fields Name, Country, and if you like IP address and User name, you will see that as anticipated the attempts on Chinese-sounding user names come exclusively from Chinese networks, except only the "Fa Dum" (
fadum
) user, which appears to have been attempted only twice (on June 6th) from an IP address registered in the USA and may very well be a misclassification on my part. That particular sorting, with duplicates removed, is the origin of the list of names and usernames given earlier in this article and this CSV file.
Now that we have established that the attempts at Chinese user names come exclusively from Chinese networks, the next questions become: Who are the cyber criminals behind this activity, and what are their motivations? And why are they bothering with hosts in faraway Europe to begin with?
For the first question, it is hard to tell from this perch, but whoever runs those attempts apparently have the run of large swathes of network real estate and seem to not take any special care not to be detected, other than of course distributing the attempts widely across the network ranges and coming in only in short bursts.
So are those attempts by, let us say the public sector, to steal political dissidents' email? Or perhaps, still with a public sector slant, simply hunting for any and all overseas assets belonging to Chinese nationals? Or are we simply seeing the activities of Chinese private sector cyber criminals who are trying out likely user names wherever they can find a service that listens?
Any of all of these things could be true, but in any case it's not unlikely that what we are seeing somebody trying to find new places where username and password combinations from a recent breach might work. After all, username and password combinations that have been verified to work somewhere are likely worth more on the market than the unverified ones.
Looking at the log entries, there are sequences there that could plausibly have been produced by humans typing at keyboards. Imagine if you please vast, badly lit and insufficiently ventilated Asian cyber-sweatshops, but I would not be too surprised to find that this is actually a highly automated operation, with timing tuned to avoid detection.
Security professionals have been recommending that people stop using the pop3 protocol since as long as I care to remember, but typing "pop3" into shodan.io still produces a whopping 684,291 results, meaning that the pop3 service is nowhere near as extinct as some would have preferred.
The large number of possible targets is a likely explanation for the burstiness of the activity we are seeing: with that many hosts to cover, the groping hosts will need to set up some sort of rotation, and in addition there is the need to stay below some volume of traffic per host in order to avoid detection. This means that what any one site sees is only a very small part of the total activity. The pop3 hunt for Chinese users is most likely not exclusive to the fjord country.
If you run a pop3 service, please do yourself a favor and check your setup for any weaknesses including any not yet applied updates, as you were about to do anyway. Once you've done that, take some moments to browse your logs for strange looking login attempts.
If you find something similar to what I've reported here, I would like to hear from you. Please note that at least one of the pop3 deaemons out there by default does not report the username for failed authentication attempts but notes that the username was unknown instead. Anyway, your war stories will be appreciated in email or comments.
If your name or username appears in the table at the start of this article or in this CSV file, please start checking for unusual activity involving your accounts and start changing passwords right away. Ask your service providers if they offer more secure alternatives, and if they do, consider using these alternatives. And as I mentioned earlier, do check breach notification sites such as haveibeenpwned.com or breachalarm.com for clues to help find out whether your data could be at risk in any of the services you do use. And of course, feedback in comments or email is welcome.
And finally, if you have information on one or more breaches that may have been the source of this list of likely Chinese user names, I'd like to hear from you too.
Good night and good luck.
Update 2016-10-15: The attempts at logging in with Chinese-sounding user names from hosts in Chinese networks became incrementally less frequent over time, and seem to have stopped entirely in early October 2016.
The final entry is this one, from October 6:
Oct 6 18:11:23 skapet spop3d[97769]: authentication failed: no such user: maxiang - 114.99.9.152
That is, an attempt from the IP address range assigned to the Chinanet Anhui province network, for the user name
maxiang
which may very well map to
Ma Xiang (or Xiang Ma) as a person's name. During the months they were active, the robots or sweatshops in the Chinese networks tried a total of 957 distinct user names, from 3794 distinct hosts for a total of 3998 host-username combinations.
Although the number of failed pop3 attempts have now fallen to almost none (bar a treesome of persistent miscreants in the Quasi Networks, Seychelles IP address range), I will make an effort to publish updates to the data at not too infrequent intervals. You are of course free to use the data in your own analyses, as long as reasonable credit is given for the data collection. If you're unsure what that means, please contact me directly (the address in the whois information works).
Update 2016-12-07: Even though the campaign that prompted me to write this article has ended or moved its attention elsewhere, I do update the data occasionally. Returning readers may be happy to hear about a slight enhancement in presentation of the data: Startiing with today's edition, I've added an 'Attempts' column to the main .csv file, denoting the number of attempts for each host-username pair.
Update 2017-02-08: Another round of attempts at usernames that are likely Chinese user names started on February 8th, 2017.
The first few hours brought the following user names, with the likely corresponding real life name in the second column:
Name | Username |
Luo Chun | luochun |
Luo Fa | luofa |
Luo Feng | luofeng |
Luo Hai | luohai |
These names have been added to the full data as well as the 2017-only portion. The log file (2016 and 2017 version or 2017-only data) contains the entries starting at Feb 8 15:26:45 (times are CET local time). It will be interesting to see how long this cycle lasts. Look for updates to the data at irregular but hopefully frequent intervals.
If you are seeing similar activity, I would like to hear from you, in comments or (these most recent attempts all originate in the 49.64.0.0/11 network (range 49.64.0.0 - 49.95.255.255, also known as CHINANET-JS or the CHINANET jiangsu province network). The previous cycle involved several distinct Chinese networks, and as we all know, stretched over several months of low intensity activity.
I would like to thank Tore Nordstrand and Øystein Alsaker for valuable input on various aspects of this article.
The data referenced in this article will likely be updated on a roughly daily basis while the Chinese episode lasts. You can fetch them from the links in the article or from this directory, which also contains some trivial data extraction and data massaging scripts I use. If you find any errors or have any concerns, please let me know.
Subscribe to:
Posts (Atom)