Field notes and occasional musings by Peter on Stuff that happens, from a free software perspective, mainly OpenBSD, FreeBSD.
Monday, August 29, 2016
The Voicemail Scammers Never Got Past Our OpenBSD Greylisting
During August 23rd to August 24th 2016, a spam campaign was executed with what appears to have been a ransomware payload. I had not noticed anything particularly unusual about the bsdly.net and friends setup that morning, but then Xavier Mertens' post at isc.sans.edu Voice Message Notifications Deliver Ransomware caught my attention in the tweetstream, and I decided to have a look.
The first step was, as always, to grep the spamd logs, and sure, there were entries with from: addresses of voicemail@ in several of the domains my rigs are somehow involved in handling mail for.
But no message from voicemail@bsdly.net had yet reached any mailbox within my reach at that point. However, a colleague checked the quarantine at one of his private mail servers, and found several messsages from voicemail@ aimed at users in his domains.
Dissecting a random sample confirmed that the message came with an attachment with a .wav.zip filename that was actually a somewhat obfuscated bit of javascript, and I take others at their word that this code, if executed on your Microsoft system, would wreak havoc of some sort.
At this point, before I start presenting actual log file evidence, it is probably useful to sketch how the systems here work and interact. The three machines skapet, deliah and portal are all OpenBSD systems that run spamd in greylisting mode, and they sync their spamd data with each other via spamd's own synchronization mechanism.
All of those machines do greytrapping based on the bsdly.net list of spamtraps, and skapet has the additional duty of dumping the contents of its greytrapping generated blacklist to a downloadable text file once per hour. Any message that makes it past spamd is then fed to a real mail server that performs content filtering before handing the messages over a user's mailbox or, in the case of domains we only do the filtering for, forwards the message to the target domain's mail server.
The results of several rounds of 'grep voicemail $logfile' over the three spamd machines are collected here, or with the relatively uninteresting "queueing deletion of ..." messages removed, here.
From those sources we can see that there were a total of 386 hosts that attempted delivery, to a total of 396 host and target email pairs (annotated here in a .csv file with geographic origin according to whois).
The interesting part came when I started looking at the mail server logs to see how many had reached the content filtering or had even been passed on in the direction of users' mailboxes.
There were none.
The number of messages purportedly from voicemail@ in any of the domains we handle that made it even to the content filtering stage was 0.
Zero. Not a single one made it through even to content filtering.
That shouldn't have been a surprise.
After all I've spent significant time over the years telling people how effective greylisting is, and that the OpenBSD spamd version is the best of the breed.
You could take this episode as a recent data point that you are free to refer to in your own marketing pushes if you're doing serious business involving OpenBSD.
And if you're into those things, you will probably be delighted to learn, if you hadn't figured that out already, that a largish subset of the attempted deliveries were to addresses that were already in our published list of spamtrap addresses.
That means our miscreants automatically had themselves added to the list of trapped spammer IP addresses as intended.
If you're interested in how this works and why, I would suggest taking a peek at the OpenBSD web site, and of course I have a book out (available at that link and via better bookstores everywhere) that explains those things as well.
Relevant blog posts of mine include Keep smiling, waste spammers' time, Maintaining A Publicly Available Blacklist - Mechanisms And Principles, In The Name Of Sane Email: Setting Up OpenBSD's spamd(8) With Secondary MXes In Play - A Full Recipe and a few others, including the somewhat lengty Effective Spam and Malware Countermeasures - Network Noise Reduction Using Free Tools . To fully enjoy the experience of what these articles describe, you may want to get hold of your own CD set from the OpenBSD store.
And again, if you're doing business involving OpenBSD, please head over to the project's donations page and use one or more of the methods there to send the developers some much needed cash.
In addition to the files directly referenced in this article, some related files are available from this directory. I'll be happy to answer any reasonable queries related to this material.
Good night and good luck.
Update 2016-08-30: I've been getting questions about the currently active campaign that has document@ as its sender. The same story there: I see them in the greylist and spamd logs, no trace whatsoever in later steps. Which means they're not getting anyhwere.
Update 2016-09-13: A quick glance at a tail -f'ed spamd log file reveals that today's fake sender of choice is CreditControl@. Otherwise same story as before, no variations. And of course, there may have been dozens I haven't noticed in the meantime.
Update 2016-11-25: Apparently another round of voicemail@ messages is in progress. The first entry in my spamd logs in this round is
Nov 25 12:39:14 skapet spamd[18359]: new entry 117.211.125.18 from <voicemail@skolelinux.no> to <axelb@skolelinux.no>, helo [117.211.125.18]
and the rest so far are listed here. Time and other factors allowing, refreshed data may appear later, possibly along with further analysis.
1 comment:
Note: Comments are moderated. On-topic messages will be liberated from the holding queue at semi-random (hopefully short) intervals.
I invite comment on all aspects of the material I publish and I read all submitted comments. I occasionally respond in comments, but please do not assume that your comment will compel me to produce a public or immediate response.
Please note that comments consisting of only a single word or only a URL with no indication why that link is useful in the context will be immediately recycled so those poor electrons get another shot at a meaningful existence.
If your suggestions are useful enough to make me write on a specific topic, I will do my best to give credit where credit is due.
Hi Peter,
ReplyDeleteSpamd is wonderfully effective. It's proved effective enough that I actually got rid of my SpamAssassin, because it wasn't really doing very much work and it was taking up resources that I decided could be otherwise better used. Very few spams ever get through, and the greytrapping is the most potent of the anti-spam weapons in my arsenal. With just spamd--nothing more--I have achieved an over 99% spam reduction rate.
Think about that...a Free Software solution that is also low-cost (the price of an old Pentium III, essentially) and nails over 99% of spam, all by itself. My logs were very revealing about this.
It's so effective and economical that I give workshops on OpenBSD and spamd to schools that don't have huge budgets. Once they learn of the value proposition provided by OpenBSD/spamd, their eyes start twinkling and they get kinda excited by it. Some have even implemented it, using my ruleset, which I publish for anyone to read and use if it fits their needs.
Your articles and your books have helped me in learning how to develop good PF rulesets. Your style of writing and your ruleset philosophy is pretty easy to follow, and for the most part, we seem to think the same way in that regard.
One difference: I use the "quick" keyword throughout my ruleset, because I came originally from a Cisco ACL and Linux ipfwadm/ipchains/iptables environment. I'd imagine that doing PF rules in this way also saves a bit of CPU since you don't have to go through the entire ruleset for every new packet stream. It's probably not a lot, but I just like efficiency for its own sake.
Thanks for your efforts, both there and here on your blog.
--TP