Posted to users@spamassassin.apache.org by Ned Slider <ne...@unixmail.co.uk> on 2011/11/25 21:27:53 UTC

Hacked webmail accounts (BTInternet/Yahoo)

Hi,

I'm looking at trying to write some rules to detect these. Specifically, 
I'd like to target btinternet.com accounts (one of the largest UK 
telecom companies) who have recently outsourced their email to Yahoo.

An example (spam) crossed my path today that only hit bayes_99. Looking 
at the mail it is hard to see anything much to go on (sorry, I don't 
really want to post the example as it contains quite a few email 
addresses in the To: field). The body contains a URL which wasn't 
detected at the time but which I've since submitted to URIBL and is now 
detected.

My only thought is to try to score the mail based on the IP address 
submitting it to the Yahoo webmail service. For example, the first 
received header in my spam example is:

Received: from [88.178.198.52] by web87104.mail.ird.yahoo.com via HTTP; Fri, 25 Nov 2011 16:37:29 GMT


whereas some legitimate mails look like this:

Received: from [86.155.137.177] by web86507.mail.ird.yahoo.com via HTTP; Fri, 25 Nov 2011 18:13:12 GMT

Received: from [86.128.88.173] by web87309.mail.ird.yahoo.com via HTTP; Sun, 06 Nov 2011 10:31:58 GMT

So my spam example is clearly originating from France:

$ host 88.178.198.52
52.198.178.88.in-addr.arpa domain name pointer bop62-1-88-178-198-52.fbx.proxad.net.


whereas my legitimate examples (mostly) originate on BT's own ranges:

$ host 86.128.88.173
173.88.128.86.in-addr.arpa domain name pointer host86-128-88-173.range86-128.btcentralplus.com.

I *know* it's not fool-proof (people use webmail when travelling), but 
I'm thinking it's possibly worth a point or two (or maybe useful in a 
further meta rule) to score webmail submissions From: btinternet.com 
which don't originate from a BT IP range.

So any suggestions on the best way to construct the rule? I could try to 
catch each BT IP address range like so:

header		__LOCAL_FROM_BT_COM	From:addr =~ /\@btinternet\.com$/i
header		__LOCAL_MAILER_YAHOO	X-Mailer =~ /YahooMailWebService/
header		__L_BT_YAHOO_WEBMAIL01	Received =~ /from \[86\.1[2-9][0-9]\.\d{1,3}\.\d{1,3}] by web\d{4,6}\.mail\.\w{3}\.yahoo\.com via HTTP/i
meta		LOCAL_BT_YAHOO_WEBMAIL	(__LOCAL_FROM_BT_COM && __LOCAL_MAILER_YAHOO && !__L_BT_YAHOO_WEBMAIL01)
describe	LOCAL_BT_YAHOO_WEBMAIL	Submitted to BT/Yahoo Webmail from foreign IP
score		LOCAL_BT_YAHOO_WEBMAIL	0.001

but it would be far easier if I could somehow do a rDNS lookup on the 
IP, see if it matches btcentralplus.com and score those that don't.


Any thoughts or ideas?
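A prototype of the check those rules express, added here as example code (not from the thread, and not SpamAssassin's own): it pulls the submitting IP out of the Yahoo "via HTTP" hop, tests it against the three CIDR blocks that are equivalent to the 86.1[2-9][0-9] pattern, and optionally against reverse DNS through a caller-supplied lookup so the rDNS idea can be tried without a plugin. The range list, the placeholder addresses and the sample messages are assumptions built on the headers quoted above.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# The Yahoo webmail hop the thread keys on: "from [a.b.c.d] by webNNNN.mail.XXX.yahoo.com via HTTP".
YAHOO_WEBMAIL_RE = re.compile(
    r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by web\d{4,6}\.mail\.\w{3}\.yahoo\.com via HTTP", re.I)

# CIDR equivalent of the thread's 86.1[2-9][0-9].x.x pattern (86.120.0.0 - 86.199.255.255).
# Whether that is BT's whole allocation is an assumption; extend the list from your own data.
BT_RANGES = [ipaddress.ip_network(n) for n in ("86.120.0.0/13", "86.128.0.0/10", "86.192.0.0/13")]

def webmail_submitter(msg):
    """Return the client IP from the Yahoo 'via HTTP' Received hop, or None if there is none."""
    if isinstance(msg, str):
        msg = message_from_string(msg)
    for received in msg.get_all("Received", []):
        m = YAHOO_WEBMAIL_RE.search(" ".join(received.split()))  # unfold a wrapped header first
        if m:
            return m.group(1)
    return None

def in_ranges(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)

def rdns_matches(ip, lookup, suffix=".btcentralplus.com"):
    # Reverse-DNS variant the poster asked about; lookup(ip) returns a PTR name or None.
    name = lookup(ip)
    return bool(name) and name.lower().rstrip(".").endswith(suffix)

def local_bt_yahoo_webmail(raw, nets=BT_RANGES, lookup=None):
    """Mirror of the thread's meta rule. Unlike the SA meta it stays quiet when no Yahoo
    'via HTTP' hop is present at all, so a missing hop cannot trip it by accident."""
    msg = message_from_string(raw)
    if not parseaddr(msg.get("From", ""))[1].lower().endswith("@btinternet.com"):
        return False
    if "YahooMailWebService" not in msg.get("X-Mailer", ""):
        return False
    ip = webmail_submitter(msg)
    if ip is None or in_ranges(ip, nets):
        return False
    return not (lookup is not None and rdns_matches(ip, lookup))

# Constructed samples built on the Received lines quoted in the thread; the addresses are placeholders.
SPAM_SAMPLE = """Received: from [88.178.198.52] by web87104.mail.ird.yahoo.com via HTTP; Fri, 25 Nov 2011 16:37:29 GMT
From: Example User <example.user@btinternet.com>
X-Mailer: YahooMailWebService"""
HAM_SAMPLE = SPAM_SAMPLE.replace("[88.178.198.52] by web87104", "[86.128.88.173] by web87309")
```

Pass `lookup=lambda ip: socket.gethostbyaddr(ip)[0]` (wrapped in a try/except for failed lookups) to run the rDNS variant against live DNS.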


Re: Hacked webmail accounts (BTInternet/Yahoo)

Posted by Ned Slider <ne...@unixmail.co.uk>.
On 26/11/11 01:21, Karsten Bräckelmann wrote:
> On Fri, 2011-11-25 at 20:27 +0000, Ned Slider wrote:
>> header		__L_BT_YAHOO_WEBMAIL01	Received =~ /from \[86\.1[2-9][0-9]\.\d{1,3}\.\d{1,3}] by web\d{4,6}\.mail\.\w{3}\.yahoo\.com via HTTP/i
>
>> but it would be far easier if I could somehow do a rDNS lookup on the
>> IP, see if it matches btcentralplus.com and score those that don't.
>
> No, it would not be easier. It would require writing a plugin, rather
> than the IP-range catching Received header rule. ;)
>

Alas, that's where I was hoping you would say there was a plugin that 
would do this type of thing that I wasn't aware of. Or maybe some geoip 
type plugin to establish if the country of origin was the UK or not 
(assuming that most hacked attempts probably originate outside of the UK).

> Since you mentioned rDNS, you probably had the RDNS_NONE and friends
> rules in mind. SA does not do these rDNS lookups, but depends on the MTA
> to do them and note it in the Received headers.
>
>
> There *might* be one alternative. The ASN plugin. I once had a similar
> problem with a really spammy ASN [1], continuing to send out specific
> German junk that for some reason managed to fly low and definitely under
> the radar of Bayes. Alas, the ASN metadata was not available for rules.
>
> IIRC there are some changes in trunk, that might fix this, and actually
> make the ASN metadata also available for rules (and Bayes).
>
> Without this option, I ended up writing a few X-Spam-Relays-External
> rules with RE-encoded IP-ranges.
>

Looks like I'll be doing similar here. I just need to collect the BT ranges.

Thanks for the ideas though - much appreciated.


Re: Hacked webmail accounts (BTInternet/Yahoo)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Fri, 2011-11-25 at 20:27 +0000, Ned Slider wrote:
> header		__L_BT_YAHOO_WEBMAIL01	Received =~ /from \[86\.1[2-9][0-9]\.\d{1,3}\.\d{1,3}] by web\d{4,6}\.mail\.\w{3}\.yahoo\.com via HTTP/i

> but it would be far easier if I could somehow do a rDNS lookup on the 
> IP, see if it matches btcentralplus.com and score those that don't.

No, it would not be easier. It would require writing a plugin, rather
than the IP-range catching Received header rule. ;)

Since you mentioned rDNS, you probably had the RDNS_NONE and friends
rules in mind. SA does not do these rDNS lookups, but depends on the MTA
to do them and note it in the Received headers.


There *might* be one alternative. The ASN plugin. I once had a similar
problem with a really spammy ASN [1], continuing to send out specific
German junk that for some reason managed to fly low and definitely under
the radar of Bayes. Alas, the ASN metadata was not available for rules.

IIRC there are some changes in trunk, that might fix this, and actually
make the ASN metadata also available for rules (and Bayes).

Without this option, I ended up writing a few X-Spam-Relays-External
rules with RE-encoded IP-ranges.


[1] Hello AQUATIX, AS25489.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}