Spoofed by a spammer

© 2005-2006 Paolo Attivissimo. Some rights reserved.

First published: 19/3/2005. Latest update: 15/10/2006.

An Italian version of this page is available.

Abstract

On March 19, 2005, my e-mail address topone@pobox.com was spoofed (i.e., faked and used as an apparent sender) in a massive spamming campaign (the "bounced" messages alone were over one thousand). A similar attack on me took place a few days later, and a third attack occurred on the 31st of March, spoofing my other addresses pattivis@tin.it and paolo.attivissimo@gmail.com. A further attack, with over 3000 bounces, occurred on December 31, 2005. This page provides information about the first of these attacks and on the December 31, 2005 attack.

The first spam message "advertised" my website as "THE MOST BEAUTIFUL WEBSITE ON THE INTERNET" and seemed to originate from my e-mail address. Clearly, therefore, this was a personal attack, not just the usual e-mail spoofing used, for example, by some viruses (worms). The purpose of the attack was presumably to get me blacklisted. Fortunately, this attack and its sequels failed thanks to the cooperation of many members of the Internet community who know me.

I'm posting this information so that all the people involved can know what actually happened. You might also find it useful as a general method for analyzing spam and e-mail headers and for telling whether a sender's address is spoofed or not.

Although I'm not responsible for these spam attacks, I'd like to apologize for any inconvenience they may have caused you.

Timeline

On March 19, 2005, around 2200 Italian time, I found approximately one thousand e-mails in my mailbox, originating from several mail servers and warning me that one of my e-mails could not be delivered because the recipient's mailbox was full.

An example of this warning is provided below: I've replaced the recipient's address with asterisks for the sake of privacy. Please note that my address topone@pobox.com is an alias that points to my current mailbox, which is pattivis@tin.it.

- These recipients of your message have been processed by the mail server:
*******@libero.it; Failed; 5.2.2 (mailbox full)
Remote MTA ims4a.libero.it: SMTP diagnostic: 552 RCPT TO:<*****@libero.it> Mailbox disk quota exceeded
Reporting-MTA: dns; smtp6.libero.it
Received-from-MTA: dns; [213.73.149.120] (213.73.149.120)
Arrival-Date: Sat, 19 Mar 2005 22:11:12 +0100
Final-Recipient: rfc822; *****@libero.it
Action: Failed
Status: 5.2.2 (mailbox full)
Remote-MTA: dns; ims4a.libero.it
Diagnostic-Code: smtp; 552 RCPT TO:<*****@libero.it> Mailbox disk quota exceeded

The warning message also includes part of the e-mail that I apparently sent and was bounced back:

Return-Path: <topone@pobox.com>
Received: from [213.73.149.120] (213.73.149.120) by smtp6.libero.it (7.0.027-DD01)
id 41C1542F0E174FD3; Sat, 19 Mar 2005 22:11:12 +0100
Reply-To: <topone@pobox.com>
From: "WEBMASTER" <topone@pobox.com>
Subject: WEBSITE                                            GVKHNPNYUG
Date: Sat, 19 Mar 2005 21:11:04 +0300
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081

To me, this confirms beyond doubt that I didn't send that message: I don't use, and have never used, Outlook Express (if you really want to know, at the time I used Thunderbird, on a Mac; I've since moved to Mail 2.0 on the Mac). Moreover, the subject of the message is clearly in the style of spam (the sequence of random letters, very often used by spammers for tracking purposes, is a dead giveaway).

What's puzzling is that nearly all these messages originate from a single provider: Libero.it. Moreover, the addresses seem to be generated by a random username generator, which is another typical tool of spammers and viruses. At first I am inclined to suspect that a new virus is loose and has used my address as a fake sender (as often happens), but then I find messages from other servers (Interbusiness.it and Tiscali.it) that attach the full text of the message I allegedly sent (but that I certainly did not send). Here's an example (the spam message itself is the final part, after the delivery report):

This Message was undeliverable due to the following reason:
The user(s) account is temporarily over quota.
<******@cgi.interbusiness.it>
Please reply to Postmaster@cgi.interbusiness.it
if you feel this message to be in error.
Reporting-MTA: dns; fep06.flexmail.it
Arrival-Date: Sat, 19 Mar 2005 22:16:12 +0100
Received-From-MTA: dns; vmx15.multikabel.net (212.127.254.144)
Final-Recipient: RFC822; <*****@cgi.interbusiness.it>
Action: failed
Status: 4.2.2
Subject: WEBSITERSVOGCHQPS
From: "WEBMASTER" <topone@pobox.com>
Date: Sat, 19 Mar 2005 21:16:50 +0300
*******************
THE MOST BEAUTIFUL WEBSITE ON THE INTERNET
http://www.attivissimo.net/
******************
QYHMDNFTHJQGBLIFZSWRLLGZPSUDHQTCWBYXZM

That explains a lot: it's a personal attack. Someone is disseminating a pathetic "advert" for my website and is faking the sender, pretending to be me. The goal, I assume, is to get me rated as a spammer and therefore get me blacklisted by antispam systems, making it difficult for me to send my newsletter and my business e-mails.

This is a rather futile attempt, since I have several backup addresses. So it's worth taking this opportunity as an exercise in attack analysis.

At this point, the "mailbox full" messages can be explained: they are presumably originating from mailboxes that were already full for other reasons. In practice, the spammer/attacker spammed far more than a thousand addresses: the mailboxes that weren't full received the spam message without complaining, while the mailboxes that were already full returned the error message.

The random letter sequence at the end of the message, typical of spammers' work, is the same in all the messages and therefore was generated by hand. This would suggest the work of someone who is not a professional spammer, because a professional would have inserted an automatically-generated different sequence in each message.

The full headers of the spam message contain further traces of amateurish work, discussed below:

Received: from mail-mx-int-1.tiscali.com ([10.39.115.250]) by root-front2-priv2.tiscali.com with Microsoft SMTPSVC(6.0.3790.211);
Sat, 19 Mar 2005 22:17:13
Received: from mail-mx-2.tiscali.it (213.205.33.32) by mail-mx-int-1.tiscali.com (7.2.034.7)
id 4219C0EA00543FDA for info@it.tiscali.com; Sat, 19 Mar 2005 22:17:13
Received: from vmx10.multikabel.net (212.127.254.136) by mail-mx-2.tiscali.it (7.2.034.7)
id 421AE619030E0647 for info@it.tiscali.com; Sat, 19 Mar 2005 22:17:13
Received: from vmx90.multikabel.net ([212.127.254.146])
by vmx10.multikabel.net with esmtp (Exim 4.44)
id 1DClJn-0002yB-KM
for info@tiscali.it; Sat, 19 Mar 2005 22:17:11
Received: from attivissimo (213-73-149-120.cable.quicknet.nl [213.73.149.120])
by vmx90.multikabel.net (8.12.10/8.12.8) with SMTP id j2JLGWhr014315;
Sat, 19 Mar 2005 22:16:34
Message-Id: <200503192116.j2JLGWhr014315@vmx90.multikabel.net>
Reply-To: <topone@pobox.com>
From: "WEBMASTER"<topone@pobox.com>
Date: Sat, 19 Mar 2005 21:16:50
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-MultiKabel-MailScanner-Information: Please contact helpdesk@quicknet.nl for more information
X-MultiKabel-MailScanner: Found to be clean
X-MultiKabel-MailScanner-SpamCheck:
Subject: WEBSITERSVOGCHQPS
X-MultiKabel-MX-MailScanner-Information: Please contact helpdesk@quicknet.nl for more information
X-MultiKabel-MX-MailScanner: Found to be clean
X-MultiKabel-MX-MailScanner-SpamCheck:
X-MailScanner-From: topone@pobox.com
Bcc:
Return-Path: topone@pobox.com
X-OriginalArrivalTime: 19 Mar 2005 21:17:13.0257 (UTC) FILETIME=[04EC4990:01C52CC9]

The spammer/attacker simulated my online identity by using attivissimo as my computer's name (hostname), but I'm not that vain: the hostname is wrong. All the spammer had to do to avoid this mistake was look at the headers of one of my genuine messages to determine my hostname (or at least the hostname as given in my e-mails). Furthermore, the attacker simulated Outlook Express, but OE is most definitely not the e-mail client I use.

In more general terms, the header of a message contains the history of its route (together with other information), and even if altered, as it often is in spam, it makes it possible to trace the message back to the sender.

The path is documented by the lines that begin with Received, in reverse order, i.e., the last step of the path is the first line. Therefore, the first Received line identifies the last mail server encountered, while the last Received line reveals the first server through which the message was relayed and therefore its source, including the IP address of the sender's computer. In these lines of the header, the word From indicates the server that sent the message and the word By identifies the server that received it at each step of the route.

In this case, therefore, the message originated from the IP address 213.73.149.120, which belongs to the Dutch provider Quicknet.nl, an affiliate of Multikabel.net. I have already contacted the provider to warn about the abuse (they replied that they have sent a disconnect notice to their user).

It's quite obvious, in other words, that the message originated from a computer in the Netherlands. However, that computer may have been controlled from another location, maybe without its owner's knowledge ("zombified", in the jargon). But in the specific case of the IP address 213.73.149.120, a Google search seems to indicate that it's a proxy, i.e., a computer that intentionally allows remote control.

This is indeed the most plausible scenario, as there is a strange detail in the header of another "message-rejected" e-mail generated by this spam attack (the recipient has been replaced with asterisks):

Received: from vmx55.multikabel.net ([212.127.254.145])
by fepcert01-svc.flexmail.it with ESMTP
id <20050319211702.ENSE9237.fepcert01-svc.flexmail.it@vmx55.multikabel.net>
for <********@interbusiness.it>;
Sat, 19 Mar 2005 22:17:02 +0100
Received: from vmx90.multikabel.net ([212.127.254.146])
by vmx55.multikabel.net with esmtp (Exim 4.44)
id 1DClJc-0004CD-4p
for *******@interbusiness.it; Sat, 19 Mar 2005 22:17:00 +0100
Received: from attivissimo (213-73-149-120.cable.quicknet.nl [213.73.149.120])
by vmx90.multikabel.net (8.12.10/8.12.8) with SMTP id j2JLGWhr014315;
Sat, 19 Mar 2005 22:16:34 +0100
Message-Id: <200503192116.j2JLGWhr014315@vmx90.multikabel.net>
Reply-To: <topone@pobox.com>
From: "WEBMASTER"<topone@pobox.com>
Date: Sat, 19 Mar 2005 21:16:50 +0300

Did you catch that? Look at the last line: the time zone difference ("+0300"). In mail servers, the time of day is given together with the offset with respect to GMT. That's why the servers of Multikabel.net and Interbusiness.it correctly give "+0100". Yet the last line gives a different time zone.

This is an interesting detail, because "+0300" is the time zone difference of, for example, computers that use Moscow time. There are many other locations in the same time zone, but I'm referring to Moscow for a very specific reason. The computer of Valentin Mikhaylin, a scammer I reported on in my hoax-busting pages, is set to Moscow time (I know because the headers in the messages he sends me say so).
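As an added example (not part of the original page), the following Python script applies the two checks described above to the bounce headers quoted on this page: it walks the Received lines from last to first to recover the originating IP and the claimed hostname, and it compares the UTC offset in the Date: header against the offsets stamped by the relays. The regular expression assumes the common "from NAME (RDNS [IP]) by SERVER" layout of a Received line.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Bounce headers quoted on this page (recipient masked by the page author).
RAW = """Received: from vmx55.multikabel.net ([212.127.254.145])
    by fepcert01-svc.flexmail.it with ESMTP
    id <20050319211702.ENSE9237.fepcert01-svc.flexmail.it@vmx55.multikabel.net>
    for <********@interbusiness.it>;
    Sat, 19 Mar 2005 22:17:02 +0100
Received: from vmx90.multikabel.net ([212.127.254.146])
    by vmx55.multikabel.net with esmtp (Exim 4.44)
    id 1DClJc-0004CD-4p
    for *******@interbusiness.it; Sat, 19 Mar 2005 22:17:00 +0100
Received: from attivissimo (213-73-149-120.cable.quicknet.nl [213.73.149.120])
    by vmx90.multikabel.net (8.12.10/8.12.8) with SMTP id j2JLGWhr014315;
    Sat, 19 Mar 2005 22:16:34 +0100
Message-Id: <200503192116.j2JLGWhr014315@vmx90.multikabel.net>
Reply-To: <topone@pobox.com>
From: "WEBMASTER"<topone@pobox.com>
Date: Sat, 19 Mar 2005 21:16:50 +0300
"""

# "from NAME (RDNS [IP]) by SERVER": NAME is what the sender claimed, [IP] is what the server saw.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+(?:\(([^)]*)\)\s+)?by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """Return (claimed name, observed IP, receiving server, UTC offset) for one hop."""
    flat = " ".join(value.split())           # unfold the header onto one line
    m = RECEIVED_RE.search(flat)
    ip = IP_RE.search(m.group(2) or "")
    stamp = flat.rsplit(";", 1)[-1].strip()  # the timestamp follows the last ';'
    offset = parsedate_to_datetime(stamp).strftime("%z")
    return m.group(1), ip.group(1) if ip else None, m.group(3), offset

def analyze(raw):
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = hops[-1]   # each relay prepends its line, so the last one is the first relay
    date_offset = parsedate_to_datetime(msg["Date"]).strftime("%z")
    return {
        "hops": hops,
        "claimed_hostname": origin[0],
        "origin_ip": origin[1],
        "first_relay": origin[2],
        "date_offset": date_offset,
        # A Date: offset that no relay on the path uses is the tell discussed above.
        "offset_mismatch": date_offset not in {h[3] for h in hops},
    }
```

Running `analyze(RAW)` reports the origin as 213.73.149.120 behind vmx90.multikabel.net, the claimed hostname "attivissimo", and a Date: offset of +0300 that none of the +0100 relays share.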

On the 19th of March we had a lively exchange of e-mails after a period of silence. The other attacks occurred just after I had published updates to my Web pages covering his activities. As I know for sure from the logs of my Website that Valentin reads obsessively (even 130 times in a single month) the pages that deal with his story, mere coincidence seems unlikely.

I hope you found this little antispam investigation interesting. If you have details to add or corrections to make, you know where to e-mail me.

The attack on 31/12/2005

On the 31st of December 2005 I posted a blog article on the new social engineering technique being used by a spammer, Valentin Mikhaylin, to try to authenticate his scam messages.

A few hours after this posting, I received about 2500 e-mails reporting attempts to subscribe me to mailing lists of all kinds, accompanied by the wording "stupid gay Ativisimo" [sic].

Other messages, sent to the abuse mailboxes of many providers using my address as apparent sender, contain this tragicomically amusing text:

"Dear Internet Users: I wish you a Happy New Year 2006! Please send any banknote to my address and it will stop my old dishonest wife to leave me alone and go to the rich black man."

The message was followed by my home address (this is no surprise and no cause for concern, as it's easy to find this information on the Net).

Of course, I promptly trashed all the messages without any problem: I'm used to far more professional attacks, and the people in charge of abuse mailboxes won't be fooled by such pathetic tricks. I am detailing the attack here so that Google will index the keywords of the spoofed message, so anyone seeking information on this incident, in order to determine whether I'm a spammer or not, can find out easily.

Acknowledgments

I'd like to thank MDT and walter for spotting a few errors and typos in this page, the members of the Net abuse and monitoring newsgroups for posting notices to avoid blacklisting me, and Paypal.com and Pobox.com for their excellent handling of this attack.