07 September 2010

an interesting forgery

It is quite common for an online service provider to suggest that an end user add its 'email sending address' to a whitelist, so that spam filters let messages from known senders through unfiltered.

This piece came in. Here are the headers:

Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
bronson.owlriver.com
X-Spam-Level:
X-Spam-Status: No, score=-87.1 required=4.0 tests=BAYES_05,
HTML_IMAGE_ONLY_24,
HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PSBL,
SPF_HELO_PASS,
T_SURBL_MULTI1,T_SURBL_MULTI2,T_SURBL_MULTI3,T_URIBL_BLACK_OVERLAP,
URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,
URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no version=3.3.1
Received: from shadow.apd.hu (shadow.apd.hu [195.70.36.72])
by bronson.owlriver.com (8.13.8/8.13.8) with SMTP id o8224mbp009823
for <rpm@owlriver.com>; Wed, 1 Sep 2010 22:04:50 -0400
Date: Thu, 2 Sep 2010 04:04:49 +0000
From: Twitter <twitter-notification-rpm=owlriver.com@postmaster.twitter.com>
Reply-To: noreply@postmaster.twitter.com
To: rpm@owlriver.com
Message-Id: <6aba5bca4c284_51e06cbd75096ceb8@mx001.twitter.com.tmail>
Subject: You have 5 unread direct messages from Twitter!
Mime-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: Quoted-printable
Content-Disposition: inline
X-Campaignid: twitter20100902312977
Errors-To: Twitter
<twitter-notification-rpm=owlriver.com@postmaster.twitter.com>
Bounces-To: Twitter
<twitter-notification-rpm=owlriver.com@postmaster.twitter.com>
X-Envelope-To: rpm@owlriver.com
X-Munge: added X-Envelope-To
X-Orig-Subject: You have 5 unread direct messages from Twitter!
X-Loop: herrold@owlriver.com
X-ORC: antiloop

The body is heavily obfuscated HTML, but the clear text is:

HI, RPM.

You have 5 unread direct messages from Twitter!
http://twitter.com/account/messages/rpm/RKQYA-KU4GO-417167
[medicinete.info]

The Twitter Team

If you received this message in error and did not sign up for a
Twitter account, click not my account [medicinete.info].

Please do not reply to this message; it was sent from an unmonitored
email address. This message is a service email related to your use of
Twitter. For general inquiries or to request support with your
Twitter account, please visit us at Twitter Support
[medicinete.info].

Clever enough -- the "[medicinete.info]" is added by my MUA -- Mail (reading) User Agent, alpine -- and so the link to a forged site is obvious. But the use of the forged sender address, and the fact that I have a global 'whitelist' pass rule on that mail server, rather than 'per user' pass rules for the custom spamassassin on this CentOS 5 box, mean that the forgery was treated as though it was from a trusted sender and favorably scored 100 points.
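The mechanism behind that, worked through as an added example (not code from the original post or from SpamAssassin itself): SpamAssassin's `whitelist_from` looks only at the From: header, which any sender can write, so a forged `@postmaster.twitter.com` address earns the full USER_IN_WHITELIST credit of -100 (the stock score). `whitelist_from_rcvd` additionally requires the reverse DNS of the relay that handed the message to the first trusted MTA to sit under a named domain; here that relay is shadow.apd.hu, not anything under twitter.com, so the same forgery fails the check. The header text below is the one quoted above (trimmed to the lines the checks need); the `*@postmaster.twitter.com` rule and the `twitter.com` relay domain are assumptions about what the site's local.cf would contain. Note also that SPF_HELO_PASS only says the HELO name shadow.apd.hu passed SPF; it says nothing about the From: domain.

```python
"""From:-only whitelisting versus whitelist_from_rcvd, run over the
headers quoted in the post.  Added example; not the post's own code.
Whitelist rules and the trusted-host set are assumptions."""

import fnmatch
import re

# Header block as quoted in the post (trimmed), folded lines intact.
RAW_HEADERS = """\
X-Spam-Status: No, score=-87.1 required=4.0 tests=BAYES_05,
    HTML_IMAGE_ONLY_24,
    HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_PSBL,
    SPF_HELO_PASS,
    T_SURBL_MULTI1,T_SURBL_MULTI2,T_SURBL_MULTI3,T_URIBL_BLACK_OVERLAP,
    URIBL_BLACK,URIBL_DBL_SPAM,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,
    URIBL_WS_SURBL,USER_IN_WHITELIST autolearn=no version=3.3.1
Received: from shadow.apd.hu (shadow.apd.hu [195.70.36.72])
    by bronson.owlriver.com (8.13.8/8.13.8) with SMTP id o8224mbp009823
    for <rpm@owlriver.com>; Wed, 1 Sep 2010 22:04:50 -0400
From: Twitter <twitter-notification-rpm=owlriver.com@postmaster.twitter.com>
To: rpm@owlriver.com
Subject: You have 5 unread direct messages from Twitter!
"""

USER_IN_WHITELIST_SCORE = -100.0  # SpamAssassin's stock score for the rule

# Assumed site policy: the loose rule the post describes, and its strict form.
LOOSE_RULES = ["*@postmaster.twitter.com"]
STRICT_RULES = [("*@postmaster.twitter.com", "twitter.com")]
TRUSTED_HOSTS = {"bronson.owlriver.com"}


def parse_headers(raw):
    """Unfold RFC 5322 headers into a list of (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:        # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def header(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def from_address(headers):
    """The From: address -- the only thing whitelist_from ever looks at."""
    value = header(headers, "From")[0]
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).lower()


def whitelist_from(addr, patterns):
    """whitelist_from semantics: glob match on From:, no origin check."""
    return any(fnmatch.fnmatch(addr, p.lower()) for p in patterns)


# sendmail-style "from <helo> (<rdns> [<ip>]) by <us>"
RCVD_RE = re.compile(r"from\s+\S+\s+\((\S+)\s+\[[\d.]+\]\)\s+by\s+(\S+)", re.I)


def handoff_relay(headers, trusted_hosts):
    """Reverse DNS of the relay that handed the mail to our first trusted MTA.
    Received: lines are newest-first, so the first one written 'by' us names it."""
    for value in header(headers, "Received"):
        m = RCVD_RE.search(value)
        if m and m.group(2).lower() in trusted_hosts:
            return m.group(1).lower()
    return None


def whitelist_from_rcvd(addr, relay_rdns, rules):
    """whitelist_from_rcvd semantics: From: must match AND the handing-off
    relay's rDNS must be the listed domain or a host under it."""
    if relay_rdns is None:
        return False
    return any(
        fnmatch.fnmatch(addr, pattern.lower())
        and (relay_rdns == domain or relay_rdns.endswith("." + domain))
        for pattern, domain in rules
    )


def score_without_whitelist(headers):
    """What X-Spam-Status would have said without the USER_IN_WHITELIST hit:
    (score, required threshold, would it have been flagged)."""
    status = header(headers, "X-Spam-Status")[0]
    score = float(re.search(r"score=(-?[\d.]+)", status).group(1))
    required = float(re.search(r"required=([\d.]+)", status).group(1))
    tests = re.search(r"tests=(.*?)\s+autolearn=", status).group(1)
    names = {t.strip() for t in tests.split(",") if t.strip()}
    if "USER_IN_WHITELIST" in names:
        score -= USER_IN_WHITELIST_SCORE          # -87.1 - (-100) = 12.9
    return round(score, 1), required, score >= required


if __name__ == "__main__":
    hdrs = parse_headers(RAW_HEADERS)
    addr = from_address(hdrs)
    relay = handoff_relay(hdrs, TRUSTED_HOSTS)
    print("whitelist_from      :", whitelist_from(addr, LOOSE_RULES))          # True
    print("relay rDNS          :", relay)                                      # shadow.apd.hu
    print("whitelist_from_rcvd :", whitelist_from_rcvd(addr, relay, STRICT_RULES))  # False
    print("without whitelist   :", score_without_whitelist(hdrs))             # (12.9, 4.0, True)
```

Without the -100 credit the message sits at 12.9 against a threshold of 4.0 and would have been tagged; the blocklist hits (SpamCop, PSBL, several SURBLs) were all there, the whitelist simply outweighed them. The general lesson holds for any From:-keyed allow rule, global or per user: tie it to something the sender cannot forge (relay rDNS as above, or SPF/DKIM via `whitelist_from_spf` / `whitelist_from_dkim`), and prefer per-user rules over a global one so a single forged address cannot buy a pass for every mailbox on the host.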

Of course there IS no such user 'rpm' here sending email, but that address was scraped off a web page in the domain, and so it draws content from hopeful spammers.