Review your annual Social Security statement – Virus

July 30th, 2010

The latest twist on virus/malware campaigns pretends to be an email from the Social Security Administration, complete with a spoofed ssa.gov From address, and claims that the attachment is a copy of your annual statement. The attachment is the malware; the "statement" is only the lure.

The email arrives with the headers:

Subject:      Review your annual Social Security statement
From:         "Social Security Administration" <notification@ssa.gov>

Due to possible calculation errors, your annual Social Security statement may contain errors.

Open attached file to review your annual Social Security statement.


How To Stop Unwanted Emails From Reaching Your Inbox

July 29th, 2010

OnlyMyEmail blocks over 99% of unwanted email without critical false positives. Stop wasting your time and sign up for a spam free inbox. There are really only two ways to keep spam out of your inbox:

  1. Prevention — This is at best only partially effective and requires a fresh, un-spammed email address. However, if you do start with a new address, prevention can seem downright miraculous.
  2. Filtering — Also not perfect, but a good spam filtering service should remove more than 99% of the messages you don't want. The thing to watch out for in filtering is false positives. (False positives are messages that should have been delivered but were blocked instead.) Blocking spam is easy; the hard part is not blocking the good messages.

(Actually, there is a third way but we’re assuming you don’t want to give up email altogether.)

These approaches are not mutually exclusive. In fact, the most effective spam filtering comes from a combination of both. This means that, even if you have a good spam filtering service, it still helps if you take preventative measures. Relying on your filtering service to take care of everything is like asking your doctor to keep you healthy when you have a lousy diet and fail to exercise.

Don’t Encourage Them

First and foremost, spam exists because it works. If a spammer sends out millions of emails, enough people will respond to make it worthwhile. Don't be one of them.


Currently not permitted to relay through this server – Worst Rejection Ever!

July 28th, 2010

Of all the confusing and convoluted mail server rejections commonly in use, "Currently not permitted to relay through this server" causes more Support tickets for us than any other. Worse yet, it's not even an error that we generate, so we find ourselves constantly trying to coherently explain what someone else's mail server is saying.

Given that this is arguably the worst mail server error message ever, we’re going to try to make sense of it once and for all.

When reviewing the following example, realize that the IP addresses and server names will change to reflect the server that is sending the email and also the one which is refusing to accept it. We’re replacing the receiving/rejecting server IP with 111.111.111.111 and the sending server’s IP with 222.222.222.222.

Also note that the layout and formatting of these rejections can be confusing as well, with lots of line breaks and "550"s scattered about. (550 is the SMTP reply code for a permanent failure; the text after it is whatever the rejecting server chooses to say.)

Disclaimers aside, this ugly bounce/rejection/NDR message typically says:

SMTP error from remote mail server after RCPT TO:: host 111.111.111.111:
your-mailserver.com [222.222.222.222]: is currently not permitted to relay through this server.
Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.

While the language is fairly uncomplicated, it is also nearly impossible for the average user to decipher. Further, because of the dual nature of this error message, it confuses many experienced email and network admins too.

What on earth does this mean?

Despite the convoluted wording, the first meaning is simple: the receiving server does not believe it is supposed to accept mail for the recipient's domain, so it rejects the message you sent.

As far as that server is concerned, you are an outside party trying to use it to relay mail on to some other domain it is not responsible for. That is exactly what a properly configured server must refuse, since accepting it would make the server an open relay.

Usually this is seen after someone manually changes settings on a mail server, or some automatic update is applied, and the server which used to happily accept mail for "recipient.com" no longer thinks it's supposed to host mail for that domain and rejects with this error instead.

On the other hand….

On the other hand, these error messages also contemplate that perhaps you're not some outside mail server trying to deliver inbound mail, but instead a local user with a mail account on the server who is trying to send outbound email via SMTP, and you (or your email software) forgot to log in and authenticate.

The fact of the matter is that most mail servers cannot tell the difference between another mail server connecting to deliver inbound mail and a user's mail client connecting to send outbound mail. Until the client authenticates (with SMTP AUTH, or by the older trick of a recent POP/IMAP login from the same IP address), both look exactly the same: an unauthenticated SMTP connection asking the server to accept a message for a domain it doesn't host. That may sound hard to believe, but it's sadly true.

And that is why this part is confusingly tacked onto the end of the rejection:

Perhaps you have not logged into the pop/imap server in the last 30 minutes or do not have SMTP Authentication turned on in your email client.

Having one rejection message try to cover two completely different scenarios, combined with the most confusing of language, is what causes so many problems and misunderstandings.

Now, given that the above explanation still might not make perfect sense to the average user, let’s re-write the rejection to say what it really means:

We’re sorry, our server will not accept your message.

If you are a mail server connecting to our system to deliver this message to us, then please be aware that our servers are not configured to accept mail for the recipient's domain.

If you are a local user, trying to send this email outbound for delivery, the problem is that we don’t see you as having logged into the SMTP server. Please configure your software to use SMTP Authentication and/or restart your email client software.

Granted, this still probably won't make perfect sense to someone with no knowledge of how email actually works, but it's hopefully a lot clearer for the rest of us.
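To make the "dual nature" concrete, here is the decision a receiving server makes at RCPT TO, written out as an added example (this is not code from the post or from any real mail server). The hosted domain, the client addresses and the 30-minute POP-before-SMTP window are assumptions chosen to match the sample rejection quoted above. The same 550 text comes out whether the connection is a remote server delivering to a domain we stopped hosting or a local user who never authenticated, because at this point in the conversation the server genuinely cannot tell the two apart.

```python
"""Added example: how a receiving SMTP server decides whether to accept a
recipient, and why two unrelated mistakes produce the same 550 rejection.
Not code from the OnlyMyEmail post; domains, IPs and the 30-minute window
are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed: the "logged into the pop/imap server in the last 30 minutes" grant
# from the sample rejection (the legacy POP-before-SMTP relay mechanism).
RELAY_WINDOW_SECONDS = 30 * 60

REJECT_TEXT = (
    "{helo} [{ip}]: is currently not permitted to relay through this server. "
    "Perhaps you have not logged into the pop/imap server in the last 30 minutes "
    "or do not have SMTP Authentication turned on in your email client."
)


@dataclass
class Session:
    """One SMTP connection as the server sees it."""
    client_ip: str
    helo: str = "unknown"
    authenticated: bool = False  # set only after a successful SMTP AUTH


@dataclass
class RelayPolicy:
    local_domains: set[str]                      # domains this server hosts mail for
    recent_logins: dict[str, float] = field(default_factory=dict)  # ip -> epoch secs of last POP/IMAP login

    def rcpt_to(self, session: Session, recipient: str, now: float) -> tuple[int, str]:
        """Return the (code, text) reply to RCPT TO:<recipient>."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return 250, "Recipient OK"           # inbound mail for a domain we host
        last = self.recent_logins.get(session.client_ip)
        if session.authenticated or (last is not None and 0 <= now - last <= RELAY_WINDOW_SECONDS):
            return 250, "Recipient OK"           # outbound relay for a known local user
        # Neither hosted nor authenticated: refuse, or we are an open relay.
        return 550, REJECT_TEXT.format(helo=session.helo, ip=session.client_ip)


def walk_through() -> dict[str, int]:
    """The scenarios the post describes, as reply codes from rcpt_to()."""
    now = 1_000_000.0  # arbitrary epoch seconds
    policy = RelayPolicy(local_domains={"recipient.com"})
    remote_mta = Session("222.222.222.222", helo="your-mailserver.com")
    user = Session("198.51.100.23", helo="laptop.home")
    authed = Session("198.51.100.23", helo="laptop.home", authenticated=True)
    results: dict[str, int] = {}

    # Scenario 1: another server delivers inbound mail for a hosted domain.
    results["inbound_hosted"] = policy.rcpt_to(remote_mta, "bob@recipient.com", now)[0]
    # ...then a botched config change drops the domain from the hosted list.
    policy.local_domains.discard("recipient.com")
    results["inbound_after_misconfig"] = policy.rcpt_to(remote_mta, "bob@recipient.com", now)[0]

    # Scenario 2: a local user sends outbound mail without authenticating,
    # then with SMTP AUTH, then relying on a POP login 10 and 45 minutes ago.
    results["outbound_no_auth"] = policy.rcpt_to(user, "friend@elsewhere.example", now)[0]
    results["outbound_smtp_auth"] = policy.rcpt_to(authed, "friend@elsewhere.example", now)[0]
    policy.recent_logins[user.client_ip] = now - 10 * 60
    results["outbound_pop_10min_ago"] = policy.rcpt_to(user, "friend@elsewhere.example", now)[0]
    policy.recent_logins[user.client_ip] = now - 45 * 60
    results["outbound_pop_45min_ago"] = policy.rcpt_to(user, "friend@elsewhere.example", now)[0]
    return results


if __name__ == "__main__":
    for scenario, code in walk_through().items():
        print(f"{scenario:26s} -> {code}")
```

Notice that `inbound_after_misconfig` and `outbound_no_auth` fail on the same `return` line: the server reaches it either because the recipient domain is no longer in `local_domains` or because nothing on the connection proves the client is a local user. Fixing the first case means restoring the domain on the server; fixing the second means turning on SMTP Authentication in the client. Nothing in the 550 text tells you which one you are looking at.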


Vonage Account Security Phish – A Perfect 10

July 27th, 2010

This is one for the record books.

The other day we intercepted several copies of a phishing email that, in conjunction with a fake web page, attempts to acquire your Vonage phone number and password.

Subject: Important – Vonage Account Security Information

From: “donotreply@vonage.com” <donotreply@vonage.com>

The body contains this image file:

[Image: the fake Vonage survey request from the email body]

In and of itself this phish is not particularly outstanding. The image above looks like it could be from Vonage but actually links to a forged version of a Vonage sign-in page, and the web site is not even a very good forgery.

What is outstanding is the URL of the fake web site . . .


Arthur Simmons – InTrust Domains – Bogus Domain Marketing

July 26th, 2010

Domains are cheap and easy to register, and marketing of otherwise low value domains can be so profitable that spammers simply cannot resist the opportunity.

Our favorite example currently goes by the name of "Arthur Simmons" from "InTrust Domains", but the personal and business aliases this spammer uses are no doubt very many indeed.

We’ve seen this spammer send domain sales notices from a variety of email addresses, including:

  • Arthur Simmons <arthur@dni-domainsales.net>
  • Arthur Simmons <arthur@hostingbulb.net>
  • Arthur Simmons <arthur@trafficpad.net>
  • Arthur Simmons <arthur@spiritedconceptsinc.net>
  • Arthur Simmons <arthur@ideathreads.net>
  • Arthur Simmons <arthur@alterconcepts.net>
  • Arthur Simmons <arthur@valuealmanac.net>

And that's just a small sampling. The domains used by this spammer are all recently registered, all redirect to the same spam landing pages, and are all easily disposable, so they are likely to change in the near future. Blocking on the sender domain alone is therefore a losing game; the landing pages they redirect to are the more stable indicator.


Yahoo Pulse Blog – A Good Hosting Tool for Spammers

July 23rd, 2010

Yahoo has apparently found yet another way to assist spammers.

As if longstanding abuses of Yahoo Groups weren't enough for the spammed masses to suffer through, their blog site, Yahoo Pulse, is now making life easier and more productive for spammers as well.

The latest emails being spewed throughout the Internet have long and convoluted Subject lines (in an attempt to evade spam filtering) that allude to online sales of medications, such as:

Subject:   extraordinary tablets tendered for superb way of life
Subject:   supplying exceptional capsule brands for lots of years
Subject:   web outlet tremendously suggested for pills purchases

Microsoft, itself a massive spam-enabler, is sending the vast majority of these emails (if not all of them) through hijacked Hotmail accounts that abuse its mail servers. The From addresses may or may not be legitimate Hotmail accounts:

From:     Boyd Owenby <boydowenbykac@hotmail.com>
From:     Stroum Elliff <estroumuel@hotmail.com>
From:     Elphonte Stutz <stutzelphoduec@hotmail.com>

but the actual sending mail servers most certainly are Microsoft's, as the Received headers written by our own servers show:

from col0-omc4-s15.col0.hotmail.com (65.55.34.217)
from col0-omc3-s9.col0.hotmail.com (65.55.34.147)
from snt0-omc1-s27.snt0.hotmail.com ([65.55.90.38])
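The distinction being drawn above, that the From address is whatever the spammer typed but the connecting server is a matter of record, is worth checking mechanically. The following is an added example, not code from the post, that pulls the connecting host and IP out of the Received header our own MX wrote and compares it with the From domain. The message text is constructed to resemble the headers quoted above; the MX name mx.example.net, the internal Hotmail hop and the counter-example host are assumptions. Only the topmost Received header, the one added by our own server, is trustworthy: every header below it arrived with the message and can be forged.

```python
"""Added example (not the OnlyMyEmail post's code): identify the server that
actually handed a message to our MX and compare it with the From domain.
Sample messages are constructed; mx.example.net is an assumed MX name."""
from __future__ import annotations

import email
import re
from email.utils import parseaddr

# Matches "from host (ip)", "from host ([ip])" and "from host (name [ip])",
# the three layouts seen in the Received lines quoted in the post.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<host>\S+).*?[\(\[]\s*\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE | re.DOTALL,
)


def sending_mta(raw: str, our_mx: str) -> tuple[str, str] | None:
    """Return (hostname, ip) of the host that connected to our_mx, taken only
    from a Received header that our own server wrote ("by our_mx")."""
    msg = email.message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        if f"by {our_mx.lower()}" not in hdr.lower():
            continue                      # not ours: untrusted, possibly forged
        m = RECEIVED_RE.search(" ".join(hdr.split()))
        if m:
            return m.group("host").lower(), m.group("ip")
    return None


def check_origin(raw: str, our_mx: str = "mx.example.net") -> dict:
    """Compare the From domain with the host that delivered the message."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    mta = sending_mta(raw, our_mx)
    host, ip = mta if mta else ("", "")
    consistent = bool(host) and (host == from_domain or host.endswith("." + from_domain))
    return {"from_domain": from_domain, "mta_host": host, "mta_ip": ip, "consistent": consistent}


# Constructed sample modelled on the headers quoted in the post (body omitted).
# The second Received line is an assumed internal Hotmail hop.
HOTMAIL_SAMPLE = """\
Received: from col0-omc4-s15.col0.hotmail.com (65.55.34.217) by mx.example.net with ESMTP; Fri, 23 Jul 2010 10:00:00 -0400
Received: from COL123-W45 ([10.21.3.44]) by col0-omc4-s15.col0.hotmail.com with Microsoft SMTPSVC; Fri, 23 Jul 2010 07:00:00 -0700
From: Boyd Owenby <boydowenbykac@hotmail.com>
Subject: extraordinary tablets tendered for superb way of life

(body omitted)
"""

# Constructed counter-example: the same hotmail.com From address injected
# directly from an unrelated host that Microsoft's servers never touched.
SPOOFED_SAMPLE = """\
Received: from dsl-203-0-113-7.example-isp.net (203.0.113.7) by mx.example.net with ESMTP; Fri, 23 Jul 2010 10:05:00 -0400
From: Boyd Owenby <boydowenbykac@hotmail.com>
Subject: extraordinary tablets tendered for superb way of life

(body omitted)
"""

if __name__ == "__main__":
    for label, sample in (("hotmail", HOTMAIL_SAMPLE), ("spoofed", SPOOFED_SAMPLE)):
        print(label, check_origin(sample))
```

For the messages the post describes the check comes back consistent: the From is a hotmail.com address and the connecting host really is one of Microsoft's outbound servers, which is exactly why these should be reported to Microsoft as compromised accounts rather than treated as forged senders. A "not consistent" result is the more common case for spam and is the usual trigger for looking at SPF and the sending IP's reputation instead of the From address.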


Gulf Coast Relief Scavengers

July 22nd, 2010

Here we go again. The vultures are circling, ready to take advantage of people affected by the Deepwater Horizon oil spill, just like they do after every disaster.

We just blocked a stack of emails purporting to offer help collecting money from the 20 billion dollar compensation fund BP is so graciously providing. In reality, though, these emails are an advance-fee fraud attempt.

Advance-fee fraud is a con game in which the perpetrator promises to help the victim receive a large payment (such as an inheritance) but requires "up-front" money to complete the transaction. If the victim is gullible enough, the perpetrator may request several advance payments, but in all cases the final payout is never delivered.

The examples we’re focusing on today are pretty slimy overall and not difficult to detect as fraud but they do provide some insights into how these advance-fee scams work.


Statement of Fees – Virus

July 21st, 2010

This week's most popular virus email variant attempts to use vagueness to its advantage.

Rather than trying to convince you that the email is an official message from eBay, Visa, PayPal, Chase or some other well-known business, these messages are intentionally non-specific, so there is no brand for a recipient (or a filter) to check them against.

Subject lines refer only to some sort of “statement” like:

Subject:      Statement of Fees
Subject:      Statement of fees 2010


Amazon.com: Please verify your new e-mail address – Fraud

July 20th, 2010

At least one of the larger spam botnets has been hard at work these last few days spreading itself via spoofed Amazon.com emails.

For the most part, these frauds do an excellent job of mimicking legitimate Amazon emails.

They arrive with the following From and Subject lines:

From:         "Amazon.com E-mail Subscriptions" <delivers@amazon.com>
Subject:      Amazon.com: Please verify your new e-mail address

And the design, layout and attention to detail within the email is quite good:

[Image: the fraudulent "Amazon Delivers" verification email]


Scan from a Xerox WorkCentre Pro – Virus

July 19th, 2010

In another crafty attempt to induce email recipients to voluntarily infect their own computers with a virus, the latest campaign spoofs a scanned-document notification purportedly from a Xerox WorkCentre Pro multifunction device.

The emails arrive from an endless variety of spoofed From addresses, when they are actually sent from personal computers that have already been infected by this same campaign.

The Subject lines of the emails are consistently:

Subject:      Scan from a Xerox WorkCentre Pro N 5458581
Subject:      Scan from a Xerox WorkCentre Pro $4181035

In an attempt to evade spam filtering systems, the very last part of the Subject line is a random number, so that no two emails look exactly alike. The fixed prefix "Scan from a Xerox WorkCentre Pro" is what stays constant, and that is the part worth matching on.
