How to block this amazon AWS spam, what can i key off of? - ORF Forums

How to block this amazon AWS spam, what can i key off of? RSS Back to forum

1

So since just before Christmas, we've been receiving a HUGE amount of spam advertising counterfeit high-end brand products (tiffany, coach, pandora, etc)

Each smtp-envelope from address is obviously different each time, but it's a new and legit domain each time, which even has a valid SPF record allowing the amazon aws servers to send from that domain.

The body is completely base64 so i can't key off of any image sources, body text or anything

There are two X headers that are always the same:
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538

I've contacted amazon aws support () and they said forward samples with headers. So i did, 180 of them by hand, individually. Each one generated a new support ticket, which was promptly closed as "We've determined that an amazon EC2 instance was running at the IP address you provided in your report...we'll investigate..."

But nothing changes, the spam keeps coming in. I dont think amazonaws support cares, because someone's paying for the ability to send this spam.

I'm half tempted to just block all of amazonaws, and if any legit sender complains i'll tell them to contact amazonaws support... but that's just a grudge and won't really solve it.

So what can i do?

original headers of one sample:

Received: from ec2-54-165-172-30.compute-1.amazonaws.com (54.165.172.30) by
onlinew2.ourdomain.com (172.16.1.70) with Microsoft SMTP Server id
14.3.319.2; Wed, 18 Jan 2017 15:16:19 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=yl526.com;
h=Message-ID:From:To:Subject:Date:Mime-Version:Content-Type; i=;
bh=9BpzCOoBB/On9epUtrSrLlZtEbk=;
b=ACWfCrRROrjh0yUgC4XT+yIZwQTy4xs9hiuwdFrdQLyg2KDd3MAE6DVKoMstfaIvXtoR75rXGqyS
AWsytNL2CIy+cKoWCTNns/8Lvc0Ydvxab1yd2AMlVl+/uP36lLr/IMzQQ+hCN1fK7r5j2mtucWnA
AeOp9Grf8HcMtTHiVlk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key; d=yl526.com;
b=Wo1tkrdhnbGbl685d2+dh8rz3vPTemSysik7djlNmplaeMJY4TBdOFqMJ9SDGfmbEvXsSY4AdpYL
xP7lx4aiXQ7vmlfgcHouprQAOGYS1nqbiM9mDmQuHWIVvjc2bqwE7dICQVuKrDZLAKtfPTHtkYPQ
jFHdjEYC2nZeSB4xzVY=;
Received: from lxacepcu (91.121.113.108) by
ec2-54-165-172-30.compute-1.amazonaws.com id hfv6h80e97ge for
; Wed, 18 Jan 2017 13:26:01 -0500 (envelope-from
)
Message-ID:
From: "TIFFANY&Co. Online"
To:
Subject: Be the first to shop the RESORT 2017 collection.
Date: Wed, 18 Jan 2017 19:25:50 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0D59_01261893.12C92740"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538
Return-Path:
X-MS-Exchange-Organization-AuthSource: onlinew2.ourdomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: yl526.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (onlinew2.Reserves1.com: domain of
designates 54.165.172.30 as permitted sender)
receiver=onlinew2.Reserves1.com; client-ip=54.165.172.30;
helo=ec2-54-165-172-30.compute-1.amazonaws.com;
X-MS-Exchange-Organization-SCL: 4
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report:
DV:3.3.16106.867;SID:SenderIDStatus
Pass;TIME:TimeBasedFeatures;OrigIP:54.165.172.30
X-EsetId: 37303A290704736A647463

MIME-Version: 1.0

--_ecfec0ce-ea89-4bb7-a443-512d48646ae8_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

ICAgICAgICBDYW4ndCBzZWUgaW1hZ2VzPyB2aWV3IGluIGEgQnJvd2VyfCBJZiB5b3UgZG9uJ3Qg
d2lzaCB0byByZWNlaXZlIGFueSAgICAgICBlbWFpbHMsIHVuc3Vic2NyaWJlIE9yIG1vdmUgaXQg
dG8gc3BhbSAgICAgICBGcmVlICAgICAgIFNoaXBwaW5nIEZvciBPcmRlcnMgT3ZlciAkOTkhIFZJ
RVcgREVUQUlMUyAgICAgICAgIFdIQVQnUyBORVcgICAgIFdPTUVOJ1MgQkFHUyAgICAgTUVOJ1Mg
QkFHUyAgICAgQUNDRVNTT1JJRVMgICAgICAgICAgICAgICAgICAgICAgICAgQ29weXJpZ2h0IMKp
MjAxNSBDT0FDSEJBR1MgU0FMRSAgICAgICBTVE9SRQ0KVGhpcyBlbWFpbCB3YXMgc2VudCB0byBs
c25vd0B0cm5zdGFmZmluZy5jb20uDQpUaGlzIGlzIGEgcG9zdC1vbmx5ICAgICAgIG1haWxpbmcu
IFBsZWFzZSBkbyBub3QgcmVzcG9uZCB0byB0aGlzIG1lc3NhZ2UuDQpBZGRyZXNzOjEwMjEgZXVu
aWNlIHJvYWQsIHN0Lm1hcnRpbnZpbGxlLCBsb3Vpc2lhbmEsIDcwNTgyICAgICAgICAgICA0MDow
MTk6MDI2IEJ1dCBKZXN1cyBiZWhlbGQgdGhlbSwgYW5kIHNhaWQgdW50byB0aGVtLCBXaXRoIG1l
biB0aGlzIGlzIGltcG9zc2libGU7IGJ1dCB3aXRoIEdvZCBhbGwgdGhpbmdzIGFyZSBwb3NzaWJs
ZS4NCjI0OjAzMDowMTYgVGhlcmVmb3JlIGFsbCB0aGV5IHRoYXQgZGV2b3VyIHRoZWUgc2hhbGwg
YmUgZGV2b3VyZWQ7IGFuZCBhbGwgdGhpbmUgYWR2ZXJzYXJpZXMsIGV2ZXJ5IG9uZSBvZiB0aGVt
LCBzaGFsbCBnbyBpbnRvIGNhcHRpdml0eTsgYW5kIHRoZXkgdGhhdCBzcG9pbCB0aGVlIHNoYWxs
IGJlIGEgc3BvaWwsIGFuZCBhbGwgdGhhdCBwcmV5IHVwb24gdGhlZSB3aWxsIEkgZ2l2ZSBmb3Ig
YSBwcmV5Lg0KIA==

--_ecfec0ce-ea89-4bb7-a443-512d48646ae8_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJz
ZXQ9dXRmLTgiPjx0YWJsZSBjZWxsc3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjAiIHdpZHRoPSI2
NTAiIGFsaWduPSJjZW50ZXIiIGJvcmRlcj0iMCI+DQogID
...and on and on with base64...

by Bryon 2 years ago
2

Hello Bryon,

According to a quick DNSBL query (http://bit.ly/2k3wuHV), the source IP is listed on the ProtectedSky and GBUdb.com Truncate DNS Blacklists, so one approach would be making sure that ORF is checking the incoming emails against these two DNS blacklists as well. The GBUdb.com Truncate blacklist is part of the DNSBL definition file which can be downloaded (and imported into ORF) from: http://vamsoft.com/support/docs/knowledge-base/update-dnsbl-surbl

ProtectedSky's DNS Blacklist (http://psky.me/), on the other hand, should be added manually:

1. Start the ORF Administration Tool, navigate to the Blacklists > DNS Blacklists page and click New.

2. On the 'General' tab enter a shorthand identifier that should be displayed in the logs (e.g. PSKY), and the full name for the DNSBL entry (e.g. ProtectedSky).

3. On the 'Lookup' tab, enter 'bad.psky.me' for the lookup domain and mark the 'Reverse the IP address for lookups' checkbox enabled.

4. On the 'Blacklist Web' tab, enter the URL "http://psky.me/" into the first field. The second should be left blank (there is no lookup URL for this DNSBL)

5. On the 'SMTP Actions' tab add the IP 127.0.0.2 and 127.0.0.3 to the list with an appropriate SMTP response (default: "5.7.1 Mailbox unavailable. Your IP address {IP} is blacklisted using {BLACKLISTNAME}. Details: {TXTDATAORWEBLOOKUP}.")

6. Click OK, mark the new DNSBL enabled and save the ORF configuration (Ctrl + S)

In addition to the above, make sure that you have all of the recommended DNS Blacklists enabled as well:

- Spamhaus ZEN
- Hostkarma (JMF) Blacklist
- Weighted Private Block List
- Passive Spam Block List
- Mailspike Combined List
- Barracuda Reputation Block List

Please, let me know if this has helped.

by Daniel Novak (Vamsoft) 2 years ago
3

@Daniel Novak (Vamsoft): Thanks for the reply

Will this by definition block amazonaws itself? We do get a number of legit emails from their servers - i guess they're pretty popular as a host. This is the first time we've received spam from their stuff, but it's an insane amount.

If this will block amazonaws completely, i'd really like to find a way to filter just this junk while not blocking them as a whole... but on the other hand if their own support department cant do anything about it maybe there's just no choice but to block them as a company.

by Bryon 2 years ago
(in reply to this post)

4

@Bryon: Hi Bryon,

In addition to the RBLs, here is another technique to consider, depending on your risk tolerance for false positives.

In your header I noticed Outlook Express as the sending agent. Some time ago I had a similar problem with emails from Outlook Express to Undisclosed recipients so the regex below helped me. In your header there is no recipient declared, only "To:" so you would need to adapt the regex for that (seeking a new line character like [\r\n]) I have had no trouble with my regex but monitor this to be sure it does what you expect.

Good luck,
Sam

Keyword Filter, Header, RegEx
(?!.*exceptthisdomain)(?=.*((To\: Undisclosed recipients\:\;|X\-Mailer\: Microsoft Outlook Express (4|5|6)).*){2,})

by Sam Russo 2 years ago
(in reply to this post)

5

@Sam Russo: I like that, i didnt know how to check headers in an orf rule

My tolerance says anyone using outlook express can be blocked on principal.

Since all of these spam emails have the exact same OE version, i'm going to try this:

keyword black, header, regex:
.*X\-Mailer\: Microsoft Outlook Express 6\.00\.2900\.5512.*

In fact i might just make that an exchange transport rule and anything that matches, automatically redirect to
(assuming my it only catches amazon junk over the next few days)

Did a quick search of our entire email archive and didnt see any legit emails with that header so, think we're going to be golden on this

by Bryon 2 years ago
(in reply to this post)

6

@Bryon: ProtectedSky certainly won't block the entire amazonaws IP range. I would be surprised if GBUdb.com Truncate would. I suggest you enable both DNSBLs and monitor the ORF logs for a while to see if any legitimate emails are blocked.

by Daniel Novak (Vamsoft) 2 years ago
(in reply to this post)

7

@Daniel Novak (Vamsoft): Perfect chance to update my dns blacklists and surbl definitions. Just re-set them up as per the suggestions in the KB

by Bryon 2 years ago
(in reply to this post)

8

After 6 hours, PSKY is blocking every single one of them... fantastic!

by Bryon 2 years ago
9

@Bryon: Nice!!

by Karen 11 months ago
(in reply to this post)

10

@Karen: Note that PSKY seems to pirate data from other well-known DNSBLs, so we do not recommend actually using it. For more on this, see: https://www.spamhaus.org/organization/statement/015/fraudulent-dnsbl-uncovered-protected-sky-bad.psky.me

by Daniel Novak (Vamsoft) 11 months ago
(in reply to this post)

11

I'm outraged that apparently one has to be a computer expert and go through all this crap just to stop being flooded with spam!! How can it be legal for amazonawes to evade responsibility for emails coming with their header? Is spam just the Wild West of the computer era?

by Richard Hoff 6 months ago
12

@Richard Hoff: It's a fine balancing act between amazon taking money for their service and also protecting their reputation...

But, if you're installing and configuring ORF on an email server, then yes you kind of do need to be a computer expert and go thru all of this crap...

On the other hand, if we as engineers could just get rid of the end users, our problems would be so much easier

by Bryon 6 months ago
(in reply to this post)

13

@Bryon: So you are saying that amazon makes money from this spam? But how can it be legal for them to flood your email with spam without giving you any choice to stop it? Each individual ad they send gives you that choice. Any organization that emails me gives me the option at the bottom of the email to stop any further emails. I have always presumed that this was the law, or why would they do it? So how can amazon somehow be excepted from this law?

by Richard Hoff 6 months ago
(in reply to this post)

14

Hi,

Amazon is a service provider. In this case they provide the infrastructure any paying customer can use to provide their own services. Some get hacked or similar. I doubt that criminals themselves rent virtual services in their names (but who knows). So yes Amazon (and any other infrastructure provider like MS Azure) is getting money and yes spammers use this infrastructure. So providing the street to the bank doesn't mean the streetworker is responsible for the bank robbery just because the the getaway car is standing on this same street.

Regards
Norbert

by NorbertFe 6 months ago
15

Thank you so much, Norbert, for taking the trouble to educate me--clearly a non-techy--on this matter!

But it seems to me that the problem with your metaphor is that in this case Amazon, the "street provider" (Internet access) to the "bank" (my hopefully lucrative inbox) is getting PAID by the "robbers" (intrusive invaders) of my "bank" inbox. Amazon is being paid by the the drivers of the getaway car for easy access to my lucrative inbox, knowing full well what they intend to do! So my bank is being flooded every day with invasions by numerous privacy robbers, who each take a share of my invaluable time and attention before I tell them never to darken my door again. And they couldn't do it without Amazon.

Again, I maintain that since each of these individual "robbers" is legally required to never enter my inbox again if I tell them to by "unsubscribing", Amazon--the "street provider" who the robbers have to pay in order to gain access to my bank--should also be legally required to have my permission to allow their endless flock of attention robbers to enter my inbox. I should have the legal right to tell Amazon to stop sending these ads! I should be able to unsubscribe from amazonawes. Why should amazonawes be exempted from the rules every other organization has to obey?

by Richard Hoff 6 months ago
16

@Richard Hoff: Think about it like this... if those bank robbers chose to pay $1.00 to drive on a toll road to get to the bank, because it's easier and what's $1.00 matter when you're about to make a lot more....

Does the toll commission have any responsibility here?

Sure their cameras might be able to look into the car and see the ski masks, but that's 1 in a billion cars... and they're not legally obligated to look in each car (amazon analyzing traffic)

Now let's say you come along and notice [this] license plate robs banks every day and you follow them, onto the toll road... then you complain to the toll commission to stop them. Yes, they need to stop them... and they do. Then the robbers get a new rental car and the cycle begins again (like they get a new source ip address and fake business name)

There are actually laws on the books similar to this... like if i post some absurdly abusive false comment about a person or company on THIS forum, vamsoft certainly can't get in trouble. Sure, they can delete it but they're not in trouble

by Bryon 6 months ago
(in reply to this post)

17

@Richard Hoff: Hi RIchard,

Thats often the problem with metaphors between cars/physical things and the nonphysical things in the IT. ;)
"I should have the legal right to tell Amazon to stop sending these ads! I should be able to unsubscribe from amazonawes. Why should amazonawes be exempted from the rules every other organization has to obey?"

You do have the legal right to tell them. But I doubt that this will help you at all. If it was that easy no one would need software like Vamsoft's ORF. And... you can't tell if Amazon is actually paid by the "robbers", because they could easily use a hacked account from legitimate customers.

Regards
Norbert

by NorbertFe 6 months ago
(in reply to this post)

18

OY! Well, last week I put all this rational legalistic tap-dancing and metaphor wielding aside and simply sent amazonawes an email requesting that they cease sending me any further emails. So far I have received none. We shall see...

--Richard

by Richard Hoff 6 months ago
19

Well, it's been a couple of weeks now, and even though it's Christmas time, I have received no further ads from amazonawes! Maybe my email to them actually worked. Why don't you all try it yourself and see what happens?

I'll keep you posted...

--Richard

by Richard Hoff 6 months ago
20

Hi,
great that it worked for you. But actually I don't get much such spam from that source. And I really doubt, that I will write to any provider and ask for not spamming me. If it would be that easy we all wouldn't have a problem at all. But actually we do. But I'm glad you got your problem solved.

Regards and happy christmas
Norbert

by NorbertFe 6 months ago
21

Hi Norbert--

I don't understand why you would not want to write to a provider and ask them not to spam you. And I don't know if my solution will keep working. I'll let you know if I get any more amazonawes spam.

Anyway, thanks for hanging in there with me, and I wish you too a happy holiday!

--Richard

by Richard Hoff 6 months ago
22

I was also encountering the same problem as I was also using the conventional AWS server. But, story is not the same as I have shifted to a more secure and managed AWS server. which is powered by Cloudways So, all the spam activities that I was encountering at some point has been drastically stopped.

by JaimeClark 3 months ago
23

I have 313 logged Amazon spam messages in this computer alone. All reported to Amazon, all "we have determined and instance of..."

They do not care.

Today I got three more extortion e-mails, and since Amazon (and google, and yahoo, and who else) does not reveal actual source in headers, it becomes Amazon's responsibility to at least break the use of their service from that source(s). Very similar to the toll road camera scenario. Yet they keep coming.

As far as blocking OE.......I use OE. All I use, except on one newer machine, it uses OEClassic.

I don't care if I block ALL of Amazon.....and Romania...and Russia...and China...and Korea...and every stinking middle eastern country.

Oh, well.

by Stan 2 months ago
24

@Stan: I totally agree with you, Stan

We already do block just about every other country out there... some oddities happen when huge companies (microsoft/gmail) use mail servers in ireland or the like....

But Amazon... AWS... is mostly USA... and we can't just block the USA, or all of AWS because as fate would have it, some legit companies do actually use AWS.

As far as OE... i can see it from your standpoint, old dog / new tricks... but that just means you won't be able to email into our company :)

by Bryon 2 months ago
(in reply to this post)

25

I know. Polled folks here, big issue is if they order anything from Amazon, replies get blocked, too.

old/new, yeah, sorta kinda.

XP Pro 64 bit on several. Good friend at F5 told me a long time ago, you are safer with XP and a decent A-V than 10 with the best A-V. We killed MS updates totally after the WGA fiasco, so we've been "unsupported" for what, 10 years?

But, back to Amazon. You would NOT believe some of the boiler plate denials of fault response we have gotten over the years.

And how much do you want to bet the source of some of these that are identified as OE6.0 something...aren't?

There is a LOT of XP out there even MS won't admit to. Mostly PRC. They DO admit to four times as many XP users as 8/8.1 users, and that was this year.

by Stan 2 months ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2