How to block this Amazon AWS spam, what can I key off of?

1

So since just before Christmas, we've been receiving a HUGE amount of spam advertising counterfeit high-end brand products (Tiffany, Coach, Pandora, etc.).

Each SMTP envelope-from address is obviously different each time, but it's a new and legit domain each time, which even has a valid SPF record allowing the Amazon AWS servers to send from that domain.

The body is completely base64, so I can't key off of any image sources, body text or anything.

There are two X headers that are always the same:
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538

I've contacted Amazon AWS support () and they said to forward samples with headers. So I did, 180 of them by hand, individually. Each one generated a new support ticket, which was promptly closed as "We've determined that an Amazon EC2 instance was running at the IP address you provided in your report...we'll investigate..."

But nothing changes, the spam keeps coming in. I don't think amazonaws support cares, because someone's paying for the ability to send this spam.

I'm half tempted to just block all of amazonaws, and if any legit sender complains I'll tell them to contact amazonaws support... but that's just a grudge and won't really solve it.

So what can I do?

Original headers of one sample:

Received: from ec2-54-165-172-30.compute-1.amazonaws.com (54.165.172.30) by
onlinew2.ourdomain.com (172.16.1.70) with Microsoft SMTP Server id
14.3.319.2; Wed, 18 Jan 2017 15:16:19 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=yl526.com;
h=Message-ID:From:To:Subject:Date:Mime-Version:Content-Type; i=;
bh=9BpzCOoBB/On9epUtrSrLlZtEbk=;
b=ACWfCrRROrjh0yUgC4XT+yIZwQTy4xs9hiuwdFrdQLyg2KDd3MAE6DVKoMstfaIvXtoR75rXGqyS
AWsytNL2CIy+cKoWCTNns/8Lvc0Ydvxab1yd2AMlVl+/uP36lLr/IMzQQ+hCN1fK7r5j2mtucWnA
AeOp9Grf8HcMtTHiVlk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key; d=yl526.com;
b=Wo1tkrdhnbGbl685d2+dh8rz3vPTemSysik7djlNmplaeMJY4TBdOFqMJ9SDGfmbEvXsSY4AdpYL
xP7lx4aiXQ7vmlfgcHouprQAOGYS1nqbiM9mDmQuHWIVvjc2bqwE7dICQVuKrDZLAKtfPTHtkYPQ
jFHdjEYC2nZeSB4xzVY=;
Received: from lxacepcu (91.121.113.108) by
ec2-54-165-172-30.compute-1.amazonaws.com id hfv6h80e97ge for
; Wed, 18 Jan 2017 13:26:01 -0500 (envelope-from
)
Message-ID:
From: "TIFFANY&Co. Online"
To:
Subject: Be the first to shop the RESORT 2017 collection.
Date: Wed, 18 Jan 2017 19:25:50 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0D59_01261893.12C92740"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538
Return-Path:
X-MS-Exchange-Organization-AuthSource: onlinew2.ourdomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: yl526.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (onlinew2.Reserves1.com: domain of
designates 54.165.172.30 as permitted sender)
receiver=onlinew2.Reserves1.com; client-ip=54.165.172.30;
helo=ec2-54-165-172-30.compute-1.amazonaws.com;
X-MS-Exchange-Organization-SCL: 4
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report:
DV:3.3.16106.867;SID:SenderIDStatus
Pass;TIME:TimeBasedFeatures;OrigIP:54.165.172.30
X-EsetId: 37303A290704736A647463

MIME-Version: 1.0

--_ecfec0ce-ea89-4bb7-a443-512d48646ae8_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

--_ecfec0ce-ea89-4bb7-a443-512d48646ae8_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJz
ZXQ9dXRmLTgiPjx0YWJsZSBjZWxsc3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjAiIHdpZHRoPSI2
NTAiIGFsaWduPSJjZW50ZXIiIGJvcmRlcj0iMCI+DQogID
...and on and on with base64...

by Bryon 1 year ago
2

Hello Bryon,

According to a quick DNSBL query (http://bit.ly/2k3wuHV), the source IP is listed on the ProtectedSky and GBUdb.com Truncate DNS Blacklists, so one approach would be making sure that ORF is checking the incoming emails against these two DNS blacklists as well. The GBUdb.com Truncate blacklist is part of the DNSBL definition file which can be downloaded (and imported into ORF) from: http://vamsoft.com/support/docs/knowledge-base/update-dnsbl-surbl

ProtectedSky's DNS Blacklist (http://psky.me/), on the other hand, should be added manually:

1. Start the ORF Administration Tool, navigate to the Blacklists > DNS Blacklists page and click New.

2. On the 'General' tab enter a shorthand identifier that should be displayed in the logs (e.g. PSKY), and the full name for the DNSBL entry (e.g. ProtectedSky).

3. On the 'Lookup' tab, enter 'bad.psky.me' for the lookup domain and mark the 'Reverse the IP address for lookups' checkbox enabled.

4. On the 'Blacklist Web' tab, enter the URL "http://psky.me/" into the first field. The second should be left blank (there is no lookup URL for this DNSBL)

5. On the 'SMTP Actions' tab add the IP 127.0.0.2 and 127.0.0.3 to the list with an appropriate SMTP response (default: "5.7.1 Mailbox unavailable. Your IP address {IP} is blacklisted using {BLACKLISTNAME}. Details: {TXTDATAORWEBLOOKUP}.")

6. Click OK, mark the new DNSBL enabled and save the ORF configuration (Ctrl + S)

In addition to the above, make sure that you have all of the recommended DNS Blacklists enabled as well:

- Spamhaus ZEN
- Hostkarma (JMF) Blacklist
- Weighted Private Block List
- Passive Spam Block List
- Mailspike Combined List
- Barracuda Reputation Block List

Please, let me know if this has helped.

by Daniel Novak (Vamsoft) 1 year ago
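The steps above describe what a DNSBL check actually does on the wire: the client IP's octets are reversed, the lookup zone is appended, and an A record in 127.0.0.0/8 (here 127.0.0.2 or 127.0.0.3) means "listed". The following Python is an added illustration of that mechanism, not code from ORF or from this thread. It uses the EC2 source IP from the sample headers, a constructed in-memory resolver so it runs offline, and the placeholder zone name `dnsbl.example` rather than any real list; a deployment would pass a real DNS resolver in place of `fake_resolve`.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed DNS answers standing in for a live resolver so the example
# runs offline.  54.165.172.30 is the EC2 source IP from the sample headers;
# 203.0.113.7 (RFC 5737 documentation range) is a constructed clean sender.
# "dnsbl.example" is a placeholder zone, not a real DNSBL.
FAKE_DNS: Dict[str, List[str]] = {
    "30.172.165.54.dnsbl.example": ["127.0.0.2", "127.0.0.3"],
}


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.

    This is the effect of ORF's 'Reverse the IP address for lookups' option.
    """
    addr = ipaddress.IPv4Address(client_ip)  # raises on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(client_ip: str, zone: str,
                 resolve: Callable[[str], List[str]]) -> List[str]:
    """Return the 127.0.0.x return codes for client_ip, or [] if not listed.

    `resolve` maps a DNS name to its A records.  Only answers inside
    127.0.0.0/8 count as a listing; anything else (for example a wildcard
    answer from an abandoned zone) is ignored rather than trusted.
    """
    answers = resolve(dnsbl_query_name(client_ip, zone))
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in answers if ipaddress.ip_address(a) in loopback]


def smtp_action(client_ip: str, zone: str, blacklist_name: str,
                resolve: Callable[[str], List[str]],
                reject_codes=("127.0.0.2", "127.0.0.3")) -> Optional[str]:
    """Mirror the 'SMTP Actions' step: reject only on the configured codes."""
    codes = dnsbl_lookup(client_ip, zone, resolve)
    if any(code in reject_codes for code in codes):
        return (f"550 5.7.1 Mailbox unavailable. Your IP address {client_ip} "
                f"is blacklisted using {blacklist_name}.")
    return None  # accept; let the remaining tests decide


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for a DNS resolver (constructed data only)."""
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("54.165.172.30", "203.0.113.7"):
        print(ip, "->", smtp_action(ip, "dnsbl.example", "EXAMPLE", fake_resolve))
```

Restricting the reject decision to explicitly configured return codes, as the 'SMTP Actions' step does, matters because many lists use different 127.0.0.x values for different categories and some return codes that should only be scored, not rejected on.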
3

@Daniel Novak (Vamsoft): Thanks for the reply

Will this by definition block amazonaws itself? We do get a number of legit emails from their servers. I guess they're pretty popular as a host. This is the first time we've received spam from their stuff, but it's an insane amount.

If this will block amazonaws completely, I'd really like to find a way to filter just this junk while not blocking them as a whole... but on the other hand, if their own support department can't do anything about it, maybe there's just no choice but to block them as a company.

by Bryon 1 year ago
(in reply to this post)

4

@Bryon: Hi Bryon,

In addition to the RBLs, here is another technique to consider, depending on your risk tolerance for false positives.

In your header I noticed Outlook Express as the sending agent. Some time ago I had a similar problem with emails from Outlook Express to Undisclosed recipients, so the regex below helped me. In your header there is no recipient declared, only "To:", so you would need to adapt the regex for that (seeking a newline character like [\r\n]). I have had no trouble with my regex, but monitor this to be sure it does what you expect.

Good luck,
Sam

Keyword Filter, Header, RegEx
(?!.*exceptthisdomain)(?=.*((To\: Undisclosed recipients\:\;|X\-Mailer\: Microsoft Outlook Express (4|5|6)).*){2,})

by Sam Russo 1 year ago
(in reply to this post)

5

@Sam Russo: I like that, I didn't know how to check headers in an ORF rule.

My tolerance says anyone using Outlook Express can be blocked on principle.

Since all of these spam emails have the exact same OE version, I'm going to try this:

keyword black, header, regex:
.*X\-Mailer\: Microsoft Outlook Express 6\.00\.2900\.5512.*

In fact I might just make that an Exchange transport rule and anything that matches, automatically redirect to
(assuming it only catches Amazon junk over the next few days)

Did a quick search of our entire email archive and didn't see any legit emails with that header, so I think we're going to be golden on this.

by Bryon 1 year ago
(in reply to this post)
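Both header rules in this thread (Sam's generic Outlook Express match and Bryon's exact-build match) come down to a regex run over the message headers, and Bryon's check of the archive before deploying is the step that keeps such a rule from turning into a self-inflicted outage. The Python below is an added example, not ORF code and not from either poster, of doing that check offline: it unfolds the headers of a few constructed messages (one reproducing the X-Mailer/X-MimeOLE lines of the sample, two invented legitimate senders, one of them on a different Outlook Express build) and reports which messages each rule would act on. The addresses are constructed placeholders; the exact-build pattern is Bryon's with the redundant `.*` on both sides dropped.

```python
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Pattern, Set

# Constructed header blocks standing in for a mail archive.  "spam-sample"
# reproduces the relevant lines of the sample in the thread (the address is
# a placeholder; the thread elides it).  The other two are invented
# legitimate messages used to measure false positives.
ARCHIVE: Dict[str, str] = {
    "spam-sample": (
        'From: "TIFFANY&Co. Online" <sender@example.invalid>\n'
        "Subject: Be the first to shop the RESORT 2017 collection.\n"
        "X-Mailer: Microsoft Outlook Express 6.00.2900.5512\n"
        "X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538\n"
        "\n"
    ),
    "legit-oe-user": (
        "From: Partner <partner@example.invalid>\n"
        "Subject: Invoice attached\n"
        "X-Mailer: Microsoft Outlook Express 6.00.2900.2180\n"
        "\n"
    ),
    "legit-modern": (
        "From: Vendor <vendor@example.invalid>\n"
        "Subject: Quarterly report\n"
        "X-Mailer: ExampleMailer/3.1\n"
        "\n"
    ),
}

# Bryon's rule: the exact Outlook Express build seen in every spam sample.
EXACT_BUILD: Pattern[str] = re.compile(
    r"^X-Mailer: Microsoft Outlook Express 6\.00\.2900\.5512$", re.MULTILINE)

# The broader "any Outlook Express 4/5/6" component of Sam's rule, kept here
# only to compare its false-positive exposure against the same archive.
ANY_OE: Pattern[str] = re.compile(
    r"^X-Mailer: Microsoft Outlook Express (4|5|6)\b", re.MULTILINE)


def header_text(raw: str) -> str:
    """Return the header block with folded lines unfolded, one header per line."""
    msg: Message = message_from_string(raw)
    return "\n".join(f"{name}: {value}" for name, value in msg.items())


def matching_messages(archive: Dict[str, str], rule: Pattern[str]) -> List[str]:
    """Names of archived messages the header rule would act on, sorted."""
    return sorted(name for name, raw in archive.items()
                  if rule.search(header_text(raw)))


def rule_report(archive: Dict[str, str], rule: Pattern[str],
                known_spam: Set[str]) -> Dict[str, List[str]]:
    """Split a rule's hits into caught spam and legitimate mail it would block."""
    hits = matching_messages(archive, rule)
    return {"caught": [h for h in hits if h in known_spam],
            "false_positives": [h for h in hits if h not in known_spam]}


if __name__ == "__main__":
    for label, rule in (("exact build", EXACT_BUILD), ("any OE 4/5/6", ANY_OE)):
        print(label, rule_report(ARCHIVE, rule, {"spam-sample"}))
```

Anchoring the pattern with `^`/`$` and `re.MULTILINE` ties it to the header line itself rather than any substring anywhere in the headers, which is the difference between "this exact sending software" and "anything that mentions Outlook Express" once a rule is pointed at thousands of real messages.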

6

@Bryon: ProtectedSky certainly won't block the entire amazonaws IP range. I would be surprised if GBUdb.com Truncate would. I suggest you enable both DNSBLs and monitor the ORF logs for a while to see if any legitimate emails are blocked.

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)

7

@Daniel Novak (Vamsoft): Perfect chance to update my dns blacklists and surbl definitions. Just re-set them up as per the suggestions in the KB

by Bryon 1 year ago
(in reply to this post)

8

After 6 hours, PSKY is blocking every single one of them... fantastic!

by Bryon 1 year ago
9

@Bryon: Nice!!

by Karen 4 months ago
(in reply to this post)

10

@Karen: Note that PSKY seems to pirate data from other well-known DNSBLs, so we do not recommend actually using it. For more on this, see: https://www.spamhaus.org/organization/statement/015/fraudulent-dnsbl-uncovered-protected-sky-bad.psky.me

by Daniel Novak (Vamsoft) 4 months ago
(in reply to this post)

11

I'm outraged that apparently one has to be a computer expert and go through all this crap just to stop being flooded with spam!! How can it be legal for amazonawes to evade responsibility for emails coming with their header? Is spam just the Wild West of the computer era?

by Richard Hoff 1 week ago
12

@Richard Hoff: It's a fine balancing act between amazon taking money for their service and also protecting their reputation...

But, if you're installing and configuring ORF on an email server, then yes you kind of do need to be a computer expert and go thru all of this crap...

On the other hand, if we as engineers could just get rid of the end users, our problems would be so much easier

by Bryon 1 week ago
(in reply to this post)

13

@Bryon: So you are saying that amazon makes money from this spam? But how can it be legal for them to flood your email with spam without giving you any choice to stop it? Each individual ad they send gives you that choice. Any organization that emails me gives me the option at the bottom of the email to stop any further emails. I have always presumed that this was the law, or why would they do it? So how can amazon somehow be excepted from this law?

by Richard Hoff 1 week ago
(in reply to this post)

14

Hi,

Amazon is a service provider. In this case they provide the infrastructure any paying customer can use to provide their own services. Some get hacked or similar. I doubt that criminals themselves rent virtual services in their names (but who knows). So yes, Amazon (and any other infrastructure provider like MS Azure) is getting money, and yes, spammers use this infrastructure. So providing the street to the bank doesn't mean the street worker is responsible for the bank robbery just because the getaway car is standing on this same street.

Regards
Norbert

by NorbertFe 6 days ago
15

Thank you so much, Norbert, for taking the trouble to educate me--clearly a non-techy--on this matter!

But it seems to me that the problem with your metaphor is that in this case Amazon, the "street provider" (Internet access) to the "bank" (my hopefully lucrative inbox) is getting PAID by the "robbers" (intrusive invaders) of my "bank" inbox. Amazon is being paid by the drivers of the getaway car for easy access to my lucrative inbox, knowing full well what they intend to do! So my bank is being flooded every day with invasions by numerous privacy robbers, who each take a share of my invaluable time and attention before I tell them never to darken my door again. And they couldn't do it without Amazon.

Again, I maintain that since each of these individual "robbers" is legally required to never enter my inbox again if I tell them to by "unsubscribing", Amazon--the "street provider" who the robbers have to pay in order to gain access to my bank--should also be legally required to have my permission to allow their endless flock of attention robbers to enter my inbox. I should have the legal right to tell Amazon to stop sending these ads! I should be able to unsubscribe from amazonawes. Why should amazonawes be exempted from the rules every other organization has to obey?

by Richard Hoff 3 days ago
16

@Richard Hoff: Think about it like this... if those bank robbers chose to pay $1.00 to drive on a toll road to get to the bank, because it's easier and what's $1.00 matter when you're about to make a lot more....

Does the toll commission have any responsibility here?

Sure, their cameras might be able to look into the car and see the ski masks, but that's 1 in a billion cars... and they're not legally obligated to look in each car (Amazon analyzing traffic).

Now let's say you come along and notice [this] license plate robs banks every day and you follow them, onto the toll road... then you complain to the toll commission to stop them. Yes, they need to stop them... and they do. Then the robbers get a new rental car and the cycle begins again (like they get a new source ip address and fake business name)

There are actually laws on the books similar to this... like if I post some absurdly abusive false comment about a person or company on THIS forum, Vamsoft certainly can't get in trouble. Sure, they can delete it, but they're not in trouble.

by Bryon 3 days ago
(in reply to this post)

17

@Richard Hoff: Hi Richard,

That's often the problem with metaphors between cars/physical things and the nonphysical things in IT. ;)
"I should have the legal right to tell Amazon to stop sending these ads! I should be able to unsubscribe from amazonawes. Why should amazonawes be exempted from the rules every other organization has to obey?"

You do have the legal right to tell them. But I doubt that this will help you at all. If it was that easy no one would need software like Vamsoft's ORF. And... you can't tell if Amazon is actually paid by the "robbers", because they could easily use a hacked account from legitimate customers.

Regards
Norbert

by NorbertFe 2 days ago
(in reply to this post)

18

OY! Well, last week I put all this rational legalistic tap-dancing and metaphor wielding aside and simply sent amazonawes an email requesting that they cease sending me any further emails. So far I have received none. We shall see...

--Richard

by Richard Hoff 1 day ago
