How to block this Amazon AWS spam, what can I key off of?

1

So since just before Christmas, we've been receiving a HUGE amount of spam advertising counterfeit high-end brand products (Tiffany, Coach, Pandora, etc.).

Each SMTP envelope-from address is obviously different each time, but it's a new and legit domain each time, which even has a valid SPF record allowing the Amazon AWS servers to send from that domain.

The body is completely base64, so I can't key off of any image sources, body text or anything.

There are two X headers that are always the same:
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538

I've contacted Amazon AWS support () and they said to forward samples with headers. So I did, 180 of them by hand, individually. Each one generated a new support ticket, which was promptly closed as "We've determined that an amazon EC2 instance was running at the IP address you provided in your report...we'll investigate..."

But nothing changes, the spam keeps coming in. I don't think amazonaws support cares, because someone's paying for the ability to send this spam.

I'm half tempted to just block all of amazonaws, and if any legit sender complains I'll tell them to contact amazonaws support... but that's just a grudge and won't really solve it.

So what can i do?

Original headers of one sample:

Received: from ec2-54-165-172-30.compute-1.amazonaws.com (54.165.172.30) by
onlinew2.ourdomain.com (172.16.1.70) with Microsoft SMTP Server id
14.3.319.2; Wed, 18 Jan 2017 15:16:19 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=yl526.com;
h=Message-ID:From:To:Subject:Date:Mime-Version:Content-Type; i=;
bh=9BpzCOoBB/On9epUtrSrLlZtEbk=;
b=ACWfCrRROrjh0yUgC4XT+yIZwQTy4xs9hiuwdFrdQLyg2KDd3MAE6DVKoMstfaIvXtoR75rXGqyS
AWsytNL2CIy+cKoWCTNns/8Lvc0Ydvxab1yd2AMlVl+/uP36lLr/IMzQQ+hCN1fK7r5j2mtucWnA
AeOp9Grf8HcMtTHiVlk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=key; d=yl526.com;
b=Wo1tkrdhnbGbl685d2+dh8rz3vPTemSysik7djlNmplaeMJY4TBdOFqMJ9SDGfmbEvXsSY4AdpYL
xP7lx4aiXQ7vmlfgcHouprQAOGYS1nqbiM9mDmQuHWIVvjc2bqwE7dICQVuKrDZLAKtfPTHtkYPQ
jFHdjEYC2nZeSB4xzVY=;
Received: from lxacepcu (91.121.113.108) by
ec2-54-165-172-30.compute-1.amazonaws.com id hfv6h80e97ge for
; Wed, 18 Jan 2017 13:26:01 -0500 (envelope-from
)
Message-ID:
From: "TIFFANY&Co. Online"
To:
Subject: Be the first to shop the RESORT 2017 collection.
Date: Wed, 18 Jan 2017 19:25:50 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0D59_01261893.12C92740"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538
Return-Path:
X-MS-Exchange-Organization-AuthSource: onlinew2.ourdomain.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: yl526.com
X-MS-Exchange-Organization-SenderIdResult: Pass
Received-SPF: Pass (onlinew2.Reserves1.com: domain of
designates 54.165.172.30 as permitted sender)
receiver=onlinew2.Reserves1.com; client-ip=54.165.172.30;
helo=ec2-54-165-172-30.compute-1.amazonaws.com;
X-MS-Exchange-Organization-SCL: 4
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report:
DV:3.3.16106.867;SID:SenderIDStatus
Pass;TIME:TimeBasedFeatures;OrigIP:54.165.172.30
X-EsetId: 37303A290704736A647463

MIME-Version: 1.0

--_ecfec0ce-ea89-4bb7-a443-512d48646ae8_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_ecfec0ce-ea89-4bb7-a443-512d48646ae8_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

PG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJz
ZXQ9dXRmLTgiPjx0YWJsZSBjZWxsc3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjAiIHdpZHRoPSI2
NTAiIGFsaWduPSJjZW50ZXIiIGJvcmRlcj0iMCI+DQogID
...and on and on with base64...

by Bryon 1 year ago
2

Hello Bryon,

According to a quick DNSBL query (http://bit.ly/2k3wuHV), the source IP is listed on the ProtectedSky and GBUdb.com Truncate DNS Blacklists, so one approach would be making sure that ORF is checking the incoming emails against these two DNS blacklists as well. The GBUdb.com Truncate blacklist is part of the DNSBL definition file which can be downloaded (and imported into ORF) from: http://vamsoft.com/support/docs/knowledge-base/update-dnsbl-surbl

ProtectedSky's DNS Blacklist (http://psky.me/), on the other hand, should be added manually:

1. Start the ORF Administration Tool, navigate to the Blacklists > DNS Blacklists page and click New.

2. On the 'General' tab enter a shorthand identifier that should be displayed in the logs (e.g. PSKY), and the full name for the DNSBL entry (e.g. ProtectedSky).

3. On the 'Lookup' tab, enter 'bad.psky.me' for the lookup domain and mark the 'Reverse the IP address for lookups' checkbox enabled.

4. On the 'Blacklist Web' tab, enter the URL "http://psky.me/" into the first field. The second should be left blank (there is no lookup URL for this DNSBL).

5. On the 'SMTP Actions' tab add the IP 127.0.0.2 and 127.0.0.3 to the list with an appropriate SMTP response (default: "5.7.1 Mailbox unavailable. Your IP address {IP} is blacklisted using {BLACKLISTNAME}. Details: {TXTDATAORWEBLOOKUP}.")

6. Click OK, mark the new DNSBL enabled and save the ORF configuration (Ctrl + S).

In addition to the above, make sure that you have all of the recommended DNS Blacklists enabled as well:

- Spamhaus ZEN
- Hostkarma (JMF) Blacklist
- Weighted Private Block List
- Passive Spam Block List
- Mailspike Combined List
- Barracuda Reputation Block List

Please, let me know if this has helped.

by Daniel Novak (Vamsoft) 1 year ago
3

@Daniel Novak (Vamsoft): Thanks for the reply

Will this by definition block amazonaws itself? We do get a number of legit emails from their servers; I guess they're pretty popular as a host. This is the first time we've received spam from their stuff, but it's an insane amount.

If this will block amazonaws completely, I'd really like to find a way to filter just this junk while not blocking them as a whole... but on the other hand, if their own support department can't do anything about it, maybe there's just no choice but to block them as a company.

by Bryon 1 year ago
(in reply to this post)

4

@Bryon: Hi Bryon,

In addition to the RBLs, here is another technique to consider, depending on your risk tolerance for false positives.

In your header I noticed Outlook Express as the sending agent. Some time ago I had a similar problem with emails from Outlook Express to "Undisclosed recipients", so the regex below helped me. In your header there is no recipient declared, only "To:", so you would need to adapt the regex for that (seeking a newline character like [\r\n]). I have had no trouble with my regex, but monitor this to be sure it does what you expect.

Good luck,
Sam

Keyword Filter, Header, RegEx
(?!.*exceptthisdomain)(?=.*((To\: Undisclosed recipients\:\;|X\-Mailer\: Microsoft Outlook Express (4|5|6)).*){2,})

by Sam Russo 1 year ago
(in reply to this post)

5

@Sam Russo: I like that, I didn't know how to check headers in an ORF rule.

My tolerance says anyone using Outlook Express can be blocked on principle.

Since all of these spam emails have the exact same OE version, I'm going to try this:

keyword black, header, regex:
.*X\-Mailer\: Microsoft Outlook Express 6\.00\.2900\.5512.*

In fact I might just make that an Exchange transport rule and anything that matches, automatically redirect to
(assuming it only catches Amazon junk over the next few days)

Did a quick search of our entire email archive and didn't see any legit emails with that header, so I think we're going to be golden on this.

by Bryon 1 year ago
(in reply to this post)
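The two checks this thread converges on (the reversed-octet DNSBL lookup with the listing codes from steps 3 and 5 of post 2, and the X-Mailer rule from post 5), reproduced outside ORF as an added example; this is not ORF's code or anything posted above. The sample headers are trimmed from the ones quoted in the thread with a constructed sender address, the DNS resolver is injected so it runs offline, and "dnsbl.example" is a placeholder zone.

```python
import re
import ipaddress
from email.parser import HeaderParser

# Constructed sample: trimmed from the headers quoted in the thread, with a
# placeholder sender address where the original had been stripped.
SAMPLE_HEADERS = """\
Received: from ec2-54-165-172-30.compute-1.amazonaws.com (54.165.172.30) by
 onlinew2.ourdomain.com (172.16.1.70) with Microsoft SMTP Server id
 14.3.319.2; Wed, 18 Jan 2017 15:16:19 -0500
From: "TIFFANY&Co. Online" <sender@example.invalid>
Subject: Be the first to shop the RESORT 2017 collection.
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.3.9600.18538
"""

# The exact-version rule from post 5. X-Mailer is sender-supplied and trivially
# forgeable, so treat it as a cheap first filter, not a replacement for DNSBLs.
OE_RULE = re.compile(r"X-Mailer: Microsoft Outlook Express 6\.00\.2900\.5512")

def connecting_ip(raw_headers: str) -> str:
    """Client IP from the topmost Received header, i.e. our own MX's view.
    Only that line is trustworthy; lower Received lines are sender-supplied."""
    received = HeaderParser().parsestr(raw_headers).get_all("Received")[0]
    m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", received)
    return str(ipaddress.IPv4Address(m.group(1)))  # rejects malformed octets

def dnsbl_name(ip: str, zone: str) -> str:
    """Reversed-octet lookup name, what ORF's 'Reverse the IP address' option builds."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip: str, zone: str, resolve, listed_codes=("127.0.0.2", "127.0.0.3")) -> bool:
    """resolve(name) returns the A records for name, or [] on NXDOMAIN.
    Only the codes configured on the 'SMTP Actions' tab count as a listing."""
    return any(a in listed_codes for a in resolve(dnsbl_name(ip, zone)))

def mailer_matches(raw_headers: str) -> bool:
    """True when X-Mailer carries the exact OE build seen in every sample."""
    xm = HeaderParser().parsestr(raw_headers).get("X-Mailer", "")
    return OE_RULE.search("X-Mailer: " + xm) is not None

def fake_resolver(name: str):
    """Stand-in for DNS so the example runs offline: lists only the sample IP."""
    return ["127.0.0.2"] if name == "30.172.165.54.dnsbl.example" else []
```

Swap `fake_resolver` for a real lookup (e.g. `socket.gethostbyname_ex`) to query a production zone; a return code outside `listed_codes` is deliberately treated as not listed, which is how step 5 behaves in ORF.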

6

@Bryon: ProtectedSky certainly won't block the entire amazonaws IP range. I would be surprised if GBUdb.com Truncate would. I suggest you enable both DNSBLs and monitor the ORF logs for a while to see if any legitimate emails are blocked.

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)

7

@Daniel Novak (Vamsoft): Perfect chance to update my dns blacklists and surbl definitions. Just re-set them up as per the suggestions in the KB

by Bryon 1 year ago
(in reply to this post)

8

After 6 hours, PSKY is blocking every single one of them... fantastic!

by Bryon 1 year ago
9

@Bryon: Nice!!

by Karen 4 weeks ago
(in reply to this post)

10

@Karen: Note that PSKY seems to pirate data from other well-known DNSBLs, so we do not recommend actually using it. For more on this, see: https://www.spamhaus.org/organization/statement/015/fraudulent-dnsbl-uncovered-protected-sky-bad.psky.me

by Daniel Novak (Vamsoft) 4 weeks ago
(in reply to this post)
