About four months ago some new colleagues in the security business arrived in our Dublin office. They are part of Microsoft Anti-spam team and it is our pleasure to have them here :)

The Dublin Spam team recently told us that almost every week, Microsoft Forefront Online Security for Exchange is filtering a whopping 13 billion spam messages. Most of them (around 95%) are automatically blocked because they are sent from computers listed in blacklists.

Date

Total number of messages

Non-spam messages

Spam messages

Mar 2 – Mar 8

14,573,035,329

305,930,377

14,267,104,952

Mar 9 – Mar 15

13,407,338,885

316,179,479

13,091,159,406

Mar 16 – Mar 22

12,946,498,410

308,336,934

12,638,161,476

Mar 23 – Mar 29

13,505,537,445

307,332,413

13,198,205,032

Mar 30 – Apr 5

14,928,945,154

316,407,069

14,612,538,085

Apr 6 – Apr 12

13,389,657,751

291,404,668

13,098,253,083

From the remaining messages that are coming from computers not listed in a blacklist of known spammers, another 30% are flagged as spam by various filters and rules.

That’s a staggering amount– one in three messages that is sent to you from supposedly clean systems is spam, but thanks to the work done by the Anti-spam team, it doesn’t clog your inbox.

Now, probably you remember (or not) our blog entries about our honeypot (part1 and part2). We’ve also installed a fake open-relay mail server and today we’re going to show you some of the things that we’ve received.

In the past few months our honeypot received probes from more than 60 independent computers that are used by various automated systems to actively search for badly configured mail servers.

Spammers are always on the lookout for expanding their capabilities to send spam messages, maybe contracting bot-herders that control a number of infected machines capable of sending massive amount of spam for their campaign.

Now, a server won’t be added so easily to the spammer’s network. Probe e-mails are sent a couple of times to check the viability of the target mail server (for example, to ensure that the target mail server is active and has not been reconfigured). The probe e-mails we’ve received usually have the following format:

Sender:  <random e-mail address>
Receiver:  <e-mail address monitored by the spammer>

For easier verification, the subject usually contains a way to identify the scanned computer, for example:

Subject: BC_<IP address>

Or

Subject: Super webscan open relay check succeded, hostname = <IP address>

Country/Region

No. of Probe

e-mail templates

Taiwan

116

Russia

5

United States

3

European Union

1

Another interesting thing is that spammers are also using various free web mail services in their probes.

After a short check of these IPs we found just a few of them listed in our database as known spam senders. Of course some of those that aren’t listed belong to various web mail services, but the others are probably part of a botnet/spam network and are used only for various scans (possibly for “reconnaissance” attempts) and not for sending spam.

Using an open relay mail server is an integral part of the spam campaign. A spam message can try to sell you an untrustworthy product, but more seriously it can lead to a phishing scam, or might contain links that point to malicious files.

To make sure that your Microsoft Exchange Server is not configured as an open mail relay, you can read Microsoft KB Article 895853.

With our efforts combined, Microsoft’s Anti-malware and Anti-spam teams are actively working on mitigating these attacks.

Special Thanks to Kai Yu from the Dublin Anti-spam Team, and Andrei Florin Saygo and Jireh Sanico from the Dublin Anti-malware Team!

- MMPC Dublin
- Dublin Anti-spam Team