home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link   

The manner of transmission is a bit different (via infected third-party computers and their e-mail address books), as is the senders’ objective (political persuasion rather than swindling), but this is spam nevertheless — it was delivered in bulk and I didn’t solicit it (rule #2, doncha know).

From hidden Tue May 17 18:15:59 2005
Received: from fffha.com ([172.18.12.131])
   by vms050.mailsrvcs.net (Sun Java System Messaging Server 6.2    HotFix 0.04 (built Dec 24 2004)) with ESMTP id
   <0IGN00DQYCECEJG0@vms050.mailsrvcs.net>
   for hidden; Tue, 17 May 2005 13:23:00 -0500 (CDT)
Received: from fffha.com (66.156.32.186)
   by sv3pub.verizon.net (MailPass SMTP server v1.2.0 -
   013105113116JY+PrW)
   with SMTP id <3-752-201-752-200069-1-1116354180> for
   vms050pub.verizon.net; Tue, 17 May 2005 13:23:00 -0500
Date: Tue, 17 May 2005 18:20:49 +0000 (UTC)
From: hidden
Subject: Graeberschaendung auf bundesdeutsche Anordnung
To: hidden
Message-id: <c340ac75.cd4cdfcb@yahoo.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)


Lese selbst:
http://www.die-kommenden.net/dk/zeitgeschichte/graeberschaendung.htm

This spam is part of a wave that broke out in the spring of 2005, apparently initiated by Germans intent on spreading right-wing political spin and anti-foreigner propaganda on the eve of an election in the German province of North Rhine Westphalia. The perps may have intended to restrict circulation to Germany (as was the case with an earlier outbreak with the same modus operandi), but in fact it ended up breaking out and going all over the world; I received more than a dozen myself (and was falsely implicated as the sender of at least three others) before the attack subsided shrotly after the election.

Many have called these perps “neo-Nazis” although I don’t find the labeling particularly useful. Let’s just say that their opinions are a couple of standard deviations off the mean. The messages urged you without comment to visit various web links (some to respected German periodicals like Der Spiegel) to read stories about dirty, primitive, violent, welfare-cheating foreigners and the heavy-handed government that suppresses the rights of “native” Germans in favor of these same foreigners. There are also references to long-bandied rumors of Allied murder of German POWs after the war (as in this message), and complaints about the erection in Berlin of a memorial to the mass-murder of Jews during World War II. These guys have to tread carefully, however, since German law makes certain kinds of speech illegal (e.g., defaming Jews or other racial groups, denying the holocaust).

Like most folks who hold such extremist views, these people have decided that it is imperative to spread them to the masses. In the past, traditional means of publicity were pretty much unavailable to this sort, so they had to rely on graffiti, illegal bill-sticking, and other forms of anonymous “street spam.” Now that the internet is here, they have a new venue for their schtick. In this case, the perpetrators apparently modified a “mass-mailing worm” called (by Symantec malware investigators) W32.Sober.O@mm. When the worm-laden mail is received and its attachment opened by a naive or careless user, the worm installs itself and sends out mail both to replicate itself to other computers, and to spread the eh, good word to potential converts.

You can read the Symantec page linked above to find out more about the worm, but here’s a summary of what is going on:

1. Naive or careless user receives mail with Sober worm in payload (typically as an attached .zip archive) and opens the payload.
2. Worm installs itself and scans the user’s system for files containing e-mail addresses (such as the address book of the user’s e-mail program).
3. Worm will use its own built-in SMTP agent to send itself (via infected e-mail) to some or all of these addresses in order to replicate itself (and create more platforms for sending mail), and will also send uninfected mass-mailings (like that shown here) to distribute the Truth that will Make You Free (“Wahrheit macht frei!”).

Since the worm has its own self-contained direct-to-MX-capable SMTP agent, it can send out all this mail without going through any of the victim’s ISP mail hosts and without leaving any traces on the victim’s system; this makes it pretty difficult to trace the mail back to the ultimate originators on the basis of any single message. The worm even appears to be smart enough not to mail itself to any addresses that might hasten its detection and eradication (e.g., addresses like “admin@foo.bar” that look like those belonging to system administrators).

In this manner, the mail will propagate more-or-less geometrically from one vulnerable machine to others, and the political messages will go out to all the correspondents of the users of these machines. While it is clever and untraceable, this method might be a bit too inefficient and limited in scope for your average drugz-mortgage-warez spammers:

• It probably won’t reach as many eyeballs as a good traditional spam run;
• It might take a few days to propagate, time that normal spammers can ill afford — they may lose their web services before most suckers get to read the mail.

However, our German friends here (like pump-and-dump spammers) are just interested in publishing their stuff, and not in getting any direct responses to their messages; so, this method probably fits the bill. Leaving aside the time and resources required to develop or adapt the Sober worm, this method is also nearly free of cost, since the perps only have to “seed” the message to an initial handful of addresses to get the thing going.

For the record, this message came to me from a machine at 66.156.32.186 (a BellSouth DSL line somewhere in the Southeastern U.S.). There isn’t much more to be learned. The From-address is not trustworthy, of course, since it was undoubtedly planted by the worm. The web link given in the message points to a German political website, which prudently replaced the article with a “gateway page” bearing a disclaimer and an explanation (in German and English) of this mail trick.

Josef-Job: As is typical for this sort of worm, Sober used one of the e-mail addresses it collected (in step #2 above) as the from-address for each message. This means that if the infected user had you as an e-mail correspondent at some time in the past, you might not only have gotten these mails, but chances were pretty good that you might have shown up as the sender of such a mail (and you might have gotten bounce messages or worse). This amounts to what is known as a “Joe Job” (or perhaps “Josef-job” in this case), an attempt to place blame for the spam on innocent parties.

If you get an automatic bounce message for any message you didn’t send, you can safely ignore it. If you get some sort of irate personal response, it is up to you as to whether you should reply and explain your innocence, but sllence may be the better part of wisdom here — I’ve found that the kind of people who rush to send these complaints do not understand how e-mail works (and how it can be perverted), and furthermore may not believe you. In the unlikely event that they elevate their complaint to your ISP, you’ll generally have no trouble explaining that you’ve been Joe-jobbed, even if you don’t have the specific message in hand.

home | legal stuff | glossary | blog | search

 Legend:  new window    outside link    tools page  glossary link