Undelivered mail returned to sender
Tuesday, 29 August 2006
The clever little spammers must be desperate. Lately they’ve been using the old “undelivered mail returned to sender” as the mail subject, in order to get our attention.
A seemingly natural progression from the even dumber tactic of starting a spam message with “re: ” or “fwd: ”, this one uses the “forged headers” technique to trick you into thinking that an email you sent to somebody could not be delivered. The theory is that you’ll see this in your inbox and open it to see which one of your messages failed to be delivered. Instead of your original message attached to the notice, you’ll get the latest “fantastic offer”, including stuff to make you more attractive to members of either sex, stuff to make you perform better in the bedroom and stuff to make you really rich.
Here are the headers from a recent one which promises that we’ll “smile our anxious away”, whatever the hell that’s supposed to mean:
Return-Path: <>
X-Original-To: xxx@lutrov.com
Delivered-To: xxx@lutrov.com
Received: by pearl.solvol.net.au (Postfix)
id 423D532C04C; Tue, 22 Aug 2006 18:36:21 +1000 (EST)
Date: Tue, 22 Aug 2006 18:36:21 +1000 (EST)
From: MAILER-DAEMON@pearl.solvol.net.au (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: xxx@lutrov.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="2CD5A32C041.1156235781/pearl.solvol.net.au"
Message-Id: <20060822083621.423D532C04C@pearl.solvol.net.au>
This is a MIME-encapsulated message.
--2CD5A32C041.1156235781/pearl.solvol.net.au
Content-Description: Notification
Content-Type: text/plain
This is the Postfix program at host pearl.solvol.net.au.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to <postmaster>. If you do so, please include this problem report. You can delete your own text from the attached returned message.
The Postfix program
<xxx@lutrov.com>: host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message content rejected, UBE, id=02475-05 (in reply to end of DATA command)
--2CD5A32C041.1156235781/pearl.solvol.net.au
Content-Description: Delivery report
Content-Type: message/delivery-status
Reporting-MTA: dns; pearl.solvol.net.au
X-Postfix-Queue-ID: 2CD5A32C041
X-Postfix-Sender: rfc822; xxx@lutrov.com
Arrival-Date: Tue, 22 Aug 2006 18:36:14 +1000 (EST)
Final-Recipient: rfc822; xxx@lutrov.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 Message
content rejected, UBE, id=02475-05 (in reply to end of DATA command)
--2CD5A32C041.1156235781/pearl.solvol.net.au
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from 195.174.118.116 (unknown [195.174.118.116]) by pearl.solvol.net.au (Postfix) with ESMTP id 2CD5A32C041 for <xxx@lutrov.com>; Tue, 22 Aug 2006 18:36:14 +1000 (EST)
Received: from gateway.skipstone.com (gateway.skipstone.com [64.218.174.34]) by 195.174.118.116 (Qmailv1) with ESMTP id UFKNGTM7HPB for <xxx@lutrov.com>; Tue, 22 Aug 2006 11:39:18 +0200
Received: from 64.218.174.37 ([scorpiopartnership.com]:5049 "EHLO scorpiopartnership.com" smtp-auth: "skkcbfu" TLS-CIPHER: <none> TLS-PEER-CN1: <none>) by gateway.skipstone.com with ESMTP id nFUh-k1WH-IS (ORCPT <rfc822;skkcbfu@scorpiopartnership.com>); Tue, 22 Aug 2006 09:44:29 +0100
Date: Tue, 22 Aug 2006 09:44:29 +0100
From: "Allen Perrel" <skkcbfu@scorpiopartnership.com>
X-Mailer: The Bat! (v2.12.00) Personal
X-Priority: 3
Message-ID: <52021725228.2006082209442988505464@scorpiopartnership.com>
To: xxx@lutrov.com
Subject: Smile your anxious away
MIME-Version: 1.0
Content-Type: multipart/alternative;
Like the “re: ” and “fwd: ” trick, this one is particularly stupid, for at least six reasons we know of. Here’s why their latest scam will never make it into our inboxes:
- The “X-Virus-Scanned” header is missing from the failure notice. A real failure notice carries this header, because it shows that the notice was generated outside our network.
- The “Final-Recipient” in the original message wouldn’t be the same person as the one who sent it, would it?
- The “Diagnostic-Code” in the original message (host) can’t be 127.0.0.1 because that’s a local address.
- The “Received” in the original message (for) can’t be the same person as the one who sent it, can it?
- The “From” in the original message (username) is dodgy, as it consists mostly of consonants. Real usernames are rarely as meaningless as “skkcbfu”, no matter what domain they’re from.
- The “X-Mailer” in the original message is “The Bat”, a well-known and much-despised spamming agent.
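As an added example (not code from the post), here is a Python check that parses a multipart/report bounce with the standard email module and reports which of the six tells above fire. The sample bounce is constructed from the headers quoted earlier, and the tell names and the “mostly consonants” threshold (fewer than one vowel per four letters) are assumptions of this example.

```python
import re
from email import message_from_string
# Constructed sample, cut down from the bounce quoted in the post (most headers and bodies dropped).
BOUNCE = """\
From: MAILER-DAEMON@pearl.solvol.net.au (Mail Delivery System)
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

This is the Postfix program at host pearl.solvol.net.au.
--B
Content-Type: message/delivery-status

Reporting-MTA: dns; pearl.solvol.net.au
X-Postfix-Sender: rfc822; xxx@lutrov.com

Final-Recipient: rfc822; xxx@lutrov.com
Diagnostic-Code: X-Postfix; host 127.0.0.1[127.0.0.1] said: 550 5.7.1 UBE

--B
Content-Type: message/rfc822

Received: from 195.174.118.116 (unknown [195.174.118.116]) by pearl.solvol.net.au (Postfix) with ESMTP id 2CD5A32C041 for <xxx@lutrov.com>; Tue, 22 Aug 2006 18:36:14 +1000
From: "Allen Perrel" <skkcbfu@scorpiopartnership.com>
X-Mailer: The Bat! (v2.12.00) Personal

(offer text)
--B--
"""

def bounce_tells(raw):
    """Return which of the post's six tells fire on a multipart/report bounce."""
    msg = message_from_string(raw)
    _notice, dsn_part, wrapped = msg.get_payload()
    dsn = dsn_part.get_payload()  # list of header blocks: per-message, then per-recipient
    sender = dsn[0]["X-Postfix-Sender"].split(";")[-1].strip().lower()
    final = dsn[1]["Final-Recipient"].split(";")[-1].strip().lower()
    original = wrapped.get_payload()[0]  # the embedded message/rfc822
    local = re.search(r"([^@<\s]+)@", original["From"] or "").group(1)
    received_for = re.findall(r"for <([^>]+)>", " ".join(original.get_all("Received", [])))
    tells = {
        "no-x-virus-scanned": "X-Virus-Scanned" not in msg,
        "final-recipient-is-sender": final == sender,
        "loopback-diagnostic-host": "127.0.0.1" in (dsn[1]["Diagnostic-Code"] or ""),
        "received-for-is-sender": sender in [a.lower() for a in received_for],
        "consonant-heavy-username": sum(c in "aeiou" for c in local.lower()) * 4 < len(local),
        "x-mailer-the-bat": "the bat" in (original["X-Mailer"] or "").lower(),
    }
    return [name for name, hit in tells.items() if hit]
```

Running bounce_tells(BOUNCE) on the sample fires all six tells; changing the X-Postfix-Sender to another address clears the two sender-based ones.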
The clever little spammers must be desperate. Now they’re trying to outwit that small percentage of the human population which is even dumber than they are.