October 22, 2009

Will the stupidity ever end?

Today, I found this in our quarantine.

Return-Path: oct200921@q3tech.net
Received: from q3email.securesites.net (q3email.securesites.net [168.143.5.77])
        by tabasco.hesketh.com (8.14.1/8.14.1/20080606) with ESMTP id
        n9MDXAFr005510 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256
        verify=NO) for <ELIDED>; Thu, 22 Oct 2009 09:33:28 -0400
Received: from Q3GN0038 (del-static-174-68-7-210.direct.net.in [210.7.68.174]
        (may be forged)) by q3email.securesites.net (8.13.6.20060614/8.13.6)
        with SMTP id n9MDDISh055841 for <ELIDED>; Thu, 22 Oct 2009
        13:33:10 GMT
From: Feroz Zaidi <feroz@q3tech.net>

So, an entity calling itself "securesites.net", located in Colorado, accepted mail from a host in India, probably New Delhi, that HELO'd with an unqualified hostname (something we stopped accepting back in 2003, when rejecting it turned out to be an easy way to stop MyDoom), from a host whose name does not resolve to its IP, without any evidence of SMTP authentication, sending from a customer's domain (check out the whois for q3tech.net and q3tech.com) to a third party (us).

The sender's MAIL FROM address, which is built from the date, is obviously designed to let them throw the address away once the spam run is over, or to tell the bounces from one spam run apart from those of the next.
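The checks described above can be scripted against a quarantined message's headers. This is an added example, not code from the original post: it parses Sendmail-style Received lines, flags the submission hop for an unqualified HELO, the "(may be forged)" rDNS annotation, a forward-DNS mismatch and missing AUTH evidence, and spots a date-coded Return-Path. The forward-DNS table is an offline stand-in (assumed values) for a real lookup.

```python
import re

# Constructed sample: the Return-Path and the two Received headers from the
# quarantined message, with folded lines joined and the recipient elided.
SAMPLE_HEADERS = """\
Return-Path: oct200921@q3tech.net
Received: from q3email.securesites.net (q3email.securesites.net [168.143.5.77]) by tabasco.hesketh.com (8.14.1/8.14.1/20080606) with ESMTP id n9MDXAFr005510 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ELIDED>; Thu, 22 Oct 2009 09:33:28 -0400
Received: from Q3GN0038 (del-static-174-68-7-210.direct.net.in [210.7.68.174] (may be forged)) by q3email.securesites.net (8.13.6.20060614/8.13.6) with SMTP id n9MDDISh055841 for <ELIDED>; Thu, 22 Oct 2009 13:33:10 GMT
"""

# Sendmail-style clause: "from HELO (rdns-name [ip] ...optional notes...)".
RECEIVED_RE = re.compile(r"from (\S+) \((\S+) \[([\d.]+)\]([^)]*)\)")

# Offline stand-in for a forward DNS lookup of the rDNS name (assumed values).
# The Indian host's name is deliberately absent: it does not resolve to its IP.
FORWARD_DNS = {"q3email.securesites.net": "168.143.5.77"}

def parse_received(headers):
    """Return one dict per Received header, in the order they appear
    (first line = last hop, last line = original submission hop)."""
    hops = []
    for line in headers.splitlines():
        if not line.startswith("Received:"):
            continue
        m = RECEIVED_RE.search(line)
        if m:
            helo, rdns, ip, notes = m.groups()
            hops.append({"helo": helo, "rdns": rdns, "ip": ip,
                         "forged": "may be forged" in notes,
                         # Sendmail notes "(authenticated ...)" for SMTP AUTH
                         "authed": "authenticated" in line.lower()})
    return hops

def flag_submission_hop(hops):
    """Apply the post's indicators to the earliest (submission) hop."""
    hop = hops[-1]
    flags = []
    if "." not in hop["helo"]:
        flags.append("unqualified HELO")
    if hop["forged"]:
        flags.append("rDNS marked 'may be forged'")
    if FORWARD_DNS.get(hop["rdns"]) != hop["ip"]:
        flags.append("rDNS name does not resolve to IP")
    if not hop["authed"]:
        flags.append("no SMTP AUTH evidence")
    return flags

def return_path_is_dated(headers):
    """True when the Return-Path local part starts like 'oct2009...'."""
    m = re.search(r"^Return-Path:\s*<?([^@>\s]+)@", headers, re.M)
    return bool(m and re.match(r"^[a-z]{3}\d{4}", m.group(1)))
```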

Now, it could be that Q3 Technologies (if you're at the Javits Center in NYC for Global Sourcing Forum + Expo and want to buttonhole them about why they're spamming CEOs of Web development companies, be my guest) hired someone in India to send this invite on their behalf (the clickthrough tracking links all point to 210.7.68.174:81, a non-standard HTTP port on an IP in New Delhi), and that "securesites.net" has its mail servers set up to relay for anyone sending from an address in a certain set of domains. But is that at all wise? I don't think so.

The clincher here is that Q3 Technologies is a customer, making "securesites.net" complicit in the spam run, never mind their poor security otherwise. Whether it is CAN-SPAM compliant or not, these jokers are allowing the insecure relay of UCE via their mail systems, and in obvious ignorance of longstanding practice.

What makes this even more suspicious is that while they allowed relaying for <feroz@q3tech.net> from that IP in India, they disallow it from my server:

$ telnet 168.143.5.77 25
Trying 168.143.5.77...
Connected to 168.143.5.77.
Escape character is '^]'.
220 q3email.securesites.net ESMTP Sendmail 8.13.6.20060614/8.13.6; Thu, 22 Oct 2009 16:18:18 GMT
HELO tabasco.hesketh.com
250 q3email.securesites.net Hello smtp.hesketh.com [96.10.13.100], pleased to meet you
MAIL FROM: <feroz@q3tech.net>
250 2.1.0 <feroz@q3tech.net>... Sender ok
RCPT TO: <schampeo@hesketh.com>
550 5.7.1 <schampeo@hesketh.com>... Relaying denied. Proper authentication required.
QUIT
221 2.0.0 q3email.securesites.net closing connection
Connection closed by foreign host.

It's possible that they've already seen so many complaints that they've shut down this spammer, or tightened up their configuration. More likely, they've whitelisted mail from the IP in India for the express purpose of letting them send mail via their systems. One day, I hope, I won't see any more of this nonsense.

Posted by schampeo at October 22, 2009 11:37 AM