Friday, January 24, 2014

Spam via Google? Apparently Google has been hacked by the Chinese for months now


So, much like many other email providers, Spammers try and abuse VFEmail servers by creating thousands of account to use for SMTP sending.  We set daily limits per account, which forces this 'many accounts' issue - but we also have other throttling in place that prevents the Spam from actually leaving our systems.

What's odd is that Chinese spammers have lately been coming FROM GOOGLE.  Now, it's not uncommon for ASPs and other hosting environments to be the source of Spam - just like any email provider, we have no idea what the account holder will do until they've done it. But in this case, the Spam is coming from Google, using the VFEmail accounts for SMTP Auth.  That's really odd, because I wasn't aware of Google allowing that sort of hosting or sending with a remote sites credentials. 

[edit 3/3/14] Upon closer inspection, the DKIM header shows a Gmail hosted domain, 1e100.net as the source.  Google, fix it already.

Here's the relevant line -
Received: from unknown (HELO mail-ie0-f178.google.com) (YXNkLmxva0B2ZmVtYWlsLm5ldA==@209.85.223.178)
  by mail.vfemail.net with ESMTPA; 24 Jan 2014 02:42:16 -0000


According to whois, 209.85.223.178 is a Google IP.  Unfortunately, I'm only getting automated replies to my abuse emails.  So we'll see if this info gets their attention.

Here are the full headers -

Received: (qmail 88632 invoked by uid 89); 24 Jan 2014 15:18:43 -0000
Received: from localhost (HELO freequeue.vfemail.net) (127.0.0.1)
  by localhost with SMTP; 24 Jan 2014 15:18:41 -0000
Received: (qmail 35975 invoked by uid 89); 24 Jan 2014 02:42:17 -0000
Received: by simscan 1.3.1 ppid: 35953, pid: 35972, t: 0.0210s
         scanners:none
Received: from unknown (HELO smtp102-2.vfemail.net) (172.16.100.62)
  by FreeQueue with SMTP; 24 Jan 2014 02:42:17 -0000
Received-SPF: softfail (FreeQueue: transitioning SPF record at vfemail.net does not designate 172.16.100.62 as permitted sender)
Received: (qmail 631 invoked by uid 89); 24 Jan 2014 02:42:16 -0000
Received: by simscan 1.4.0 ppid: 625, pid: 628, t: 0.0694s
         scanners:none
Received: from unknown (HELO mail-ie0-f178.google.com) (SMTPAuthName@209.85.223.178)
  by mail.vfemail.net with ESMTPA; 24 Jan 2014 02:42:16 -0000
Received: by mail-ie0-f178.google.com with SMTP id x13so2137073ief.23
        for ; Thu, 23 Jan 2014 18:42:16 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=f5GsZjfdse0Y8c+H8IzzmEM6HLaZXgOiXDMgsohQc54=;
        b=aR7dijI0xORpdCVjWz5/mWPYv4B7zAXZdZfhRqrvDU0NhN0x0if/xgms8NOKgwLBiS
         iaygwYd8yTE0RXg2TX0HMarSsNwpe1LtAJtETILK5dgdu+f9QhUsKEnfmph986EWNCja
         zah5hWJLOD59MzqyIL8xvRAaw7Yav473gnjn2/pVs+8MZfa5iMy+LxV15hgczNjQ/TbG
         ZeBKbydJVYFy6yRMA8+l2P5bcqk3S29oQMDD2Bt7M2h9Hynk8K+Qzy1W1SwO2qpMI8qS
         B+nb//gPGvGACtlCy3O2KZrmtJSLaS/2RwSdbtMmiKx6tHkycwY+XjQi4Hqk61lyhfcc
         +IcA==
MIME-Version: 1.0
X-Received: by 10.42.64.17 with SMTP id e17mr8876684ici.26.1390531336210; Thu,
23 Jan 2014 18:42:16 -0800 (PST)
Received: by 10.64.229.8 with HTTP; Thu, 23 Jan 2014 18:42:16 -0800 (PST)
Date: Fri, 24 Jan 2014 10:42:16 +0800
Message-ID:
Subject:
From: chang chun
To: uxnr@email.com.cn, v6@email.com.cn, vacancy@email.com.cn,
        vagabond@email.com.cn, vagrant@email.com.cn, vance@email.com.cn,
        vanquish@email.com.cn, variation@email.com.cn
Content-Type: multipart/alternative; boundary=90e6ba3fcdab58111304f0ae4e1c


Update 2/1/14 - still nothign from Google.  They're totally hacked.

 --------------
MESSAGE NUMBER 4875719
 --------------
Received: (qmail 80547 invoked by uid 89); 1 Feb 2014 16:41:32 -0000
Received: from localhost (HELO freequeue.vfemail.net) (127.0.0.1)
  by localhost with SMTP; 1 Feb 2014 16:41:32 -0000
Received: (qmail 80286 invoked by uid 89); 1 Feb 2014 16:41:15 -0000
Received: by simscan 1.3.1 ppid: 80273, pid: 80280, t: 0.0295s
         scanners:none
Received: from unknown (HELO smtp102-2.vfemail.net) (172.16.100.62)
  by FreeQueue with SMTP; 1 Feb 2014 16:41:15 -0000
Received-SPF: softfail (FreeQueue: transitioning SPF record at vfemail.net does not designate 172.16.100.62 as permitted sender)
Received: (qmail 6407 invoked by uid 89); 1 Feb 2014 16:41:15 -0000
Received: by simscan 1.4.0 ppid: 6398, pid: 6402, t: 0.0851s
         scanners:none
Received: from unknown (HELO mail-vb0-f43.google.com) (
SMTPAuthName@209.85.212.43)
  by mail.vfemail.net with ESMTPA; 1 Feb 2014 16:41:15 -0000
Received: by mail-vb0-f43.google.com with SMTP id p5so3789171vbn.30
        for ; Sat, 01 Feb 2014 08:41:14 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=7u8pwYRxgVJr58KdRsQpYbJ+VS6xSKmQescj2zcM4WY=;
        b=QEfLb4w2QT9/jNotKqT7WDvrFCMzLQiM96WprG3LDnAULvMbg2R98yVzC8At9Pomf3
         3rNoWLNp+XOy358ul8IvQsloHDCCUvmMDNiNC8A/G6rlzUA63y2qWiKTs98ALoV0PTZv
         GmNW+xR9fowGnQE/q59J64OXH8JoTKBGe9SUyMyZGsK0qo3LJ7DJc2PHgucLIGDOV81s
         uRO57Jbv4BYlv0BeG6e2WNo0PxmIWqrJ65DwFXRqOotTVyn8QwIFeaqfcbCSjdu74nWm
         FLRgmDvSUVUYtIXPimp1LidLTCmeMulp/YqBxPb9XhibpitT7l4UI4nVJI+L+PEsnCCl
         xvQA==
MIME-Version: 1.0
X-Received: by 10.52.61.168 with SMTP id q8mr6816vdr.40.1391272874597; Sat, 01
 Feb 2014 08:41:14 -0800 (PST)
Received: by 10.58.65.69 with HTTP; Sat, 1 Feb 2014 08:41:14 -0800 (PST)
Date: Sun, 2 Feb 2014 00:41:14 +0800
Message-ID:
Subject:
From: chang chun
To: xiaoyaojian@email.com.cn, xiaoyaoke@email.com.cn, xiaoyaoxu@email.com.cn,
        xiaoyaoye@email.com.cn, xiaoyaozi@email.com.cn, xiaoye@email.com.cn
Content-Type: multipart/alternative; boundary=001a1136b37479e2f104f15af5fa

--001a1136b37479e2f104f15af5fa
Content-Type: text/plain; charset=GB2312
Content-Transfer-Encoding: base64

xPq6w6OhDQoNCsfrz8LU2Li9vP61vcT6tcS158TUo6wNCg0Ky6u796Osv8m/tLLY19bKr8PFxrHN
vMaso7sNCg0K1NrOxLz+w/vJz7XjyvOx6iDT0rz8o6y14yDW2MP8w/sgo6wNCr2rzsS8/rXEwKnV
ucP7o6guanBno6m4/LjEzqogLnJhciC686OsDQrU2dPDw9zC66O6dG16ZyC08r+qo6wNCr/J1MS2
wdPrxPrPos+iz+C52LXEusPOxNXCoaMNCg0KDQogMTGhomN6c3RtemctcGRmLmpwZzxodHRwczov
L2RvY3MuZ29vZ2xlLmNvbS9maWxlL2QvMEI1R2dSOF93M3AyOFZqTjJjbFpYVTNoc2QyOC9lZGl0
P3VzcD1kcml2ZV93ZWI+DQoNCiC547SrzfgucmFyPGh0dHBzOi8vZG9jcy5nb29nbGUuY29tL2Zp
bGUvZC8wQjVHZ1I4X3czcDI4Tmxkdk9VSkxPUzF2UXpnL2VkaXQ/dXNwPWRyaXZlX3dlYj4NCg0K
--001a1136b37479e2f104f15af5fa
Content-Type: text/html; charset=GB2312
Content-Transfer-Encoding: quoted-printable

=C4=FA=BA=C3=A3=A1

=C7=EB=CF=C2=D4=D8=B8=BD=BC=FE=
=B5=BD=C4=FA=B5=C4=B5=E7=C4=D4=A3=AC

=CB=AB=BB=F7=A3=AC=BF=C9=BF=B4=
=B2=D8=D7=D6=CA=AF=C3=C5=C6=B1=CD=BC=C6=AC=A3=BB

=D4=DA=CE=C4=BC=FE=
=C3=FB=C9=CF=B5=E3=CA=F3=B1=EA =D3=D2=BC=FC=A3=AC=B5=E3 =D6=D8=C3=FC=C3=FB =
=A3=AC
=BD=AB=CE=C4=BC=FE=B5=C4=C0=A9=D5=B9=C3=FB=A3=A8.jpg=A3=A9=B8=FC=
=B8=C4=CE=AA .rar =BA=F3=A3=AC
=D4=D9=D3=C3=C3=DC=C2=EB=A3=BAtmzg =B4=F2=
=BF=AA=A3=AC
=BF=C9=D4=C4=B6=C1=D3=EB=C4=FA=CF=A2=CF=A2=CF=E0=B9=D8=B5=
=C4=BA=C3=CE=C4=D5=C2=A1=A3









--001a1136b37479e2f104f15af5fa--
 


NetRange:       209.85.128.0 - 209.85.255.255
CIDR:           209.85.128.0/17
OriginAS:
NetName:        GOOGLE
 


Ok does this really mean Google is hacked?  No, it shows there's at least one system at Google that is a spam source, but it could just be a few botnet members. I understand this sort of thing happens to everyone, but frankly, I'm sick and tired of cleaning this shit up.


Update - 3/3/14.   After blocking the above CIDR for a month, the spammers are now using a new one -

Received: (qmail 76016 invoked by uid 89); 3 Mar 2014 03:02:15 -0000
Received: by simscan 1.3.1 ppid: 75998, pid: 76006, t: 0.2433s
         scanners:none
Received: from unknown (HELO smtp101-2.vfemail.net) (172.16.100.61)
  by FreeQueue with SMTP; 3 Mar 2014 03:02:15 -0000
Received: (qmail 26663 invoked by uid 89); 3 Mar 2014 03:02:15 -0000
Received: by simscan 1.4.0 ppid: 26615, pid: 26641, t: 0.1460s
         scanners:none
Received: from unknown (HELO mail-we0-f179.google.com) (aThqN2subWZndEB2ZmVtYWlsLm5ldA==@74.125.82.179)
  by mail.vfemail.net with ESMTPA; 3 Mar 2014 03:02:15 -0000
Received: by mail-we0-f179.google.com with SMTP id x48so2491161wes.38
        for <817 qq.com="">; Sun, 02 Mar 2014 19:02:14 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=pEGGLF9NMqHn49abWF4r9h3T2oZ2p/fE63y4TvKB2o0=;
        b=F5wEnRP4ZwkQgcMtnxzyAGW6Xim0JmOhGBYLBbMVaL3IbmAqmmOjI3ibYcIb+duG7m
         PAq2uyFKKBUcgPTYb9cCLDbBw0pU7ShZsFrpHFm6PrMpfXgxN8CPsoXp2zu7T8Klm7MH
         QVAz+shWX1yHMRyxiIJEK3YHOZud+DrBqSYyRS5w4gLNFJM1VWg1ITu8sqirrvkiAkZL
         GR0VXgIOb0US6hmjW2HA32GaijeoReXpKwt1cm86ugc3F2MSDOYDNuV0G0B1w2ax/aW8
         GilCb0FUImZDKuW0mMr+DPFLLQgk6psYu8ZgRYBJA7A4V1pbq8PyvI9YJKqKo0O/6w/l
         qVdg==
MIME-Version: 1.0
X-Received: by 10.194.2.70 with SMTP id 6mr13500638wjs.25.1393815732134; Sun,
 02 Mar 2014 19:02:12 -0800 (PST)
Received: by 10.216.9.1 with HTTP; Sun, 2 Mar 2014 19:02:12 -0800 (PST)
Date: Mon, 3 Mar 2014 11:02:12 +0800
Message-ID:
Subject: =?GB2312?B?19TTycPFIM7evec=?=
From: tryu werd
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=047d7b3a817498a7dd04f3ab0383
Bcc: 817@qq.com

--047d7b3a817498a7dd04f3ab0383
Content-Type: text/plain; charset=GB2312
Content-Transfer-Encoding: base64

zbvGxs34wue34sv4tcTGxs34yO28/tfU08nDxSDO3r3ntcTPwtTYtdjWt6GjDQoNCrXnxNSw5iBo
dHRwOi8vd3d3Lndpa2lmb3J0aW8uY29tLzY5NjUzMy8NCrCy17+w5iBodHRwOi8vd3d3Lndpa2lm
b3J0aW8uY29tLzgxODYwOC8NCg0K08PT2rCy17/K1rv6u/LN+MLnu/q2pbrQOg0KaHR0cHM6Ly9n
b28uZ2wvbVpNR3E5DQpodHRwczovL2dvby5nbC9yc05UMUYNCg0K08PT2rXnxNQ6DQpodHRwczov
L2dvby5nbC8zSlRYZw0KaHR0cHM6Ly9nb28uZ2wvMHZLcjMNCg==
--047d7b3a817498a7dd04f3ab0383
Content-Type: text/html; charset=GB2312
Content-Transfer-Encoding: quoted-printable



--047d7b3a817498a7dd04f3ab0383--

NetRange:       74.125.0.0 - 74.125.255.255
CIDR:           74.125.0.0/16
OriginAS:
NetName:        GOOGLE

Apologies to users are Google.


1 comment:

Blogger said...

I'm using AVG anti virus for a couple of years now, and I'd recommend this product to all of you.