Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: LinkedIn ACH spam/virus
Unread postPosted: Tue Dec 13, 2011 12:40 pm 
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2047
Not actually related to clamav/qmail-scanner etc, but I figured I'd post this here anyway, as it seems to be the best section.

One of my mailboxes, hosted on a third party server over which I have no control, is letting in scores of messages "from" LinkedIn which contain a nasty payload.

What I'm curious about is the header. Take a look:

Code:
Return-Path: <valises1682@roofsys.com>
Delivered-To: REDACTED
Received: (qmail 26713 invoked from network); 13 Dec 2011 15:40:17 -0000
Received: from unknown (HELO 89-69-130-109.dynamic.chello.pl) (89.69.130.109)
  by MY-REAL-ISP with SMTP; 13 Dec 2011 15:40:17 -0000
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
   by inbound.electric.net (8.13.8/8.13.8) with ESMTP id 8UEO5D1608818
   for <REDACTED>; Tue, 13 Dec 2011 16:39:42 +0100
Date: Tue, 13 Dec 2011 16:39:42 +0100
From: "LinkedIn" <linkedin@em.linkedin.com>
To: REDACTED


In the first two Received: lines, the message appears to be going from chello.pl to my real ISP.

But there's also a third Received: line. This, at first glance, would seem to indicate that LinkedIn was involved in the mail transport somehow.

rdns on 63.211.90.176 is indeed mta900.em.linkedin.com but as Mike says, this can be faked easily. Whois says the range belongs to Cheetamail.

My trail goes cold there. "Experian CheetahMail" is legit, but is that the same cheetahmail? I can't tell.

What I do know is that the same 63.211.90.176 IP appears in messages posted about a slightly different spam/virus outbreak which was deliberately (fake) from LinkedIn (with a subject of "so now you're on LinkedIn....").

So...what's REALLY going on? Has this mysterious part of the header just been totally faked, to make it look more legit?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: LinkedIn ACH spam/virus
Unread postPosted: Wed Dec 14, 2011 5:58 pm 
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3626
Location: Chantilly, VA
Quote:
rdns on 63.211.90.176 is indeed mta900.em.linkedin.com but as Mike says, this can be faked easily. Whois says the range belongs to Cheetamail.


Looks like the IP is legit:

[mshinn@mtsoffice ~]$ nslookup 63.211.90.176
Server: 10.10.14.1
Address: 10.10.14.1#53

Non-authoritative answer:
176.90.211.63.in-addr.arpa name = mta900.em.linkedin.com.

Authoritative answers can be found from:
in-addr.arpa nameserver = a.in-addr-servers.arpa.
in-addr.arpa nameserver = b.in-addr-servers.arpa.
in-addr.arpa nameserver = c.in-addr-servers.arpa.
in-addr.arpa nameserver = d.in-addr-servers.arpa.
in-addr.arpa nameserver = e.in-addr-servers.arpa.
in-addr.arpa nameserver = f.in-addr-servers.arpa.

[mshinn@mtsoffice ~]$ nslookup mta900.em.linkedin.com
Server: 10.10.14.1
Address: 10.10.14.1#53

Non-authoritative answer:
Name: mta900.em.linkedin.com
Address: 63.211.90.176

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
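The two checks this thread turns on, as an added example that is not code from either post or from Atomicorp: walking the Received: chain from the top to find where your own MTA's lines stop (everything below that boundary arrived inside the message from the remote client and can say whatever the sender wants, LinkedIn hostnames included), and the forward-confirmed reverse DNS check Michael did by hand with nslookup. The sample header is constructed from the one quoted above with the redacted addresses replaced by example.net values; MY-REAL-ISP stands for your own MTA as in the thread; and DNS is replaced by an inline lookup table (the 192.0.2.10 entry is a constructed non-confirming PTR) so the script runs offline.

```python
import email
import re

# Constructed sample modelled on the header quoted in the thread; the redacted
# recipient is replaced with an example.net address.
SAMPLE = """\
Return-Path: <valises1682@roofsys.com>
Delivered-To: user@example.net
Received: (qmail 26713 invoked from network); 13 Dec 2011 15:40:17 -0000
Received: from unknown (HELO 89-69-130-109.dynamic.chello.pl) (89.69.130.109)
  by MY-REAL-ISP with SMTP; 13 Dec 2011 15:40:17 -0000
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
   by inbound.electric.net (8.13.8/8.13.8) with ESMTP id 8UEO5D1608818
   for <user@example.net>; Tue, 13 Dec 2011 16:39:42 +0100
Date: Tue, 13 Dec 2011 16:39:42 +0100
From: "LinkedIn" <linkedin@em.linkedin.com>
To: user@example.net

(body omitted)
"""

# Hosts whose Received: lines we trust because they are our own MTAs
# (assumption: MY-REAL-ISP is the poster's receiving server, as in the thread).
MY_MTAS = {"my-real-isp"}

# Constructed stand-in for DNS so the example runs offline: PTR maps an address
# to its reverse name, A maps a name to the addresses it resolves to.
# 192.0.2.10 (TEST-NET-1) carries a PTR that does not forward-confirm.
PTR = {
    "63.211.90.176": "mta900.em.linkedin.com",
    "89.69.130.109": "89-69-130-109.dynamic.chello.pl",
    "192.0.2.10": "mta900.em.linkedin.com",
}
A = {
    "mta900.em.linkedin.com": {"63.211.90.176"},
    "89-69-130-109.dynamic.chello.pl": {"89.69.130.109"},
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def fcrdns(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    Returns the confirmed name, False on a mismatch, None when there is no PTR."""
    name = ptr.get(ip)
    if name is None:
        return None
    return name if ip in a.get(name, set()) else False


def parse_received(value):
    """Pull the from-host, HELO name, client IP and receiving host out of one
    Received: header value (folded continuation lines are joined first)."""
    text = re.sub(r"\s+", " ", value).strip()
    empty = {"raw": text, "from": None, "helo": None, "ip": None, "by": None}
    if text.startswith("(qmail"):
        return empty  # qmail local-delivery line: carries no client information
    by = re.search(r"\bby ([A-Za-z0-9.-]+)", text)
    frm = re.search(r"\bfrom ([A-Za-z0-9.-]+)", text)
    helo = re.search(r"\(HELO ([^)\s]+)\)", text)
    client_part = text[: by.start()] if by else text  # only this part describes the client
    ip = IP_RE.search(client_part)
    return {
        "raw": text,
        "from": frm.group(1).lower() if frm else None,
        "helo": helo.group(1).lower() if helo else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1).lower() if by else None,
    }


def analyze(raw_message, my_mtas=MY_MTAS):
    """Walk Received: lines top to bottom. Each hop prepends its own line, so
    the first line whose 'by' host is not ours marks the trust boundary: that
    line and everything below it came from the remote client and may be forged."""
    msg = email.message_from_string(raw_message)
    hops, trusted = [], True
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop["by"] is not None and hop["by"] not in my_mtas:
            trusted = False
        hop["trusted"] = trusted
        hop["fcrdns"] = fcrdns(hop["ip"]) if hop["ip"] else None
        hops.append(hop)
    return hops


def real_client_ip(hops):
    """The address our own MTA actually saw connecting: the IP on the lowest trusted hop."""
    trusted_ips = [h["ip"] for h in hops if h["trusted"] and h["ip"]]
    return trusted_ips[-1] if trusted_ips else None


if __name__ == "__main__":
    hops = analyze(SAMPLE)
    for i, h in enumerate(hops):
        status = "trusted  " if h["trusted"] else "UNTRUSTED"
        print(i, status, h["ip"], h["from"], "->", h["by"], "fcrdns:", h["fcrdns"])
    print("client our MTA really talked to:", real_client_ip(hops))
```

Run against the sample, the linkedin.com hop is forward-confirmed (PTR and A agree, exactly what the nslookup pair above shows) yet still untrusted, because it sits below the line MY-REAL-ISP wrote; the only client address the receiving MTA can vouch for is 89.69.130.109. A valid rDNS on a lower Received: line therefore says nothing about who actually delivered the message, which is the answer to the first post's question.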

