Stupid ‘Ph’ Neologisms Considered Harmful

Words: ‘Pharming’. I recently came across this line in a discussion document:

‘Wait, isn’t this exactly the kind of attack pharmers mount?’

I was under the impression that ‘pharming’ was a transgenics term: ‘In pharming, … genetically modified (transgenic) animals are mostly used to make human proteins that have medicinal value. The protein encoded by the transgene is secreted into the animal’s milk, eggs or blood, and then collected and purified. Livestock such as cattle, sheep, goats, chickens, rabbits and pigs have already been modified in this way to produce several useful proteins and drugs.’

Obviously this wasn’t what was being referred to. So I got googling. It appears the sales and marketing community of various security/filtering/etc. companies has been getting all het up about various phishing-related dangers.

The earliest article I could find was this — GCN: Is a new ID theft scam in the wings? (2005-01-14):

‘Pharming is a next-generation phishing attack,’ said Scott Chasin, CTO of MX Logic. ‘Pharming is a malicious Web redirect,’ in which a person trying to reach a legitimate commercial site is sent to the phony site without his knowledge. ‘We don’t have any hard evidence that pharming is happening yet,’ Chasin said. ‘What we do know is that all the ingredients to make it happen are in place.’

Oooh scary! The article is short on technical detail (but long on scary); I think he’s talking about DNS cache poisoning, whereby an attacker implants incorrect data in the victim’s DNS cache, so that when they resolve a name they are sent to the wrong IP address. This Wired article (2005-03-14) seems to confirm this.

But wait! Another meaning is offered by Green Armor Solutions, who use the term to talk about the Panix and Hushmail domain hijacks, where an attacker social-engineered domain transfers from their registrars. There’s no date on the page, but it appears to be post-March 2005.

Finally, yet another meaning is offered in this article at CSO Online: How Can We Stop Phishing and Pharming Scams? (May 2005): ‘The Computing Technology Industry Association has reported that pharming occurrences are up for the third straight year.’ What?! Call Scott Chasin!

Steady on — it appears that the ‘pharming’ CSO Online is talking about has devolved to the stage where it’s simply a pop-up window that attempts to emulate a legit site’s input form — no DNS trickery involved. (This trick has, indeed, been used in phishes for years.)

So right there we have three different meanings for ‘pharming’, or four if you count the biotech one.

It may be impossible to get the marketeers to stop referring to ‘pharming’. But please, if you’re a techie, don’t use that term; its lack of clarity renders it useless. Anyway, the biotech people were there first, by several years…


A highlight (or low-light) from the world of spam bounces

Spam: recently, I’ve been getting a lot of spam bounces; that is, messages sent by people’s autoresponders, in response to forged spam claiming to come from my domain. (I have an SPF record, but these autoresponders naturally don’t bother to check that before replying.)

I have a SpamAssassin ruleset which catches these, and it gets rid of the vast majority — but the odd weird one gets past. This one caught my eye before I deleted it:

On October 5, 2004, I will be going to the Illinois Department of Corrections for approximately 18 months. If you wish to contact me, please snail mail me at: (address deleted)
Your letters will be forwarded to me and I will reply as soon as I receive them! Thanks…and please do write! Mail is vitally important! :-)

… ouch. Good luck to this guy, whoever he is…


eWeek’s ‘Spammers Upending DNS’ article

Spam: eWeek recently published an article entitled ‘Spammers’ New Tactic Upends DNS’, which notes that:

One … technique finding favor with spammers involves sending mass mailings in the middle of the night from a domain that has not yet been registered. After the mailings go out, the spammer registers the domain early the next morning.

By doing this, spammers hope to avoid stiff CAN-SPAM fines through minimal exposure and visibility with a given domain. The ruse, they hope, makes them more difficult to find and prosecute.

The scheme, however, has unintended consequences of its own. During the interval between mailing and registration, the SMTP servers on the recipients’ networks attempt Domain Name System look-ups on the nonexistent domain, causing delays and timeouts on the DNS servers and backups in SMTP message queues.

This had me stumped when I read it, since an email from a nonexistent domain is a pretty reliable spamsign (it’s what the NO_DNS_FOR_FROM rule in SpamAssassin checks, for example; that rule hits about 2% of spam and has been in the default ruleset for several years), and there’s no sign of that behaviour in our spam traps.
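Both of the last two posts come down to the same defensive question: before a mail system replies to, bounces, or accepts a message, does the claimed sender domain actually exist, and is the sending host allowed to use it? The example below is added here and is not code from the original posts or from SpamAssassin. It models a NO_DNS_FOR_FROM-style “does the domain resolve at all” check, plus a minimal SPF evaluation (ip4, ip6 and all mechanisms only), as the two tests an autoresponder should run before sending a reply to a possibly forged address. The FAKE_DNS zone, the domains and the IP addresses are all constructed so the code runs offline.

```python
"""Two checks an autoresponder (or any bounce generator) can run before
replying, so that forged mail is not bounced back to an innocent domain.

Added example, not code from the original posts or from SpamAssassin:
  (a) a NO_DNS_FOR_FROM-style test that the sender's domain resolves at all;
  (b) a minimal SPF evaluation (ip4/ip6/all mechanisms only) against the
      connecting client's IP.
DNS is replaced by the constructed FAKE_DNS zone below so the code runs offline.
"""
import ipaddress
from email.utils import parseaddr

# Constructed zone data standing in for real DNS answers (documentation ranges).
FAKE_DNS = {
    "example.org": {
        "MX": ["mail.example.org"],
        "TXT": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    },
    "softfail.example": {
        "A": ["198.51.100.7"],
        "TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    },
    "nospf.example": {"A": ["203.0.113.9"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def sender_domain(from_header):
    """Return the lower-cased domain of a From:/envelope address, or ''."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def domain_has_dns(domain, zone=FAKE_DNS):
    """NO_DNS_FOR_FROM-style check: any A, AAAA or MX record for the domain?"""
    recs = zone.get(domain, {})
    return any(recs.get(rtype) for rtype in ("A", "AAAA", "MX"))


def check_spf(domain, client_ip, zone=FAKE_DNS):
    """Evaluate the domain's v=spf1 record for client_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no record) or
    'permerror' (unparsable network). Unsupported mechanisms (a, mx, include,
    redirect, ...) are skipped; that is a deliberate simplification here.
    """
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in zone.get(domain, {}).get("TXT", [])
               if t.lower().startswith("v=spf1")]
    if len(records) != 1:          # none, or ambiguous duplicates: no policy
        return "none"
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"               # record exhausted without a match


def should_autorespond(from_header, client_ip, zone=FAKE_DNS):
    """Decide whether replying to this message is safe. Returns (ok, reason)."""
    domain = sender_domain(from_header)
    if not domain:
        return False, "no parsable sender address"
    if not domain_has_dns(domain, zone):
        return False, "sender domain has no DNS records (NO_DNS_FOR_FROM)"
    result = check_spf(domain, client_ip, zone)
    if result in ("fail", "softfail"):
        return False, f"SPF {result}: sender address is probably forged"
    return True, f"SPF {result}"


if __name__ == "__main__":
    # Forged mail "from" example.org sent by an unrelated host: do not reply.
    print(should_autorespond("Someone <jm@example.org>", "203.0.113.5"))
    # Mail from a host the SPF record authorises: replying is fine.
    print(should_autorespond("jm@example.org", "192.0.2.10"))
```

A real deployment would replace FAKE_DNS with live lookups and use a full SPF library, but the decision structure is the point: an autoresponder that skips these two checks is what turns forged spam into the bounces described above.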

After some discussion, Suresh Ramasubramanian came up with this explanation of what’s really happening:

Verisign now allows immediate (well, within about 10 minutes) updates of .com/.net zones (also same for .biz) while whois data is still updated once or twice a day. That means if spammer registers (a) new domain he’ll be able to use it immediatly (sic) and it’ll not yet show up in whois (and so not be immediatly identifiable to spam reporting tools) - and spammers are in fact using this “feature” more and more!

That does sound a much more likely explanation, and matches what’s been seen in the traps.

So: WHOIS, not DNS.


Florida State Government Spammed Me!

Spam: Well, this is just incredible. I’ve just been spammed by a .gov domain — myfloridahousemail.gov.

The irony of my first .gov spam coming from Florida is inescapable.

The message came from an IP address registered to State of Florida/Dept. of Management Services, bldg 4050 esplanade way suite 115d, Tallahassee, FL 32399-0950 US. That address looks genuine. It really does look like it came from the Florida House of Representatives.

And it was sent to a spamtrap which is on a few spammer address lists, but has never been a genuine user address. And, obviously, I don’t live in Florida ;)

Read the spam here.


Referrer Spam Again

More referrer spam stuff. As Mark states in the comments here, it seems that the referrer-spamming is using real browsers run by real people — no bots, no proxies.

The spammers create HTML pages which contain an IMG tag, using one of our pages in the SRC attribute. This causes the user’s browser to attempt to download the page — giving the correct referrer URL — but it’s not particularly visible to the user, since it’s an HTML page, not an image. All they’re likely to see is a ‘broken image’ icon, and more likely the image is hidden anyway using a hidden div or width=0 height=0 attributes.
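One way to keep this out of a referrer report is to verify each external referrer before counting it: fetch the referring page and check whether it really links to us with an A HREF, or only embeds one of our pages as a (hidden) IMG, which is exactly the pattern just described. The code below is an added example, not the weblog’s own tooling; the host name ‘ourblog.example’, the log lines and the sample pages are constructed, and the page fetcher is injected so it runs offline.

```python
"""Referrer verification for a web-log/stats pipeline.

Added example, not the weblog's own code. Referrer spam, as described above,
is a hidden <img src="http://our-site/..."> on the spammer's page, fetched by
real browsers. Before counting a referrer, fetch the referring page and check
whether it links to us with <a href>, or only embeds one of our pages as an
image. 'ourblog.example', the log lines and the HTML are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Apache combined log: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')


class ReferenceScanner(HTMLParser):
    """Count how a page references our host: real links vs. (hidden) images."""

    def __init__(self, page_url, our_host):
        super().__init__()
        self.page_url, self.our_host = page_url, our_host.lower()
        self.links = self.images = self.hidden_images = 0
        self._div_hidden = []          # stack: is each currently open <div> hidden?

    def _points_at_us(self, url):
        host = urlsplit(urljoin(self.page_url, url)).hostname
        return host is not None and host.lower() == self.our_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            style = (a.get("style") or "").replace(" ", "").lower()
            self._div_hidden.append("display:none" in style or "visibility:hidden" in style)
        elif tag == "a" and a.get("href") and self._points_at_us(a["href"]):
            self.links += 1
        elif tag == "img" and a.get("src") and self._points_at_us(a["src"]):
            self.images += 1
            zero_size = a.get("width") == "0" or a.get("height") == "0"
            if zero_size or any(self._div_hidden):
                self.hidden_images += 1

    def handle_endtag(self, tag):
        if tag == "div" and self._div_hidden:
            self._div_hidden.pop()


def classify_referrer(page_url, html, our_host):
    """'genuine' if the page links to us, 'img-spam' if it only embeds us as an
    image, 'no-reference' if it mentions us nowhere (a forged Referer header)."""
    s = ReferenceScanner(page_url, our_host)
    s.feed(html)
    if s.links:
        return "genuine"
    if s.images:
        return "img-spam"
    return "no-reference"


def audit_log(lines, fetch, our_host):
    """Map each external referring URL in the log lines to its classification.
    fetch(url) returns the page body, or None if the page is unreachable."""
    verdicts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        referer = m.group(2)
        if referer == "-" or referer in verdicts:
            continue
        host = urlsplit(referer).hostname
        if host is None or host.lower() == our_host.lower():
            continue                    # internal navigation, not an external referrer
        body = fetch(referer)
        verdicts[referer] = ("unreachable" if body is None
                             else classify_referrer(referer, body, our_host))
    return verdicts


# Constructed sample data: three referring pages and four log lines.
SAMPLE_PAGES = {
    "http://friend.example/links.html":
        '<p>Good read: <a href="http://ourblog.example/2005/03/pharming">pharming</a></p>',
    "http://spammer.example/index.html":
        '<div style="display: none"><img src="http://ourblog.example/" width="0" height="0"></div>'
        '<script>/* pop-under loader would go here */</script>',
    "http://forged.example/": "<p>nothing about us here</p>",
}
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Apr/2005:10:00:00 +0100] "GET /2005/03/pharming HTTP/1.1" 200 5120 "http://friend.example/links.html" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2005:10:01:00 +0100] "GET / HTTP/1.1" 200 8000 "http://spammer.example/index.html" "Mozilla/4.0"',
    '203.0.113.8 - - [01/Apr/2005:10:02:00 +0100] "GET / HTTP/1.1" 200 8000 "http://forged.example/" "Mozilla/4.0"',
    '203.0.113.9 - - [01/Apr/2005:10:03:00 +0100] "GET /about HTTP/1.1" 200 900 "http://ourblog.example/" "Mozilla/4.0"',
]


def demo():
    return audit_log(SAMPLE_LOG, SAMPLE_PAGES.get, "ourblog.example")


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:13s} {url}")
```

Only referrers classified ‘genuine’ would be published in a public referrer list; ‘img-spam’ and ‘no-reference’ hosts can be dropped from the stats or added to a blocklist. Fetching the referring page does cost a request per new referrer, so a real pipeline would cache verdicts and rate-limit the fetcher.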

Anyway, I took a look at the HTML for those sites. Interestingly, all of them use a distinctive HTML style, with a redirecting frame and some Javascript to load the following pop-up ad:

http: //pb. xxxconnex. com/pb.phtml? d=aporndomain.net &sc=EXPN &ip=9999999999 &c=preview

Where ‘aporndomain.net’ is a porn domain, not necessarily always the same one as you’re viewing, and ‘9999999999’ is a 10-digit number. This then loads a frameset containing another random popunder ad from a load of domains. It also throws a few hidden ones into the corner, loads them as pop-unders, loads a javascript timer to open new ones occasionally, etc. etc. etc. As you close ‘em, new ones open, and so on. Glad I don’t run IE ;)

I would bet these guys, xxxconnex.com — or one of their customers — are the ones behind the referrer-spamming as a result. Their WHOIS info states they are:

Admin, Domain  info@webfinity.net
1E Braemar Ave
Unit 19
Kingston 10, WI N/A
JM
876-357-8404

Interestingly, that phone number and address also show up in ROKSO, listed under domain registrations controlled by the ‘Dynamic Pipe / Webfinity / Python Video’ spam gang, i.e. one of the biggest sources of porn spam out there. They’re diversifying, it seems!

Based on some suggestions on Kasia’s weblog, I think I now have a good comeback — still working on this though.


Network Solutions the weakest link, again

Yahoo: al-Jazeera website redirected:

The hacker was able to gain control of the domain name by asking domain seller Network Solutions for the account password on official al-Jazeera stationery, said an industry source speaking on condition of anonymity.

A spokesman for Network Solutions’ parent company declined to comment on how the hacker was able to hijack the domain name, but said the company had fixed the problem and was trying to track the impostor down.

‘We followed our procedures, in this particular instance someone was able to get around those procedures,’ said Brian O’Shaughnessy, a spokesman for Internet security firm VeriSign.

They fixed the problem? Surely this is exactly what happened with the sex.com domain several years ago?


IEDR spams all .ie Postmaster addresses

Nice one! The IE Domain Registry (IEDR) has just sent out a ‘free newsletter’ to all postmaster addresses in the entire .ie top-level domain. Yes, every one.

And did they follow the best practices for legit mailing list operators, like

  • (a) never mailing without a previous sign-up, or even

  • (b) setting up the list to use verified opt-in (“reply to confirm that you want to receive further mail”), instead of opt-out (“reply if you do not want to receive further mail”)?

Of course not:

YOU WILL BE RECEIVING this free bi-monthly ezine because you are one of our 31,000+ .ie domain name holders, an Irish journalist, with an Irish government body or have a legitimate interest in matters relating to the Domain Name System (DNS) in all Ireland, concerning .ie domain names. This publication is delivered by email and will serve as an official channel of the IEDR to deliver notices and announcements.

If you do not wish to receive Inside.ie, you can unsubscribe by clicking on the link below.

Not my emphasis, BTW. But don’t worry — their mail host was already listed in the DNS blacklists as a Confirmed Spam Source by the time I received it, so I don’t think we’ll be actually receiving many more of them ;)

For more information on the hi-larious antics of our national registrar, take a look at IEWatch.
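For the record, here is what the verified opt-in of item (b) above looks like in code. This is an added example, not the IEDR’s or the weblog’s code. The design choice, which the post does not prescribe, is a stateless HMAC confirmation token: the server need not store pending requests, nobody can confirm a subscription for someone else’s address without the server secret, and the token expires. The secret, the clock and the addresses are constructed.

```python
"""Verified (confirmed) opt-in for a mailing list: a sign-up request sends one
confirmation message, and the address is added only when the recipient acts
on it. Contrast opt-out, where the address is added first and must ask to leave.

Added example, not the IEDR's or the weblog's code. The HMAC token scheme is a
design choice of this example, not something the post prescribes.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600          # confirmation tokens expire after one day


class MailingList:
    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now            # injectable clock, so expiry can be tested
        self.subscribers = set()
        self.outbox = []           # (recipient, body) a real system would send

    def _mac(self, email: str, expires: int) -> str:
        # Bind the token to the address and its expiry; the secret prevents forgery.
        msg = f"{email.lower()}|{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str) -> str:
        """Step 1: do NOT add the address; send one confirmation message."""
        expires = int(self._now()) + TOKEN_TTL
        token = f"{expires}.{self._mac(email, expires)}"
        self.outbox.append((email, f"Reply or click to confirm: {token}"))
        return token

    def confirm(self, email: str, token: str) -> bool:
        """Step 2: add the address only if the token is genuine and unexpired."""
        try:
            expires_str, mac = token.split(".", 1)
            expires = int(expires_str)
        except ValueError:
            return False
        if expires < self._now():
            return False
        if not hmac.compare_digest(mac, self._mac(email, expires)):
            return False
        self.subscribers.add(email.lower())
        return True

    def is_subscribed(self, email: str) -> bool:
        return email.lower() in self.subscribers


def demo():
    """Walk through the sign-up flow with a constructed secret and clock."""
    clock = [1_000_000]
    ml = MailingList(secrets.token_bytes(32), now=lambda: clock[0])
    token = ml.request_subscription("Alice@example.org")
    results = {
        "before_confirm": ml.is_subscribed("alice@example.org"),
        "wrong_address": ml.confirm("mallory@example.org", token),
        "tampered": ml.confirm("alice@example.org",
                               token[:-1] + ("0" if token[-1] != "0" else "1")),
        "confirmed": ml.confirm("alice@example.org", token),
    }
    clock[0] += TOKEN_TTL + 1
    results["expired_reuse"] = ml.confirm("alice@example.org", token)
    results["messages_sent"] = len(ml.outbox)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:15s} {outcome}")
```

Exactly one message goes to the address, and it goes only because somebody asked; if that somebody was a forger, the real owner gets a single confirmation request they can ignore, rather than a subscription they must opt out of.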

Date: Thu, 24 Oct 2002 06:08:10 -0400
From: “Sophie Pozzey” (spam-protected)
To: (spam-protected)
Subject: The IEDR’s Inside.ie e-mail newsletter - Welcome

Dear Sir/Madam,

The IE Domain Registry Ltd. (IEDR - www.iedr.ie) is an independent not-for-profit organisation that manages the .ie country code Top Level Domain (ccTLD) namespace in the public interest of the Irish and global Internet communities. In line with the Best Practice Principles of IANA, ICANN, and CENTR, the IEDR is committed to the concept of administering .ie throughout all Ireland in an open and transparent manner.

INSIDE.IE, THE IEDR’S FREE BI-MONTHLY E-MAIL NEWSLETTER, assists us in attaining and maintaining this standard and in ensuring that recipients will be kept abreast of .ie and DNS related issues, nationally and internationally.

YOU WILL BE RECEIVING this free bi-monthly ezine because you are one of our 31,000+ .ie domain name holders, an Irish journalist, with an Irish government body or have a legitimate interest in matters relating to the Domain Name System (DNS) in all Ireland, concerning .ie domain names. This publication is delivered by email and will serve as an official channel of the IEDR to deliver notices and announcements.

If you do not wish to receive Inside.ie, you can unsubscribe by clicking on the link below.

Yours sincerely,
Sophie Pozzey

Co-ordinator, Inside.ie
Head of Public Affairs & Communications
IE Domain Registry Ltd
Tel: 01 2300 797
Email: (spam-protected)
Web: http://www.iedr.ie

To be removed from this list, use this link: (spam-protected)
To receive future messages in HTML format, use this link: (spam-protected)
