I get spam :)

I just received this spam message the other day:

From: Microsoft [mailto:customerservice@microsoft.com]

Sent: Saturday, October 11, 2008 11:13 PM

To: Larry Osterman

Subject: Security Update for OS Microsoft Windows

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update for OS Microsoft Windows. The update applies to the following OS versions: Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium, Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates category. In order to help protect your computer against security threats and performance problems, we strongly recommend you to install this update.

Since public distribution of this Update through the official website https://www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all Microsoft Windows OS users.

As your computer is set to receive notifications when new updates are available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:

1. Run the file, that you have received along with this message.

2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings of your OS you have an indication to run all the updates at a background routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner

Director of Security Assurance

Microsoft Corp.

-----BEGIN PGP SIGNATURE-----

Version: PGP 7.1


-----END PGP SIGNATURE-----

The message carried an attachment named “KB266311.exe”.

I’ve heard of these before but I’ve never received one. Apparently the email was sent from “koln-5d8184e2.pool.einsundeins.de (93.129.132.226)”, which I suspect is a trojaned machine in Germany. In this case I’m pretty impressed with the email: it’s in plain text with the name of a real Microsoft employee, and it has a PGP signature (which tends to give credence to the email). On the other hand it has some grammatical errors (“Please notice that Microsoft company has…”, “We apologize for any inconvenience this back order may be causing you”) that give the scam away. I also don’t know what trojan was inside KB266311 because it was filtered by our email servers before it got to me.

For those who are wondering how I knew it came from koln-5d8184e2.pool.einsundeins.de, here’s what I did:

I started with the raw email headers (some servers and IP addresses obscured):

Received: from XXX.microsoft.com (n.n.n.n) by
YYY.microsoft.com (m.m.m.m) with Microsoft SMTP
Server (TLS) id 8.2.83.0; Sat, 11 Oct 2008 23:13:52 -0700
Received: from koln-5d8184e2.pool.einsundeins.de (93.129.132.226) by
ZZZ.microsoft.com (o.o.o.o) with Microsoft SMTP Server id
8.1.291.1; Sat, 11 Oct 2008 23:13:41 -0700
Received: from [93.129.132.226] by QQQ.hotmail.com; Sun, 12 Oct 2008 07:13:17
+0100
From: Microsoft <customerservice@microsoft.com>
To: <<Larry’s Email Address>>
Subject: Security Update for OS Microsoft Windows
Date: Sun, 12 Oct 2008 07:13:17 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000E_01C92C39.FF9CE480"
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6Q862Q89QD80AN22RHXR0U7WZ61==
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Message-ID: <01c92c39$ff9ce480$e284815d@60GC7Q>
Return-Path: 60GC7Q@hotmail.com
X-MS-Exchange-Organization-PRD: microsoft.com
Received-SPF: TempError (XXX.microsoft.com: error in
processing during lookup of customerservice@microsoft.com: DNS timeout)
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.7011.600;SV:3.3.7011.1437;SID:SenderIDStatus
TempError;OrigIP:93.129.132.226
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-SenderIdResult: TEMPERROR

RFC 2821 says that SMTP servers should prepend a Received: header to an email message whenever they process it, so the chain is read from the bottom (oldest hop) up. In this case the last email server was XXX.microsoft.com. XXX.microsoft.com received the message from YYY.microsoft.com, which in turn received the message from koln-5d8184e2.pool.einsundeins.de (einsundeins.de appears to be a German ISP). The next bit of the trace is confusing: the machine at 93.129.132.226 says that it received the message from QQQ.hotmail.com.

It’s possible that this spam email originated from hotmail, but I don’t think so. First off, as far as I know, you can’t relay through the hotmail SMTP servers, and the sender of the email is “customerservice@microsoft.com” (the sender is included in the Received-SPF header, which indicates that the “MAIL FROM” envelope sender in the SMTP exchange was “customerservice@microsoft.com”). Secondly, the hotmail servers don’t set the X-Mailer header, but this header indicates that it was sent from Outlook 2003. Instead, I think that the bottom Received: header was forged to throw off people trying to figure out where the email came from.
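As an added example (not from the post), here is a Python script that applies the same reading of the Received: chain to the headers above: walk down from the top, take the first hop stamped by one of the recipient’s own servers that names an outside host as the real entry point, and treat every hop below it as untrusted, checking whether it even agrees with the hop above. It assumes the recipient’s servers all share the microsoft.com suffix and re-folds the constructed header sample with the leading whitespace RFC 5322 requires.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the post's Received: chain, re-folded with the leading
# whitespace RFC 5322 requires (the blog rendering stripped it).
RAW_HEADERS = """\
Received: from XXX.microsoft.com (n.n.n.n) by
 YYY.microsoft.com (m.m.m.m) with Microsoft SMTP
 Server (TLS) id 8.2.83.0; Sat, 11 Oct 2008 23:13:52 -0700
Received: from koln-5d8184e2.pool.einsundeins.de (93.129.132.226) by
 ZZZ.microsoft.com (o.o.o.o) with Microsoft SMTP Server id
 8.1.291.1; Sat, 11 Oct 2008 23:13:41 -0700
Received: from [93.129.132.226] by QQQ.hotmail.com; Sun, 12 Oct 2008 07:13:17
 +0100

"""
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+([^\s;]+)", re.I)

def parse_hops(raw):
    """Received: hops newest-first (the order they appear in the header block)."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip()) if ";" in value else None
        hops.append({"from": m[1], "ip": m[2], "by": m[3], "when": when})
    return hops

def timestamps_monotonic(hops):
    """True if each hop's timestamp is no earlier than the hop below it."""
    times = [h["when"] for h in hops if h["when"]]
    return all(a >= b for a, b in zip(times, times[1:]))

def trace_origin(hops, trusted_suffix):
    """The first hop stamped by one of our own servers that names an outside
    sender is the real entry point; hops below it were written by machines we
    don't control and may be forged, so check whether they even agree with it."""
    for i, hop in enumerate(hops):
        ours = hop["by"].lower().endswith(trusted_suffix)
        if ours and not hop["from"].lower().endswith(trusted_suffix):
            below = hops[i + 1:]
            # A genuine upstream relay would have stamped itself as the host we
            # actually received from; the post's QQQ.hotmail.com hop does not.
            broken = bool(below) and below[0]["by"].lower() != hop["from"].lower()
            return {"origin": hop["from"], "ip": hop["ip"],
                    "untrusted_hops": len(below), "chain_broken": broken}
    return None
```

Note that the hop timestamps are mutually consistent, so timing alone would not have exposed the forged bottom header; the mismatch between what that header claims and what the first microsoft.com server actually saw is what gives it away.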

Needless to say, Microsoft will never EVER send a security update to customers by email, and customers should immediately delete any emails that claim to carry security fixes from Microsoft.