Unsolicited Email Advisory

The inbred miscreants that deluge the Internet with unsolicited email (SPAM) have recently been sending emails that appear to be coming from dwtreaclem@treacle.com.

  1. There is no such person or email address on this system.
  2. The email did not come from this network.
  3. The return address was spoofed (forged), as the example below shows.

    Return-Path: <dwtreaclem&treacle.com>
    Received: (qmail 3220 invoked from network); 26 Jun 2008 23:59:59 -0700
    Received: from unknown (HELO ?87.103.232.1?) (87.103.232.1)     (1)
      by rothackeradv.com with SMTP; 26 Jun 2008 23:59:59 -0700
    Received: from [87.103.232.1] by mail.treacle.com; Fri, 27 Jun 2008 15:59:59 +0900   (2)
    Date: Fri, 27 Jun 2008 15:59:59 +0900
    From: "Lenore Weber" <dwtreaclem@treacle.com>   (3)
    X-Mailer: The Bat! (v2.00.8) Educational
    Reply-To: dwtreaclem@treacle.com    (4)

  1. Actual source of the email
  2. Actual source IP address with spoofed email server name
  3. Spoofed "From"
  4. Spoofed "Reply-To"
In this example, the email was sent by IP address 87.103.232.1, which is likely an insecurely configured mail server, a compromised (hacked) server, or an infected computer. The IP address resolves to ns.chittel.ru (Russia).
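The numbered notes above amount to a procedure: walk the Received chain from the top, stop at the hop our own server wrote, take the peer IP it recorded, and treat everything below that hop (the "by mail.treacle.com" line) as sender-supplied text that may be forged. The Python script below is an added example that automates exactly that; it is not part of the advisory. It assumes rothackeradv.com is our MTA, treacle.com is our sender domain, and uses an RFC 5737 documentation netblock (192.0.2.0/24) as a stand-in for our address space, since the advisory does not list the real netblocks.

```python
import ipaddress
import re
from email import message_from_string

# The headers quoted in the advisory above, used here as sample input.
SAMPLE_HEADERS = """Return-Path: <dwtreaclem@treacle.com>
Received: (qmail 3220 invoked from network); 26 Jun 2008 23:59:59 -0700
Received: from unknown (HELO ?87.103.232.1?) (87.103.232.1)
  by rothackeradv.com with SMTP; 26 Jun 2008 23:59:59 -0700
Received: from [87.103.232.1] by mail.treacle.com; Fri, 27 Jun 2008 15:59:59 +0900
Date: Fri, 27 Jun 2008 15:59:59 +0900
From: "Lenore Weber" <dwtreaclem@treacle.com>
X-Mailer: The Bat! (v2.00.8) Educational
Reply-To: dwtreaclem@treacle.com
"""

# Assumed local infrastructure: only the host and domain names appear in the
# advisory; the netblock is an RFC 5737 documentation range used as a stand-in.
OUR_MTAS = {"rothackeradv.com"}
OUR_DOMAINS = {"treacle.com"}
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
ADDR_RE = re.compile(r"<?([\w.+-]+@[\w.-]+)>?")


def extract_address(value):
    """Pull the bare address out of a From:/Reply-To: header value."""
    m = ADDR_RE.search(value or "")
    return m.group(1).lower() if m else None


def is_ipv4(text):
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address)
    except ValueError:
        return False


def analyze_headers(raw):
    msg = message_from_string(raw)
    # Received headers are read top-down: the top one was added last, by the
    # final MTA, and every line below the hop our own server wrote is
    # sender-supplied text that may be forged (like the "by mail.treacle.com" hop).
    received = [" ".join(str(h).split()) for h in msg.get_all("Received") or []]
    origin_ip = None
    trusted_index = None
    for i, hop in enumerate(received):
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in OUR_MTAS:
            continue  # qmail's own "invoked from network" line has no by-clause
        # The connecting peer's IP is the last address our MTA recorded before
        # its own name; the HELO string preceding it is chosen by the sender.
        ips = [ip for ip in IPV4_RE.findall(hop[: by.start()]) if is_ipv4(ip)]
        if ips:
            origin_ip = ips[-1]
        trusted_index = i
        break

    from_address = extract_address(msg.get("From"))
    reply_to = extract_address(msg.get("Reply-To"))
    from_domain = from_address.split("@", 1)[1] if from_address else None
    origin_internal = origin_ip is not None and any(
        ipaddress.ip_address(origin_ip) in net for net in OUR_NETWORKS
    )
    return {
        "origin_ip": origin_ip,
        "trusted_hop_index": trusted_index,
        "untrusted_hops": received[trusted_index + 1:] if trusted_index is not None else received,
        "from_address": from_address,
        "reply_to": reply_to,
        # A local sender domain arriving from outside our netblocks is spoofed.
        "spoofed_local_sender": from_domain in OUR_DOMAINS and not origin_internal,
    }


if __name__ == "__main__":
    result = analyze_headers(SAMPLE_HEADERS)
    print(f"origin IP as seen by our MTA: {result['origin_ip']}")
    print(f"hops below the trusted boundary (sender-supplied): {len(result['untrusted_hops'])}")
    print(f"From / Reply-To: {result['from_address']} / {result['reply_to']}")
    print(f"spoofed local sender: {result['spoofed_local_sender']}")
```

Run against the advisory's headers it reports 87.103.232.1 as the origin, one hop below the trusted boundary, and flags the message as a spoofed local sender. The key design point is that the trust boundary is found by the "by" clause naming our own MTA, not by position: a sender can prepend as many plausible-looking Received lines as it likes, but it cannot alter the one our server appends on delivery.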

Bounces (undeliverable or rejected emails) sent to the spoofed return address are typically rejected by this mail server. Four that were accepted were examined to determine the SPAM source IP addresses, which are listed below:

83.174.230.70   h83-174-230-70.adsl.ufamts.ru. (Russia)
77.120.128.162  ds-nat-128-162.datasvit.net. (Russia)
90.188.10.75    90.188.10-75.xdsl.ab.ru (Russia)
217.170.220.40  host-217-170-220-40.arctel.ru (Russia)

There appears to be a large volume of SPAM with a spoofed return address of dwtreaclem@treacle.com, based on the increase in DNS queries and SMTP rejections seen in the server logs. As a result, the firewall drops traffic from a number of netblocks, and the email server will reject email from additional netblocks and known sources of SPAM.