Blog for hpHosts, and whatever else I feel like writing about ....

Thursday, 25 June 2009

AS28840 involved in spambot activity

No surprises here I'm afraid, AS28840 is a Russian outfit known as "OAO TATTELECOM", with the routes (amongst others);

A little basic research shows that the IP that sent me the spam (which I'll get to in a second, as it is rather funny) is known to ProjectHoneyPot and flagged by them as "Suspicious";

Given the information at PHP, it looks like a mail server, and I find it very difficult to believe that it's a compromised one, especially given its location (perhaps I'm being too suspicious there? time will tell), and one or two of the other IP blocks owned by this company have also been involved in malicious activity.

What is rather strange is that, other than the ProjectHoneyPot entry, I couldn't identify any other information referencing as being malicious, though I easily found several references to other net blocks owned by this AS in various places such as,

So what of the e-mail itself? Well in this case, though boring as the tracks stop there, the linky in the e-mail is to - Google (Outlook stripped the HTML, so presumably it didn't originally - one of these days Outlook will actually take notice of the options I've got set).

And yep, the headers are child's play to interpret too: one single fake "From" line, and that's it.

Delivered-To: [REMOVED]
X-FDA: 62387961720
X-Panda: scanned!
X-Filterd-Recvd-Size: 2294
Received: from (unknown [])
by (Postfix) with ESMTP
for <[REMOVED]>; Thu, 25 Jun 2009 17:52:58 +0000 (UTC)
Received: from by; Thu, 25 Jun 2009 20:52:58 +0300 <---FAKE
From: "Joaquin Haney" <>
Subject: About Us
Date: Thu, 25 Jun 2009 20:52:58 +0300
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6QC14UYO5I7KFTGN0RMR9IYT63Z==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2663
Message-ID: <01c9f5d6$eb861810$b3aa8a4e@iydc>
X-EsetId: 81896726F0AC3331D7CD
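The reading above (trust only the Received line your own MTA wrote, treat everything below it as the sender's claim) can be mechanised. This is an added example, not code from the hpHosts post; every host name and IP in it is a constructed placeholder, since the post's real values were stripped, and the chain check it applies is the usual "each lower hop must claim to be received by the host the hop above says it came from".

```python
import email
import re

# Constructed sample modelled on the post's headers; every host name and IP is
# a placeholder (the post's real values were stripped), not the original data.
RAW_MESSAGE = (
    "Received: from smtp.sender.invalid (unknown [198.51.100.23])\n"
    "\tby mail.example.invalid (Postfix) with ESMTP\n"
    "\tfor <victim@example.invalid>; Thu, 25 Jun 2009 17:52:58 +0000 (UTC)\n"
    "Received: from joaquin-pc by relay.forged.invalid; "
    "Thu, 25 Jun 2009 20:52:58 +0300\n"
    'From: "Joaquin Haney" <haney@forged.invalid>\n'
    "Subject: About Us\n\nbody\n"
)

HOP_RE = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def parse_received(value):
    """One Received header -> claimed 'from' host, 'by' host, bracketed IP."""
    text = " ".join(value.split())                 # unfold continuation lines
    clauses = text.rpartition(";")[0] or text      # drop the trailing date
    hop = HOP_RE.search(clauses)
    ip = IP_RE.search(clauses)
    return {
        "from": hop.group("frm") if hop else None,
        "by": hop.group("by") if hop else None,
        "ip": ip.group(1) if ip else None,
    }


def analyse_chain(raw, our_mta):
    """Walk Received headers top-down. Only the hop written by our own MTA is
    trusted; each lower hop should say it was received 'by' the host the hop
    above says it came 'from'. Anything else is a bare claim or a forgery."""
    msg = email.message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    report = []
    for i, hop in enumerate(hops):
        if i == 0:
            status = "trusted" if hop["by"] == our_mta else "untrusted-top"
        elif hop["by"] == hops[i - 1]["from"]:
            status = "unverified"     # plausible, but nobody we trust wrote it
        else:
            status = "inconsistent"   # the tell: 'by' host does not match
        report.append((hop["from"], hop["by"], status))
    return report


def sender_ip(raw):
    """The one IP worth looking up (the post checks it at ProjectHoneyPot):
    the bracketed address our MTA recorded on the trusted top hop."""
    received = email.message_from_string(raw).get_all("Received", [])
    return parse_received(received[0])["ip"] if received else None
```

Note that the timestamps alone would not have caught the forged line, since 20:52:58 +0300 and 17:52:58 +0000 are the same instant; the position below the trusted hop is what makes it untrustworthy.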

