Hard, harder, hardest
Ok, this is not a "tale", but is something I wanted to put down in writing.
I got a mail from one of our user from the Finance Department, she was lamenting the fact that the mails from one of their "consulting" companies (from Germany, of course, 'cause they have to bend to the Great German Owner) keeps being stuffed in the 'quarantine' box by the antispam, despite repeated attempt at training the antispam that no, those mails are legit. And the user is kinda tired to fish them out of the quarantine box.
These kind of problems would be the realm of "user support" and as such my colleague should deal with them, but apparently he couldn't figure it out and the standard solution of "click on the 'this is not spam' link" in the mail didn't worked very well.
He also explained (twice, with drawings) how to configure outlook to auto-fish the mails and put them in the right box but she doesn't seems to get it.
And now, the colleague is in holiday, so I decide to have a crack at it. Fish out the mail from the box and take a look.
So...
The "From" address contains randoms numbers, letters and stuff.
The "Subject" also seems to contains random numbers and letters.
The "User-Agent" says "Drupal v1"
The "Content-Type" is obviously "multipart/html" because why not?
It does contains a bunch of images, logos and crap.
It does have embedded documents.
Plain text is less than 10% of the total.
The server that started the whole thing was called "localhost.locadomain" sure.
The server had also an ip address in the 192.168.x.y range. Obviously.
The fishy-looking relay server was named "webserver081094"
The fishy-looking relay server doesn't have a reverse-IP.
The fishy-looking relay server is hosted on AWS/Google/Whatthefuck.
If I was the antispam, I'd say this is most probably spam.
At this point I go checking the "whitelist" and, as expected, it contains already 79 entries related to these peoples, since every time there is a random "from" address and a different "source" IP.
After checking around (for as much as I can check without using truth serum or torture) that these mail are actually legit, I zap all the existing entries and then add a blanket entry for the whole domain, in the hope that whoever is managing that crap can actually keep its drupal thing clean of more junk. But if I have to judge by how they send mail we have less chances than a fart in a tornado.
But this made me think...
We're in 2020 (or will be when you're going to read this stuff), is not that spam happened yesterday, it's about 30 years we're wading through it, how is that there are still peoples that does this kind of stuff?
I mean, even the real spammers have figured out that the best way is to at least try to look legit, while those peoples, that are probably well paid to do... whatever they're doing, aren't event trying. If they are, they are trying the opposite.
Is it so fucking difficult to give that piece of crap machine a decent-sounding name? Can't they add a reverse-ip for the relay? And can't they actually use a real relay instead of whatever is that thing? And do they really need to send this garbage by mail instead of using any of the thousands of "document sharing" system? And how about using SMTP instead of Drupal to send mail?
And since they are sending stuff like this, the users are complaining and then the admins are forced to use "blanket" pass rules that ends up letting actual spam through.
There should be a punishment for these kind of behavior, that lower the general 'security' level for everybody else. I mean, we do have fines for "wreckless driving" already, when you do shit that is not completely illegal but still kinda dangerous, why there isn't a fine for "wreckless sysadminning"?
Davide
17/07/2020 09:54
