[hashcash] example of bot mail sending forged hashcash
- From: Adam Back <adam@xxxxxxxxxxxxxxx>
- To: hashcash <hashcash@xxxxxxxxxxxxx>
- Date: Thu, 23 Dec 2004 08:05:53 -0500
Interesting, I got the below report of bot mail with attached probable
virus payload which actually has forged version 0 hashcash attached.
Forged in the sense that if you verify the stamps they are not valid.
So clearly it won't fool spamassassin or any client that looks at that
stamp, but one presumes the bot author was attempting to gather a
veneer of legitimacy (or attempting to discredit hashcash by
associating with viruses). Who knows.
Adam
----- Forwarded message from "Dave." <webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx> -----
X-Original-To: adam@xxxxxxx
Delivered-To: adam@xxxxxxxxxxxx
From: "Dave." <webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
To: "Adam Back" <adam@xxxxxxxxxxxxxxx>
Subject: Re: Hashcash - Spammers - VIRUS
Date: Thu, 23 Dec 2004 12:53:35 -0000
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Scanned-By: MIMEDefang 2.43
X-AOL-IP: 195.93.52.87
Hello Adam,
Many thanks for your prompt reply.
I have no objection to you sharing the contents with the development list,
if you think it would help.
>Or does the mail look like it is written by a bot?
I have no idea if the emails have been written by a bot or a human. I do not
have the technical knowledge to even know the difference.
The four emails all had the same Subject line:
Osama Bin Laden Captured
All had the same text in the main window:
Hi dude! The pass is 12345
All had the same attachment, but these were called by different names, but
were exactly the same size as a Zip file with a .scr file inside. The size
is 24.3k
Below, are the other 3 sets of headers.
Thanks again for taking time to investigate.
Cheers
Dave.
HEADERS:
Return-Path: <swallowtailufdhbbjbfd@xxxxxxxxxx>
Received: from adsl-68-123-38-141.dsl.sktn01.pacbell.net
(adsl-68-123-38-141.dsl.sktn01.pacbell.net [68.123.38.141])
by ns2.joshuainternet.net (8.10.2-SOL3/8.10.2) with SMTP id iBMIa6t23742;
Wed, 22 Dec 2004 18:36:06 GMT
Received: from 51.17.192.148 by 68.123.38.141; Wed, 22 Dec 2004 21:33:19
+0300
Message-ID: <QJOHGPFNBUWOWDBFOAIT@xxxxxxx>
From: "Lacy" <swallowtailufdhbbjbfd@xxxxxxxxxx>
Reply-To: "Lacy" <swallowtailufdhbbjbfd@xxxxxxxxxx>
To: webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: Osama Bin Laden Captured
Date: Thu, 23 Dec 2004 00:29:19 +0600
X-Mailer: Outlook Express
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--=_NextPart_000_0022_303Y03.9468PWA01"
X-Priority: 3
X-Mailer: Outlook Express
X-Hashcash:
0:041222:webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx:108007m5337r15702e6195a571
X-UIDL: al3!!b-d!!lF)!!RUo!!
Status: RO
Return-Path: <gortonhpobefdc@xxxxxxxxxx>
Received: from adsl-68-123-38-141.dsl.sktn01.pacbell.net
(adsl-68-123-38-141.dsl.sktn01.pacbell.net [68.123.38.141])
by ns2.joshuainternet.net (8.10.2-SOL3/8.10.2) with SMTP id iBMIZwt23738
for <webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx>; Wed, 22 Dec 2004 18:35:58 GMT
Received: from 71.139.23.60 by 68.123.38.141; Wed, 22 Dec 2004
14:30:11 -0400
Message-ID: <FYKEEOKWCWKKPKIWXHSEXGP@xxxxxxxxxx>
From: "Marissa" <gortonhpobefdc@xxxxxxxxxx>
Reply-To: "Marissa" <gortonhpobefdc@xxxxxxxxxx>
To: webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: Osama Bin Laden Captured
Date: Wed, 22 Dec 2004 23:34:11 +0500
X-Mailer: Outlook Express
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--=_NextPart_000_0018_881R5954.896615GNA7514"
X-Priority: 3
X-Mailer: Outlook Express
X-Hashcash:
0:041222:webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx:784924o8121g72403k2961m517
X-UIDL: 5n`"!`'9"!E>e"!PH9!!
Status: RO
Return-Path: <anglicanlswdzzthrc@xxxxxxx>
Received: from adsl-68-123-38-141.dsl.sktn01.pacbell.net
(adsl-68-123-38-141.dsl.sktn01.pacbell.net [68.123.38.141])
by ns2.joshuainternet.net (8.10.2-SOL3/8.10.2) with SMTP id iBMIZpt23729
for <webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx>; Wed, 22 Dec 2004 18:35:52 GMT
Received: from 227.129.111.184 by 68.123.38.141; Wed, 22 Dec 2004
15:30:04 -0300
Message-ID: <NTZCDABTSXRJJXOMMTNCKIPHO@xxxxxxxxxxxxxxxxx>
From: "Christopher" <anglicanlswdzzthrc@xxxxxxx>
Reply-To: "Christopher" <anglicanlswdzzthrc@xxxxxxx>
To: webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: Osama Bin Laden Captured
Date: Wed, 22 Dec 2004 15:34:04 -0300
X-Mailer: Outlook Express
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="--=_NextPart_000_0076_41X430.719BMY00"
X-Priority: 3
X-Mailer: Outlook Express
X-Hashcash:
0:041222:webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx:958668d1083m63073v4397f556
X-UIDL: Re+!!6KA"!=o]!!Ap%"!
Status: RO
END
----- Original Message -----
From: "Adam Back" <adam@xxxxxxxxxxxxxxx>
To: "Dave." <webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Cc: "Adam Back" <adam@xxxxxxxxxxxxxxx>
Sent: Thursday, December 23, 2004 12:07 AM
Subject: Re: Hashcash - Spammers - VIRUS
>Hello, thank you for the report.
>
>It is very interesting and the first I have seen. Would you mind if I
>share the contents of your email with the hashcash development list?
>
>
>I checked the hashcash header and it appears to be a forgery. The
>hashcash stamps have a checksum and the checksum fails. The format is
>also slightly different from that created by any of the existing
>hashcash clients.
>
>It would be useful to see the headers of the other messages you
>received.
>
>If I could ask also do the contents of the mails appear to be sent by
>real humans (ie people you would recognize and text they would likely
>have written) who are unsuspecting victims of virus distributors? (I
>believe that as a result of a recent trend, now it is the case that
>most spam is sent by unsuspecting victim's desktop computers infected
>with spam sending virus software).
>
>Or does the mail look like it is written by a bot?
>
>
>
>Technically, for your information, to verify hashcash requires more
>than checking for the existence of the header. Anti-spam systems that
>support hashcash such as spamassassin verify the checksum and would
>reject the below email.
>
>What hashcash does (when the recipient verifies the checksum in the
>stamp) is prove that the sender spent some non-negligible amount of
>compute time computing the stamp. A sufficient amount of time to slow
>down and reduce the amount of spams a spammer could send.
>
>(Of course if the checksum is not checked the header can be forged and
>cheaply created).
>
>Adam
>
>On Wed, Dec 22, 2004 at 11:10:03PM -0000, Dave. wrote:
>>Dear Sir,
>>
>>Having received FOUR emails from apparently four different people, all
>>with HASHCASH in the headers, I thought I should investigate, as I have
>>never seen this before.
>>
>>The four emails I got, all had an identical attachment, which I know is a
>>VIRUS.
>>
>>I show One set of headers below, but I DO NOT send the virus attachment.
>>
>>Return-Path: <greedjacqaawnk@xxxxxxxxxxxx>
>>Received: from adsl-68-123-38-141.dsl.sktn01.pacbell.net
>>(adsl-68-123-38-141.dsl.sktn01.pacbell.net [68.123.38.141])
>> by ns2.joshuainternet.net (8.10.2-SOL3/8.10.2) with SMTP id
>>iBMIaHt23769;
>> Wed, 22 Dec 2004 18:36:17 GMT
>>Received: from 89.80.185.254 by 68.123.38.141; Wed, 22 Dec 2004
>>15:29:30 -0300
>>Message-ID: <MQQOUMBDSSQAJGGILSYOF@xxxxxxxx>
>>From: "Faye" <greedjacqaawnk@xxxxxxxxxxxx>
>>Reply-To: "Faye" <greedjacqaawnk@xxxxxxxxxxxx>
>>To: webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx
>>Subject: Osama Bin Laden Captured
>>Date: Wed, 22 Dec 2004 15:30:30 -0300
>>X-Mailer: Outlook Express
>>MIME-Version: 1.0
>>Content-Type: multipart/mixed;
>> boundary="--=_NextPart_000_0081_67XY042.896433QPG579"
>>X-Priority: 3
>>X-Mailer: Outlook Express
>>X-Hashcash:
>>0:041222:webmaster@xxxxxxxxxxxxxxxxxxxxxxxxxxx:775325l7460d72482u8737r125
>>X-UIDL: C&f"!A^#"!n%I!!2lH"!
>>Status: RO
>>
>>Having looked at your website, and correct me if I am wrong, it appears
>>to say that people using Hardcash in Emails, will help the email beat the
>>system and get through to the end user - MEANING THAT ANYONE CAN USE THE
>>HARDCASH TO MAKE SURE THEY GET AS NEAR AS POSSIBLE TO CAUSING CHAOS IN
>>THE END USER'S COMPUTER.
>>
>>Any help you can give to STOP such emails getting through would be great.
>>After all, your Hashcash will only get a BAD name from the millions of
>>people wanting the web kept clean.
>>
>>I look forward to any response.
>>
>>Regards
>>
>>David Paxton
>>Webmaster.
>
----- End forwarded message -----
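
Added example, not part of the original thread and not code from any hashcash client: a minimal check of a version 0 stamp (`0:YYMMDD:resource:rand`), showing why the presence of an X-Hashcash header proves nothing until the SHA-1 of the stamp is tested for leading zero bits. The address `webmaster@example.org` is constructed (the real one is redacted in the archive), and the 20-bit threshold, 28-day window and 2-day clock-skew allowance are assumptions; double-spend tracking is omitted.

```python
import hashlib
from datetime import date, datetime
from itertools import count

ADDRESS = "webmaster@example.org"  # constructed; the archived address is redacted
# Random field copied from one reported header, attached to the constructed address.
FORGED = "0:041222:" + ADDRESS + ":108007m5337r15702e6195a571"

def leading_zero_bits(stamp: str) -> int:
    """Leading zero bits of SHA-1(stamp): the work the stamp actually proves."""
    digest = hashlib.sha1(stamp.encode("utf-8")).digest()
    return 160 - int.from_bytes(digest, "big").bit_length()

def check_v0(stamp, my_address, today, min_bits=20, max_age_days=28):
    """Return (accepted, reason) for a version 0 stamp."""
    fields = stamp.strip().split(":")
    if len(fields) != 4 or fields[0] != "0":
        return False, "not a version 0 stamp"
    _, yymmdd, resource, _rand = fields
    try:
        minted = datetime.strptime(yymmdd, "%y%m%d").date()
    except ValueError:
        return False, "bad date field"
    age = (today - minted).days
    if age > max_age_days or age < -2:  # assumed validity window and skew
        return False, "stamp outside validity window"
    if resource.lower() != my_address.lower():
        return False, "stamp is for a different recipient"
    bits = leading_zero_bits(stamp)
    if bits < min_bits:
        return False, f"only {bits} zero bits, need {min_bits}"
    return True, f"{bits} zero bits"

def mint_v0(resource, day, bits):
    """Sender side: try counters until the hash has enough zero bits."""
    prefix = f"0:{day:%y%m%d}:{resource}:"
    for n in count():
        stamp = f"{prefix}{n:x}"
        if leading_zero_bits(stamp) >= bits:
            return stamp

if __name__ == "__main__":
    today = date(2004, 12, 23)
    print("forged-style stamp:", check_v0(FORGED, ADDRESS, today))
    real = mint_v0(ADDRESS, today, 12)  # 12 bits keeps the demo fast
    print("minted stamp:", real, check_v0(real, ADDRESS, today, min_bits=12))
```

A stamp with an arbitrary random field reaches 20 zero bits only with probability 2^-20, so a filter that hashes the stamp rejects it, while one that only looks for the header name accepts it.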