Support Intelligence

Wednesday, April 18, 2007

Company Profile: Conseco (NYSE: CNO)

At 4:07pm PDT today we received yet another spam from Conseco, specifically from the web server at 205.144.127.10, which has sent our traps some 296 spam messages in the last 30 days. Today it was Viagra links, yesterday HGH and OEM software, the day before that, image spam. The week of March 12th brought us transsexual pornography with subject lines like "Beusty Wkoman Srucks BIGFCOCK & Taitty Fjuck In Piool" and "Cjlassy Tdanned SHYEMALE Balowjob & Djoggystyle Feuck" (the scrambled spelling is the spammer's filter evasion, quoted as received).

Several of the lovely notes from the server at 205.144.127.10 carried additional Received: headers. According to those headers, the following machines relayed 6 of the 296 transactions through it:
  • Received: from 65.112.18.68 (HELO mrclean.mnimaging.com)
  • Received: from 208.180.123.23 (HELO mail.ftwoods.com)
  • Received: from 62.249.192.203 (HELO mx1.freeola.net)
  • Received: from 212.14.64.180 (HELO mail.ijb.de)
  • Received: from 217.12.160.3 (HELO smtp.yepa.com)
  • Received: from 64.71.166.217 (HELO sesmail-com-bk.mr.outblaze.com)
Forward and reverse DNS for these hosts do seem to match up, and none of them is listed on any DNS RBL we know of. The only oddity is that while each HELO name resolves forward to the IP address given, some of the reverse (PTR) records don't match the FQDN exactly, though they're close enough. Even so, this is not how SMTP relaying normally works.

With Nmap reporting every port on 205.144.127.10 as closed, I don't see how other servers could have proxied any of the spam through it. Therefore I'm going to call the headers in the 6 apparently proxied transactions forged. That is the expected outcome: every Received: line below the one our own trap stamped is part of the message the sending host handed us, and a spambot can write whatever it likes there. Only the topmost header, which our MX added with the actual connecting address, is trustworthy, and a host with no listening ports can still originate outbound SMTP, which is exactly what an infected box does.
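The triage described above, as an added example that is not Support Intelligence's code: walk the Received: chain top-down, trust only the hops stamped by our own MX, and run the same forward/reverse DNS consistency check on the sender-supplied hops (the check also covers the conseco.com PTR-versus-A comparison made below). The sample message, the trap MX name trap-mx.example.net, and the canned DNS answers are constructed assumptions; a live resolver is included for real use.

```python
"""Triage the Received: chain of a spam sample (added example)."""
import re
import socket
from email import message_from_string

# Constructed sample mimicking the post: our trap MX took the message
# straight from 205.144.127.10; the second Received: line arrived inside
# the message and claims an earlier hop. trap-mx.example.net is assumed.
SAMPLE = """\
Received: from 205.144.127.10 (HELO conseco.com)
  by trap-mx.example.net with SMTP; 18 Apr 2007 23:07:12 -0000
Received: from 65.112.18.68 (HELO mrclean.mnimaging.com)
  by 205.144.127.10 with SMTP; 18 Apr 2007 23:05:00 -0000
From: nobody@example.org
Subject: test

body
"""

OUR_MX = {"trap-mx.example.net"}  # hosts whose Received: lines we wrote ourselves

# qmail-style "from <ip> (HELO <name>) by <host>", the format quoted in the post
RECEIVED_RE = re.compile(
    r"from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(HELO\s+(?P<helo>[^)\s]+)\)"
    r".*?\bby\s+(?P<by>\S+)")

def parse_received(value):
    """Pull connecting IP, HELO name and receiving host out of one header."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    return m.groupdict() if m else None

def split_chain(raw):
    """Walk Received: headers top-down (newest first). Hops are trusted only
    while they were stamped by one of OUR hosts; the first hop stamped by
    anyone else, and everything below it, was supplied by the sender."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted, untrusted = [], []
    still_ours = True
    for hop in hops:
        if hop is None or hop["by"] not in OUR_MX:
            still_ours = False
        (trusted if still_ours else untrusted).append(hop)
    return trusted, untrusted

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Standard RBL query form: reversed octets under the zone (A answer = listed)."""
    return ".".join(reversed(ip.split("."))) + "." + zone

class StaticResolver:
    """Canned DNS answers so the check runs offline (assumed, not observed data)."""
    def __init__(self, forward, reverse):
        self.forward, self.reverse = forward, reverse
    def addresses(self, name):
        return self.forward.get(name, [])
    def ptr(self, ip):
        return self.reverse.get(ip)

class LiveResolver:
    """Same interface backed by the system resolver."""
    def addresses(self, name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []
    def ptr(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None

def helo_consistent(ip, helo, resolver):
    """Forward-confirmed reverse DNS: HELO name resolves to the connecting IP
    and the IP's PTR is that name or at least shares its domain. Passing
    says nothing about whether the hop actually happened."""
    forward_ok = ip in resolver.addresses(helo)
    ptr = resolver.ptr(ip)
    domain = ".".join(helo.split(".")[-2:])
    reverse_ok = ptr is not None and (ptr == helo or ptr.endswith("." + domain))
    return forward_ok and reverse_ok

def triage(raw, resolver):
    """Hops we stamped are facts; sender-supplied hops get the DNS check but
    are flagged as unverifiable either way."""
    trusted, untrusted = split_chain(raw)
    report = [{"ip": h["ip"], "helo": h["helo"], "verdict": "observed by our MX"}
              for h in trusted]
    for hop in untrusted:
        if hop is None:
            report.append({"verdict": "unparseable sender-supplied header"})
            continue
        ok = helo_consistent(hop["ip"], hop["helo"], resolver)
        report.append({"ip": hop["ip"], "helo": hop["helo"],
                       "dnsbl": dnsbl_query_name(hop["ip"]),
                       "verdict": "sender-supplied, DNS-consistent but unverifiable"
                       if ok else "sender-supplied, DNS-inconsistent"})
    return report

# Assumed answers matching what the post reports for mrclean.mnimaging.com.
CANNED = StaticResolver(forward={"mrclean.mnimaging.com": ["65.112.18.68"]},
                        reverse={"65.112.18.68": "mrclean.mnimaging.com"})

if __name__ == "__main__":
    for row in triage(SAMPLE, CANNED):
        print(row)
```

Swap CANNED for LiveResolver() to run against real DNS; the RBL name is returned rather than queried so the script stays offline, but resolving it with LiveResolver().addresses() is the actual listing check.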

My best guess is that the host is a decommissioned web server for conseco.com: its reverse DNS points to conseco.com, but the forward DNS for conseco.com has an A record of 205.144.125.110. Since these differ, and 205.144.125.110 is also associated with 10 or so other names, I can imagine a transition that simply left the old conseco.com web server dangling.

This server has been infected for over a month and sits on the same /24 as all of the company's other main resources. We will come back and review this one again in a week or so and see if anyone has cleaned it up.


© Copyright 2006 Support Intelligence, LLC • All rights reserved