Support Intelligence

Thursday, April 12, 2007

Business Week wants me to become a better lover?!?

We've been collecting spam from a corporate e-mail gateway (205.142.53.51) over at Business Week, which is owned by McGraw-Hill. McGraw-Hill announces the 205.142.52.0/22 block (assigned by ARIN to Businessweek Corporation; the record is at the end of this post) from AS 4546.

This particular computer is one of Business Week's outbound mail gateways, better known as mail03-1.mcgraw-hill.com. It's been showering our traps with subjects like "Become a better lover" and "Enjoy complete and total confidence every time". The gateway itself isn't botted; it's an IronPort appliance (Cisco announced its acquisition of IronPort in early 2007) doing exactly what an outbound relay is built to do: accept mail from inside the perimeter and forward it. So where is the spam coming from? The Received headers answer that. The gateway accepted each message over ESMTP from an internal host, bw-www2-hts.mcgraw-hill.com, at the RFC 1918 address 172.16.40.20. The hop below that shows the message being submitted locally on that web server by sendmail 8.11.7 as the user busweek ("Received: (from busweek@localhost)"), and the sendmail queue ID in that hop (l37Dtc705382) reappears in the Message-Id. Whatever is generating these messages is therefore running on bw-www2-hts itself, with the rights of the web application account; the headers alone don't say whether the box was broken into or a web-to-mail form on it is being abused, but either way the output is the same. An outbound gateway trusts everything in the internal address space by design, so one misbehaving web server turns the company's own anti-spam appliance into its spam relay.

This all sounds very complicated. It gets worse: other business units have compromised web servers doing the same thing. Spam is generated on a compromised internal system and leaves through the company's own outbound mail path, in Business Week's case an IronPort anti-spam appliance, which dutifully relays it to the world.

One of the other systems that caught our eye is corona.eppg.com, which produced subjects like "Obesity is the number one cause of premature death in Americans". Its headers show the same local sendmail submission, this time under the account passkeylearning.com, and the mail reached our traps from 198.45.24.235 with a HELO of corona.eppg.com. That address sits in a block registered to "Macmillan/McGraw-Hill School Publishing Company", which publishes K-6 schoolbooks. That's friggin' kindergarten through 6th grade books. Do you think they interact with kids over their website? Yep, the kiddies log in at http://glencoe.passkeylearning.com/LoginController

These computers have been spewing spam for some time now, and I'd like to know whether they also have keyloggers running on them; a web server that is sending spam under its own application account is not a box anyone should be trusting with a login form. We doubt we'll hear from their systems administrators. We wrote this post because we couldn't figure out how to report instances like this. Hey, Mr. Business Week, you got 0wned!

A set of e-mail headers from one of the ~100 messages we analyzed. This sample left through a sibling gateway, mail04-1.mcgraw-hill.com (205.142.53.65). The X-SENDER-IP, X-ENVELOPE and X-HELO lines at the top record the SMTP envelope as our trap saw it and are not part of the original message.

X-SENDER-IP: 205.142.53.65
X-ENVELOPE: EHLO mail04-1.mcgraw-hill.com
MAIL FROM:
RCPT TO:
X-HELO: mail04-1.mcgraw-hill.com
X-UUID: 7ce71508-07ab-4427-bafd-cdd5fa56d7fa
X-ECP: McGrawHill
Received: from unknown (HELO bw-www2-hts.mcgraw-hill.com) ([172.16.40.20])
    by mail04-1.mcgraw-hill.com with ESMTP; 07 Apr 2007 09:56:20 -0400
X-IronPort-AV: i="4.14,384,1170651600";
    d="scan'208"; a="13150503:sNHT79478476"
Received: (from busweek@localhost)
    by bw-www2-hts.mcgraw-hill.com (8.11.7p1+Sun/8.11.7) id l37Dtc705382;
    Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Date: Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Message-Id: <200704071355.l37dtc705382@bw-www2-hts.mcgraw-hill.com>
To: bwwebmaster@businessweek.com
From: planet8094@businessweek.com
Content-Transfer-Encoding: 7bit
Content-Type: text/plain
Subject: An all natural solution that studies prove works wonders


Headers from another message, this one generated on the server behind PASSKEYLEARNING.COM:


X-SENDER-IP: 198.45.24.235
X-ENVELOPE: EHLO corona.eppg.com
MAIL FROM:
RCPT TO:
X-HELO: corona.eppg.com
X-UUID: 5aa1d38b-fb32-4ac6-8aac-8ad1845c09eb
X-ECP: McGrawHill
Received: (from passkeylearning.com@localhost)
    by corona.eppg.com (8.11.7p3+Sun/8.10.2) id l2BDxSl23545;
    Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
Date: Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
From: passkeylearning.com@corona.eppg.com
Message-Id: <200703111359.l2bdxsl23545@corona.eppg.com>
To:
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain
Subject: Obesity is the number one cause of premature death in Americans
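Tracing the Received chain by hand works for two messages; for a hundred you script it. The following Python is an added example, not code from the original post or from Support Intelligence. It embeds the two header sets above as constructed samples (trap-added X-* lines dropped, continuation lines re-indented so a parser can unfold them), walks the Received: hops oldest-first, recognizes sendmail's local-submission form "(from user@localhost)" and the SMTP relay form with a bracketed IP, flags relay addresses in RFC 1918 space, and reports the host the mail was injected on and the gateway it left through. The regexes and the field names it returns are my own choices, not anything from the page.

```python
"""Walk a spam sample's Received: chain back to the host that injected it."""
import ipaddress
import re
from email.parser import HeaderParser

# Constructed sample: the Business Week headers quoted in this post, minus the
# trap-added X-* envelope lines, with continuation lines re-indented.
BUSINESSWEEK_SAMPLE = """\
Received: from unknown (HELO bw-www2-hts.mcgraw-hill.com) ([172.16.40.20])
  by mail04-1.mcgraw-hill.com with ESMTP; 07 Apr 2007 09:56:20 -0400
X-IronPort-AV: i="4.14,384,1170651600";
  d="scan'208"; a="13150503:sNHT79478476"
Received: (from busweek@localhost)
  by bw-www2-hts.mcgraw-hill.com (8.11.7p1+Sun/8.11.7) id l37Dtc705382;
  Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Date: Sat, 7 Apr 2007 09:55:38 -0400 (EDT)
Message-Id: <200704071355.l37dtc705382@bw-www2-hts.mcgraw-hill.com>
To: bwwebmaster@businessweek.com
From: planet8094@businessweek.com
Subject: An all natural solution that studies prove works wonders
"""

# Constructed sample: the corona.eppg.com headers quoted in this post.
PASSKEY_SAMPLE = """\
Received: (from passkeylearning.com@localhost)
  by corona.eppg.com (8.11.7p3+Sun/8.10.2) id l2BDxSl23545;
  Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
Date: Sun, 11 Mar 2007 08:59:28 -0500 (CDT)
From: passkeylearning.com@corona.eppg.com
Message-Id: <200703111359.l2bdxsl23545@corona.eppg.com>
Subject: Obesity is the number one cause of premature death in Americans
"""

# sendmail's local-submission form: "(from user@localhost)".
LOCAL_RE = re.compile(r"\(from\s+(?P<user>[^\s@()]+)@localhost\)")
# SMTP relay form: "from <name> [(HELO <helo>)] ([<ip>])" or "from <name> (<rdns> [<ip>])".
RELAY_RE = re.compile(
    r"from\s+(?P<name>\S+)"
    r"(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"\s*\((?:[^()\[\]]*\s)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)",
    re.IGNORECASE,
)
BY_RE = re.compile(r"\bby\s+(?P<by>[^\s;(]+)")


def parse_hops(raw_headers):
    """Return the Received: hops oldest-first, each described as a dict."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    # get_all() yields newest-first (top of the message); reverse to walk the path.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        by = BY_RE.search(value)
        hop = {"by": by.group("by") if by else None}
        local = LOCAL_RE.search(value)
        relay = RELAY_RE.search(value)
        if local:
            hop.update(kind="local-submission", user=local.group("user"))
        elif relay:
            ip = ipaddress.ip_address(relay.group("ip"))
            hop.update(kind="smtp-relay", claimed=relay.group("name"),
                       helo=relay.group("helo"), ip=str(ip), rfc1918=ip.is_private)
        else:
            hop.update(kind="unparsed", raw=value)
        hops.append(hop)
    return hops


def find_origin(raw_headers):
    """Summarise where the message entered the mail system and where it left."""
    hops = parse_hops(raw_headers)
    if not hops:
        return None
    first, last = hops[0], hops[-1]
    return {
        "injected_on": first["by"],
        "injected_as": first.get("user"),  # set only for a local submission
        "local_submission": first["kind"] == "local-submission",
        "internal_hops": [h["ip"] for h in hops if h.get("rfc1918")],
        "exit_gateway": last["by"],
    }


if __name__ == "__main__":
    for label, sample in (("businessweek", BUSINESSWEEK_SAMPLE), ("passkey", PASSKEY_SAMPLE)):
        print(label, find_origin(sample))
```

One caveat when reading the output: only the Received: line written by a server you trust is evidence, and everything below it was stamped by hosts the message passed through, which a spammer can forge. In the Business Week sample the IronPort's line is the anchor, because it independently names 172.16.40.20 as the connecting host; the inner sendmail hop is credible because its queue ID matches the Message-Id and its hostname matches the HELO the gateway recorded.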

The ARIN delegation for the Business Week addresses mentioned above:
OrgName:    Businessweek Corporation
OrgID: BUSINE
Address: 1221 Avenue of the Americas
City: New York
StateProv: NY
PostalCode: 10020
Country: US

NetRange: 205.142.52.0 - 205.142.55.255
CIDR: 205.142.52.0/22
NetName: BUSINESSWEEK
NetHandle: NET-205-142-52-0-1
Parent: NET-205-0-0-0-0
NetType: Direct Assignment
NameServer: CORP


© Copyright 2006 Support Intelligence, LLC • All rights reserved