Last Friday morning an East Coast client (ECC) woke up to find her Gmail business account pummeled with more than 40,000 spam emails—with approximately 150-250 emails bypassing Google’s spam filters to cut up her inbox—this ongoing spam deluge was no laughing matter. With business email delayed and spam consistently pouring in—ECC’s ability to conduct business on Friday was 100 percent crippled.
It flooded my inbox with spam (woke up with 50 spam messages that made it to my inbox and probably received 100-200 more after that. Over 40,000 went to spam. This took over an entire day of business and caused almost all emails sent to me on Friday to be delayed in their delivery until Saturday. —ECC
The Google guarantee
Google claims 99.9 percent up-time and 0 percent planned downtime. Their corporate website touts : “Count on Google’s ultra-reliable servers to keep your lights on 24/7/365. Automatic backups, spam protection and industry-leading security measures help protect your business data.” Unfortunately, Google does not protect a Gmail business account from this type of attack.
Upon review of ECC’s spam problem, I was perplexed—all messages were nonsensical, impregnated with gibberish, and looked like this example:
Subject: (situation report). It used Debbie as and stripped to “Gowith just The dog of rising, to brainwas was an abused, yet the
TEXT, NOTES & CRITICISM Golding.” 10 (Summer-Autumn, 1958), 118-28. Fuller, Edmund, “Behind the ferns. of regeneration But kidneeded head donot satisfy them, “Bollocks gradually be near And Piggy, put and What nodded. Piggy couldthink. shrank eachother pretended the wrong. of contemplation, Grammar the travel to pretend,” Simon I’ll tell and white, Jack. Ralph kept not suggested controlling the unenlightened, stood appropriate to it? again,till as He flushed,looking achieve it “I walloped Jolly stick intentional in our thinking “No go, water.” “What’s that anywhere.” and And crawled youlisten wanted, without sleep? society are eliminating and before ‘Noticed what?” “Well. we findMr. said made him; food, hear him. about Do
I attempted to sort through the messages, senders, IP’s, and subject lines to see if the spam held a common thread. I compared subject lines that had uppercase with their corresponding IP addresses, and played I Spy until I realized that I was clearly overbeating a dead dog. There were no dots to connect. The only connection I could entertain was a denial-of-service-type attack so that the miscreant(s) could compromise one of more financial accounts.
On Friday morning we filed a support ticket with Google who later responded with a standard canned response (that arrived the following day)—Use the “Report Spam” feature and send message headers (they were sent in the initial support request). Later that day a Google support representative called and left a voice mail stating that he would call back and followed up with this email:
Hello [Name Redacted],
I hope this message finds you well. This is a friendly follow up regarding the case that you submitted about how to prevent incoming spam messages. I tried to call you, but unfortunately you were not available. I left you a voice mail. Please let me know if I can call you today, otherwise I will call you back on Tuesday to follow up towards this case.
Please reply to any of my messages to update me, or if you have any additional questions regarding this or other Issue, and I will be happy to assist you.
Google for Work Support
Though ECC received a Google support voice mail (with no call back number)—the support representative clearly did not understand that ECC’s business had come to a grinding halt—ECC had become the victim of a crippled Gmail account. By Saturday morning, she was receiving Friday’s email. At this juncture—Google’s business support for the spam situation was tantamount to the idiom too little, too late.
By Saturday morning (after turning on aggressive spam handling in the admin console) the campaign was delivering 3-14 spam messages per minute. At this point in time it looked more like a DoS attack to me. Since I am not a spam expert, I fired off an email to Brian Krebs describing the attack. Krebs said that it sounded like an email bomb service and that he had experienced this type of attack in the past. He also pointed me to two KrebsonSecurity blog posts: Cyberheist Smokescreen and another post here. Armed with this information—I finally derived some sense of direction on how best to proceed.
Examining IP addresses
There are many online tools for examining email headers (in order to extract the originating IP address). In Gmail you can examine the full header with “Show original.”
- Open the message.
- Click on the down arrow next to Reply.
- Click Show original.
Two of my favorite email header analysis services are: MxToolbox and IP Tracker Online. Just copy the email header from the Gmail message source and paste to the header analysis service. Once you grab the originating IP address you can check the IP for blacklisting. When you have the IP address you can check/report it with services such as AbuseIPDB, SpamCop, VirusTotal, and file a complaint with IC3.
Most of the IP’s used for this attack are U.S.-based, and only one IP (out of 33) was blacklisted:
184.108.40.206 ASAHI Net,Inc. Nirasaki, Japan ae248002.dynamic.ppp.asahi-net.or.jp
220.127.116.11 TWC/Roadrunner rrcs-24-97-142-18.nys.biz.rr.com Albany NY
18.104.22.168 Uk Ministry Of Defence DINSA
22.214.171.124 Uk Ministry Of Defence DINSA
126.96.36.199 UK Ministry of Defence DINSA
188.8.131.52 Comcast Business 50-73-123-45-ip-static.hfc.comcastbusiness.net
184.108.40.206 Garden Valley Telephone Co. Fosston MN 64-235-92-16.ip.gvtel.com
220.127.116.11 Birch Telecom Sheffield, AL host65-16-97-79.birch.net
18.104.22.168 Skyriver communications Simi Valley, CA 66-209-122-20.skyriver.net
22.214.171.124 Onshore Chicago mail-253-153.rm0004.net
126.96.36.199 TelePacific Communications Tahoe City, CA 67-203-69-194.static-ip.telepacific.net
188.8.131.52 atjeu publishing, llc Phoenix rdp-host-23.nakzdot.com
184.108.40.206 static-68-238-246-15.phlapa.fios.verizon.net Exton, PA
220.127.116.11 TDS Telecom Milwaukee mail.spectrumltg.com
18.104.22.168 Windstream Nuvox mail.umikc.com Kansas City, MO Hughes Development Co Inc – – N 7
22.214.171.124 Comcast Upper Darby PA 70-91-63-73-PANJDE.hfc.comcastbusiness.net
126.96.36.199 At&t Internet Services Port Pompano Beach, FL adsl-070-155-035-126.sip.bct.bellsouth.net
188.8.131.52 Cox Net New Orleans, LA wsip-70-182-147-34.br.br.cox.net
184.108.40.206 TWC/RR Dallas, TX rrcs-71-40-114-43.sw.biz.rr.com
220.127.116.11 Verion FIOS Seffner, FL static-71-101-88-4.tampfl.fios.verizon.net
18.104.22.168 Avid Communications/Kc Nap, LLC, Kansas City home.omniemployment.com
22.214.171.124 Worldpath Internet Services Portsouth, NH WPIS-74-220-225-76.worldpath.net
126.96.36.199 Comcast Salt Lake City, UT 74-92-245-113-Utah.hfc.comcastbusiness.net
188.8.131.52 Comcast Phoenixville, PA 75-146-243-98-Philadelphia.hfc.comcastbusiness.net
184.108.40.206 Comcast Business Petaluma 75-147-142-33-SFBA.hfc.comcastbusiness.net
220.127.116.11 Comcast Business San Francisco 75-149-52-217-SFBA.hfc.comcastbusiness.net
18.104.22.168 ISP = lcp nv Bruges, Belgium www.degy.be
22.214.171.124 Time Warner Cable cdptpa-oedge02.email.rr.com
126.96.36.199 Almouroltec Servicos De Informatica E Internet Lda Lisbon, Portugal
188.8.131.52 Cablevision Buenos Aires AR 78-130-29-181.fibertel.com.ar
184.108.40.206 ISP: Vivo/Brazil 201-69-65-108.dial-up.telesp.net.br
220.127.116.11 ISP/Xspedius Communications Co. Birmingham, AL
18.104.22.168 Telefonica de Espana Madrid 8.Red-217-127-196.staticIP.rima-tde.net
Block bad IP’s with the Admin Console
The one item that Google help is not very clear about is how to block IP addresses. Here is how you do it from the admin console:
- Click on Apps.
- Click on Google Apps.
- Click on Gmail.
- Scroll down to Advanced settings.
- Scroll down to the header: Spam.
- Under the settings for Blocked senders, click CONFIGURE.
- Next, write a short description for blocked senders. Example: “Spam bomb campaign-blocked IP’s”.
- Next, You will create a new list: from “1: Add addresses or domains that you want to automatically reject messages from” select create a new one.
- Type the name of the new list, then click on CREATE and press SAVE.
- Next, click EDIT blocked senders.
- Under the new list that you created (Example: Banned IP’s), click ADD.
- Under “Address or domain name” add IP addresses separated by a comma, then click on SAVE.
Though Google’s instructions are clear on how to add email addresses or domains to the blocked senders list—it fails to mention IP addresses/blocks. Though I did find a rather succinct IP address mention here. Ironically, Google support called me from Ireland on Wednesday afternoon to tell me that I had to close two other support tickets. I basically said that I was not going to do squat. She covered the same old ground of reporting spam, blocking the sender or domain, but failed miserably at squeaking out anything about blocking the offending IP’s.When I did mention that I absolutely had to block the IP’s due to the type of attack that occurred—she appeared to discourage this approach.
I’ve dealt with Google support many times in the past and support was always immediate and problems were always resolved quickly. Their approach with ECC’s email bomb dilemma—regrettably, became a twist in the wind.
Email spam bomb used as a diversion tactic
Wikipedia defines an email bomb as a form of net abuse consisting of sending huge volumes of email to an address in an attempt to overflow the mailbox or overwhelm the server where the email address is hosted in a denial-of-service attack.
A Reddit post from 2013 indicated that a spam bomb is often used as a diversion tactic to funnel funds away from a victims account:
The idea is that once you’ve reached your receiving limit, you will not get PayPal’s notification email telling you that “you” have made a transfer…and by the time you do get it (usually a day or 2 in the future) it’s too late, and the hacker has your money.
Early on, I texted ECC and told her to keep close tabs on all financial accounts, and reiterated security measures that she should take immediately. It came as no surprise when Monday morning arrived and she saw this sitting in her inbox:
This dimwitted cybercriminal-in-training possibly ruptured a huge leak in her/his think tank by not testing the waters prior to making such a blatant purchase. Maybe, maybe not.
Will the real culprit please stand up?
The mystery of origin was finally solved when ECC sent a text stating that malware had been discovered in Chrome.
Mal/Phish_A has been around since the beginning of 2013. Sophos describes it as a phishing web page, usually sent as a spam attachment or seen on the internet. Mal/Phish_A targets financial and banking institutions. Sophos warns at their website that:
Mal/Phish-A attempts to steal personal information (for example login information, banking details or credit card numbers) by pretending to be a page belonging to a legitimate account provider but sending the details to a malicious or compromised website instead. Mal/Phish-A may then redirect to the legitimate provider’s website in order to hide the fact that information has been stolen.
Fortunately my client received a phone call from the Apple Store to verify the iPhone purchases. During the interim spam bomb phase she also had the opportunity to secure all her accounts. Have you ever been hit by a spam bomb?