
Classic Spam: “Lese Selbst”
(Virus-borne German political propaganda)

The manner of transmission is a bit different (via infected third-party computers and their e-mail address books), as is the senders’ objective (political persuasion rather than swindling), but this is spam nevertheless — it was delivered in bulk and I didn’t solicit it (rule #2, doncha know).

From hidden Tue May 17 18:15:59 2005
Received: from fffha.com ([])
   by vms050.mailsrvcs.net (Sun Java System Messaging Server 6.2    HotFix 0.04 (built Dec 24 2004)) with ESMTP id
   for hidden; Tue, 17 May 2005 13:23:00 -0500 (CDT)
Received: from fffha.com (
   by sv3pub.verizon.net (MailPass SMTP server v1.2.0 -
   with SMTP id <3-752-201-752-200069-1-1116354180> for
   vms050pub.verizon.net; Tue, 17 May 2005 13:23:00 -0500
Date: Tue, 17 May 2005 18:20:49 +0000 (UTC)
From: hidden
Subject: Graeberschaendung auf bundesdeutsche Anordnung
To: hidden
Message-id: <c340ac75.cd4cdfcb@yahoo.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)

Lese selbst:

This spam is part of a wave that broke out in the spring of 2005, apparently initiated by Germans intent on spreading right-wing political spin and anti-foreigner propaganda on the eve of an election in the German province of North Rhine Westphalia. The perps may have intended to restrict circulation to Germany (as was the case with an earlier outbreak with the same modus operandi), but in fact it ended up breaking out and going all over the world; I received more than a dozen myself (and was falsely implicated as the sender of at least three others) before the attack subsided shortly after the election.

Many have called these perps “neo-Nazis” although I don’t find the labeling particularly useful. Let’s just say that their opinions are a couple of standard deviations off the mean. The messages urged you without comment to visit various web links (some to respected German periodicals like Der Spiegel) to read stories about dirty, primitive, violent, welfare-cheating foreigners and the heavy-handed government that suppresses the rights of “native” Germans in favor of these same foreigners. There are also references to long-bandied rumors of Allied murder of German POWs after the war (as in this message), and complaints about the erection in Berlin of a memorial to the mass-murder of Jews during World War II. These guys have to tread carefully, however, since German law makes certain kinds of speech illegal (e.g., defaming Jews or other racial groups, denying the holocaust).

Like most folks who hold such extremist views, these people have decided that it is imperative to spread them to the masses. In the past, traditional means of publicity were pretty much unavailable to this sort, so they had to rely on graffiti, illegal bill-sticking, and other forms of anonymous “street spam.” Now that the internet is here, they have a new venue for their schtick. In this case, the perpetrators apparently modified a “mass-mailing worm” called (by Symantec malware investigators) W32.Sober.O@mm. When the worm-laden mail is received and its attachment opened by a naive or careless user, the worm installs itself and sends out mail both to replicate itself to other computers, and to spread the eh, good word to potential converts.

You can read the Symantec page linked above to find out more about the worm, but here’s a summary of what is going on:

  1. Naive or careless user receives mail with Sober worm in payload (typically as an attached .zip archive) and opens the payload.
  2. Worm installs itself and scans the user’s system for files containing e-mail addresses (such as the address book of the user’s e-mail program).
  3. Worm will use its own built-in SMTP agent to send itself (via infected e-mail) to some or all of these addresses in order to replicate itself (and create more platforms for sending mail), and will also send uninfected mass-mailings (like that shown here) to distribute the Truth that will Make You Free (“Wahrheit macht frei!”).

Since the worm has its own self-contained direct-to-MX-capable SMTP agent, it can send out all this mail without going through any of the victim’s ISP mail hosts and without leaving any traces on the victim’s system; this makes it pretty difficult to trace the mail back to the ultimate originators on the basis of any single message. The worm even appears to be smart enough not to mail itself to any addresses that might hasten its detection and eradication (e.g., addresses like “admin@foo.bar” that look like those belonging to system administrators).

In this manner, the mail will propagate more-or-less geometrically from one vulnerable machine to others, and the political messages will go out to all the correspondents of the users of these machines. While it is clever and untraceable, this method might be a bit too inefficient and limited in scope for your average drugz-mortgage-warez spammers:

However, our German friends here (like pump-and-dump spammers) are just interested in publishing their stuff, and not in getting any direct responses to their messages; so, this method probably fits the bill. Leaving aside the time and resources required to develop or adapt the Sober worm, this method is also nearly free of cost, since the perps only have to “seed” the message to an initial handful of addresses to get the thing going.

For the record, this message came to me from a machine at (a BellSouth DSL line somewhere in the Southeastern U.S.). There isn’t much more to be learned. The From-address is not trustworthy, of course, since it was undoubtedly planted by the worm. The web link given in the message points to a German political website, which prudently replaced the article with a “gateway page” bearing a disclaimer and an explanation (in German and English) of this mail trick.
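The following Python example is added here for illustration and is not part of the original page or of any tool it mentions. It reads headers like those shown above and reports the only trustworthy origin data (the connecting IP recorded by the recipient's own provider), whether the mail arrived direct-to-MX, and whether the HELO name disagrees with the Message-ID and From domains. The IP address, the From address and the own_suffixes values are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers shown above. The IP address
# (TEST-NET range) and the From address are placeholders, not page values.
SAMPLE = """\
Received: from fffha.com ([192.0.2.77])
 by vms050.mailsrvcs.net with ESMTP; Tue, 17 May 2005 13:23:00 -0500 (CDT)
Received: from fffha.com ([192.0.2.77])
 by sv3pub.verizon.net with SMTP; Tue, 17 May 2005 13:23:00 -0500
From: someone@example.org
Subject: Graeberschaendung auf bundesdeutsche Anordnung
Message-id: <c340ac75.cd4cdfcb@yahoo.com>

Lese selbst:
"""

# "from <HELO name> (<what the server saw>) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")

def domain_of(value):
    """Domain part after '@' in an address or Message-ID, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else ""

def analyze(raw, own_suffixes):
    """Find the hop where mail entered our provider and flag forgery signals."""
    msg = message_from_string(raw)
    boundary, untrusted = None, 0
    for header in msg.get_all("Received", []):      # newest hop first
        m = HOP.search(header)
        ours = m and m.group(3).lower().endswith(tuple(own_suffixes))
        if ours and untrusted == 0:
            # Written by a host we trust: the bracketed IP is reliable.
            ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", m.group(2))
            boundary = {"helo": m.group(1).lower(),
                        "ip": ip.group(1) if ip else None}
        else:
            untrusted += 1      # written by hosts we do not control
    helo = boundary["helo"] if boundary else ""
    return {
        "origin_ip": boundary["ip"] if boundary else None,
        "helo": helo,
        # No sender-side relay in the chain: the origin spoke to our MX itself.
        "direct_to_mx": boundary is not None and untrusted == 0,
        # Mismatches are signals of forgery, not proof of it.
        "helo_vs_message_id": helo != domain_of(msg.get("Message-ID")),
        "helo_vs_from": helo != domain_of(msg.get("From")),
    }
```

Calling analyze(SAMPLE, (".mailsrvcs.net", ".verizon.net")) reports the placeholder IP as the origin, direct-to-MX delivery, and a HELO name that matches neither the Message-ID domain nor the From domain.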


(c) 2003-2006, Richard C. Conner


Updated: Sat, 06 May 2006