LinkedIn ACH spam/virus

Posted: Tue Dec 13, 2011 12:40 pm
by faris
Not actually related to clamav/qmail-scanner etc, but I figured I'd post this here anyway, as it seems to be the best section.

One of my mailboxes, hosted on a third party server over which I have no control, is letting in scores of messages "from" LinkedIn which contain a nasty payload.

What I'm curious about is the header. Take a look:

Return-Path: <valises1682@roofsys.com>
Delivered-To: REDACTED
Received: (qmail 26713 invoked from network); 13 Dec 2011 15:40:17 -0000
Received: from unknown (HELO 89-69-130-109.dynamic.chello.pl) (89.69.130.109)
  by MY-REAL-ISP with SMTP; 13 Dec 2011 15:40:17 -0000
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
	by inbound.electric.net (8.13.8/8.13.8) with ESMTP id 8UEO5D1608818
	for <REDACTED>; Tue, 13 Dec 2011 16:39:42 +0100
Date: Tue, 13 Dec 2011 16:39:42 +0100
From: "LinkedIn" <linkedin@em.linkedin.com>
To: REDACTED
In the first two Received: lines, the message appears to be going from chello.pl to my real ISP.

But there's also a third Received: line. This, at first glance, would seem to indicate that LinkedIn was involved in the mail transport somehow.

rdns on 63.211.90.176 is indeed mta900.em.linkedin.com but as Mike says, this can be faked easily. Whois says the range belongs to Cheetamail.

My trail goes cold there. "Experian CheetahMail" is legit, but is that the same cheetahmail? I can't tell.

What I do know is that the same 63.211.90.176 IP appears in messages posted about a slightly different spam/virus outbreak which was deliberately (fake) from LinkedIn (with a subject of "so now you're on LinkedIn....").

So...what's REALLY going on? Has this mysterious part of the header just been totally faked, to make it look more legit?
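An added example (not from the original thread) showing the check a mail admin would apply to this header: walk the Received: chain from the top, stop at the hop written by your own MX, and treat every Received: line below it as sender-supplied text that may be forged. The header block is the one posted above, embedded as a constructed sample; the MX name MY-REAL-ISP is the placeholder used in the post.

```python
import re
from email import message_from_string

# Constructed sample: the header block from the post, addresses redacted as there
RAW_HEADERS = """\
Return-Path: <valises1682@roofsys.com>
Delivered-To: REDACTED
Received: (qmail 26713 invoked from network); 13 Dec 2011 15:40:17 -0000
Received: from unknown (HELO 89-69-130-109.dynamic.chello.pl) (89.69.130.109)
  by MY-REAL-ISP with SMTP; 13 Dec 2011 15:40:17 -0000
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
\tby inbound.electric.net (8.13.8/8.13.8) with ESMTP id 8UEO5D1608818
\tfor <REDACTED>; Tue, 13 Dec 2011 16:39:42 +0100
Date: Tue, 13 Dec 2011 16:39:42 +0100
From: "LinkedIn" <linkedin@em.linkedin.com>
To: REDACTED

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
BY_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def received_hops(raw):
    """Return the Received: headers top-down (newest first), folding undone."""
    msg = message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def trust_boundary(raw, my_mx):
    """Find the hop our own MX wrote and split the chain there.

    Only the IP that actually connected to my_mx is verified. Every hop
    below it was already inside the message when it arrived, so the
    sender could have written it (the LinkedIn line in this sample).
    """
    hops = received_hops(raw)
    for i, hop in enumerate(hops):
        m = BY_HOST.search(hop)
        if m and m.group(1).lower() == my_mx.lower():
            ip = IPV4.search(hop)
            return {"connecting_ip": ip.group(1) if ip else None,
                    "unverified_hops": hops[i + 1:]}
    return None  # our MX never appears: treat the whole chain as unverified


if __name__ == "__main__":
    r = trust_boundary(RAW_HEADERS, "MY-REAL-ISP")
    print("verified sender IP:", r["connecting_ip"])
    for hop in r["unverified_hops"]:
        print("unverified (sender-supplied):", hop)
```

For this sample the only verified fact is that 89.69.130.109 connected to the ISP's MX; a consistent rDNS/forward lookup on 63.211.90.176 says nothing about whether that hop ever happened.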

Re: LinkedIn ACH spam/virus

Posted: Wed Dec 14, 2011 5:58 pm
by mikeshinn
rdns on 63.211.90.176 is indeed mta900.em.linkedin.com but as Mike says, this can be faked easily. Whois says the range belongs to Cheetamail.
Looks like the IP is legit:

[mshinn@mtsoffice ~]$ nslookup 63.211.90.176
Server: 10.10.14.1
Address: 10.10.14.1#53

Non-authoritative answer:
176.90.211.63.in-addr.arpa name = mta900.em.linkedin.com.

Authoritative answers can be found from:
in-addr.arpa nameserver = a.in-addr-servers.arpa.
in-addr.arpa nameserver = b.in-addr-servers.arpa.
in-addr.arpa nameserver = c.in-addr-servers.arpa.
in-addr.arpa nameserver = d.in-addr-servers.arpa.
in-addr.arpa nameserver = e.in-addr-servers.arpa.
in-addr.arpa nameserver = f.in-addr-servers.arpa.

[mshinn@mtsoffice ~]$ nslookup mta900.em.linkedin.com
Server: 10.10.14.1
Address: 10.10.14.1#53

Non-authoritative answer:
Name: mta900.em.linkedin.com
Address: 63.211.90.176