LinkedIn ACH spam/virus

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

LinkedIn ACH spam/virus

Unread post by faris »

Not actually related to clamav/qmail-scanner etc, but I figured I'd post this here anyway, as it seems to be the best section.

One of my mailboxes, hosted on a third party server over which I have no control, is letting in scores of messages "from" LinkedIn which contain a nasty payload.

What I'm curious about is the header. Take a look:

Return-Path: <valises1682@roofsys.com>
Delivered-To: REDACTED
Received: (qmail 26713 invoked from network); 13 Dec 2011 15:40:17 -0000
Received: from unknown (HELO 89-69-130-109.dynamic.chello.pl) (89.69.130.109)
  by MY-REAL-ISP with SMTP; 13 Dec 2011 15:40:17 -0000
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
	by inbound.electric.net (8.13.8/8.13.8) with ESMTP id 8UEO5D1608818
	for <REDACTED>; Tue, 13 Dec 2011 16:39:42 +0100
Date: Tue, 13 Dec 2011 16:39:42 +0100
From: "LinkedIn" <linkedin@em.linkedin.com>
To: REDACTED

In the first two Received: lines, the message appears to be going from chello.pl to my real ISP.

But there's also a third Received: line. This, at first glance, would seem to indicate that LinkedIn was involved in the mail transport somehow.

rdns on 63.211.90.176 is indeed mta900.em.linkedin.com but as Mike says, this can be faked easily. Whois says the range belongs to Cheetamail.

My trail goes cold there. "Experian CheetahMail" is legit, but is that the same cheetahmail? I can't tell.

What I do know is that the same 63.211.90.176 IP appears in messages posted about a slightly different spam/virus outbreak which was deliberately (fake) from LinkedIn (with a subject of "so now you're on LinkedIn....").

So...what's REALLY going on? Has this mysterious part of the header just been totally faked, to make it look more legit?
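As an added example (not code from the post or from Atomicorp), here is a small Python check that walks the Received: chain above and trusts only the hops stamped by your own MTA: the connecting IP that hop recorded (89.69.130.109) is the host that actually delivered the mail, while every hop below it, including the one naming mta900.em.linkedin.com, arrived inside the message and cannot be verified from the header alone. MY-REAL-ISP is the poster's placeholder for the receiving server and is used here as the trusted MTA name.

```python
import re

# Constructed sample: the Received: chain from the post, placeholders kept as-is.
SAMPLE_HEADERS = """\
Return-Path: <valises1682@roofsys.com>
Received: (qmail 26713 invoked from network); 13 Dec 2011 15:40:17 -0000
Received: from unknown (HELO 89-69-130-109.dynamic.chello.pl) (89.69.130.109)
  by MY-REAL-ISP with SMTP; 13 Dec 2011 15:40:17 -0000
Received: from mta900.em.linkedin.com (mta900.em.linkedin.com [63.211.90.176])
\tby inbound.electric.net (8.13.8/8.13.8) with ESMTP id 8UEO5D1608818
\tfor <REDACTED>; Tue, 13 Dec 2011 16:39:42 +0100
From: "LinkedIn" <linkedin@em.linkedin.com>
"""

# MTAs we (or our ISP) operate; only their Received: stamps are trustworthy.
TRUSTED_MTAS = {"MY-REAL-ISP"}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_lines(raw):
    """Return Received: values, most recent hop first, with folded lines joined."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [l[len("Received:"):].strip() for l in unfolded.splitlines()
            if l.lower().startswith("received:")]

def parse_hop(value):
    """Pull the claimed sender, the receiving host and the first IPv4 out of one hop."""
    frm = re.search(r"^from\s+(\S+)", value)
    by = re.search(r"\bby\s+(\S+)", value)
    ip = IPV4.search(value)
    return {"from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ip": ip.group(1) if ip else None}

def analyze(raw):
    """Find the trust boundary: the first hop our own MTA stamped with a peer IP."""
    hops = [parse_hop(v) for v in received_lines(raw)]
    for i, hop in enumerate(hops):
        if hop["by"] in TRUSTED_MTAS and hop["ip"]:
            # Hops above i are ours; hops below i came in with the message.
            return {"connecting_ip": hop["ip"], "unverifiable": hops[i + 1:]}
    return {"connecting_ip": None, "unverifiable": hops}

def findings(raw):
    """Report unverifiable hops whose claimed IP differs from the real peer."""
    result = analyze(raw)
    return [f"hop claiming {h['from']} [{h['ip']}] lies below the trust boundary; "
            f"our MTA actually received from {result['connecting_ip']}"
            for h in result["unverifiable"]
            if h["ip"] and h["ip"] != result["connecting_ip"]]
```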
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: LinkedIn ACH spam/virus

Unread post by mikeshinn »

rdns on 63.211.90.176 is indeed mta900.em.linkedin.com but as Mike says, this can be faked easily. Whois says the range belongs to Cheetamail.

Looks like the IP is legit:

[mshinn@mtsoffice ~]$ nslookup 63.211.90.176
Server: 10.10.14.1
Address: 10.10.14.1#53

Non-authoritative answer:
176.90.211.63.in-addr.arpa name = mta900.em.linkedin.com.

Authoritative answers can be found from:
in-addr.arpa nameserver = a.in-addr-servers.arpa.
in-addr.arpa nameserver = b.in-addr-servers.arpa.
in-addr.arpa nameserver = c.in-addr-servers.arpa.
in-addr.arpa nameserver = d.in-addr-servers.arpa.
in-addr.arpa nameserver = e.in-addr-servers.arpa.
in-addr.arpa nameserver = f.in-addr-servers.arpa.

[mshinn@mtsoffice ~]$ nslookup mta900.em.linkedin.com
Server: 10.10.14.1
Address: 10.10.14.1#53

Non-authoritative answer:
Name: mta900.em.linkedin.com
Address: 63.211.90.176