While every hosting company has challenges with preventing spam outbreaks, and some do better than others, we occasionally see a trend that indicates a larger issue.
This could be related to a general security issue, or to a systemic deficiency. Over the past week we have seen such an increase from SoftLayer IP space. Fortunately, it is easy to detect and block, and most spam protections should already do this for you, but we are reporting it here for general information.
The outbreaks all seem to conform to the same pattern: generic IP space or servers, with the rDNS of ‘*-static.reverse.softlayer.com’. Based on the generic naming convention, it appears the spammers don’t actually administer the individual IP(s); otherwise they would have changed the rDNS.
An example from today:
Return-Path:
Delivered To:
Received: from 50.22.179.61-static.reverse.softlayer.com (HELO alibaba.com) (50.22.179.61)
Now, in all these types of outbreaks, the sender is ‘www-data’, and while this could be a legitimate process running as that user, generally it is a good indicator of a compromise.
The HELO is generally forged. The systems are usually running Postfix, and the mail always carries a header that was put in for security purposes:
X-PHP-Originating-Script: 0:ejp5wo8l4nrjyge16gy.php
So it appears that spammers/hackers are abusing something on the system to upload a PHP script that is then used to perform the spamming itself. (This is typical of many past exploits of popular software such as older WordPress installations.)
While it would be nice if SoftLayer blocked egress from servers that still have the default generic rDNS, and/or used this information to find compromised servers themselves, it does mean that anyone can simply mark email that comes from the generic rDNS and was generated by a PHP script as probably spam.
Interestingly enough, the script itself that is commonly used is broken, in that it repeats a header block:
From: billg
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
From: billg
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
From: billg
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
From: billg
MIME-Version: 1.0
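As an added example (not part of the original post or of any SoftLayer tooling), the following Python script implements the two checks described above: it flags mail whose connecting host has the generic ‘*-static.reverse.softlayer.com’ rDNS and that carries an X-PHP-Originating-Script header, and it also counts the duplicated From/MIME-Version/Content-type/X-Mailer headers left by the broken spam script. The sample message is constructed from the header fragments quoted in the post; the example.invalid addresses and the mx.example.invalid receiving host are placeholders.

```python
import re
from email import message_from_string

# Constructed sample message reproducing the pattern described in the post:
# generic SoftLayer rDNS on the connecting host, a forged HELO, the
# X-PHP-Originating-Script header, and the repeated header block.
# Addresses and the receiving host (example.invalid) are placeholders.
SAMPLE = """Return-Path: <www-data@example.invalid>
Received: from 50.22.179.61-static.reverse.softlayer.com (HELO alibaba.com) (50.22.179.61)
  by mx.example.invalid with SMTP; Mon, 1 Jan 2000 00:00:00 +0000
X-PHP-Originating-Script: 0:ejp5wo8l4nrjyge16gy.php
From: billg
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
From: billg
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
X-Mailer: Microsoft Office Outlook, Build 17.551210
Subject: constructed sample

<html><body>hello</body></html>
"""

# A Received header whose connecting host uses the generic SoftLayer rDNS.
GENERIC_RDNS = re.compile(r"^from\s+(\S+-static\.reverse\.softlayer\.com)\b", re.IGNORECASE)

# Headers the broken spam script emits more than once.
REPEATED_BLOCK = ("From", "MIME-Version", "Content-type", "X-Mailer")


def generic_softlayer_rdns(msg):
    """Return the connecting host name if any Received header shows the
    generic SoftLayer rDNS, otherwise None."""
    for received in msg.get_all("Received", []):
        m = GENERIC_RDNS.match(received.strip())
        if m:
            return m.group(1)
    return None


def php_originating_script(msg):
    """Return the value of X-PHP-Originating-Script, or None if absent."""
    return msg.get("X-PHP-Originating-Script")


def duplicated_headers(msg, names=REPEATED_BLOCK):
    """Return the header names from the repeated block that occur more than once."""
    return [name for name in names if len(msg.get_all(name, [])) > 1]


def analyse(raw):
    """Parse a raw RFC 822 message and collect the indicators described in the post."""
    msg = message_from_string(raw)
    findings = {}
    host = generic_softlayer_rdns(msg)
    if host:
        findings["generic_rdns"] = host
    script = php_originating_script(msg)
    if script:
        findings["php_originating_script"] = script
    dups = duplicated_headers(msg)
    if dups:
        findings["duplicated_headers"] = dups
    return findings


def probably_spam(raw):
    """The post's rule: generic rDNS plus a PHP-generated message is probably spam."""
    findings = analyse(raw)
    return "generic_rdns" in findings and "php_originating_script" in findings


if __name__ == "__main__":
    print(analyse(SAMPLE))
    print("probably spam:", probably_spam(SAMPLE))
```

The duplicated-header check is reported separately rather than folded into the verdict, because the post describes it as a quirk of one particular script; the rDNS plus X-PHP-Originating-Script combination is the rule that applies to the whole outbreak.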
Judging from this common pattern, it seems likely that the same person or group of persons is targeting SoftLayer.
And typically the content is used to exploit recipients’ computers, so this is a dangerous type of spam to be allowing.
We suggest that if you see these, you adjust your filters; if you are unable to, be highly suspicious of this pattern, and/or use a reputation list that has identified these compromised servers.