Blog

Spam Farm Spotted in the Wild, (Fri, Mar 5th)

If there is a place where you can always find juicy information, it’s your spam folder! Yes, I like spam and I don’t delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or “Non-Delivery Receipt” messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a “spam farm” based on bounced emails. By default, SMTP is a completely open protocol. Everybody can send an email pretending to be Elon Musk or Joe Biden! That’s why security control like SPF[1] or DKIM[2] can be implemented to prevent spoofed emails to be sent from anywhere. If not these controls are not implemented, you may be the victim of spam campaigns that abuse your domain name or identity. The “good” point (if we can say this) is that all NDR messages will bounce to the official mail server that you manage. That’s what happened with our reader, he saw many bounced messages for unknown email addresses. Here is an example:

--1614779618-eximdsn-513689040
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [victim]@[victimdomain]
    host [victimmx]
    SMTP error from remote mail server after end of data:
    550 5.2.0 Mail rejete. Mail rejected. ************

--1614779618-eximdsn-513689040
Content-type: message/delivery-status

Reporting-MTA: dns; fjimkopo[.]com

Action: failed
Final-Recipient: rfc822;[victim]@[victimdomain]
Status: 5.0.0
Remote-MTA: dns; [victimmx]
Diagnostic-Code: smtp; 550 5.2.0 Mail rejete. Mail rejected. ***********

--1614779618-eximdsn-513689040
Content-type: message/rfc822

Return-path: 
Received: from admin by fjimkopo[.]com with local (Exim 4.86_2)
(envelope-from [ourmailbox]@[ourdomain])
id 1lHQYA-0002y9-UD
for [victim]@[victimdomain]; Wed, 03 Mar 2021 12:24:22 +0000
To: [victim]@[victimdomain]
Subject: *****************
X-PHP-Originating-Script: 1000:mailer1.php
Date: Wed, 3 Mar 2021 12:24:22 +0000
From: ***************** [ourmailbox]@[ourdomain]>
Reply-To: [email protected][.]com
Message-ID: 
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

What interesting information do we have in this email? We see a domain name: farments[.]cf in the Message-ID (this header is generated by the first hop in the SMTP delivery chain) but also another SMTP header added by the mailer: X-PHP-Originating-Script: 1000:mailer1.php.

Let’s combine the domain with the URL in the header: hxxp://farments[.]cf/mailer1.php

This is a leafmailer[3] instance… A very popular PHP mailer used by spammers. urlscan.io reports 26 similar websites[4]:

I did the same search on VirusTotal and found more URLs:

hxxp://voceconfia[[.]]com[[.]]br/utils/leafmailer[.]php
hxxp://surmatete[[.]]com/img/p/9/5/
hxxp://hamboua1[[.]]000webhostapp[[.]]com/leafmailer[.]php
hxxp://avalonfootwears[.]com/images/leafmailernzmall[.]php
hxxps://www[.]bearchub4u[.]com/images/snd[.]php
hxxp://sech[.]cl/wp-includes/rand/leafmailer[.]php
hxxp://www[.]eudurica[.]sk/doc/leafmailer[.]php
hxxps://github[.]com/PHPMailer/apix-log-phpmailer
hxxp://thehunarfoundation[.]org/luckk[.]php
hxxp://farments[.]cf/mailer1[.]php
hxxp://elhusseinyusmleprep[.]com/wp-includes/leafmailer[.]php
hxxp://jrcasey[.]com/leaf[.]php
hxxp://secundaria[.]comprensiondelalectura[.]com/CDL/Profile/phpmailer/examples
hxxp://synergieconsulting[.]biz/leaf[.]php
hxxp://www[.]shiatsu[.]com[.]uy/archivos/pdf/2722[.]php
hxxp://rainbowisp[.]info/dot/js/leafmailer2[.]8[.]php
hxxp://aquabizarre[.]com/leaf[.]php
hxxp://neaters[.]serveusers[.]com/
hxxp://www[.]eos-numerique[.]com/sitemap/JC4Ei2aF[.]php
hxxp://themadam[.]com/inb0x[.]php
hxxp://satkom[.]id/includes/phpmailer
hxxp://a-mla[.]org/images/acts/leafmailer2[.]8[.]php
hxxp://scootelaru[.]com/leafmailer2[.]8[.]php
hxxp://eudurica[.]sk/doc/leafmailer[.]php
hxxp://secundaria[.]comprensiondelalectura[.]com/CDL/Profile/phpmailer/examples/images
hxxps://e2e[.]marketing/wp-content/themes/spacious/leaf[.]php
hxxp://mailerphppro[.]blogspot[.]com/
hxxp://www[.]fastnet[.]rw/luckk[.]php
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer/docs
hxxp://emboutsdetalons[.]com/
hxxps://yanaclub[.]net/vendor/bootstrap/css/alal[.]php
hxxp://wigitest[.]com/leafmailer2[.]8[.]php
hxxp://fullfullstack[.]com/leafmailer2[.]8[.]php
hxxps://www[.]itread01[.]com/content/1542020464[.]html
hxxp://letsdoit[.]pro/wp-admin/oonnm[.]php
hxxps://www[.]leafmailer[.]pw/
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer/language
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer/test
hxxps://www[.]sementesvivas[.]bio/modules/jmsslider/views/img/layers/leafmailer2[.]8[.]php
hxxp://143[.]110[.]155[.]129/
hxxps://casing-china[.]com/wp-admin/leaf[.]php
hxxp://grma[.]9lj[.]ru/
hxxps://ipv6[.]lekkeropdemet[.]be/ibasao/l[.]php
hxxp://ow[.]ly/9t8W50DzlZG
hxxp://siquerida[.]com/ajtro/system/PHPMailer/language
hxxps://tinyurl[.]com/y4zbkzja
hxxps://anandlagad[.]com/how-to-send-email-using-phpmailer-and-gmail-with-example/
hxxp://www[.]asc925[.]com/leafmailer2[.]8[.]php
hxxp://solusitoilet[.]com/xz/leafmailer2[.]7[.]php
hxxps://mckinleywashstand[.]com/leafmailer2[.]8[.]php
hxxp://chase-online[.]ddnsking[.]com/
hxxps://smyankton[.]com/leaf[.]php
hxxps://m12tatar[.]ru/wp-admin/leafmailer2[.]8[.]php
hxxp://rnd[.]com[.]mx/wp-content/plugins/RootSaul/block[.]php
hxxp://is01[.]cba[.]edu[.]kw/old/wptest/wp-content/themes/xzbvsjrmhd[.]php?pass=xptasztqzd
hxxp://www[.]assostone[.]com/11[.]php
hxxps://pastebin[.]com/5igVDBVT
hxxp://sanrosindia[.]com/admin_2016/library/phpmailer
hxxp://www[.]ilendglobal[.]com/PHPMailer/
hxxps://elite11[.]in/public/site/image/slider/leafmailer2[.]8[.]php
hxxp://phpmailer[.]github[.]io/PHPMailer/
hxxps://legalhackers[.]com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC[.]html
hxxps://legalhackers[.]com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln[.]html
hxxps://github[.]com/opsxcq/exploit-CVE-2016-10033
hxxps://t[.]co/LMf3TIcdmy
hxxps://rfr[.]bz/t1jy3sp
hxxps://blog[.]sucuri[.]net/2021/01/phishing-malspam-with-leaf-phpmailer[.]html?utm_source=twitter&utm_medium=social&utm_campaign=en-us_sec_social_prd_awa_us_x_001
hxxp://sucur[.]it/3qXbEMS
hxxps://blog[.]sucuri[.]net/2021/01/phishing-malspam-with-leaf-phpmailer[.]html
hxxp://www[.]erbilen[.]net/phpmailer-sinifi-ile-gmail-uzerinden-e-posta-gonderimi/
hxxp://rpa-seminar-shinagawa[.]oni-nagoya[.]co[.]jp/wp-content/plugins/leafmails[.]php
hxxps://t[.]co/vXgBEIippr
hxxps://emboutsdetalons[.]com/
hxxp://www[.]qurankipukar[.]com/en/
hxxp://github[.]com/PHPMailer/PHPMailer
hxxps://dummyscodes[.]blogspot[.]com/2014/08/php-send-mail-with-xampp-localhost[.]html
hxxps://pseudonymousone[.]com/leafmailer[.]php
hxxp://vulapps[.]evalbug[.]com/w_wordpress_6/
hxxps://estacaoblumenau[.]com[.]br/leaf[.]php
hxxp://vitamfoundation[.]org/luckk[.]php
hxxps://phpmailer[.]en[.]softonic[.]com/
hxxps://unicrditalia[.]com/
hxxp://unicrditalia[.]com/
hxxp://cbdmover[.]com[.]au/calculate-your-move/phpmailer/
hxxp://52[.]42[.]241[.]167/PHPMailer-master/vendor/guzzlehxxp/guzzle/src/Exception
hxxp://shiyarajewells[.]com/img/portfolio/leafmailer2[.]8[.]php
hxxps://www[.]cdxy[.]me/?p=765
hxxp://warriorwealthsolutions[.]com/wp-admin/wp-config[.]php
hxxp://mislayer[.]egloos[.]com/1509382
hxxps://phpmailer[.]github[.]io/PHPMailer/classes/PHPMailer[.]PHPMailer[.]PHPMailer[.]html
hxxp://espaciosdeinnovacion[.]udd[.]cl/leaf[.]php
hxxp://siquerida[.]com/ajtro/system/PHPMailer/docs
hxxp://siquerida[.]com/ajtro/system/PHPMailer
hxxp://dedikodudunyasi[.]com/
hxxps://alchemicclasses[.]com/
hxxp://www[.]willalooka[.]com[.]au/wp-content/plugins/sdwffdy/leafmailer2[.]8[.]php
hxxps://phpmailer[.]github[.]io/PHPMailer/classes/PHPMailer[.]PHPMailer[.]POP3[.]html
hxxps://ranaunique[.]com/hato-old/vendor/phpmailer/phpmailer/language/
hxxps://www[.]websapex[.]com/blog/tutorial/php/send-an-email-through-html-form-using-phpmailer-in-php/
hxxp://rpa-seminar-shinagawa[.]oni-nagoya[.]co[.]jp/wp-content/plugins/leaf[.]php
hxxps://owlmailer[.]io/
hxxp://phpmailer[.]worxware[.]com/critique-avengers-endgame-streaming/
hxxp://labanquepostale623662s7[.]betaforge[.]it/
hxxps://sech[.]cl/wp-includes/rand/leafmailer[.]php
hxxp://unionbankonline[.]light-nutrition[.]com/leafmailer2[.]8[.]php
hxxps://zaimcraft[.]ru/
hxxps://account-login-inc[.]com/wp-admin/ky-verification/leafmailer2[.]8%20(1)[.]php?emailfilter=on
hxxp://caudan-vous-accueille[.]com/images/gmapfp/hsfgdyfy[.]php?pass=kod3
hxxp://mailqwerty[.]xyz/
hxxp://www[.]thaimartin[.]co/aku/pro[.]php
hxxp://wonodds[.]club/wp-content/plugins/qohdbjl/classic[.]php
hxxps://uni-leipzig[.]email/leaf[.]php?emailfilter=on
hxxp://theqwrqwry[.]com/leafmailer2[.]8[.]php?emailfilter=on
hxxps://dduuwwc[.]com/1[.]php?emailfilter=on
hxxp://hghfhgfhs[.]com/1[.]php?emailfilter=on
hxxps://adggnbbvns[.]com/leafmailer2[.]8[.]php?emailfilter=on
hxxp://galaxysystemsgroup[.]com/1[.]php?emailfilter=on
hxxps://freesolos[.]club/inc/PHPMailer/test_script
hxxps://github[.]com/Synchro/PHPMailer/
hxxp://envision-media[.]co/wp-includes/js/jcrop/leafup[.]php?pass=0112255
hxxp://www[.]netsisantalya[.]com/wp-content/themes/skand/lhcqyhebrt[.]php?pass=nsgonwmful

Many of them are compromised websites where the mailer is deployed and used to send spam.

Conclusion: Keep an eye on your bounced messages, sometimes they may reveal interesting information!

[1] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[2] https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
[3] https://leafmailer.pw
[4] https://urlscan.io/result/3289f4f9-6db2-46e8-b72b-fa3b1561bdf6/related/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Posted in: SANS

Leave a Comment (0) ↓