The countries of hackers originating malware-laced spam runs have been exposed by new research, which confirms they are often located thousands of miles away from the compromised systems they use to send out junk mail. A third of targeted malware attacks sent so far in March came from the United States (36.6 per cent), based on …
Is it me being thick...
So how exactly did they manage to guess the true origin of SPAM sent by zombies? There are not that many open relays left out there to actually have true header information suitable for analysis. In the case of zombies everything in the header is faked and nothing can be trusted. So what address is there is pretty irrelevant...
Next stage analysis
An originator cannot fake its IP address as it would not be able to complete the handshake. Secondly, you may be able to somehow fake stage 1, but the next stage is no longer under your control so you'll have at least a grip on the route.
In summary, it appears the bad guys transmit from China/Romania et al, and the idiots who have their systems infected are in the US. That's fun - at least you could theoretically sue them through their own legal system for collaborating. Hmm...
Looks like they were focused on webmail accounts, which generally record the user's IP in the headers. So you get a US-based server for the webmail host, but a web-client IP from somewhere else. I suppose it could be bots from other countries connecting up to US-based webmail services, but yeah, we'll never know the actual source of anything that comes out of a botnet.
Was wondering that myself...
How do they verify that the SENDER e-mail addresses (which can easily be faked) are genuine?
...they checked the X-Originating-IP Header of e-mails coming from (presumably compromised) webmail accounts hosted on (presumably uncompromised) servers.
You could still argue that baddies used additional redirection when submitting the e-mail, so that the machine in Shaoxing submitting the e-mail is actually a zombie PC controlled from Uppsala instead of the primary source, but that may be going too far.
Not if you're covering up tracks, it isn't.
If you plan to make an action that could conceivably be traced to you, chances are you're going to employ some means to disguise your origin so that, even if the law starts digging, they won't find the truth. They could for all you know be using an anonymizer service, an onion router, or the like. IOW, odds are not only is the sender's e-mail not likely to be legit, neither is the originating IP.
check your Received header chain
You need to look at a few full email headers. If your postmaster rips open your envelopes, throws these away and cuts off your letterheadings as some webmail providers do, then you'll stay ignorant until you choose to use a decent incoming mail delivery service. When you can check your full headers, the IP address delivering to the first trusted gateway in your trusted incoming chain is the one you filter/reject it on, blacklist if you want to and check blacklists for. This can all be done automatically.
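One way to apply the "first trusted gateway" rule from the comment above, together with the X-Originating-IP check raised earlier in the thread, written as an added example rather than code from the article or any commenter; the gateway names, addresses and the sample message are all constructed:

```python
import re
from email import message_from_string

# Hosts and addresses that make up OUR inbound chain (assumed for this example).
TRUSTED_HOSTS = {"mail.example.net", "mx2.example.net", "mx1.example.net"}
TRUSTED_IPS = {"192.0.2.10", "192.0.2.20"}

HOP_RE = re.compile(r"^from\s+(?P<from>.*?)\s+by\s+(?P<by>[\w.\-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def delivering_ip(received_values, trusted_hosts=TRUSTED_HOSTS, trusted_ips=TRUSTED_IPS):
    """Walk Received headers newest-first. The first hop stamped by one of our
    gateways whose connecting address is not ours is the hand-off from the
    outside world; that address completed a TCP handshake with us, so it is the
    one to filter, reject or blacklist on. Every header below it was written by
    hosts we do not control and may be forged, so we stop there."""
    for value in received_values:
        hop = HOP_RE.match(" ".join(value.split()))  # unfold the header first
        if not hop or hop.group("by").lower() not in trusted_hosts:
            return None  # a hop we did not stamp: the trusted chain ends here
        ip = IP_RE.search(hop.group("from"))
        if ip and ip.group(1) not in trusted_ips:
            return ip.group(1)
    return None


def webmail_client_ip(msg):
    """X-Originating-IP is added by some webmail front ends to record the browser's
    address. It is only as trustworthy as the provider that stamped it."""
    m = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", msg.get("X-Originating-IP") or "")
    return m.group(0) if m else None


def analyse(raw_message):
    msg = message_from_string(raw_message)
    return {"delivering_ip": delivering_ip(msg.get_all("Received") or []),
            "webmail_client_ip": webmail_client_ip(msg)}


# Constructed sample: submitted through a webmail front end (not ours), then relayed
# across our three gateways. The newest Received line is on top, as in real mail.
SAMPLE = (
    "Received: from mx2.example.net (mx2.example.net [192.0.2.20])\n"
    "\tby mail.example.net with ESMTP; Thu, 15 Mar 2012 10:00:03 +0000\n"
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    "\tby mx2.example.net with ESMTP; Thu, 15 Mar 2012 10:00:02 +0000\n"
    "Received: from webmail.example.org (webmail.example.org [203.0.113.5])\n"
    "\tby mx1.example.net with ESMTP; Thu, 15 Mar 2012 10:00:01 +0000\n"
    "Received: from [198.51.100.77] by webmail.example.org with HTTP\n"
    "X-Originating-IP: [198.51.100.77]\n"
    "From: someone@example.org\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(analyse(SAMPLE))  # {'delivering_ip': '203.0.113.5', 'webmail_client_ip': '198.51.100.77'}
```

The delivering address identifies the webmail provider that handed the message to us; the X-Originating-IP value is the provider's claim about its web client, which is the figure the research quoted in the article appears to rest on.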
How water discovered
"Analysis of the sender's IP address, rather than the IP address of the email server, reveals the true source of these targeted attacks."
No shit, Sherlock. I've known that since 1996, ever since Eudora allowed me to send email from my PC instead of directly sending it from the UNIX Workstations. That's why the headers usually stamp the originating SMTP server *and* the originating IP from which the email actually came from.
The thing is that it is mostly the zombie PC sending the e-mail, so even this source IP might end up being irrelevant. :(
re: Is it me being thick...
Wait a second...
"The average additional inbound and outbound traffic due to TLS requires an overhead of around 1KB, smaller than the average size of spam emails"
Surely you mean "..., larger than..."?
How to be sure?
Dead simple: Honeypots.
If you have total control of a zombie and its supporting infrastructure, you can trace the commands coming in and the previous step in the chain.
Sending mail server.
"A large proportion of targeted attacks are sent from legitimate webmail accounts....."
In these cases the IP address of the sending mail server is highly relevant. It tells us which webmail providers need to get off their fat, complacent arses and beef up their security to stem the tide of sewage flowing from their shite services.
Here's an idea. If the webmail providers' spam filters can pick up spam with very high accuracy inbound as they do, why the f*** can't they run outbound mail through the things? They could provide an O/B spam folder of things wot were blocked, giving the legitimate user the option to either flag individual items as not spam or, far more likely, delete the lot and change their sodding password. They wouldn't even need to run the spam filters aggressively O/B, keeping false positives to a bare minimum, as just blocking the bleedin' obvious stuff would render this route unusable to spammers.
One at a time - with authentication. We don't want anyone scripting that.
Re: How to be sure?
>> If you have total control of a zombie and its supporting infrastructure, you can trace the commands coming in and the previous step in the chain.
Yes but that only gives you one step back in the chain. So that only tells you that the X% of bots sending spam are downstream of bots in China/Russia/US. I don't see how they can be certain if it is the original source, or just another bot - unless they have managed to successfully follow the chain and prosecute the spammer, however this would give misleading numbers as it is possibly easier to follow the chain in certain countries than others.