Home page logo

funsec logo funsec mailing list archives

Re: Mailer Software that inserts "X-NSCC" header?
From: Rich Kulawiec <rsk () gsp org>
Date: Fri, 28 Jun 2013 07:42:39 -0400

On Thu, Jun 27, 2013 at 12:02:15AM -0400, Jeffrey Walton wrote:
Spam to follow in case you need the sample in your database.

Got it -- thanks, this is most useful.

Here's my best guess as to what these mean:

        X-NSCC-CustomerSegment: XXXX
        X-NSCC-FileID: YYYY
        X-NSCC-CampaignId: ZZZZ
        X-NSCC-Tracking-Header: Email Campaign Manager
        X-NSCC-MeterId: YYYYYY

I suspect that "NS" is "Network Solutions".  I suspect that "CC"
is "Customer Care", which is what corporations often like to call the
department responsible for treating customers like dirt.  (But I have
less confidence in that guess than the first one.)  These headers
probably serve the purpose as these other (quasi-common) ones,
found exclusively (AFAIK) in spam samples:

        X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
        X-AntiAbuse: Primary Hostname - server.forexu.info
        X-AntiAbuse: Original Domain - XXXXXXXXXX
        X-AntiAbuse: Originator/Caller UID/GID - [YYY Y] / [YYY Y]
        X-AntiAbuse: Sender Address Domain - ZZZZZZZZZZZZZZZZZZZZZ

The identifying information encoded in all of these enables the spammer
to process complaints efficiently...where "efficiently" means, variously,
"to remove the complainer and keep right on spamming" (listwashing),
"to target the complainer for further abuse", and/or "to sell the
complainer's address to other abusers".  Other uses include tracking
"deliverability" and computing billing for the spammer's client. [1]

In other words, the numeric values encode which victim database was
used, what mail system actually sent the spam, which spam payload
was included, and so on.  This enables the spammers to work out
the best methods for evading blocking by performing statistical
analysis that correlates the SMTP logs with the methodology used.

Some of the major spammers-for-hire are quite good at this.
One way to run experiments on them is to set up fake addresses
and then manipulate the acceptance/rejection of email traffic
to them.  Even simplistic approaches sometimes yield tangible
results: address A, which accepts all incoming email, will
continue to get it via the same methodology; address B, which
rejects all incoming email from methodology 1, will eventually
be targeted by methodologies 2, 3 and 4 in an attempt to evade
the blocking.  And address C, which availed itself of whatever
bogus "unsubscribe" facility they offer, will eventually be
targeted by methodology 5 or 6.


[1] Speaking of reliable indicators, anyone who uses the terms "campaign"
or "blast" in conjunction with their email activities is almost certainly
a spammer (and will almost certainly deny it).  So the presence of
X-NSCC-CampaignId: in the header of the spam sent to you is telling.
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]