Sponsored by..

Monday, 4 August 2014

"Sup" snowshoe spam from

Here's a strange spam I've been tracking for a couple of days:

Date:      Sun, 03 Aug 2014 20:56:48 -0700 [08/03/14 23:56:48 EDT]
From:      Olive [olive@platesat.us]
Subject:      Sup

The HTML in the body text reads:
<meta content="text/html; charset=utf-8" http-equiv="content-type">
<meta http-equiv="Content-Language" content="en-us"/>
<img src="http://www.gonename.us/unsubscribe.php?email=[redacted]">
The "IMG" is invalid and shows a placeholder.. making you think that it is broken, but in fact it is triggering the "unsubscribe" link in the email. So.. the email automatically unsubscribes its victims? No exactly.

A look at the root directory of www.gonename.us ( = petyrbaelish.asmallorange.com) shows the inner workings of the spam:

The presence of unsubscribe.dat and unsubscribe.php is a characteristic of Maxprog MaxBulk Mailer which like all mailing list applications can be used for good or evil. MaxBulk Mailer does have an unsubscribe option which stores names the unsubsribe.dat file (hardly secure, I know), and what appears to be happening in this case is the the HTML has been altered slightly to make everyone unsubscribe.

Finnell's Corollary to the Rules of Spam states that spammers define "remove" as "validate  which is exactly what is happening here.. when someone opens the email (if their email displays images) then it automatically confirms that they have opened it. A crude but effective way of confirming that the email address is valid.

At the time of writing, over 6800 email addresses have been validated for further spamming, a number that is increasing quite rapidly. Emails are held in plaintext and can be harvested by anyone.

No doubt the people who opened this email can look forward to a whole set of additonal spam in their inboxes.

All the sending IPs are in the range (Network Data Center Host Inc, US). Each IP has a .us domain hosted on it, but the WHOIS details for each domain appear to be fake.

This attack started last week with a different range of sending addresses in the (OVH, France / VertVPS, Canada) range sending victims to a spamvertised site of www.morehex.us which was configured in the same way. All those sites have now been suspended. Email subjects in that case were:
What's up?
Hey Sister

Whoever is running these spam servers has taken enormous pains to hide their identity, and they are also well-resourced enough to be able to rent server farms for a short period until they get terminated.

I've seen the following domains and IPs in the spam I have received myself, no doubt there are other domains and IPs too.

IP Domain Type Contact Contact email autofinder-low.us Email Laurs Finch laursfinchk995@yahoo.com indeed-removefats.com Email Oli Brooker olibrooker732@yahoo.com top-auto-locator.com Email Oli Brooker olibrooker732@yahoo.com improvekitchen-cabinet-repair.com Email Oli Brooker olibrooker732@yahoo.com tried-protectivecoats.com Email Oli Brooker olibrooker732@yahoo.com active-timeshares-sells.com Email Oli Brooker olibrooker732@yahoo.com proposed-lifeinsurance.com Email Lynne Dargle lynnedargle786@yahoo.com low-mortgage-quotes-own.com Email Lynne Dargle lynnedargle786@yahoo.com immediately-findwindows.com Email Lynne Dargle lynnedargle786@yahoo.com belly-fats-reducerhuge.com  Email Oli Brooker olibrooker732@yahoo.com liegewalk.us Email Chere Danes cheredanes736@yahoo.com scrapehold.us Email Chere Danes cheredanes736@yahoo.com teasesat.us Email Chere Danes cheredanes736@yahoo.com cutecrane.us Email Chere Danes cheredanes736@yahoo.com milkfame.us Email Chere Danes cheredanes736@yahoo.com faintwalk.us Email Chere Danes cheredanes736@yahoo.com moussehold.us Email Chere Danes cheredanes736@yahoo.com platesat.us Email Chere Danes cheredanes736@yahoo.com awaycrane.us Email Chere Danes cheredanes736@yahoo.com flapfame.us Email Chere Danes cheredanes736@yahoo.com gonename.us Web Kristie Fisher kristiefisher103@yahoo.com morehex.us Web Helena Hodgson helenahodgson177@yahoo.com

Looking more deeply into the /27 also yields some more domains, all of which have fake or anonymous WHOIS details:


Recommended blocklist:

No comments: