Sponsored by..

Thursday 6 June 2013

rxlogs.net: spam or Joe Job?

I've had nearly one hundred of these this morning. Is it a genuine spam run or a Joe Job?

Date:      Thu, 6 Jun 2013 09:44:18 -0700 [12:44:18 EDT]
From:      Admin [whisis101@gmail.com]
Reply-To:      ec2-abuse@amazon.com

facebook   
You recently requested a new password for your Facebook account. It looks like we sent you an email with a link to reset your password 4 ago.
This is a reminder that you need to complete this action by clicking this link and Confirm or Cancel your request.

If you have any other questions, please visit our Help Center.
Thanks,
The Facebook Team



The link in the emails goes to multiple pages on rxlogs.net which as far I as can tell is not malware, but is a blog about online pharmacies. But is is spam? Well, let's dig a little deeper..

Each email comes from a different IP, probably being sent by a botnet. That's pretty normal for pharma spam, but in this case there appear to be some anomalous addition headers..

The mildly munged headers from an example email are quite revealing. It appears that there are references to Amazon ECS (Amazon's cloud service) and a valid sender address of whisis101 -at- gmail.com injected into the headers, along with a load of other elements that you'd expect from botnet spam. The email has at no point hit either Gmail or Amazon, but the headers appear to have been faked in order to generate reports to Amazon and/or Gmail. It's worth noting that rxlogs.net is hosted on 107.20.147.122 which is an Amazon IP, so this is beginning to look like a Joe Job.
Received: from lsh410.van.ca.siteprotect.com (204.174.223.206)
  by [redacted] with SMTP; 6 Jun 2013 07:37:53 -0000
Date: Thu, 6 Jun 2013 00:37:53 -0700
To: [redacted]
From: Admin [whisis101 -at- gmail.com]
Return-Path: [bantstreetpottery -at- sctelco.net.au]
Reply-To: ec2-abuse -at- amazon.com
Subject: Reminder: Reset your password
Message-Id: [2cc3f11ac2ce3aa7d59d8682eee6df05@notify.amazon.com]
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
So what do we know about the domain rxlogs.net? Well, the WHOIS details appear to be genuine and not hidden, I've redacted the most of the personal information but some of the key details are:

domain:       rxlogs.net
owner:        Stephen K. Walker
email:        whisis101 -at- gmail.com
address:      [redacted]
city:         [redacted]
postal-code:  [redacted]
country:      US
phone:        +7.[redacted]


The "From" address in the email matches the registration address in the WHOIS. Does that make it a genuine email? No, because no spammer is stupid enough to use their real email address in a spam run like this. Again, this smells like a Joe Job.

Another key indicator that this is a Joe Job is that all the dozens of emails have been sent to a spamcop.net email address, and there are far more emails that you would normally see for this type of spam run. This behaviour is typical for a Joe Job attack, the spammer pick the people who are most likely to complain and then hit them repeatedly to get try to get them to file a complaint with the victim's web host.

If you use Gmail, the email links back to a spare but apparently genuine Google+ profile, which links back to rxlogs.net. Which really leads to the next question.. what is rxlogs.net about?


rxlogs.net appears to be a genuine attempt to look at and rate online pharmacies using secondary sources to judge reliability and trustworthiness. The sites carries some paid advertising, but doesn't appear to deal with prescription medications directly, it looks like an affiliate site.

I'm not an expert in the US online pharmacy market, but I do know that you can check the legitimacy of online pharmacies with LegitScript but this is not without criticism.

My guess is that what has happened here is that Mr Walker has posted something on rxlogs.net which exposes a bogus pharma operation run by the same spammers sending out these emails. In other words, I believe this is a Joe Job and not a "genuine" spam run, and rxlogs.net is simply another victim of the bad guys.


No comments: