Monday 4 August 2014

"Sup" snowshoe spam from 208.71.174.32/27

Here's a strange spam I've been tracking for a couple of days:

Date:      Sun, 03 Aug 2014 20:56:48 -0700 [08/03/14 23:56:48 EDT]
From:      Olive [olive@platesat.us]
Subject:      Sup

The HTML in the body text reads:
<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="content-type">
<meta http-equiv="Content-Language" content="en-us"/>
</head>
<body>
<img src="http://www.gonename.us/unsubscribe.php?email=[redacted]">
</body>
</html>
The "IMG" does not point at a real image, so the mail client shows a broken-image placeholder.. making you think that it is broken, but in fact fetching it triggers the "unsubscribe" link in the email. So.. the email automatically unsubscribes its victims? Not exactly.

A look at the root directory of www.gonename.us (143.95.38.234 = petyrbaelish.asmallorange.com) shows the inner workings of the spam.

The presence of unsubscribe.dat and unsubscribe.php is characteristic of Maxprog MaxBulk Mailer, which like all mailing list applications can be used for good or evil. MaxBulk Mailer does have an unsubscribe option which stores addresses in the unsubscribe.dat file (hardly secure, I know), and what appears to be happening in this case is that the HTML has been altered slightly to make everyone who opens the message "unsubscribe".

Finnell's Corollary to the Rules of Spam states that spammers define "remove" as "validate", which is exactly what is happening here.. when someone opens the email (if their mail client displays remote images) the request for the image automatically confirms that the address is live and the message was opened. A crude but effective way of confirming that the email address is valid.

At the time of writing, over 6800 email addresses have been validated for further spamming, a number that is increasing quite rapidly. The addresses are held in plaintext and can be harvested by anyone who finds the file.

****@test.com
********@freeuk.com
******@herregodts.com
******@mt.net.mk
*****@sabbangroup.com
************@solways.com.au
****@fundesigner.info
*********@lycos.co.kr
******@henryhunt.co.uk
*************@killingjoke.fr
*****@rlcfl.org
**********@sg-creation.com
**@rafting-experience.com
****@virtualinfosys.us
*********@heinemann-it.com
*****@intfalconer.net
****@intfalconer.net
***@de-laxdesigndomestic.com
***@hs-furtwangen.de
*********@ben-plastic.com
***********@rapidrepairs.biz
******@naver.com
****@ajuda.org.uk
****@hostcolor.com
*****@kiteworks.co.uk
********@rocketcreative.co.uk
*******@mw-telecom.com
****@hjtherapy.co.uk
******@viralbamboo.com
No doubt the people who opened this email can look forward to a whole set of additional spam in their inboxes.

All the sending IPs are in the 208.71.174.32/27 range (Network Data Center Host Inc, US). Each IP has a .us domain hosted on it, but the WHOIS details for each domain appear to be fake.

This attack started last week with a different range of sending addresses, 188.165.94.176/28 (OVH, France / VertVPS, Canada), directing victims to a spamvertised site at www.morehex.us which was configured in the same way. All those sites have now been suspended. Email subjects in that case were:
What's up?
Hey Sister
G'day


Whoever is running these spam servers has taken enormous pains to hide their identity, and they are also well-resourced enough to be able to rent server farms for a short period until they get terminated.

I've seen the following domains and IPs in the spam I have received myself, no doubt there are other domains and IPs too.


IP               Domain                             Type   Contact         Contact email
5.254.115.198    autofinder-low.us                  Email  Laurs Finch     laursfinchk995@yahoo.com
174.140.162.115  indeed-removefats.com              Email  Oli Brooker     olibrooker732@yahoo.com
174.140.162.116  top-auto-locator.com               Email  Oli Brooker     olibrooker732@yahoo.com
174.140.162.119  improvekitchen-cabinet-repair.com  Email  Oli Brooker     olibrooker732@yahoo.com
174.140.162.120  tried-protectivecoats.com          Email  Oli Brooker     olibrooker732@yahoo.com
174.140.162.123  active-timeshares-sells.com        Email  Oli Brooker     olibrooker732@yahoo.com
174.140.162.124  proposed-lifeinsurance.com         Email  Lynne Dargle    lynnedargle786@yahoo.com
174.140.162.125  low-mortgage-quotes-own.com        Email  Lynne Dargle    lynnedargle786@yahoo.com
174.140.162.126  immediately-findwindows.com        Email  Lynne Dargle    lynnedargle786@yahoo.com
188.165.94.189   belly-fats-reducerhuge.com         Email  Oli Brooker     olibrooker732@yahoo.com
208.71.174.35    liegewalk.us                       Email  Chere Danes     cheredanes736@yahoo.com
208.71.174.36    scrapehold.us                      Email  Chere Danes     cheredanes736@yahoo.com
208.71.174.37    teasesat.us                        Email  Chere Danes     cheredanes736@yahoo.com
208.71.174.38    cutecrane.us                       Email  Chere Danes     cheredanes736@yahoo.com
208.71.174.39    milkfame.us                        Email  Chere Danes     cheredanes736@yahoo.com
208.71.174.40    faintwalk.us                       Email  Chere Danes     cheredanes736@yahoo.com
208.71.174.41    moussehold.us                      Email  Chere Danes     cheredanes736@yahoo.com
208.71.174.42    platesat.us                        Email  Chere Danes     cheredanes736@yahoo.com
208.71.174.43    awaycrane.us                       Email  Chere Danes     cheredanes736@yahoo.com
208.71.174.44    flapfame.us                        Email  Chere Danes     cheredanes736@yahoo.com
143.95.38.234    gonename.us                        Web    Kristie Fisher  kristiefisher103@yahoo.com
143.95.32.129    morehex.us                         Web    Helena Hodgson  helenahodgson177@yahoo.com

Looking more deeply into the /27 also yields some more domains, all of which have fake or anonymous WHOIS details:

dormsuper.com
szqe36.dormsuper.com
liegewalk.us
quality-reducer-bodyfats.us
scrapehold.us
its-find-autofinder.us
teasesat.us
better-bathtubs-deals.us
cutecrane.us
trust-profilescheck.us
milkfame.us
on-kitchen-cabinet-repair.us
faintwalk.us
myinstant-files-review.us
moussehold.us
oil-changecoupons-detail.us
platesat.us
hair-regrow-completed.us
awaycrane.us
learned-sells-timeshare.us
flapfame.us
easy-directview-package.us
boatscast.com
rpcu46.boatscast.com
submit.boatscast.com

Recommended blocklist:
208.71.174.32/27
gonename.us
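As an added example (my own script, not part of the original post and not MaxBulk Mailer's code), here is a small Python check that catches both halves of what is described above: an IMG tag whose URL query string carries an email address is a validation beacon rather than a picture, and the connecting IP in the Received: header can be matched against the sending ranges named in this post. The sample message below is constructed from the headers and body shown above; the Received: line and the recipient address victim@example.net are assumptions, not from the page.

```python
"""Flag 'unsubscribe beacon' images and known snowshoe sending ranges."""
import email
import ipaddress
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Sending ranges quoted in the post (this /27 and last week's /28).
SPAM_RANGES = [ipaddress.ip_network(n) for n in ("208.71.174.32/27", "188.165.94.176/28")]

# Deliberately loose: we only need to spot an address-shaped query value.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class _ImgCollector(HTMLParser):
    """Collect every <img src=...> value from an HTML body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def beacon_urls(body_html):
    """Return img src URLs whose query string contains an email address."""
    collector = _ImgCollector()
    collector.feed(body_html)
    hits = []
    for src in collector.srcs:
        query = parse_qs(urlparse(src).query)
        if any(EMAIL_RE.match(v) for values in query.values() for v in values):
            hits.append(src)
    return hits


def received_ips(msg):
    """IPv4 literals in square brackets from every Received: header, as strings."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in RECEIVED_IP_RE.finditer(str(hdr)):
            try:
                ips.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                pass  # not a parseable address; skip it
    return ips


def in_spam_range(ip):
    """True if the IP (string) falls inside one of the listed sending ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SPAM_RANGES)


def analyse(raw_message):
    """Parse a raw RFC 822 message and report beacons and listed sending IPs."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_html = ""
    part = msg.get_body(preferencelist=("html",))
    if part is not None:
        body_html = part.get_content()
    return {
        "beacons": beacon_urls(body_html),
        "spam_range_ips": [ip for ip in received_ips(msg) if in_spam_range(ip)],
    }


# Constructed sample modelled on the spam shown in the post.
# The Received: line and recipient address are assumptions for the example.
SAMPLE = """\
Received: from platesat.us (platesat.us [208.71.174.42])
\tby mx.example.net with ESMTP; Sun, 03 Aug 2014 20:56:50 -0700
Date: Sun, 03 Aug 2014 20:56:48 -0700
From: Olive <olive@platesat.us>
To: victim@example.net
Subject: Sup
Content-Type: text/html; charset=utf-8

<html><body>
<img src="http://www.gonename.us/unsubscribe.php?email=victim@example.net">
</body></html>
"""

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The beacon check is deliberately independent of the recipient address: any image URL that carries an address in its query string is reporting something back to the web host, whether or not the address is the one the message was sent to.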
