Date: Sun, 03 Aug 2014 20:56:48 -0700 [08/03/14 23:56:48 EDT]
From: Olive [olive@platesat.us]
Subject: Sup
The HTML in the body text reads:
<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="content-type">
<meta http-equiv="Content-Language" content="en-us"/>
</head>
<body>
<img src="http://www.gonename.us/unsubscribe.php?email=[redacted]">
</body>
</html>
The "IMG" is invalid and shows a placeholder, making you think that it is broken, but in fact it is triggering the "unsubscribe" link in the email. So... the email automatically unsubscribes its victims? Not exactly.
A look at the root directory of www.gonename.us (143.95.38.234 = petyrbaelish.asmallorange.com) shows the inner workings of the spam:
The presence of unsubscribe.dat and unsubscribe.php is a characteristic of Maxprog MaxBulk Mailer, which, like all mailing list applications, can be used for good or evil. MaxBulk Mailer does have an unsubscribe option which stores names in the unsubscribe.dat file (hardly secure, I know), and what appears to be happening in this case is that the HTML has been altered slightly to make everyone unsubscribe.
Finnell's Corollary to the Rules of Spam states that spammers define "remove" as "validate", which is exactly what is happening here: when someone opens the email (if their email client displays images) it automatically confirms that they have opened it. A crude but effective way of confirming that the email address is valid.
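The trick described above is easy to spot mechanically: an image whose URL points at an unsubscribe-style handler and carries the recipient's address in the query string is a validation beacon, not a picture. The following Python is an added example (not code from the original post or from MaxBulk Mailer) that flags such tags in an HTML body; the path keyword list and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Path fragments suggesting an unsubscribe/confirmation handler (assumption:
# a starting list, extend it for your own mail stream).
SUSPECT_PATHS = ("unsubscribe", "unsub", "optout", "remove", "confirm")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class _ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_validation_beacons(html_body):
    """Return (src, email) pairs for <img> tags that would leak an address.

    A hit needs both an unsubscribe-like path and a query value that looks
    like an email address; a pixel with only an opaque id is not reported,
    and neither is an unsubscribe URL keyed by an opaque token.
    """
    parser = _ImgCollector()
    parser.feed(html_body)
    hits = []
    for src in parser.srcs:
        parts = urlsplit(src)
        if not any(p in parts.path.lower() for p in SUSPECT_PATHS):
            continue
        for values in parse_qs(parts.query).values():
            hits.extend((src, v) for v in values if EMAIL_RE.match(v))
    return hits


# Constructed sample modelled on the quoted message; the address is made up.
SAMPLE = ('<html><body><img src="http://www.example.invalid/unsubscribe.php'
          '?email=victim@example.com"><img src="http://cdn.example.invalid/'
          'pixel.gif?id=a1b2"></body></html>')

if __name__ == "__main__":
    print(find_validation_beacons(SAMPLE))
```

Run over a mailbox export, anything this returns is an address-confirmation beacon of the kind this campaign uses; blocking remote image loading by default defeats it entirely.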
At the time of writing, over 6800 email addresses have been validated for further spamming, a number that is increasing quite rapidly. The addresses are held in plaintext and can be harvested by anyone.
No doubt the people who opened this email can look forward to a whole set of additional spam in their inboxes.
All the sending IPs are in the 208.71.174.32/27 range (Network Data Center Host Inc, US). Each IP has a .us domain hosted on it, but the WHOIS details for each domain appear to be fake.
This attack started last week with a different range of sending addresses, 188.165.94.176/28 (OVH, France / VertVPS, Canada), directing victims to a spamvertised site at www.morehex.us that was configured in the same way. All those sites have now been suspended. Email subjects in that case were:
What's up?
Hey Sister
G'day
Whoever is running these spam servers has taken enormous pains to hide their identity, and they are also well-resourced enough to be able to rent server farms for a short period until they get terminated.
I've seen the following domains and IPs in the spam I have received myself; no doubt there are other domains and IPs too.
IP | Domain | Type | Contact | Contact email
5.254.115.198 | autofinder-low.us | | Laurs Finch | laursfinchk995@yahoo.com
174.140.162.115 | indeed-removefats.com | | Oli Brooker | olibrooker732@yahoo.com
174.140.162.116 | top-auto-locator.com | | Oli Brooker | olibrooker732@yahoo.com
174.140.162.119 | improvekitchen-cabinet-repair.com | | Oli Brooker | olibrooker732@yahoo.com
174.140.162.120 | tried-protectivecoats.com | | Oli Brooker | olibrooker732@yahoo.com
174.140.162.123 | active-timeshares-sells.com | | Oli Brooker | olibrooker732@yahoo.com
174.140.162.124 | proposed-lifeinsurance.com | | Lynne Dargle | lynnedargle786@yahoo.com
174.140.162.125 | low-mortgage-quotes-own.com | | Lynne Dargle | lynnedargle786@yahoo.com
174.140.162.126 | immediately-findwindows.com | | Lynne Dargle | lynnedargle786@yahoo.com
188.165.94.189 | belly-fats-reducerhuge.com | | Oli Brooker | olibrooker732@yahoo.com
208.71.174.35 | liegewalk.us | | Chere Danes | cheredanes736@yahoo.com
208.71.174.36 | scrapehold.us | | Chere Danes | cheredanes736@yahoo.com
208.71.174.37 | teasesat.us | | Chere Danes | cheredanes736@yahoo.com
208.71.174.38 | cutecrane.us | | Chere Danes | cheredanes736@yahoo.com
208.71.174.39 | milkfame.us | | Chere Danes | cheredanes736@yahoo.com
208.71.174.40 | faintwalk.us | | Chere Danes | cheredanes736@yahoo.com
208.71.174.41 | moussehold.us | | Chere Danes | cheredanes736@yahoo.com
208.71.174.42 | platesat.us | | Chere Danes | cheredanes736@yahoo.com
208.71.174.43 | awaycrane.us | | Chere Danes | cheredanes736@yahoo.com
208.71.174.44 | flapfame.us | | Chere Danes | cheredanes736@yahoo.com
143.95.38.234 | gonename.us | Web | Kristie Fisher | kristiefisher103@yahoo.com
143.95.32.129 | morehex.us | Web | Helena Hodgson | helenahodgson177@yahoo.com
Looking more deeply into the /27 also yields some more domains, all of which have fake or anonymous WHOIS details.
Recommended blocklist:
208.71.174.32/27
gonename.us