Spam Storm, July 26th 2005

July 27, 2005

There's a spam storm blowing strong this week and it's irritating me, because it's pretty much all coming from compromised zombie machines. Again. Zombies are clearly the number one general spam problem, and it's probably only going to get worse as more and more of the world gets more and more broadband.

The biggest indicator I have of the storm is simple: since 6am on Sunday, we've had 233,000 SMTP connections. As mentioned recently, we normally see on the order of 120,000 connections in a week; in less than three days, we're already at twice the weekly volume.

We use a simple IP-based greylisting technique, which the zombies appear to be powering through by retrying over and over. Unlike the first, very simple spam zombies, these seem to parse SMTP replies enough to abort if they don't get any RCPT TO: commands accepted, which is a nice change. (There was a time when reading our SMTP server command logs would let one see entire spam messages, along with a blizzard of 'syntax error' replies.)
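To make the "powering through" concrete, here is an added example (my own sketch, not the code running on our mail server) of IP-based greylisting with one extra tripwire: a sender that keeps hammering the same temporary rejection inside the minimum retry delay gets marked as a zombie instead of being let through once the delay elapses. The delay, window and burst limit are assumed values, and the connection log it replays is constructed for the example.

```python
"""IP-based greylisting with a retry-burst tripwire.

Added example, not the site's own greylisting code. The policy knobs
below are assumed values, not anything the post reports using.
"""
from dataclasses import dataclass

MIN_DELAY = 300       # seconds a new sender must wait before a retry is accepted
WINDOW = 4 * 3600     # seconds a pending greylist entry stays valid
BURST_LIMIT = 5       # retries inside MIN_DELAY before we call the sender a zombie


@dataclass
class Entry:
    first_seen: float
    attempts_in_delay: int = 0   # retries that came back before MIN_DELAY
    passed: bool = False         # True once a properly delayed retry got through


class Greylist:
    def __init__(self) -> None:
        self.entries: dict[str, Entry] = {}
        self.zombies: set[str] = set()

    def check(self, ip: str, now: float) -> str:
        """Return the SMTP reply for a connection from ip at time now (seconds)."""
        if ip in self.zombies:
            return "554 5.7.1 rejected: retry pattern looks like a spam zombie"
        e = self.entries.get(ip)
        if e is None:
            # First contact: a real MTA will queue the message and come back later.
            self.entries[ip] = Entry(first_seen=now)
            return "451 4.7.1 greylisted, please try again later"
        if e.passed:
            return "250 OK"
        age = now - e.first_seen
        if age > WINDOW:
            # Stale entry: treat this as a fresh first contact.
            self.entries[ip] = Entry(first_seen=now)
            return "451 4.7.1 greylisted, please try again later"
        if age < MIN_DELAY:
            # Too soon. Legitimate MTAs back off for minutes; zombies retry at once.
            e.attempts_in_delay += 1
            if e.attempts_in_delay >= BURST_LIMIT:
                self.zombies.add(ip)
                return "554 5.7.1 rejected: retry pattern looks like a spam zombie"
            return "451 4.7.1 greylisted, please try again later"
        # Retried after a sensible delay: whitelist the IP from now on.
        e.passed = True
        return "250 OK"


def replay(log: list[tuple[float, str]]) -> list[str]:
    """Feed (time, ip) connection records through a fresh greylist; return reply codes."""
    g = Greylist()
    return [g.check(ip, t)[:3] for t, ip in log]


# Constructed connection log: 192.0.2.10 behaves like a real MTA (retries after
# 15 minutes); 198.51.100.7 behaves like a zombie (retries every five seconds).
SAMPLE_LOG = [
    (0, "192.0.2.10"),
    (0, "198.51.100.7"),
    (5, "198.51.100.7"),
    (10, "198.51.100.7"),
    (15, "198.51.100.7"),
    (20, "198.51.100.7"),
    (25, "198.51.100.7"),
    (900, "192.0.2.10"),
    (1000, "198.51.100.7"),
]

if __name__ == "__main__":
    for (t, ip), code in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"t={t:5d} {ip:15s} -> {code}")
```

The real MTA gets its 250 on the second try; the zombie is cut off on its fifth immediate retry and stays cut off even when it finally comes back after the delay. The usual caveat applies: some legitimate sites do retry aggressively, so the burst limit needs to be generous enough, and a 554 for a whole IP is a blunt instrument if that IP is a shared outbound relay.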

The other big indication of spam storms is that our logs light up with a lot of essentially the same rejection. In this case, there seems to be one spam gang in two different forms.

#1: 'Foundation Men On Line'

The first spam gang sends multipart/alternative messages with a garbage plaintext part and a HTML part that's mostly a giant table designed to break up certain giveaway words. They use a consistent hostname pattern for their web sites, of '<Word>.<domain>.net' (they probably use .com domains too); the <Word> always has an initial capital. Because of the table structure, they have six zillion links in the message, all using the same domain with different words. They also seem to use Subject: lines that start with 'Re[<N>]:' or 'Re<N>:', which is pretty distinctive.
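Those three giveaways (the 'Re[<N>]:' subject, the '<Word>.<domain>.net' hostnames with the initial capital, and a blizzard of links to different <Word>s on one domain) are mechanical enough to check by hand in a few lines. What follows is an added example, not anything from our actual filters: a small stdlib-only Python classifier that parses a message, pulls the hrefs out of the HTML part and scores it on those three features. The link-count threshold is an assumed value, and the sample message it is fed is constructed, using example.net rather than any of the real domains.

```python
"""Score a message against the 'Foundation Men On Line' signature.

Added example, not the site's own filter. MIN_LINKS is an assumed threshold;
the sample messages at the bottom are constructed for the example.
"""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subject lines like 'Re[3]: ...' or 'Re3: ...'
SUBJECT_RE = re.compile(r"^Re(?:\[\d+\]|\d+):", re.ASCII)
# Hostnames like 'Word.somedomain.net' (or .com) with a capitalised first label
HOST_RE = re.compile(r"^([A-Z][a-z]+)\.([a-z0-9-]+\.(?:net|com))$", re.ASCII)
MIN_LINKS = 10   # assumed: distinct <Word>s on one domain before we call it a hit


class LinkCollector(HTMLParser):
    """Collect href attributes from every <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def html_links(msg: Message) -> list[str]:
    """Return all hrefs found in the text/html parts of a message."""
    hrefs: list[str] = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "ascii", "replace")
            collector = LinkCollector()
            collector.feed(text)
            hrefs.extend(collector.hrefs)
    return hrefs


def classify(raw_message: str) -> dict:
    """Score one RFC 2822 message; 'spam' is True when subject and link pattern both hit."""
    msg = message_from_string(raw_message)
    subject_hit = bool(SUBJECT_RE.match(msg.get("Subject", "")))
    # Group the capitalised first labels by the domain they hang off.
    words_by_domain: dict[str, set[str]] = {}
    for href in html_links(msg):
        # netloc rather than .hostname: .hostname lowercases, which would hide the capital
        host = urlsplit(href).netloc.rsplit("@", 1)[-1].split(":")[0]
        m = HOST_RE.match(host)
        if m:
            words_by_domain.setdefault(m.group(2), set()).add(m.group(1))
    domain, words = max(words_by_domain.items(), key=lambda kv: len(kv[1]),
                        default=(None, set()))
    return {
        "subject_hit": subject_hit,
        "domain": domain,
        "distinct_words": len(words),
        "spam": subject_hit and len(words) >= MIN_LINKS,
    }


def build_sample(domain: str, words: list[str], subject: str) -> str:
    """Construct a multipart/alternative message with a garbage text part and a table of links."""
    cells = "".join(f'<td><a href="http://{w}.{domain}/">{w}</a></td>' for w in words)
    return (
        f"From: someone@{domain}\r\n"
        "To: victim@example.org\r\n"
        f"Subject: {subject}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/alternative; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n\r\n"
        "qwf oiu zzx lorem garbage text\r\n"
        "--b1\r\n"
        "Content-Type: text/html; charset=us-ascii\r\n\r\n"
        f"<html><body><table><tr>{cells}</tr></table></body></html>\r\n"
        "--b1--\r\n"
    )


# Constructed samples: one matching the signature, one ordinary reply.
SPAM_WORDS = ["Able", "Baker", "Charlie", "Dog", "Easy", "Fox",
              "George", "How", "Item", "Jig", "King", "Love"]
SPAM_SAMPLE = build_sample("example.net", SPAM_WORDS, "Re[2]: your order")
HAM_SAMPLE = build_sample("example.org", ["www", "docs"], "Re: lunch on Friday")

if __name__ == "__main__":
    print(classify(SPAM_SAMPLE))
    print(classify(HAM_SAMPLE))
```

Requiring both the subject pattern and the link pattern keeps the false-positive rate down; either one alone (a legitimate 'Re[2]:' from some mail clients, or a newsletter with many links to one domain) is too common on its own to reject on.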

Domains I've seen them use include aliener.net, trapeziums.net, oiling.net, subsidises.net, and homespuns.net. They seem to be pushing male potency drugs and hosting out of China Network Communications Group Hainan (specifically IP address 221.11.133.66). They seem to have started their spamming as far back as July 19th, but only spun up to full speed on us recently.

Their domains seem to be registered to 'Foundation Men On Line', nameservice from balladries.com, nameservice out of 211.147.228.0/24 and 221.11.133.0/24 (both in China, of course). All their domains are registered through Yesnic in China (the choice of discriminating spammers).

Update: the latest domain, 'taxables.net', is now registered under the name 'Harry Gourley' and the email address whois77000@yahoo.com. Unlike the previous ones, which claimed an address in the Netherlands, this domain claims to be registered to someone in Georgia (not the US state, the one in Europe). It was registered July 26th 2005, so they're probably cycling through domains rapidly.

Update 2: as of July 29th, the spammer has switched to the domain 'hundertsoft.com', at IP address 81.177.13.233 (SBL listed) in Russia. Nameservice has switched to 'moviedvddownload.info' (with the nameservers apparently located in the same network block) and the registry information has switched to 'James Halicho', claiming to be in Sunnyvale California.

#2: joboffer-colorphotomix.com

This is a form letter soliciting 'job applications' to the email address manager@joboffer-colorphotomix.com. At first I thought this was a separate spam, but this domain has identical registration details to the spammed domains above, including the claimed owner, so now it looks like another tentacle.

All of the spams I've received start with the following, in plain text and distinctly justified (never do this in plain ASCII, but that's another rant):

Our company deals with the software development, creation of human-engineered interface web-sites and modern design. We work with the clients from Canada, United Kingdom, Deutschland and the USA.

It goes on to offer part time work as a 'financial manager', which should be setting off your alarm bells. It's quite possible that the offer is 'genuine', but will enmesh any respondents in the primary spamming work of 'Foundation Men On Line'. (And whatever happens, they're likely to harvest the email addresses they get and spam them madly.)

Typical subject lines seem to be things like 'Amazing job offer <Name>'. The <Name> seems completely unrelated to who it gets sent to.

The domain is hosted by informtelecom.ru. I suspect that they are not about to stop hosting it any time soon, unfortunately. (I shall hope for a prompt SBL listing to encourage them otherwise, since these spammers seem to be rather virulent.)


Last modified: Wed Jul 27 01:56:45 2005