marhleet

spam using '404' call backs ?

http://www.spamcop.net/sc?id=z2514250194ze...39e6adf0435228z

the chinese are using some tricky '404' error message type links

where the web page quoted doesn't exist, it will chain back to the parent domain, which works, and up comes the spam site.

so there is no link resolution, and therefore no reporting to anyone.

the first link, http://sha.hatherx.cn/ , doesn't resolve

Parsing input: http://sha.hatherx.cn/

Cannot resolve http://sha.hatherx.cn/

No valid email addresses found, sorry!

but if that's pasted in to a URL processor,

http://weightlosscheap.net/ pops up after a sec.

so something is getting through.

Hi, marhleet,

...IIUC, your questions are addressed in the "SpamCop FAQ" (see links so labeled near top of page) entry labeled "SpamCop reporting of spamvertized sites - some philosophy." Please read that FAQ entry and return here with any questions you may still have. Thanks!

Hi, marhleet,

...IIUC, your questions are addressed in the "SpamCop FAQ" (see links so labeled near top of page) entry labeled "SpamCop reporting of spamvertized sites - some philosophy." Please read that FAQ entry and return here with any questions you may still have. Thanks!

still took me 5 mins to find that obvious thing you were pointing at. very tired.

but yeh, this is for reporting the origin of the spam

not all the links in the spam body.

hard to wade through the (suddenly) 40+ emails a day for the special chinese ones.

...the chinese are using some tricky '404' error message type links

where the web page quoted doesn't exist, it will chain back to the parent domain, which works, and up comes the spam site.

so there is no link resolution, and therefore no reporting to anyone.

They have been commented on before - you are seeing a botnet with revolving 'servers':

C:\Documents and Settings\Steve>nslookup sha.hatherx.cn

*

Non-authoritative answer:

Name: hatherx.cn

Addresses: 122.53.161.1, 211.173.141.155, 61.11.15.16, 80.99.200.8

81.184.65.101, 81.198.54.13, 89.149.88.86, 91.122.156.170

Aliases: sha.hatherx.cn

SC will usually resolve the address at the top of the stack eventually (one compromised machine out of many). Some of the individual addresses may be offline or difficult (slow to trace) on the first attempt. As you have seen, these are not the 'payload' but redirect or otherwise call the remote website - you found weightlosscheap.net today, it may be something different tomorrow. Rick Conner explains it all better than I could - see http://www.rickconner.net/spamweb/ - and http://www.rickconner.net/spamweb/web-dns-...tml#redirection in particular.

Nevertheless, the owners of the zombied machines in the botnet are surely unaware of the hijacking of their resources so, if SC resolves an address and offers to report to the provider, then doing that can certainly do no harm, it may lead to one of the machines being recovered from the botnet, if the provider bothers to pass it on, to find the actual machine and its owner. But there are millions more of them available.

So what about weightlosscheap.net?

C:\Documents and Settings\Steve>nslookup weightlosscheap.net

*

Non-authoritative answer:

Name: weightlosscheap.net

Address: 60.2.152.153

That is the 'real' target (for today, anyway) and who does it belong to?

C:\Documents and Settings\Steve>whosip 60.2.152.153

WHOIS Source: APNIC

IP Address: 60.2.152.153

Country: China

Network Name: CNCGROUP-HE

Owner Name: CNCGROUP Hebei Province Network

From IP: 60.0.0.0

To IP: 60.10.255.255

Allocated: Yes

Contact Name: CNCGroup Hostmaster

Address: No.156,Fu-Xing-Men-Nei Street,, Beijing,100031,P.R.China

Email: abuse[at]cnc-noc.net

Abuse Email: abuse[at]cnc-noc.net

Phone: +86-10-82993155

Fax: +86-10-82993102

Most people have very little luck dealing with the Chinese in attempting to get them to meet their obligations to the internet community. Others take a different view on the value of attacking these spam activities but in any event SpamCop does not offer the resources to do it effectively. SpamCop's mission is to list the IP addresses of persistent senders of spam mail. Others specialize in other aspects of spam fighting (KnujOn and Complainterator are two mentioned frequently in these pages - search here for more detail).

Thanks for the tracking link!

It is my belief, unencumbered by any actual knowledge of the subject, that SpamCop only goes so far as to DNS-resolve the host given in the spam URL (e.g., like ping or nslookup), it does not attempt HTTP fetches from these sites, so it will never see a 404 (or any other HTTP code). It will also neither see nor follow any common redirection tricks. That's why it is important that reporters check these links before reporting them, to make sure they are still running and still appropriate to report.

The simpler explanation here is as Farelf suggests (and I can vouch for the high quality of his references :lol: ), that we have a botnet that is shuttling the address for these sites all around the web:

rconner$ dig a sny.hatherx.cn

; <<>> DiG 9.4.2-P2 <<>> a sny.hatherx.cn
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39079
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sny.hatherx.cn.			IN	A

;; ANSWER SECTION:
sny.hatherx.cn.		179	IN	CNAME	hatherx.cn.
hatherx.cn.		179	IN	A	89.34.39.210
hatherx.cn.		179	IN	A	89.186.110.35
hatherx.cn.		179	IN	A	89.229.65.239
hatherx.cn.		179	IN	A	91.116.168.26
hatherx.cn.		179	IN	A	217.26.171.29
hatherx.cn.		179	IN	A	72.225.253.137
hatherx.cn.		179	IN	A	77.89.73.82
hatherx.cn.		179	IN	A	85.27.10.181

;; Query time: 1292 msec
;; SERVER: 10.0.1.1#53(10.0.1.1)
;; WHEN: Sat Jan 10 16:49:45 2009
;; MSG SIZE  rcvd: 174

Here are 8 distinct IP addresses from all over the public net (not just China), each with a suspiciously low time-to-live (TTL) of 3 minutes (179 seconds). Classic botnet stuff. Note also the use of CNAME records to point all these multiple URLs back to the "parent."

-- rick

Thanks for the further clarification Rick.

...Here are 8 distinct IP addresses from all over the public net (not just China), ...
Yes, I neglected to point that out in my post - and note in Rick's data, after just 9 hours, that is a totally different set of IPs compared to the ones I showed. And now, after another four and a half hours, one sees yet a further set (24.197.146.125, 72.225.253.137, 82.225.226.230, 83.103.151.108, 89.2.226.23, 91.146.177.54, 201.160.249.249 and 201.236.235.139). And so it goes, not only does the 'stack' revolve every 3 minutes or so, it changes completely in the (slightly) longer term. As said, SC is not equipped to track back to the source of these 'advertisements' (the target behind the target behind the target which in turn is just a 'bullet proof' host for some hand-puppet of the actual beneficiary or his agent - it doesn't even penetrate the first layer on those occasions it resolves anything at all). And apparently has no intention of doing so. It does what it does well - but it does not do this.

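Rick's dig output and Farelf's note that the whole set of IPs is replaced within hours together describe what a defender would look for when triaging such a domain: short TTLs, many A records spread across unrelated networks, a CNAME back to the parent, and heavy churn between successive lookups. The following is an added example, not code from this thread or from SpamCop, that scores dig-style answers on those indicators; the two sample answers are constructed from addresses quoted in this thread, and the first-octet "network diversity" measure and the thresholds are assumptions of this example, not anything SpamCop uses.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed samples built from addresses quoted earlier in the thread
# (dig answer-section format; not live data).
DIG_T0 = """\
sny.hatherx.cn. 179 IN CNAME hatherx.cn.
hatherx.cn. 179 IN A 89.34.39.210
hatherx.cn. 179 IN A 89.186.110.35
hatherx.cn. 179 IN A 89.229.65.239
hatherx.cn. 179 IN A 217.26.171.29
hatherx.cn. 179 IN A 72.225.253.137
"""
DIG_T1 = """\
sny.hatherx.cn. 179 IN CNAME hatherx.cn.
hatherx.cn. 179 IN A 24.197.146.125
hatherx.cn. 179 IN A 72.225.253.137
hatherx.cn. 179 IN A 82.225.226.230
hatherx.cn. 179 IN A 89.2.226.23
hatherx.cn. 179 IN A 201.160.249.249
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)\s*$")

def parse_answer(text: str) -> List[Tuple[str, int, str, str]]:
    """Parse dig-style answer lines into (owner, ttl, rtype, rdata) tuples."""
    recs = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            recs.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return recs

def flux_indicators(recs) -> Dict[str, object]:
    """Collect the per-lookup signals discussed in the thread."""
    addrs = {r[3] for r in recs if r[2] == "A"}
    ttls = [r[1] for r in recs if r[2] == "A"]
    return {
        "addresses": addrs,
        "min_ttl": min(ttls) if ttls else None,
        # Crude diversity proxy (assumption): count distinct first octets.
        "first_octets": {a.split(".")[0] for a in addrs},
        "cname_chained": any(r[2] == "CNAME" for r in recs),
    }

def churn(prev: Set[str], cur: Set[str]) -> float:
    """Fraction of the combined address pool that changed between lookups."""
    union = prev | cur
    return 1.0 - len(prev & cur) / len(union) if union else 0.0

def looks_fast_flux(recs, max_ttl=300, min_addrs=4, min_octets=3) -> bool:
    """Low TTL plus many addresses in unrelated networks (thresholds assumed)."""
    ind = flux_indicators(recs)
    return (ind["min_ttl"] is not None and ind["min_ttl"] <= max_ttl
            and len(ind["addresses"]) >= min_addrs
            and len(ind["first_octets"]) >= min_octets)
```

Running churn() over lookups taken a few minutes apart, as the later posts in this thread do by hand, is what separates a flux pool from an ordinary round-robin set that merely has several stable A records.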
and note in Rick's data, after just 9 hours, that is a totally different set of IPs compared to the ones I showed. And now, after another four and a half hours, one sees yet a further set (24.197.146.125, 72.225.253.137, 82.225.226.230, 83.103.151.108, 89.2.226.23, 91.146.177.54, 201.160.249.249 and 201.236.235.139).

And yet another example, shown a different way ... note the timestamps:

01/11/09 04:29:22 Slow traceroute sha.hatherx.cn

Trace sha.hatherx.cn (80.161.14.91) ...

01/11/09 04:30:09 dns sha.hatherx.cn

Canonical name: hatherx.cn

Aliases:

sha.hatherx.cn

Addresses:

77.41.92.227

80.161.14.91

82.137.21.20

85.12.249.136

91.122.144.149

91.146.177.54

92.54.96.231

211.173.141.155

01/11/09 04:32:06 Slow traceroute sha.hatherx.cn

Trace sha.hatherx.cn (81.198.194.219) ...

01/11/09 04:35:35 dns sha.hatherx.cn

Canonical name: hatherx.cn

Aliases:

sha.hatherx.cn

Addresses:

82.245.22.187

85.66.146.103

88.167.109.200

125.31.177.92

60.243.6.61

77.89.73.82

78.42.174.193

81.198.194.219

01/11/09 04:36:43 Slow traceroute sha.hatherx.cn

Trace sha.hatherx.cn (82.245.22.187) ...

May as well record the observation 'here' - first time I have noticed the same list of addresses for two different 'domains'. They all would lead to the one website anyway but even so I would not have imagined the same list in simultaneous use for two addresses - even spammers have budgets I guess and the 'senders' presumably have to hire their resources. 'Simultaneous' isn't quite the right description (several minutes maybe between consecutive lookups) but as close as can be determined in normal practice.

H:\>nslookup gjl.ocauditors.cn

...

Non-authoritative answer:

Name: ocauditors.cn

Addresses: 79.121.63.130, 79.140.167.74, 81.29.18.82, 85.65.22.143

95.104.44.116, 194.187.101.5, 67.60.175.195, 77.27.41.108

Aliases: gjl.ocauditors.cn

H:\>nslookup rln.ocatx.cn

...

Non-authoritative answer:

Name: ocatx.cn

Addresses: 67.60.175.195, 77.27.41.108, 79.121.63.130, 79.140.167.74

81.29.18.82, 85.65.22.143, 95.104.44.116, 194.187.101.5

Aliases: rln.ocatx.cn

And here's another thing, sometimes those addresses are used to send spam (as well as to redirect visitors to a spam site). OK, I've only noticed it once:

Non-authoritative answer:

Name: aaowes.cn

Addresses: 201.252.237.133, 78.156.158.227, 84.109.120.43, 99.20.38.244

190.46.185.220, 190.189.103.98, 193.224.128.248

Aliases: gdyi.aaowes.cn

http://www.spamcop.net/w3m?action=checkblo...=190.189.103.98

190.189.103.98 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

... the only one listed, even so it can't efficiently 'direct traffic' AND send spam - two different worms? But they supposedly kill any other infections encountered in competition - maybe not, multiple infections are seen all the time, IIUC.

But then, very soon after

Non-authoritative answer:

Name: aaowes.cn

Addresses: 189.202.118.246, 80.81.40.39, 86.101.118.38, 91.146.177.54

124.191.19.216, 164.125.226.158

Aliases: gdyi.aaowes.cn

Completely different set of addresses, none SCbl listed right now - co-incidental, I wonder? Or maybe DNS real-time BL detection is monitored? I shouldn't think so, the sets of numbers usually change quickly anyway (as we have previously seen), but would need to check on some other BLs to get more data - it is just an unusual observation in isolation.

... the only one listed, even so it can't efficiently 'direct traffic' AND send spam - two different worms? But they supposedly kill any other infections encountered in competition - maybe not, multiple infections are seen all the time, IIUC.
Don't see why the bot couldn't do two jobs for the same master (in theory, anyway). To do the web redirection, it would need a listener on port 80 that would just proxy for the real website. To send the mail, it needs a program to transmit on port 25. These are two different and independent processes, so I suspect that they can both happen simultaneously. Don't know as I've seen it before either, but then I haven't looked.

It makes sense that one botherder would try to kick the other one off. Something to contemplate -- granny's computer as the apocalyptic battleground for two criminal gangs.

-- rick

...Don't see why the bot couldn't do two jobs for the same master (in theory, anyway). ...
Granted - but maybe in the real world it would be more likely to cause noticeable/unsupportable performance degradation and also increase the chances of external detection and enforced disinfection. Still, in the present economic climate maybe even spammers "must needs go that the Devil drives". Maybe (does seem rare though).
... It makes sense that one botherder would try to kick the other one off. Something to contemplate -- granny's computer as the apocalyptic battleground for two criminal gangs.
Competing botherders, Windows Updates, AV updates, Sun Microsys updates, Adobe/Flash updates ... how the heck granny's beleaguered computer finds time to let granny watch the Chippendales on YouTube is anyone's guess - and now they want to pipe TV through the networks? I know, more bandwidth! We need more bandwidth! HooAH!
