Jump to content
Sign in to follow this  
dmspac

how to report zombie networks (McColo 2.0?)

Recommended Posts

Hello:

I don't know lots about networks, and here is my problem:

Since February I am receiving tons of spam. The messages have a link like:

http://zzzzz.standida.com/c.php?aid=xxx&lid=yyyy

where x,y,z are message specific numbers (zzzzz seems to identify the target email). The link redirects to another link like

http://xtremehealthfit.com/jajbua71u/WWWW/?e=mail[at]something.com&s=XXXXXX

And finally, it takes to an offending site (porn, scam, dating....)

Spamers are using lots of different domains, but they all point to an IP in AS36263. The most used IP is 67.159.200.132. But other addresses are used, and seems hackers control several entire subnetworks in this AS; since all IPs are in netblocks asigned to "Forona":

Subnet 98.142.176.0/20 98.142.176.0 98.142.191.254 Proxy route for FORONA by MZIMA
Subnet 173.195.96.0/20 173.195.96.0 173.195.111.254 Forona Technologies
Subnet 64.234.112.0/20 64.234.112.0 64.234.127.254 Proxy route for forona technologies by mzima
Subnet 216.10.64.0/20 216.10.64.0 216.10.79.254 Forona Technologies

Subnet 67.159.192.0/20 67.159.192.0 67.159.207.254 Forona technologies

[Full info here: http://ipinfo.io/AS36263]

Now, if you check routing tables for this AS you will find sometihing like:

show ip bgp 67.159.200.132

3277 39710 9002 3356 3361 36263

286 3356 3361 36263

7018 2828 3361 36263

Which means that all routes have to pass through AS3361 before reaching the "backbone"

Now, if you make a trace you will find that the last hops look like this:

(Info from http://ipduh.com/ip/traceroute/)

4.53.145.146 4.53.145.146 AS3356 (Level3 com)
[*] [*] [*]
[*] [*] [*]

unused-216-168-56-242.forest.net. 216.168.56.242 AS11739

67.159.200.132 67.159.200.132 AS36263

I expected to find AS3361 between AS3356 and AS36263, but I found AS11739 (registered to Digital Forest, dfcolo.com), which according to ipinfo.io does not have IP addresses. However, AS3361 does have IP addresses, and AS3361 is registered to Spectrum Networks / Digital Fortress (dfcolo.com, which also is listed in AS36263)

So we have here a zombie network, used for SPAMING. And looks exactly like the case of "McColo" (Sounds like DFColo!! )

which involved grave cybercrime (See https://en.wikipedia.org/wiki/Brian_Krebs )

As I stated, I am not a network expert. I would like to ask your help for ending with this posible cybercrime. I sent information to ICANN / ARIN but seems I was ignored. Maybe I could contact Brian Krebs, but I would like to have other options. Do you think it would work contacting level3.com?

Thanks.

Share this post


Link to post
Share on other sites

Thanks for the questions dmspac - hopefully someone can address them for you.

While you are feeling analytical, you may find https://www.robtex.com/ a useful resource. For instance enter 67.159.200.132, select first result "IP info about 67.159.200.132" and look at the information - progressively displayed, it takes time for it all to come up. It looks like Forona Technologies is fairly well known in computer security circles. SC mostly looks at the e-mail side of things and another resource you can use to explore that aspect is http://www.senderbase.org/ where the sending behaviour (and blacklisting in a number of RBLs) can also be gathered for other IP addresses in the same subnet/CIDR or optionally by domain/network owner.

Incidentally, your Wikipedia link in the above is fine but the other external links (not counting the munged ones which I have 'de-linked' anyway) are "404" page not found.

Share this post


Link to post
Share on other sites

Incidentally, your Wikipedia link in the above is fine but the other external links (not counting the munged ones which I have 'de-linked' anyway) are "404" page not found.

Thanks for your answer Farelf. Actually I just describe the generic form of the links.

Some extra info. This is a list of used and potentially usable domains:

http://viewdns.info/reverseip/?host=67.159.200.132&t=1

NOT all working.

A typical email would say this: [WARNING: INAPPROPRIATE IMAGES]

"The best looking married women in your city are posting nude pics of themselves on this new affairs dating community.

They also want to have a one night stand with someone that they meet here! "

<a href="5208152.standida.com/c.php?aid=265&lid=19799">See pictures here</a>

same as:

<a href="5208152.parantly.com/c.php?aid=265&lid=19799">See pictures here</a>

If you change 5208152 for another number, this will track another email.

if you change aid=265 for aid=263, you get a scam site.

The bgp tables should not include addresses from this block.

Share this post


Link to post
Share on other sites

Way out of my league but those people seem to know their stuff - few alerts with (say) virustotal.com analysis (62 different scan engines, currently) on the (reconstituted) standida.com links and nothing at all with the consequent quttera.com scans on same for malware/suspicious behaviour/blacklists. SC's main game is the e-mail sources of the spam with not much focussed on the spam-advertized payloads. Normally we would be discussing a reporter's Tracking URLs for your examples (or current versions of them) and how the parsing and reporting service is performing in relation to those sources and spam payload sites. IMO SC is not really up to making much impression on operations such as these (might fray them a little around the edges) but, having members "here" with a broad range of knowledge and experience, hopefully some of them might have some thoughts.

You're not a SC reporter are you? Or prepared to open an account (it's free)? We could do with a Tracking URL or two. Looks to me like SC would simply offer to report the standida.com and parantly.com "spamvertizing" to forona.com but the SURBL takes some of its feed from SC reported domains and THAT might cause some consternation to these miscreants. Not as sexy as taking down an entire zombie network but everything starts somewhere.

Share this post


Link to post
Share on other sites

You're not a SC reporter are you? Or prepared to open an account (it's free)?

-Not yet: I would be reporting spam contents, not headers. Would it work in an account?

We could do with a Tracking URL or two. Looks to me like SC would simply offer to report the standida.com and parantly.com "spamvertizing" to forona.com

-Reporting to forona.com is useless: The company seems to be fake (their web was unexistent until a few days ago). And if it's real, it is probably a "bullet-proof" provider. Their business is hosting spammers.

SURBL takes some of its feed from SC reported domains and THAT might cause some consternation to these miscreants.

-The question is how to add the offending domains to SC database.

Share this post


Link to post
Share on other sites

<snip

I would be reporting spam contents, not headers. Would it work in an account?

&nbsp &nbsp&nbsp&nbsp&nbsp No. Please see the SpamCop FAQ entry "How do I get started reporting spam?" starting at the section labeled "Reporting spam."

<snip>

The question is how to add the offending domains to SC database.

&nbsp &nbsp&nbsp&nbsp&nbsp If I understand you correctly to mean the domains that are in links in the body of the spam: SC won't do that; its blacklist deals exclusively with IP addresses that have been reported as sources of e-mail spam. To report Spamvertized links, you might want to check out Knujon and/ or Complainterator, links about which may be found by searching the SpamCop Forum.

Share this post


Link to post
Share on other sites

What I do not understand is the roll of IANA/ICANN/ARIN:

There is a zombie net in a unassigned netblock.

Are not they supposed to take an action?

"Tell to their [non-existent] ISP"

They act as bureaucratically as the government !!

Share this post


Link to post
Share on other sites

What I do not understand is the roll of IANA/ICANN/ARIN:

There is a zombie net in a unassigned netblock.

Are not they supposed to take an action?

Not to sound snarky, but Welcome to the reality of the management of the internet. Yes of course ICANN should take action! However, they do not seem inclined to do so. If you would like to read some background on this long standing issue and actions to try to get ICANN to do the act check the KnujOn.com website.

I agree it is frustrating.

They act as bureaucratically as the government !!

That is an understatement! Just my personal observation but as in other bureaucrases, 'Follow the money.' Internet users like you and I do not seem to have as much clout as the orginizations that pay ICANN for the right to register domain names and control the allocaiton of IP address blocks.

JMHO of course.

Share this post


Link to post
Share on other sites

SC won't do that; its blacklist deals exclusively with IP addresses that have been reported as sources of e-mail spam.

OK, I found that spam (at least today) came from relatvely few sources. Mostly provided by AS7046 and AS12182

All IPs blacklisted by spamhaus (NOT SC)

http://www.bulkblacklist.com/

AS7046 / Verizon

116.139.195.18

116.142.169.202

116.142.181.118

116.142.53.18

116.148.107.14

116.187.182.180

AS12182 / Internap Network

160.14.65.38

160.14.159.218

160.14.181.238

160.14.20.145

160.14.200.24

Anyway, if spamhaus got them, could we expect some action from Verizon/Internap?

Edited by dmspac

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×