Strange spam

[shmengie]

I mentioned to my roomate a week or so ago, that that spam he recieved contained a link to an image. I guessed it was some sort of counter. Since neither of our e-mailers display links to offsite images, I tought little of it at the time.

Today, I recieved yet another nonsence spam, and tracked down the link.

<IMG

src=3d"http://gjmatvienkoxdfg=2ecom/bdfadbb619845f8e312afd7d7/inexplicabl=

e=2ejpg" border=3d0>

which decodes to:

http://gjmatvienkoxdfg.com/bdfadbb619845f8...nexplicable.jpg

Name: gjmatvienkoxdfg.com

Address: 61.128.196.155

[informations about 61.128.196.155 ]

IP range : 61.128.128.0 - 61.128.255.255

Infos : CHINANET Chongqing Province Network

Infos : Data Communication Division

Infos : China Telecom

Country : China (CN)

Abuse E-mail : abuse[at]cta.cq.cn

Source : APNIC

After careful thought, I realized this link isn't to count me, because my e-mailer won't display the image. But I bet anything that whom-ever is identified by the /bdfadbb619845f8e312afd7d7/ section of that link who's emailer does display or tries to display that image, will recive the malware/spam proxy software that can infect their computer.

I believe chinanet is a spammers safe-haven, so this makes a lot of sense to me.

What I haven't figured out: how do I combat this issue?

[swingspacers]

The image linked in your spam is just a single pixel. This is called a web bug. In this case, it does not install any malware on your computer (although some images can, due to security holes in Windows). It is used to track which messages have been successfully delivered and viewed by the recipient. Such web bugs are used not just by spammers, but also by many legitimate mailers. The most recent versions of widely used email programs (Outlook, Outlook Express, Thunderbird) do not load these images unless you tell them to do so by clicking a button. If you do not click the "View Images" button on spam, you should be safe. If you are really paranoid, you can also disable HTML view of incoming messages.

If you report such spam through SpamCop and the ISP shares the complaint with the spammer, the spammer will be able to use the unique code in the web bug to identify the recipient who reported him, even if you let SpamCop conceal your email address.

[shmengie]

swingspacers

I don't think you understand the point I'm driving at.

The point I was trying to get across is this: I don't have a problem with that spam... But guessing at it's purpose, I finally realized why it exists (it's been bugging me for a while)...

I think it's a feeler spam, searching for e-mail clients that are suseptiable to trojan/viri spam proxy agents. The image content is irrelevant... The fact that the img src=http://gjmatvienkoxdfg.com/bdfadbb619845f8e312afd7d7/inexplicable.jpg generates a weblog that probably identifies my address to the spammer.

Now the spammer suspectes that I'm fool enough to use an email client that fetches images off the web, which is possiblly suseptable to infection.

I don't know, off the top of my head, if the weblog also includes the web client that retrieved the picture, but probably does. In that event, they've got all the information they need to know who to send the virus/trojan to.

I think it would be prudent to use this information against the responsible party and prosecute to the full extent of every law possible. I'm inclined to dig up an old outlook client and forward that e-mail to myself, then wait and see what viri comes my way.... with a good packet sniffer, I could determine when it calls home to say it's ready to proxy spam. Then sniff out the source of spam and forward to the proper officials.

After a breif googling on this topic, to no avail, I brought it here for discussion.

re: tracking

For a sophisticated spammer, it's very easy to track successful spam... all they need to do is include a unique identifier in an url, and when that url is hit, a quick database lookup for the weblog, shows which e-mail (addressee) is the duck.

If a spammer (which I seriously doubt) cares about who reported spam, they can do the same thing inside or outside of an web url, embed a unique identifier anywhere in the spam, and they would achieve the same result. I suspect spammers are too busy finding their next ISP, rather than worry about me reporting their spam.

re: spamcop

I grew tired of using spamcop to report spam. It takes too long to process the bulk of mail I recieve. 50~ a day. Instead I wrote a little scri_pt to facilitate my reporting process. Now days I always send spam reports to the ISP of the originating spam and where possible report websites referenced in the spam.

A spammer is now directly sending viri my way, but I can live with that.

[swingspacers]

I think it's a feeler spam, searching for e-mail clients that are suseptiable to trojan/viri spam proxy agents. The image content is irrelevant...  The fact that the img src=http://gjmatvienkoxdfg.com/bdfadbb619845f8e312afd7d7/inexplicable.jpg generates a weblog that probably identifies my address to the spammer.

24527[/snapback]

You understand the point of the web bug correctly, although it may not necessarily be virus/trojan related. It generates an entry in the logs of the web server that is hosting that picture. It's not called a weblog, though. A weblog (or blog for short) is an Internet-based diary.

I don't know, off the top of my head, if the weblog also includes the web client that retrieved the picture, but probably does.  In that event, they've got all the information they need to know who to send the virus/trojan to.

24527[/snapback]

It does. They will know your IP address and the browser (and which version of that browser) you used. An entry would look something like this:

Your IP -- date stamp -- GET (url requested) "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0"

Your IP -- date stamp -- GET (url requested) "Mozilla/4.0 (compatible; MSIE 5.23; Mac_PowerPC)"

Your IP -- date stamp -- GET (url requested) "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

I think it would be prudent to use this information against the responsible party and prosecute to the full extent of every law possible.

Check out spamlaws.com. However, since that stuff comes from China, you will probably not get very far. The legal system in China sucks. They don't seem to prosecute spammers.

For a sophisticated spammer, it's very easy to track successful spam...  all they need to do is include a unique identifier in an url, and when that url is hit, a quick database lookup for the weblog, shows which e-mail (addressee) is the duck.

Correct.

If a spammer (which I seriously doubt) cares about who reported spam, they can do the same thing inside or outside of an web url, embed a unique identifier anywhere in the spam, and they would achieve the same result.  I suspect spammers are too busy finding their next  ISP, rather than worry about me reporting their spam.

Actually, some spammers care because they like to wash their lists of those who report them.

[shmengie]

You understand the point of the web bug correctly, although it may not necessarily be virus/trojan related. It generates an entry in the logs of the web server that is hosting that picture. It's not called a weblog, though. A weblog (or blog for short) is an Internet-based diary.

I can't concieve of any reason to send out nonsense spams that have the web bug, other than to identify targets for the virus/trojans.

I've been collecting the viri sent to me, but have yet to take the time to see what their purpose in life is. Althought I suspect their primary reason for being is to proxy spam, I have yet to verify this suspicion.

With that in mind, has anyone actively sought the virus and recorded where it reports to?

My interests is identifying the originating IP.

If I had the time, I'd also like to learn how to identify computers with the spam proxy agents, and figure out how to have them send reports on themself to their ISP's. <- that would be awesome.

[swingspacers]

I can't concieve of any reason to send out nonsense spams that have the web bug, other than to identify targets for the virus/trojans.

24529[/snapback]

That might be one reason. I can think of at least two others:

1. List refining. This mailing helps the spammer find out which email addresses on his list are valid, in active use, and used with mail clients that download linked images automatically. Such a list of "confirmed" email addresses is much more valuable when sold to other spammers than the raw list.

2. Broken spam. Sometimes the spammers, for technical reasons or just plain stupidity, forget to insert the payload into their spam. That happens surprisingly often.

I will leave the rest of your questions for other people to answer.

[swingspacers]

Since nobody else is jumping in, I guess I will have to answer some of your other questions myself.

I'm inclined to dig up an old outlook client and forward that e-mail to myself, then wait and see what viri comes my way....  with a good packet sniffer, I could determine when it calls home to say it's ready to proxy spam.  Then sniff out the source of spam and forward to the proper officials.

24527[/snapback]

Unless you are a top-notch computer security researcher, I recommend that you do not intentionally infect your computer with a virus. If you do not know precisely what you are doing, you can easily do more harm than good.

With that in mind, has anyone actively sought the virus and recorded where it reports to? 

My interests is identifying the originating IP. 

24529[/snapback]

These things either call home to Russia or China, where you cannot really prosecute anybody, or more typically, connect to IRC botnets consisting of other infected machines. These botnets frequently use special codes to make sure that only infected machines can connect--you cannot connect with your own IRC client to sniff out the IP controlling the botnet. If you want to know more about IRC botnets and how to shut them down, I suggest you read the daily diaries of the Internet Storm Center at isc.sans.org.

[shmengie]

Unless you are a top-notch computer security researcher, I recommend that you do not intentionally infect your computer with a virus. If you do not know precisely what you are doing, you can easily do more harm than good.

I wouldn't infect my working computers... That would be more trouble than it's worth. But I may have access to a couple of old 98 machines that have nothing better to do :/ (I'm not top notch, but know enough)

Thanks for the replies and the heads up on isc.scans.org

I need to break from this line of thinking... I'm not getting paid to do this work, I need to concentrate on work that will get me paid.

I'm not the only one aware of the web bugs... My main reason for posting. It was bugging me, that I didn't turn up any info searching the web, but I wasn't using the proper keywords... I got a little over excited too when I realized what the silly e-mails are potentially good for.

It seems like ISP's should to actively scan their network traffic and contact infected clients. If they would do that, 90% of the spam could be halted.

[get-even]

Name:  gjmatvienkoxdfg.com

24524[/snapback]

Notice that this domain shares the same name servers as the domains used by the Vancouver/Texas "porn" pair who control the domains:

hansenmansion.info

kazuyukitaki.com

johnmasonmen.info

cheruskialot.net

heidelberga.com

scottiq.info

sadgencrenaz.net

aretedf.com

among others. This might be an "affiliate" operation since all of those seem to redirect to either or both of Squirt.tv and goodporno.net.

The domain you listed, gjmatvienkoxdfg.com and the ones in my list all share the same name servers; Each uses the four name servers NS1.ANWOO.COM, NS1.BOMOFO.COM, NS1.EPOBOY.COM, and NS1.MYNAMESERVER.CA.

In your case, the registrant uses a different address in Virginia, not in either Vancouver or Texas as all previuosly tied domains have. Also, your "one pixel" trick, while well known is quite different than all the others with are straight forward "porn" spams. Still, the relationship is there!

[turetzsr]

I can't concieve of any reason to send out nonsense spams that have the web bug, other than to identify targets for the virus/trojans.

That might be one reason. I can think of at least two others:

1. List refining. This mailing helps the spammer find out which email addresses on his list are valid, in active use, and used with mail clients that download linked images automatically. Such a list of "confirmed" email addresses is much more valuable when sold to other spammers than the raw list.

2. Broken spam. Sometimes the spammers, for technical reasons or just plain stupidity, forget to insert the payload into their spam. That happens surprisingly often.

I will leave the rest of your questions for other people to answer.

24530[/snapback]

3. Spammer is being paid on the basis of the number of spams read by recipients.

[Jeff G.]

4. Spammer can now advertise that he has reached n recipients, and can now hike his rates accordingly.