marhleet Posted January 10, 2009

http://www.spamcop.net/sc?id=z2514250194ze...39e6adf0435228z

The Chinese are using some tricky '404' error message type links where the web page quoted doesn't exist; it will chain back to the parent domain, which works, and up comes the spam site. So there is no link resolution, and therefore no reporting to anyone.

The first link, http://sha.hatherx.cn/ , doesn't resolve:

    Parsing input: http://sha.hatherx.cn/
    Cannot resolve http://sha.hatherx.cn/
    No valid email addresses found, sorry!

But if that's pasted in to a URL processor, http://weightlosscheap.net/ pops up after a sec. So something is getting through.
turetzsr Posted January 10, 2009

Hi, marhleet,

...IIUC, your questions are addressed in the "SpamCop FAQ" (see links so labeled near top of page) entry labeled "SpamCop reporting of spamvertized sites - some philosophy." Please read that FAQ entry and return here with any questions you may still have. Thanks!
marhleet (Author) Posted January 10, 2009

> Hi, marhleet,
> ...IIUC, your questions are addressed in the "SpamCop FAQ" (see links so labeled near top of page) entry labeled "SpamCop reporting of spamvertized sites - some philosophy." Please read that FAQ entry and return here with any questions you may still have. Thanks!

Still took me 5 mins to find that obvious thing you were pointing at. Very tired. But yeah, this is for reporting the origin of the spam, not all the links in the spam body. Hard to wade through the (suddenly) 40+ emails a day for the special Chinese ones.
Farelf Posted January 10, 2009

> ...the chinese are using some tricky '404' error message type links where the web page quoted doesn't exist, it will chain back to the parent domain, which works, and up comes the spam site. so there is no link resolution, and therefore no reporting to anyone.

They have been commented on before - you are seeing a botnet with revolving 'servers':

    C:\Documents and Settings\Steve>nslookup sha.hatherx.cn
    *
    Non-authoritative answer:
    Name:       hatherx.cn
    Addresses:  122.53.161.1, 211.173.141.155, 61.11.15.16, 80.99.200.8
                81.184.65.101, 81.198.54.13, 89.149.88.86, 91.122.156.170
    Aliases:    sha.hatherx.cn

SC will usually resolve the address at the top of the stack eventually (one compromised machine out of many). Some of the individual addresses may be offline or difficult (slow to trace) on the first attempt. As you have seen, these are not the 'payload' but redirect or otherwise call the remote website - you found weightlosscheap.net today, it may be something different tomorrow. Rick Conner explains it all better than I could - see http://www.rickconner.net/spamweb/ - and http://www.rickconner.net/spamweb/web-dns-...tml#redirection in particular.

Nevertheless, the owners of the zombied machines in the botnet are surely unaware of the hijacking of their resources, so if SC resolves an address and offers to report to the provider, then doing that can certainly do no harm; it may lead to one of the machines being recovered from the botnet, if the provider bothers to pass it on, to find the actual machine and its owner. But there are millions more of them available.

So what about weightlosscheap.net?

    C:\Documents and Settings\Steve>nslookup weightlosscheap.net
    *
    Non-authoritative answer:
    Name:       weightlosscheap.net
    Address:    60.2.152.153

That is the 'real' target (for today, anyway) and who does it belong to?

    C:\Documents and Settings\Steve>whosip 60.2.152.153
    WHOIS Source:   APNIC
    IP Address:     60.2.152.153
    Country:        China
    Network Name:   CNCGROUP-HE
    Owner Name:     CNCGROUP Hebei Province Network
    From IP:        60.0.0.0
    To IP:          60.10.255.255
    Allocated:      Yes
    Contact Name:   CNCGroup Hostmaster
    Address:        No.156,Fu-Xing-Men-Nei Street,, Beijing,100031,P.R.China
    Email:          abuse[at]cnc-noc.net
    Abuse Email:    abuse[at]cnc-noc.net
    Phone:          +86-10-82993155
    Fax:            +86-10-82993102

Most people have very little luck dealing with the Chinese in attempting to get them to meet their obligations to the internet community. Others take a different view on the value of attacking these spam activities, but in any event SpamCop does not offer the resources to do it effectively. SpamCop's mission is to list the IP addresses of persistent senders of spam mail. Others specialize in other aspects of spam fighting (KnujOn and Complainterator are two mentioned frequently in these pages - search here for more detail).
rconner Posted January 10, 2009

Thanks for the tracking link!

It is my belief, unencumbered by any actual knowledge of the subject, that SpamCop only goes so far as to DNS-resolve the host given in the spam URL (e.g., like ping or nslookup); it does not attempt HTTP fetches from these sites, so it will never see a 404 (or any other HTTP code). It will also neither see nor follow any common redirection tricks. That's why it is important that reporters check these links before reporting them, to make sure they are still running and still appropriate to report.

The simpler explanation here is as Farelf suggests (and I can vouch for the high quality of his references), that we have a botnet that is shuttling the address for these sites all around the web:

    rconner$ dig a sny.hatherx.cn

    ; <<>> DiG 9.4.2-P2 <<>> a sny.hatherx.cn
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39079
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;sny.hatherx.cn.                IN      A

    ;; ANSWER SECTION:
    sny.hatherx.cn.         179     IN      CNAME   hatherx.cn.
    hatherx.cn.             179     IN      A       89.34.39.210
    hatherx.cn.             179     IN      A       89.186.110.35
    hatherx.cn.             179     IN      A       89.229.65.239
    hatherx.cn.             179     IN      A       91.116.168.26
    hatherx.cn.             179     IN      A       217.26.171.29
    hatherx.cn.             179     IN      A       72.225.253.137
    hatherx.cn.             179     IN      A       77.89.73.82
    hatherx.cn.             179     IN      A       85.27.10.181

    ;; Query time: 1292 msec
    ;; SERVER: 10.0.1.1#53(10.0.1.1)
    ;; WHEN: Sat Jan 10 16:49:45 2009
    ;; MSG SIZE  rcvd: 174

Here are 8 distinct IP addresses from all over the public net (not just China), each with a suspiciously low time-to-live (TTL) of 3 minutes (179 seconds). Classic botnet stuff. Note also the use of CNAME records to point all these multiple URLs back to the "parent."

-- rick
Farelf Posted January 11, 2009

Thanks for the further clarification Rick.

> ...Here are 8 distinct IP addresses from all over the public net (not just China), ...

Yes, I neglected to point that out in my post - and note in Rick's data, after just 9 hours, that is a totally different set of IPs compared to the ones I showed. And now, after another four and a half hours, one sees yet a further set (24.197.146.125, 72.225.253.137, 82.225.226.230, 83.103.151.108, 89.2.226.23, 91.146.177.54, 201.160.249.249 and 201.236.235.139). And so it goes: not only does the 'stack' revolve every 3 minutes or so, it changes completely in the (slightly) longer term.

As said, SC is not equipped to track back to the source of these 'advertisements' (the target behind the target behind the target, which in turn is just a 'bullet proof' host for some hand-puppet of the actual beneficiary or his agent - it doesn't even penetrate the first layer on those occasions it resolves anything at all). And apparently has no intention of doing so. It does what it does well - but it does not do this.
Wazoo Posted January 11, 2009

> and note in Rick's data, after just 9 hours, that is a totally different set of IPs compared to the ones I showed. And now, after another four and a half hours, one sees yet a further set (24.197.146.125, 72.225.253.137, 82.225.226.230, 83.103.151.108, 89.2.226.23, 91.146.177.54, 201.160.249.249 and 201.236.235.139).

And yet another example, shown a different way ... note the timestamps:

    01/11/09 04:29:22 Slow traceroute sha.hatherx.cn
    Trace sha.hatherx.cn (80.161.14.91) ...

    01/11/09 04:30:09 dns sha.hatherx.cn
    Canonical name: hatherx.cn
    Aliases: sha.hatherx.cn
    Addresses: 77.41.92.227 80.161.14.91 82.137.21.20 85.12.249.136
               91.122.144.149 91.146.177.54 92.54.96.231 211.173.141.155

    01/11/09 04:32:06 Slow traceroute sha.hatherx.cn
    Trace sha.hatherx.cn (81.198.194.219) ...

    01/11/09 04:35:35 dns sha.hatherx.cn
    Canonical name: hatherx.cn
    Aliases: sha.hatherx.cn
    Addresses: 82.245.22.187 85.66.146.103 88.167.109.200 125.31.177.92
               60.243.6.61 77.89.73.82 78.42.174.193 81.198.194.219

    01/11/09 04:36:43 Slow traceroute sha.hatherx.cn
    Trace sha.hatherx.cn (82.245.22.187) ...
Farelf Posted January 14, 2009

May as well record the observation 'here' - first time I have noticed the same list of addresses for two different 'domains'. They all would lead to the one website anyway, but even so I would not have imagined the same list in simultaneous use for two addresses - even spammers have budgets I guess and the 'senders' presumably have to hire their resources. 'Simultaneous' isn't quite the right description (several minutes maybe between consecutive lookups) but as close as can be determined in normal practice.

    H:\>nslookup gjl.ocauditors.cn
    ...
    Non-authoritative answer:
    Name:       ocauditors.cn
    Addresses:  79.121.63.130, 79.140.167.74, 81.29.18.82, 85.65.22.143
                95.104.44.116, 194.187.101.5, 67.60.175.195, 77.27.41.108
    Aliases:    gjl.ocauditors.cn

    H:\>nslookup rln.ocatx.cn
    ...
    Non-authoritative answer:
    Name:       ocatx.cn
    Addresses:  67.60.175.195, 77.27.41.108, 79.121.63.130, 79.140.167.74
                81.29.18.82, 85.65.22.143, 95.104.44.116, 194.187.101.5
    Aliases:    rln.ocatx.cn
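The posts above describe four signs of a fast-flux front end that a reporter can check for themselves before deciding whether a link is worth reporting: a subdomain CNAMEd back to its parent zone, an answer holding many A records, a TTL of a few minutes, and addresses scattered across unrelated networks (Rick's dig output), plus near-total turnover of the address set between lookups hours apart (Farelf's and Wazoo's follow-ups) and, in the post just above, two unrelated domains answering with an identical list. The script below is an added example, not code from the thread or from SpamCop, that computes those indicators from dig-style answer text. The record sets are transcribed by hand from the output posted in this thread; the `www.example.test` control, the `ip_network`/16 grouping and every threshold are assumptions chosen for illustration, not measured values.

```python
"""Fast-flux indicators over DNS answer data (added example, not from the thread).

Record sets are constructed from the dig/nslookup output posted above; the
benign control and all thresholds are assumptions for illustration only.
"""
import ipaddress
from collections import namedtuple

RR = namedtuple("RR", "name ttl rtype rdata")


def parse_answer_section(text):
    """Parse dig-style lines 'owner TTL IN TYPE RDATA'; skip comments and noise."""
    rrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";") or parts[2] != "IN":
            continue
        rdata = " ".join(parts[4:]).rstrip(".")
        rrs.append(RR(parts[0].rstrip("."), int(parts[1]), parts[3], rdata))
    return rrs


def resolve_chain(rrs, qname):
    """Follow CNAMEs from qname; return (canonical name, A addresses, min TTL)."""
    name = qname.rstrip(".")
    seen = set()
    while name not in seen:  # guard against CNAME loops
        seen.add(name)
        cname = next((r.rdata for r in rrs if r.name == name and r.rtype == "CNAME"), None)
        if cname is None:
            break
        name = cname
    a_records = [r for r in rrs if r.name == name and r.rtype == "A"]
    addrs = frozenset(r.rdata for r in a_records)
    return name, addrs, min((r.ttl for r in a_records), default=None)


def distinct_prefixes(addrs, prefix_len=16):
    """Count distinct /prefix_len networks; a flux set spans many unrelated ones."""
    return len({ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addrs})


def jaccard(a, b):
    """Set similarity: 1.0 identical address lists, 0.0 disjoint."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def churn(earlier, later):
    """Fraction of the address set replaced between two lookups (1.0 = total turnover)."""
    return 1.0 - jaccard(earlier, later)


def fast_flux_indicators(rrs, qname, max_ttl=300, min_addrs=5, min_prefixes=5):
    """Score one lookup on the four signs discussed in the thread.

    Thresholds are assumptions; a legitimate round-robin or CDN record can trip
    one of them, so treat the score as a triage hint, not a verdict.
    """
    canonical, addrs, ttl = resolve_chain(rrs, qname)
    q = qname.rstrip(".")
    indicators = {
        "low_ttl": ttl is not None and ttl <= max_ttl,
        "many_addresses": len(addrs) >= min_addrs,
        "scattered_prefixes": distinct_prefixes(addrs) >= min_prefixes,
        # subdomain CNAMEd back to its own parent zone, as sny.hatherx.cn -> hatherx.cn
        "cname_to_parent": canonical != q and q.endswith("." + canonical),
    }
    return {"canonical": canonical, "ttl": ttl, "addresses": addrs,
            "indicators": indicators, "score": sum(indicators.values())}


# Constructed from rconner's dig output (10 Jan 2009)
SNY_DIG = """
;; ANSWER SECTION:
sny.hatherx.cn.         179     IN      CNAME   hatherx.cn.
hatherx.cn.             179     IN      A       89.34.39.210
hatherx.cn.             179     IN      A       89.186.110.35
hatherx.cn.             179     IN      A       89.229.65.239
hatherx.cn.             179     IN      A       91.116.168.26
hatherx.cn.             179     IN      A       217.26.171.29
hatherx.cn.             179     IN      A       72.225.253.137
hatherx.cn.             179     IN      A       77.89.73.82
hatherx.cn.             179     IN      A       85.27.10.181
"""
# Farelf's first set, rconner's set ~9 h later, Farelf's third set ~4.5 h after that
HATHERX_T0 = frozenset("122.53.161.1 211.173.141.155 61.11.15.16 80.99.200.8 "
                       "81.184.65.101 81.198.54.13 89.149.88.86 91.122.156.170".split())
HATHERX_T1 = resolve_chain(parse_answer_section(SNY_DIG), "sny.hatherx.cn")[1]
HATHERX_T2 = frozenset("24.197.146.125 72.225.253.137 82.225.226.230 83.103.151.108 "
                       "89.2.226.23 91.146.177.54 201.160.249.249 201.236.235.139".split())
# Two domains sharing one list (14 Jan post)
OCAUDITORS = frozenset("79.121.63.130 79.140.167.74 81.29.18.82 85.65.22.143 "
                       "95.104.44.116 194.187.101.5 67.60.175.195 77.27.41.108".split())
OCATX = frozenset("67.60.175.195 77.27.41.108 79.121.63.130 79.140.167.74 "
                  "81.29.18.82 85.65.22.143 95.104.44.116 194.187.101.5".split())
# Assumed benign control (not from the thread): one zone, two hosts in one /24, hour TTL
BENIGN_DIG = """
www.example.test.       3600    IN      A       192.0.2.10
www.example.test.       3600    IN      A       192.0.2.11
"""

if __name__ == "__main__":
    flux = fast_flux_indicators(parse_answer_section(SNY_DIG), "sny.hatherx.cn")
    print("sny.hatherx.cn score", flux["score"], flux["indicators"])
    print("churn t0->t1 %.2f, t1->t2 %.2f" % (churn(HATHERX_T0, HATHERX_T1), churn(HATHERX_T1, HATHERX_T2)))
    print("ocauditors.cn vs ocatx.cn overlap %.2f" % jaccard(OCAUDITORS, OCATX))
    print("benign control score", fast_flux_indicators(parse_answer_section(BENIGN_DIG), "www.example.test")["score"])
```

On the thread's data the hatherx.cn lookup trips all four indicators, the first two sets posted hours apart share no address at all, the second and third share exactly one (72.225.253.137), and the two ocauditors.cn/ocatx.cn lists are identical, while the constructed control scores zero. Feeding the script live `dig` output instead of the transcribed samples is a one-line change, but as the thread notes the addresses are compromised hosts, so treat any single IP as a symptom rather than the target.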
Farelf Posted January 16, 2009

And here's another thing: sometimes those addresses are used to send spam (as well as to redirect visitors to a spam site). OK, I've only noticed it once:

    Non-authoritative answer:
    Name:       aaowes.cn
    Addresses:  201.252.237.133, 78.156.158.227, 84.109.120.43, 99.20.38.244
                190.46.185.220, 190.189.103.98, 193.224.128.248
    Aliases:    gdyi.aaowes.cn

http://www.spamcop.net/w3m?action=checkblo...=190.189.103.98

    190.189.103.98 listed in bl.spamcop.net (127.0.0.2)
    If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

... the only one listed; even so, it can't efficiently 'direct traffic' AND send spam - two different worms? But they supposedly kill any other infections encountered in competition - maybe not, multiple infections are seen all the time, IIUC. But then, very soon after:

    Non-authoritative answer:
    Name:       aaowes.cn
    Addresses:  189.202.118.246, 80.81.40.39, 86.101.118.38, 91.146.177.54
                124.191.19.216, 164.125.226.158
    Aliases:    gdyi.aaowes.cn

Completely different set of addresses, none SCbl listed right now - co-incidental, I wonder? Or maybe DNS real-time BL detection is monitored? I shouldn't think so, the sets of numbers usually change quickly anyway (as we have previously seen), but would need to check on some other BLs to get more data - it is just an unusual observation in isolation.
rconner Posted January 16, 2009

> ... the only one listed, even so it can't efficiently 'direct traffic' AND send spam - two different worms? But they supposedly kill any other infections encountered in competition - maybe not, multiple infections are seen all the time, IIUC.

Don't see why the bot couldn't do two jobs for the same master (in theory, anyway). To do the web redirection, it would need a listener on port 80 that would just proxy for the real website. To send the mail, it needs a program to transmit on port 25. These are two different and independent processes, so I suspect that they can both happen simultaneously. Don't know as I've seen it before either, but then I haven't looked.

It makes sense that one botherder would try to kick the other one off. Something to contemplate -- granny's computer as the apocalyptic battleground for two criminal gangs.

-- rick
Farelf Posted January 16, 2009

> ...Don't see why the bot couldn't do two jobs for the same master (in theory, anyway). ...

Granted - but maybe in the real world it would be more likely to cause noticeable/unsupportable performance degradation, and also increase the chances of external detection and enforced disinfection. Still, in the present economic climate maybe even spammers "must needs go that the Devil drives". Maybe (does seem rare though)....

> It makes sense that one botherder would try to kick the other one off. Something to contemplate -- granny's computer as the apocalyptic battleground for two criminal gangs.

Competing botherders, Windows Updates, AV updates, Sun Microsys updates, Adobe/Flash updates ... how the heck granny's beleaguered computer finds time to let granny watch the Chippendales on YouTube is anyone's guess - and now they want to pipe TV through the networks? I know, more bandwidth! We need more bandwidth! HooAH!