spam with Chinese links--what are they up to?

[Cherns]

Since my email client (The Bat!) is very cautious about displaying HTML, I get a fair number of legitimate "skeletal" messages that don't display all their pictures and graphics, and all have a line that says something like, "If you have trouble reading this message, click here," which leads me to a web page or some other HTML display using my browser. No problem here.

Lately (maybe last few months) I have been receiving a lot of spam that I find somewhat puzzling:

Messages almost always arrive in pairs, almost identical messages, generally with different Sb: lines, from different senders (both the spoofed addresses and SpamCop-analysis "real" ones);

All are "skeletal," claiming to be newsletters or some such that I've subscribed to, from alleged organizations with nonsense names like Poxiix or Vigiutype;

All contain many links, like "If you have trouble reading this message, click here," "Info on your account," "Unsubscribe," "Feedback," "User Information," etc. All these links point to Chinese-domain web sites with nonsensical (in English, anyway) names like sr.xzoyebac.cn/?sqy=4A713956585BFA36908E732. Even with my protection software, I don't want even to try following these links.

Can anyone suggest what's going on here? I'm guessing that they're either some form of phishing; or lead to some sort of poisoned web site that will try to drop a virus or a trojan or adware onto my computer; or maybe just some sort of listwashing, confirmation that my address is kosher. Maybe just testing hordes of zombie computers? Anyone else getting this kind of stuff? Any other suggestions? Anyone know for sure?

Follow-up question: I get a lot of these, and have so far been reporting them to the email-source ISPs and to the link ISPs via SpamCop.net. I suppose that it's a good idea to inform the mail source ISPs, but any ideas on whether it's worth it for the link ISPs?

Any suggestions greatly appreciated. Many thanks. --Howard

[rconner]

Can anyone suggest what's going on here? I'm guessing that they're either some form of phishing; or lead to some sort of poisoned web site that will try to drop a virus or a trojan or adware onto my computer; or maybe just some sort of listwashing, confirmation that my address is kosher. Maybe just testing hordes of zombie computers? Anyone else getting this kind of stuff? Any other suggestions? Anyone know for sure?

Follow-up question: I get a lot of these, and have so far been reporting them to the email-source ISPs and to the link ISPs via SpamCop.net. I suppose that it's a good idea to inform the mail source ISPs, but any ideas on whether it's worth it for the link ISPs?

I get an occasional "newsletter" spam, usually the perp is trying to sell pharma drugs. Don't know what might be happening in your case, a tracking link would be helpful.

I say that if SpamCop offers to report to the link provider, you can take them up on it (as long, of course, as the report is accurate and well-founded). It isn't clear whether any extra effort on your part would be worth the time (particularly in the case of botnet-hosted websites). Many of us now report spams with URLs in them to KnujOn.

-- rick

[Cherns]

Tracking number--hadn't thought of that--thanks. Here are a couple from today:

http://www.spamcop.net/sc?id=z3084757168z6...9dd8ce41c045b4z

http://www.spamcop.net/sc?id=z3084760299zc...64308a643bb626z

These two almost-identical ones came from Lithuania, different links

http://www.spamcop.net/sc?id=z3084762655zf...d432b2baa270e9z

http://www.spamcop.net/sc?id=z3084764878z7...e87eb3d58bec4bz

These two have same origins, but different links

Hmm, I don't know exactly how to get the tracking numbers for previous reports (I can go to "Previous Reports" and find the reports that were sent to the ISPs, but I'm not sure how to get the report that includes the full source). I'll look into this and possibly post some more--or, I'm pretty sure to get some more tomorrow or the next day.

I think I've figured out why it is that I tend to get these in pairs; thanks to some recent changes, xxx[at]compuserve.com and xxx[at]csi.com are now equivalent, and I seem to get one of these messages to each address.

I'll look into KnujOn--thanks. Cheers, --Howard

[Farelf]

Thanks for the tracking urls Howard

...Hmm, I don't know exactly how to get the tracking numbers for previous reports (I can go to "Previous Reports" and find the reports that were sent to the ISPs, but I'm not sure how to get the report that includes the full source). ...

Included as a link in that other link you were given - specifically Getting a Tracking URL from a Report ID numbers. It's all in the terminology - once it 'clicks' in your mind that your history list is showing you report numbers ... In a nutshell, open one of those, click on the 'Parse' link then copy the URL shown under "Here is your TRACKING URL - it may be saved for future reference:" near the top of the resulting page. It will be the same as the page address in your browser at that point except it is "www.spamcop.net/..." instead of "members.spamcop.net/..." (only you - or a SC staff member - would be able to open the "members" one).

[Farelf]

So, what are they up to? No telling at this stage, but certainly don't use any handy 'unsubscribe' links they offer and you can be fairly certain they only intend you harm .

It might be as simple, as you suggest, as getting your live email address and details for some 'identity theft' purpose or even just address validation so they can send targeted or otherwise effective 'human engineering' crafted messages (as you also anticipated). Even cold contacts like they sent dbiel - http://forum.spamcop.net/forums/index.php?showtopic=10483 can be very effective in the 'right' circumstance.

Or there may be active exploits, as you also suggest, at the end of those links. Perhaps some brave *nix/Macintosh user will venture there to look (but they'd want to know what they're doing!!)

wnahunef.cn and pnahayed.cn (and subdomains) both resolve to the same group of server hosts (which SC can never resolve properly because they are multiple):

C:\Documents and Settings\...>nslookup wnahunef.cn

Non-authoritative answer:

Name: wnahunef.cn

Addresses: 119.39.238.2, 203.93.208.86, 222.241.150.146, 60.191.239.150

218.75.144.6

C:\Documents and Settings\...>nslookup wnahunef.cn

Non-authoritative answer:

Name: pnahayed.cn

Addresses: 203.93.208.86, 222.241.150.146, 60.191.239.150, 218.75.144.6

119.39.238.2

C:\Documents and Settings\...>

...which are owned by, in the order of the first listing above:

Owner Name: CNC Group HuNan YueYang network

Owner Name: China Unicom IP network

Owner Name: CHINANET-HN Hengyang node network

Owner Name: Jinhua Telecom Co.,ltd

Owner Name: CHINANET-HN changde node network

These 'alphabet soup' domains are often used for illicit purposes and may well be auto-registered through the very cheap and unquestioning facilities available in China (last time I looked).

The case of dbiel's tricksters, the website there had more conventional name and hosting, pointing to:

Owner Name: CHINANET yunnan province network (yep, chinanet again).

Certainly there is some rampant Chinese criminality abroad, taking whatever advantage of the North American/Western vulnerability they can manage (they might be liable for execution if they tried such at home). That is nothing new but they may be trying harder now with the perception of more opportunity (= desperation). Predators have no concept of mercy.

[Wazoo]

http://www.spamcop.net/sc?id=z3084757168z6...9dd8ce41c045b4z

Fetching ht tp://tilee77.wnahunef.cn/ ...

Host: tilee77.wnahunef.cn

HTTP/1.1 302 Moved Temporarily

Server: nginx/0.6.36

Location: ht tp://www.pillsperfectgarden.com/

Fetching ht tp://ucvma84.wnahunef.cn/ ...

Host: ucvma84.wnahunef.cn

HTTP/1.1 302 Moved Temporarily

Server: nginx/0.6.36

Location: ht tp://www.pillsperfectgarden.com/

http://www.spamcop.net/sc?id=z3084762655zf...d432b2baa270e9z

Fetching ht tp://pmdl57.pnahayed.cn/ ...

Host: pmdl57.pnahayed.cn

HTTP/1.1 302 Moved Temporarily

Server: nginx/0.8.4

Location: ht tp://www.pillsperfectgarden.com/

Don't see any reason to keep on checking. The remainder of the URL you see in the spam are simply tracking variables, more than likely the same across the spam run to see which 'version' got a better response rate. The multiple URLs per spam are typically a work-around to try to better handle the problems with the fastflux type hosting/pointing of this crap.

[rconner]

Perhaps some brave *nix/Macintosh user will venture there to look (but they'd want to know what they're doing!!)

I was reluctant to test the entire URL for fear of it being a web bug, but I did hack off the query data and try it -- our old pals at "Canadian Pharmacy" are at it again. No sign of exploits, forced downloads, etc. but then this should not be considered a clean bill of health.

-- rick

[Farelf]

Great work, Wazoo & Rick. So - pillsperfectgarden.com, domain registered to "Lissette P Pagnozzi" at a wonky address, supposedly in Russia, hosting (202.75.37.166) by Telekom Malaysia, the Chinese bits seem simply redirection and hosting thereof.

Apparently just another way to get people to explore the pharmaceutical wonderland of sub-standard pillz awaiting any takers with just the right combination of naivety, liquidity, adventurousness and stupidity. And there are 'enough' of those around, it seems - maybe the recession isn't biting quite as hard as we thought.

Darn, overestimated the little devils (spammers) yet again. Yes, other reporting possibilities like KnujOn are seemingly better equipped to deal with this stuff, SC is primarily after the mail sources that deliver those links.

[edit - one 'formulaic' SiteAdvisor review at http://www.siteadvisor.com/sites/pillsperfectgarden.com the further link http://www.spamtrackers.eu/wiki/index.php/Canadian_Pharmacy looks a little dated now but Google the registrant name to see more findings and comments on the current operations.]

[Cherns]

Many thanks to you all, Farelf, rick, and Wazoo, for your detective work. So it seems that these mysterious messages are probably "only" trying to sell me bogus pills or sign me up for non-existent high-paying work or entangle me in some more "usual" kind of spam scam. I can't imagine the credulity of someone who would click on an "Unsubscribe" link, get a "Canadian Pharmacy" pitch, and fall for it, but obviously there are a lot of people who do not have the cynicism, arising from nature and experience, that makes one wary of whatever we see on this marvelous Internet. (Actually, I do get my meds from a local pharmacy right here in Canada...)

Here's one that arrived (twice) today, possibly from Bulgaria via GMail:

http://www.spamcop.net/sc?id=z3087054162z6...78b520f15e35aez

Cheers, and thanks again. --Howard

[Farelf]

...Here's one that arrived (twice) today, possibly from Bulgaria via GMail:

http://www.spamcop.net/sc?id=z3087054162z6...78b520f15e35aez

Well, the links (two checked) on that one appear to go to awesomepharmexcite.com hosted by Telekom Malaysia, domain registrant allegedly "Tatyana Matuhova", forwarded from the Chinese domains with exactly the same Chinese fast-flux hosting as your other examples. Yes, this is the same MO, same 'business', same gang. Why two at a time? My best guess is somehow your address has ended up twice in their lists, they don't care - the minute proportion of take-up their operation achieves means they rely on such high volumes that finesse is completely unnecessary. Besides, some bot controller 'contractor' probably gets paid by volume. Wish they'd switch to a results-driven model. On second thoughts, no I don't.

[rconner]

Actually, I do get my meds from a local pharmacy right here in Canada...

Make no mistake, these pharmacies are no more "Canadian" than am I (and I am not Canadian at all). "Canadian pharmacy" was a buzzphrase that cropped up here in the U.S. a few years back when some individual Americans (and even some local governments) began to buy meds in Canada due to their supposed lower prices (as I understand it, this is against U.S. law). The spammers simply wrapped themselves up in maple leaves to take advantage of the publicity.

-- rick

[Cherns]

Thanks again, rick and Farelf.

I have figured out the two-at-a-time thing: my compuserve.com address apparently has an alias as csi.com (probably due to some recent changes in the CompuServe mail system), so I'm getting one message at each address, although the To: address itself is as often as not exactly mine, but one close, presumably with a zillion BCCs including mine. Interestingly, the messages do differ slightly--usually in stuff like "You are subscribed to the newsletter from -----------", presumably to keep various servers or whatever from seeing too many identical messages. I believe that sometimes the twin messages have originated (according to SpamCop analysis) from servers in different places around the globe.

Most Canadian provinces have some sort of plan that reimburses people for their prescription costs, and most of the provincial health plans have negotiated deals with the pharma companies for discounted quantity prices. (I believe that US legislation expressly forbids US health plans, or at least the public ones, from doing this. Why? Well, the pharma companies like it...) As a result, I believe that the upshot is that prescription prices are quite a bit lower in Canada (and much of the rest of the world) than in the US. For a while there used to be busloads of seniors coming from to Canada from US border states, medical records in hand to be eyeballed by a Canadian physician who would write the actual prescription; and companies that would organize the buses, doctors, and pharmacies. (My understanding is that, while the FDA frowns on bringing non-US drugs into the country for commercial purposes like re-sale, bringing personal prescriptions across is ok. Canadian law is a bit more stringent, but I've never seen any enforcement.) And, I believe that for a while there were actually legitimate pharmacies in Canada that would do mail order to the US. I suspect that these have now been run out of business by various con artists claiming to be "mail order Canadian Pharmacies."

Thanks again to you folk who have shown me what this particular kind of spam is all about. I generally report to SpamCop.net only those spams that are 419s or other obvious scams--I get at least a couple of these a day, and if I were to include all the replica-watch, male-enhancement, blue-pill, or Canadian Pharmacy spams I get, I'd probably have to up my SpamCop.net time by another 20-30 spams a day. (I'm distrustful of spam filters--it doesn't take much time to hit the Delete button, but it does take some time to do a SpamCop.net report.) So if these peculiar messages are just pushing drugs and not trying to lure me into some zombie network, I guess that the bit bucket is good enough for them. Cheers, --Howard

[Farelf]

...it doesn't take much time to hit the Delete button, but it does take some time to do a SpamCop.net report.) So if these peculiar messages are just pushing drugs and not trying to lure me into some zombie network, I guess that the bit bucket is good enough for them. Cheers, --Howard

You're welcome Howard.

Nothing stays the same, if those things seem to be routine pill-pushers now doesn't mean something similar-looking won't be a lure for a drive-by infection in future but that, as always, is easily avoided by never clicking the links. There has been a resurgence of virus/downloader attempts by way of attachments to spam over the past year or so and those can be quite convincing by coincidence, depending on your current personal circumstances, so attachments are even more to be distrusted/wary of than links, no matter how plausible/tempting they might sometimes seem.

As for reporting, there are relatively effortless options in terms of the submission process (cf. http://forum.spamcop.net/scwik/QuickReporting) but you do need to know what you are doing and even the most knowledgeable will occasionally slip up with false, duplicate or unjustified 'own ISP' reports, especially when high volume reporting is involved - so it is best to stick to whatever you are comfortable in doing IMO.

All of which is a roundabout way of agreeing with your statements in the 'here and now' but with a couple of very muted 'yabuts'.