Jump to content

Host-hopping spammer - can anything be done?


jhg
 Share

Recommended Posts

I'm receiving spam messages that all look the same and have the same "unsubscribe" link:

The messages are always base64-encoded HTML and the HTML always has the following at the end

Preferences

Unsubscribe

6757 Cascade Rd. Suite 166

where Preferences and Unsubscribe are links of the form

http://same-host-as-spam-link/long-string-of-hex-digits

These messages seem to come through exploited open relays or throwaway Amazon EC2 instances, and I get only 3-4 messages from each IP. I've been adding client IP and sender checks to my Postfix SMTP configuration but they change hosts often enough that I have to update the filters at least once a day to add the latest hosts/domains.

Sample headers:

Return-Path: <WirelessInternet[at]allwebbuy.com>
X-Original-To: redacted[at]redacted.com
Delivered-To: redacted[at]redacted.com
X-Greylist: delayed 00:10:00 by SQLgrey-1.8.0
Received: from allwebbuy.com (unknown [91.108.81.162])
    by smtp.redacted.com (Postfix) with ESMTP id D4FB8338554
    for <redacted[at]redacted.com>; Sat,  3 Jan 2015 02:48:42 +0000 (UTC)
Content-Type: multipart/alternative;
    boundary="===============6835749550156966652=="
MIME-Version: 1.0
From: Wireless Internet <WirelessInternet[at]allwebbuy.com>
To: redacted[at]redacted.com
Subject: Your Web Connection Floats with You with Wi-Fi
Reply-To: noreply[at]allwebbuy.com
List-Unsubscribe: <mailto:unsubscribe-espc-tech-12345N[at]allwebbuy.com>
Message-ID: <5bd0724990f8d52706b3ff173e52e4ee[at]allwebbuy.com>
Date: Sat, 3 Jan 2015 05:38:40 +0300

The message format is extremely consistent, and I'm sure thousands of people are receiving these emails. Is there any resource on the web that might know the actual source of these messages?

I tried following one of the links with curl but there are at least 3 or 4 layers of redirects involved.

Anything else to do to fight the spammers?

Edited by jhg
Link to comment
Share on other sites

Sounds like the sort of thing which the Spamhaus "snowshoe" list might eventually catch - http://www.spamhaus.org/css/ - it takes fairly special resources to address snowshoeing efficiently and I think that's well beyond the capability of the SCbl UNLESS heaps of reporters just keep on reporting, or the spammers' lists include SC spamtraps (note What is the SpamCop Blocking List (SCbl)?).

If you have a "paid" reporting account you can look at the report histories of those IP addresses to see how many other reporters are making submissions. The spamstats - https://www.spamcop.net/spamstats.shtml - can give you an impression of how much spam traffic is passing through those networks (especially Ѕpam reports vs. email volume which, with a little guesswork, gives some clue as to the liklihood of future SCbl listing. And the links from those stats to the SenderBase analysis of the net range/network gives more detailed analysis. SenderBase can be generally-directly interrogated from http://www.senderbase.org/ as well.

If the spammers are illegally hacking the sending serververs, then SC reports to the abused networks will generally - but not always - help, especially if the addresses are also on the CBL (shown in both the parse and the SenderBase analysis) and you mention that in the report notes to the abuse addresses. The CBL links often include specific advice to the network on disinfecting suborned servers.

spam payload "spamvertized" domains are a potential weak link for snowshoe operations and SC reports go to the hosts of those (the first re-direction link at least) to invite their attention to the supposed abuse of their terms of use. We know from complaints made from (more or less innocent) domain owners/registrants on this forum that can be effective, sometimes rather too effective. A certain amount of SC spamvertizing "observations" are also picked up by the independent-specialiazied SURBL to list offending domains.

"Complainterator" (seach the internet and this forum for that name) is a non-SC approach discussed here frequently, another is "KnujOn", either/both are certainly additional tools that might be used and there are members of this forum who use (or used) one or both.

There's a lot that can be done (without becoming too obsessive) but SC reporting still has a part to play IMO - even if the results are not immediately apparent or spectacular.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...