
[Resolved] Multiple hosts for the same spamvertised site


elind


...This is the part that I don't understand and why, with all due respect, I have trouble accepting the explanations I have seen so far.
Well, I could certainly be quite mistaken in my views. But, have you considered the sheer scale of the botnets and the ease of recruitment to them. Components are entirely expendable while the effort to produce a clean list of any great size is very considerable. It's all a 'business model' concept. It seems very apparent to me that the greater part of the spamming 'fraternity' is hooked on insane (and increasing) volume. Why not? They steal all the real resources and ISPs happily increase capacity/bandwidth to compensate for the imposture of spam. And who pays? Why, we do.


A point that was missed here but I for one have experienced and paid for (in hard cash and computers made useless by virus infections) is that people's e-mails targeted for spam are often targeted with viruses that spread spam. It's as if once a name has made it on a list it is sold to every criminal in the business. What is often overlooked is that these people are criminal not just in what they sell (or make you pay for) but in every way they conduct business. They are obviously a menace and an unnecessary load on all legitimate internet users. That is why I am baffled at the slowness of response and talk of freedom; freedom means nothing if crime is allowed to prevail. The old wild west is a legend; it wasn't entirely lawless even then.


This is the part that I don't understand and why, with all due respect, I have trouble accepting the explanations I have seen so far.

Just as in other 'business' environments, consider the phrase .. the cost of doing business

Noting that some of the previous is projected to increase in the future. A listing I can't really seem to find fault with is at 10 Security Predictions For 2009

Some of the nastiest stuff is already happening a bit too often, for example the latest Microsoft Warns Of Zero-Day IE Attacks ... of particular note is the repeat of the 'timing' involved.

And just to bring that last one up to date, Microsoft has revised its last Security Notice ....

Vulnerability in Internet Explorer Could Allow Remote Code Execution

December 11, 2008: Revised to include Microsoft Internet Explorer 5.01 Service Pack 4, Internet Explorer 6 Service Pack 1, Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 as potentially vulnerable software. Also added more workarounds.

The bad part being that so many others had to get involved to get all the facts straight .... as described in Microsoft confirms that all versions of IE have critical new bug


Just to record the latest instances I am seeing of the type with the .CN botnet redirectors: they are providing links to two of the things, like tyds.obano.cn and tja.obano.cn. This behavior has been seen several times just in the past few hours.

Tracker - http://www.spamcop.net/sc?id=z2466957531z8...5a0f599dc5ba5az

The purpose of this is entirely unclear since they both resolve to the same botnet:

H:\>nslookup tja.obano.cn
...
Non-authoritative answer:
Name: obano.cn
Addresses: 74.78.12.190, 80.98.31.8, 81.198.194.219, 84.105.54.200
           85.122.97.134, 88.201.155.253, 89.156.72.201, 218.39.182.141
Aliases: tja.obano.cn

H:\>nslookup tyds.obano.cn
...
Non-authoritative answer:
Name: obano.cn
Addresses: 80.98.31.8, 81.198.194.219, 84.105.54.200, 85.122.97.134
           88.201.155.253, 89.156.72.201, 218.39.182.141, 74.78.12.190
Aliases: tyds.obano.cn

...anyone have any thoughts on what (if anything) it's all about? Giving automated lookups (like the SC parser) a bit of extra work is the only thing that occurs to me. Even spammers can count to "1", presumably 2 URLs is deliberate. I wouldn't really think it's anything specifically aimed at SC - though it would be nice to imagine otherwise.


Hello again. HD started to crash. Installed a new one. Reinstalled everything. Backups went to the wrong directories, and I could go on....

I haven't read everything above, but I have been getting the same spam with the cryptic 2 words ending in CN. Usually it's watches.

However when they first started it was one web link. Then they came with two and now it is 4 separate links in groups of two, usually only the first word varies in each spam.

I think (i.e. guess) they are deliberately doing this to spoof the likes of spamcop because I've been resubmitting them manually to see what comes up. The sender is always the same of course, but 9 out of 10 spamcop processes come up with nothing on the URLs and then there will be a series of hits, but usually only one or two of the addresses, then no hits for several minutes (resubmitting as fast as spamcop responds, and canceling if nothing new appears). Some hits reappear more often than others (e.g. Chello.hu) but good old Comcast, Earthlink and even RR pop up now and then.

I understand that for reasons I don't understand, Spamcop doesn't focus on spamsites as much as senders, and I'm sure there are good technical reasons to not persist (wait?) to resolve these changing URLs; but it seems to me that spammers are a lot more vulnerable at the point of sale than the mailboxes they send from.

If the reasoning for not addressing this ploy is technical, bandwidth/hardware/whatever, then it occurred to me that Spamcop should consider putting an application on BOINC to spread the load.

These kinds of delayed URL resolutions could be farmed out to participating PCs who would repeatedly, on their dime, try to resolve all the varying URLs in a particular piece of spam then, within a certain time limit, send back the list of resolved hosts to spamcop for reporting.


I think (i.e. guess) they are deliberately doing this to spoof the likes of spamcop because I've been resubmitting them manually to see what comes up.
For sure they are deliberately doing it, specifically to make it hard to trace the actual websites.

The sender is always the same of course, but 9 out of 10 spamcop processes come up with nothing on the URLs and then there will be a series of hits, but usually only one or two of the addresses, then no hits for several minutes (resubmitting as fast as spamcop responds, and canceling if nothing new appears). Some hits reappear more often than others (e.g. Chello.hu) but good old Comcast, Earthlink and even RR pop up now and then.
I think that in most cases SpamCop will try to track down web URLs that it finds in the clear, but it won't wait forever for nameserver responses. That's how most of these sites slip under the wire. Bear in mind that most of these sites rotate their nameservers as well, and there tends to be quite a bit of latency within these botnets.

it seems to me that spammers are a lot more vulnerable at the point of sale than the mailboxes they send from.
Perhaps this is where other services/tools like Complainterator, KnujOn, etc. come into the picture.

These kinds of delayed URL resolutions could be farmed out to participating PCs who would repeatedly, on their dime, try to resolve all the varying URLs in a particular piece of spam then, within a certain time limit, send back the list of resolved hosts to spamcop for reporting.
I wouldn't mind SpamCop doing something of this sort (tho it sounds kinda complicated), but I think it would be better still to find out what name service or registry these guys are using, and deal with the problem at that level. You can forward your spam to KnujOn and that is what they will do with it.

-- rick


I understand that for reasons I don't understand, Spamcop doesn't focus on spamsites as much as senders, and I'm sure there are good technical reasons to not persist (wait?) to resolve these changing URLs; but it seems to me that spammers are a lot more vulnerable at the point of sale than the mailboxes they send from.

The reason is quite straightforward if you look at the logistics of the chosen task - keeping spam out of people's inboxes. You can attack the problem at the sending end, where the spammer and the spammer's ISP may or may not be interested in stopping the flow of spam for financial reasons - and may not respond to any efforts by spamcop. Or you can attack the problem at the receiving end, where the owner of the inbox and their ISP are interested in stopping the spam for reasons in addition to financial - and will take action. As a result SC gets better results building a SCBL to be used at the receiving end than trying to convince a spammer or their ISP to stop the spam and reduce their income.

As for the spamvertised links, they generally do not expose themselves by sending spam. Therefore, identifying these URLs does not directly affect the spam in the inbox. You are most likely correct about where they are most financially vulnerable. KnujOn and others agree and concentrate on this side of the overall problem, attacking the spamvertised sites.

Different groups have chosen to concentrate on different parts of the problem, not having the resources to do everything. CastleCops have divided their volunteers into groups to work on different types of spam; KnujOn works only on the spamvertised site, not on the source of the spam; PhishTank only collects phishing spam and uses volunteers to look at each reported site to be sure it is a phishing site - they don't look at the source.

SpamCop has chosen to keep as many spam out of inboxes as possible by developing a SCBL. If sending reports to the sender's ISP gets the spammer cut off as McColo was last month, all the better. (Don't mean to imply SC got McColo Corp cut off. But their ISP did unplug them.)

All of this is why I send my spam to several "tools" and support several organizations that fight spam.


Well, I've learned some more again. I haven't researched other anti spam efforts as described, just doing my bit with spamcop seemed enough, but I'll see how easily I can contribute to these others as well.

As to the BOINC approach, granted if spamcop is only peripherally interested in getting to spam websites they may not be the ones to do this, and someone else may be able to manage the same with their dedicated systems. I don't think it is terribly complicated, there are plenty of users of that on the web (I run Seti only) and I suspect one can get a "package" where one just writes one's own code inside it. In the case I described it is all a matter of building a table of unique hits from the URLs in question over a period of time, then treating it exactly like a spamcop report, except to all the multiple hosts identified.

However, it seems to me that the very fact that spammers have no interest in removing spamcop addresses from their lists means that they don't much care about spam message reduction efforts. That is just a cost of doing business.

However simple economics says that if they lose their sales points, of which there will be less than their mailing points, then they will be hit harder than by spamcop reports to the sender's ISPs who mostly don't seem to care.

What is also missing, IMHO, is a concerted effort by the people who can have influence and pressure in the market as a whole. That means the main telecommunication companies and ISPs etc., including those like Microsoft. A few years ago even Bill Gates was talking of stopping spam, now one hears almost nothing except from the technical press. What happened?


IMHO, it will take consumer pressure to make the companies who can do something about spam do it. Part of the reason, I believe, that ISPs, Microsoft, etc. are happy with the status is that blocking is effective. It saves the bandwidth for accepting and with much spam being sent via botnets, it doesn't affect customer traffic. The really high up backbones don't much care since someone is paying for the spam to be sent - the more traffic they have, the more money they make.

Even though I do not have spam filtering turned on in my 'free' accounts, I hardly get any spam - and one account is definitely on the spammer lists. Once in a while, a 419 gets through and there is a persistent viagra spam that evades the filters, but not much else. Of course, legitimate email disappears also, but there is nothing that can be done about that since they won't tell you why it was caught.

At some point, all ISPs will have filtering and any who do not use the filtering will not be the ones to answer the spam. However, as long as there is money to be made with the 419 and viagra and 'Respond now - your account needs verification' and maybe even Rolex watches, there will be criminals who will evade the filters. And people to buy the 'spammer package' that promises untold wealth until their account is canceled or they do not get any return because all their email has been blocked.

Economics as the way history is driven theory gets a big boost from spam.

Miss Betsy


Filtering was improved to the point it is not noticeable by the end user, thus.. "the problem is solved". :(
Succinctly put. :)

The more spergin amongst us (naturally) fret about the increasing dilution of 'real' mail amid the growing torrent of transmitted spam, the esoterica of signal-noise ratios in such an environment, the hidden costs we all bear as a consequence of this and the unchecked banditry of the botmakers, the unmitigated greed of ISPs and registrars, the undeserved profits of the criminally-inclined, the cluelessness of regulators (who invariably make things worse) and the simple injustice of an uncaring world. Ah, it's a cold place, the universe :D Just as well it's the festive season (near enough)!

...I haven't read everything above, but I have been getting the same spam with the cryptic 2 words ending in CN. Usually it's watches.

However when they first started it was one web link. Then they came with two and now it is 4 separate links in groups of two, usually only the first word varies in each spam....

Thanks for that confirmation elind - yours seem to have 'evolved' to the next stage, compared to my 2-link kind. Anyone have any idea what the multiple link thing is about (tracking URL supplied in my post preceding that one of elind's)? Things like that worry me.

Here's the latest 4 link one, in case anyone can work the links to the end.

http://www.spamcop.net/sc?id=z2468210465z4...a2004ad9582605z

Thanks, yes, each in a pair resolves the same, the two pairs are two different assemblages, each pair apparently with different functions to the other pair.

Non-authoritative answer:
Name: obaudi.cn
Addresses: 190.97.129.143, 77.27.41.102, 80.96.237.9, 81.184.139.176
           81.198.241.29, 82.131.55.11, 85.122.50.75, 91.122.160.94
Aliases: scnl.obaudi.cn

Non-authoritative answer:
Name: obaudi.cn
Addresses: 82.131.55.11, 85.122.50.75, 91.122.160.94, 190.97.129.143
           77.27.41.102, 80.96.237.9, 81.184.139.176, 81.198.241.29
Aliases: scb.obaudi.cn

____________________________________________________________

Non-authoritative answer:
Name: obaudi.cn
Addresses: 82.225.43.251, 85.12.249.136, 85.186.223.250, 89.135.22.8
           89.215.99.153, 94.74.72.85, 77.41.92.230, 82.131.55.11
Aliases: slcu.obaudi.cn

Non-authoritative answer:
Name: obaudi.cn
Addresses: 94.74.72.85, 77.41.92.230, 82.131.55.11, 82.225.43.251
           85.12.249.136, 85.186.223.250, 89.135.22.8, 89.215.99.153
Aliases: subw.obaudi.cn

Er, could it be spammers' customers complaining of a suboptimal browsing experience? Fast-flux botnet admins asleep on the job? These kids may not always have the devotion to duty we'd expect of them.
Yeah, I can imagine different assemblages with different functions giving stronger performance, also makes it just about impossible for some types of analysis to DNS-resolve the 'root domain' (if that's the term) in isolation - obaudi.cn in this case (though analysis of any of the subdomains - say through robtex - fairly quickly unravels the whole structure). These things maybe have very limited capacity (cheapness shows) but are quite resistant to some kinds of automated probing/analysis.

Not so sure of the purpose of pairings though. Can't see that if one struggles to redirect that the other would necessarily do better but that would seem to be the idea. Oh well, at least gives the 'dedicated client' something to do if their attempts at putting themselves in harm's way are being frustrated.

The net result of pairings means that SC is never going to resolve both at the same time (let alone TWO pairs), meaning that SC reporters, using SC tools only, are never going to touch them. That seems very specific behavior if it is by design - almost too much to hope that SC has forced a lifting of the bar in that regard.

I would think SC is not a great risk at all in the 'spamvertized website' world - certainly SC doesn't go out of its way and there's little evidence that any ISPs do anything much (/at all) to pull zombied machines in their netspace out of the botnets - what's their incentive? I thought infected machines were maybe being pulled to a significant extent (picturing some sort of 'Hawking radiation'-type evaporation) but now imagine most of the apparent attrition is better explained by mere redeployment within the (botnet) resource rental framework.
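Pulling together three things from this thread (the paired nslookup answers where two subdomains return the same addresses in a different order, elind's idea of "building a table of unique hits from the URLs in question over a period of time", and the two-assemblage observation in this post), here is an added example script. It is not from any poster here and not SpamCop's or any other tool's code. It parses pasted nslookup answers, groups hostnames that share one address pool, counts how many distinct networks a pool spans (a handful of addresses scattered over unrelated /24s is the usual sign of rented infected consumer machines rather than one hosting provider), and accumulates first-seen (host, address) hits across repeated lookup rounds. The first round is the obaudi.cn output quoted in this post; the second round is constructed (192.0.2.10 is from the TEST-NET-1 documentation range, so it is obviously made up); resolve() is an assumed helper built on socket.getaddrinfo for anyone who wants to feed it live rounds instead.

```python
import ipaddress
import re
import socket

# Constructed sample input: the four nslookup answers for the obaudi.cn
# subdomains quoted in this thread, pasted as one text blob.
SAMPLE_ROUND_1 = """
Non-authoritative answer:
Name: obaudi.cn
Addresses: 190.97.129.143, 77.27.41.102, 80.96.237.9, 81.184.139.176
81.198.241.29, 82.131.55.11, 85.122.50.75, 91.122.160.94
Aliases: scnl.obaudi.cn

Non-authoritative answer:
Name: obaudi.cn
Addresses: 82.131.55.11, 85.122.50.75, 91.122.160.94, 190.97.129.143
77.27.41.102, 80.96.237.9, 81.184.139.176, 81.198.241.29
Aliases: scb.obaudi.cn

Non-authoritative answer:
Name: obaudi.cn
Addresses: 82.225.43.251, 85.12.249.136, 85.186.223.250, 89.135.22.8
89.215.99.153, 94.74.72.85, 77.41.92.230, 82.131.55.11
Aliases: slcu.obaudi.cn

Non-authoritative answer:
Name: obaudi.cn
Addresses: 94.74.72.85, 77.41.92.230, 82.131.55.11, 82.225.43.251
85.12.249.136, 85.186.223.250, 89.135.22.8, 89.215.99.153
Aliases: subw.obaudi.cn
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_nslookup(text):
    """Map each answer's queried name (the Aliases entry, else Name) to its
    addresses in the order the resolver returned them."""
    answers = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name = alias = None
        addrs = []
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("Name:"):
                name = line.split(":", 1)[1].strip()
            elif line.startswith("Aliases:"):
                alias = line.split(":", 1)[1].strip()
            else:  # the "Addresses:" line and its continuation lines
                addrs.extend(IPV4_RE.findall(line))
        if (alias or name) and addrs:
            answers[alias or name] = addrs
    return answers


def group_by_pool(answers):
    """Hosts whose answers hold the same set of addresses (order ignored) are
    served by the same pool; this recovers the 'pairs' seen in the thread."""
    pools = {}
    for host, addrs in answers.items():
        pools.setdefault(frozenset(addrs), []).append(host)
    return sorted(sorted(hosts) for hosts in pools.values())


def distinct_networks(addrs, prefixlen=24):
    """How many /prefixlen networks a pool spans; a pool scattered over many
    unrelated networks looks like rented consumer machines, not a hoster."""
    return len({ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs})


class HitTable:
    """The table of unique hits accumulated over repeated lookups, recording
    the round in which each (host, address) pair was first observed."""

    def __init__(self):
        self.rounds = 0
        self.first_seen = {}

    def record(self, answers):
        self.rounds += 1
        for host, addrs in answers.items():
            for addr in addrs:
                self.first_seen.setdefault((host, addr), self.rounds)

    def unique_ips(self, host=None):
        return {a for (h, a) in self.first_seen if host is None or h == host}

    def new_in_round(self, n):
        return {a for (h, a), r in self.first_seen.items() if r == n}


def rotated(answers, drop, add):
    """Constructed stand-in for a later lookup round: `drop` has left every
    pool and `add` has joined. Use resolve() per host for real rounds."""
    return {h: [a for a in addrs if a != drop] + [add] for h, addrs in answers.items()}


def resolve(host):
    """Assumed live helper (not called by the demo): one IPv4 lookup round."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    round1 = parse_nslookup(SAMPLE_ROUND_1)
    round2 = rotated(round1, drop="82.131.55.11", add="192.0.2.10")  # constructed
    table = HitTable()
    for answers in (round1, round2):
        table.record(answers)
    for pool in group_by_pool(round1):
        addrs = round1[pool[0]]
        print(pool, f"{len(addrs)} addresses over {distinct_networks(addrs)} /24s")
    print("unique addresses after", table.rounds, "rounds:", len(table.unique_ips()))
    print("first seen in round 2:", sorted(table.new_in_round(2)))
```

On the quoted data the grouping returns exactly the two pairs noted above (scnl/scb and slcu/subw), each pool of 8 addresses spanning 8 different /24s, with 82.131.55.11 the one address shared by both pools. Over the two rounds the table holds 16 unique addresses, and new_in_round() shows what each later lookup added, which is the list a reporter would forward once the collection window closes. Since nslookup output carries no TTL, the script keys freshness on lookup rounds rather than time; with live data, the interval between rounds should be shorter than the records' TTL or rotations will be missed.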


...I have been told that if connected to the internet via a router, then a firewall on the PC is redundant (and can sometimes cause network problems). Is that true?...
Some homework for you (do try to keep up :D ) shamelessly stolen from part of a post by user Kayman in newsgroup grc.security
The NAT router can be your first line of protection :)

Implement Countermeasures against DNSChanger.

http://extremesecurity.blogspot.com/2008/0...t-hijacked.html

References and educational reading:

Deconstructing Common Security Myths.

http://www.microsoft.com/technet/technetma...hs/default.aspx

Scroll down to:

"Myth: Host-Based Firewalls Must Filter Outbound Traffic to be Safe."

Exploring the windows Firewall.

http://www.microsoft.com/technet/technetma...ll/default.aspx

"Outbound protection is security theater—it's a gimmick that only gives the impression of improving your security without doing anything that actually does improve your security."

Managing the Windows Vista Firewall

http://technet.microsoft.com/en-us/magazine/cc510323.aspx

For the average homeuser, the Windows Firewall in XP does a fantastic job at its core mission and is really all you need if you have a 'real-time' anti-virus program, [another firewall on your router or] other edge protection like SeconfigXP and practise Safe-Hex.

The windows firewall deals with inbound protection and therefore does not give you a false sense of security. Best of all, it doesn't implement lots of nonsense like pretending that outbound traffic needs to be monitored.

Activate and utilize the Win XP built-in Firewall; Uncheck *all* Programs and Services under the Exception tab.

Windows XP: How to turn on your firewall.

http://www.microsoft.com/protect/computer/firewall/xp.mspx

Configure Windows by using:

Seconfig XP 1.1

http://seconfig.sytes.net/

Don't expose services to public networks.

Windows XP Service Pack 3 Service Configurations

http://www.blackviper.com/WinXP/servicecfg.htm

Routinely practice Safe-Hex.

http://www.claymania.com/safe-hex.html

Good luck :)

When you've mastered that lot, I for one would like your comments. Probably so would Kayman.

