[nsp-sec] A mystery - Where did the spam go?
William Salusky
william.salusky at aol.net
Mon Feb 25 13:52:15 EST 2008
One such possibility. There is a distinct high volume spammer network
that I noticed go dark on February 6th perhaps due to simultaneous loss
of controller nodes ;), with new controllers having reappeared in new
(again) hosting sometime on Feb 10th.
This particular spammer network in question operates with an XOR'd
reverse tunnel control mechanism, and is usually spamming either plain
text or .png image based spam for adult web sites and online pharmacy.
The links are most often just to landing pages that act as redirects to
the true spamvertised site, and the actual service of content is in a
mix of single flux network services. Sometimes only the landing page is
in flux, sometimes the whole spamverstore is in flux, sometimes not in
flux at all. I suppose it all depends on the type of run, and how much
has been paid in 'services'.
One of the more recent .png image based spam samples coming out of this
network was for 'thepromote.com' (still actively served in single flux).
Not picking on comcast, but clearly they have some of the better
connected live flux nodes at the moment. :)
;; ANSWER SECTION:
www.thepromote.com. 595 IN A 67.184.9.34
[c-67-184-9-34.hsd1.il.comcast.net]
www.thepromote.com. 595 IN A 76.30.221.50
[c-76-30-221-50.hsd1.tx.comcast.net]
www.thepromote.com. 595 IN A 24.5.90.125
[c-24-5-90-125.hsd1.ca.comcast.net]
;; AUTHORITY SECTION:
thepromote.com. 172754 IN NS ns1.klaradavai.com.
thepromote.com. 172754 IN NS ns2.klaradavai.com.
Some of the recent plain text spam coming out of this net has been for
multiple domains hosted at (not in flux):
22725 | 72.5.175.97 | NEWNET-1 - New.net, Inc.
* The Upstream:
14743 | 72.5.175.97 | INTERNAP-BLOCK-4
The domains. (I hope my own mail gateways do not kill this message!)
AsianCh ickHot dot net
BestNak edPic dot net
GreatCh ickPics dot net
RedHotD evil dot net
TheHotP arty dot net
YoungBa re dot net
W
Joel Rosenblatt wrote:
| ----------- nsp-security Confidential --------
|
| Hi,
|
| I may have mentioned this before, but we typically get between 2 and 3
| million bounce messages a day to jra54449 at cs.columbia.edu - an ID that
| has never existed at Columbia.
|
| Over the last 20 days, the number of messages went from 2 million+
| down to 13,354 and then back up to 1.1 million.
|
| Looks like a smooth curve - very strange.
|
| The raw data is attached. Can anyone correlate this with some other
| events going on over the last 20 days?
|
| Regards,
| Joel Rosenblatt
|
| Joel Rosenblatt, Manager Network & Computer Security
| Columbia Information Security Office (CISO)
| Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
| http://www.columbia.edu/~joel
|
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/25
|
| 2,906,107 spam and other junk came from 310,768 unique IP addresses
| (about 9 messages per host).
|
| 1,559,715 spam messages came from 207,884 unique IP addresses
| (about 7 messages per host).
|
| Of the 1,346,392 other junk,
| 1,159,373 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/24
|
| 2,999,846 spam and other junk came from 283,853 unique IP addresses
| (about 10 messages per host).
|
| 1,471,387 spam messages came from 181,247 unique IP addresses
| (about 8 messages per host).
|
| Of the 1,528,459 other junk,
| 1,122,095 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/23
|
| 2,420,783 spam and other junk came from 310,464 unique IP addresses
| (about 7 messages per host).
|
| 1,328,820 spam messages came from 204,425 unique IP addresses
| (about 6 messages per host).
|
| Of the 1,091,963 other junk,
| 808,994 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/22
|
| 1,884,703 spam and other junk came from 306,927 unique IP addresses
| (about 6 messages per host).
|
| 1,444,464 spam messages came from 233,545 unique IP addresses
| (about 6 messages per host).
|
| Of the 440,239 other junk,
| 13,354 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/21
|
| 1,769,898 spam and other junk came from 306,127 unique IP addresses
| (about 5 messages per host).
|
| 1,383,499 spam messages came from 231,439 unique IP addresses
| (about 5 messages per host).
|
| Of the 386,399 other junk,
| 15,719 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/20
|
| 1,710,441 spam and other junk came from 297,067 unique IP addresses
| (about 5 messages per host).
|
| 1,355,004 spam messages came from 225,857 unique IP addresses
| (about 5 messages per host).
|
| Of the 355,437 other junk,
| 20,244 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/19
|
| 1,735,368 spam and other junk came from 281,528 unique IP addresses
| (about 6 messages per host).
|
| 1,367,421 spam messages came from 221,424 unique IP addresses
| (about 6 messages per host).
|
| Of the 367,947 other junk,
| 28,097 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/18
|
| 1,265,875 spam and other junk came from 244,449 unique IP addresses
| (about 5 messages per host).
|
| 1,001,064 spam messages came from 189,312 unique IP addresses
| (about 5 messages per host).
|
| Of the 264,811 other junk,
| 40,049 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/17
|
| 1,286,648 spam and other junk came from 260,175 unique IP addresses
| (about 4 messages per host).
|
| 982,048 spam messages came from 193,182 unique IP addresses
| (about 5 messages per host).
|
| Of the 304,600 other junk,
| 48,024 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/16
|
| 1,378,846 spam and other junk came from 267,850 unique IP addresses
| (about 5 messages per host).
|
| 1,009,491 spam messages came from 201,554 unique IP addresses
| (about 5 messages per host).
|
| Of the 369,355 other junk,
| 66,355 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/15
|
| 1,663,446 spam and other junk came from 283,030 unique IP addresses
| (about 5 messages per host).
|
| 1,185,536 spam messages came from 213,651 unique IP addresses
| (about 5 messages per host).
|
| Of the 477,910 other junk,
| 79,870 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/14
|
| 1,567,988 spam and other junk came from 289,094 unique IP addresses
| (about 5 messages per host).
|
| 1,156,018 spam messages came from 220,738 unique IP addresses
| (about 5 messages per host).
|
| Of the 411,970 other junk,
| 103,643 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/13
|
| 1,635,305 spam and other junk came from 307,324 unique IP addresses
| (about 5 messages per host).
|
| 1,129,189 spam messages came from 228,175 unique IP addresses
| (about 4 messages per host).
|
| Of the 506,116 other junk,
| 125,592 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/12
|
| 1,987,493 spam and other junk came from 310,297 unique IP addresses
| (about 6 messages per host).
|
| 1,081,153 spam messages came from 209,488 unique IP addresses
| (about 5 messages per host).
|
| Of the 906,340 other junk,
| 626,920 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/11
|
| 3,494,689 spam and other junk came from 362,917 unique IP addresses
| (about 9 messages per host).
|
| 1,032,101 spam messages came from 212,579 unique IP addresses
| (about 4 messages per host).
|
| Of the 2,462,588 other junk,
| 2,221,177 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/10
|
| 2,845,870 spam and other junk came from 333,139 unique IP addresses
| (about 8 messages per host).
|
| 1,071,179 spam messages came from 199,087 unique IP addresses
| (about 5 messages per host).
|
| Of the 1,774,691 other junk,
| 1,481,728 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/9
|
| 3,788,417 spam and other junk came from 385,627 unique IP addresses
| (about 9 messages per host).
|
| 1,103,195 spam messages came from 218,319 unique IP addresses
| (about 5 messages per host).
|
| Of the 2,685,222 other junk,
| 2,404,150 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/8
|
| 3,365,998 spam and other junk came from 353,895 unique IP addresses
| (about 9 messages per host).
|
| 1,006,467 spam messages came from 202,634 unique IP addresses
| (about 4 messages per host).
|
| Of the 2,359,531 other junk,
| 2,134,948 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/7
|
| 3,434,525 spam and other junk came from 328,424 unique IP addresses
| (about 10 messages per host).
|
| 962,887 spam messages came from 187,854 unique IP addresses
| (about 5 messages per host).
|
| Of the 2,471,638 other junk,
| 2,281,857 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/6
|
| 3,365,600 spam and other junk came from 320,483 unique IP addresses
| (about 10 messages per host).
|
| 1,131,277 spam messages came from 189,093 unique IP addresses
| (about 5 messages per host).
|
| Of the 2,234,323 other junk,
| 2,039,194 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
| --------------------------------------------------
|
| WHERE SPAM AND OTHER JUNK CAME FROM - 2/5
|
| 3,027,266 spam and other junk came from 314,837 unique IP addresses
| (about 9 messages per host).
|
| 1,040,211 spam messages came from 185,441 unique IP addresses
| (about 5 messages per host).
|
| Of the 1,987,055 other junk,
| 1,766,979 were bounces to jra54449 at cs.columbia.edu, an address
| that has never existed (most count as "null to invalid rcpt").
|
| --------------------------------------------------
|
|
|
|
| Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
| community. Confidentiality is essential for effective Internet
| security counter-measures.
|
- --
William Salusky
william.salusky at aol.net
Sr. Technical Security Investigator - AOL Operations Security
703-265-4924 (desk)
703-201-8873 (cell)
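As an added example (not code from either poster), here is a defender-side heuristic for the kind of single-flux answer pasted above: it parses dig-style A records with the bracketed rDNS annotations and counts the usual flux indicators (short TTL, several A records, addresses spread across prefixes, residential-looking reverse names). The sample input is the answer from the post; the TTL threshold and the residential rDNS pattern are assumptions.

```python
import re

# Constructed sample: the dig answer quoted in the post, rDNS in brackets.
SAMPLE = """\
;; ANSWER SECTION:
www.thepromote.com. 595 IN A 67.184.9.34
[c-67-184-9-34.hsd1.il.comcast.net]
www.thepromote.com. 595 IN A 76.30.221.50
[c-76-30-221-50.hsd1.tx.comcast.net]
www.thepromote.com. 595 IN A 24.5.90.125
[c-24-5-90-125.hsd1.ca.comcast.net]
;; AUTHORITY SECTION:
thepromote.com. 172754 IN NS ns1.klaradavai.com.
"""

A_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")
PTR_RE = re.compile(r"^\[([^\]]+)\]$")
# Assumed pattern for residential broadband reverse names (hsd1, dsl, cable, ...).
RESIDENTIAL_RE = re.compile(r"(hsd\d|dsl|cable|dyn|dhcp|pool)", re.I)


def parse_answers(text):
    """Return (ttl, ip, rdns) tuples; a bracketed line attaches to the A record before it."""
    recs = []
    for line in text.splitlines():
        m = A_RE.match(line.strip())
        if m:
            recs.append([int(m.group(2)), m.group(3), None])
            continue
        p = PTR_RE.match(line.strip())
        if p and recs and recs[-1][2] is None:
            recs[-1][2] = p.group(1)
    return [tuple(r) for r in recs]


def flux_indicators(recs, ttl_threshold=900):
    """List the single-flux indicators present; ttl_threshold (seconds) is an assumed cut-off."""
    found = []
    if recs and max(ttl for ttl, _, _ in recs) <= ttl_threshold:
        found.append("short_ttl")
    if len(recs) >= 3:
        found.append("multiple_a")
    # Distinct /16 prefixes: flux nodes are scattered across consumer netblocks.
    if len({tuple(ip.split(".")[:2]) for _, ip, _ in recs}) >= 3:
        found.append("diverse_prefixes")
    residential = sum(1 for _, _, r in recs if r and RESIDENTIAL_RE.search(r))
    if recs and residential * 2 >= len(recs):
        found.append("residential_rdns")
    return found


def likely_flux(text):
    """True when at least three indicators fire; worth a repeat query to see the A set rotate."""
    return len(flux_indicators(parse_answers(text))) >= 3
```

Re-querying after the TTL expires and diffing the returned A set is the confirming step; a static host keeps the same addresses, a flux host rotates them.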