Home > InfoSec > Quick and dirty spam analysis

Quick and dirty spam analysis

2009/04/26

I don’t normal bother with analysing spam, however two received yesterday caught my attention. Mostly they were noticeable as they avoided my usually bulletproof filters.

Both spam emails are similar in subject, content, and sending options. Sender address was spoofed (surprise, surprise) in this case I supposedly sent the email myself, from the same account as the destination. This is a technique that I’ve started seeing more frequently, I’m assuming that this is to bypass sender white/black-lists.

Content is a single line, ultimately linking to a ‘medication’ sales site. (hxxp://plfctqvlam.wipvoqen.cn/ and hxxp://sbuih.gukceyiq.cn/ [Standard Disclaimer: Links may be nasty, don’t blame me if they do nasty things to your machines]). Fortunately, or unfortunately depending on your point of view, Wepawet analysis states the sites are benign so no interesting samples for further analysis.

As expected both URLs are linked, being hosted on the same 3 IP addresses: 58.17.3.44, 58.20.140.5 and 220.248.167.126 [same disclaimer as above]. Whois records show that the IP addresses belong to separate organisations, but ultimately all IP addresses are allocated by “China Unicom Hunan provincial network”, AS9929.

Nothing groundbreaking in any of this, just a (slightly) interesting way to kill 30 minutes on a sleepy Sunday afternoon.

Andrew Waite

Update (2009/04/28): Spam run is still continuing and still making it’s way through filters, but it appears to be changing tact, unsurprisingly, to take advantage of recent Swine flu concerns. Last email body “Swine flu coming? We know how to protect you from it hxxp://osdns.hencedix.cn/” Usual warning and disclaimers apply

Update 2 (2009/04/29): Looks like a wide spread spam run, Malware City have just posted some analysis on the same emails.

Update 3 (2009/04/29): Great write-up by Dancho Danchev on his blog (more domains than I’ve seen personally). Also include a nice diagram of the DNS/server infrastructure in use, nice work Dancho.

Advertisements
Categories: InfoSec
%d bloggers like this: