Not too long ago we published an article going over the general landscape of large file size spam (http://spamauditor.org/2018/02/large-file-size-spammers/).
In this article we will present a case study identifying a particular hosting provider whose network has been consistently sending out large file size spam. The purpose of this article is to illustrate how some basic observations can be used to identify patterns that can infer and prevent future occurrences of this spam. Admittedly, such patterns can never be used as condemning support for malicious activity. However, at the very least, it should raise a flag for further inspection.
188.8.131.52 x4 commercieopard.net 184.108.40.206 x8 iclide.commercieopard.net 220.127.116.11 x8 sbesn.commercieopard.net 18.104.22.168 x9 caruk.commercieopard.net 22.214.171.124 x29 blueomb.com 126.96.36.199 x18 netsy.blueomb.com 188.8.131.52 x19 nettab.blueomb.com 184.108.40.206 x28 oblag.blueomb.com 220.127.116.11 x14 ohpop.applpeak.com 18.104.22.168 x24 ohoerd.applpeak.com 22.214.171.124 x25 midpc.applpeak.com 126.96.36.199 x29 ohris.applpeak.com 188.8.131.52 x20 grnture.com 184.108.40.206 x23 sangat.grnture.com 220.127.116.11 x21 vedla.grnture.com 18.104.22.168 x23 pop.grnture.com 22.214.171.124 x28 coolource.com 126.96.36.199 x20 caruja.coolource.com 188.8.131.52 x20 frash.coolource.com 184.108.40.206 x21 ratyn.coolource.com 220.127.116.11 x8 majela.awesopak.com 18.104.22.168 x9 propt.awesopak.com 22.214.171.124 x7 buyodels.com 126.96.36.199 x10 pop.buyodels.com 188.8.131.52 x7 physc.buyodels.com 184.108.40.206 x6 egar.buyodels.com 220.127.116.11 x6 khabhi.buyodels.com 18.104.22.168 x10 tlad.heritagdation.com 22.214.171.124 x7 caruk.heritagdation.com 126.96.36.199 x5 highplaounge.net 188.8.131.52 x4 picnet.highplaounge.net 184.108.40.206 x46 hewis.bonueak.com 220.127.116.11 x42 midpit.bonueak.com 18.104.22.168 x86 neezaar.net 22.214.171.124 x37 yoyita.neezaar.net 126.96.36.199 x10 ohris.bridgewdable.net 188.8.131.52 x14 tauton.bridgewdable.net 184.108.40.206 x14 tlad.bridgewdable.net 220.127.116.11 x12 starz.bridgewdable.net 18.104.22.168 x14 midlandlink.net 22.214.171.124 x3 propt.midlandlink.net 126.96.36.199 x7 gcn.midlandlink.net 188.8.131.52 x5 blez.midlandlink.net
The data presented above is just part of a subset of the last 2 months (April-May 2018) of large file size spam that we have detected from this one provider (actually, this type of spam is sent from many hosted networks all over the world). The number after the ‘x’ represents the number of unique ISPs reporting the associated IP as having sent to an excessive number of invalid users (email accounts which do not exist). Some of these IPs may have their PTR records updated by now, while others still contain the ‘throwaway’ domain.
There are some simple patterns that we can observe from the above data:
1) A particular domain usually has multiple IPs associated with with it.
2) These multiple IPs are in consecutive order.
3) It starts with a 2 part PTR record (domain.tld), subsequent IPs are 3 part (subdomain.domain.tld).
4) These servers are capable of sending email.
Of course, these patterns are not enough to implicate anything, but it is a start. We can take an extra step and see what patterns we can find within the WHOIS records for these domains.
5) All of these domains have the same registrar.
6) All of these domains are fairly new, with a registration date ranging from Sept2017 to Jan2018.
Speaking of WHOIS in this reasearch, let’s take a small step back and mention something most readers are probably aware of; that is, we now live in a post-GDPR world. What this means is that the above (points 5 and 6) are the few useful information fields left from this resource.
In the past we may have been able to find patterns in registrant details, such as all the domains having the same registrant, address, etc. Of course, this information can be faked, but whether the information is authentic or not does not matter in this case. As long as we see a pattern it may be another indicator of suspicious activity, regardless of it being of small significance or not. For example, it has been mentioned quite often that when the privatization of registrant details became an option (pre-GDPR), ironically, the main adopters were the Spammers themselves. In a pre-GDPR world, if we were to see that every one of these domains had privatized registrant information, we can suspect that the registrant has something to hide.
The above 6 points should be enough information for a hosting provider to raise a red flag and inspect the IPs further. They most likely have the data to see whether similar behavioral patterns in the past (namely, new domains across multiple PTR records with mail servers) have a high probability of malicious behavior. What are the chances that a new domain, with no website or company information, requires multiple mail servers for a legitimate use? Solutions depend on many factors, though it is not something we will touch upon in this article.
As always, it is our opinion that the onus rests on the provider. We have been detecting the exact same activity from this network for a long time, and it seems like nothing has been done on their end even though the pattern is always the same. Our philosophy is that spam should be blocked before it gets a chance to reach any mail boxes. Action after the fact is not enough, especially in a case like this when the pattern of behavior is consistently the same. The hosting provider has more data to work with, which can aid in preventing future occurrences of this activity before it hits the tens to hundreds of thousands of mail boxes. Are we to blame the Spammers who behave this way, or the hosting providers who seemingly turn a blind eye to this blatant behavior? And what do you do when complaints to a provider go unanswered.
Stay tuned for a series on calling out certain hosting providers, and asking the pointed questions…
a) Are they profiting from known spamming behavior?
b) Are they simply turning a blind eye?
c) Are they unable to legitimately detect and/or stop this behavior?
d) Is spamming, affiliate email marketing, using throwaway domains a legitimate use of IPv4 space (ARIN)?
e) If it is so easy to detect, why is law enforcement not all over the operators?