Not too long ago we published an article going over the general landscape of large file size spam (http://spamauditor.org/2018/02/large-file-size-spammers/).
In this article we present a case study identifying a particular hosting provider whose network has been consistently sending out large file size spam. The purpose is to illustrate how some basic observations can be used to identify patterns that help predict and prevent future occurrences of this spam. Admittedly, such patterns can never be used as conclusive proof of malicious activity. However, at the very least, they should raise a flag for further inspection.
IP address       Reports   PTR record
126.96.36.199    x4        commercieopard.net
188.8.131.52     x8        iclide.commercieopard.net
184.108.40.206   x8        sbesn.commercieopard.net
220.127.116.11   x9        caruk.commercieopard.net
18.104.22.168    x29       blueomb.com
22.214.171.124   x18       netsy.blueomb.com
126.96.36.199    x19       nettab.blueomb.com
188.8.131.52     x28       oblag.blueomb.com
184.108.40.206   x14       ohpop.applpeak.com
220.127.116.11   x24       ohoerd.applpeak.com
18.104.22.168    x25       midpc.applpeak.com
22.214.171.124   x29       ohris.applpeak.com
126.96.36.199    x20       grnture.com
188.8.131.52     x23       sangat.grnture.com
184.108.40.206   x21       vedla.grnture.com
220.127.116.11   x23       pop.grnture.com
18.104.22.168    x28       coolource.com
22.214.171.124   x20       caruja.coolource.com
126.96.36.199    x20       frash.coolource.com
188.8.131.52     x21       ratyn.coolource.com
184.108.40.206   x8        majela.awesopak.com
220.127.116.11   x9        propt.awesopak.com
18.104.22.168    x7        buyodels.com
22.214.171.124   x10       pop.buyodels.com
126.96.36.199    x7        physc.buyodels.com
188.8.131.52     x6        egar.buyodels.com
184.108.40.206   x6        khabhi.buyodels.com
220.127.116.11   x10       tlad.heritagdation.com
18.104.22.168    x7        caruk.heritagdation.com
22.214.171.124   x5        highplaounge.net
126.96.36.199    x4        picnet.highplaounge.net
188.8.131.52     x46       hewis.bonueak.com
184.108.40.206   x42       midpit.bonueak.com
220.127.116.11   x86       neezaar.net
18.104.22.168    x37       yoyita.neezaar.net
22.214.171.124   x10       ohris.bridgewdable.net
126.96.36.199    x14       tauton.bridgewdable.net
188.8.131.52     x14       tlad.bridgewdable.net
184.108.40.206   x12       starz.bridgewdable.net
220.127.116.11   x14       midlandlink.net
18.104.22.168    x3        propt.midlandlink.net
22.214.171.124   x7        gcn.midlandlink.net
126.96.36.199    x5        blez.midlandlink.net
The data presented above is a subset of the last 2 months (April-May 2018) of large file size spam that we have detected from this one provider (in practice, this type of spam is sent from many hosted networks all over the world). The number after the ‘x’ represents the number of unique ISPs reporting the associated IP as having sent to an excessive number of invalid users (email accounts which do not exist). Some of these IPs may have had their PTR records updated by now, while others still carry the ‘throwaway’ domain.
There are some simple patterns that we can observe from the above data:
1) A particular domain usually has multiple IPs associated with it.
2) These multiple IPs are in consecutive order.
3) The first IP has a 2 part PTR record (domain.tld); the subsequent IPs have 3 part records (subdomain.domain.tld).
4) These servers are capable of sending email.
Of course, these patterns are not enough to implicate anything, but it is a start. We can take an extra step and see what patterns we can find within the WHOIS records for these domains.
5) All of these domains have the same registrar.
6) All of these domains are fairly new, with registration dates ranging from September 2017 to January 2018.
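As an added illustration (not code from the article), the following Python applies patterns 1 to 3 to a listing in the same ‘IP xN PTR’ format, which is the check a provider could run over its own PTR records. The addresses and the example.org/example.net hosts in the sample are constructed; the commercieopard.net names come from the listing above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the article's "IP xN PTR" format (not the article's own
# listing); the addresses are RFC 5737 documentation ranges.
SAMPLE = """\
198.51.100.10 x4 commercieopard.net
198.51.100.11 x8 iclide.commercieopard.net
198.51.100.12 x8 sbesn.commercieopard.net
198.51.100.13 x9 caruk.commercieopard.net
203.0.113.40 x2 mail.example.org
203.0.113.77 x1 smtp.example.org
203.0.113.90 x1 mx.example.net
"""

def parse(text):
    """Parse 'IP xN ptr' lines into (IPv4Address, report_count, ptr) tuples."""
    rows = []
    for line in text.splitlines():
        ip, count, ptr = line.split()
        rows.append((ipaddress.ip_address(ip), int(count.lstrip("x")), ptr.lower().rstrip(".")))
    return rows

def registered_domain(ptr):
    # Naive "last two labels" rule; adequate for the .com/.net PTRs in the article.
    return ".".join(ptr.split(".")[-2:])

def flag_groups(rows, min_ips=2):
    """Map each domain seen on at least min_ips sending IPs to the patterns it matches."""
    by_domain = defaultdict(list)
    for ip, count, ptr in rows:
        by_domain[registered_domain(ptr)].append((ip, count, ptr))
    flagged = {}
    for domain, entries in by_domain.items():
        if len(entries) < min_ips:          # pattern 1: several IPs share one domain
            continue
        entries.sort()                      # ascending IP order
        ips = [e[0] for e in entries]
        ptrs = [e[2] for e in entries]
        reasons = ["multiple IPs"]
        # Pattern 2: every IP is exactly one above the previous one.
        if all(int(b) - int(a) == 1 for a, b in zip(ips, ips[1:])):
            reasons.append("consecutive IPs")
        # Pattern 3: lowest IP carries the bare domain.tld, the rest subdomain.domain.tld.
        if ptrs[0] == domain and all(p.endswith("." + domain) for p in ptrs[1:]):
            reasons.append("domain.tld then subdomain.domain.tld PTRs")
        flagged[domain] = {"reports": sum(e[1] for e in entries), "reasons": reasons}
    return flagged
```

A group matching all three patterns (commercieopard.net in the sample) is the case worth pulling for inspection; example.org only shares a domain across two non-adjacent IPs and is reported with the weaker single reason.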
Speaking of WHOIS in this research, let’s take a small step back and mention something most readers are probably aware of: we now live in a post-GDPR world. What this means is that the registrar and the registration date (points 5 and 6 above) are among the few useful information fields left in this resource.
In the past we may have been able to find patterns in registrant details, such as all the domains having the same registrant, address, etc. Of course, this information can be faked, but whether the information is authentic or not does not matter in this case. As long as we see a pattern, it may be another indicator of suspicious activity, however small its significance. For example, it has been mentioned quite often that when the privatization of registrant details became an option (pre-GDPR), ironically, the main adopters were the Spammers themselves. In a pre-GDPR world, if we were to see that every one of these domains had privatized registrant information, we could suspect that the registrant had something to hide.
The above 6 points should be enough information for a hosting provider to raise a red flag and inspect the IPs further. They most likely have the data to see whether similar behavioral patterns in the past (namely, new domains across multiple PTR records with mail servers) have a high probability of malicious behavior. What are the chances that a new domain, with no website or company information, requires multiple mail servers for a legitimate use? Solutions depend on many factors, though it is not something we will touch upon in this article.
As always, it is our opinion that the onus rests on the provider. We have been detecting the exact same activity from this network for a long time, and it seems like nothing has been done on their end even though the pattern is always the same. Our philosophy is that spam should be blocked before it gets a chance to reach any mail boxes. Action after the fact is not enough, especially in a case like this when the pattern of behavior is consistently the same. The hosting provider has more data to work with, which can aid in preventing future occurrences of this activity before it hits the tens to hundreds of thousands of mail boxes. Are we to blame the Spammers who behave this way, or the hosting providers who seemingly turn a blind eye to this blatant behavior? And what do you do when complaints to a provider go unanswered?
Stay tuned for a series on calling out certain hosting providers, and asking the pointed questions…
a) Are they profiting from known spamming behavior?
b) Are they simply turning a blind eye?
c) Are they unable to legitimately detect and/or stop this behavior?
d) Is spamming, or affiliate email marketing using throwaway domains, a legitimate use of IPv4 space (ARIN)?
e) If it is so easy to detect, why is law enforcement not all over the operators?