Not too long ago we published an article going over the general landscape of large file size spam (http://spamauditor.org/2018/02/large-file-size-spammers/).
In this article we will present a case study identifying a particular hosting provider whose network has been consistently sending out large file size spam. The purpose of this article is to illustrate how some basic observations can be used to identify patterns that help anticipate and prevent future occurrences of this spam. Admittedly, such patterns can never serve as conclusive proof of malicious activity. However, at the very least, they should raise a flag for further inspection.
51.255.21.224 x4 commercieopard.net
51.255.21.225 x8 iclide.commercieopard.net
51.255.21.226 x8 sbesn.commercieopard.net
51.255.21.227 x9 caruk.commercieopard.net
54.38.4.96 x29 blueomb.com
54.38.4.97 x18 netsy.blueomb.com
54.38.4.98 x19 nettab.blueomb.com
54.38.4.99 x28 oblag.blueomb.com
54.38.4.100 x14 ohpop.applpeak.com
54.38.4.101 x24 ohoerd.applpeak.com
54.38.4.102 x25 midpc.applpeak.com
54.38.4.103 x29 ohris.applpeak.com
54.38.4.104 x20 grnture.com
54.38.4.105 x23 sangat.grnture.com
54.38.4.106 x21 vedla.grnture.com
54.38.4.107 x23 pop.grnture.com
54.38.4.108 x28 coolource.com
54.38.4.109 x20 caruja.coolource.com
54.38.4.110 x20 frash.coolource.com
54.38.4.111 x21 ratyn.coolource.com
144.217.201.156 x8 majela.awesopak.com
144.217.201.157 x9 propt.awesopak.com
149.56.34.160 x7 buyodels.com
149.56.34.161 x10 pop.buyodels.com
149.56.34.162 x7 physc.buyodels.com
149.56.34.163 x6 egar.buyodels.com
149.56.34.164 x6 khabhi.buyodels.com
176.31.74.248 x10 tlad.heritagdation.com
176.31.74.249 x7 caruk.heritagdation.com
176.31.74.250 x5 highplaounge.net
176.31.74.251 x4 picnet.highplaounge.net
213.32.32.216 x46 hewis.bonueak.com
213.32.32.217 x42 midpit.bonueak.com
213.32.32.218 x86 neezaar.net
213.32.32.219 x37 yoyita.neezaar.net
213.32.39.64 x10 ohris.bridgewdable.net
213.32.39.65 x14 tauton.bridgewdable.net
213.32.39.66 x14 tlad.bridgewdable.net
213.32.39.67 x12 starz.bridgewdable.net
213.32.39.68 x14 midlandlink.net
213.32.39.69 x3 propt.midlandlink.net
213.32.39.70 x7 gcn.midlandlink.net
213.32.39.71 x5 blez.midlandlink.net
The data presented above is just part of a subset of the last 2 months (April-May 2018) of large file size spam that we have detected from this one provider (actually, this type of spam is sent from many hosted networks all over the world). The number after the ‘x’ represents the number of unique ISPs reporting the associated IP as having sent to an excessive number of invalid users (email accounts which do not exist). Some of these IPs may have their PTR records updated by now, while others still contain the ‘throwaway’ domain.
There are some simple patterns that we can observe from the above data:
1) A particular domain usually has multiple IPs associated with it.
2) These multiple IPs are in consecutive order.
3) The run starts with a 2-part PTR record (domain.tld); subsequent IPs have 3-part records (subdomain.domain.tld).
4) These servers are capable of sending email.
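Patterns 1 to 3 can be checked mechanically. The sketch below is an added example, not code from the original article: it groups PTR records by domain and reports runs of consecutive IPs, noting whether each run starts on the bare domain. The rows are copied from the listing above except for one constructed control row; taking the last two labels as the registered domain is a simplifying assumption, and pattern 4 (mail capability) is not tested.

```python
import ipaddress
from collections import defaultdict

# Rows copied from the listing on this page: (IP, reporting-ISP count, PTR).
SAMPLE = [
    ("54.38.4.96", 29, "blueomb.com"),
    ("54.38.4.97", 18, "netsy.blueomb.com"),
    ("54.38.4.98", 19, "nettab.blueomb.com"),
    ("54.38.4.99", 28, "oblag.blueomb.com"),
    ("176.31.74.250", 5, "highplaounge.net"),
    ("176.31.74.251", 4, "picnet.highplaounge.net"),
    ("144.217.201.156", 8, "majela.awesopak.com"),
    ("144.217.201.157", 9, "propt.awesopak.com"),
    ("192.0.2.10", 0, "mail.example.org"),  # constructed control row
]

def registered_domain(ptr):
    # Assumption: last two labels. Production code should use the Public Suffix List.
    return ".".join(ptr.rstrip(".").lower().split(".")[-2:])

def find_runs(rows, min_len=2):
    """Return runs of consecutive IPs whose PTRs share one registered domain."""
    by_domain = defaultdict(list)
    for ip, _reports, ptr in rows:
        by_domain[registered_domain(ptr)].append(
            (int(ipaddress.ip_address(ip)), ip, ptr.lower()))
    findings = []
    for domain, hosts in by_domain.items():
        hosts.sort()
        run = [hosts[0]]
        for host in hosts[1:] + [None]:  # trailing None flushes the last run
            if host is not None and host[0] == run[-1][0] + 1:
                run.append(host)
                continue
            if len(run) >= min_len:
                findings.append({
                    "domain": domain,
                    "first_ip": run[0][1],
                    "length": len(run),
                    # Pattern 3: bare domain first, subdomains on the rest.
                    "apex_then_subs": run[0][2] == domain
                        and all(h[2] != domain for h in run[1:]),
                })
            if host is not None:
                run = [host]
    return sorted(findings, key=lambda f: f["domain"])
```

A run that does not start on the bare domain, such as the awesopak.com pair, is still reported; `apex_then_subs` only records whether pattern 3 held for that run.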
Of course, these patterns are not enough to implicate anything, but it is a start. We can take an extra step and see what patterns we can find within the WHOIS records for these domains.
5) All of these domains have the same registrar.
6) All of these domains are fairly new, with a registration date ranging from Sept 2017 to Jan 2018.
Side Note:
Speaking of WHOIS in this research, let's take a small step back and mention something most readers are probably aware of: we now live in a post-GDPR world. What this means is that the above (points 5 and 6) are among the few useful information fields left from this resource.
In the past we may have been able to find patterns in registrant details, such as all the domains having the same registrant, address, etc. Of course, this information can be faked, but whether the information is authentic or not does not matter in this case. As long as we see a pattern, it may be another indicator of suspicious activity, regardless of it being of small significance or not. For example, it has been mentioned quite often that when the privatization of registrant details became an option (pre-GDPR), ironically, the main adopters were the Spammers themselves. In a pre-GDPR world, if we were to see that every one of these domains had privatized registrant information, we could suspect that the registrant had something to hide.
The above 6 points should be enough information for a hosting provider to raise a red flag and inspect the IPs further. They most likely have the data to see whether similar behavioral patterns in the past (namely, new domains across multiple PTR records with mail servers) have a high probability of malicious behavior. What are the chances that a new domain, with no website or company information, requires multiple mail servers for a legitimate use? Solutions depend on many factors, though it is not something we will touch upon in this article.
As always, it is our opinion that the onus rests on the provider. We have been detecting the exact same activity from this network for a long time, and it seems like nothing has been done on their end even though the pattern is always the same. Our philosophy is that spam should be blocked before it gets a chance to reach any mailboxes. Action after the fact is not enough, especially in a case like this when the pattern of behavior is consistently the same. The hosting provider has more data to work with, which can aid in preventing future occurrences of this activity before it hits tens to hundreds of thousands of mailboxes. Are we to blame the Spammers who behave this way, or the hosting providers who seemingly turn a blind eye to this blatant behavior? And what do you do when complaints to a provider go unanswered?
Stay tuned for a series on calling out certain hosting providers, and asking the pointed questions…
a) Are they profiting from known spamming behavior?
b) Are they simply turning a blind eye?
c) Are they unable to legitimately detect and/or stop this behavior?
d) Is spamming, affiliate email marketing, using throwaway domains a legitimate use of IPv4 space (ARIN)?
e) If it is so easy to detect, why is law enforcement not all over the operators?
