Large File Size Spammers Part 2: A Case Study

Not too long ago we published an article going over the general landscape of large file size spam (http://spamauditor.org/2018/02/large-file-size-spammers/).

In this article we will present a case study identifying a particular hosting provider whose network has been consistently sending out large file size spam. The purpose of this article is to illustrate how some basic observations can be used to identify patterns that can infer and prevent future occurrences of this spam. Admittedly, such patterns can never be used as condemning support for malicious activity. However, at the very least, it should raise a flag for further inspection.

51.255.21.224	x4	commercieopard.net
51.255.21.225	x8	iclide.commercieopard.net
51.255.21.226	x8	sbesn.commercieopard.net
51.255.21.227	x9	caruk.commercieopard.net

54.38.4.96	x29	blueomb.com
54.38.4.97	x18	netsy.blueomb.com
54.38.4.98	x19	nettab.blueomb.com
54.38.4.99	x28	oblag.blueomb.com
54.38.4.100	x14	ohpop.applpeak.com
54.38.4.101	x24	ohoerd.applpeak.com
54.38.4.102	x25	midpc.applpeak.com
54.38.4.103	x29	ohris.applpeak.com
54.38.4.104	x20	grnture.com
54.38.4.105	x23	sangat.grnture.com
54.38.4.106	x21	vedla.grnture.com
54.38.4.107	x23	pop.grnture.com
54.38.4.108	x28	coolource.com
54.38.4.109	x20	caruja.coolource.com
54.38.4.110	x20	frash.coolource.com
54.38.4.111	x21	ratyn.coolource.com

144.217.201.156	x8	majela.awesopak.com
144.217.201.157	x9	propt.awesopak.com

149.56.34.160	x7	buyodels.com
149.56.34.161	x10	pop.buyodels.com
149.56.34.162	x7	physc.buyodels.com
149.56.34.163	x6	egar.buyodels.com
149.56.34.164	x6	khabhi.buyodels.com

176.31.74.248	x10	tlad.heritagdation.com
176.31.74.249	x7	caruk.heritagdation.com
176.31.74.250	x5	highplaounge.net
176.31.74.251	x4	picnet.highplaounge.net


213.32.32.216	x46	hewis.bonueak.com
213.32.32.217	x42	midpit.bonueak.com
213.32.32.218	x86	neezaar.net
213.32.32.219	x37	yoyita.neezaar.net

213.32.39.64	x10	ohris.bridgewdable.net
213.32.39.65	x14	tauton.bridgewdable.net
213.32.39.66	x14	tlad.bridgewdable.net
213.32.39.67	x12	starz.bridgewdable.net
213.32.39.68	x14	midlandlink.net
213.32.39.69	x3	propt.midlandlink.net
213.32.39.70	x7	gcn.midlandlink.net
213.32.39.71	x5	blez.midlandlink.net

The data presented above is just part of a subset of the last 2 months (April-May 2018) of large file size spam that we have detected from this one provider (actually, this type of spam is sent from many hosted networks all over the world). The number after the ‘x’ represents the number of unique ISPs reporting the associated IP as having sent to an excessive number of invalid users (email accounts which do not exist). Some of these IPs may have their PTR records updated by now, while others still contain the ‘throwaway’ domain.

There are some simple patterns that we can observe from the above data:

1) A particular domain usually has multiple IPs associated with it.
2) These IPs are in consecutive order.
3) The block starts with a two-part PTR record (domain.tld); the subsequent IPs carry three-part records (subdomain.domain.tld).
4) These servers are capable of sending email.
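Patterns 1 to 3 can be checked mechanically over a list of PTR observations. The following is an added example, not part of the original article or of any spamauditor.org tooling: it parses rows in the format shown above (a subset of the article's own rows is embedded as constructed sample input), groups them by an approximate registrable domain (last two labels; a real deployment would use a public-suffix list), and reports each group that forms a consecutive IP block together with whether it follows the apex-then-subdomain PTR shape. The function names and the `min_ips` threshold are this example's own choices.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: a subset of the (IP, report count, PTR) rows
# listed in the article. In practice these come from your own rDNS lookups
# or feedback-loop reports.
PTR_OBSERVATIONS = """\
51.255.21.224 x4 commercieopard.net
51.255.21.225 x8 iclide.commercieopard.net
51.255.21.226 x8 sbesn.commercieopard.net
51.255.21.227 x9 caruk.commercieopard.net
54.38.4.96 x29 blueomb.com
54.38.4.97 x18 netsy.blueomb.com
54.38.4.98 x19 nettab.blueomb.com
54.38.4.99 x28 oblag.blueomb.com
54.38.4.100 x14 ohpop.applpeak.com
54.38.4.101 x24 ohoerd.applpeak.com
54.38.4.102 x25 midpc.applpeak.com
54.38.4.103 x29 ohris.applpeak.com
213.32.39.68 x14 midlandlink.net
213.32.39.69 x3 propt.midlandlink.net
213.32.39.70 x7 gcn.midlandlink.net
213.32.39.71 x5 blez.midlandlink.net
"""


def parse_observations(text):
    """Parse 'ip xN ptr' rows into (ip_address, report_count, ptr) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed rows
        ip, count, ptr = parts
        rows.append((ipaddress.ip_address(ip),
                     int(count.lstrip("x")),
                     ptr.lower().rstrip(".")))
    return rows


def registrable_domain(ptr):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix handling (co.uk-style names need a PSL)."""
    return ".".join(ptr.split(".")[-2:])


def cluster_by_domain(rows):
    """Group observations by registrable domain, each group sorted by IP."""
    clusters = defaultdict(list)
    for ip, count, ptr in rows:
        clusters[registrable_domain(ptr)].append((ip, count, ptr))
    for records in clusters.values():
        records.sort(key=lambda r: int(r[0]))
    return dict(clusters)


def analyze_cluster(records):
    """Measure one domain's IPs against patterns 1-3 from the article."""
    ips = [r[0] for r in records]
    ints = [int(ip) for ip in ips]
    # Pattern 2: every IP is exactly one above the previous one.
    consecutive = all(b - a == 1 for a, b in zip(ints, ints[1:]))
    # Pattern 3: lowest IP has a bare two-label PTR, the rest have three or more.
    label_counts = [r[2].count(".") + 1 for r in records]
    apex_first = label_counts[0] == 2 and all(n >= 3 for n in label_counts[1:])
    return {
        "ip_range": f"{ips[0]}-{ips[-1]}",
        "ip_count": len(ips),
        "consecutive": consecutive,
        "label_counts": label_counts,
        "apex_first": apex_first,
        "total_reports": sum(r[1] for r in records),
    }


def flag_suspicious_clusters(text, min_ips=2):
    """Return {domain: analysis} for domains with at least min_ips IPs in one
    consecutive block (patterns 1 and 2); apex_first records pattern 3."""
    flagged = {}
    for domain, records in cluster_by_domain(parse_observations(text)).items():
        analysis = analyze_cluster(records)
        if analysis["ip_count"] >= min_ips and analysis["consecutive"]:
            flagged[domain] = analysis
    return flagged


if __name__ == "__main__":
    for domain, a in sorted(flag_suspicious_clusters(PTR_OBSERVATIONS).items()):
        print(f"{domain:20} {a['ip_range']:30} ips={a['ip_count']} "
              f"apex_first={a['apex_first']} reports={a['total_reports']}")
```

Run on the sample, all four domains come back as consecutive blocks; applpeak.com is reported with `apex_first=False` because every one of its PTRs is a three-label name, which is why pattern 3 is stated as "usually" rather than always. A hosting provider would run the same grouping over newly assigned rDNS entries rather than over third-party reports, and pair the result with the domain age check in points 5 and 6 below.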

Of course, these patterns are not enough to implicate anything, but it is a start. We can take an extra step and see what patterns we can find within the WHOIS records for these domains.

5) All of these domains have the same registrar.
6) All of these domains are fairly new, with registration dates ranging from September 2017 to January 2018.

Side Note:
Speaking of WHOIS in this research, let’s step back briefly and mention something most readers are probably aware of: we now live in a post-GDPR world. What this means is that the above (points 5 and 6) are among the few useful information fields left in this resource.

In the past we might have been able to find patterns in registrant details, such as all the domains sharing the same registrant, address, etc. Of course, this information can be faked, but whether it is authentic does not matter in this case. As long as we see a pattern, it may be another indicator of suspicious activity, however small its significance. For example, it has often been noted that when privatization of registrant details became an option (pre-GDPR), ironically, the main adopters were the spammers themselves. In a pre-GDPR world, if we saw that every one of these domains had privatized registrant information, we could suspect that the registrant had something to hide.

The above 6 points should be enough information for a hosting provider to raise a red flag and inspect the IPs further. They most likely have the historical data to check whether this behavioral pattern (new domains spread across multiple PTR records on mail-capable servers) has, in the past, correlated with malicious behavior. What are the chances that a new domain, with no website or company information, legitimately requires multiple mail servers? Solutions depend on many factors, though that is not something we will touch upon in this article.

As always, it is our opinion that the onus rests on the provider. We have been detecting the exact same activity from this network for a long time, and it seems that nothing has been done on their end even though the pattern is always the same. Our philosophy is that spam should be blocked before it gets a chance to reach any mailboxes. Action after the fact is not enough, especially in a case like this where the pattern of behavior is consistently the same. The hosting provider has more data to work with, which can aid in preventing future occurrences of this activity before it hits tens to hundreds of thousands of mailboxes. Are we to blame the spammers who behave this way, or the hosting providers who seemingly turn a blind eye to this blatant behavior? And what do you do when complaints to a provider go unanswered?

Stay tuned for a series calling out certain hosting providers and asking the pointed questions:

a) Are they profiting from known spamming behavior?
b) Are they simply turning a blind eye?
c) Are they unable to legitimately detect and/or stop this behavior?
d) Is spamming and affiliate email marketing using throwaway domains a legitimate use of IPv4 space (ARIN)?
e) If it is so easy to detect, why is law enforcement not all over the operators?
