Who and where are the bad guys?
The Cloud is clouding the issue of spam sources
Spam is nothing new and neither are large blasts of spam but the large blasts we are seeing lately appear to be a related stream with the same or similar batches of subject lines, content and links.
The frustrating part for us is the originating range of IP addresses. We currently block more email than we deliver and jump on new spammers as fast as we can identify them. We also try to be very careful to not block ranges indiscriminately and make every attempt possible to contact abuse contacts when we see something fishy. Ironically sending email to abuse contacts frequently initiates more abuse (noted when we see a whole new batch of spam from the same provider).
Another trend is infected machines on business class DSL services. If your connection to the internet is via a cable provider I would urge you to check with your service provider for specific settings (SMTP) you may use for outgoing mail.
Who is responsible for the flooding of junk and hazards filling up inboxes?
Tracking bad email back to the source is not terribly straight forward and it can be very time consuming!
TLD Pollution
According to The SpamHaus Project
This is not a list of the worst TLDs in quantity, several other TLDs have far more spam domains, but they also have vastly more non-spam domains. This list shows the ratio of domains seen by the systems at Spamhaus versus the domains our systems profile as spamming or being used for botnet or malware abuse. This is also not a list that retains a long history, it is a one-month “snapshot” of our current view.
| The 10 Worst Top Level Domains |
| As of 30 April 2016 the TLDs with the worst reputations for spam operations are: |
|
1
|
.work | 74.4% bad domains |
|
2
|
.poker | 70.4% bad domains |
|
3
|
.click | 69.7% bad domains |
|
4
|
.link | 64.5% bad domains |
|
5
|
.download | 61.6% bad domains |
|
6
|
.ml | 61.5% bad domains |
|
7
|
.kim | 58.3% bad domains |
|
8
|
.faith | 58.3% bad domains |
|
9
|
.gq | 53.7% bad domains |
|
10
|
.ga | 53.6% bad domains |
The trend I am seeing in TLD abuse
The statistics from SpamHaus differ from what I am seeing. The worst offenders I have noted in the first quarter of 2016 are:
- .xyz
- .top
- .science
The domains that are registered to these tlds are predominately throw away meaningless no-value domains.
Last night a single honeypot address received 34 emails between 10:44 pm and 11:46 pm from the range 198.105.166.*
An example from last night:
Subject: Attn: Use your Walgreens $50 reward
sent from: bajaiur28.gsehose.top> [198.105.166.61]
Another in the same range:
Subject: What Will You Buy with Your $50-Amazon Voucher?
sent from: zaii7wiua.aremove.top ([198.105.166.59]
Another in the same range:
Subject: Do you or a loved one need help with alcohol addiction?
sent from:loeucgh5n.asqueak.top ([198.105.166.58]
Another in the same range:
Subject: Find the Confidence You Deserve - Breast Implants Options
sent from: ueio33xmv.aforged.top ([198.105.166.57]
The geo location of this IP range is Fremont, California, in the United States. But the details on the subnet say this is assigned to someone in China:
NetRange: 198.105.166.32 - 198.105.166.63
CIDR: 198.105.166.32/27
NetName: SERVERYOU-NET-LAX
NetHandle: NET-198-105-166-32-1
Parent: SY-LA-3 (NET-198-105-160-0-1)
NetType: Reassigned
OriginAS: AS11282
Customer: YeZheng (C04862551)
RegDate: 2014-02-02
Updated: 2014-02-02
Ref: http://whois.arin.net/rest/net/NET-198-105-166-32-1
CustName: YeZheng
Address: AnXinSanDaoJie 20Hao 4Dong 12Men 302Shi
City: HaErBinShi
StateProv: HEILONGJIANG
PostalCode: 150016
Country: CN
RegDate: 2014-02-02
Updated: 2014-02-02
What country is it really coming from?
On 4/29/2016 the email below came from Fremont California – or China – or did it?
Subject: Do you or a loved one need help with alcohol addiction?
sent from:loeucgh5n.asqueak.top ([198.105.166.58]
Link to: http://onlyhere.asqueak.top/visitnow
A record: 104.18.33.221
Reported by duke.ns.cloudflare.com on 4/30/2016
On 4/28/2016 the very same (content, subject line and images) email below came from an IP address with a geo location in Germany
ama57ceyi.cxraxle.top (static.88-198-196-73.clients.your-server.de [88.198.196.73])
Link to: http://actnow.cxraxle.top/greatdeals
A record: 104.27.137.74
Reported by zara.ns.cloudflare.com on 4/30/2016
The GEO Location of the range where the link point: San Francisco, California
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS13335
Organization: CloudFlare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2015-10-01
Comment: https://www.cloudflare.com
Ref: https://whois.arin.net/rest/net/NET-104-16-0-0-1
But wait – who owns these domains?
Could the bad guys be girls?
Bulgaria?
Whois lookup for: cxraxle.top
Registrant Name: Jacynthe Losique
Domain Name: cxraxle.top
Domain ID: D20160429G10001G_64744009-TOP
WHOIS Server: whois.alpnames.com
Referral URL: http://www.alpnames.com
Updated Date: 2016-04-29T00:11:00Z
Creation Date: 2016-04-28T23:20:38Z
Registry Expiry Date: 2017-04-28T23:20:38Z
Sponsoring Registrar: Alpnames Limited
Sponsoring Registrar IANA ID: 1857
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://www.icann.org/epp#addPeriod
Registrant ID: alp_53647319
Registrant Name: Jacynthe Losique
Registrant Organization: N/A
Registrant Street: 12
Registrant City: Petar Beron Str
Registrant State/Province: Sofija
Registrant Postal Code: 1142
Registrant Country: BG
Registrant Phone: +359.24219054
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jacynthe234@aol.com
Admin ID: alp_53647319
Admin Name: Jacynthe Losique
Admin Organization: N/A
Admin Street: 12
Admin City: Petar Beron Str
Admin State/Province: Sofija
Admin Postal Code: 1142
Admin Country: BG
Admin Phone: +359.24219054
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: jacynthe234@aol.com
Tech ID: alp_53647319
Tech Name: Jacynthe Losique
Tech Organization: N/A
Tech Street: 12
Tech City: Petar Beron Str
Tech State/Province: Sofija
Tech Postal Code: 1142
Tech Country: BG
Tech Phone: +359.24219054
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: jacynthe234@aol.com
Name Server: zara.ns.cloudflare.com
Name Server: jerry.ns.cloudflare.com
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-04-30T18:31:51Z <<<
Poland?
Whois lookup for: asqueak.top
Registrant Name: Christina Labelle
Domain Name: asqueak.top
Domain ID: D20160430G10001G_64825611-TOP
WHOIS Server: whois.alpnames.com
Referral URL: http://www.alpnames.com
Updated Date: 2016-04-30T00:50:25Z
Creation Date: 2016-04-29T23:39:50Z
Registry Expiry Date: 2017-04-29T23:39:50Z
Sponsoring Registrar: Alpnames Limited
Sponsoring Registrar IANA ID: 1857
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://www.icann.org/epp#addPeriod
Registrant ID: alp_53625200
Registrant Name: Christina Labelle
Registrant Organization: N/A
Registrant Street: 20
Registrant City: Walicow
Registrant State/Province: Warazawa
Registrant Postal Code: 00-865
Registrant Country: PL
Registrant Phone: +48.228901623
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: christina3558@aol.com
Admin ID: alp_53625200
Admin Name: Christina Labelle
Admin Organization: N/A
Admin Street: 20
Admin City: Walicow
Admin State/Province: Warazawa
Admin Postal Code: 00-865
Admin Country: PL
Admin Phone: +48.228901623
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: christina3558@aol.com
Tech ID: alp_53625200
Tech Name: Christina Labelle
Tech Organization: N/A
Tech Street: 20
Tech City: Walicow
Tech State/Province: Warazawa
Tech Postal Code: 00-865
Tech Country: PL
Tech Phone: +48.228901623
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: christina3558@aol.com
Name Server: uma.ns.cloudflare.com
Name Server: duke.ns.cloudflare.com
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-04-30T18:31:51Z <<<
Who should be held responsible?
- The person who owes to domains?
- The company hosting email services?
- The company hosting the websites?
The era of “Cloud Computing” has opened the doors wider for unscrupulous behavior
Not long ago it would have taken a person with some skill to set up a circuitous route like the one outlined above, but with the plug and play cloud computing era and user interfaces that allows anyone with a creditcard to “set up” a virtual private server – anyone could do it from anywhere.
The end host for the example above is company in San Francisco called Cloudflare. One of their featured services is a CDN (Content Delivery Network) service.
What Cloudflare says about the service they offer.
Fast, Global Content Delivery Network
We’ve built the next-generation CDN
CloudFlare designed its CDN (Content Delivery Network) without the legacy of the last 15 years. Our proprietary technology takes advantage of recent changes to hardware, web server technology and network routing. In other words, we’ve built the next-generation CDN. The result is a CDN that is easier to setup, more affordable, and performs better than any legacy CDN you’ve tried before.
(from: https://www.cloudflare.com/features-cdn/)
Oh joy! Faster more globally distributed spam operations!
UPDATE May 2 2016
I just blocked another range from the Netherlands –
inetnum: 89.248.162.128 - 89.248.162.255
netname: SC-QUASI9 descr: QUASI country: SC
That is where the email is coming from – but the links in the emails all resolve back to Cloudflare:
NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS13335
Organization: CloudFlare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2015-10-01
Comment: https://www.cloudflare.com
Ref: https://whois.arin.net/rest/net/NET-104-16-0-0-1
UPDATE: 5/11/2016
We have blocked mail from the following servers all the emails link back to Cloudflare IP ranges:
- HIvelocity florida (Cloudflare links) 2016-05-09 mail from: 66.232.96.0-66.232.127.255
- peru massive blast .top and Cloudflare links 2016-05-11 mail from: 138.185.116.0/22
- UA – Ukraine spam (Links resolve to Cloudflare range) 2016-05-08 mail from: 46.148.19.0/24
- SERVERYOU INC spammers using cdn to cloudflare sites 2016-04-30 mail from: 198.15.128.0-198.15.255.255
- Spammers in range at SERVERYOU (Links resolve to Cloudflare range) 2016-04-30 mail from: 198.105.166.0/24
- Spammers at Enzu (Cloudflare links) 2016-05-11 mail from: 23.244.230.0/24
- GB iomart Hosting Limited (Cloudflare links) 2016-05-09 mail from: 212.84.163.0-212.84.163.255
- german (cloudflare links) 2016-05-03 mail from: 176.9.242.224-176.9.242.239
- Russian relay through netherlands (cloudflare links) 2016-05-03 mail from: 5.39.217.129-5.39.217.255
- DE Hetzner is a spammy provider (cloudflare links) 2016-05-03 mail from: 85.10.235.96-85.10.235.111
spammers at Forked (cloudflare links) 2016-05-13 NetRange: 199.30.64.0 – 199.30.67.255 CIDR: 199.30.64.0/22 NetName: FORK-NETWORKING
Domain name: reciperecipe.science
Status: registered
Domain nameservers: stan.ns.cloudflare.com adrian.ns.cloudflare.com
Spam blast includes the following – Fork allows the spam – the links are all to Cloudflare IP addresses:
- ip=199.30.65.150 rdns= helo=ve2azuiko.reciperecipe.science
- ip=199.30.65.152 rdns= helo=tcazuoile.haircutstyle.science
Email From: ip=199.30.65.150 rdns= helo=ve2azuiko.reciperecipe.science (fork range) Links to: startit.reciperecipe.science – resolves to 104.27.151.105 (cloudflare range)
I could go on and on – but I don’t have time – 31 emails in a 20 minute span to user
The responsibility should be at every level (in my opinion)
Unfortunately the hosting industry is mimicking wall street. Microsoft and Google are the “too big to fail” – or in this case – too big to give a flying whatever about any inboxes other than their own, and Amazon in cutting a close third.
Both Microsoft and Google make reporting spammers FROM their servers a painful and seemingly fruitless endeavor. BOTH companies COULD do something but they choose not to.
Is it any wonder that with role models like that in our industry that smaller companies simply cannot afford to police bad behavior to the degree they might like to?
New-ish – but not new
https://en.wikipedia.org/wiki/History_of_email_spam
According to Brad Templeton, founder of ClariNet Communication Corporation, the first business on the Internet, the first email spam was from 1978, and was sent out to all users on ARPANET (several hundred users). It was an ad for a presentation by Digital Equipment Corporation. It was not until 1993 that a USENET posting was called “spam.” In an attempt to implement a retro-moderation system that allowed posts to be deleted after they had been posted, Richard Depew accidentally created a monster. His software, ARMM, had a bug in it which caused it to post 200 messages to news.admin.policy. Readers of this group were making jokes about the accident, one person referring to the incident as “spamming.”
There is a decent article about cloudflare from 2014:
http://tacit.livejournal.com/595116.html
Ok – end of my rant for the day – I have to go track down some spammers….
