The SPAM
So I don't normally see the direct effects of these kinds of attacks as the company I work for is small. But we do see the secondary and tertiary effects of this in the form of SPAM.Our company gets well over 2,000 emails a day, 1,500 of them are SPAM! Most the time my filters block most of these emails, via blacklisting and some content filtering. But after this most recent attack I started seeing a new breed of SPAM. It was walking right through all my filters and took it WEEKS to get black listed. Below is an example of this new SPAM:
Return-Path: <PeterGarcia@cc34b8f738cc4489fda151ad551de4.sortut.com> X-Original-To: ME Delivered-To: ME Received: from cc34b8f738cc4489fda151ad551de4.sortut.com (cc34b8f738cc4489fda151ad551de4.sortut.com [37.156.202.220]) by ME.MAIL.localhost (ME.MAIL.localhost) with ESMTP id 72A6224FDA for <ME>; Thu, 18 Sep 2014 16:36:53 -0700 (PDT) Message-ID: <Peter.2ac7115c98f53c458ff0cd5b87345e2c@cc34b8f738cc4489fda151ad551de4.sortut.com> From: Blood Sugar Discovery <Peter@sortut.com> To: <ME> Date: Thu, 18 Sep 2014 16:39:54 -0700 Subject: Info released - 9/18 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 Notice - Jeremiahp Diabetes Cure Alert - Begin Notice - ------------------------------------------------ Regain control of Blood Sugar levels. - Scientifically Proven - Turn-around of 3 weeks ------------------------------------------------ Exposed Remedy -> http://www.sortut.com/psa/video/released/dia/assoc.html - End Notice - View Doctor Report: http://www.sortut.com/psa/video/released/dia/assoc.html stop further diabetes notices - http://www.sortut.com/68i/werg/ju76/wt.sert32 or write - TGI Services 1324 Swan Drive_Bartlesville, Oklahoma 7 4 0 0 6 I've changed the solenoid. My battery has over 12 volts, but will not crank the engine. When I turn the key, I may get one or two halfhearted attempts then nothing. When I charge the battery up to over 13.5 volts, it turns over like nothing is wrong. I've tested the ignition switch and I have continuity, it doesn't read to 000's but it beeps and goes to like 0.26 or so. I've unplugged the wire from the solenoid that comes from the ignition and I get 12.5 volts through there. It's a 4 pole solenoid. I get 12+ volts on the post with the red wire that seems to be connected to the battery. I don't get 12 volts on the starter end. And when I try to crank the engine from the ignition, I don't get 12 volts to the starter. How can I test the wire from the solenoid to the starter? Or is that even an issue? I'm at a loss. Any help will be greatly I have a 'quill' now with a grease fitting on top, however (looking inside it) it has Sealed bearings on both ends, so the grease fitting seems kinda useless on this quill , (I would think anyhow, but correct me if I'm wrong).. After your post about the pulley, I did put my dial indicator on today to check more accurately the pulley for run-out, & it has .029" run-out on the outer edge.. Hard to see by eye, but it is not as true as I thought.. But being stamped steel, would that be considered TOO much out of true ? No it doesn't sound like much.. But nothing else makes sense.. Your advice is Always most appreciated.. Now I have a direction to concentrate on.. I want to check for run-out on that 'quill' (spindle top) to see if it is the pulley or the spindle first.. & then test the other Good side for run-out as well.. If it's the pulley, I could possibly true it to a much better tolerance, or make it much worse.. LOL Time will tell.. I'm a bit reluctant to even touch the good side, that is still the original assembly (over 6 yrs old).. And as I posted above, the bearings are holding up very well, it is the housing that gets the seats for the bearings beat out.
*Note: I have changed things as to not expose any info about my work, Every thing else is as I received it*
So the odd thing about this email is the last part, It's some text aboooooou a guy fixing his starter. WTF? I saw 24 plus emails like this show in my inbox at work and got reports of people getting these emails as well. I found out that the text at the bottom was scrapped from an open forum. This post is from http://www.hobbytalk.com/bbs1/showthread.php?t=421200, a post made in August this year. The server hosting the forum was not compromised from what I could tell. So I'm guessing what ever the script was that generated this email used a web crawler to gather this text from open forums. The other emails had every thing from talking about home build airplanes to beauty tips. So it seem to be all over the board. But the oddity did stop there....
The Servers
After seeing so many of these emails getting through I started to dig into this further. I couldn't find any info on this with deep google so I dug in my self. All of direct sources of this SPAM seem to be from servers, either was looked like home run servers or long forgotten servers in datacenters for web hosting.They where a mix of Windows and Linux, about 2/3 of the servers that I tested where running Windows 2008 the rest where running Redhat kernel 2.6.x.
This pattern on its own is not so abnormal, as this is what most of the compromised boxes on the net look like from what I have seen. The bit that was abnormal was how the servers had been changed. Most the Windows servers had a very minimalist SMPT and HTTP server installed. No content on the HTTP, just some way to rediect you to another site. The SMPT server had just about everything disabled. Most of them seem to be some version of PowerMTA, an alternative MTA for windows. The Linux servers had a very limited POSTFIX server.
The HTTP was NGINX that had just about everything turned off on it.
The security on the servers where basic, but enough to keep any random person from getting in. I didn't try too hard to break in to gather more info, this was just the reconnaissance.
The Trap
After looking at the servers I started looking at the "path" that the links would take you. I must give a warring here to any one who wants to try this. Use chorme's incognito tabs for this, doing this out side of a sandbox WILL DAMAGE YOUR SYSTEM!!!
So if you open the link you will find that it just sits there for a few, then pops up with annoying add site. If you grab the site with wget -r you will something like this:
wget -r http://www.sortut.com/psa/video/released/dia/assoc.html
--2014-09-22 10:25:31-- http://www.sortut.com/psa/video/released/dia/assoc.html
Resolving www.sortut.com (www.sortut.com)... 66.172.90.246
Connecting to www.sortut.com (www.sortut.com)|66.172.90.246|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE [following]
--2014-09-22 10:25:32-- http://affiliate.gosotrack.com/rd/r.php?sid=928&pub=220319&c1=&c2=&c3=0918864UNIE
Resolving affiliate.gosotrack.com (affiliate.gosotrack.com)... 173.230.238.191
Connecting to affiliate.gosotrack.com (affiliate.gosotrack.com)|173.230.238.191|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162 [following]
--2014-09-22 10:25:32-- http://tracking.routeoffers.com/aff_c?offer_id=22&aff_id=1154&aff_sub=220319&aff_sub2=SUBIDHERE&aff_sub3=SUBIDHERE&url_id=162
Resolving tracking.routeoffers.com (tracking.routeoffers.com)... 54.183.46.151
Connecting to tracking.routeoffers.com (tracking.routeoffers.com)|54.183.46.151|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]={trackslug_1}&trackslugs[]={trackslug_2}&trackslugs[]={trackslug_3} [following]
--2014-09-22 10:25:33-- https://buyglucohealth.com/pages/report-video?AFFID=1154&C1=220319&C2=SUBIDHERE&C3=SUBIDHERE&trackslugs[]=%7Btrackslug_1%7D&trackslugs[]=%7Btrackslug_2%7D&trackslugs[]=%7Btrackslug_3%7D
Resolving buyglucohealth.com (buyglucohealth.com)... 192.64.176.135
Connecting to buyglucohealth.com (buyglucohealth.com)|192.64.176.135|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `www.sortut.com/psa/video/released/dia/assoc.html'
[ <=> ] 9,540 --.-K/s in 0.005s
2014-09-22 10:25:34 (1.94 MB/s) - `www.sortut.com/psa/video/released/dia/assoc.html' saved [9540]
FINISHED --2014-09-22 10:25:34--
Total wall clock time: 2.4s
Downloaded: 1 files, 9.3K in 0.005s (1.94 MB/s)
You can see if bounces you around 4 different sites before landing you on the ad site where there are so many trackers and pop ups that it feels like the `90's all over again.
The sites that they are bounced through advertise themselves as "Social networking advertising market places." I haven't dug into this much, but from talking with my friends in the marketing world these would be the companies that promise to get your add more clicks, and thousands of more views. They just leave out that it will be views from very pissed off people or lots of unknowing old people.
The end site you land on seems to be really selling what they are saying they want to sell. Complete with all the info to comply with the CANSPAM act burried under 15 pop ups.
The sites that they are bounced through advertise themselves as "Social networking advertising market places." I haven't dug into this much, but from talking with my friends in the marketing world these would be the companies that promise to get your add more clicks, and thousands of more views. They just leave out that it will be views from very pissed off people or lots of unknowing old people.
The end site you land on seems to be really selling what they are saying they want to sell. Complete with all the info to comply with the CANSPAM act burried under 15 pop ups.
Questions
After all this digging I'm still left with a lot of questions. What connection does these SPAM "sources" have with the attack a month ago, if it has any connection?
What is the backend behind all of these bot servers, what packages are they using and how do they work?
Have the bot herders moved from using personal connections to servers to spread SPAM? or are the personal computers used to attack the servers?
Who is behind the command and control systems of these bot nets?
And how are these advertising "markets" connected with the bot nets?
What companies are using these tickets and how can we shed light on what is really behind this kind of marketing?
In the end I want to try to help with reducing the SPAM on the internet and making network admin's jobs easier around the world. I spend a good 60% of my work day on just SPAM.
If any of you out there have info on this please leave a comment below or give me a shout out on twitter @KD7DMP with your info.
Thanks all, until next time.
No comments:
Post a Comment