Monday, July 20, 2009

Silly spammers

Some of the spam that turns up in my traps stands out from the rest. Not only is it completely useless because it is spam, it is completely useless to the spammer as well, because they screwed up the settings in their spam software. These screw-ups give some insight into the workings of that software.

Over the past few months the abuse of .cn (China) domains has been at pandemic levels[1]. There are several different styles of spam containing these domains, differentiated by their template or structure. Some contain just the raw domain name, others include a random page, and yet others have a random hostname and a page. While the text content of the email changes dramatically (randomly) between spam runs, the domain structure remains the same.

Spam that enters my traps is usually processed auto-magically by a parsing and checking program. Anything that doesn't fit a previously seen pattern is flagged so that I can have a look and see what has changed. Just the other day I got one that included the following curious-looking URI.

http://{symbol[4-6]}.{_2cndomains}/?/{SYMBOL[4-6]}.html

As you can see, this is not a valid URI but the raw template text from the spam software. From this we can see why all their URIs look the same. The {symbol[4-6]} would normally be substituted with a 4 to 6 letter word (in all the emails I have seen from this group/bot/template), even though it says "symbol". The two instances are evaluated at different times, and the word is usually different. {_2cndomains} implies they have a list of .cn domains from which one is chosen at random. Since this URI string occurs anywhere from once to 10+ times in a single email, we get to see multiple domains in every email.

The end result of all this - if they're using a repeating pattern to send out millions (billions?) of spams every day, that pattern can be recreated and used to fight it. Even random characters are a pattern.
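As an added illustration of the two points above (not the author's parsing program, and not code from any spam kit), here is a small Python checker that does what that program is described as doing: it recognises URIs rendered from the quoted template (a 4 to 6 letter hostname, a .cn domain, then /?/WORD.html), tallies the .cn domains seen, and flags any message in which unsubstituted placeholders such as {symbol[4-6]} or {_2cndomains} leaked through. The sample message and the function names are constructed for this example; the only thing taken from the post is the template string itself.

```python
import re
from collections import Counter

# Rendered form of the template quoted in the post:
#   http://{symbol[4-6]}.{_2cndomains}/?/{SYMBOL[4-6]}.html
# becomes  http://<4-6 letters>.<label(s)>.cn/?/<4-6 letters>.html
RENDERED_RE = re.compile(
    r"^https?://([A-Za-z]{4,6})\.([A-Za-z0-9.-]+\.cn)/\?/([A-Za-z]{4,6})\.html$"
)

# Unsubstituted placeholder tokens, e.g. {symbol[4-6]} or {_2cndomains}
PLACEHOLDER_RE = re.compile(r"\{[A-Za-z_][A-Za-z0-9_]*(?:\[\d+-\d+\])?\}")

# Anything that looks like a URI in running text; stops at whitespace/quotes
URI_TOKEN_RE = re.compile(r"https?://[^\s\"'<>]+")


def classify_uri(uri):
    """Classify one URI.

    Returns ('template-leak', placeholders) when raw template text got through,
    ('cn-template', (host_word, domain, page_word)) when it matches the
    rendered structure, or ('other', None) for anything else.
    """
    placeholders = PLACEHOLDER_RE.findall(uri)
    if placeholders:
        return ("template-leak", tuple(placeholders))
    m = RENDERED_RE.match(uri)
    if m:
        return ("cn-template", m.groups())
    return ("other", None)


def scan_message(body):
    """Extract every URI from a message body, classify it, and summarise.

    The summary counts verdicts, counts distinct .cn domains (the spammer's
    domain list shows through here), lists leaked templates, and sets
    flag_for_review when anything unexpected turned up.
    """
    verdicts = Counter()
    domains = Counter()
    leaked = []
    for token in URI_TOKEN_RE.findall(body):
        uri = token.rstrip(".,;:)")  # drop sentence punctuation glued to the URI
        kind, detail = classify_uri(uri)
        verdicts[kind] += 1
        if kind == "cn-template":
            domains[detail[1].lower()] += 1
        elif kind == "template-leak":
            leaked.append(uri)
    return {
        "verdicts": dict(verdicts),
        "cn_domains": dict(domains),
        "leaked_templates": leaked,
        "flag_for_review": bool(leaked),
    }


# Constructed sample message (hypothetical domains, not real spam)
SAMPLE_MESSAGE = """\
Great deals today http://brave.qwerty123.cn/?/HELLO.html and more
at http://smile.abcdef.cn/?/WORLD.html now. Also see
http://{symbol[4-6]}.{_2cndomains}/?/{SYMBOL[4-6]}.html
Unrelated link: http://example.org/index.html.
"""

if __name__ == "__main__":
    report = scan_message(SAMPLE_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it on the constructed message reports two rendered .cn URIs on two distinct domains, one leaked template, one unrelated link, and sets the review flag because of the leak. In practice the interesting output is the domain tally accumulated across many messages, which recovers the spammer's domain list one message at a time.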

[1] http://garwarner.blogspot.com/2009/06/spam-crisis-in-china.html
