Over the past few months the abuse of .cn (China) domains has been at pandemic levels[1]. There are several different styles of spam containing these domains differentiated by their template or structure. Some have simply the raw domain name, others include a random page, yet others have a random hostname and a page. While the text content of the email changes dramatically (randomly) between spam runs, the domain structure remains the same.
Spam that enters my traps is usually processed auto-magically by a parsing and checking program. Anything that doesn't fit a previously seen pattern is flagged so that I can have a look and see what has changed. Just the other day I got one that included the following curious looking URI.
http://{symbol[4-6]}.{_2cndomains}/?/{SYMBOL[4-6]}.html
As you can see, this is not a valid URI but instead the raw template text from the spam software. From this we can see why all their URI look the same. The {symbol[4-6]} would normally be substituted for a 4 to 6 letter word (in all the emails I have seen from this group/bot/template) even though it says "symbol". The two instances are evaluated at different times and the word is usually different. {_2cndomains} implies they have a list of .cn domains from which they choose one randomly. Since this URI string occurs anywhere from once to 10+ times in the a single email, we get to see multiple domains in every email.
The end result of all this - If they're using repeating pattern to send out millions (billions?) of spams every day, that pattern can be recreated and used to fight it. Even random characters are a pattern.
[1] http://garwarner.blogspot.com/2009/06/spam-crisis-in-china.html
No comments:
Post a Comment