Received: from minitanth.info-88(037008194168.suwalki.[126.96.36.199]) Received: from exundancyc.megabulkmessage225(109241011223.slupsk.[109.2]) Received: from disfrockinga.message-49(unknown [.251]) Received: from offenders.megabulkmessage223(088156021226.olsztyn.[88.1]) Received: from snaileaterl.inboxmsg-228(109241018033[109.2]) Received: from soapberryl.inboxmsg-242(037008209142.suwalki.[188.8.131.52]) Received: from dicrostonyxc.inboxmsg-230(088156042129.olsztyn.[88.1]) To learn more about what information you can glean from email headers, see this post.But for now, here’s a crash course for our purposes.So how did Krebs On Security tie the spam that was sent to promote these two adult dating schemes to the network of spam botnet panels that I mentioned at the outset of this post?I should say it helped immensely that one anti-spam source maintains a comprehensive, historic collection of spam samples, and that this source shared more than a half dozen related spam samples. All of those spams had similar information included in their “headers” — the metadata that accompanies all email messages.
Here’s the output of one controller that’s currently getting pinged by more than 12,000 systems configured to relay porn spam (the relevant part is the first bit on the second line below — “current activebots=”).
In this case, an Nmap scan against that list of IPs showed they were all listening for incoming connections on Port 10001.
From there, I took the IP address list and plugged each address individually into the URL field of a browser window in Mozilla Firefox, and then added “:10001” to the end of the address.
For several months I’ve been poking at a decent-sized spam botnet that appears to be used mainly for promoting adult dating sites.
Having hit a wall in my research, I decided it might be good to publish what I’ve unearthed so far to see if this dovetails with any other research out there.
This type of spamming is known as “snowshoe” spamming.