There are many ways a spammer can infect a device with malware and capture confidential or banking information or sell counterfeit drugs, luxury items or software. A few years ago, spammers would register fictitious email accounts with many different webmail services to send spam messages which would capture private information or make victims partake in affiliate scams. As antispam companies became more proficient in identifying unsolicited messages through email domains and IP addresses, spammers began to use more clever techniques. An example is the so-called snowshoe spamming, in which spammers scatter their messages across a wide range of IPs and domains, in order to blur domain reputation metrics and evade filters. Recent years have seen a rise in snowshoe spam, but while this type of spam fits into a pattern, the way it’s executed may vary from one spam wave to another.
Bitdefender Antispam Labs has analyzed two recent spam attacks that used hundreds of fictitious or real domains in order to hide the primary spammer site from antispam security companies. Because the registration of these domains is automated, hundreds of different sites appear at once, and the sheer volume makes identifying the actual spammer site costly in time, effort and resources. Clearly, antispam technologies have to continually evolve and change to proactively identify new spam methods.
Below is an analysis of the two spam wave attacks that were detected by our labs and were immediately blocked, as the pattern of attack was evident and validated through multiple systems.
Spam waves invading Japanese speakers during May 9 – May 26
• For these particular spam waves, the domains in the URLs all resolved to the same physical host IP (in this case 119.[redacted].8.7, located in Australia). They were all registered with the same Yahoo! email address, which was associated with 7,000 other domains at the time of the analysis.
• New domains were registered automatically, their names being randomly generated by a botnet. These domains were meant to hide the main one, and they were functional for about two weeks, on average.
For example, two domains observed on May 26th, kk[redacted]kxc.net and ei[redacted]g5z.net, redirected to xh[redacted]wgd.net, rf[redacted]yc.biz and jj[redacted]8s.biz, which had been seen on May 14th and which in turn redirected to ik[redacted]rd7.net.
• The target domain was associated with a simple dating web page built on a generic html template; this web page was also reused by spammers, when a new target domain was generated, as part of a new spam wave.
• Spammers randomly alternated a number of target domains several times.
For example, during the period analyzed by Bitdefender researchers, spammers used 909 distinct redirecting domains and only five target domains as follows:
o pti[redacted]te.net – May 10-11, 16-17 and 21
o xh[redacted]wgd.net – May 9-10, 15-16, 26
o ik[redacted]rd7.net – May 9, 14, 23-25
o ne[redacted]pm4.net – May 12, 22-23
o de[redacted]3pe.net – May 12-14, 18-19, 22, 25-26
• As observed in the examples above, the alternating target domains are usually .net or .biz domains, most likely acquired with stolen credit cards from top-level domain registrars who offer discounts on certain occasions. This just goes to show how complex and specialized the online black market, also known as the dark web, is getting.
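The pattern described for this wave (many throwaway redirectors on one host and one registrant, funnelling into a handful of rotating targets) can be recovered from plain observation data. The following is an added example in Python, not Bitdefender's code, that clusters domains by shared hosting IP and registrant identity, follows each redirect chain to its final target, and tabulates which target was live on which day. All domains, IPs, registrant addresses and dates are constructed placeholders.

```python
"""Added example (not Bitdefender's code): cluster observed spam domains by shared
hosting IP and registrant identity, follow redirect chains to the final target,
and tabulate which target was live on which day. All records are constructed."""
from collections import defaultdict

# Constructed observations: (date, domain, hosting_ip, registrant, redirects_to).
# Domain names imitate the randomly generated .net/.biz redirectors described above;
# IPs come from documentation ranges and the registrant address is a placeholder.
OBSERVATIONS = [
    ("05-09", "ab1x2c.net", "198.51.100.7", "reg@example.invalid", "target-a.net"),
    ("05-09", "target-a.net", "198.51.100.7", "reg@example.invalid", None),
    ("05-12", "ei3hg5z.net", "198.51.100.7", "reg@example.invalid", "target-b.net"),
    ("05-12", "target-b.net", "198.51.100.7", "reg@example.invalid", None),
    ("05-14", "q9zt3k.biz", "198.51.100.7", "reg@example.invalid", "m4nv7p.net"),
    ("05-14", "m4nv7p.net", "198.51.100.7", "reg@example.invalid", "target-a.net"),
    ("05-26", "kk0xkxc.net", "198.51.100.7", "reg@example.invalid", "m4nv7p.net"),
    ("05-12", "legit-shop.example", "203.0.113.5", "owner@example.invalid", None),
]


def redirect_map(observations):
    """Map each domain to the domain it redirects to (None for a final target)."""
    return {domain: nxt for _, domain, _, _, nxt in observations}


def resolve_target(domain, rmap, max_hops=10):
    """Follow the redirect chain to its end; stop on loops, unknown hops or hop limit."""
    seen = []
    while domain is not None and domain not in seen and len(seen) < max_hops:
        seen.append(domain)
        domain = rmap.get(domain)
    return seen[-1]


def cluster_by_host(observations):
    """Group domains that share both a hosting IP and a registrant identity."""
    clusters = defaultdict(set)
    for _, domain, ip, registrant, _ in observations:
        clusters[(ip, registrant)].add(domain)
    return clusters


def target_schedule(observations):
    """For each final target, the sorted dates on which some observed chain led to it."""
    rmap = redirect_map(observations)
    schedule = defaultdict(set)
    for date, domain, _, _, _ in observations:
        schedule[resolve_target(domain, rmap)].add(date)
    return {target: sorted(dates) for target, dates in schedule.items()}


def snowshoe_report(observations, min_domains=3):
    """Flag host/registrant clusters where many redirectors funnel into few targets."""
    rmap = redirect_map(observations)
    report = []
    for (ip, registrant), domains in cluster_by_host(observations).items():
        if len(domains) < min_domains:
            continue  # too small to call it a snowshoe cluster on this evidence
        targets = {resolve_target(d, rmap) for d in domains}
        redirectors = {d for d in domains if rmap.get(d) is not None}
        report.append({"ip": ip, "registrant": registrant, "domains": len(domains),
                       "redirectors": len(redirectors), "targets": sorted(targets)})
    return report


if __name__ == "__main__":
    for entry in snowshoe_report(OBSERVATIONS):
        print(entry)
    for target, dates in target_schedule(OBSERVATIONS).items():
        print(target, dates)
```

On the constructed data the single flagged cluster holds seven domains, five of which are redirectors, funnelling into two targets; the schedule shows `target-a.net` reappearing on three separate dates, which is the rotation behaviour the list above describes. The legitimate shop on its own host and registrant never reaches the report.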
Spam targeting English speakers during May 9 – May 26
• Between May 9 and May 22, spammers orchestrated spam waves invading English-speaking users in a similar fashion, albeit a bit more complex and detail-oriented.
• The domains used in the process were hosted on a single IP located in the US, 173.[redacted].43.114, and were registered with WHOIS Guard privacy protection so that the registrant stayed anonymous.
• Requesting that IP address directly over HTTP returned the same content as requesting the domains hosted on it.
• Bitdefender researchers observed 371 different domains used in spam. Usually, the target or redirecting domains used by spammers are live for one month, at most. However, in this particular case, many of the domains used were among the more resilient ones – they had been live and appeared in spam campaigns for almost a year.
• The spam topics varied from dating messages and pharmacy advertisements to conspiracy theories. However, the URLs included in them did not redirect users to topic-relevant webpages but to other spam webpages, depending on the user's IP address. The spam was therefore geo-targeted: only users in the targeted area were redirected to the web page built for the spam campaign, and anyone outside that area never saw the spammers' domain at all. This is an efficient way to avoid detection, since it makes it harder to identify the redirecting spam domain and blacklist it.
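Geo-targeted redirection of this kind can be detected by fetching the same spam URL from several vantage points and comparing where each chain ends. The following is an added example in Python, not Bitdefender's code, that takes redirect chains recorded per vantage country, flags URLs whose landing page depends on the vantage point, lists the landing pages shown only to a subset of regions, and collects every host in a cloaked chain so that the redirectors are blocked along with the target. The probe records are constructed; in practice they would come from a fetcher run behind exits in each region.

```python
"""Added example (not Bitdefender's code): detect vantage-dependent (geo-targeted)
redirect chains from constructed multi-region probe results."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed probe results: (spam_url, vantage_country, redirect_chain_observed).
# r1 shows a dating landing page only to JP visitors and a decoy to everyone else;
# r2 lands on the same page from every vantage point.
PROBES = [
    ("http://r1.example/a", "JP", ["http://r1.example/a", "http://d7.example/", "http://land-jp.example/"]),
    ("http://r1.example/a", "US", ["http://r1.example/a", "http://d7.example/", "http://decoy.example/"]),
    ("http://r1.example/a", "DE", ["http://r1.example/a", "http://decoy.example/"]),
    ("http://r2.example/b", "JP", ["http://r2.example/b", "http://land-all.example/"]),
    ("http://r2.example/b", "US", ["http://r2.example/b", "http://land-all.example/"]),
]


def landing_by_vantage(probes):
    """Map each spam URL to {vantage: final landing URL}."""
    out = defaultdict(dict)
    for url, vantage, chain in probes:
        out[url][vantage] = chain[-1]
    return out


def detect_cloaking(probes):
    """A URL is 'cloaked' when its landing page differs between vantage points."""
    verdicts = {}
    for url, landings in landing_by_vantage(probes).items():
        verdicts[url] = {"cloaked": len(set(landings.values())) > 1, "landings": landings}
    return verdicts


def regional_landings(probes):
    """Landing pages shown only to a strict subset of vantages: the geo-targeted page."""
    result = {}
    for url, landings in landing_by_vantage(probes).items():
        by_page = defaultdict(list)
        for vantage, page in landings.items():
            by_page[page].append(vantage)
        result[url] = {page: sorted(v) for page, v in by_page.items() if len(v) < len(landings)}
    return result


def blocklist_candidates(probes):
    """Every hostname seen in any chain of a cloaked URL, redirectors included."""
    cloaked = {u for u, v in detect_cloaking(probes).items() if v["cloaked"]}
    hosts = set()
    for url, _, chain in probes:
        if url in cloaked:
            hosts.update(urlparse(hop).hostname for hop in chain)
    return sorted(hosts)


if __name__ == "__main__":
    for url, verdict in detect_cloaking(PROBES).items():
        print(url, "cloaked" if verdict["cloaked"] else "consistent", verdict["landings"])
    print(regional_landings(PROBES))
    print(blocklist_candidates(PROBES))
```

A single vantage point can only ever see one branch of such a chain, which is exactly why the page above calls geo-targeting an efficient evasion; the comparison across regions is what exposes the hidden landing page, and blocking the intermediate hosts as well as the final one removes the redirector the spam message actually links to.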
• Typically, when the email body contains parsable (machine-readable) text, it is easier for antispam products to identify certain words and phrases typically used in spam. But in these particular spam waves, the emails were crafted to evade detection filters: the email text was embedded in an image, and the unsubscribe link did not remove the recipient from the list. Instead, following it confirmed that the address was live and allowed the spammer to send further spam messages.
Clever spam techniques require advanced antispam technologies
...that enable you to be one step ahead of spammers.
As Virus Bulletin, the leading independent tester for antispam solutions puts it:
“Spam is changing continually, both in quality and quantity, and to protect inboxes and networks an anti-spam solution must be able to keep up with these changes” and proactively counter them, we may add.
This means the classic approach to spam detection, based on local content filtering, is no longer enough to protect against these sophisticated spam waves. Local antispam filters are heavy on system resources, have a slow reaction time, and their updates can take up to 20 minutes. With antispam cloud technologies, spam can be identified quickly, as these antispam filters use machine learning algorithms that can identify the newest spam threats in seconds.
Bitdefender’s antispam technology combines local and cloud-based detection techniques, which enable it to analyze SMTP connection information (sender IP address/sender domain), email header information, content information (text fingerprints, URLs, phone numbers, images, attachments etc.), so as to quickly and accurately identify spam. The filters used for the analysis of these details interact with each other, to cover various scenarios and variants of already detected spam waves.
One important note here: only non-recoverable hash data is analyzed in the cloud. This means no one can actually read through the end-users' emails, so their privacy is protected.
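Two of the points above, the image-only messages with a validating "unsubscribe" link and the cloud lookup that only ever sees non-recoverable hashes, can be shown together on one message. The following is an added example in Python, not Bitdefender's engine, that parses a constructed MIME message, measures how much parsable text it carries relative to its images, extracts the URLs, and derives SHA-256 fingerprints of the normalized text, the link hostnames and the image bytes. Only those fingerprints are compared against a constructed cloud blocklist, so the matching side never receives the message itself. The blocklist contents, sample messages and the thresholds are assumptions for the demonstration.

```python
"""Added example (not Bitdefender's code): image-only spam heuristic plus a
privacy-preserving cloud lookup that sees SHA-256 fingerprints only."""
import hashlib
import re
from email import message_from_string
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TAG_RE = re.compile(r"<[^>]+>")


def build_image_spam():
    """Constructed sample: the pitch lives in an image, the only text is 'unsubscribe'."""
    msg = MIMEMultipart("related")
    msg["From"] = "news@spammer.example"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Special offer"
    html = ('<html><body><img src="cid:offer"><br>'
            '<a href="http://r1.example/u?id=abc">unsubscribe</a></body></html>')
    msg.attach(MIMEText(html, "html"))
    img = MIMEImage(b"\x89PNG\r\n\x1a\nconstructed-image-bytes", "png")  # explicit subtype
    img.add_header("Content-ID", "<offer>")
    msg.attach(img)
    return msg.as_string()


def build_plain_mail():
    """Constructed legitimate sample with ordinary parsable text and no images."""
    msg = MIMEText("Hi team, the meeting notes are attached in the wiki page we discussed yesterday.")
    msg["Subject"] = "Meeting notes"
    return msg.as_string()


def extract_features(raw):
    """Walk every MIME part: count visible words, collect URLs, hash image bytes."""
    msg = message_from_string(raw)
    words, image_bytes, urls, image_hashes, text = 0, 0, set(), set(), []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            urls.update(URL_RE.findall(body))
            visible = TAG_RE.sub(" ", body)  # crude tag strip, good enough for a ratio
            words += len(visible.split())
            text.append(visible)
        elif ctype.startswith("image/"):
            data = part.get_payload(decode=True)
            image_bytes += len(data)
            image_hashes.add(hashlib.sha256(data).hexdigest())
    normalized = " ".join(" ".join(text).lower().split())
    return {"words": words, "image_bytes": image_bytes, "urls": urls,
            "image_hashes": image_hashes, "text": normalized}


def fingerprints(features):
    """Non-recoverable hashes only; the cloud side cannot reconstruct the email from these."""
    fps = {"img:" + h for h in features["image_hashes"]}
    for url in features["urls"]:
        host = urlparse(url).hostname or ""
        fps.add("host:" + hashlib.sha256(host.encode()).hexdigest())
    if features["text"]:
        fps.add("text:" + hashlib.sha256(features["text"].encode()).hexdigest())
    return fps


def classify(raw, cloud_blocklist, max_words=5):
    """Local heuristic (image carries the message) plus cloud fingerprint match."""
    feats = extract_features(raw)
    fps = fingerprints(feats)
    reasons = []
    if feats["image_bytes"] > 0 and feats["words"] <= max_words:
        reasons.append("image-only body")
    if fps & cloud_blocklist:
        reasons.append("cloud hash match")
    return {"spam": bool(reasons), "reasons": reasons, "fingerprints": fps}


# Constructed cloud blocklist: the hash of a redirector host seen in an earlier wave.
CLOUD_BLOCKLIST = {"host:" + hashlib.sha256(b"r1.example").hexdigest()}

if __name__ == "__main__":
    print(classify(build_image_spam(), CLOUD_BLOCKLIST))
    print(classify(build_plain_mail(), CLOUD_BLOCKLIST))
```

The unsubscribe link is never followed: its hostname is hashed and matched, which is all the classifier needs, and it avoids the address-validation trap the article describes. Hashing the link host rather than the full URL also means the per-recipient identifier in the query string never leaves the endpoint.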
Antispam technology is available for endpoint, network and cloud implementation. So if you’re looking to develop your own award-winning antispam product or improve your existing one, look no further! Check out the award-winning antispam engine and how your business can benefit from it.
Note: This article is based on technical information provided courtesy of Andrei Afloarei, Bitdefender Researcher.