Archive for the 'Parasites' Category

Find zombies in your netspace

Tuesday, October 18th, 2005

More and more spammers, and yes, even linkspammers, are using zombies to spam from. From my vantage point, I’d say cutting down on zombies and proxies should be a goal.

There’s one list that zombies often end up on, the one at dnsstuff.com. I don’t know why, but those lists seem quite full (though I’m sure there are more zombies not on those lists). They’ll also list open proxies, which is bad as well.

And there’s a way to keep an eye on your own IP space (let’s say you’re an ISP, webhost or IP block owner). And don’t think you won’t be listed even if you have no end users. Servers can and will be infected and misconfigured. Keep this link handy, and check it often:

http://www.dnsstuff.com/tools/banned.ch?ip=xx.xx.0.0/16

Where the xx's represent the first two octets of your IP block, i.e. the /16 you want to check.

The site is unfortunately down today, but I checked Google’s cache, and found quite a few listed for various blocks.

This method is crude enough that you'll see your IP-space neighbors' zombies as well. But it's still a good tool. Do you guys know of any other tools like this one?

I've tried several RBLs, but they don't display results unless you search for the specific IP number that's listed. There's no wildcard search, which would have been useful for network admins.

I did find another way to test IP blocks. But this ONLY relates to e-mail, and only shows which servers are used for e-mail. So at most it will help you figure out whether an IP number that shouldn't send e-mail actually does anyway.

Search this address for an IP address in your block. For instance:
http://www.senderbase.org/search?searchString=xx.xx.xx.1
You'll see all servers they've detected sending mail in that C-block (/24). So for those with large net blocks, it's quite a chore: you'll have to do it all over again for each C-block.

Update: Dshield has a list of IP ranges and attackers coming from them. Look up your IP ranges here.
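The RBL wildcard problem above has a workaround a network admin can script: DNS-based blocklists are queried per address by reversing the octets and prepending them to the list's zone (192.0.2.7 becomes 7.2.0.192.zone), and a listed address answers with an A record in 127.0.0.0/8. The script below is an added example, not code from the original post; it walks a CIDR block, builds each query name, and decodes the answers. The zone name `dnsbl.example.invalid`, the return-code table and the constructed stand-in resolver are assumptions for illustration, so the block runs offline; swap in `system_resolver` and a real zone to query an actual list.

```python
"""Check every address of a CIDR block against a DNS-based blocklist (DNSBL).

Added example, not from the original post. A DNSBL is queried by reversing the
octets of an IPv4 address and prepending them to the list's zone, e.g.
192.0.2.7 -> 7.2.0.192.<zone>. A listed address answers with an A record in
127.0.0.0/8; an unlisted one answers NXDOMAIN. The zone name, the return-code
meanings and the sample answers below are constructed for illustration.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Hypothetical zone name; substitute the zone of the list you actually use.
DEFAULT_ZONE = "dnsbl.example.invalid"

# Constructed mapping of return codes to meanings; real lists publish their own.
RETURN_CODES = {
    "127.0.0.2": "spam source",
    "127.0.0.3": "open proxy",
    "127.0.0.4": "compromised host (zombie)",
}

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the reversed-octet query name for one IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Resolve via the OS resolver; None means NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def scan_block(cidr: str, resolver: Resolver = system_resolver,
               zone: str = DEFAULT_ZONE) -> Dict[str, str]:
    """Return {ip: reason} for every listed address in the block.

    Only answers inside 127.0.0.0/8 count as listings; anything else is
    treated as a broken or hijacked answer and ignored, so wildcard DNS on a
    dead zone cannot make the whole block look listed.
    """
    network = ipaddress.ip_network(cidr, strict=False)
    listed: Dict[str, str] = {}
    for host in network:
        answer = resolver(dnsbl_query_name(str(host), zone))
        if answer is None:
            continue
        if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
            continue
        listed[str(host)] = RETURN_CODES.get(answer, f"listed ({answer})")
    return listed


# Constructed offline stand-in for a DNSBL, keyed by query name.
FAKE_ANSWERS = {
    dnsbl_query_name("192.0.2.7"): "127.0.0.4",
    dnsbl_query_name("192.0.2.200"): "127.0.0.3",
    dnsbl_query_name("192.0.2.201"): "127.0.0.9",     # unknown code, still listed
    dnsbl_query_name("192.0.2.250"): "198.51.100.1",  # bogus answer, ignored
}


def fake_resolver(name: str) -> Optional[str]:
    """Constructed resolver so the example runs without network access."""
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip, reason in sorted(scan_block("192.0.2.0/24", fake_resolver).items()):
        print(f"{ip:16} {reason}")
```

A /16 is 65,536 queries, so in practice you run this one /24 at a time and throttle it; many list operators restrict bulk lookups and offer a data feed instead, so check the list's usage policy before pointing this at it.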

Cutting down botnet efficiency

Monday, October 10th, 2005

After writing the previous post, I got to thinking about ways to cut down on the number of zombies. Here’s what I came up with:

If some biggie could organize a blacklist that could be used by as many ISPs as possible, then we could firewall the addresses the botnets are controlled from. If some big players were in on this, it would SERIOUSLY hamper the botnets' efficiency, provided the blacklist is updated frequently enough. Bigger companies with their own networks would probably like this as well (Google, anyone?)

Please let me know if this gets off the ground! And I’d love the credit for the idea, of course.

Update October 15: Users want ISPs to filter spyware. Related topic.

The anatomy of a botnet

Monday, October 10th, 2005

I’ve been looking up botnet information today. After chasing the invisible wiki spammer around for a while, I realized he’d been using a botnet at least since September 20, possibly longer.

I’m interested in logging infected computers, and finally found an article that was a bit more meaty than most:

SANS: Mitglieder hell

He's absolutely right that certain URLs should be null routed on your network, especially if you're an ISP or a large company.
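The shared blacklist proposed in the previous post and the null routing recommended here meet in one small tool: something that takes a feed of control-server addresses and turns it into routes. The script below is an added example, not code from the original posts or from SANS; it assumes a plain-text feed with one IPv4 address or CIDR per line and `#` comments. It validates every entry, collapses overlapping prefixes, and refuses anything in private, loopback, link-local or multicast space or shorter than /16, so a poisoned or mistyped feed entry cannot blackhole your own network or the whole internet. It only emits Linux `ip route add blackhole` commands; nothing is executed. The sample feed is constructed, reusing the two addresses named elsewhere on this page as stand-ins.

```python
"""Turn a blocklist feed of botnet control addresses into null-route commands.

Added example, not from the original posts. Assumes a text feed with one IPv4
address or CIDR per line; '#' starts a comment. Entries are validated,
overlapping prefixes are collapsed, and internal or over-broad ranges are
refused so a bad feed cannot blackhole your own infrastructure. Output is a
list of `ip route add blackhole` commands; this script executes nothing.
"""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network

# Refuse anything broader than this; a /0 or /8 entry is almost certainly a mistake.
SHORTEST_ALLOWED_PREFIX = 16


def parse_feed(text: str) -> Tuple[List[IPv4Net], List[str]]:
    """Return (accepted networks, collapsed and sorted; rejected lines with reason)."""
    accepted: List[IPv4Net] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=False)  # bare IP becomes /32
        except ValueError:
            rejected.append(f"{line}: not an IPv4 address or CIDR")
            continue
        if net.prefixlen < SHORTEST_ALLOWED_PREFIX:
            rejected.append(f"{line}: prefix shorter than /{SHORTEST_ALLOWED_PREFIX} refused")
            continue
        if (net.is_private or net.is_loopback or net.is_link_local
                or net.is_multicast or net.is_reserved):
            rejected.append(f"{line}: internal or non-routable range refused")
            continue
        accepted.append(net)
    # collapse_addresses merges overlapping/adjacent prefixes and sorts them
    return list(ipaddress.collapse_addresses(accepted)), rejected


def null_route_commands(nets: List[IPv4Net]) -> List[str]:
    """One blackhole route per accepted prefix."""
    return [f"ip route add blackhole {net.with_prefixlen}" for net in nets]


# Constructed sample feed; the first two addresses are the ones named in the
# posts on this page, used here only as stand-ins.
SAMPLE_FEED = """\
195.225.177.33        # host serving the win32.exe trojan
195.24.194.5/32       # open proxy used for wiki spam
195.24.194.0/24       # overlaps the line above; collapsed into this
10.0.0.0/8            # private space: refused
0.0.0.0/0             # would blackhole everything: refused
not-an-ip             # garbage: refused
"""

if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_FEED)
    for cmd in null_route_commands(nets):
        print(cmd)
    for reason in bad:
        print("# rejected:", reason)
```

Feed this to a router or a Linux box that announces the blackholes, and re-run it on every feed update so stale entries are withdrawn as well as new ones added; the rejection list is worth logging, because a sudden burst of refused entries is the first sign that the feed itself has been tampered with.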

Spyware on my machine

Saturday, September 10th, 2005

I came upon an ad. I don't know where I "picked it up". But I thought it was cute enough that I wanted to show it to you. It presumed to know something about my computer that it couldn't possibly know:

[image: spyblocs_terry]

My apologies if the image gets shrunk. Just click on the image to view it at full size.

The point is that most of these ads will load a spyware scanner that gives fraudulent results. The scan may be free, but the cure isn't. There ARE so-called spyware scanners that are fronts for actual spyware as well.

NEVER run spyware scanners that you know nothing about. ONLY run spyware scanners that are considered the real deal. Examples are “Spybot Search And Destroy” and “Adaware”.

Check Spywareblog for more about spyware.

One trojan coming up

Saturday, September 3rd, 2005

Someone at 195.24.194.5 created a new page on my wiki. I decided to check that IP number out. It's got a long and distinguished career in wiki spam, and it's an open proxy. I believe wiki spammers are creating new orphan pages to spam. That would make more sense than defacing pages that already hold content, right? And it might quietly flit by a busy admin without him or her noticing.

Anyway, I looked for wikispam, and one of the users of said proxy had a very interesting page. At scarletton.teenposes.com/bankers-long-term-care-insurance.html I found an iframe that went to 195.225.177.33. It then 302 redirected to 195.225.177.33/vx/ where I found a trojan waiting to be downloaded.

I don’t have a clue what it does (not coming near my system!), but the name of the file is win32.exe.

The host is netcathost in Ukraine. Ukraine is the home of a LOT of spam, so that’s not surprising.

I went further, trying to figure out who owns this thing…

I found a domain on that server, with this whois info:

Danyelle Christian
Danyelle Christian (mortiis@ukr.net)
Chocho Street 16
Highland Beach
null,96365
US
Tel. +09.6070231

Fake name and address, in other words.

Those domains and that whois info have been implicated in browser hijacking in the past. McAfee christened a trojan associated with one of the domains StartPage-FX.