I received a spam message the other day that went to my Junk Mail Folder. I decided to take a look at it and dissect it piece by piece. It really is amazing to see how spam crosses so many international borders and exploits so many different machines. Spammers have their own globally redundant infrastructure. Below are the headers with minimum munging:
Envelope From: <> Received: from 97-115-21-35.ptld.qwest.net (184.108.40.206) by TX2EHSMHS041.bigfish.com (10.9.99.141) with Microsoft SMTP Server id 14.0.482.32; Tue, 29 Sep 2009 02:09:30 +0000 Received: from [220.127.116.11] (helo=arq) by 97-115-21-35.ptld.qwest.net with smtp (Exim 4.62 (FreeBSD)) id 125419027064-0004WM-EZ; Mon, 28 Sep 2009 18:11:10 -0800 Message-ID: <002501ca40a9$a607a510$8e5f328c@Boscoarq> From: Salome Fields <email@example.com> To: <firstname.lastname@example.org> Subject: Hot chixs.Ponetnce.Blue-colored-tab. Date: Mon, 28 Sep 2009 18:07:51 -0800 Content-Type: text/plain; format=flowed; charset="windows-1252"; reply-type=original Content-Transfer-Encoding: quoted-printable
Here is your complimentary health supply. http://lsjo.lawdingops.com/
Let’s look at everything here:
So, going by this, here’s how it works: A malware author infects a machine in Canada (1) that relays spam to a machine in the United States (2), which contains payload that points to a machine in Spain (3) registered by a guy in the United States (4) using a registrar in France (5), which is resolved by a name server in the Czech Republic (6). That’s quite the multinational mechanism for transmitting spam, and I didn’t even dig through everything (there are multiple name servers and registrars I could have followed up on but didn’t).
Let’s count how many exploited machines there are here: the two that are involved in sending me spam plus the one where the web page is hosted is three. The guy in Texas is using name servers that look like they are located in Russia, but they are not. The one name server which resolves the spammy site is exploited (the one sitting in the Czech Republic) and then the top domain cn8.ru, sitting on a machine in China, is five. Since the the bot in Canada has to pull its instructions from somewhere, that makes 6. Whew, that’s a lot of infrastructure to maintain. This makes for a pretty fracking resilient system of sending spam.
I wonder if these guys have their own Operations department?