Tracking spam victims

Filed Under: Malware, SophosLabs, Spam

Whilst plodding through some of the spam that hit my personal mailbox this lunchtime, I came across a message that warranted closer inspection. The message was from a chap who has inundated me with spam these last few days - good old "Mr Kaspersky Anti-Hacker". Written in Chinese, the message bore all the characteristics of plain old product-spam (click here to buy this...). The links in the message use a redirect service to load pages from other (rather suspicious looking) domains. These pages all redirect to yet another domain using a META refresh:

<meta http-equiv="refresh" content="0;url=http://[removed].xps.to">

The numerous software advertisements on the final web page confirm previous suspicions about the spam being product related.

pspam

Looking at the source of the page, a short PHP script containing a checkip() function is visible. This script attempts to deduce the IP address of the visiting client, and check it against a list of IP ranges stored on the web server (stored in a text file). Even if the visiting client is sitting behind a proxy server, the script tries to get the IP of the client by using the (optional, and easily spoofed) HTTP_X_FORWARDED_FOR header:


if($_SERVER["HTTP_X_FORWARDED_FOR"]){
//extract IP from $_SERVER["HTTP_X_FORWARDED_FOR"]
...
}else{
//assume no proxy, IP address is taken from $_SERVER["REMOTE_ADDR"];
...
}

So, the site attempts to track the IP address of the people that fall victim to the spam and click on the link. Exactly how the spammers may use the information is not known. Repeat access to the site from the same IP is permitted (unlike typical malicious driveby sites that also track client IP addresses). In an age where email addresses themselves have a price, it is not hard to imagine that there is significant value in tracking the addresses of spam victims. Correlation of such data against the list of email addresses used in the spam campaign could be used to target future campaigns more effectively.

The text file containing the list of IP ranges of the spam victims is visible on the site. The ranges correspond predominantly to machines in Taiwan, but there are addresses for machines across the globe (including Germany, New Zealand, China, Australia, United States, and Japan). Curiously, the list contains several email addresses - presumably due to mis-configured proxy servers. (These reference several mailboxes within governmental and police departments in Taiwan.)

This is just another example of the efforts the bad guys are going to in their campaigns. The financial gain from spam and malware continues to drive the multifarious nature of their creations. Digging into a seemingly innocuous piece of product spam actually reveals the use of simple traffic monitoring techniques in order to harvest details about spam victims. Whilst we're watching them, they're watching you!

You might like

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.