It is another quiet Sunday afternoon in SophosLabs. I'd like to take advantage of the calm to write about a different aspect of spam. One of the things that makes the sites advertised in spam so hard to shut down is a technique called fast-flux. To illustrate this we will take a deeper look into a piece of spam that SophosLabs received last weekend.
It is a simple pharmacy spam.
The link takes you to this website.
So far so good, now we'll try to figure out where this site is actually hosted. If we do a DNS lookup to find its IP address we get 15 different addresses. The domain name and IP numbers have been altered.
<domain>.cn. 300 IN A xxx.yyy.87.28
<domain>.cn. 300 IN A xx.yy.244.158
<domain>.cn. 300 IN A xx.yyy.143.90
<domain>.cn. 300 IN A xx.yyy.161.206
<domain>.cn. 300 IN A xx.yyy.163.122
<domain>.cn. 300 IN A xx.yyy.32.71
<domain>.cn. 300 IN A xx.yyy.92.199
<domain>.cn. 300 IN A xx.yyy.64.223
<domain>.cn. 300 IN A xx.yy.220.164
<domain>.cn. 300 IN A xxx.yyy.81.217
<domain>.cn. 300 IN A xxx.yy.207.157
<domain>.cn. 300 IN A xxx.yy.239.54
<domain>.cn. 300 IN A xxx.yyy.9.179
<domain>.cn. 300 IN A xxx.yyy.110.250
<domain>.cn. 300 IN A xxx.yyy.246.101
Not only are these addresses spread throughout IP space but the physical locations they represent are spread around the world in places as far apart as Los Angeles, Moscow and Tokyo. Readers familiar with DNS will notice that the time to live (TTL) values on these DNS results indicate that these addresses are only valid for 300 seconds. What happens if we ask again after that time has expired? We get 15 more, completely different, IP addresses. The spammers aren't actually moving their site every 5 minutes. What they are doing is a using a network of proxy servers all over the world and redirecting traffic through the proxies to the true pharmacy site. Whenever anyone looks up the address for the site they will get 15 randomly chosen addresses from the network. This rapid change in apparent location is fast-flux.
All this begs the question : "How big is this network?"
Over the 7 days from September 2 to September 8 inclusive I've seen this site proxied through 923 different IP addresses. Most of the addresses come and go from the network. Only 17 sites were active every day of the week.
923 is not a huge network by botnet standards but it certainly makes the task of hunting down the spammers that much harder.
Finally, if you are wondering where all those proxies are ...