Fast-flux pharmacies

Filed Under: SophosLabs, Spam

It is another quiet Sunday afternoon in SophosLabs. I'd like to take advantage of the calm to write about a different aspect of spam. One of the things that makes the sites advertised in spam so hard to shut down is a technique called fast-flux. To illustrate this we will take a deeper look into a piece of spam that SophosLabs received last weekend.

It is a simple pharmacy spam.

The link takes you to this website.

So far so good, now we'll try to figure out where this site is actually hosted. If we do a DNS lookup to find its IP address we get 15 different addresses. The domain name and IP numbers have been altered.


<domain>.cn. 300 IN A xxx.yyy.87.28
<domain>.cn. 300 IN A xx.yy.244.158
<domain>.cn. 300 IN A xx.yyy.143.90
<domain>.cn. 300 IN A xx.yyy.161.206
<domain>.cn. 300 IN A xx.yyy.163.122
<domain>.cn. 300 IN A xx.yyy.32.71
<domain>.cn. 300 IN A xx.yyy.92.199
<domain>.cn. 300 IN A xx.yyy.64.223
<domain>.cn. 300 IN A xx.yy.220.164
<domain>.cn. 300 IN A xxx.yyy.81.217
<domain>.cn. 300 IN A xxx.yy.207.157
<domain>.cn. 300 IN A xxx.yy.239.54
<domain>.cn. 300 IN A xxx.yyy.9.179
<domain>.cn. 300 IN A xxx.yyy.110.250
<domain>.cn. 300 IN A xxx.yyy.246.101

Not only are these addresses spread throughout IP space but the physical locations they represent are spread around the world in places as far apart as Los Angeles, Moscow and Tokyo. Readers familiar with DNS will notice that the time to live (TTL) values on these DNS results indicate that these addresses are only valid for 300 seconds. What happens if we ask again after that time has expired? We get 15 more, completely different, IP addresses. The spammers aren't actually moving their site every 5 minutes. What they are doing is a using a network of proxy servers all over the world and redirecting traffic through the proxies to the true pharmacy site. Whenever anyone looks up the address for the site they will get 15 randomly chosen addresses from the network. This rapid change in apparent location is fast-flux.

All this begs the question : "How big is this network?"

Over the 7 days from September 2 to September 8 inclusive I've seen this site proxied through 923 different IP addresses. Most of the addresses come and go from the network. Only 17 sites were active every day of the week.
923 is not a huge network by botnet standards but it certainly makes the task of hunting down the spammers that much harder.

Finally, if you are wondering where all those proxies are ...

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Richard manages SophosLabs' operations in the United States. His principal security interests are endpoint security and user education. When he's not worrying about digital perils he enjoys singing, much to the distress of his cat, whose name does not feature in any of his passwords.