As Morpheus from the movie The Matrix once said. “You take the blue pill and the story ends. You wake in your bed and believe whatever you want to believe. You take the red pill and you stay in Wonderland and I show you how deep the rabbit-hole goes. Remember — all I am offering is the truth, nothing more.”
We came across a rather interesting message today, though not for the contents of the message itself, but rather the amount of trouble the spammer went to in order to protect and hide himself by involving so many different countries in his campaign. Lets begin with the message itself which arrived on an email account that belongs to an American company.
The message contained a single image, as seen above, with text written in Hebrew. Whether it was a targeted message or randomly spammed we’re not certain. The call-to-action link and image are hosted on a .in TLD site which is India’s country code. When you do a whois on the domain, you see the following.
Registrant Name:chang lee
Registrant Organization:chang lee
Registrant Street1:399 Youth Road
Registrant Postal Code:250200
The person claiming to own the domain is from Hong Kong which we can assume is not the actual person, with a @yahoo.com email address. If you look further down you see the name server is actually on a .ru TLD which is Russia. We can take it even further by getting the IP of the name server which resolves to 126.96.36.199. Doing a whois on the IP address we find that it belongs to CAT Telecom Data Comm., which is based out of Bangkok Thailand and is where the wild goose chase ends.
Despite the spammer going through all this trouble to remain hidden, it doesn’t change the methods we use to block these messages. It just makes the lives of those trying to track them down a little more difficult since they need to go through multiple jurisdictions to catch them.