Mitigate Damage after Massive Spam Impersonating Company Email

We need help with mitigating the damage inflicted by massive spam emails impersonating a company mailbox.


Problem Summary

The problem first started on Sat, Jan 9, 2016, with mass spam emails sent to thousands of customers with a spoofed From: address impersonating a company mailbox. See below for more details. Such spam attacks continued in several waves approximately 2 weeks apart. At the moment of this writing (April 17, 2016) the problem is still ongoing, with spam being re-sent sporadically. The consistency and sophistication of the phenomenon make us wonder if it is state-sponsored. We have no proof, though, beyond what is documented here.

While most such emails are filtered out by mail servers on delivery, some do get through. The damage occurs in the following ways.

Below are the details regarding this specific situation, mostly documented during the first 2 waves of spam.

Problem Description

The problem first started on Sat, Jan 9, 2016 at approximately 3:55 AM GMT. Many company customers were sent a spam message that looked similar to the one shown below. A second wave of spam started two weeks later on January 24, 2016 at approximately 8:18 AM GMT.

[Figure: spam message example]

The From: address is impersonated, there are 5 recipients, a short message body, and a link. Here are some additional details about the problem, starting with the whois record for the destination domain:

   Domain Name: KHYTAT.COM
   Registrar: TURNCOMMERCE, INC. DBA NAMEBRIGHT.COM
   Sponsoring Registrar IANA ID: 1441
   Whois Server: whois.namebright.com
   Referral URL: http://www.namebright.com
   Name Server: NS1.ASINFGS.RU
   Name Server: NS2.ASINFGS.RU
   Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
   Updated Date: 09-jan-2016
   Creation Date: 09-jan-2016
   Expiration Date: 09-jan-2017


Mitigation

There are several aspects to this problem.

  1. Confused customers.
  2. The botnet used to send the spam.
  3. Various landing sites and pages to which the spam leads.
  4. The ultimate destination at khytat.com, to which the above pages redirect traffic.

Let's see whether we can do anything about each of these issues.

Confused Customers

Some customers mistakenly believed the email was real, and clicked on the link. Others may have gotten confused. We can deal with this by sending a follow-up communication explaining the situation.

Botnet

All we can do here is identify the spam source from message headers. We may then contact the Internet Service Providers and tell them about the problem, which may lead to a reduction of botnet capability. Below is a partial list of IP addresses believed to be botnet members, obtained from bounced message headers. Note that some IP addresses may be listed incorrectly, as it may be hard to tell for sure who is spamming. If any IP address raises a concern about incorrect listing, please comment on this post and we'll see if we can post message headers for additional analysis.

1.22.4.110
14.47.163.91
41.218.208.145
61.17.14.84
62.149.157.220
79.167.74.92
82.165.38.128
85.25.162.242
92.97.145.203
111.252.214.35
112.204.184.62
112.210.75.81
113.169.38.153
114.38.150.241
116.0.23.225
116.58.243.87
116.220.122.48
117.220.197.98
121.96.96.176
121.136.146.157
124.13.207.79
124.144.249.140
126.44.146.83
139.192.100.37
161.10.234.115
167.56.23.42
169.0.91.80
171.224.32.137
178.237.13.18
178.238.45.44
180.254.171.0
181.23.211.82
181.189.217.59
186.94.131.253
187.230.41.183
188.49.220.102
190.7.134.194
190.31.206.95
193.120.164.180
193.253.96.183
195.4.92.141
201.127.51.107
201.243.239.241
210.186.225.112
212.40.180.15
212.40.180.155
212.227.17.8
217.160.140.227
218.102.23.34
218.102.62.136
223.205.181.253
223.207.96.224

So, in theory, we may do a whois on a botnet address, find the abuse contact for the IP, and report the problem to them. Some systems may get fixed or taken offline this way, reducing future botnet capability.
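
As an added example (not part of the original post), here is how the origin addresses can be pulled out of bounced-message headers programmatically. The header blocks below are constructed for the example: the hostnames are placeholders, and the two origin IPs are taken from the list above so the output is comparable with it. Addresses that are not globally routable (internal relays, a forged localhost hop) are dropped, which is one of the reasons an address can end up listed incorrectly.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Constructed sample data: original-message header blocks as they would be
# copied out of bounce reports. Hostnames are placeholders; the two origin
# IPs are taken from the list above so the output is comparable with it.
BOUNCED_HEADERS = [
    # Direct delivery from a bot: the oldest Received line carries its IP.
    "Received: from mx2.customer.example ([10.0.0.5])\n"
    "\tby mailbox.customer.example with LMTP; Sat, 9 Jan 2016 03:55:40 +0000\n"
    "Received: from [1.22.4.110] (unknown [1.22.4.110])\n"
    "\tby mx2.customer.example with SMTP id k7so2; Sat, 9 Jan 2016 03:55:12 +0000\n"
    "From: Company Support <support@company.example>\n"
    "To: customer1@customer.example\n"
    "Subject: Your account\n",
    # The bot added a forged localhost hop below the line the real MX wrote.
    "Received: from mx2.customer.example ([10.0.0.5])\n"
    "\tby mailbox.customer.example with LMTP; Sat, 9 Jan 2016 03:56:02 +0000\n"
    "Received: from dsl-host.isp.example (dsl-host.isp.example [212.227.17.8])\n"
    "\tby mx2.customer.example with SMTP id q1zz9; Sat, 9 Jan 2016 03:55:58 +0000\n"
    "Received: from localhost (localhost [127.0.0.1])\n"
    "\tby dsl-host.isp.example with ESMTP; Sat, 9 Jan 2016 03:55:50 +0000\n"
    "From: Company Support <support@company.example>\n"
    "To: customer2@customer.example\n"
    "Subject: Your account\n",
    # Same bot as the first message, different recipient.
    "Received: from mx2.customer.example ([10.0.0.5])\n"
    "\tby mailbox.customer.example with LMTP; Sat, 9 Jan 2016 03:57:11 +0000\n"
    "Received: from [1.22.4.110] (unknown [1.22.4.110])\n"
    "\tby mx2.customer.example with SMTP id z8ab1; Sat, 9 Jan 2016 03:57:01 +0000\n"
    "From: Company Support <support@company.example>\n"
    "To: customer3@customer.example\n"
    "Subject: Your account\n",
]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def connecting_ip(received_line):
    """IP recorded in one Received line (the first bracketed address belongs to
    the 'from' clause), or None if the line has no literal address."""
    m = BRACKETED_IP.search(received_line)
    return m.group(1) if m else None


def origin_ip(raw_headers, trusted_mx=None):
    """IP of the host that injected the message into the mail system.

    Received lines are newest-first. With trusted_mx, use the line that server
    stamped: everything below it was written by the sender and can be forged.
    Without it, fall back to the oldest line that carries a public address."""
    hops = message_from_string(raw_headers).get_all("Received", [])
    if trusted_mx:
        for hop in hops:
            by = BY_HOST.search(hop)
            if by and by.group(1).lower() == trusted_mx.lower():
                ip = connecting_ip(hop)
                return ip if ip and ipaddress.ip_address(ip).is_global else None
        return None
    for hop in reversed(hops):
        ip = connecting_ip(hop)
        # Private, loopback and other non-routable addresses are internal
        # relays or forged hops; nobody can act on an abuse report for them.
        if ip and ipaddress.ip_address(ip).is_global:
            return ip
    return None


def botnet_report(header_blocks, trusted_mx=None):
    """Count origin IPs over many bounces; returns [(ip, count)] sorted by IP."""
    counts = Counter(
        ip for ip in (origin_ip(h, trusted_mx) for h in header_blocks) if ip
    )
    return sorted(counts.items(), key=lambda kv: ipaddress.ip_address(kv[0]))


if __name__ == "__main__":
    for ip, n in botnet_report(BOUNCED_HEADERS, trusted_mx="mx2.customer.example"):
        print(f"{ip:<16} seen in {n} bounce(s)")
```

With trusted_mx set to the server that accepted the message (here the customer's MX named in the bounce), only the Received line that server stamped is used, so a hop the bot forges below it cannot change the result; without it the function takes the oldest public address, which is the quicker heuristic the caveat above is about. Keep the full header block next to each address when sending an abuse report.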

Landing Sites

Assuming the sites were hacked, we may contact site webmasters and let them know. Below is a partial list of links used in spam emails.

http://10servis.com/looked.php?sjkw
http://10servis.com/thrown.php?qb
http://alvisfashion.co.uk/yes.php?4
http://bioway.in/power.php
http://c00036.247development.net/himself.php?931
http://c00036.247development.net/living.php?3y
http://clear.ya1.ru/either.php?v03uo
http://clear.ya1.ru/them.php?m
http://congnghiepthanhlong.com/brother.php?ox5g5
http://congnghiepthanhlong.com/probably.php?0s7
http://christopherschopf.com/beautiful.php?m9
http://denicious.com/heard.php?up
http://denicious.com/read.php?hgs
http://elrewiee.com/continued.php?xh2f
http://elrewiee.com/order.php?4jd2o
http://elrewiee.com/whenever.php?a3
http://estoncamlievler76.com/body.php?z
http://estoncamlievler76.com/leaving.php?8cf5h
http://estoncamlievler76.com/lying.php?c5jd
http://estoncamlievler76.com/towards.php?vncw
http://denicious.com/small.php?7jogk
http://gpsapartners.com/back.php?mci
http://iperfume.co.il/found.php?7
http://lauraclauvi.ro/this.php?98
http://mahanketab.com/anything.php?m1r8
http://mahanketab.com/persons.php?s3
http://mahanketab.com/work.php?an
http://mannyaniceto.com/says.php?sg
http://mawiteknik.com/standing.php?ais0
http://mawiteknik.com/surprised.php?xf61
http://montear.info/showed.php?m9yp
http://neox.tmpl.mk.ua/also.php?bp
http://neox.tmpl.mk.ua/truth.php?62k6q
http://neox.tmpl.mk.ua/which.php?4pv61
http://netsynchcomputersolutions.com/offer.php?53a
http://qataratalgamal.com/caught.php?v
http://rsgaz.ru/satisfied.php?cxcg
http://sanpham.techpal.vn/towards.php?fa8
http://serrurier--paris.pro/beauty.php?r
http://soltravelservices.com/wanted.php?m3
http://stock-bazar.ir/conversation.php?muwup
http://stock-bazar.ir/tired.php?k1sz7
http://totalexecutivemgmt.com/engaged.php?lngxn
http://totalexecutivemgmt.com/morning.php?f
http://tubemulticouche.fr/seat.php?umy
http://tutikutyu.hu/ask.php?38l
http://tutikutyu.hu/chance.php?ykog
http://vintage-vision.com/fact.php?8hg2
http://xerox.web.tr/natural.php?5
http://webfactory.webbandit.co.za/brother.php?3o1p
http://webfactory.webbandit.co.za/finding.php?w7j0t
http://сон33.рф/manners.php?xgfv9

Ultimate Destination

Apparently, contacting a webmaster would not do anything here, as this is the place where data is ultimately harvested. Here are some examples of pages to which the redirect was occurring:

http://172-fitness.khytat.com/enyupb/we-everyday/pure-natural-forskolin/
http://315-healthandbeauty.khytat.com/endfbz/we-everyday/pure-natural-forskolin/

Let's do an nslookup on the domain to see what's there. Below is the result of the query on January 10, 2016:

[Figure: nslookup results for khytat.com on Jan 10, 2016]

We see a round-robin setup with 4 servers for the domain across 2 providers. We may try contacting the hosting providers and letting them know. This actually works, at least partially, as the same query a day later returns this:

[Figure: nslookup results for khytat.com on Jan 11, 2016]

[Figure: nslookup results for khytat.com on Jan 12, 2016]

[Figure: nslookup results for khytat.com on Jan 12, 2016 at 18:07 GMT]

[Figure: nslookup results for khytat.com on Jan 12, 2016 at 19:15 GMT]

Wave 2

Wave 2 Botnet

1.1.162.5
43.241.26.183
46.121.97.247
49.149.21.66
85.64.216.156
109.120.205.222
114.31.0.72
118.172.67.107
122.1.226.75
122.172.36.127
122.172.119.146
176.44.208.90
182.70.112.94
187.230.83.72
188.159.60.53
201.142.224.22
201.143.178.178
212.233.220.139
213.92.5.226

Wave 2 Landing Pages

http://10servis.com/ashamed.php?yf
http://airmedia.su/ah.php?xhqzd
http://esportskart.com/loved.php?o
http://estoncamlievler76.com/lying.php?v9
http://iperfume.co.il/from.php?2ckc
http://ishahbeauty.com/show.php?o9sw0
http://ks.mpt.ru/back.php?6
http://neox.tmpl.mk.ua/also.php?qxi
http://neox.tmpl.mk.ua/news.php?y
http://neox.tmpl.mk.ua/altogether.php?4
http://neox.tmpl.mk.ua/truth.php?7
http://netsynchcomputersolutions.com/before.php?z
http://netsynchcomputersolutions.com/perfect.php?6
http://oficinacriativa-d.com.br/order.php?y
http://radek.pomorze.pl/he.php?6n
http://sanpham.techpal.vn/consider.php?he2
http://sanpham.techpal.vn/court.php?fw45
http://sanpham.techpal.vn/touched.php?hb
http://sewakostumbandung.com/change.php?454u2
http://sewakostumbandung.com/heavy.php?y38wc
http://stock-bazar.ir/conversation.php?lvj
http://test.sibelayakkabicilik.com.tr/strength.php?hipa9
http://test.sibelayakkabicilik.com.tr/worth.php?2
http://totalexecutivemgmt.com/no.php?u
http://xerox.web.tr/woman.php?u9u5
http://www.amstartoys.com/green.php?hz73
http://www.amstartoys.com/happened.php?wu6

Wave 2 Redirects from Landing Pages

<meta http-equiv="refresh" content="2; url=http://rxwzia.com/?a=370957&c=wl_con">
<meta http-equiv="refresh" content="2; url=http://iijiig.com/?a=370957&c=wl_con">
<meta http-equiv="refresh" content="2; url=http://bmxnxa.com/?a=370957&c=wl_con">
<meta http-equiv="refresh" content="2; url=http://hxdegt.com/?a=370957&c=wl_con">
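
Added example, not from the original post: pulling the redirect target out of captured landing-page HTML and walking the chain offline to the ultimate destination. The page captures are constructed stand-ins keyed by URLs that appear on this page; the HTML bodies are not copies of the real pages, only the meta refresh form shown above in its common case and quoting variants.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

# Constructed page captures keyed by URL. The URLs are ones listed on this page;
# the HTML bodies are minimal stand-ins for a compromised landing page and the
# affiliate hop, not copies of the real pages.
CAPTURED_PAGES = {
    "http://10servis.com/ashamed.php?yf":
        '<html><head><meta http-equiv="refresh" '
        'content="2; url=http://rxwzia.com/?a=370957&c=wl_con"></head>'
        "<body>Loading...</body></html>",
    "http://rxwzia.com/?a=370957&c=wl_con":
        "<html><head><META HTTP-EQUIV='Refresh' CONTENT=\"0;URL='http://238-fitness."
        "iijiig.com/enzzsz/we-everyday/pure-natural-forskolin/'\"></head></html>",
    "http://238-fitness.iijiig.com/enzzsz/we-everyday/pure-natural-forskolin/":
        "<html><body><h1>Pure Natural Forskolin</h1></body></html>",
}

# content="<delay>; url=<target>", in the case and quoting variants seen in the wild
REFRESH_CONTENT = re.compile(
    r"^\s*(\d+)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE
)


class MetaRefreshFinder(HTMLParser):
    """Record the first <meta http-equiv=refresh> delay and target in a document."""

    def __init__(self):
        super().__init__()
        self.delay = None
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lower-cases attribute names
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = REFRESH_CONTENT.match(a.get("content", ""))
        if m:
            self.delay, self.target = int(m.group(1)), m.group(2).strip()


def meta_refresh_target(html):
    """(delay_seconds, target_url) for the page, or (None, None) without a refresh."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    return finder.delay, finder.target


def follow_chain(start_url, pages, max_hops=10):
    """Walk meta-refresh redirects through captured pages. Stops at a page with
    no refresh, a URL that was not captured, a loop, or the hop limit; the
    last element is the furthest URL reached."""
    chain, url = [start_url], start_url
    while url in pages and len(chain) <= max_hops:
        _, nxt = meta_refresh_target(pages[url])
        if nxt is None:
            break
        nxt = urljoin(url, nxt)          # targets may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:         # loop: record it once, then stop
            break
        url = nxt
    return chain


def affiliate_id(url):
    """The a= query parameter carried by the intermediate hop (campaign tracking id)."""
    return parse_qs(urlparse(url).query).get("a", [None])[0]


if __name__ == "__main__":
    start = "http://10servis.com/ashamed.php?yf"
    hops = follow_chain(start, CAPTURED_PAGES)
    print(" -> ".join(hops))
    print("affiliate id:", affiliate_id(hops[1]))
```

The chain stops at the first URL that is not in the capture set, so the output shows how far the captured material reaches; the a= value groups landing pages that feed the same campaign, which is useful when deciding which intermediate domains to report together.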

Wave 2 Ultimate Destination

This is a small subset of the destination pages.

http://295-health.ofyjk.com/eniztv/we-everyday/pure-natural-forskolin/
http://238-fitness.iijiig.com/enzzsz/we-everyday/pure-natural-forskolin/
http://492-health.iijiig.com/enpqai/we-everyday/pure-natural-forskolin/
http://854-fitness.iijiig.com/encxnd/we-everyday/pure-natural-forskolin/
http://855-diet.iijiig.com/entyzj/we-everyday/pure-natural-forskolin/
http://775-weightloss.iijiig.com/enlftz/we-everyday/pure-natural-forskolin/

Name servers for iijiig.com on Jan 25, 2016 12:05 AM:

ns1.cnasoigse.ru
ns2.cnasoigse.ru

nslookup results for iijiig.com on Jan 25, 2016 12:05 AM:

> iijiig.com
Server:		ns1.cnasoigse.ru
Address:	62.213.67.104#53

iijiig.com
	origin = ns1.iijiig.com.iijiig.com
	mail addr = admin.iijiig.com.iijiig.com
	serial = 1
	refresh = 300
	retry = 300
	expire = 300
	minimum = 1440
Name:	iijiig.com
Address: 43.245.203.75
Name:	iijiig.com
Address: 92.243.21.22
Name:	iijiig.com
Address: 92.243.9.188
Name:	iijiig.com
Address: 43.245.203.76
>


Name servers for ofyjk.com on Jan 25, 2016 12:05 AM GMT:

ns1.sncoid.ru
ns2.sncoid.ru

nslookup results for ofyjk.com on Jan 25, 2016 12:05 AM GMT:

> ofyjk.com
Server:		sncoid.ru
Address:	188.127.231.97#53

ofyjk.com
	origin = ns1.ofyjk.com.ofyjk.com
	mail addr = admin.ofyjk.com.ofyjk.com
	serial = 1
	refresh = 300
	retry = 300
	expire = 300
	minimum = 1440
Name:	ofyjk.com
Address: 43.245.203.75
Name:	ofyjk.com
Address: 92.243.21.22
Name:	ofyjk.com
Address: 92.243.9.188
Name:	ofyjk.com
Address: 43.245.203.76
>


Name servers for rxwzia.com on Jan 25, 2016 8:00 PM GMT:

ns1.ckmasoigsec.ru
ns2.ckmasoigsec.ru

nslookup results for rxwzia.com on Jan 25, 2016 8:00 PM GMT:

> rxwzia.com
Server:		ckmasoigsec.ru
Address:	62.141.36.69#53

rxwzia.com
	origin = ns1.rxwzia.com.rxwzia.com
	mail addr = admin.rxwzia.com.rxwzia.com
	serial = 1
	refresh = 300
	retry = 300
	expire = 300
	minimum = 1440
Name:	rxwzia.com
Address: 212.129.52.19
Name:	rxwzia.com
Address: 212.129.52.232
Name:	rxwzia.com
Address: 43.245.203.76
Name:	rxwzia.com
Address: 43.245.203.75
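
An added example (not part of the original post) that parses the nslookup output above and correlates the three destination domains by the addresses they share, which tells you which hosting provider a single report covers. The data is copied from the output above, with ofyjk.com and rxwzia.com abridged to their answer sections; the SOA thresholds are the ranges RFC 1912 recommends and are an assumption of this check, not something the post states.

```python
import re
from collections import defaultdict

# Copied from the nslookup output above: iijiig.com in full, the other two
# domains abridged to their answer sections.
NSLOOKUP_OUTPUT = {
    "iijiig.com": """\
> iijiig.com
Server:\t\tns1.cnasoigse.ru
Address:\t62.213.67.104#53

iijiig.com
\torigin = ns1.iijiig.com.iijiig.com
\tmail addr = admin.iijiig.com.iijiig.com
\tserial = 1
\trefresh = 300
\tretry = 300
\texpire = 300
\tminimum = 1440
Name:\tiijiig.com
Address: 43.245.203.75
Name:\tiijiig.com
Address: 92.243.21.22
Name:\tiijiig.com
Address: 92.243.9.188
Name:\tiijiig.com
Address: 43.245.203.76
""",
    "ofyjk.com": """\
Name:\tofyjk.com
Address: 43.245.203.75
Name:\tofyjk.com
Address: 92.243.21.22
Name:\tofyjk.com
Address: 92.243.9.188
Name:\tofyjk.com
Address: 43.245.203.76
""",
    "rxwzia.com": """\
Name:\trxwzia.com
Address: 212.129.52.19
Name:\trxwzia.com
Address: 212.129.52.232
Name:\trxwzia.com
Address: 43.245.203.76
Name:\trxwzia.com
Address: 43.245.203.75
""",
}

RESOLVER = re.compile(r"^Server:\s*(\S+)\s*\nAddress:\s*(\S+)#\d+", re.M)
SOA_FIELD = re.compile(
    r"^\s*(origin|mail addr|serial|refresh|retry|expire|minimum)\s*=\s*(\S+)", re.M
)
ANSWER = re.compile(r"^Name:\s*(\S+)\s*\nAddress:\s*(\S+)", re.M)

# Lower bounds taken from RFC 1912 section 2.2 (refresh 1200-43200 s, expire 2-4 weeks)
MIN_REFRESH, MIN_EXPIRE = 1200, 14 * 86400


def parse_nslookup(text):
    """Split interactive nslookup output into resolver, SOA fields and A records.
    The Address: line that follows Server: is the resolver, not an answer."""
    resolver = RESOLVER.search(text)
    soa = {k: int(v) if v.isdigit() else v for k, v in SOA_FIELD.findall(text)}
    addresses = {addr for _name, addr in ANSWER.findall(text)}
    return {"resolver": resolver.group(1) if resolver else None,
            "soa": soa, "addresses": addresses}


def shared_infrastructure(parsed):
    """IP -> sorted domains, for every address that two or more domains resolve to."""
    by_ip = defaultdict(set)
    for domain, info in parsed.items():
        for addr in info["addresses"]:
            by_ip[addr].add(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) > 1}


def soa_warnings(soa):
    """Flag SOA timers typical of throwaway zones that are expected to be re-pointed quickly."""
    warnings = []
    if soa.get("refresh", MIN_REFRESH) < MIN_REFRESH:
        warnings.append(f"refresh={soa['refresh']}s is below the {MIN_REFRESH}s RFC 1912 floor")
    if soa.get("expire", MIN_EXPIRE) < MIN_EXPIRE:
        warnings.append(f"expire={soa['expire']}s: secondaries drop the zone after minutes, not weeks")
    if soa.get("serial") == 1:
        warnings.append("serial=1: zone looks auto-generated and never edited")
    return warnings


if __name__ == "__main__":
    parsed = {d: parse_nslookup(t) for d, t in NSLOOKUP_OUTPUT.items()}
    for ip, domains in sorted(shared_infrastructure(parsed).items()):
        print(ip, "shared by", ", ".join(domains))
    for w in soa_warnings(parsed["iijiig.com"]["soa"]):
        print("iijiig.com SOA:", w)
```

The two addresses shared by all three domains are the ones to name in a report to their hosting provider, since one action there covers every destination that uses them, while the 212.129.52.x pair belongs to rxwzia.com alone. The 300-second refresh and expire timers and serial=1 are the marks of a zone generated by a script rather than maintained by hand.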

Improving SPF Record

The company DNS already used a Sender Policy Framework (SPF) record. Such a record allows a domain owner to specify the IP addresses or subnets that are authorized to send email on the domain's behalf. The objective here is to reduce the amount of spam that gets through.

"v=spf1 permitted_senders_here ~all"

We see that the above SPF record is somewhat relaxed (it ends with the ~all softfail mechanism). We may improve it by making it stricter: -all means that only the specified servers are allowed to send mail from the domain.

"v=spf1 permitted_senders_here -all"

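An added example (not from the original post) that evaluates a sender IP against an SPF record the way a receiving server does, so the effect of ~all versus -all is visible side by side. The zone table, domain names and address ranges are constructed placeholders, not the company's real record; the a, mx, ptr and exists mechanisms need live DNS and are treated as no-match here.

```python
import ipaddress

# Constructed zone data standing in for TXT lookups. The domain names and
# address ranges are placeholders, not the company's real record.
WEAK_ZONE = {
    "company.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:10::/48 -all",
}
# The same zone after the change described above: ~all becomes -all.
STRICT_ZONE = dict(WEAK_ZONE)
STRICT_ZONE["company.example"] = (
    "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_TERMS = 10   # RFC 7208 limit on include/a/mx/ptr/exists/redirect lookups


def check_spf(domain, sender_ip, zone, _lookups=None):
    """Evaluate sender_ip against domain's SPF record in the given zone table.

    Returns pass, fail, softfail, neutral, none or permerror. Mechanisms are
    taken left to right; the first match decides. a, mx, ptr and exists need
    live DNS and are treated as no-match here; redirect= is honoured only as
    the last term, which is where it normally sits."""
    lookups = _lookups if _lookups is not None else [0]
    record = zone.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        head = term.split(":", 1)[0]
        if "=" in head:                            # modifier, e.g. redirect= or exp=
            name, arg = term.lower().split("=", 1)
            if name != "redirect":
                continue
            lookups[0] += 1
            if lookups[0] > MAX_DNS_TERMS:
                return "permerror"
            return check_spf(arg, sender_ip, zone, lookups)
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_TERMS:
                return "permerror"
            inner = check_spf(arg, sender_ip, zone, lookups)
            if inner == "permerror":
                return "permerror"
            if inner == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"   # no term matched and there was no all: RFC 7208 default


def compare_policies(sender_ip):
    """Result a receiver gets for the sender under the relaxed and the strict record."""
    return (check_spf("company.example", sender_ip, WEAK_ZONE),
            check_spf("company.example", sender_ip, STRICT_ZONE))


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "1.22.4.110"):
        print(ip, "->", compare_policies(ip))
```

The third address in the demonstration is one of the botnet members listed above: under the relaxed record it only softfails, which most receivers treat as advisory, while under the strict record it fails outright. SPF is checked against the envelope sender (MAIL FROM) rather than the From: header the customers saw, so -all makes a spoofed envelope rejectable but is not a complete answer to a forged From: on its own, which is one reason the next section adds DKIM as well.
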
Using DKIM

Another thing we can do is to use DKIM, when possible. If we send mail via Google's servers, we can include their DKIM public key in our DNS zone after obtaining it from the Google Apps control panel. For example:

"v=DKIM1; k=rsa; p=MIGfMA0GCS...AQAB"

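An added example (not from the original post) that checks a DKIM selector record before it goes into the zone: tag syntax, testing mode, revocation (an empty p=), and the RSA modulus size read from the DER structure that p= carries. The synthetic keys are filler bytes in the correct DER shape, built only so the size check has something to parse; they are not usable keys. Run on the record as printed above, the check reports the key as undecodable because the printed value is truncated with "...".

```python
import base64
import binascii

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, rsaEncryption


def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, offset of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _expect(buf, i, tag):
    """Require DER tag at buf[i]; return its (length, content offset)."""
    if i >= len(buf) or buf[i] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {i}")
    return _der_len(buf, i + 1)


def rsa_modulus_bits(spki):
    """Modulus size of an RSA SubjectPublicKeyInfo, the DER structure p= carries."""
    _, i = _expect(spki, 0, 0x30)             # SubjectPublicKeyInfo SEQUENCE
    alg_len, i = _expect(spki, i, 0x30)       # AlgorithmIdentifier
    if spki[i + 2:i + 2 + len(RSA_OID)] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    i += alg_len
    _, i = _expect(spki, i, 0x03)             # BIT STRING holding RSAPublicKey
    i += 1                                    # skip the unused-bits byte
    _, i = _expect(spki, i, 0x30)             # RSAPublicKey SEQUENCE
    mod_len, i = _expect(spki, i, 0x02)       # modulus INTEGER
    modulus = spki[i:i + mod_len].lstrip(b"\x00")
    return (len(modulus) - 1) * 8 + modulus[0].bit_length()


def parse_dkim_record(txt):
    """Split a DKIM TXT record into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())   # whitespace inside values is ignored
    return tags


def audit_dkim_record(txt, min_bits=2048):
    """Return (modulus_bits_or_None, findings) for a selector record."""
    tags, findings = parse_dkim_record(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa").lower() != "rsa":
        findings.append("k= is not rsa; this check only sizes RSA keys")
        return None, findings
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: selector is in testing mode, verifiers may ignore failures")
    p = tags.get("p")
    if p is None:
        findings.append("missing p= tag")
        return None, findings
    if p == "":
        findings.append("p= is empty: key is revoked, signatures will not verify")
        return None, findings
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (binascii.Error, ValueError, IndexError) as exc:
        findings.append(f"p= does not decode to an RSA public key ({exc})")
        return None, findings
    if bits < min_bits:
        findings.append(f"{bits}-bit key is below the {min_bits}-bit target; plan a rotation")
    return bits, findings


def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the synthetic test keys."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def synthetic_rsa_spki(modulus_bytes):
    """Constructed SPKI with filler modulus bytes: right DER shape for the size check, NOT a usable key."""
    modulus = b"\x00" + b"\xc5" * modulus_bytes
    rsa_pub = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))


SAMPLE_RECORDS = {
    "1024-bit": "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_rsa_spki(128)).decode(),
    "2048-bit": "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_rsa_spki(256)).decode(),
    "revoked": "v=DKIM1; k=rsa; p=",
    "as printed above": "v=DKIM1; k=rsa; p=MIGfMA0GCS...AQAB",
}
```

The prefix MIGfMA0GCS visible in the record above is the base64 of a SubjectPublicKeyInfo whose outer SEQUENCE is 159 bytes long, which is the layout of a 1024-bit RSA key (a 2048-bit key starts with MIIBIjAN); the synthetic 1024-bit record produces the same prefix, and the check flags anything below 2048 bits so the selector can be scheduled for rotation when the full record is audited.
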
Summary

In this project, we improved spam protection by rectifying the SPF record and adding a DKIM public key to the company DNS zone. We also reported the offending destination domain to its hosting providers. The problem is that once they are disconnected, they easily change provider, so this part actually accomplishes very little beyond making their operation a bit more expensive.
