One of the most popular methods of spamming is snowshoe spam, also known as hit and run spam. This involves spam that comes from many IP addresses and many domains, in order to minimize the effect of antispam filtering. The spammer typically sends a burst of such spam and moves to new IP addresses with new domains. Previously used domains and IP addresses are rarely used again, if ever.
Some spammers like to use a similar pattern across their spam campaigns. This blog discusses a particular snowshoe spam operation that I have labeled “From-Name snowshoe”. While there are other features in the message that allow the campaigns to be grouped into the same bucket, the messages’ most distinct feature is that all of the email addresses that appear in the “from” line use real names as their usernames.
- From: [REMOVED] <Leila.Day@[REMOVED]>
- From: [REMOVED] <CharlotteTate@[REMOVED]>
- From: [REMOVED] <Diana.Pope@[REMOVED]>
- From: [REMOVED] <SamuelLambert@[REMOVED]>
- From: [REMOVED] <Jackson.Garza@[REMOVED]>
- From: [REMOVED] <JohnathanParsons@[REMOVED]>
- From: [REMOVED] <EliasTaylor@[REMOVED]>
This From-Name snowshoe campaign had two interesting traits. The first was the timing. Over the course of a few months, I have noticed that this spam operation only sent messages on weekdays.
Figure 1. Over 59 million spam messages have been identified since October 16, 2013.
After further investigating this timing, we discovered that the spam is only sent between 6am and 7pm Pacific Time. Coupled with the fact that messages were only sent during weekdays, this suggested that the operation could be part of a business.
The second trait was the IP addresses that were used for this spam run. As noted above, typical snowshoe spam does not return to the same IP addresses. However, analysis into the senders’ IP addresses revealed that the messages were coming from multiple IP addresses that were owned by the same entity. This organization is called “Network Operations Center,” which is based in Scranton, Pennsylvania, and it’s a well-known spam operation.
Last month, this spam operation began to send the same type of spam messages from IP addresses owned by other entities. One of them was “Nth Air, Inc.”.
Figure 2. Spam sample sent from IP addresses owned by other entities, including “Nth Air, Inc
Figure 3. Email header snippet showing Nth Air, Inc’s IP address
While a simple online search for “Network Operations Center spam” produced many results discussing spam, a similar search for Nth Air did not have as many results. In fact, the company appears to have been a legitimate WiMAX provider in the past, as seen in this press release. I was unable to find news about the company in recent times, which led me to believe that the organization may no longer exist. However, ARIN records indicated that the company was based in San Jose, California, so I decided to visit its offices in the hopes of finding out more information about the organization.
Figure 4. Visiting the building with address listed on Nth Air
I went to the suite that was listed online, but another company was using it.
Figure 5. Suite 70 is now occupied by Sutherland Global Services
I called the phone number listed online to no avail. My email to email@example.com bounced back because, “the recipient does not exist.” Bummer.
Since my visit to “Nth Air, Inc” did not work out as planned, I turned to “LiteUp, Inc”.
Figure 6. Spam sample from LiteUp, Inc’s IP address
Figure 7. Email header snippet showing LiteUp, Inc’s IP address
ARIN listings indicated that the company was located in Berkeley, California, so I went there for a visit. Unfortunately, I was unable to find LiteUp at the listed address.
Figure 8. Address listed by LiteUp. It was a motorcycle store instead.
So that makes two instances of spammers using IP addresses owned by companies that do not exist, at least according to ARIN records.
I was unable to meet the spammers, or those who could be assisting spammers, but we are keeping a close watch to ensure that these spam messages do not reach end users’ inboxes.