Spam dating page
In late October 2016, an anonymous source shared with Krebs On Security a list of nearly 100 URLs that — when loaded into a Firefox browser — each displayed what appeared to be a crude but otherwise effective text-based panel designed to report in real time how many “bots” were reporting in for duty.

Here’s a set of archived screenshots of those counters illustrating how these various botnet controllers keep a running tab of how many “active bots” — hacked servers set up to relay spam — are sitting idly by and waiting for instructions.

    Received: from minitanth.info-88(037008194168.suwalki.[126.96.36.199])
    Received: from exundancyc.megabulkmessage225(109241011223.slupsk.[109.2])
    Received: from disfrockinga.message-49(unknown [.251])
    Received: from offenders.megabulkmessage223(088156021226.olsztyn.[88.1])
    Received: from snaileaterl.inboxmsg-228(109241018033[109.2])
    Received: from soapberryl.inboxmsg-242(037008209142.suwalki.[188.8.131.52])
    Received: from dicrostonyxc.inboxmsg-230(088156042129.olsztyn.[88.1])

To learn more about what information you can glean from email headers, see this post. But for now, here’s a crash course for our purposes.
But a note of caution: I’d strongly encourage anyone interested in following my research to take care before visiting these panels, preferably doing so from a disposable “virtual” machine that runs something other than Microsoft Windows.
So how did Krebs On Security tie the spam that was sent to promote these two adult dating schemes to the network of spam botnet panels that I mentioned at the outset of this post?
I should say it helped immensely that one anti-spam source maintains a comprehensive, historic collection of spam samples, and that this source shared more than a half dozen related spam samples. All of those spams had similar information included in their “headers” — the metadata that accompanies all email messages.
So, armed with all of that information, it took just one or two short steps to locate the IP addresses of the corresponding botnet reporting panels.
Quite simply, one runs DNS lookups to find the name servers that were providing DNS service for each of this spammer’s second-level domains.
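As an added illustration of the two pivots the post describes (pulling the relaying hosts out of the spam’s “Received:” headers, then grouping the spammer’s second-level domains by the name servers that serve them), here is example code that is not from the post. The header samples, reverse-DNS names, IP addresses, domain names and NS answers are all constructed, and the NS resolver is a stand-in lookup table rather than a live DNS query.

```python
import re
from collections import defaultdict

# Shape of the headers quoted in the post:
#   Received: from <HELO name> (<reverse-DNS name> [<IPv4>])
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s*\((?P<rdns>\S+)\s*"
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)

def parse_received(line):
    """Return {'helo', 'rdns', 'ip'} for one header line, or None if it is
    not a 'from <host> (<rdns> [<ip>])' line (e.g. a 'Received: by' hop)."""
    m = RECEIVED_RE.match(line.strip())
    return m.groupdict() if m else None

def relay_bots(headers):
    """Distinct IPs of the hosts that relayed the samples (the 'active bots')."""
    return sorted({p["ip"] for p in map(parse_received, headers) if p})

def cluster_by_nameserver(domains, resolve_ns):
    """Group domains by the name servers they share. resolve_ns(domain) must
    return a list of NS hostnames; it is injected so this runs offline, and in
    practice would wrap a real NS query."""
    groups = defaultdict(set)
    for d in domains:
        for ns in resolve_ns(d):
            groups[ns.lower().rstrip(".")].add(d.lower())
    return {ns: sorted(ds) for ns, ds in groups.items()}

# Constructed samples: HELO names mimic the post's pattern; rDNS names and IPs
# are invented (documentation address space), not values from the post.
SAMPLE_HEADERS = [
    "Received: from minitanth.info-88 (037008194168.suwalki.isp-example.pl [192.0.2.168])",
    "Received: from exundancyc.megabulkmessage225 (109241011223.slupsk.isp-example.pl [192.0.2.223])",
    "Received: from disfrockinga.message-49 (unknown [198.51.100.251])",
    "Received: from offenders.megabulkmessage223 (088156021226.olsztyn.isp-example.pl [192.0.2.226])",
    "Received: by mx.example.org with SMTP id abc123",  # internal hop, not a relay
]

# Constructed NS answers for hypothetical promoted domains: two share a name
# server (the infrastructure link the post pivots on), one does not.
FAKE_NS = {
    "dating-promo-example.com": ["ns1.panel-example.net.", "NS2.panel-example.net"],
    "hookup-offer-example.net": ["ns1.panel-example.net"],
    "unrelated-example.org": ["ns.some-hoster-example.com"],
}

def fake_resolve_ns(domain):
    return FAKE_NS.get(domain, [])

if __name__ == "__main__":
    print(relay_bots(SAMPLE_HEADERS))
    print(cluster_by_nameserver(FAKE_NS, fake_resolve_ns))
```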
Currently, the entire botnet (counting the active bots from all working bot panels) seems to hover around 80,000 systems.