[Mimedefang] Spammer zombie group behaviour

Joseph Brennan brennan at columbia.edu
Thu Apr 22 15:27:11 EDT 2004



--On Thursday, April 22, 2004 1:57 PM -0500 Chris Myers 
<chris at by-design.net> wrote:

> I don't have a way to get my hands on one of the compromised systems, so I
> don't know how they're communicating (I can speculate of course...), but
> it seems pretty clear to me that they ARE communicating.


We had one on campus.  The communication is not by mail but through
other ports.   It is a distributed network too.  The campus host--
a Windows PC of course-- was getting small bursts of inbound data,
sending a few dozen spam messages, and also sending small bursts of
outbound data to other hosts.  It was taken off the network and the
owner reformatted the disk.  Clearly some kind of software had been
installed on it to do what it was doing.  The owner may have
downloaded dodgy file sharing software or the like; we don't know.

I have also seen the results in syslog in other cases.  If I extract
lines with similar subjects, like vicodin ads, sometimes I can see
recipients progress through the alphabet, even though the mail comes
from different IPs, almost one recipient per sender IP; it is that
widely distributed.  The only sign of it not being coincidental is the
nice alphabetical progression of recipient addresses.

Following the money... the advertised web sites were hosted in China.
They are believed to be controlled by the very large spam enterprises
like Alan Ralsky's operation.

The lovely irony for us is that because the government of China has
some political issues with Columbia University, many Chinese sites
won't resolve for our IP space, and thus sometimes the spammer's
sites are unreachable from here.  It doesn't really make me feel
any better but it is a small laff.

Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
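The syslog heuristic described in the post above (group log lines by similar subject, then look for recipients advancing through the alphabet while the sending IP changes with nearly every message) can be scripted. The following is an added example, not code from the original post or from MIMEDefang; the simplified log line format, the field names and the sample lines are all constructed for the example, so the regular expression will need adjusting to a real sendmail or MIMEDefang log.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic). One line per delivery attempt:
# timestamp, MX host, relay IP, recipient, subject. Two subjects are mixed
# together: a spam subject spread across many relay IPs whose recipients walk
# the alphabet, and an ordinary subject from a single relay in no order.
SAMPLE_LOG = """\
Apr 22 14:01:03 mx relay=[198.51.100.11] to=<aaron@example.edu> subject="Cheap Vicodin"
Apr 22 14:01:09 mx relay=[203.0.113.5] to=<olivia@example.edu> subject="Meeting notes"
Apr 22 14:01:40 mx relay=[192.0.2.77] to=<bella@example.edu> subject="cheap vicodin"
Apr 22 14:02:15 mx relay=[203.0.113.5] to=<carl@example.edu> subject="Meeting notes"
Apr 22 14:02:31 mx relay=[198.51.100.200] to=<carl@example.edu> subject="Cheap Vicodin!"
Apr 22 14:03:02 mx relay=[192.0.2.9] to=<dana@example.edu> subject="CHEAP VICODIN"
Apr 22 14:03:44 mx relay=[203.0.113.5] to=<bella@example.edu> subject="Meeting notes"
Apr 22 14:04:10 mx relay=[198.51.100.42] to=<erik@example.edu> subject="cheap vicodin"
Apr 22 14:04:58 mx relay=[192.0.2.150] to=<frank@example.edu> subject="Cheap vicodin"
"""

# Hypothetical log layout; a real MTA log needs its own pattern here.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ relay=\[(?P<ip>[^\]]+)\] '
    r'to=<(?P<rcpt>[^>]+)> subject="(?P<subj>[^"]*)"$'
)


def normalize_subject(subject):
    """Fold case and strip punctuation so minor variations group together."""
    letters_only = re.sub(r"[^a-z ]", "", subject.lower())
    return " ".join(letters_only.split())


def parse_log(text):
    """Return log entries in file order; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ts": m.group("ts"),
            "ip": m.group("ip"),
            # Compare on the lower-cased local part, as a human scanning
            # syslog for "a..., b..., c..." would.
            "rcpt": m.group("rcpt").split("@")[0].lower(),
            "subject": normalize_subject(m.group("subj")),
        })
    return entries


def longest_sorted_run(entries):
    """Longest slice (in arrival order) whose recipients never go backwards."""
    if not entries:
        return []
    best_start, best_len, start = 0, 1, 0
    for i in range(1, len(entries)):
        if entries[i]["rcpt"] < entries[i - 1]["rcpt"]:
            start = i          # alphabetical order broken; start a new run
        if i - start + 1 > best_len:
            best_start, best_len = start, i - start + 1
    return entries[best_start:best_start + best_len]


def analyze(log_text, min_run=4, min_ip_ratio=0.8):
    """Per subject: longest alphabetical recipient run and how many distinct
    relay IPs it spans. A long run fed by nearly one IP per message is the
    pattern the post describes, so it is flagged as suspicious."""
    by_subject = defaultdict(list)
    for e in parse_log(log_text):
        by_subject[e["subject"]].append(e)

    report = {}
    for subject, entries in by_subject.items():
        run = longest_sorted_run(entries)
        ips = {e["ip"] for e in run}
        spread = len(ips) / len(run) if run else 0.0
        report[subject] = {
            "count": len(entries),
            "run": len(run),
            "distinct_ips": len(ips),
            "run_recipients": [e["rcpt"] for e in run],
            "suspicious": len(run) >= min_run and spread >= min_ip_ratio,
        }
    return report


if __name__ == "__main__":
    for subject, info in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {subject!r}: run={info['run']} "
              f"ips={info['distinct_ips']} {info['run_recipients']}")
```

On the constructed sample the vicodin subject yields a six-recipient run (aaron through frank) from six different relay IPs and is flagged, while the meeting-notes subject, delivered out of order from one relay, is not. The thresholds are deliberately conservative: a short alphabetical run from one or two IPs is exactly the coincidence the post warns about, and only the combination of length and IP spread is worth a second look.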
