(Let’s hope my internet connection doesn’t die while i’m doing this…)
As I previously stated, I have gotten a bunch of emails from a few different hosts. They all obviously have something in common, but I cannot be sure what. The content is similar, but ips never correspond and they even go to differnt emails of mine. I apparently am not alone. What this reminds me of is spam list checks. That refers to hacker/crackers/phishers going through lists of email addresses to see which ones are valid and what gets through. This appears to be another, but with a twist.
Ok, let’s start with what we know: the ips. This is always a good place to start. If you take the ips and go back, you’ll find residential ips. These don’t have much in common that I can see except they all are residential (one was from Spain, another from Isreal, so you can see location varies). The sites themselves that are being “used” seem to be your average, everyday crappy web site. (1-tek.com has been under construction from 2002.) This implies that there is probably a weak smtp server (outgoing mail) on those sites that is just being used to bounce messages. So we have messages coming from a random house and going to a random server and then coming to me. Here’s where we start noticing little things.
Ok, on all of the messages, the headers are pretty limited. Only one of them contains an X-mailer header which is of The Bat! (v 2.02). The Bat! is a valid client program, but there’s something else you should realize: The Bat! is up to 3.5 or 3.8 (can’t remember which). Also, a piece of software called Advanced Mass Sender by kbbsoftware will use that mailer as one of the defaults for sending out massive amounts of mail. Hm… so random clients are using a mass mailer (for Windows including 98) to hit weak and non-existant servers to send out lists. Why?
This is where I start to really theorize/guess. Any good hacker doesn’t send out anything from a computer that can be tracked back. You make “zombies” and use those. These tend to be random civilians that can be exploited. These civilians run Windows, frequently old and unpatched and little to no internet security software. Also, some security firms have started stumbling upon these caches of user data. They need to be tested and sorted. What better way than random zombies?
The difference in headers leads me to think that the domains that are being used are a means of categorizing the data. Other than that, they could just be what was available to distribute the load. Anyway, that’s my thoughts on the subject. Please contribute yours below. I’m quite aware that I could be wrong.