Support Intelligence

Wednesday, April 25, 2007

Borders Group: Books or Bots - A look at a Six Country Spam Run


Borders seems to do a fairly good job with their containment; unfortunately, today we bring you an analysis of a pharmaceutical spam run launched from Borders servers between March 29 and April 3rd that used resources from six different countries.

As the story goes, on March 29th we began receiving botspam messages from 198.179.227.25 on the Borders network, sending us off to buy Viagra at domains created March 23rd and registered to:

Icek Pankovich
Sos. Mihai Bravu,No. 5
Bl. 4, Entr. 4, Apt. 9
Bucuresti, Sector 2 76101
Romania
+040.0212516407
+040.0212516407
icek_pankovich@yahoo.com


The domains are serviced by name servers hosted in Iran, Chile, and Argentina, and registered to owners in China and Texas. All three name server domains were registered in February or March of '07 with a one-year expiration: quite cheaply disposable.

Name Server: ns1.nopadvene.com
Name Server: ns2.razovinag.com
Name Server: ns1.thefeminine.net

The websites themselves were ultimately hosted by China Telecom, somewhere in Shandong Province.

Address: 222.173.251.30

So as you can see, this single spam run makes a six-country tour in its setup and makes a nice little case study in how crooks create jurisdictional nightmares to cover their tracks. Odds of successful prosecution, anyone?

Strangely, on the Borders side there are also wiggles that make the diagnosis less than straightforward. The reverse DNS for the IP address sending all this spam points to bordersgroupinc.com; however, the forward A record for bordersgroupinc.com points to 152.160.1.28, which is routed by AS4595 (ICNET).

It's odd that the machine at 198.179.227.25 has a reverse entry pointing to bordersgroupinc.com. Could this be the outbound-facing NAT? Well, the box in question (if it was a box) forged headers from Yahoo, Google, Gmail and others, noticeably lacking the DomainKeys headers that indicate legitimate mail from Yahoo!

As for the legitimate Borders mail, it comes from 198.179.227.40 (outboundsmtp.bordersgroupinc.com). All the mail from this server has Received headers from internal RFC 1918 space with reverse DNS pointing to an internal zone claiming to be corpex01.bgpcorp.net, which doesn't jibe with the global DNS but seems more or less legit. All of which just shows some of the oddities encountered when tracking these types of incidents down.
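The three oddities just described (a PTR name whose A record does not point back at the sending IP, a claimed Yahoo hop with no DomainKey-Signature header, and an RFC 1918 relay in the Received chain) can be turned into a mechanical header check. The script below is an added example, not part of the original post; its DNS table is a constructed stand-in seeded with the addresses quoted in this post rather than live lookups, and the sample headers are an abridged reconstruction of the ones shown further down.

```python
import ipaddress
import re

# Constructed stand-in for the DNS answers the post reports; a real check
# would issue PTR and A queries through a resolver library instead.
DNS = {"PTR": {"198.179.227.25": "bordersgroupinc.com",
               "198.179.227.40": "outboundsmtp.bordersgroupinc.com"},
       "A": {"bordersgroupinc.com": {"152.160.1.28"},
             "outboundsmtp.bordersgroupinc.com": {"198.179.227.40"}}}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def fcrdns_ok(ip, dns=DNS):
    """Forward-confirmed rDNS: the PTR name's A records must include ip."""
    name = dns["PTR"].get(ip)
    return name is not None and ip in dns["A"].get(name, set())

def parse_headers(raw):
    """Fold continuation lines; return lower-cased (name, value) pairs."""
    hdrs = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and hdrs:
            hdrs[-1] = (hdrs[-1][0], hdrs[-1][1] + " " + line.strip())
        elif line.strip():
            name, _, value = line.partition(":")
            hdrs.append((name.strip().lower(), value.strip()))
    return hdrs

def analyze(raw, dns=DNS):
    """Return the oddities from the post that this message exhibits."""
    hdrs = parse_headers(raw)
    get = lambda n: [v for k, v in hdrs if k == n]
    findings = []
    if not fcrdns_ok(get("x-sender-ip")[0], dns):
        findings.append("fcrdns_mismatch")          # PTR and A disagree
    received = " ".join(get("received"))
    if "yahoo.com" in received.lower() and not get("domainkey-signature"):
        findings.append("yahoo_without_domainkeys")  # claimed Yahoo hop, unsigned
    hops = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", received)
    if any(ipaddress.ip_address(h) in n for h in hops for n in RFC1918):
        findings.append("rfc1918_hop")               # internal relay, often legit
    return findings

# Constructed sample, abridged from the spam headers quoted in the post.
SPAM_HEADERS = """\
X-SENDER-IP: 198.179.227.25
X-HELO: bordersgroupinc.com
Received: from 66.196.126.37 (HELO mx5.biz.mail.yahoo.com)
    by locaos.com with esmtp
"""
```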

This kind of compromise happens every day to large and small companies, and the odds of successfully prosecuting the criminals involved are nearly zero. On the positive side, we're happy to report that Borders was able to mitigate the infection within a week, which is fast compared to some companies that have had infections for months. Stay tuned; we'll be highlighting some of those shortly.

We'll also review some of the companies we've analyzed over the past few weeks to see if any have cleaned themselves up or continue to pollute our mail boxes.


X-SENDER-IP: 198.179.227.25
X-HELO: bordersgroupinc.com
X-UUID: 9d9baf6b-f6aa-4261-9d50-598887d541ff
X-ECP: BordersGroup
Return-Path: <sociologistsoot's@partyallnight.net>
Received: from 66.196.126.37 (HELO mx5.biz.mail.yahoo.com)
    by locaos.com with esmtp (20Q,WW067.4I )HQ8)
    id 5.0GBD-IAQ'IF-,2
    for rry563@locaos.com; Thu, 29 Mar 2007 13:56:55 +0400
From: "Denis Denton"
To:
Subject: Fwd: Pharmacy bulletin
Date: Thu, 29 Mar 2007 13:56:55 +0400
Message-ID: <01c7720a$1c87cdd0$6c822ecf@sociologistsoot's>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0006_01C771E8.95762DD0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: Aca6QO.5147K'S79Y8@PLZ,WW?9U5R==

This is a multi-part message in MIME format.

------=_NextPart_000_0006_01C771E8.95762DD0
Content-Type: text/plain;
    charset="Windows-1252"
Content-Transfer-Encoding: 7bit


Dear valued member!
More and more people are getting concerned with the problem of fake drugs
sold on the Web. This letter is aimed at helping you choose a really reliable Internet drugstore.
It's not a secret that many Web pharmacies are trying to make profits by
selling fake drugs that not only prove to be totally useless but also can
cause serious health problems. USDrugs is one of very few Internet
drugstores that always offer only 100% generic meds.

Hope that you will find the information provided useful. Please click here
for more information.

With Best Regards, Denis Denton
USDrugs B.V.

URLS REMOVED


Whois for the IP address that sent us the lovely request to look for new medications:

OrgName: Borders, Inc.
OrgID: BORDER-4
Address: 54 S. State Road
City: Ann Arbor
StateProv: MI
PostalCode: 48109
Country: US

NetRange: 198.179.225.0 - 198.179.228.255
CIDR: 198.179.225.0/24, 198.179.226.0/23, 198.179.228.0/24
NetName: NETBLK-BORDERS
NetHandle: NET-198-179-225-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.WCOM.NET
NameServer: NS3.WCOM.NET
NameServer: NS2.WCOM.NET
Comment:
RegDate: 1993-11-04
Updated: 2001-10-01


© Copyright 2006 Support Intelligence, LLC • All rights reserved