Support Intelligence

Wednesday, April 25, 2007

Borders Group: Books or Bots - A look at a Six Country Spam Run

Borders seems to do a fairly good job with containment; unfortunately, today we bring you an analysis of a pharmaceutical spam run launched from Borders servers between March 29 and April 3 that drew on resources in six different countries.

As the story goes, on March 29 we began receiving botspam messages from a host on the Borders network sending us off to buy Viagra at domains created March 23 and registered to:

Icek Pankovich
Sos. Mihai Bravu,No. 5
Bl. 4, Entr. 4, Apt. 9
Bucuresti, Sector 2 76101

The domains are served by name servers hosted in Iran, Chile, and Argentina, and registered to owners in China and Texas. All three name server domains were registered in February or March of '07 with a one-year expiration: quite cheaply disposable.

Name Server:
Name Server:
Name Server:

The websites themselves were ultimately hosted by China Telecom, somewhere in Shandong Province.


So as you can see, this single spam run makes a six-country tour in its setup, a nice little case study in how crooks create jurisdictional nightmares to cover their tracks. Odds of successful prosecution, anyone?

Strangely, on the Borders side there are also wrinkles that make the diagnosis less than straightforward. The reverse DNS (PTR) for the IP address sending all this spam points to a hostname; however, the forward A record for that hostname does not point back to the sending address but to one routed by AS4595 (ICNET), so the reverse entry is not forward-confirmed.

It's odd that the sending machine has a reverse entry pointing to a hostname that doesn't resolve back to it. Could this be the outbound-facing NAT? Either way, the box in question (if it was a single box) forged headers from Yahoo, Google, Gmail and others, noticeably lacking the DomainKeys signature headers that accompany legitimate mail from Yahoo!

As for legitimate Borders mail, it comes from a different server, and all the mail from that server carries Received headers from internal RFC1918 space, with reverse DNS pointing to an internal zone that doesn't jibe with the global DNS but seems more or less legitimate. All of which just shows some of the oddities encountered when tracking these types of incidents down.
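The checks above (walking the Received chain, separating RFC1918 hops from the external sender, confirming that the sender's PTR forward-resolves back to it, comparing the HELO name with the PTR, and noticing that mail claiming a Yahoo!/Gmail origin carries no DomainKey-Signature header) are easy to script. The Python below is an added example, not code from the original post or from Support Intelligence. The sample message is constructed and modelled on the captured spam; its hostnames, the RFC 5737 documentation addresses, and the internal zone are stand-ins, not the values redacted from the analysis, and DNS is replaced by two dictionaries so the script runs offline.

```python
"""Header triage for a suspect message: Received chain, RFC1918 hops,
forward-confirmed reverse DNS (FCrDNS), HELO vs PTR, DomainKeys presence."""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Domains that signed outbound mail with DomainKeys in 2007. Assumption:
# a practitioner maintains this list for their own environment.
DOMAINKEYS_SIGNERS = {"yahoo.com", "gmail.com", "google.com"}

# Offline stand-ins for DNS (constructed data, RFC 5737 addresses; not the
# redacted values). Real code would call socket.gethostbyaddr() and
# socket.gethostbyname_ex() here instead.
PTR = {"198.51.100.7": "gw.sender.example"}        # IP -> PTR name
A = {"gw.sender.example": {"203.0.113.9"}}         # name -> set of A records

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the captured spam: the outer hop is what the
# recipient's MX recorded (external sender claiming to be Yahoo), the inner hop
# is a private-address relay stamped by the sender's own MTA.
SAMPLE_HEADERS = """\
Return-Path: <sociologistsoot@yahoo.com>
Received: from yahoo.com (HELO smtp1.yahoo.com) (198.51.100.7)
    by mx.recipient.example with esmtp id BBB; Thu, 29 Mar 2007 13:56:55 +0400
Received: from ws17.corp.internal (ws17.corp.internal [10.20.30.40])
    by relay.corp.internal with esmtp id AAA; Thu, 29 Mar 2007 13:56:50 +0400
From: "Denis Denton" <denis.denton@yahoo.com>
Subject: Fwd: Pharmacy bulletin
Date: Thu, 29 Mar 2007 13:56:55 +0400
Message-ID: <01c7720a$1c87cdd0$6c822ecf@sociologistsoot>
MIME-Version: 1.0

Dear valued member!
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\(HELO\s+([^\s)]+)\)", re.IGNORECASE)


def is_rfc1918(ip: str) -> bool:
    """True for 10/8, 172.16/12 and 192.168/16, i.e. an internal hop."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def received_ips(msg: Message) -> list:
    """IPv4 literals from each Received header, most recent hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        for candidate in IPV4.findall(value):
            try:
                ipaddress.ip_address(candidate)  # drop digit runs that are not IPs
            except ValueError:
                continue
            hops.append(candidate)
    return hops


def fcrdns(ip: str, ptr=PTR, a=A):
    """IP -> PTR name -> A records; confirmed only if the A set contains the IP.
    Returns (ptr_name, forward_ips, confirmed)."""
    name = ptr.get(ip)
    if name is None:
        return None, set(), False
    forward = a.get(name, set())
    return name, forward, ip in forward


def from_domain(msg: Message) -> str:
    """Lower-cased domain of the From address ('' if unparsable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def missing_domainkeys(msg: Message) -> bool:
    """True when From claims a DomainKeys-signing domain but no signature is present."""
    return from_domain(msg) in DOMAINKEYS_SIGNERS and "DomainKey-Signature" not in msg


def triage(raw: str, ptr=PTR, a=A) -> dict:
    """Run all checks on one raw message and return the findings."""
    msg = message_from_string(raw)
    hops = received_ips(msg)
    findings = {
        "hops": hops,
        "internal_hops": [ip for ip in hops if is_rfc1918(ip)],
        "from_domain": from_domain(msg),
        "missing_domainkeys": missing_domainkeys(msg),
    }
    external = [ip for ip in hops if not is_rfc1918(ip)]
    if external:
        sender = external[0]                      # the hop our MX actually saw
        name, forward, ok = fcrdns(sender, ptr, a)
        helo = HELO.search(msg.get_all("Received")[0])
        findings.update({
            "sender": sender,
            "ptr": name,
            "forward": sorted(forward),
            "fcrdns_ok": ok,
            "helo": helo.group(1) if helo else None,
            "helo_matches_ptr": bool(helo and name and helo.group(1).lower() == name.lower()),
        })
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key:20} {value}")
```

On the sample this reports the external sender as 198.51.100.7 with a PTR that forward-resolves elsewhere (FCrDNS fails), a HELO of smtp1.yahoo.com that does not match that PTR, one RFC1918 hop stamped before the message reached the MX, and a yahoo.com From with no DomainKey-Signature: the same combination of signals the write-up above reads off by hand.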

This kind of compromise happens every day to large and small companies, with the odds of successful prosecution of the criminals involved nearly zero. On the positive side, we're happy to report that Borders was able to mitigate the infection within a week, which is fast compared to some companies that have had infections for months. Stay tuned, we'll be highlighting some of those shortly.

We'll also review some of the companies we've analyzed over the past few weeks to see if any have cleaned themselves up or continue to pollute our mail boxes.

X-UUID: 9d9baf6b-f6aa-4261-9d50-598887d541ff
X-ECP: BordersGroup
Return-Path: <sociologistsoot'>
Received: from (HELO
by with esmtp (20Q,WW067.4I )HQ8)
id 5.0GBD-IAQ'IF-,2
for; Thu, 29 Mar 2007 13:56:55 +0400
From: "Denis Denton"
Subject: Fwd: Pharmacy bulletin
Date: Thu, 29 Mar 2007 13:56:55 +0400
Message-ID: <01c7720a$1c87cdd0$6c822ecf@sociologistsoot's>
MIME-Version: 1.0
Content-Type: multipart/alternative;
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: Aca6QO.5147K'S79Y8@PLZ,WW?9U5R==

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Dear valued member!
More and more people are getting concerned with the problem of fake drugs
sold on the Web. This letter is aimed at helping you choose a really reliable Internet drugstore.
It's not a secret that many Web pharmacies are trying to make profits by
selling fake drugs that not only prove to be totally useless but also can
cause serious health problems. USDrugs is one of very few Internet
drugstores that always offer only 100% generic meds.

Hope that you will find the information provided useful.Please click here
for more information.

With Best Regards, Denis Denton
USDrugs B.V.


Whois for the IP address that sent us the lovely request to look for new medications:

OrgName: Borders, Inc.
Address: 54 S. State Road
City: Ann Arbor
StateProv: MI
PostalCode: 48109
Country: US

NetRange: -
NetHandle: NET-198-179-225-0-1
Parent: NET-198-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.WCOM.NET
NameServer: NS3.WCOM.NET
NameServer: NS2.WCOM.NET
RegDate: 1993-11-04
Updated: 2001-10-01





© Copyright 2006 Support Intelligence, LLC • All rights reserved