Chinese Spam Mafia?
When I decided to change over my website recently, I installed the new blog ‘engine’ into a subdirectory (you can see that this is so by looking in the address bar of the browser). All of my stories have been archived over the years in various search engines, and to route requests for these stories to their new locations would have taken me some time to code, so I blew it off. Instead, I decided to put up a custom 404 error page, so people who don’t get where they thought they were going at least end up on my site with a nice message and search box instead of just the unfriendly white default server page. As a side effect of the custom page, I get emailed whenever a person hits this page with the address *from which* they were coming so I can attempt to fix the problem. As it turns out, this little change led me right to the Chinese Spam Mafia.
The emails I get look like this:
A user tried to go to http://www.in8sworld.net/blog/article.php?story=20040403163653898 and received a 404 (page not found) error. It wasn’t their fault, so try fixing it.
They came from http://209.8.22.250/tools/proxer/proxy.txt
As it turns out, I kept a copy of the old Geeklog site running on my powerbook, so I can tell that the story above is the one about when I went to the Hubble Deep Field lecture in 2004. It might well be indexed someplace in a search engine because it has a lot of popular terms in it, and it also has a lot of links to other popular sites in it. But something was strange about the referring page. Why was it an IP number instead of a human readable domain name? Why was the referring page a .txt (text) file? This looked like a spammer using a proxy tool to automatically go out and hit stories on blogs and attempt to comment some spam on them.
So I started doing some investigation. First thing I did wasn’t very wise – I typed that IP into my address bar and loaded it up. I really didn’t expect to get anything back, but I got a phpinfo page! I usually hide any page with this PHP function on it behind some password, because I don’t want the world to know the details of my server. I suspected immediately that this wasn’t a real phpinfo page, but rather a faked one designed either to lure in hackers or just to obfuscate things. It claimed the server was running
FreeBSD MC101180 5.4-RELEASE-p5 FreeBSD 5.4-RELEASE-p5 #4: Tue Jul 26 12:58:02 UTC 2005 root@ah9.realitychecknetork.com:/usr/src/sys/i386/compile/Z i386
realitychecknetork.com is not registered to anyone at this time.
and that the page on which it ran supposedly gave away the username (zacjesus105):
/home/zacjesus105/209.8.22.250.com/index.php
It also had this listed in sendmail settings:
/usr/sbin/sendmail -t -i -f xzac@prytv.com
The prytv.com site was an html page with every possible combination of sex related words on it, so our spammer is not out to stimulate just good conversation.
-=[ Voyeur PORN paginas voyeur – web, dorm sex and videos voyer project, cams, porn, private
A Whois on that domain IP (206.161.192.13) gives
PryTV
Russia Moscow
4, Zubovsky Boulevard
Moscow, NA 119021
RU
and is located on the Beyond The Network America Inc network based in the US, not Russia.
A trip to http://209.8.22.250/tools/proxer/proxy.txt returned a 403 error (forbidden).
This IP is probably the proxy server itself. It may be a hacked machine. In fact, running nmap against it returned an error saying that the machine is NOT really running FreeBSD, but it might just be that my version of nmap is rather old and unable to determine it properly.
A Whois on the IP returned this possibly bogus information:
IP Location: United States – New Jersey – Egg Harbor Township – Axxa Commerce Llc
Reverse DNS: 209-8-22-250.pccwglobal.net.22.8.209.in-addr.arpa
OrgTechName: Kim, Joon
Who could this Joon Kim of Axxa Commerce LLC character be? Is this the guy responsible, or has his machine been hacked by someone upstream?
It seems Hidden Mysteries has this IP pegged as being in the range of IPs belonging to organized crime spammers out of China, and he calls for the US government to block the entire set of IP ranges, as they seem to be the ultimate source of most of the spam we are dealing with day to day (I’ve gotten 5 more spambot attempt emails since I started writing).
All I can do is try to track down all the possible leads.
Axxa Commerce seems to have a legitimate website e-commerce business.
Registrant Contact: AxxaCommerce LLC
3 Canale Drive, Suite 6
Egg Harbor Township, NJ 08234 US
Administrative Contact: Cyber-Services L.L.C. Kelly Grillo
The Map of the Internet lists the 209 portion of the IP as being in the US, but it is right next to 210, which is the start of the Asia-Pacific IP ranges. I searched the APNIC database, but that IP was not in Asia. I searched the ARIN database, and there it was. The IP is indeed in the US.
The Better Business Bureau lists Cyber-Services as an Internet Shopping Services company with one complaint against them in November, which had been resolved. So we have a connection to a real world company. The IP address for Axxa (198.107.176.35) is not in the same range as my sneaky character’s; they’re using a server in Colorado (running IIS!) belonging to some Cyber-Services company, i.e. using Windows :p
I was starting to think that what must be going on is poor Mr Kim’s legitimate business had been hacked by someone in China and one of his PCs was automatically spamming my sites. But a traceroute to the suspect IP revealed that the IP just upstream is 63.218.44.125
OrgName: Beyond The Network America, Inc.
OrgID: BNA-42
Address: 520 Herndon Parkway
Address: Suite E
City: Herndon
StateProv: VA
PostalCode: 20170
Country: US
OrgTechEmail: jkim@pccwglobal.com
OrgNOCEmail: supportamerica@btnaccess.com
There’s our Mr. Kim again! Looks like he’s involved in a bunch of businesses, all internet related and connected to a big Chinese ISP. Seems like the company is based in Virginia, but may be owned by a Chinese broadband company PCCW Global. You can download a nice PDF of their cable lines here. Now why wouldn’t an internet shopping company, and a ‘Cyber Services’ company that is directly connected to a giant, global ISP not run their websites on their own network?
And why would a machine supposedly in the US be attempting to access stories on my blog every 15 minutes or so? Even if it’s not dear Mr. Kim who wants to post comments on my blog about penis enlargement and Viagra pills, I’ll hold him responsible since his name is on the domains from which I am receiving this crap. Something tells me he’s not really interested in what I have to say. Whoever the piece of crap is, when he notices that his spambot is getting 404 errors repeatedly on my domain he’ll either move on or tweak his scripts to work more effectively against my new blog engine. Then we’ll have to shift into higher gear.
Others in the blogosphere have encountered Mr. Kim as well. Spacequad, another geeklog user was pretty fed up with Mr. Kim as well in his post about Proxy Referrer Spam. It seems to be a Geeklog-specific comment spam script, here’s a page where Dirk (the guy who co-develops Geeklog) battles with the bastard.

Comment posted on 1-7-2007
OK – so, in hopes of stopping the endless stream of emails generated by this situation, I found a helpful page on macmerc.com that described how to add a couple of lines to my .htaccess file which look at the referrer and mark those that match as ’spammer’. Of course, if the spammers speak English and read this, they will just change their scripts, but they have to change the scripts anyway if they want to post some comment spam. So far, it’s working – the emails have stopped for now.
That gained me all of about 5 hours of peace. Apparently the spammers script was broken and I was seeing something that I wasn’t supposed to see. Now that he’s fixed it, he is spoofing the ‘Referer’ – what this means is that his script replaces the part of the transaction where the server sees what page he clicked on to get to the page he wants to spam on with my own domain name, so I can’t use the htaccess trick to deny him. In other words, it looks like this now:
You see, he didn’t come from where it says he’s coming from ‘cuz it doesn’t exist anymore! I moved the whole site to a subdirectory (and changed the whole site code) so there is no article.php in there. I’m thinking I might be able to use that fact to block him again. More on this later.
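As an added example (not code from the original post or its comments), here is a small Python triage script for the referer notifications the custom 404 page sends. It applies the three tells described above: a referring host that is a bare IP address, a referring page that is a .txt file, and, for the spoofed case in the comment, a Referer that claims a page on the site’s own domain which no longer exists. The site host, the list of surviving paths and the notification texts are constructed for the example.

```python
"""Triage the Referer values reported by a custom 404 handler.

Added example, not the blog's own code. SITE_HOST, LIVE_PATHS and the
SAMPLE_NOTICES below are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical site facts: the blog now lives under /blog/, so any
# Referer claiming /article.php at the site root cannot be genuine.
SITE_HOST = "www.in8sworld.net"
LIVE_PATHS = {"/", "/blog/", "/blog/index.php", "/blog/article.php"}

# Matches the shape of the notification email quoted in the post.
NOTICE_RE = re.compile(
    r"tried to go to (?P<target>\S+) and received a 404.*?came from (?P<referer>\S*)",
    re.S,
)


def parse_notice(text):
    """Return (requested URL, claimed Referer) from one notification text."""
    m = NOTICE_RE.search(text)
    if not m:
        raise ValueError("not a 404 notification")
    return m.group("target"), m.group("referer")


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_referer(referer, site_host=SITE_HOST, live_paths=LIVE_PATHS):
    """Return the list of reasons a Referer looks like a spam proxy.

    An empty Referer is common (privacy settings, direct visits) and is
    not flagged by itself.
    """
    reasons = []
    if not referer:
        return reasons
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    if path.lower().endswith(".txt"):
        # A plain text file carries no clickable link to our site.
        reasons.append("text-file-referer")
    if host == site_host.lower() and path not in live_paths:
        # Claims to come from our own site, but from a page that is gone.
        reasons.append("spoofed-self-referer")
    return reasons


def triage(notices):
    """Classify every notification; returns (target, referer, reasons)."""
    return [(t, r, classify_referer(r)) for t, r in map(parse_notice, notices)]


# Constructed notification texts mirroring the post's format.
SAMPLE_NOTICES = [
    "A user tried to go to http://www.in8sworld.net/blog/article.php?story=20040403163653898 "
    "and received a 404 (page not found) error. It wasn't their fault, so try fixing it.\n"
    "They came from http://209.8.22.250/tools/proxer/proxy.txt",
    "A user tried to go to http://www.in8sworld.net/article.php?story=20040403163653898 "
    "and received a 404 (page not found) error.\n"
    "They came from http://www.in8sworld.net/article.php?story=20040403163653898",
    "A user tried to go to http://www.in8sworld.net/old-page.html "
    "and received a 404 (page not found) error.\n"
    "They came from http://www.google.com/search?q=hubble+deep+field",
    "A user tried to go to http://www.in8sworld.net/old-page.html "
    "and received a 404 (page not found) error.\nThey came from ",
]

if __name__ == "__main__":
    for target, referer, reasons in triage(SAMPLE_NOTICES):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {referer or '(none)'} {reasons}")
```

The reasons list is meant to drive a deny rule of the kind the comment describes (a referer pattern in .htaccess) or simply to suppress the notification email, so a spoofed self-referer pointing at a path that no longer exists can be dropped without touching legitimate visitors who arrive with no Referer at all.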
Comment posted on 1-7-2007
For those that run Windows based mail servers, I recommend using Spamfilter ISP in front of their mail server. You can get to the link on our site at http://www.spacequad.com and download a free evaluation copy. As far as the comment spam or any other spam on our site, I haven’t seen any as of lately. They’ve tried to post but the captcha has stopped them cold in their tracks for now. The only way someone can post on our system is to manually post by hand…bots are not welcomed.
Ironmax
Comment posted on 1-7-2007
Nate,
I know where they are coming from initially. I found that they are cruising the search engines to find these links and that’s why I ended up moving my mail signup form for email. Then putting a fake one in its place. Those spammers in Nigeria were saying anything just to try and get a free email account. Unbeknownst to them it was a booby trap, and they got caught in the act. So I won’t be seeing them for some time.
As far as finding or seeing the referer, try changing your script around just a little to throw them off, they’ll have to change theirs to keep up.
Ironmax
Comment posted on 1-7-2007
A similar thing was happening at work, and we called in a security friend of mine who traced a couple of the IPs back to compromised Linksys routers to which they had supposedly uploaded some hacked firmware. He was able to read the logs on one of the routers which had other IPs (supposedly the real criminals). On those machines he found links to an IRC channel which he turned me on to. I was stunned – they apparently had broken into a bank someplace and were processing stolen credit cards through some scripts that were running there. Something about an eGold account which I didn’t quite understand… Seems like the US is going to need to start training an army of counter insurgent hackers soon – they haven’t been doing too good of a job so far.
Comment posted on 12-28-2007
I’ve decided to re-enable anonymous commenting. This is just a test to make sure it’s working again. I may need to install some more anti-spammer tests, but the coast seems to have cleared a bit.
Comment posted on 12-28-2007
Added an image / math challenge to commenting care of Peter’s Math Anti-spam plugin. Along with the otherwise very impressive Akismet plugin, this should make it a lot safer to enable anonymous commenting.