Spam URL Report

This report is the extraction of URLs and relays from Spam messages.

Sources and Extractions

We and several partners have Spam-pots (basic email addresses) in many places around the world. These accounts are not subscribed and most are not listed anywhere, so any email directed at them would be unrequested and can be considered Spam. We extract certain information from each of these messages, such as the last hop IP (which cannot be spoofed), the sending address (which can be anything and is frequently spoofed), any URLs, and the subject of the message.

We do not save the original messages, only the extractions, because due to the high quantity of messages and the amount of space they would take up, they do not have sufficient value.

False Positives

It is highly likely that non-malicious URLs end up on this report. In fact, we expect them regularly. The source of these URLs is still malicious, but many times Spam messages will include real or correct URLs to help hide the malicious ones that are also included in the messages. When users start looking at the different URLs included in a message, hiding one or two malicious ones amongst the real ones creates a greater environment of trust with the email recipient and will increase the odds of them clicking one of the malicious ones.

We do not filter out any URL we get for several reasons. Primarily, we do not really know which ones would be important for you to see and know about. We could filter out anything that is not specifically hostile, but it might be important for logging purposes. Or perhaps they are referencing your real login directions but redirecting the actual login somewhere else.

Areas of Concern

If the “src” IP is one of their systems, this means your email server was the one sending, routing, or forwarding the Spam messages. The URLs should be of interest even if they are not malicious; they might help guide you to the actual phishing target, or at least give you a heads up that the URL is being used in some sort of Spam/phishing attack. Extra traffic to those URLs might be indicative of some level of success, or testing.

Fields

  • timestamp
    Timestamp of the message
  • url
    URL that was extracted from a Spam message
  • host
    Hostname of the URL location
  • ip
    IP of the URL
  • asn
    ASN where the IP resides
  • geo
    Country location of the IP
  • region
    Regional location of the IP
  • city
    City location of the IP
  • subject
    Subject of the Spam message
  • src
    IP address of the Spam relay that delivered the message (last hop)
  • src_asn
    ASN of the relay IP
  • src_geo
    Country location of the Spam relay
  • src_region
    Regional location of the Spam relay
  • src_city
    City location of the Spam relay
  • sender
    Sender email address if available
  • source
    Source of information, if public

Sample

"timestamp","url","host","ip","asn","geo","region","city","subject","src","src_asn","src_geo","src_region","src_city","sender"
"2010-06-05 00:10:51","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"64.12.143.152",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:12:18","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"64.12.143.145",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:14:52","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"205.188.249.130",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:15:03","http://yahoo.it","yahoo.it","87.248.121.75",42173,"CH","-","-",,"189.61.170.193",28573,"BR","MINAS GERAIS","BELO HORIZONTE",
"2010-06-05 00:17:58","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"205.188.249.131",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:21:30","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"205.188.105.144",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:22:52","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"205.188.91.97",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:30:15","http://krz.ch/v0xa","krz.ch","80.74.158.79",21069,"CH","GENEVE","CH",,"198.173.112.24",2914,"US","OREGON","PORTLAND",
"2010-06-05 00:31:23","http://aslama.com/accueil..php","aslama.com","84.16.92.10",29222,"CH","ZURICH","ZURICH",,"65.54.190.38",8075,"US","NEW YORK","NEW YORK",
"2010-06-05 00:38:07","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"64.12.206.42",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:38:53","http://www.helvetic.com/en/dynamic_content/newsfl_100603_en.html","www.helvetic.com","217.150.246.92",29691,"CH","ZURICH","ZURICH",,"82.195.248.182",16215,"CH","GENEVE","CH",
"2010-06-05 00:39:53","http://yahoo.de","yahoo.de","87.248.121.75",42173,"CH","-","-",,"84.36.201.124",36992,"EG","AL QAHIRAH","CAIRO",
"2010-06-05 00:49:21","http://yahoo.it","yahoo.it","87.248.121.75",42173,"CH","-","-",,"61.28.150.139",9658,"PH","MANILA","MANILA",
"2010-06-05 00:54:48","http://krz.ch/v0x3","krz.ch","80.74.158.79",21069,"CH","GENEVE","CH",,"189.112.218.36",16735,"BR","-","-",
"2010-06-05 01:01:26","http://www.bradesconacional.com.br","www.bradesconacional.com.br","85.90.4.233",39440,"CH","FRIBOURG","FRIBOURG",,"71.168.115.71",13672,"US","NEW HAMPSHIRE","NASHUA",
"2010-06-05 01:12:14","http://public.web.cern.ch/public/","public.web.cern.ch","137.138.144.161",513,"CH","GENEVE","GENEVA",,"202.79.19.193",24481,"BD","DHAKA","DHAKA",
"2010-06-05 01:15:02","http://www.voissaboutique.com/","www.voissaboutique.com","82.195.231.114",16215,"CH","GENEVE","CH",,"91.208.181.88",47841,"FR","ILE-DE-FRANCE","PARIS",
"2010-06-05 01:26:56","http://krz.ch/v0xN","krz.ch","80.74.158.79",21069,"CH","GENEVE","CH",,"81.169.146.190",6724,"DE","BERLIN","BERLIN",

Our 76 Report Types