Introduction

This report contains the URLs and relay IPs extracted from Spam messages.

Sources and Extractions

We and several partners operate Spam-pots (basic email addresses) in many places around the world. These accounts are not subscribed to anything and most are not listed anywhere, so ANY email directed at them is unrequested and can be considered Spam. We extract certain information from each of these messages: the last-hop IP, which cannot be spoofed; the sending address, which can be anything and is frequently spoofed; any URLs; and the subject of the message.

We do not save the original messages, only the extractions. The volume of messages is high, and the storage they would take up is not justified by their value.

False Positives

It is highly likely that non-malicious URLs end up in this report; in fact we expect them regularly. The source of these URLs is still malicious, but Spam messages often include real or correct URLs to help hide the malicious ones that are also included in the message. When users look at the different URLs in a message, one or two malicious ones hiding among the real ones creates a greater sense of trust with the recipient and increases the odds of them clicking one of the malicious ones.

We do not filter out any URL we get, for several reasons. The primary one is that we do not really know which URLs would be important for you to see and know about. If we filtered out everything that is not specifically hostile, we might drop URLs that are important for logging purposes, or URLs that reference your real login directions while the actual login is redirected somewhere else.

Areas of Concern

Recipients of these reports should be concerned for a few reasons. If the "src" IP is one of your systems, your email server was the one sending, routing, or forwarding the Spam messages. The URLs should be of interest even if they are not malicious: they might help guide you to the actual phishing target, or at least give you a heads up that the URL is being used in some sort of Spam/phishing attack. Extra traffic to those URLs might be indicative of some level of success, or of testing.

Fields

Field        Description
-----------  ----------------------------------------------------------------
timestamp    Timestamp of the message
url          URL that was extracted from a Spam message
host         Hostname of the URL location
ip           IP of the URL
asn          ASN where the IP resides
geo          Country location of the IP
region       Regional location of the IP
city         City location of the IP
subject      Subject of the Spam message
src          IP address of the Spam relay that delivered the message (last hop)
src_asn      ASN of the relay IP
src_geo      Country location of the Spam relay
src_region   Regional location of the Spam relay
src_city     City location of the Spam relay
sender       Sender email address if available
source       Source of information, if public

Sample

"timestamp","url","host","ip","asn","geo","region","city","subject","src","src_asn","src_geo","src_region","src_city","sender"
"2010-06-05 00:10:51","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"64.12.143.152",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:12:18","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"64.12.143.145",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:14:52","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"205.188.249.130",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:15:03","http://yahoo.it","yahoo.it","87.248.121.75",42173,"CH","-","-",,"189.61.170.193",28573,"BR","MINAS GERAIS","BELO HORIZONTE",
"2010-06-05 00:17:58","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"205.188.249.131",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:21:30","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"205.188.105.144",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:22:52","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"205.188.91.97",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:30:15","http://krz.ch/v0xa","krz.ch","80.74.158.79",21069,"CH","GENEVE","CH",,"198.173.112.24",2914,"US","OREGON","PORTLAND",
"2010-06-05 00:31:23","http://aslama.com/accueil..php","aslama.com","84.16.92.10",29222,"CH","ZURICH","ZURICH",,"65.54.190.38",8075,"US","NEW YORK","NEW YORK",
"2010-06-05 00:38:07","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"64.12.206.42",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:38:53","http://www.helvetic.com/en/dynamic_content/newsfl_100603_en.html","www.helvetic.com","217.150.246.92",29691,"CH","ZURICH","ZURICH",,"82.195.248.182",16215,"CH","GENEVE","CH",
"2010-06-05 00:39:53","http://yahoo.de","yahoo.de","87.248.121.75",42173,"CH","-","-",,"84.36.201.124",36992,"EG","AL QAHIRAH","CAIRO",
"2010-06-05 00:49:21","http://yahoo.it","yahoo.it","87.248.121.75",42173,"CH","-","-",,"61.28.150.139",9658,"PH","MANILA","MANILA",
"2010-06-05 00:54:48","http://krz.ch/v0x3","krz.ch","80.74.158.79",21069,"CH","GENEVE","CH",,"189.112.218.36",16735,"BR","-","-",
"2010-06-05 01:01:26","http://www.bradesconacional.com.br","www.bradesconacional.com.br","85.90.4.233",39440,"CH","FRIBOURG","FRIBOURG",,"71.168.115.71",13672,"US","NEW HAMPSHIRE","NASHUA",
"2010-06-05 01:12:14","http://public.web.cern.ch/public/","public.web.cern.ch","137.138.144.161",513,"CH","GENEVE","GENEVA",,"202.79.19.193",24481,"BD","DHAKA","DHAKA",
"2010-06-05 01:15:02","http://www.voissaboutique.com/","www.voissaboutique.com","82.195.231.114",16215,"CH","GENEVE","CH",,"91.208.181.88",47841,"FR","ILE-DE-FRANCE","PARIS",
"2010-06-05 01:26:56","http://krz.ch/v0xN","krz.ch","80.74.158.79",21069,"CH","GENEVE","CH",,"81.169.146.190",6724,"DE","BERLIN","BERLIN",
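As an added illustration (not part of the report or its producer's tooling), the following Python reads rows in the layout shown above, flags rows whose last-hop "src" relay falls inside a recipient's own netblocks (the Areas of Concern case), and tallies repeated URLs and relay ASNs; the embedded rows are copied from the sample, and the netblock is constructed for the example.

```python
import csv
import io
import ipaddress
from collections import Counter

# Header plus five rows copied from the report sample (added example data).
# Subject and sender are empty here, which the CSV shows as consecutive commas.
SAMPLE = '''\
"timestamp","url","host","ip","asn","geo","region","city","subject","src","src_asn","src_geo","src_region","src_city","sender"
"2010-06-05 00:10:51","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"64.12.143.152",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:12:18","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"64.12.143.145",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:14:52","http://www.schildag.ch/pilsrcmed.html","www.schildag.ch","213.203.223.99",25074,"CH","LUZERN","ROOT",,"205.188.249.130",1668,"US","VIRGINIA","RESTON",
"2010-06-05 00:15:03","http://yahoo.it","yahoo.it","87.248.121.75",42173,"CH","-","-",,"189.61.170.193",28573,"BR","MINAS GERAIS","BELO HORIZONTE",
"2010-06-05 00:30:15","http://krz.ch/v0xa","krz.ch","80.74.158.79",21069,"CH","GENEVE","CH",,"198.173.112.24",2914,"US","OREGON","PORTLAND",
'''

def parse_report(text):
    """Parse the report CSV into dicts keyed by the documented field names."""
    return list(csv.DictReader(io.StringIO(text)))

def own_relays(rows, netblocks):
    """Rows whose last-hop relay ('src') lies inside one of our own netblocks.

    A hit means one of our mail servers sent, routed or forwarded the message.
    Rows with an empty or unparsable src are skipped rather than trusted.
    """
    nets = [ipaddress.ip_network(n) for n in netblocks]
    hits = []
    for row in rows:
        try:
            src = ipaddress.ip_address(row["src"])
        except ValueError:
            continue
        if any(src in net for net in nets):
            hits.append(row)
    return hits

def url_counts(rows):
    """How often each URL appears; repeats across relays point at one campaign."""
    return Counter(row["url"] for row in rows)

def relays_by_asn(rows):
    """Relay count per (src_asn, src_geo), i.e. where the Spam is sent from."""
    return Counter((row["src_asn"], row["src_geo"]) for row in rows)

if __name__ == "__main__":
    rows = parse_report(SAMPLE)
    # Netblock below is constructed for the example; substitute your own ranges.
    for row in own_relays(rows, ["64.12.143.0/24"]):
        print("relay in our space:", row["src"], "->", row["url"])
    print(url_counts(rows).most_common(3))
    print(relays_by_asn(rows))
```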
