Saturday, April 16, 2005

You're being frisked

Some of the local user group is complaining of a new type of spam. I've
seen it (or its ilk) before. It slips through filters because of its
size, it appears to be made up entirely of a mishmash of characters from
the BIG5 character set, and has three links.

Looking at the source
code tells an entirely different story. The message is HTML-based and
contains a mail bug that looks like:

email_user=EMAIL_ADDRESS&site=A_CODE" border="0" width="0"

where EMAIL_ADDRESS is the address of the email
recipient and A_CODE appears to be another unique identifier or some

So, if you opened the message with a HTML-capable mail reader,
you just gave up a LOT of information:

  • first of all (and probably what they were looking for), you've verified a valid email
  • along with the IP address of the system you use to read mail (for most of us, our home IP)
  • the OS of that
  • the browser version on that system
  • plus a whole slew of less valuable information
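Mail readers that refuse to fetch remote images stop this leak outright; for a gateway or a triage script, the same pattern can be spotted before the message is ever rendered. The following Python is an added example, not code from this post: it parses an HTML body, collects every img tag, and flags any remote image that is declared at zero (or one) pixel in size or whose query string carries the recipient's own address, which is exactly the shape of the mail bug quoted above. The HTML body, the tracker hostname and the recipient address are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed HTML mail body: filler text plus a zero-size tracking image whose
# query string names the recipient. Hostnames and the address are placeholders.
SAMPLE_HTML = """<html><body>
<p>filler text standing in for the BIG5 character soup</p>
<img src="http://tracker.example.invalid/CheckEmailReaded.php?email_user=alice@example.invalid&site=A_CODE" border="0" width="0">
<a href="http://music.example.invalid/">listen</a>
<img src="http://cdn.example.invalid/logo.png" width="120" height="40">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag, lower-casing attribute names."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        # handle_startendtag delegates here, so <img ... /> is caught as well
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _declared_zero_size(img):
    """True when width or height is declared as 0 or 1, the classic tracking-pixel shape."""
    for attr in ("width", "height"):
        value = img.get(attr, "").strip().lower().rstrip("px")
        if value in ("0", "1"):
            return True
    return False


def find_web_bugs(html_body, recipient):
    """Return the suspicious remote images in html_body, with the reasons each was flagged."""
    parser = _ImgCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for img in parser.images:
        parts = urlsplit(img.get("src", ""))
        if parts.scheme not in ("http", "https"):
            continue  # inline (cid:) or data: images cannot phone home
        params = parse_qs(parts.query)
        reasons = []
        if _declared_zero_size(img):
            reasons.append("image declared with zero/one-pixel size")
        if any(recipient.lower() in v.lower() for values in params.values() for v in values):
            reasons.append("query string carries the recipient address")
        if reasons:
            findings.append({
                "host": parts.hostname,
                "path": parts.path,
                "params": sorted(params),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_HTML, "alice@example.invalid"):
        print(hit)
```

The size check alone catches most tracking pixels; the recipient-address check is what distinguishes an address-verification bug from a plain open-rate counter, since the former has to carry something that identifies you in the URL.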

Best case: this was an
attempt at harvesting valid email addresses (ones with humans at the end
of them).

Worse case: this is an attempt to find systems at IP
addresses with specific versions of a browser (pre-staging an

Worst case: ???

In any case, a bit more can be learned from it. There are three "interesting" lines in the header. Line 1:

Received: from ( []) by (Postfix) with ESMTP id 3BBF83F67B for ; Thu, 14 Apr 2005 06:05:25 -0400 (EDT)

Line 2:

Received: from (unknown []) by (Postfix) with SMTP id D5ADBE0449 for ; Thu, 14 Apr 2005 03:04:12 -0700 (PDT)

Line 3:

Received: from by; Thu, 14 Apr 2005 12:58:28 +0300

The first one is valid (generated by the local mail server). The second one is also valid as it is one of 757's mail handlers. However, it's a good bet that the third one is forged.
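Reaching that kind of verdict systematically, as an added example that is not from this post: the Python below parses a Received: chain, normalises every timestamp to UTC (the three stamps above work out to 09:58:28, 10:04:12 and 10:05:25 UTC, so their order is at least plausible) and checks that the host each hop claims to have received the mail from is the host that stamped the hop below it. The header block is constructed; it keeps the post's timestamps and Postfix queue IDs, but the hostnames and IP addresses are placeholders, so the mismatch it reports is a property of the sample, not a finding about the original message.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed header block modelled on the post's three Received lines.
# Timestamps and Postfix queue IDs are the post's; hostnames and IPs are placeholders.
SAMPLE_HEADERS = (
    "Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])\n"
    "\tby mx.local.invalid (Postfix) with ESMTP id 3BBF83F67B\n"
    "\tfor <user@local.invalid>; Thu, 14 Apr 2005 06:05:25 -0400 (EDT)\n"
    "Received: from claimed-host.invalid (unknown [198.51.100.7])\n"
    "\tby relay.example.invalid (Postfix) with SMTP id D5ADBE0449\n"
    "\tfor <user@local.invalid>; Thu, 14 Apr 2005 03:04:12 -0700 (PDT)\n"
    "Received: from workstation.invalid by mail.sender.invalid;"
    " Thu, 14 Apr 2005 12:58:28 +0300\n"
    "Subject: constructed sample\n"
    "\n"
)


def parse_received_chain(raw_message):
    """Return the Received hops oldest-first, each with from/by hosts and a UTC timestamp."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own line, so the top Received header is the newest hop.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())           # unfold continuation lines
        clause, _, stamp = text.rpartition(";")  # the date always follows the last ';'
        m_from = re.search(r"\bfrom\s+(\S+)", clause)
        m_by = re.search(r"\bby\s+(\S+)", clause)
        when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "utc": when,
            "raw": text,
        })
    return hops


def chain_anomalies(hops):
    """Flag hops whose clock or claimed sender does not line up with the hop below."""
    notes = []
    for prev, cur in zip(hops, hops[1:]):
        if cur["utc"] < prev["utc"]:
            notes.append(f"{cur['by']} stamped the mail before {prev['by']} did")
        if prev["by"] and cur["from"] and prev["by"].lower() != cur["from"].lower():
            notes.append(f"{cur['by']} says it received the mail from {cur['from']}, "
                         f"but the hop below it was stamped by {prev['by']}")
    return notes


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_HEADERS)
    for i, hop in enumerate(chain):
        print(f"hop {i}: {hop['from']} -> {hop['by']} at {hop['utc'].isoformat()}")
    for note in chain_anomalies(chain):
        print("anomaly:", note)
```

Only the hops stamped by servers you trust (here the local server and its upstream relay) are reliable; everything below the first trusted hop was written by the sender and can say anything, which is why the link check starts from the trusted side and works downward.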

As the primary purpose of the message is getting the mail bug "out there", let's assume that the other URLs and email addresses are garbage.

A quick research of returns info on the domain that appears to be registered to "LU huang" in China. The IP address is also Chinese and is owned by "Lui Jing" whose email address is "".

Grabbing the headers from list returns:

HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Connection: keep-alive
Content-Location:
Date: Sat, 16 Apr 2005 13:03:26 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Thu, 06 Jan 2005 11:30:42 GMT
ETag: "7efcce27e3f3c41:1642"
Content-Length: 3585

The page returned looks like an error page, but the headers above show a 200 status code, so it is probably meant to be mistaken for an error page.

Grabbing returns two errors:

PHP Notice: Undefined index: email_user in D:\idccweb\ftpacc\wwwroot\CheckEmailReaded.php on line 77
PHP Notice: Undefined index: site in D:\idccweb\ftpacc\wwwroot\CheckEmailReaded.php on line 78

Trying to grab returns only the line 78 error.

Trying to grab returns the same error.

So... It appears that there's a custom PHP script on the far end.

Performing Google searches on the URLs returns some spam complaints and a lot of Chinese web pages.

Google Groups searches for and CheckEmailReaded returns the usual spam complaints but not a whole lot of them.

Following the links leads to a music site and a Chinese porn site (both hosted in Hong Kong).

In summary, it appears to be just an attempt to harvest valid e-mail addresses. All in all, pretty much a waste of an hour researching the spam.
