Saturday, April 16, 2005

You're being frisked

Some of the local user group are complaining about a new type of spam. I've
seen it (or its ilk) before. It slips through filters because of its small
size; it appears to be made up entirely of a mishmash of characters from
the BIG5 character set, and it has three links.

Looking at the source code tells an entirely different story. The message is HTML-based and contains a mail bug (a tracking image) that looks like:

<img src="http://list168.com/CheckEmailReaded.php?email_user=EMAIL_ADDRESS&site=A_CODE" border="0" width="0" height="0">

where EMAIL_ADDRESS is the address of the email
recipient and A_CODE appears to be another unique identifier or some
such.

So, if you opened the message with an HTML-capable mail reader that fetches remote images, you just gave up a LOT of information:

  • first of all (and probably what they were looking for), you've verified a valid email address, and one with a human reading it
  • along with the IP address of the system you use to read mail (for most of us, our home IP)
  • the OS of that system and the browser (or mail client) version, from the User-Agent string sent with the image request
  • plus a whole slew of less valuable information (when the message was opened, Accept and language headers, and so on)
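To catch a beacon like this before a client fetches it, here is an added Python example (not code from the original post): it walks the <img> tags of an HTML body and flags remote images that are zero- or one-pixel sized, carry query parameters, or embed the recipient's address in the URL. The sample message, the recipient address someone@757.org and the 686.to link are constructed for the example; only the shape of the list168.com bug is taken from the spam.

```python
"""Find tracking pixels ("mail bugs") in an HTML message body."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message: the bug has the shape of the one in the spam,
# with a made-up recipient address; the other tags are filler.
SAMPLE_HTML = """<html><body>
<p>&#26198;&#25928;&#23450;</p>
<img src="http://list168.com/CheckEmailReaded.php?email_user=someone@757.org&site=A_CODE" border="0" width="0" height="0">
<a href="http://686.to/">link</a>
<img src="cid:logo.png" width="120" height="40">
</body></html>"""


def _is_pixel_dim(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    return value.strip().lower().rstrip("px") in ("0", "1")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag, keys lower-cased."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def find_mail_bugs(html):
    """Return a list of suspicious remote images with the reasons they were flagged."""
    parser = _ImgCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for img in parser.imgs:
        src = img.get("src", "")
        url = urlparse(src)
        # cid:/data: images are embedded in the message and do not phone home
        if url.scheme.lower() not in ("http", "https"):
            continue
        reasons = []
        if _is_pixel_dim(img.get("width")) or _is_pixel_dim(img.get("height")):
            reasons.append("zero-or-one-pixel")
        params = parse_qs(url.query, keep_blank_values=True)
        if params:
            reasons.append("carries-query-parameters")
        # any parameter value that looks like an address ties the fetch to the recipient
        email = next((v[0] for v in params.values() if "@" in v[0]), None)
        if email:
            reasons.append("recipient-address-in-url")
        if reasons:
            findings.append({"src": src, "host": url.hostname, "email": email, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_mail_bugs(SAMPLE_HTML):
        print(f["host"], f["email"], ", ".join(f["reasons"]))
```

A mail reader that refuses remote images by default makes the same decision at fetch time; the point of running this over the body is to see which recipients the bug identifies and which host collects the hits.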

Best case: this was an attempt at harvesting valid email addresses (ones with humans at the end of them).

Worse case: this is an attempt to find systems at IP addresses with specific versions of a browser (pre-staging an attack).

Worst case: ???

In any case, a bit more can be learned from it. There are three "interesting" Received: lines in the header, listed top-down, i.e. most recent hop first. Line 1:

Received: from finwait.mrhz.net (ip-64-32-173-93.s1c.megapath.net [64.32.173.93]) by users.757.org (Postfix) with ESMTP id 3BBF83F67B for ; Thu, 14 Apr 2005 06:05:25 -0400 (EDT)

Line 2:

Received: from 64.32.173.93 (unknown [202.160.161.100]) by finwait.mrhz.net (Postfix) with SMTP id D5ADBE0449 for ; Thu, 14 Apr 2005 03:04:12 -0700 (PDT)

Line 3:

Received: from 111.144.71.128 by 202.160.169.134; Thu, 14 Apr 2005 12:58:28 +0300

The first one is valid (generated by the local mail server). The second one is also valid, as finwait.mrhz.net is one of 757's mail handlers, and it records the actual connecting address, 202.160.161.100, even though that host announced itself in HELO as 64.32.173.93 (the handler's own address). Everything below that hop was written by the 202.160.161.100 machine itself, so it's a good bet that the third one is forged.
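The rule applied above, walk the Received: chain from the top and stop trusting it at the first hop that was not added by a server you control, is mechanical enough to script. This is an added Python example, not from the original post: the three headers are the ones quoted above (with the "for <address>" clause already stripped, as on the page), and the set of trusted hosts is an assumption for the example.

```python
"""Walk a Received: chain top-down and find where trust ends."""
import re

# The three Received: lines quoted in the post, most recent hop first.
RECEIVED = [
    "Received: from finwait.mrhz.net (ip-64-32-173-93.s1c.megapath.net [64.32.173.93]) "
    "by users.757.org (Postfix) with ESMTP id 3BBF83F67B for ; Thu, 14 Apr 2005 06:05:25 -0400 (EDT)",
    "Received: from 64.32.173.93 (unknown [202.160.161.100]) by finwait.mrhz.net (Postfix) "
    "with SMTP id D5ADBE0449 for ; Thu, 14 Apr 2005 03:04:12 -0700 (PDT)",
    "Received: from 111.144.71.128 by 202.160.169.134; Thu, 14 Apr 2005 12:58:28 +0300",
]

# Assumed for this example: the local server, its upstream handler and that
# handler's address. Only headers written "by" one of these are believed.
TRUSTED = {"users.757.org", "finwait.mrhz.net", "64.32.173.93"}

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+([^\s;]+)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_received(line):
    """Split one Received: line into HELO name, PTR name, connecting IP and receiving host."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    helo, comment, by = m.groups()
    ptr = ip = None
    if comment:  # Postfix writes "(ptr-name [ip])"; "unknown" means no PTR
        ptr = comment.split()[0]
        ipm = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", comment)
        ip = ipm.group(1) if ipm else None
    return {"helo": helo, "ptr": ptr, "ip": ip, "by": by}


def analyze_chain(headers, trusted):
    """Mark each hop trusted or unverifiable; flag the hand-off from the outside."""
    results = []
    chain_ok = True
    for line in headers:
        h = parse_received(line)
        if h is None:
            results.append({"raw": line, "verdict": "unparseable", "flags": []})
            chain_ok = False
            continue
        flags = []
        if chain_ok and h["by"] in trusted:
            verdict = "trusted"
            # HELO is chosen by the sender; an IP literal that differs from the
            # address the server actually saw is a plain lie.
            if h["ip"] and IPV4_RE.match(h["helo"]) and h["helo"] != h["ip"]:
                flags.append("helo-claims-other-ip")
            # Judge the source by what the receiving server observed (IP, PTR),
            # never by the HELO name, which here claims one of our own addresses.
            if not ({h["ip"], h["ptr"]} & trusted):
                flags.append("handoff-from-untrusted-host")
                chain_ok = False
        else:
            verdict = "unverifiable"
            chain_ok = False
        h.update(verdict=verdict, flags=flags)
        results.append(h)
    return results


def origin_ip(results):
    """The last address a trusted server saw connecting: the real origin as far as we can tell."""
    for r in results:
        if "handoff-from-untrusted-host" in r.get("flags", []):
            return r["ip"]
    return None


if __name__ == "__main__":
    chain = analyze_chain(RECEIVED, TRUSTED)
    for hop in chain:
        print(hop["verdict"], hop.get("helo"), hop.get("ip"), hop["flags"])
    print("origin:", origin_ip(chain))
```

Run against the three headers, the second hop is the last one a trusted server wrote, its connecting address is 202.160.161.100, its HELO is flagged, and the third line is reported as unverifiable rather than as a fact about 111.144.71.128.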

As the primary purpose of the message is getting the mail bug "out there", let's assume that the other URLs and email addresses are garbage.

A quick whois lookup on list168.com returns info on the domain, which appears to be registered to "LU huang" in China. The IP address is also Chinese and is allocated to "Lui Jing", whose email address is "lakesmi@163.net".

Grabbing the HTTP headers from list168.com (wget output) returns:

HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET
Connection: keep-alive
Content-Location: http://list168.com/index.htm
Date: Sat, 16 Apr 2005 13:03:26 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Thu, 06 Jan 2005 11:30:42 GMT
ETag: "7efcce27e3f3c41:1642"
Content-Length: 3585

The page returned appears to be an error page, but the headers above show a 200 status (a genuine error would come back as 4xx or 5xx), and Content-Location points at a static index.htm, so it's probably a page intended to be mistaken for an error page.

Grabbing http://list168.com/CheckEmailReaded.php returns two errors:

PHP Notice: Undefined index: email_user in D:\idccweb\ftpacc\wwwroot\CheckEmailReaded.php on line 77
PHP Notice: Undefined index: site in D:\idccweb\ftpacc\wwwroot\CheckEmailReaded.php on line 78

Trying to grab http://list168.com/CheckEmailReaded.php?email_user=youre@busted.com&site=avcd returns only the line 78 notice (oddly, since site= was supplied).

Trying to grab http://list168.com/CheckEmailReaded.php?email_user=youre@757.org&site=avcd returns the same notice.

So... It appears that there's a custom PHP script on the far end, running on IIS with error display turned on: the notices volunteer the script's path (D:\idccweb\ftpacc\wwwroot) and that it reads the email_user and site parameters at lines 77 and 78.

Performing Google searches on the URLs returns some spam complaints and a lot of Chinese web pages.

Google Groups searches for list168.com and CheckEmailReaded returns the usual spam complaints but not a whole lot of them.

Following the 686.to links leads to a music site and a Chinese porn site (both hosted in Hong Kong).

In summary, it appears to be just an attempt to harvest valid e-mail addresses. All in all, pretty much a waste of an hour researching the spam.