Analysing lead-gen spam
Yesterday I showed how major companies hire hard core spammers.
Today I’m going to show you some of the technical details as to how I found that data. This is a fairly quick and shallow analysis, the sort of thing I’d typically do for a client to help them decide whether the case was worth pursuing before expending too much money and time on investigation and legal paperwork. I’ve also done it using standard command line tools that are available on pretty much any Unix command line (and Windows, with a little effort).
There are several questions to answer about the email in question.
- Is it spam?
- Does it violate CAN-SPAM or other legislation?
- Who sent it?
- Did the sender know they were doing something wrong?
- Who is it advertising?
- Who paid for it?
1. Is it spam?
The mail was sent to someone who didn’t ask for it, so it’s spam.
Moreover, it was sent to an email address that hasn’t been publicly visible for over a decade, and hasn’t been used to sign up for anything at all for even longer. Even if Laura were to have signed up for the email there’s no way she would have used this email address. And there’s no way she would have signed up for it because, while we don’t discuss a lady’s age, she’s a long, long way from having any personal interest in the AARP.
There was no pretense in the email sent, nor the landing pages it went to, that the message was anything other than an unsolicited, prospecting lead-generation email – the email equivalent of cold-call telemarketing. And the only way the spammer would even have the email address would be if they’d bought a very, very old list of email addresses.
2. Does it violate CAN-SPAM or other legislation?
My initial take on it is that it probably does, but there’s a lot of grey area involved. This is something I’d discuss as part of my initial legal strategy consult with a client, but isn’t something I’m going to touch on here beyond mentioning it.
3. Who sent it?
This is something that isn’t always clear from the email as it’s displayed to the end user. If you were to look at it in your mail client, it claims that it was sent by “AARP Promotion”, and the content of the mail mentions no one other than the AARP. The CAN-SPAM-required unsubscription address given is that of the AARP:
Given all that, and the wording of CAN-SPAM, describing the AARP as the sender is perfectly reasonable. They’re not the people who actually sent the spam, though, they just paid for it to be sent.
To find out who actually sent the spam we need to look at the headers and raw body of the spam. Open that up in a new browser window and take a look. We’ve colour-coded the various sections of the email – let’s look at the headers, with the grey background.
The Received headers are added each time the email is sent from one mail server to another. I know that, for the email address this was sent to, mx03.nni.com is one of the ISP’s mail servers. By starting at the top and following the series of Received headers down I know that this header …
Received: from mx1.denigradeelite.com (denigradeelite.com [188.8.131.52])
    by localhost (mx03.nni.com [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id 2IvVrU3z8poM for <deleted>;
    Tue, 13 Apr 2010 15:56:53 -0400 (EDT)
… is the header that recorded the delivery from the spammer.
The interesting bit there is the IP address that the email was sent from: 184.108.40.206. If we look at the reverse DNS for that IP address it comes back as denigradeelite.com, which is the same domain that’s used everywhere else throughout the email (the From: address, the links in the mail and so on). That makes it very likely that the owner of that domain is also the owner of the IP address, as the reverse DNS can only be set up by the owner of the IP address, not by the owner of the domain. (It’s not unusual to see a spammer point domains at a server they’ve compromised, such as a trojaned Windows box on a fast cable modem, but they don’t have any way to set up the reverse DNS in that case. Since the reverse DNS has been set up here, we know that the domain and IP are operated by the same person.)
We can look a bit closer, though. Checking the forward DNS for the domain used in the links in the spam we see it goes to the same IP address. And looking at the nameservers for that domain, they end up at the same IP address too.
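As an added example (not part of the original post), here is a small Python script that performs the two checks described above: it walks the Received headers top-down to the hop where one of your own mail hosts accepted the message from the outside, then verifies that the reverse DNS of that IP is forward-confirmed and sits under the domain used in the From: address. The sample headers, IP, host names and DNS answers are constructed placeholders, not the real values from this case; the DNS lookups are injected so the script runs offline.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the post's header; IP, host and domain
# names are placeholders, not the real ones from the case.
SAMPLE_MAIL = """\
Received: from mx1.example-spammer.test (example-spammer.test [192.0.2.10])
    by localhost (mx03.example.net [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id 2IvVrU3z8poM for <deleted>;
    Tue, 13 Apr 2010 15:56:53 -0400 (EDT)
From: "AARP Promotion" <promo@example-spammer.test>
"""

# Hops from these ranges are our own internal relays, not the sender.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# "from HELO (rdns [ip])" as most MTAs write it; the parenthetical is optional.
FROM_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s()\[]*)\s*\[(?P<ip>[^\]]+)\]\))?")

def ingress_hop(raw_mail, trusted_hosts):
    """Walk Received headers top-down and return the first hop at which one of
    our own mail hosts (trusted_hosts) accepted the message from an external IP."""
    for rcvd in message_from_string(raw_mail).get_all("Received", []):
        from_part, sep, by_part = " ".join(rcvd.split()).partition(" by ")
        m = FROM_RE.match(from_part)
        if not (sep and m and m.group("ip") and any(h in by_part for h in trusted_hosts)):
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # malformed or "IPv6:..."-prefixed literal; skip it
            continue
        if not any(ip in net for net in INTERNAL):
            return {"ip": str(ip), "rdns": m.group("rdns"), "helo": m.group("helo")}
    return None

def rdns_ties_ip_to_domain(ip, domain, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: the PTR for ip must sit under domain and
    resolve back to ip. Lookups are injected so this runs offline; pass real
    resolver calls (e.g. socket.gethostbyaddr) in practice."""
    name = (ptr_lookup(ip) or "").rstrip(".").lower()
    if name != domain and not name.endswith("." + domain):
        return False
    return ip in a_lookup(name)

# Constructed DNS answers standing in for the real PTR and A lookups.
FAKE_PTR = {"192.0.2.10": "mx1.example-spammer.test."}
FAKE_A = {"mx1.example-spammer.test": ["192.0.2.10"]}
```

A hop whose PTR points somewhere else entirely, or whose PTR name does not resolve back to the same address, is the compromised-box pattern the post mentions and fails the second check.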
So we know that the server it was sent from has the address 220.127.116.11, and that that server is run by the same entity that owns the domain denigradeelite.com. denigradeelite.com is a very odd looking domain name – it looks like the sort of name that is made up by snowshoe spammers. Looking at the surrounding IP addresses we see more of the same. (And using some of our in-house tools there’s even more, but it’s just yet more of the same snowshoe behaviour.)
It looks like nni.com has a small infestation of incompetent snowshoe spammers. All those domains are registered by the same person. Usually spammers use fake contact information, such as Domains by Proxy, for their domains. In this case it looks like he didn’t. Regardless of how good your forensic skills or information sources are, there’s nothing quite as helpful as spammers being stupid.
So we know that the mail was sent by whoever paid for the domain registration for denigradeelite.com and whoever is paying for the server at 18.104.22.168. We’d need to issue some subpoenas to confirm it, but I’m pretty sure they’d end up pointing the finger at Andrew Talbot of Salt Lake City.
4. Did the sender know they were doing something wrong?
Looking at the source of the spam you can see several things. Some of them help demonstrate that the spammer knew what he was doing was wrong, while some of them just demonstrate that he was incompetent.
Incompetent first because, well, it’s funnier. Looking at the HTML part of the email (with the pale yellow background) he’s using Microsoft Word to generate the content. That’s… pretty much the worst way you can generate email content, as the HTML it generates is appallingly bad. That’s probably why it looks so bad in the mail client. For those lucky recipients using a plain text mail client, all they’ll see is the text/plain section with the green background – two obscure URLs and some text that manages to express a lot of illiteracy in just three words.
Looking at the headers at the top of the message you’ll see that our mail filters decided it was spam due to the use of the denigradeelite.com domain in the message. A smart spammer would have used any of a number of ploys to avoid putting a blacklisted domain in the message. Andrew didn’t. Instead, Andrew added that domain to the message an additional 46 times. That’s the pale grey on pale yellow text labeled as “Random incompetence”.
OK, now to Andrew knowing that he’s doing a Bad Thing. We’ve already touched on some minor issues – Andrew is lying about who is sending the mail, claiming it’s coming from “AARP Promotions”, for instance. And there’s all the snowshoe-style behaviour we talked about earlier. But there’s much worse than that.
Andrew is using images for almost the entire content of the message. There’s nothing wrong with using images in commercial email – it’s a good practice, in general, for branding reasons if nothing else. But Andrew’s AARP spam is completely illegible with images turned off. That’s not a good practice, and is something very distinctive to naive spammers who think that if spam filters can’t read the text of their email, they won’t be able to block it. Even more distinctive, and pretty much unique to really scummy spammers, is including the (CAN-SPAM required) postal address solely as an image. Whether that even fulfills the CAN-SPAM requirement is unclear, but it’s something that only realio-trulio spammers do.
But wait! There’s more!
If you look at the source of the spam you’ll see a bunch of sections I’ve highlighted in bright red on pale yellow and labeled as “Hashbuster”. Hashbusters are something we’ve not talked about in much detail before, but they’re something only incredibly hard core spammers do. They’re sections of text, either random words or sections of text from books or webpages, that are added to spam in a way that’s not visible to the recipient. The idea is that loading the email up with hundreds of “non-spammy” random words will persuade spam filters to ignore all the other signs that an email is spam. This doesn’t work. This hasn’t worked in many years, and even then it didn’t work well. Using them is an absolutely solid, 100% certain, no question about it sign that the sender is spamming, knows they’re spamming, knows that their mail is unwanted, knows it’s likely to be blocked and will do absolutely anything, however wrong-headed, to get their spam in front of the recipient’s eyeballs. It’s also usually a sign that the spammer is both incompetent and is using obsolete spamware, but that’s the AARP’s business problem, not ours.
In the vast majority of cases I’d mention Domains by Proxy and other ways to falsify domain registration at this point, as they’re a pretty sure sign that the sender knows what they’re doing is wrong. In this particular case, though, the spammer seems not to be smart enough to use false information in his domain registrations.
All in all, I’d have no problem testifying that Andrew is not only spamming, he’s also under no illusions about what he’s doing being spam.
5. Who is it advertising?
It’s clear from the content of the message that it’s advertising the AARP. Specifically it’s lead generation spam advertising for new members to sign up with them.
The advertised website is at aarpmembership.org. The landing page is a signup form for the AARP:
All the links on that page go to URLs at aarp.org.
If you fill in the form you end up at another page at aarpmembership.org:
All the links on that page go to URLs at aarp.org too.
aarpmembership.org is hosted by SureClick, who advertise that one of their lead generation customers is the AARP.
There’s no question that it’s advertising the AARP.
6. Who paid for it?
When you click on one of the links in the spam it will take you to a landing page at aarpmembership.org. But it doesn’t take you there immediately – it bounces you through several other URLs first. The reason it does this is so that each link in the chain between the advertiser and the spammer can track that click, so that they can pay out on it if it leads to a signup.
So to track who is responsible for the spam, who paid for it, all we need to do is track the URLs that are redirected through.
First we go to the URL in the spam itself, hosted at denigradeelite.com, and we “click” on that link. We do that not with a web browser but using telnet, a simple network access tool that lets us do the web transaction “by hand”. In this case the query returns a webpage whose HTML contains a “meta-refresh” tag that tells the browser to immediately load a page at www.afftrackinglinks.com.
So then we follow that link. Again, we don’t use a normal web browser. This time we use a commandline tool called “curl” that will run a web transaction, and print out the response it gets. This time instead of getting a web page returned, we get what’s called a “302 redirect” response. This doesn’t show a page at all, rather it tells the browser to immediately load the URL given in the Location: header of the response – a tracking URL at affiliate.sctracking.com.
And we keep on going. We follow that link, using curl again. Again we get a 302 redirect response. This time the Location: header points to a URL on www.aarpmembership.org.
And that’s where the chain of redirects ends, so that’s the URL we finally end up at.
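Here is an added Python version of the telnet/curl walk above (not part of the original post): it follows one hop at a time rather than letting the HTTP library auto-follow, recognises both meta-refresh pages and 3xx Location headers (including relative ones), stops on a loop, and records every URL in the chain. The hosts in FAKE_WEB are constructed placeholders standing in for the real sites; http_fetch is the live fetcher you would pass to trace() instead.

```python
import re
from html import unescape
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener

# <meta http-equiv="refresh" content="0;url=..."> with http-equiv before content.
META_REFRESH = re.compile(r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
                          r'content\s*=\s*["\']?\s*\d*\s*;\s*url\s*=\s*["\']?([^"\'>\s]+)', re.I)

def next_hop(url, status, headers, body):
    """URL a browser would load next (3xx Location or meta-refresh), else None."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:
        return urljoin(url, location)  # Location may be relative to the page
    m = META_REFRESH.search(body or "")
    return urljoin(url, unescape(m.group(1))) if m else None

def trace(url, fetch, max_hops=10):
    """Walk the chain hop by hop; fetch(url) returns (status, headers, body)."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1], *fetch(chain[-1]))
        if nxt is None or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain

class _NoRedirect(HTTPRedirectHandler):  # surface each 3xx instead of following it
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url):
    """Live fetcher for real use; not exercised by the offline chain below."""
    try:
        resp = build_opener(_NoRedirect).open(Request(url), timeout=15)
    except HTTPError as err:  # with redirects disabled a 3xx arrives as an error
        resp = err
    return resp.code, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")

# Constructed offline stand-in for the web (placeholder hosts) mirroring the
# post's walk: spammer page -> tracker -> affiliate tracker -> landing page.
FAKE_WEB = {
    "http://spammer.example/go": (200, {}, '<html><head><meta http-equiv="refresh" '
        'content="0;url=http://tracker.example/click?id=7"></head></html>'),
    "http://tracker.example/click?id=7": (302, {"Location": "/out?id=7"}, ""),
    "http://tracker.example/out?id=7": (302, {"Location": "http://affiliate.example/t?c=7"}, ""),
    "http://affiliate.example/t?c=7": (302, {"Location": "http://landing.example/signup"}, ""),
    "http://landing.example/signup": (200, {}, "<html>sign-up form</html>"),
}
```

Each intermediate host in the returned chain is a party that gets to count the click, which is exactly the list of who-pays-whom the next section builds.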
So the spammer, denigradeelite.com, is sending clicks to afftrackinglinks.com. We know that afftrackinglinks.com is OfferWeb.net, as the domain registration for the two domains is identical.
Offerweb are then sending tracking links to affiliate.sctracking.com, who we can tell from their webpage are SureClick.
affiliate.sctracking.com are then sending the clicks to aarpmembership.org. We want to identify who is operating aarpmembership.org (which may be different from who originally registered it). We know that aarpmembership.org is hosted at 22.214.171.124. And we know that the operator of 126.96.36.199 claims that it’s smtp.sureclick.com. And we confirm that smtp.sureclick.com really is 188.8.131.52. So we know that the landing page and signup form is being operated by SureClick, who we know are selling lead-generation services to the AARP.
So either someone is working for free, or the AARP pays SureClick who pay OfferWeb who pay “Andrew Talbot” to send blatant, really badly done, spam on the behalf of the AARP.