From Russia with love

As I was alluding to in my previous post, I have been doing some research on the geographical location of the servers where spammy URLs are hosted. In doing this research, I came across a curious phenomenon which I call the 3+1 scenario: these domains have multiple A-records, 3 of which are hosted in China while 1 is hosted in Russia. It occurs again and again and again. Observe:

japyufad.cn
    203.93.208.86   China
    218.75.144.6    China
    220.196.59.35   Russia
    91.213.33.10    China

wqejayot.cn
    203.93.208.86   China
    218.75.144.6    China
    220.196.59.35   China
    91.213.33.10    Russia

shegugaz.cn
    203.93.208.86   China
    218.75.144.6    China
    220.196.59.35   China
    91.213.33.10    Russia

djemuqot.cn
    203.93.208.86   China
    218.75.144.6    China
    220.196.59.35   China
    91.213.33.10    Russia

psuyojox.cn
    220.196.59.35   China
    91.213.33.10    Russia
    203.93.208.86   China
    218.75.144.6    China

Why are three hosted in China while one points to Russia? Notice that the IPs are all the same across these domains, indicating that this is most likely the work of one spammer. Registrar information, unfortunately, is not available. The Chinese IP spaces are owned by China United Network Communications (Unicom), China Unicom (hmm, probably the same company), and Chinanet Hunan. The Russian IP space is owned by CGM-Net (CGM Ltd). Unfortunately, the Chinese netblocks in Whois do not carry ASN information; otherwise I could have looked for patterns there. My initial guess is that this spammer is looking for non-correlated, spam-friendly hosting and has found his picks. He reuses them over and over again.

This particular spammer is one of the more prolific ones. In my sample, these IPs account for 12% of all the unique IPs. This guy's been busy; he's got built-in redundancy, so he's obviously trying to make sure that if one host goes down, he has a working backup. Clever thinking, in my opinion.
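Here is how the 3+1 check and the IP-reuse count above could be automated over a batch of resolved A-records. This is an added example written for this post, not the author's own tooling: the A-record data is a constructed copy of the listing above plus an invented control domain, and the netblock-to-country table is an assumed stand-in for a real GeoIP lookup.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: A-records per domain, copied from the listing above,
# plus one invented control domain that shares no infrastructure.
A_RECORDS = {
    "japyufad.cn": ["203.93.208.86", "218.75.144.6", "220.196.59.35", "91.213.33.10"],
    "wqejayot.cn": ["203.93.208.86", "218.75.144.6", "220.196.59.35", "91.213.33.10"],
    "shegugaz.cn": ["203.93.208.86", "218.75.144.6", "220.196.59.35", "91.213.33.10"],
    "djemuqot.cn": ["203.93.208.86", "218.75.144.6", "220.196.59.35", "91.213.33.10"],
    "psuyojox.cn": ["220.196.59.35", "91.213.33.10", "203.93.208.86", "218.75.144.6"],
    "control.example": ["198.51.100.7"],  # constructed, documentation range
}

# Assumed geolocation table (netblock -> country); a real run would consult
# a GeoIP database instead. The prefixes are assumptions for this demo only.
GEO = {
    ip_network("203.93.0.0/16"): "CN",
    ip_network("218.75.0.0/16"): "CN",
    ip_network("220.196.0.0/16"): "CN",
    ip_network("91.213.33.0/24"): "RU",
    ip_network("198.51.100.0/24"): "US",
}

def country_of(ip):
    """Longest-prefix-free lookup: first netblock that contains the address."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")

def split_pattern(domain):
    """Country split of a domain's A-records, e.g. (('CN', 3), ('RU', 1))."""
    counts = Counter(country_of(ip) for ip in A_RECORDS[domain])
    return tuple(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))

def is_three_plus_one(domain):
    """True when the domain shows the 3 China + 1 Russia split from the post."""
    return split_pattern(domain) == (("CN", 3), ("RU", 1))

def infrastructure_clusters():
    """Group domains whose A-record sets are identical (one likely operator)."""
    groups = defaultdict(list)
    for domain, ips in A_RECORDS.items():
        groups[frozenset(ips)].append(domain)
    return {tuple(sorted(doms)): sorted(ips) for ips, doms in groups.items()}

def ip_reuse():
    """How many distinct domains each IP serves: high counts mean reuse."""
    return Counter(ip for ips in A_RECORDS.values() for ip in set(ips))
```

Feeding real resolver output into `A_RECORDS` turns the same functions into a quick triage pass over a spam sample, flagging domains that share an identical hosting set.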

This might be a good time to do a small series on fast-flux.