Spammers and BGP again

Carl Byington
510 Software Group
2014-12-03

Abstract

Previous claims of spammers using short-lived BGP announcements were analyzed in [1]. Some new data on this topic has been published in [2], implicating AS43239, AS57756, AS57792, and AS197329. I am now re-running the experiment from [1] to see if I can detect this pattern.

BGP Changes since 2008

In 2008, we were seeing about 10 bgp events per minute, with an active population of about 256K prefixes. In 2014, we see about 60 bgp events per minute, with an active population of about 520K prefixes.

Changes to prefix selection

The spammer still needs to select some prefix(es) to announce. Much of the discussion in [1] still applies. [2] points out that the spammer may claim to be a DDoS company as a reason for announcing a large collection of prefixes. I still like 52/8, which is now completely unused.

AS path selection

Given that the spammer controls AS #S, and they are announcing prefixes via their upstream connection on AS #U, a normal AS path would look like

prefix/len path xx ... xx #U #S

In that case, #S is the origin AS for their prefix. However, they can also pretend to have received that announcement from the actual owner of the prefix:

52.1.0.0/16 path xx ... xx #U #S 7823

Results

2014-09-11 04:56:53 117.205.128.0/20 40484 7397 226 6939 35819 48237 35819 174 6453 4755 9829
2014-09-11 04:56:56 smtp connection from 117.205.140.146
2014-09-11 08:43:21 117.205.128.0/20 40484 7397 226 6939 1299 6453 4755 9829 withdrawn
2014-09-11 08:44:12 117.205.128.0/20 40484 7397 226 2914 6453 4755 9829

The covering 117.205.128.0/18 is also announced, with the same behaviour as 117.205.128.0/20, which has had over 140 bgp updates over the last 4 days; all of them end with 6453 4755 9829. The path into AS6453 bounces around among 174, 209, 1299, 2828, 2914, 3356 and 7843. The suspicious announcement above at 04:56:53 is the only one containing 35819 48237 35819. 117.205.128.0/20 was withdrawn for less than a minute at 08:43:21, but that triggered the detection of a short-lived bgp announcement containing an smtp connection. The mail client at 117.205.140.146 was on the SBL (both PBL and CBL) when the smtp connection arrived, so that spam was rejected anyway. It seems unlikely that the spammers that we are looking for would pick a /20 where the enclosing /12 is listed on the PBL.



2014-08-22 10:25:57 105.228.0.0/16 40484 7397 226 2914 5713 37457
2014-09-12 21:22:28 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 21:22:58 105.228.12.0/22 40484 7397 20001 7843 3491 5713 37457 37457
2014-09-12 21:52:07 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 21:54:37 105.228.12.0/22 40484 7397 226 6939 5713 5713 37457 37457
2014-09-12 21:55:07 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 21:56:55 smtp connection from 105.228.13.241
2014-09-12 22:21:15 105.228.12.0/22 40484 7397 20001 7843 3491 5713 37457 37457
2014-09-12 22:23:15 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 22:25:16 105.228.12.0/22 40484 7397 226 6939 5713 5713 37457 37457
2014-09-12 22:25:45 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 22:51:53 105.228.12.0/22 40484 7397 20001 7843 3491 5713 37457 37457
2014-09-12 22:54:54 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 23:03:27 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457 withdrawn
2014-09-12 23:21:00 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 23:22:31 105.228.12.0/22 40484 7397 20001 7843 3491 5713 37457 37457
2014-09-12 23:23:00 105.228.12.0/22 40484 7397 226 2914 3491 5713 37457 37457
2014-09-12 23:23:31 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 23:25:31 105.228.12.0/22 40484 7397 20001 7843 3491 5713 37457 37457
2014-09-12 23:28:31 105.228.12.0/22 40484 7397 226 2914 3491 5713 37457 37457
2014-09-12 23:28:51 105.228.12.0/22 40484 7397 226 2914 3491 5713 37457 37457 withdrawn
2014-09-12 23:32:32 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 23:33:02 105.228.12.0/22 40484 7397 20001 7843 174 5713 37457 37457
2014-09-12 23:37:02 105.228.12.0/22 40484 7397 20001 7843 174 5713 37457 37457 withdrawn

AS37457 is telkom.co.za, and they have the enclosing 105.228.0.0/16, which has been announced continuously since 2014-08-22. 105.228.12.0/22 was only announced for about 2 hours, and that window does contain an smtp connection. The mail client at 105.228.13.241 was on the SBL (both PBL and CBL) when the smtp connection arrived, so that spam was rejected anyway. It seems unlikely that the spammers that we are looking for would pick a /22 where the enclosing /15 is listed on the PBL.



2014-09-13 15:24:50 smtp connection from 105.225.68.197
2014-09-13 15:31:58 105.225.68.0/24 40484 7397 226 567 2152 209 174 5713 37457 37457 withdrawn

AS37457 again announcing parts of their /16 in an unstable manner, similar to the previous case on 2014-09-12.



2014-10-01 22:41:47 smtp connection 202.153.227.210
2014-10-02 01:24:57 202.153.226.0/23 40484 7397 226 6939 1299 2914 38525 9340 withdrawn

That address was already listed on one of the spamhaus lists before the smtp connection, so I think this is another false positive in my detection mechanism. It currently seems to be infected with conficker, or natting for a machine infected with conficker.



2014-10-02 11:23:21 smtp connection from 177.10.6.109
2014-10-02 13:29:00 177.10.6.0/24 40484 7397 20001 7843 6453 3549 53230 withdrawn

That address was already listed on one of the spamhaus lists before the smtp connection, so I think this is another false positive in my detection mechanism. It currently seems to be infected with asprox, or natting for a machine infected with asprox.



2014-10-19 22:08:27 210.210.144.0/20 40484 7397 20001 7843 6453 38158 4787
2014-10-19 22:08:27 210.210.152.0/21 40484 7397 20001 7843 6453 38158 4787
2014-10-19 22:13:28 210.210.144.0/20 40484 7397 20001 7843 1299 38158 4787
2014-10-19 22:13:28 210.210.152.0/21 40484 7397 20001 7843 1299 38158 4787
2014-10-20 02:08:40 smtp connection from 210.210.154.10
2014-10-20 19:33:46 smtp connection from 210.210.154.10
2014-10-20 22:20:55 210.210.128.0/18 40484 7397 226 7473 38158 4787
2014-10-20 22:20:55 210.210.128.0/19 40484 7397 20001 7843 6453 38158 4787
2014-10-20 22:20:55 210.210.152.0/22 40484 7397 20001 7843 6453 38158 4787
2014-10-20 22:21:26 210.210.152.0/22 40484 7397 20001 7843 1299 38158 4787
2014-10-20 22:24:06 smtp connection from 210.210.154.10
2014-10-20 22:25:03 smtp connection from 210.210.154.10
2014-10-20 22:38:02 210.210.154.0/24 40484 7397 226 6939 4635 55818 38158 4787
2014-10-20 22:38:54 210.210.154.0/24 40484 7397 226 6939 4635 55818 38158 4787 withdrawn
2014-10-20 23:04:11 210.210.128.0/18 40484 7397 20001 7843 1299 38158 4787
2014-10-20 23:04:11 210.210.128.0/19 40484 7397 226 6939 1299 6453 38158 4787
2014-10-20 23:04:42 210.210.128.0/18 40484 7397 226 7473 38158 4787 4787 4787
2014-10-20 23:04:42 210.210.152.0/22 40484 7397 226 6939 1299 6453 38158 4787
2014-10-20 23:04:47 210.210.128.0/19 40484 7397 226 6939 1299 6453 38158 4787 withdrawn
2014-10-20 23:05:12 210.210.152.0/22 40484 7397 226 567 2152 3356 1299 38158 4787
2014-10-20 23:05:17 210.210.152.0/22 40484 7397 226 567 2152 3356 1299 38158 4787 withdrawn
2014-10-21 00:08:08 210.210.128.0/18 40484 7397 226 7473 38158 4787
2014-10-21 00:08:38 210.210.128.0/19 40484 7397 20001 7843 6453 38158 4787
2014-10-21 00:08:38 210.210.152.0/22 40484 7397 20001 7843 1299 38158 4787

AS4787 is PT Cyberindo Aditama / cbn.net.id. There were four delivery attempts from 210.210.154.10. The first two were through the stable 210.210.152.0/21 prefix, but even then 210.210.154.10 was (and is currently) listed on the spamhaus lists, apparently infected with cutwail, or natting for a machine infected with cutwail. I think this is another false positive in my detection mechanism.



2014-10-26 07:40:30 88.222.0.0/17 40484 7397 226 6939 13194 39354
2014-10-26 07:42:31 88.222.0.0/17 40484 7397 226 2914 3320 13194 39354
2014-10-26 07:44:31 88.222.0.0/17 40484 7397 226 6939 13194 39354
2014-10-26 07:48:03 88.222.0.0/17 40484 7397 2828 3356 13194 13194 13194 39354
2014-10-26 07:48:29 88.222.0.0/17 40484 7397 2828 3356 13194 13194 13194 39354 withdrawn
2014-10-26 08:00:38 88.222.0.0/17 40484 7397 226 6939 12578 39354
2014-10-26 08:50:57 88.222.0.0/17 40484 7397 226 2914 3320 12578 39354
2014-10-26 08:51:28 88.222.0.0/17 40484 7397 226 2914 3320 13194 39354
2014-10-26 08:51:28 88.222.0.0/22 40484 7397 226 2914 3320 13194 39354
2014-10-26 08:52:39 smtp connection from 88.222.0.10
2014-10-26 08:52:58 88.222.0.0/22 40484 7397 226 567 2152 3356 3320 13194 39354
2014-10-26 08:53:26 88.222.0.0/22 40484 7397 226 567 2152 3356 3320 13194 39354 withdrawn
2014-10-26 20:16:55 88.222.0.0/17 40484 7397 226 2914 3320 13194 39354
2014-10-26 20:28:46 88.222.0.0/17 40484 7397 226 2914 3320 13194 39354

This looks more like a network connectivity issue: Dokeda dropping and recovering a link to their primary upstream, with a 10-minute complete loss of connectivity. Both spamassassin and the dcc rejected the delivery attempt, which was a simple financial scam spam, injected into their webmail (SquirrelMail authenticated user edita) from 178.162.199.130.



2014-11-10 22:24:22 smtp connection from 157.56.111.56
2014-11-10 22:25:40 157.56.110.0/23 40484 7397 226 6939 1299 174 4826 12076 8075 withdrawn

This seems to be a routing instability for Microsoft outlook.com. The mail server on the other end of that connection was clearly a Microsoft machine.



2014-11-24 02:13:37 107.179.95.0/24 40484 7397 226 2914 32421 46573
2014-11-24 04:45:15 smtp connection 107.179.95.220
2014-11-24 04:54:53 107.179.95.0/24 40484 7397 226 567 2152 3356 2914 32421 46573
2014-11-24 04:55:24 107.179.95.0/24 40484 7397 20001 7843 2828 2914 32421 46573
2014-11-24 04:55:54 107.179.95.0/24 40484 7397 226 2914 32421 46573
2014-11-24 06:18:19 107.179.95.0/24 40484 7397 226 6939 1299 2914 32421 46573
2014-11-24 06:18:25 107.179.95.0/24 40484 7397 226 6939 1299 2914 32421 46573 withdrawn
2014-11-24 06:21:20 107.179.95.0/24 40484 7397 226 2914 32421 46573
2014-11-24 08:18:23 107.179.95.0/24 40484 7397 226 6939 1299 2914 32421 46573

107.179.95.220 had and still has the reverse DNS name volunteer.madpatriot.com, which is now listed on both the SURBL and DBL lists. The spam run started 2014-11-24 04:33:03 and ended at 05:58:16. For all of those, 107.179.95.220 sent "EHLO volunteer.madpatriot.com". The first spam was accepted; the rest were rejected by the DCC until 05:25:38, when ZEN listed the IP address. All the rest were rejected by ZEN. I think this is another false positive - that /24 announcement is a bit unstable, and I think it was coincidence that it disappeared for a short time in the middle of their spam run.

Conclusions

I still see no evidence that spammers are actually using short-lived BGP announcements to send spam. The current test ran for 80 days, and looked at about 2.3M SMTP connections.

Of course, it is possible that we have simply filtered out too many bgp events: spammers may be using this technique, and we are just not seeing their announcements because those events were discarded as noise.
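The detection mechanism used in the results above, together with the noise-filtering caveat, as an added example that is not the author's code: it parses log lines in the format shown in the results, flags smtp connections that fall inside a prefix announcement shorter than an assumed threshold (max_hours is my assumption, not a value from the page), and records any covering prefix still announced at withdrawal time, which is the context the author uses to judge each case. The sample log is a subset of the page's own lines; the 157.56.110.0/23 withdrawal shows the case where the announcement predates the log window.

```python
import ipaddress
from datetime import datetime, timedelta

# Sample input in the log format of the results above (subset of the page's lines).
SAMPLE_LOG = """\
2014-08-22 10:25:57 105.228.0.0/16 40484 7397 226 2914 5713 37457
2014-09-12 21:22:28 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457
2014-09-12 21:56:55 smtp connection from 105.228.13.241
2014-09-12 22:21:15 105.228.12.0/22 40484 7397 20001 7843 3491 5713 37457 37457
2014-09-12 23:03:27 105.228.12.0/22 40484 7397 226 6939 5713 37457 37457 withdrawn
2014-11-10 22:24:22 smtp connection from 157.56.111.56
2014-11-10 22:25:40 157.56.110.0/23 40484 7397 226 6939 1299 174 4826 12076 8075 withdrawn
"""

def parse(line):
    """Return (timestamp, kind, object): kind is 'smtp', 'announce' or 'withdraw'."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = line[20:].split()
    if fields[0] == "smtp":
        return ts, "smtp", ipaddress.ip_address(fields[-1])   # works with or without "from"
    kind = "withdraw" if fields[-1] == "withdrawn" else "announce"
    return ts, kind, ipaddress.ip_network(fields[0])

def find_short_lived(log, max_hours=4):
    """One (prefix, lifetime, client, connect_time, covering) tuple per smtp
    connection from inside a prefix announced for at most max_hours (assumed
    threshold).  covering lists less-specific prefixes still announced when
    the short-lived one was withdrawn."""
    max_lifetime = timedelta(hours=max_hours)
    announced = {}   # prefix -> start of its current announcement episode
    smtp = []        # (timestamp, client address) seen so far
    hits = []
    for line in log.splitlines():
        ts, kind, obj = parse(line)
        if kind == "smtp":
            smtp.append((ts, obj))
        elif kind == "announce":
            announced.setdefault(obj, ts)   # a path change does not restart the episode
        else:
            start = announced.pop(obj, None)
            if start is None:
                continue   # announcement predates the log window: lifetime unknown
            lifetime = ts - start
            if lifetime > max_lifetime:
                continue   # stable announcement, filtered out as noise
            for when, client in smtp:
                if start <= when <= ts and client in obj:
                    covering = [str(p) for p in announced if p != obj and client in p]
                    hits.append((str(obj), lifetime, str(client), when, covering))
    return hits
```

Raising max_hours admits more of the routing instability seen in the results above; lowering it is the over-filtering the conclusions warn about.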

Rather than short-lived BGP announcements, at least one spammer decided to use very long-lived BGP announcements. In a grand BGP hijack, AS201640 took over large chunks of address space between 2014-09 and 2014-11. At one point, that included 36.0.56.0/21 41.92.206.0/23 41.198.80.0/20 41.198.224.0/20 61.242.128.0/19 119.227.224.0/19 123.29.96.0/19 177.22.117.0/24 177.46.48.0/22 187.189.158.0/23 202.39.112.0/20 See this and this.

References

[1] Carl Byington, Spammers and BGP, July 2008. http://www.five-ten-sg.com/mapper/flap

[2] Andree Toonk, Using BGP data to find Spammers, Sept. 2014. http://www.bgpmon.net/using-bgp-data-to-find-spammers/