Happily, in this case the spammer seems to have been consistent in the naming convention used to identify the sending domains and subdomains.

Back in October 2016 (when these spam messages were sent) the FQDN “minitanth.info-88[dot]top” resolved to a specific IP address: 220.127.116.11.

This type of spamming is known as “snowshoe” spamming.
After that, each address happily loaded a Web page displaying the number of bots connecting to each IP address at any given time.
Here’s the output of one controller that’s currently getting pinged by more than 12,000 systems configured to relay porn spam (the relevant part is the first bit on the second line below — “current activebots=”).
In late October 2016, an anonymous source shared with KrebsOnSecurity a list of nearly 100 URLs that — when loaded into a Firefox browser — each displayed what appeared to be a crude but otherwise effective text-based panel designed to report in real time how many “bots” were reporting in for duty.
Here’s a set of archived screenshots of those counters illustrating how these various botnet controllers keep a running tab of how many “activebots” — hacked servers set up to relay spam — are sitting idly by and waiting for instructions.
That’s because spammers are usually involved in the distribution of malicious software, and spammers who maintain vast networks of apparently compromised systems are almost always involved in creating or at least commissioning the creation of said malware.
Worse, porn spammers are some of the lowest of the low, so it’s only prudent to behave as if any and all of their online assets are actively hostile or malicious.

Received: from minitanth.info-88(037008194168.suwalki.[18.104.22.168])
Received: from exundancyc.megabulkmessage225(109241011223.slupsk.[109.2])
Received: from disfrockinga.message-49(unknown [.251])
Received: from offenders.megabulkmessage223(088156021226.olsztyn.[88.1])
Received: from snaileaterl.inboxmsg-228(109241018033[109.2])
Received: from soapberryl.inboxmsg-242(037008209142.suwalki.[22.214.171.124])
Received: from dicrostonyxc.inboxmsg-230(088156042129.olsztyn.[88.1])

To learn more about what information you can glean from email headers, see this post. But for now, here’s a crash course for our purposes.

So, armed with all of that information, it took just one or two short steps to locate the IP addresses of the corresponding botnet reporting panels. Quite simply, one does DNS lookups to find the names of the name servers that were providing DNS service for each of this spammer’s second-level domains.

Using passive DNS tools from Farsight Security — which keeps a historic record of which domain names map to which IP addresses — I was able to find that the spammer who set up the domain info-88[dot]top had associated the domain with hundreds of third-level subdomains (e.g.
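The header triage described above, as an added example that is not from the post or its author: a Python parser that pulls the HELO name, reverse-DNS name and IP out of Received: lines in the layout quoted here, collapses each HELO name to the spammer's numbered naming pattern, and flags the families whose hosts each arrive from a different address (the snowshoe spread). The hostnames under info-88.top echo names from the post; the other hostnames and every IP address are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample Received: headers in the "from <HELO name> (<reverse-DNS
# name> [<IP>])" layout quoted in the post. Hosts under info-88.top echo names
# from the post; the other hostnames and all IPs are made up (RFC 5737 ranges).
SAMPLE_HEADERS = [
    "Received: from minitanth.info-88.top (037008194168.suwalki.example [192.0.2.17])",
    "Received: from soapberryl.info-88.top (037008209142.suwalki.example [192.0.2.44])",
    "Received: from exundancyc.megabulkmessage225.example (109241011223.slupsk.example [198.51.100.9])",
    "Received: from offenders.megabulkmessage223.example (unknown [198.51.100.71])",
    "Received: from dicrostonyxc.inboxmsg-230.example(088156042129.olsztyn.example [198.51.100.130])",
    "Received: from mail.corp.example.com (mail.corp.example.com [203.0.113.5])",
]

# HELO name, optional reverse-DNS name, bracketed IPv4; a missing space before "(" is tolerated.
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(?P<helo>[^\s(]+)\s*\(\s*(?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\s*\)")


def parse_received(line):
    """Return {'helo', 'rdns', 'ip'} for one Received: header, else None."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rdns"] = rec["rdns"] or "unknown"
    return rec


def naming_family(hostname):
    """Drop the host label and replace the trailing counter of the next one,
    e.g. minitanth.info-88.top -> info-N.top; names under three labels stay as-is."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return ".".join(labels)
    parent = labels[1:]
    parent[0] = re.sub(r"\d+$", "N", parent[0])
    return ".".join(parent)


def group_senders(headers):
    """Map each naming family to the set of (HELO host, IP) pairs seen under it."""
    families = defaultdict(set)
    for rec in filter(None, map(parse_received, headers)):
        families[naming_family(rec["helo"])].add((rec["helo"], rec["ip"]))
    return dict(families)


def snowshoe_candidates(families, min_hosts=2):
    """Families with at least min_hosts hosts, each arriving from a distinct IP."""
    return sorted(name for name, pairs in families.items()
                  if len(pairs) >= min_hosts and len({ip for _, ip in pairs}) == len(pairs))
```

Feed it the Received: lines from a mailbox of the spam in question and the families with many hosts on many addresses are the ones worth running through passive DNS.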