Today we are seeing another high volume spam campaign. It is very similar to the one I wrote about yesterday:
- The IPs are all compromised (i.e., the spam is coming directly from botnets).
- The URLs point mostly to compromised web hosts, that is, the URLs are legitimate but have been broken into and are either serving malware or hosting phishing pages. But not all of them are compromised, some look like they have been created exclusively for the purpose of spamming.
- The content contains legitimate words and phrasing but to the trained eye (or even the untrained one) it is clearly phishing (or spoofing in an attempt to infect you with malware, or resolve to a pharmaceutical page which is kind of weird – confirm your identity leads to an advertising landing page?).
- Many of the sending domains do not contain SPF records, meaning that the spammers can spoof them without negatively impacting delivery.
My guess is that this is the same spammer that was doing it yesterday. After getting blocked he just updated his campaign: he rotated his spamming IPs, compromised URLs and message content.
My sources indicate that this is the darkmailer botnet. Looking back over my historical data, darkmailer sends in waves. The past couple of days have seen an increase in activity after a “quiet” period of a couple of weeks. This would lend credence to my theory of a spammer renting the botnet since most spammers don’t do it continuously but instead rent the equipment for a period of time.
My stats also indicate that most of the spamming IPs over the past couple of days originate in China. This is unusual for a botnet these days because the most commonly occurring botnets are in the US, Russia, India and south east Asia (and parts of Europe). China used to be a spam source but has cleaned up its act significantly.