Spammer Tactics – How they try to mislead you?
József Pálfi

Spammers are the enemies of every sysadmin, because they change their tactics day by day. Keeping the software on your servers up to date is not always as easy as it might seem. Even if you run the latest application version, protected against the known security risks, you can still host a lot of user-managed content, and that content is like honey for hackers.

At a hosting provider, many customers share the same resources. Unfortunately, they often lack the knowledge to keep their website up to date. You can send them tons of e-mails about the importance of strong passwords or draw their attention to the significance of continuous security updates; if that is ineffective, and it often is, the conclusion is that you have to protect their websites yourself. Furthermore, some customers get angry about these kinds of mails, or simply become frightened and move their sites to a competing provider instead of patching their code.

Outdated content management systems, along with their themes and plugins, are popular targets for spammers. The attempts below all come from the same IP and show how spammers' tactics have changed over the last 1-2 years. And this is just one example among many different kinds.
A typical spam attempt from about 1.5 years ago:

[Screenshot: list_data]

It was interesting to decode the 'list' and 'data' HTTP GET parameters and then discover the regular sequences in them. After base64-decoding them, the first thing we noticed was the ",amo" sequence in the string.

33161:671;Bss,amo!33161:7:;0Bss,amo!33161:4375Bss,amo!33161;2:46Bss,amo!3316623;14Bss,amo!

Our CEO, George, said he had seen this before as the encoded form of the .com TLD, so we began to decode the whole text. The result was a list of e-mail addresses with hashmark delimiters between them.

The attacker often uses a simple rotation or an XOR with a constant key, and after a while you realise that these parameters are the input of a spammer script, namely e-mail addresses and spam content.
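As an added example (not code from the original post), the decoder below takes one such base64 parameter value, tries every single-byte XOR key and every byte rotation, and keeps whichever candidate exposes the most e-mail addresses. The sample input is the string quoted above, re-encoded to base64 here because the original request value is not shown; on it the winning transform is XOR with key 2, which turns ",amo" into ".com" and "!" into the "#" delimiter.

```python
import base64
import re
from typing import List, Optional, Tuple

# The 'data' value as it looked after the post's base64 step (quoted above).
SAMPLE_DECODED = (
    "33161:671;Bss,amo!33161:7:;0Bss,amo!33161:4375Bss,amo!"
    "33161;2:46Bss,amo!3316623;14Bss,amo!"
)
# Constructed: the original base64 request value is not shown in the post,
# so we rebuild it from the decoded sample to exercise the whole pipeline.
SAMPLE_PARAM = base64.b64encode(SAMPLE_DECODED.encode("ascii")).decode("ascii")

# Loose e-mail pattern; good enough to score decoding candidates.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def xor_const(data: bytes, key: int) -> bytes:
    """XOR every byte with a constant single-byte key."""
    return bytes(b ^ key for b in data)

def rotate(data: bytes, key: int) -> bytes:
    """Add a constant to every byte (a byte-wise Caesar shift)."""
    return bytes((b + key) & 0xFF for b in data)

def best_decoding(data: bytes) -> Optional[Tuple[str, int, str, List[str]]]:
    """Try every single-byte XOR key and every rotation; keep the candidate
    that exposes the most e-mail addresses. Returns
    (method, key, plaintext, emails), or None if nothing looks like a list."""
    best = None
    for method, transform in (("xor", xor_const), ("rot", rotate)):
        for key in range(1, 256):
            candidate = transform(data, key)
            found = EMAIL_RE.findall(candidate)
            if found and (best is None or len(found) > len(best[3])):
                best = (method, key, candidate.decode("latin-1"),
                        [m.decode("latin-1") for m in found])
    return best

def decode_spam_param(value: str) -> Optional[Tuple[str, int, str, List[str]]]:
    """Full pipeline for one GET parameter: base64, then brute-force the key."""
    return best_decoding(base64.b64decode(value))

if __name__ == "__main__":
    result = decode_spam_param(SAMPLE_PARAM)
    if result:
        method, key, plaintext, emails = result
        print(f"{method} key={key}: {len(emails)} addresses, e.g. {emails[0]}")
```

The same brute force works on the later 'layer'/'dimm' and randomly named parameters, since it scores the decoded content rather than matching parameter names.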

[Screenshot: list_data_decoded]

As sysadmins wrote various rules to reject these attempts, the spammers changed tactics and renamed 'list' and 'data' to 'layer' and 'dimm' respectively, but the encoding stayed the same.

[Screenshot: layer_dimm]

Clearly, simple pattern matching on the parameter names is fighting the air: the keys can be anything. Just look at the next example, where the parameters are totally random; this is now the common practice.

[Screenshot: random]

So, what can we do? Prevention is the basis of all defense: you have to stop spammers at an early stage. BitNinja maintains an up-to-date database of spammer IPs, and it can help discover the scripts on your server that spammers are trying to use.
