This is a long-running spam campaign selling email lists, each consisting of thousands of addresses tied to a specific business type. Some of the business types advertised are:
- Criminal Attorneys
- General practitioners
- Hospital Administrators
- Financial planners
- Medical equipment suppliers
- Pharmaceutical companies
- Real estate agents
- Massage Therapists
- Police and Sheriff Services
Every message in this campaign carries a separate address to be "removed," with a local part such as "disappear" or "rembox" at the spammer's domain. This is not an attempt to comply with CAN-SPAM, since the messages violate other CAN-SPAM requirements; it is more likely an easy way to drop "complainers" from the list, or simply a way to confirm which addresses are active, because a removal request proves a live, read mailbox.
The messages that make up this campaign are sent through MTAs all over the world that have been exploited as open relays. The vast majority of the connections into the open relay originate from "22.214.171.124" or "126.96.36.199"; the relay then delivers the message to the recipient. The source IP therefore appears in the Received header written by the relay itself, not in the one written by the recipient's MX, which only ever sees the relay.
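The following is an added example, not code from the original writeup, showing how to recover the spam source from the Received chain described above. It walks the headers outward from our own MX (mx.example.net, an assumed hostname), takes the first untrusted hop as the open relay, and the hop the relay itself recorded as the origin. The Received lines and the relay hostname are constructed; the two source IPs are the ones named in the writeup.

```python
import re
from ipaddress import ip_address

# Constructed sample: Received headers of one message, most recent hop first,
# as our MX (mx.example.net, an assumption) would see them.
SAMPLE_RECEIVED = [
    "from relay.victim-corp.example (relay.victim-corp.example [203.0.113.7]) "
    "by mx.example.net with ESMTP id 4Kf2x; Tue, 01 Mar 2011 10:02:11 +0000",
    "from unknown (HELO lists) ([22.214.171.124]) "
    "by relay.victim-corp.example with SMTP; Tue, 01 Mar 2011 10:01:58 +0000",
]

# The two source addresses named in the writeup.
CAMPAIGN_SOURCES = {"22.214.171.124", "126.96.36.199"}

# Hosts we operate ourselves (assumption); a hop received "by" one of them
# was written by us and can be trusted.
OUR_HOSTS = {"mx.example.net"}

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def parse_hop(header):
    """Return (connecting_ip, receiving_host) for one Received header value.

    The bracketed IP is what the receiving MTA saw on the socket; the HELO
    name in front of it is chosen by the sender and is ignored here.
    """
    ip_m = _IP_RE.search(header)
    by_m = _BY_RE.search(header)
    if not ip_m or not by_m:
        return None
    ip = ip_m.group(1)
    try:
        ip_address(ip)           # reject things like 999.1.1.1
    except ValueError:
        return None
    return ip, by_m.group(1).lower()


def trace_origin(received_headers, our_hosts=OUR_HOSTS):
    """Walk the hops from our MX outward.

    The first hop received by one of our hosts gives the relay's IP. The hop
    after it was written by the relay and names the IP that connected to the
    relay, i.e. the spam source. Returns (relay_ip, origin_ip); origin_ip is
    None when the chain ends at the relay.
    """
    hops = [h for h in (parse_hop(r) for r in received_headers) if h]
    relay_ip = None
    for ip, by_host in hops:
        if relay_ip is None:
            if by_host in our_hosts:
                relay_ip = ip
        else:
            return relay_ip, ip
    return relay_ip, None


def is_campaign_source(received_headers):
    """True when the IP that fed the relay is one of the campaign's sources."""
    return trace_origin(received_headers)[1] in CAMPAIGN_SOURCES


if __name__ == "__main__":
    print(trace_origin(SAMPLE_RECEIVED), is_campaign_source(SAMPLE_RECEIVED))
```

Only the hop written by the relay is worth trusting: the relay is a legitimate MTA and records what it saw, whereas any Received lines beneath it were supplied by the spammer and can say anything. The check also stops at the relay hop, so a forged chain further down cannot make an unrelated message look like part of the campaign.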
The call-to-action is always a mailto: URI. The domain in the mailto is newly registered, typically under the .co.cc TLD, though "us", "at", "tk" and "cz.cc" have also been sighted. The spammers configure these domains as "wildcard" or "catchall" domains, so mail sent to *any* address at the spammer domain is accepted. The MX records for these domains always point to "fairpricelists.info" (188.8.131.52) and "mailserver.cjb.net" (184.108.40.206).
Tricks the spammers use in this campaign include:
- Frequently registering new domains to evade domain-based block lists.
- Using "catchall" domains so that the call-to-action mailtos in the messages can be randomized.
- Exploiting legitimate MTAs as open relays to evade policy-based block lists.
- Obfuscating the call-to-action mailtos to defeat simple mailto extraction.
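The following is an added example, not code from the original writeup, covering the mailto tricks above: it extracts mailto: addresses from a message body, undoes HTML-entity and percent-encoding (the writeup does not say which obfuscations are used, so these are assumptions), discards the "disappear"/"rembox" removal addresses, and keys on the domain rather than the randomized local part. The MX check uses a constructed dictionary standing in for DNS so it runs offline; the sample body and its domain are constructed, while the MX hostnames are the ones named in the writeup.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample body: a plain mailto, an HTML-entity-encoded one, a
# percent-encoded one, and the campaign's removal address. The local parts
# are random because the domain is a catchall.
SAMPLE_BODY = (
    "Order now: mailto:x7q2@example-lists.co.cc\n"
    '<a href="mailto:&#112;&#114;&#105;&#99;&#101;&#115;&#64;example-lists.co.cc">here</a>\n'
    '<a href="mailto:sales%40example%2Dlists%2Eco%2Ecc?subject=lists">click</a>\n'
    "Remove: mailto:disappear@example-lists.co.cc\n"
)

# Mail exchangers the writeup attributes to the campaign's domains.
CAMPAIGN_MX = {"fairpricelists.info", "mailserver.cjb.net"}

# Constructed stand-in for a DNS MX lookup (domain -> set of MX hosts).
FAKE_MX = {
    "example-lists.co.cc": {"fairpricelists.info"},
    "example.org": {"mx.example.org"},
}

REMOVAL_LOCAL_PARTS = ("disappear", "rembox")

_ZERO_WIDTH = dict.fromkeys(map(ord, "\u200b\u200c\u200d\ufeff"), None)
# Stop at whitespace, quotes, angle brackets or the start of a query string.
_MAILTO_RE = re.compile(r"mailto:([^\s\"'<>?]+)", re.IGNORECASE)


def extract_mailto_addresses(body):
    """Return de-obfuscated, lowercased addresses behind every mailto: in body."""
    text = html.unescape(body)          # &#64; -> @, &amp; -> &  (assumed trick)
    found = []
    for raw in _MAILTO_RE.findall(text):
        addr = unquote(raw)             # %40 -> @, %2E -> .      (assumed trick)
        addr = addr.translate(_ZERO_WIDTH).strip().lower()
        if "@" in addr and addr not in found:
            found.append(addr)
    return found


def removal_addresses(body):
    """The campaign's 'removal' addresses present in the body, if any."""
    return [a for a in extract_mailto_addresses(body)
            if a.rpartition("@")[0] in REMOVAL_LOCAL_PARTS]


def call_to_action_domains(body):
    """Domains of the call-to-action mailtos, removal addresses excluded.

    Keying on the domain defeats the catchall randomization of local parts:
    every variant of the same campaign collapses to one value.
    """
    domains = []
    for addr in extract_mailto_addresses(body):
        local, _, domain = addr.rpartition("@")
        if local in REMOVAL_LOCAL_PARTS:
            continue
        if domain and domain not in domains:
            domains.append(domain)
    return domains


def matches_campaign_mx(domain, mx_lookup=FAKE_MX):
    """True when the domain's MX hosts intersect the campaign's MX hosts.

    mx_lookup is the constructed DNS stand-in; swap in a real resolver
    for production use.
    """
    return bool(mx_lookup.get(domain, set()) & CAMPAIGN_MX)


def is_campaign_message(body, mx_lookup=FAKE_MX):
    """Flag a message whose call-to-action domain is served by a campaign MX."""
    return any(matches_campaign_mx(d, mx_lookup)
               for d in call_to_action_domains(body))


if __name__ == "__main__":
    print(call_to_action_domains(SAMPLE_BODY), removal_addresses(SAMPLE_BODY),
          is_campaign_message(SAMPLE_BODY))
```

Matching on the MX rather than the domain is what survives the spammers' domain churn: each freshly registered .co.cc domain is new to a domain-based block list, but it still has to point its MX at one of the two hosts that actually collect the orders.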