Ongoing spam campaign with forged headers and Amazon EC2 abuse team advises to contact the bogon overlords

Recently I’ve been monitoring an ongoing email spam campaign using forged email headers all referencing bogons as the sending servers’ IP addresses. I wasn’t sure why Gmail’s servers would even process these messages since they were blatantly spoofed. Google didn’t respond to my request for comment.

Here are three example header snippets:

spf=neutral (google.com: 91.232.208.157 is neither permitted nor denied by best guess record for domain of mlhhmaidthf@nghpcsqbwbp.com) smtp.mailfrom=mlhhmaidthf@nghpcsqbwbp.com
Return-Path: <mlhhmaidthf@nghpcsqbwbp.com>
Received: from nghpcsqbwbp.com ([91.232.208.157])
by mx.google.com with ESMTP id w4si2021201ywi.300.2017.07.22.23.41.33

Received-SPF: neutral (google.com: 91.232.208.157 is neither permitted nor denied by best guess record for domain of mlhhmaidthf@nghpcsqbwbp.com) client-ip=91.232.208.157;
Authentication-Results: mx.google.com;
spf=neutral (google.com: 91.232.208.157 is neither permitted nor denied by best guess record for domain of mlhhmaidthf@nghpcsqbwbp.com) smtp.mailfrom=mlhhmaidthf@nghpcsqbwbp.com

Date: Sat, 22 Jul 2017 23:41:33 -0700
From: Becca <66062547.28875F4A9BC62EC42E46B0mlhhmaidthf@nghpcsqbwbp.com>
To: (removed email)
Subject: 1 Weird Trick I Wish My Ex-Boyfriend Knew (Uncensored)

—————————————————————-

spf=neutral (google.com: 194.40.240.181 is neither permitted nor denied by best guess record for domain of amwdnrtjyax@vikhhaeewuf.com) smtp.mailfrom=amwdnrtjyax@vikhhaeewuf.com
Return-Path: <amwdnrtjyax@vikhhaeewuf.com>
Received: from vikhhaeewuf.com ([194.40.240.181])
by mx.google.com with ESMTP id p188si4088924oig.219.2017.07.26.15.19.59

Received-SPF: neutral (google.com: 194.40.240.181 is neither permitted nor denied by best guess record for domain of amwdnrtjyax@vikhhaeewuf.com) client-ip=194.40.240.181;

Authentication-Results: mx.google.com;
spf=neutral (google.com: 194.40.240.181 is neither permitted nor denied by best guess record for domain of amwdnrtjyax@vikhhaeewuf.com) smtp.mailfrom=amwdnrtjyax@vikhhaeewuf.com

Date: Wed, 26 Jul 2017 15:19:59 -0700
From: Single Adult Personals PromoPartner <66298910.977C49F4706816BF7B57F1amwdnrtjyax@vikhhaeewuf.com>
To: (removed email)
Subject: Drool over these sexy selfies

—————————————————————-

spf=neutral (google.com: 212.115.52.158 is neither permitted nor denied by best guess record for domain of bpgpszkntahceo@dhgtghersuiscp.com)
smtp.mailfrom=bpgpszkntahceo@dhgtghersuiscp.com
Return-Path: <bpgpszkntahceo@dhgtghersuiscp.com>
Received: from dhgtghersuiscp.com ([212.115.52.158])
by mx.google.com with ESMTP id d4si11107829qtc.389.2017.07.25.04.21.42

Received-SPF: neutral (google.com: 212.115.52.158 is neither permitted nor denied by best guess record for domain of bpgpszkntahceo@dhgtghersuiscp.com) client-ip=212.115.52.158;

Authentication-Results: mx.google.com;
spf=neutral (google.com: 212.115.52.158 is neither permitted nor denied by best guess record for domain of bpgpszkntahceo@dhgtghersuiscp.com)
smtp.mailfrom=bpgpszkntahceo@dhgtghersuiscp.com

Date: Tue, 25 Jul 2017 04:21:42 -0700
From: Becca <38459093.0ECB22A1DCFEFE74808A2Abpgpszkntahceo@dhgtghersuiscp.com>
To: (removed email)
Subject: 1 Weird Trick I Wish My Ex-Boyfriend Knew (Uncensored)

I ran a check on DomainTools.com of the IP addresses referenced in the email headers:

  • 91.232.208.157
  • 194.40.240.181
  • 212.115.52.158

If you see this object as a result of a single IP query, it means the IP address is currently in the free pool of address space managed by the RIPE NCC.

Translation: BOGONS!
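The triage the post walks through by hand (read the connecting IP our own MX recorded, compare it with the SPF client-ip, check the IP against bogon space, notice that "best guess record" means the envelope domain publishes no SPF record at all) can be scripted. The following is an added example and not code from the original post. It embeds the first header snippet above as a constructed sample and, as a labelled assumption, a hand-written bogon prefix list standing in for a real feed such as Team Cymru's fullbogons; the /24s in it are only there because DomainTools reported those addresses as being in the RIPE free pool at the time.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the first header snippet from the post, trimmed to the
# lines the triage logic needs.
SAMPLE_HEADERS = """\
Return-Path: <mlhhmaidthf@nghpcsqbwbp.com>
Received: from nghpcsqbwbp.com ([91.232.208.157])
 by mx.google.com with ESMTP id w4si2021201ywi.300.2017.07.22.23.41.33
Received-SPF: neutral (google.com: 91.232.208.157 is neither permitted nor denied by best guess record for domain of mlhhmaidthf@nghpcsqbwbp.com) client-ip=91.232.208.157;
From: Becca <66062547.28875F4A9BC62EC42E46B0mlhhmaidthf@nghpcsqbwbp.com>
Subject: 1 Weird Trick I Wish My Ex-Boyfriend Knew (Uncensored)
"""

# ASSUMPTION: a real deployment loads the current bogon list from an
# authoritative feed (e.g. Team Cymru's fullbogons) and refreshes it often.
# These prefixes are constructed for the example only.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "91.232.208.0/24", "194.40.240.0/24", "212.115.52.0/24",
)]

RE_RECEIVED = re.compile(r"^Received: from (\S+) \(\[([0-9.]+)\]\)", re.M)
RE_SPF = re.compile(r"^Received-SPF: (\w+) \((.*?)\) client-ip=([0-9.]+);", re.M)
RE_RETURN_PATH = re.compile(r"^Return-Path: <([^@>]+)@([^>]+)>", re.M)
RE_FROM = re.compile(r"^From: .*<([^@>]+)@([^>]+)>", re.M)


@dataclass
class Triage:
    client_ip: str
    helo_name: str
    mailfrom_domain: str
    spf_result: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def is_bogon(ip: str, prefixes=BOGON_PREFIXES) -> bool:
    """Reserved/private space is a bogon by definition; unallocated space
    is only known through the feed."""
    addr = ipaddress.ip_address(ip)
    return not addr.is_global or any(addr in p for p in prefixes)


def triage(headers: str) -> Triage:
    recv = RE_RECEIVED.search(headers)
    spf = RE_SPF.search(headers)
    rp = RE_RETURN_PATH.search(headers)
    frm = RE_FROM.search(headers)
    if not (recv and spf and rp):
        raise ValueError("Received, Received-SPF and Return-Path are all required")

    helo_name, conn_ip = recv.group(1).lower(), recv.group(2)
    spf_result, spf_note, spf_ip = spf.groups()
    mailfrom_local, mailfrom_domain = rp.group(1), rp.group(2).lower()
    t = Triage(conn_ip, helo_name, mailfrom_domain, spf_result.lower())

    # 1. The one trustworthy datum is the IP our own MX saw on the TCP
    #    connection; the SPF check must have been run against that same IP.
    if conn_ip != spf_ip:
        t.reasons.append(f"Received IP {conn_ip} != SPF client-ip {spf_ip}")
    # 2. Connection sourced from reserved or unallocated address space.
    if is_bogon(conn_ip):
        t.reasons.append(f"client IP {conn_ip} is a bogon")
    # 3. "best guess record" means the envelope domain publishes no SPF record.
    if t.spf_result == "neutral" and "best guess record" in spf_note:
        t.reasons.append(f"{mailfrom_domain} publishes no SPF record")
    # 4. HELO name is the bare envelope domain rather than a mail host.
    if helo_name == mailfrom_domain:
        t.reasons.append("HELO name is the bare envelope domain")
    # 5. From: local part is the envelope local part with a token prepended,
    #    the pattern visible in all three samples in the post.
    if frm:
        from_local, from_domain = frm.group(1), frm.group(2).lower()
        if (from_domain == mailfrom_domain and from_local != mailfrom_local
                and from_local.endswith(mailfrom_local)):
            t.reasons.append("From: local part wraps the envelope sender with a token")
    return t


if __name__ == "__main__":
    for reason in triage(SAMPLE_HEADERS).reasons:
        print("-", reason)
```

Only the first hop (the `Received:` line written by mx.google.com) is trusted here; any earlier `Received:` lines the sender supplied are ignored, since those are the ones a spammer controls. Registration status of the envelope domain is deliberately not checked offline; in practice that is a WHOIS or DNS lookup bolted on as a sixth reason.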

What about the domain names referenced in the headers? Those can’t be fake too, right?

  • nghpcsqbwbp.com
  • vikhhaeewuf.com
  • dhgtghersuiscp.com

Sadly, they aren’t even registered and, as such, don’t exist.

So who can we contact to report this network abuse? Looking deeper into the body of the emails, I found they all contain a link for the recipient to click on. The DNS names extracted from those links are:

  • mgvtuzwjyhz.popexploitsraved.club
  • hokaehxylug.gcyclingcyberspacemod.site
  • iezegviufre.gmanglerszorchingspoofing.site

According to DomainTools.com all three domains are registered through Namecheap.com and the owner’s information is hidden by WhoisGuard, Inc.


Upon contacting Namecheap and advising them of the above details, I received the following response from Sergey Chernenko in the Legal & Abuse Department:

In this situation, Namecheap acts as the registrar only. It means that our ability to investigate the matter is limited since the content transmitted via the website is not located on our server. Please also note that we do not own the reported domain name, we are simply the company the domain name was registered with.

Considering the aforementioned points, we recommend that you contact the hosting provider, who would be in a better position to validate your claim and take the appropriate action. For your convenience, here are the contact details of the company that owns the IP address assigned to the domain: https://whois.domaintools.com/35.160.47.71

I followed up and provided additional details to Ksenia Bezuglaya in Namecheap’s Legal & Abuse Department; however, it was to no avail, and it was clear that Namecheap would not blackhole the DNS records for the three domain names.

At this point, I contacted the hosting provider, Amazon Elastic Compute Cloud (Amazon EC2), and provided them with all the details of my investigation. The two Amazon EC2 managed IP addresses found in the emails were 35.160.47.71 and 35.167.123.130.


The first reply I received from the Amazon EC2 abuse team was somewhat confusing:

We understand your concern regarding the continued availability of this content. As noted previously, as a courtesy we notified our customer of your request to have the content removed or access disabled, however, as we do not consider this content to be in violation of our terms, we are not able to take additional action. We strongly encourage you to continue to work with our customer directly to address any additional concerns that you may have.

So I followed up asking them to confirm that AWS allows users to send emails with forged headers, which would be in violation of U.S. Federal Law 15 U.S.C. ch. 103 (CAN-SPAM Act of 2003). I didn’t hear back from the Amazon EC2 abuse team for a week, so I sent another follow-up asking for further comment. Shortly thereafter, I received a reply:

Apologies for the delay. As the email wasn’t sent from the AWS IP space, there isn’t any action we can take to stop this from occurring. If you haven’t already, please contact the hosting provider(s) for these IPs to address the origin of the emails.

The only content hosted on AWS are the domains iezegviufre.gmanglerszorchingspoofing.site and hokaehxylug.gcyclingcyberspacemod.site. We determined that this content is not against our Acceptable Use Policy (https://aws.amazon.com/aup/) so we notified our customer(s), but we will not take action.

I replied and provided them with an explanation of what bogons were, and reminded them that the AWS AUP clearly states:

You may not use the Services to violate the security or integrity of any network, computer or communications system, software application, or network or computing device (each, a “System”). Prohibited activities include:
Falsification of Origin. Forging TCP-IP packet headers, e-mail headers, or any part of a message describing its origin or route. The legitimate use of aliases and anonymous remailers is not prohibited by this provision.

Two days later I received the following update from the AWS Abuse team:

Our customer has taken action to resolve the matter.

Please let us know if you receive any further reports and we will investigate further.

Unfortunately the spam campaign continues, so I will be following up with Amazon EC2 abuse again.
