Happily, in this case the spammer seems to have been consistent in the naming convention used to identify the sending domains and subdomains.

Back in October 2016 (when these spam messages were sent) the FQDN “minitanth.info-88[dot]top” resolved to a specific IP address: 184.108.40.206.

The so-called “fully qualified domain names” or FQDNs in the list above can be found just to the right of the open parentheses in each line. When this information is present in the headers (and not simply listed as “unknown”) it is the fully-verified, real name of the machine that sent the message (at least as far as the domain name system is concerned).

In 2010, Deniro Marketing found itself the subject of a class-action lawsuit that alleged the company employed spammers to promote an online dating service that was overrun with automated, fake profiles of young women.
“Like a snowshoe spreads the load of a traveler across a wide area of snow, snowshoe spamming is a technique used by spammers to spread spam output across many IPs and domains, in order to dilute reputation metrics and evade filters,” writes anti-spam group Spamhaus in its useful spam glossary.
So, armed with all of that information, it took just one or two short steps to locate the IP addresses of the corresponding botnet reporting panels.
Quite simply, one does DNS lookups to find the names of the name servers that were providing DNS service for each of this spammer’s second-level domains.
Using passive DNS tools from Farsight Security — which keeps a historic record of which domain names map to which IP addresses — I was able to find that the spammer who set up the domain info-88[dot]top had associated the domain with hundreds of third-level subdomains (e.g. minithanth.info-88[dot]top, achoretsq.info-88[dot]top, etc.). It was also clear that this spammer controlled a great many top-level domain names, and that he had countless third-level subdomains assigned to every domain name.
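The header pivot described above (reading the verified reverse-DNS name after the open parenthesis in each Received header, discarding “unknown”, and grouping the names by second-level domain to see how many subdomains and IPs a single registration is spread across) as an added, stand-alone example; this is not code from the article, the sample Received lines are constructed for illustration, and the two-label registered-domain rule is a simplifying assumption rather than a public-suffix lookup.

```python
import re
from collections import defaultdict

# Constructed sample Received headers (not taken from the article). The name in
# parentheses is the reverse-DNS name the receiving mail server recorded for the
# connecting IP; the name right after "from" is only what the sender claimed in HELO.
SAMPLE_RECEIVED = [
    "Received: from minitanth.info-88.top (minitanth.info-88.top [184.108.40.206])",
    "Received: from achoretsq.info-88.top (achoretsq.info-88.top [198.51.100.21])",
    "Received: from mail.example.net (unknown [203.0.113.9])",
    "Received: from zzqwe.info-88.top (zzqwe.info-88.top [184.108.40.206])",
    # Forged HELO: the claimed name and the verified name disagree.
    "Received: from mx.bank.example (spam7.info-88.top [198.51.100.22])",
    "Received: from bbr.info-99.example (bbr.info-99.example [198.51.100.4])",
]

# "from <helo> (<verified-fqdn> [<ip>])"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]+)\s+\[([0-9.]+)\]\)")


def parse_received(line):
    """Return (helo_name, verified_fqdn_or_None, ip); None if the line does not match."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    helo, fqdn, ip = m.groups()
    # "unknown" means the receiving server had no reverse-DNS name to verify.
    return helo, (None if fqdn.lower() == "unknown" else fqdn.lower()), ip


def registered_domain(fqdn):
    """Second-level domain, e.g. 'minitanth.info-88.top' -> 'info-88.top'.
    Assumption: a one-label suffix such as .top; public-suffix handling is out of scope."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:])


def snowshoe_profile(headers):
    """Map each second-level domain to (distinct verified subdomains, distinct sending IPs).
    A domain with many subdomains spread over many IPs is the snowshoe pattern."""
    profile = defaultdict(lambda: {"subdomains": set(), "ips": set()})
    for line in headers:
        parsed = parse_received(line)
        if parsed is None or parsed[1] is None:
            continue  # no verified name, so nothing to pivot on
        _, fqdn, ip = parsed
        entry = profile[registered_domain(fqdn)]
        entry["subdomains"].add(fqdn)
        entry["ips"].add(ip)
    return {d: (len(v["subdomains"]), len(v["ips"])) for d, v in profile.items()}
```

The resulting second-level domains are the inputs for the name-server lookups described in the next step; the HELO name is kept only so a mismatch with the verified name can be flagged.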
For several months I’ve been poking at a decent-sized spam botnet that appears to be used mainly for promoting adult dating sites.