[Dshield] RE: What is spylog?

James C. Slora, Jr. Jim.Slora at phra.com
Fri Jul 19 18:27:44 GMT 2002


Ellen Clary wrote Tue, 16 Jul 2002 12:12:47 -0700:

>We just got this spam email from Spain (forged, but not relayed - see
below),<!-snip>

The mail actually could have been sent through an open proxy rather than
forged. Open proxies can send mail that appears to have originated at the
host that connected to you. We get spammers probing us for open proxies all
the time. All the information in your spam (other than the sending host) are
a match for a known worldwide spam company, Markazi Holdings, in Russia.

With an open proxy, the spammer uses a TCP port 80, 81, 8080, or 3128
connection to the open proxy server to send a mail message directly through
your mail host - no relaying is required, and the sender's IP is completely
hidden. Only the proxy's logs might show the true source IP of the spam.

> The front page references software called spylog (.com or .ru).  Anyone
know
> what it is?  A quick google showed lots and lots of Russian references.

My Russian is a bit rusty, but I looked at Spylog's home page. Spylog
appears to be a hit counter and analyzer service a la WebTrends.

My interpretation based on my memory from when I looked at www.nospam.ru
earlier this week is that a visit to this page is supposed to remove you
from the spammer's list. It looks like they are using Spylog to track the
users who visit the removal page (presumably so they can add you to another
spam list).

Interestingly, www.nospam.ru does not appear to exist anymore. It was there
a couple of days ago when I first glanced at the page. Also interesting is
that the "from" address demetrius at bk.ru in your spam actually matches the
listed admin address of www.nospam.ru. RIPE does not even list it, RIPN
gives very weak info about that host, and I can't even get an IP address for
it today.

You might consider blocking bk.ru entirely, even though the message was not
actually sent from bk.ru's mail server. I've been it for about a year, and
all I've lost has been spam. You might also consider blocking web visits to
www.nopam.ru so your users don't inadvertantly trigger more spam.

bk.ru resolves to 194.67.23.232
www.bk.ru resolves to 194.67.23.232
Mail for bk.ru is handled by mxs.mail.ru (10) 194.67.57.100

whois -h magic bk.ru
whois -h whois.ripn.net bk.ru

domain:  BK.RU
type:    CORPORATE
descr:   Corporative domain for  Markazi Holdings LTD
admin-o: MARKAZI-ORG-RIPN

Markazi is a spam company who also runs inbox.ru and other spam domains.
There is a fairly good chance that your mail was really from bk.ru, and that
they were using an open proxy in Spain to send the mail.




More information about the list mailing list