Bill Jones's Spam

While reading my email on February 27th, 2002, I found something quite shocking in my inbox - a spam from a major political candidate, Bill Jones, asking me to help him in securing the Republican nomination for Governor of the state of California. I don't even live there, I'm from Missouri!
The original text of the spam, including headers is available here: spam.txt
The HTML portion of the spam is here: spam.html

Naturally I was furious about this. The first thing I did was go to his webpage and complain. After getting that out of my system, I decided to "unsubscribe" a bogus polpo.org address to see if they'll resell that address to other spammers.

Finally, I started to get to the bottom of the mail. What I suspected was true - this email wasn't sent legitimately from Mr. Jones's campaign office; instead he hired a "professional" spammer who then proceeded to exploit free hosting and open mail servers overseas.

Getting to the bottom of this

First of all, as you can see from the headers, it was sent to ianremovethis@polpo.org, which is a somewhat obfuscated version of my email address. At one time I had planned to block this email or send it to a spam trap, but I forgot. So, it made it to my main inbox, as *@polpo.org automatically gets sent to me.

Header Forging

The Received headers are a simple forging job, as you can see below:
Received: (qmail 14382 invoked from network); 27 Feb 2002 19:41:35 -0000
Received: from unknown (HELO msn.com) (211.114.54.49)
  by 0 with SMTP; 27 Feb 2002 19:41:35 -0000
Received: from [133.249.30.156] by m10.grp.snv.yahoo.com with esmtp; Wed, 27 Feb 2002 09:29:34 +1100
Received: from unknown (HELO smtp-server6.tampabay.rr.com) (137.11.48.221)
	by rly-xw01.mx.aol.com with esmtp; Wed, 27 Feb 2002 20:29:22 -0000
Received: from 178.5.74.54 ([178.5.74.54]) by smtp013.mail.yahoo.com with smtp; Wed, 27 Feb 2002 22:29:11 -0200
Received: from unknown (173.190.40.160)
	by mailout2-eri1.midsouth.rr.com with asmtp; Wed, 27 Feb 2002 09:28:59 +1100
Received: from [18.233.198.194] by smtp013.mail.yahoo.com with smtp; 27 Feb 2002 21:28:48 -0100
Every single line is fake except for the top two, which were generated by my own mail server. The fact that the servers don't "line up" with one another should give away the fact that they're forged, along with the bracketed IPs. It's starting to look like Bill Jones hired a "professional" spammer to do his dirty work for him.
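
The "lining up" test can be automated. The following is an added example (my own code, not anything from the page or the spammer) that parses the Received chain quoted above and flags hops whose claimed sender does not match the "by" host of the hop beneath it, or whose timestamp is later than the hop that supposedly relayed it; the header copy is constructed from the lines above and the function names are mine.

```javascript
// Added example (not from the page): a checker for the Received: chain. In a
// genuine chain the "by" host of one hop reappears after "from" in the hop above
// it, and timestamps never run backwards; forged hops break both. Names are mine.
const RECEIVED_HEADERS = [ // constructed copy of the headers quoted on the page
  "Received: (qmail 14382 invoked from network); 27 Feb 2002 19:41:35 -0000",
  "Received: from unknown (HELO msn.com) (211.114.54.49)",
  "  by 0 with SMTP; 27 Feb 2002 19:41:35 -0000",
  "Received: from [133.249.30.156] by m10.grp.snv.yahoo.com with esmtp; Wed, 27 Feb 2002 09:29:34 +1100",
  "Received: from unknown (HELO smtp-server6.tampabay.rr.com) (137.11.48.221)",
  "\tby rly-xw01.mx.aol.com with esmtp; Wed, 27 Feb 2002 20:29:22 -0000",
  "Received: from 178.5.74.54 ([178.5.74.54]) by smtp013.mail.yahoo.com with smtp; Wed, 27 Feb 2002 22:29:11 -0200",
  "Received: from unknown (173.190.40.160)",
  "\tby mailout2-eri1.midsouth.rr.com with asmtp; Wed, 27 Feb 2002 09:28:59 +1100",
  "Received: from [18.233.198.194] by smtp013.mail.yahoo.com with smtp; 27 Feb 2002 21:28:48 -0100",
].join("\n");
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };
// Parse the date after the last ';' (RFC 2822 style) into a UTC epoch in ms.
function parseDate(text) {
  const m = /(\d{1,2}) ([A-Z][a-z]{2}) (\d{4}) (\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})/.exec(text);
  if (!m) return NaN;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]);
  const offsetMs = (+m[8] * 60 + +m[9]) * 60000 * (m[7] === "+" ? 1 : -1);
  return local - offsetMs; // wall-clock time minus its zone offset is UTC
}
// Unfold continuation lines, then split each hop into from-clause, by-host and time.
function parseReceived(raw) {
  return raw.replace(/\n[ \t]+/g, " ").split("\n").map((line) => {
    const body = line.replace(/^Received:\s*/, "");
    const from = /from (.*?) by /.exec(body);
    const by = / by (\S+)/.exec(body);
    return { from: from ? from[1] : null, by: by ? by[1] : null,
             time: parseDate(body.slice(body.lastIndexOf(";") + 1)) };
  });
}
// Walk top-down: hop i should have been received from the host that did hop i+1's "by".
// Returns the (0-based) indices of hops whose claimed sender or timestamp does not fit.
function auditChain(raw) {
  const hops = parseReceived(raw);
  const hostBreaks = [], timeBreaks = [];
  for (let i = 0; i + 1 < hops.length; i++) {
    const upper = hops[i], lower = hops[i + 1];
    if (upper.from !== null && lower.by !== null && !upper.from.includes(lower.by)) hostBreaks.push(i + 1);
    if (upper.time < lower.time) timeBreaks.push(i + 1);
  }
  return { hops: hops.length, hostBreaks, timeBreaks };
}
```

On these headers it reports hops 2 through 6 (counting from 0 at the top) as not matching the hop above them, and hops 3, 4 and 6 as timestamped after the server that supposedly received from them; the first break sits exactly where the genuine top two lines end.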

Let's take a look at the machine it originally came from, 211.114.54.49. Using whois, I found this information:
inetnum:     211.114.54.48 - 211.114.54.55
netname:     SHINHEUNG-GM-KR
descr:       SHINHEUNG GIRLS MIDDLE SCHOOL
descr:       7-210 3KA SINHEUNGDONG JUNGKU
descr:       INCHON
descr:       400-711
country:     KR
I seriously doubt Bill Jones goes to Shinheung Girls Middle School. What's interesting is that this host isn't listening on port 25 (SMTP), so it probably didn't act as a relay. However, it does have an entry in the MAPS RSS list with a documented spam originating from it on February 5th, 2002.

Image Host

Examining the HTML shows that the images and "unsubscribe" page are being hosted at http://195.235.97.200/personal8/inacct48/. Once again, whois comes to the rescue, and I learn this about 195.235.97.200:
inetnum:      195.235.96.0 - 195.235.97.255
netname:      TERRA-NETWORKS
descr:        TSCR (Telefonica Servicios y Contenidos por la Red)
descr:        Internet Service Provider (NCC#1999052031)
descr:        TERRA NETWORKS
country:      ES
Terra.es is a portal site based in Spain that also gives out free webspace. So, it looks like Bill Jones's spammer is exploiting free hosting for those bandwidth-hungry images of Bill Jones and his family.

The "unsubscribe" page

Let's take a look at that so-called unsubscribe page (full source mirrored here).

It uses a fairly novel encoding scheme, using JavaScript to 'encrypt' the source and turning normal HTML into gibberish like this:
<tl<ed<citd  ouetlyr;a=dcmn.l;e=dcmn.eEeetydw  idwsdbrvrmg`;idwoe=uldcmn.rt=u
lwno.lr=uli(a{ucincE)(s)rtr as;;ucinc({ouetocneteu=cEstieu(c("20}c(;ouetwie""
"eaht-qi=iaeola`cnet`o>);ucincSe i(l|s i ewih=|ewih=){mg;eunfle};f(l{ouetcpue
vnsEetMUEON;ouetomueoncSes{ouetomuepcS;ouetocneteunwFnto(rtr as";ucinn({idwsa
u   ;eTmot"s),0;;s)
etc. The decrypting portion is obfuscated with % codes (such as %20 for space, etc.), like this:
%6B%3D%75%6E%65%73%63%61%70%65%28%22%25%30%44%25%30%41%22%29%3B%69%30%3D%20%6D
%68%64%28%73%65%29%3B%64%6F%63%75%6D%65%6E%74%2E%77
etc. It looks like the spammer really wants to cover his tracks.

The decoding JavaScript is pretty easy to uncover:
k=unescape("%0D%0A"); i0=mhd(se); document.write(i0); // k is CRLF; se holds the scrambled page
function mhd(s) {
  var un=""; l=s.length; oh=Math.round(l/2);
  for(i=0;i<=oh;i++){ a=s.charAt(i); b=s.charAt(i+oh); c=a+b; un=un+c; }; // re-interleave the two halves
  K=un.substr(0,l); K=K.replace(/`/g,"'"); K=K.replace(/@@/g,"\\");
  f=/qg/g; K=K.replace(f,k); return K;
};
Which, honestly, isn't much more readable than the original. A friend of mine volunteered to get the rest of it decrypted, and he performed admirably, by replacing the document.write function. The fruits of his labor can be found here: remove.html.
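
For anyone who wants to recover such a page without executing the spammer's script, here is the same decoder re-implemented as an added example (my own code, not the spam's script or my friend's work). The %-unescape step, the inverse encoder used to build a test vector, and the sample inputs are all constructed by me; the function names are mine.

```javascript
// Added example (not the spam's own script): a stand-alone reimplementation of
// the mhd() decoder shown above, plus the %-unescape step, so an analyst can
// recover the page offline without executing it. Names are mine.
function unescapePercent(s) {   // what unescape() does for %XX sequences
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
// The body is stored as all even-indexed characters followed by all odd-indexed
// ones; re-interleave, then undo ` -> ', @@ -> \, qg -> CRLF (in that order).
function mhd(s) {
  const l = s.length;
  const oh = Math.round(l / 2);          // length of the even half (ceil for odd l)
  let un = "";
  for (let i = 0; i <= oh; i++) {        // charAt() past the end yields "", so
    un += s.charAt(i) + s.charAt(i + oh); // the extra iteration is harmless
  }
  return un.slice(0, l).replace(/`/g, "'").replace(/@@/g, "\\").replace(/qg/g, "\r\n");
}
// Inverse of mhd(), written here only to build test vectors (the spam carried
// no encoder). The scheme is lossy: a literal "qg" or "@@" in the page would be
// corrupted on decode, which is a useful tell when the output looks off.
function mhdEncode(html) {
  const t = html.replace(/\r\n/g, "qg").replace(/\\/g, "@@").replace(/'/g, "`");
  let even = "", odd = "";
  for (let i = 0; i < t.length; i++) {
    if (i % 2 === 0) even += t[i]; else odd += t[i];
  }
  return even + odd;
}
// Constructed inputs: a tiny form and the first bytes of the page's %-escaped
// script (which decode to the start of the mhd() snippet quoted above).
const SAMPLE_HTML = "<form action='http://example.invalid/remove'>\r\n<input name=\"e\">\r\n</form>";
const SAMPLE_SCRIPT = "%6B%3D%75%6E%65%73%63%61%70%65%28%22%25%30%44%25%30%41%22%29%3B";
function demo() {
  return { decoded: mhd(mhdEncode(SAMPLE_HTML)), scriptHead: unescapePercent(SAMPLE_SCRIPT) };
}
```

To decode the real page, paste the scrambled string from the spam's HTML into mhd() in place of the constructed sample and write the result to a file rather than to the browser.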

Looking at this code, we find where this form is actually submitted to: http://www.uwho55.com/cgi-bin/jg/billjones/remove.php. Uwho55.com seems pretty innocent: a site for seniors. It doesn't seem finished, though.

Here's who uwho55.com belongs to, thanks again to whois.
Registrant:
 ICS-Hubwest
 3704 Mary Ellen NE
 Albuquerque, NM 87111
 US

 Domain Name: UWHO55.COM
 
 Administrative Contact:
    Pehrson, Adam  AdamP@hubwest.com
    3704 Mary Ellen NE
    Albuquerque, NM 87111
    US
    505-323-2944

Conclusion

Well, so far, that's all I have. If you have any comments or suggestions, feel free to email me at ian@polpo.org.

Updates

February 27, 2002 - 6:45PM: Holy cow!! I got ANOTHER spam! It's almost identical to the original, the only difference being the headers. Check it out here: spam2.txt
This one has a different originating IP, 211.34.27.98. Its info from whois:
inetnum:     211.34.27.96 - 211.34.27.191
netname:     MOOANHAEJE-HS-KR
descr:       MooanHaejeHighSchool
descr:       99 Sinjung-Ri Haeje-Myun Mooan-Kun
descr:       CHONNAM
descr:       534-870
country:     KR
Another Korean school. How odd.

March 3, 2002 - 11:00PM: I posted this page in a Slashdot article about Bill Jones's spamming. After not checking my mailbox all weekend I've found a good number of emails. I'll make sure to write everyone back. A couple of people said that these hosts in Korea aren't in fact normal SMTP gateways, but are proxy servers. I'll post more info later.