The Register of Known Spam Operations
Chen Yu (AKA Sprincy)


Country: China
State: Jiangsu
Changshu-based Chen Yu (陈宇) mostly sends digital image retouching and refinishing ("Photo Retouching Services", "Video Editing", etc.) spam, but "Application Development" and textile product spam have also been observed, and some mailings directly advertise spamming services.

Before July 2014 (and since at least spring 2010) he operated without Internet assets of his own other than drop-box e-mail addresses, relying on throwaway webmail accounts, open proxies and open relays as sending sources. He hijacked several thousand servers all over the world to deliver his spam, becoming one of the most serious problems on the Internet and inflicting massive costs on thousands of companies across the world.

After July 2014 he switched to a standard snowshoe distribution method and started to purchase low-cost VPSes from ISPs across the world.


Typical spam sample and modus operandi (before July 2014)

A typical 'Sprincy' spam sample (before July 2014) is shown below. The following points can be noted:

* The body is base64-encoded. Looking for patterns in the raw encoded message will not produce useful results; the body must be decoded first. In the example below the message has been decoded to show its content.

* No website appears in the spam. The only way to contact the sender is through the email addresses given in the spam: one in the Reply-To field and one in the message body (or two, if you also count the "remove" address). These addresses are almost invariably in a Netease domain; a partial list can be found in ROK10059. The addresses are relatively stable, and blocking mail that carries one of them in the headers or in the body is an effective and recommended measure.

* The address appearing in the From field, and also in the envelope from, is forged: it does not exist. In the example below it is <>. and were used rather frequently until September 2013; the spammer then started forging addresses in other freemail domains. Every hijacked server sending the spam uses a different sender address. All messages sent by a given server share the same sender address for several hours, then the address changes to something else, and so on. This means the spammer generates a large number of these forged senders, so it is not worth spending time adding them to access lists.

* The spams are sent using an open proxy-open relay chain:
(spammer) ------> (open proxy) ------> (open relay) ------> (spam victims)

* The true connection IP of the spammer is not visible in the headers. The IPs that appear to inject the spam, such as in the example below, are open proxy servers (either HTTP or SOCKS proxies); the proxy hides the spammer's IP. The spammer uses a relatively stable set of 10-20 open proxies, in most cases located in China (many Chinese open proxies survive for months in spite of constant abuse). It is likely that the spammer's real connection is located within the Chinanet Jiangsu province network. The open proxies are normally in the SBL, but they can only be detected by a content analyzer examining the Received lines in the headers after the message has been accepted by the mail server, since the proxy never connects to the victim's server directly.

* The spam is injected into open relay mail servers, such as in the example below. The Internet still abounds with open relays. At any given time the spammer uses a set of the order of 100 open relays. This set changes rapidly as relays are closed by system administrators and new ones are abused, so the spammer or a partner must constantly be scanning the Internet for open relays to hijack. Spamhaus makes its best effort to detect and list open relays on the SBL until they stop emitting spam. Over time, we have identified several thousand open relays abused by 'Sprincy', making 'Sprincy' one of the most important criminal server hijackers in operation on the Internet.

* The company names in the signature, such as 'Rondruanin Imaging Professionals' in the example below, are fake: these companies do not exist. A partial list of fake company names observed in their spam can be found in ROK10066.


Received: from (HELO lbex.lange.local) (
by x (x) with ESMTP; Mon, 21 Jan 2013 22:xx:xx +0000
Received: from lbex.lange.local ([]) by lbex.lange.local with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 21 Jan 2013 16:xx:xx -0600
Received: from host2 ([])
by lbex.lange.local (SonicWALL
with ESMTP (AIO); Mon, 21 Jan 2013 16:xx:xx -0600
Date: Tue, 22 Jan 2013 06:xx:xx +0800
From: "Rick" <>
To: "x" <x>
Reply-To: <>
Subject: =?GB2312?B?RGlnaXRhbCBQaG90byBFZGl0aW5nIFNlcg==?=
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Type: text/plain;
Content-Transfer-Encoding: base64
Content-Disposition: inline
X-Mlf-Country-Code: --
X-Mlf-Threat: nothreat
X-Mlf-Threat-Detailed: nothreat;none;none;cloud-
X-Mlf-UniqueId: x
Message-ID: <x@lbex.lange.local>
X-OriginalArrivalTime: 21 Jan 2013 22:xx:xx.xxxx (UTC) FILETIME=[x:x]


We are one of the best digital images retouching/editing company located in China. We provide all kinds of image editing solutions to different companies all over the world.

We provide best quality service in best price.

Our image editing services are: -

. Cut out/masking, clipping path, deep etching, transparent background
. Dust cleaning, spot cleaning
. Colour correction, black and white, light and shadows etc.
. Beauty retouching, skin retouching, face retouching, body retouching
. Fashion/Beauty Image Retouching
. Product image Retouching
. Jewellery image Retouching
. Real estate image Retouching
. Portrait image Retouching
. Restoration and repair old images
. Wedding & Event Album Design.
. Vector Conversion

You can try us by sending a sample image for free test to judge our quality work.

We are waiting for your reply.

Thanks & Regards,
Rondruanin Imaging Professionals


This e-mail (and any attachments) is confidential and may contain
personal views which are not the views of us. unless specifically stated. If you have received
it in error, please delete it from your system, do not use, copy or
disclose the information in any way nor act in reliance on it and
notify the sender immediately.

If you do not wish to receive our newsletter, pls send address to for remove.
Before printing think about the Environment.
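As an added example (not part of the Spamhaus record and not Spamhaus code), the following Python script applies the points listed above to a message of the shape shown in the sample: it decodes the RFC 2047 Subject and the base64 body, collects the Reply-To and in-body contact addresses and matches them against a Netease domain list, deliberately ignores the forged From address, and walks the Received: chain oldest-first to recover the IP that hit the open relay (the open proxy) and the IP that hit the receiving MX (the open relay). The Netease domains used here (163.com, 126.com), the sample message's addresses, hostnames, IPs and body text are all constructed assumptions; the record's own address list is in ROK10059, which this page does not reproduce.

```python
"""Triage of a 'Sprincy'-style spam: decode, extract contacts, walk the Received chain.

Added example for this ROKSO record, not Spamhaus code. Every address, hostname
and IP in SAMPLE is constructed (RFC 5737 documentation ranges, RFC 2606 domains).
"""
import base64
import email
import re
from email import policy

# Assumption: Netease webmail domains to block on; the record's own list is in ROK10059.
NETEASE_DOMAINS = {"163.com", "126.com"}

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def decoded_body(msg):
    """Body text with the Content-Transfer-Encoding (base64 here) undone."""
    raw = msg.get_payload(decode=True) or b""
    charset = msg.get_content_charset() or "gb2312"  # the sample declares no charset
    return raw.decode(charset, errors="replace")


def contact_addresses(msg, body):
    """Addresses the reader is asked to write to: Reply-To plus any in the decoded body.
    The From address is deliberately ignored: it is forged and rotates every few hours."""
    found = set(ADDR_RE.findall(str(msg.get("Reply-To", ""))))
    found.update(ADDR_RE.findall(body))
    return found


def received_hops(msg):
    """Oldest-first list of (sending_ip, receiving_host) from the Received: chain."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):   # headers are newest-first
        text = " ".join(str(hdr).split())                # unfold the header
        from_part, _, by_part = text.partition(" by ")
        ips = IPV4_RE.findall(from_part)
        hops.append((ips[0] if ips else None, by_part.split()[0] if by_part else None))
    return hops


def analyze(raw_message):
    """Return the signals a post-acceptance content filter would act on."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = decoded_body(msg)
    contacts = contact_addresses(msg, body)
    netease = {a for a in contacts if a.rsplit("@", 1)[1].lower() in NETEASE_DOMAINS}
    hops = received_hops(msg)
    return {
        "subject": str(msg["Subject"]),   # policy.default decodes the RFC 2047 encoded word
        "contacts": contacts,
        "netease_contacts": netease,
        "injecting_ip": hops[0][0] if hops else None,  # first hop: open proxy -> open relay
        "relay_ip": hops[-1][0] if hops else None,     # last hop: open relay -> our MX
        "block": bool(netease),           # the stable signal; forged From and IPs are not
    }


# Constructed sample modelled on the record's: same header shape, made-up values.
BODY_TEXT = """We are one of the best digital images retouching/editing company located in China.
You can try us by sending a sample image to rondruanin.img@163.com for a free test.

Rondruanin Imaging Professionals
If you do not wish to receive our newsletter, pls send address to sprincy.remove@126.com for remove.
"""
ENCODED_BODY = base64.encodebytes(BODY_TEXT.encode("gb2312")).decode()
SAMPLE = f"""Received: from (HELO lbex.example) ([192.0.2.10])
  by mx.example.org (Postfix) with ESMTP; Mon, 21 Jan 2013 22:10:11 +0000
Received: from host2 ([198.51.100.7])
  by lbex.example (SonicWALL) with ESMTP (AIO); Mon, 21 Jan 2013 16:10:09 -0600
Date: Tue, 22 Jan 2013 06:10:05 +0800
From: "Rick" <rick@example.net>
To: "x" <victim@example.org>
Reply-To: <rick.retouch@163.com>
Subject: =?GB2312?B?RGlnaXRhbCBQaG90byBFZGl0aW5nIFNlcg==?=
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64

{ENCODED_BODY}"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Run stand-alone, the script prints the extracted signals for the constructed sample. The two recovered IPs are what a content analyzer would look up against the SBL after the message has been accepted; the block decision itself rests only on the contact addresses, since the record notes that the forged sender changes too often to be worth listing.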


The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.
The address of this ROKSO record is:

The above consists of information in the public domain. The Spamhaus Project makes every effort to avoid errors in information in the ROKSO database, and will correct any errors as soon as it is able to verify the correction, but accepts no responsibility or liability for any errors or omissions, or liability for any loss or damage, consequential or otherwise, incurred in reliance on the material in these pages. The Spamhaus Project makes no warranties or representations as to the accuracy of the Information in ROKSO records. The information in the ROKSO database is for information purposes only and is not intended as legal advice of any kind.

For information on contacting the ROKSO Team regarding any factual errors in this record, see the ROKSO FAQs.
© 1998-2016 The Spamhaus Project Ltd. All rights reserved.