A typical 'Sprincy' spam sample (before July 2014) is shown below. The following points can be noted:
* the body is base64-encoded. Looking for patterns in the bare encoded message will not produce useful results. In the example below the message has been decoded to show its content.
* No website appears in the spam. The only way to contact the sender is through the email addresses indicated in the spam. There is one in the Reply-To field and one in the message body (or two, if you also count the "remove" address). These addresses are almost invariably in a Netease domain (126.com, 163.com or yeah.net): a partial list can be found in ROK10059. These addresses are relatively stable, and blocking mails that have one of these addresses in the headers or in the body is an effective and recommended measure.
* The address appearing in the From field, and also in the envelope from, is forged: it does not exist. In the example below it is <firstname.lastname@example.org>. msn.com and yahoo.de were used rather frequently until september 2013, then the spammer started forging addresses in other freemail domains. Every hijacked server sending the spam uses a different sender address. All messages sent by a given server share the same sender address for several hours, then the address changes to something else, and so on. This means that the spammer generates a large number of these forged senders, and so it is not worth to spend time inserting them in access lists.
* The spams are sent using an open proxy-open relay chain:
(spammer) ------> (open proxy) ------> (open relay) ------> (spam victims)
* The true connection IP of the spammer is not visible in the headers. IPs appearing to inject the spam such as 220.127.116.11 in the example below are open proxy servers (either HTTP or SOCKS proxies). The proxy hides the spammer's IP. The spammer uses a relatively stable set of 10-20 open proxies, in most cases located in China (many chinese open proxies survive in spite of constant abuse for many months). It is likely that the spammer real connection is located within the Chinanet Jiangsu province network. The open proxies are normally in the SBL, but they can only be detected by a contents analyzer examining the Received lines in the headers after the message has been accepted by the mail server.
* The spam is injected into open relay mail servers, such as 18.104.22.168 in the example below. The Internet still abunds of open relays. At any given time, the spammer uses a set of the order of 100 open relays. This set is rapidly changing as relays are closed by system administrators and new ones are abused. The spammer or a partner should constantly be scanning the Internet looking for open relays to hijack. Spamhaus makes its best effort to detect and list open relays on the SBL until they stop to emit spam. Over time, we have identified several thousands open relays abused by 'Sprincy', making 'Sprincy' one of the most important criminal server hijackers in operation on the Internet.
* The company names in the signature, such as 'Rondruanin Imaging Professionals' in the example below, are fake: these companies do not exist. A partial list of fake company names observed in their spam can be found in ROK10066.
Received: from h184-60-84-203.nwblwi.dedicated.static.tds.net (HELO lbex.lange.local) (22.214.171.124)
by x (x) with ESMTP; Mon, 21 Jan 2013 22:xx:xx +0000
Received: from lbex.lange.local ([10.0.0.6]) by lbex.lange.local with Microsoft SMTPSVC(6.0.3790.4675);
Mon, 21 Jan 2013 16:xx:xx -0600
Received: from host2 ([126.96.36.199])
by lbex.lange.local (SonicWALL 188.8.131.5269)
with ESMTP (AIO); Mon, 21 Jan 2013 16:xx:xx -0600
Date: Tue, 22 Jan 2013 06:xx:xx +0800
From: "Rick" <email@example.com>
To: "x" <x>
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-OriginalArrivalTime: 21 Jan 2013 22:xx:xx.xxxx (UTC) FILETIME=[x:x]
We are one of the best digital images retouching/editing company located in China. We provide all kinds of image editing solutions to different companies all over the world.
We provide best quality service in best price.
Our image editing services are: -
. Cut out/masking, clipping path, deep etching, transparent background
. Dust cleaning, spot cleaning
. Colour correction, black and white, light and shadows etc.
. Beauty retouching, skin retouching, face retouching, body retouching
. Fashion/Beauty Image Retouching
. Product image Retouching
. Jewellery image Retouching
. Real estate image Retouching
. Portrait image Retouching
. Restoration and repair old images
. Wedding & Event Album Design.
. Vector Conversion
You can try us by sending a sample image for free test to judge our quality work.
We are waiting for your reply.
Thanks & Regards,
Rondruanin Imaging Professionals
This e-mail (and any attachments) is confidential and may contain
personal views which are not the views of us. unless specifically stated. If you have received
it in error, please delete it from your system, do not use, copy or
disclose the information in any way nor act in reliance on it and
notify the sender immediately.
If you do not wish to receive our newsletter, pls send address to firstname.lastname@example.org for remove.
Before printing think about the Environment.
The Register of Known Spam Operations (ROKSO) collates information and evidence on entities with a history of spamming or providing spam services, and entities affiliated or otherwise connected with them, for the purpose of assisting ISP Abuse Desks and Law Enforcement Agencies.