Symantec’s Eric Park has conducted an interesting “experiment” based on the analysis of a major spam campaign.
Spammers most often use a technique dubbed “snowshoe” in their campaigns. These types of spam runs rely on a large number of IP addresses in an effort to bypass filters. Basically, the spammers utilize a set of IP addresses only for a short period, after which they move on to new IPs and new domains.
However, Park has spotted one campaign – dubbed “From-Name snowshoe” because all emails contain real names as usernames in the “from” line – in which the emails originated from a set of IP addresses owned by the same entity.
Even more interestingly, the spam emails were sent only on weekdays between 6AM and 7PM, suggesting that the spamming operation could be part of a business.
The IP addresses in question belong to a company called Network Operations Center that’s based in Scranton, Pennsylvania. Network Operations Center is well known for its spam runs.
In addition to the IP addresses of Network Operations Center, last month, the same spam campaign started using IPs owned by another company, Nth Air, Inc., which is apparently based in San Jose, California.
Park decided to visit their offices. He found that another company had been using the suite listed in Nth Air’s address. It seems Nth Air no longer exists.
Another organization whose IP addresses have been used for spam is LiteUp, Inc. Park decided to visit their offices as well. However, the address listed for the company is actually a motorcycle store.
“So that makes two instances of spammers using IP addresses owned by companies that do not exist, at least according to ARIN records,” the expert wrote in his report.
It’s worth noting that more than 59 million spam messages have been sent out as part of this campaign since mid-October 2013.
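The two traits that set this campaign apart, a business-hours sending schedule and source IPs concentrated under one registrant, can be measured from mail logs. The following is an added example, not code from Symantec's report: the log records, the allocation table (RFC 5737 documentation ranges with placeholder owner names) and the assumption that timestamps are in the sender's local time are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed stand-in for registry (e.g. ARIN) lookups: network -> registrant.
ALLOCATIONS = {
    ip_network("192.0.2.0/24"): "ExampleOwner-A",
    ip_network("198.51.100.0/24"): "ExampleOwner-A",
    ip_network("203.0.113.0/24"): "ExampleOwner-B",
}

# Constructed log sample: (send time, source IP). Times assumed local.
SAMPLE = [
    ("2013-10-21 06:15", "192.0.2.10"),     # Monday
    ("2013-10-21 11:40", "192.0.2.77"),
    ("2013-10-22 09:05", "198.51.100.3"),   # Tuesday
    ("2013-10-23 18:59", "198.51.100.9"),   # Wednesday, just before 7PM
    ("2013-10-24 14:30", "192.0.2.201"),    # Thursday
    ("2013-10-25 07:45", "198.51.100.44"),  # Friday
    ("2013-10-26 10:00", "203.0.113.5"),    # Saturday
    ("2013-10-28 19:30", "192.0.2.10"),     # Monday, after 7PM
]

def owner_of(ip):
    """Return the registrant whose allocation contains ip, or 'unknown'."""
    addr = ip_address(ip)
    return next((o for net, o in ALLOCATIONS.items() if addr in net), "unknown")

def in_business_window(ts, start_hour=6, end_hour=19):
    """True for Monday-Friday sends with start_hour <= hour < end_hour."""
    return ts.weekday() < 5 and start_hour <= ts.hour < end_hour

def profile(records):
    """Summarise schedule and registrant concentration for one campaign."""
    if not records:
        raise ValueError("no records to profile")
    times = [datetime.strptime(t, "%Y-%m-%d %H:%M") for t, _ in records]
    ips = [ip for _, ip in records]
    top_owner, top_count = Counter(map(owner_of, ips)).most_common(1)[0]
    total = len(records)
    return {
        "messages": total,
        "distinct_ips": len(set(ips)),
        "business_hours_share": sum(map(in_business_window, times)) / total,
        "top_owner": top_owner,
        "top_owner_share": top_count / total,
    }

if __name__ == "__main__":
    print(profile(SAMPLE))
```

Many distinct IPs combined with a high `top_owner_share` and a high `business_hours_share` matches the pattern described above; a conventional snowshoe run would spread across unrelated registrants and show no weekday schedule.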