This report is the extraction of URLs and relays from Spam messages.
The Spam-URL report, which has been going out as part of Shadowserver's free daily victim remediation feeds since 2010, has been enhanced with a new feed from the SISSDEN spampot deployment.
Description
SISSDEN has spampot deployments in many places around the world. These listen as open mail relays for potential spammers to abuse. We capture the spam e-mails sent through them and extract certain information from each message: the last-hop IP (which cannot be spoofed), the sending address (which can be anything and is frequently spoofed), any URLs, and the subject of the message. No assessment of the URLs themselves is provided; they may be benign in their own right, so that assessment has to be carried out by the report recipient. The URLs should be of interest even if they are not malicious: they might help guide you to the actual phishing target, or at least give you a heads up that the URL is being used in some sort of spam or phishing campaign. Extra traffic to those URLs might indicate some level of success, or testing.
Fields
Field | Description |
--- | --- |
timestamp | Time that the spam message was received, in UTC+0 |
url | URL extracted from the spam message |
host | Hostname part of the extracted URL |
ip | IP address that the URL hostname resolves to |
asn | ASN announcing the URL host IP |
geo | Country where the URL host IP resides |
region | State / Province / Administrative region where the URL host IP resides |
city | City where the URL host IP resides |
subject | Subject of the spam message |
src | IP address of the spam relay that delivered the message (last hop) |
src_asn | ASN of the relay IP |
src_geo | Country location of the spam relay |
src_region | Regional location of the spam relay |
src_city | City location of the spam relay |
sender | Sender email address, if available |
source | Feed the event came from; SISSDEN spampot events carry the value "sissden" |
Delivery Mechanism
The report is sent out daily via The Shadowserver Foundation’s free victim remediation reporting service. Every event coming from SISSDEN is clearly marked as “SISSDEN”.
Sample Report
```csv
"timestamp","url","host","ip","asn","geo","region","city","subject","src","src_asn","src_geo","src_region","src_city","sender","source","md5","naics","sic","sic"
"2019-04-29 00:00:13","https://youtu.be/RPV2czlat80","youtu.be","192.0.2.10",15169,"US","CALIFORNIA","MOUNTAIN VIEW","Dein Tesla-Auto","203.0.113.5",5089,"UK","BRISTOL","BRISTOL","postmaster@localhost.com","sissden",519130,,,
"2019-04-29 00:02:53","http://klklk-90.info/jygwuq/","klklk-90.info","192.0.2.100",60307,"UA","KHARKIVS'KA OBLAST'","KHARKIV","hallo","203.0.113.100",24940,"DE","HESSEN","MARBURG","yfaqgiha@kundenhilfe-veripay.com","sissden",0,,,
"2019-04-29 13:12:43","https://drive.google.com/file/d/1mtkDMEA1z07_-2wuR32Ez87yjuBwr16U","drive.google.com","192.0.2.155",15169,"US","CALIFORNIA","MOUNTAIN VIEW","Weight Loss 15 Pounds Easy","203.0.133.199",8953,"RO","BUCARESTI","BUCHAREST","msgeri123@bellsouth.net","sissden",519130,,,
"2019-04-29 17:13:46","http://kxhxgq.com","kxhxgq.com","198.51.100.3",22612,"US","CALIFORNIA","LOS ANGELES","786159 ATTENTION!","203.0.113.201",20473,"US","ILLINOIS","ELK GROVE VILLAGE","ssl-wvyesgpf@bbva.com","sissden",518210,,,
```
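To show how a recipient would consume this feed, here is an added example (not Shadowserver's or SISSDEN's own code) that parses the records from the sample report above with Python's csv module, checks that each host column agrees with its URL, and summarises the events by last-hop relay and by URL host. The embedded CSV is copied from the sample above, including its repeated sic column.

```python
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Records copied from the Sample Report section above (RFC 5737 test addresses).
# The header repeats "sic" exactly as the sample shows it; DictReader keeps the
# last of the two columns, which is harmless because neither is used below.
SAMPLE_REPORT = """\
"timestamp","url","host","ip","asn","geo","region","city","subject","src","src_asn","src_geo","src_region","src_city","sender","source","md5","naics","sic","sic"
"2019-04-29 00:00:13","https://youtu.be/RPV2czlat80","youtu.be","192.0.2.10",15169,"US","CALIFORNIA","MOUNTAIN VIEW","Dein Tesla-Auto","203.0.113.5",5089,"UK","BRISTOL","BRISTOL","postmaster@localhost.com","sissden",519130,,,
"2019-04-29 00:02:53","http://klklk-90.info/jygwuq/","klklk-90.info","192.0.2.100",60307,"UA","KHARKIVS'KA OBLAST'","KHARKIV","hallo","203.0.113.100",24940,"DE","HESSEN","MARBURG","yfaqgiha@kundenhilfe-veripay.com","sissden",0,,,
"2019-04-29 13:12:43","https://drive.google.com/file/d/1mtkDMEA1z07_-2wuR32Ez87yjuBwr16U","drive.google.com","192.0.2.155",15169,"US","CALIFORNIA","MOUNTAIN VIEW","Weight Loss 15 Pounds Easy","203.0.133.199",8953,"RO","BUCARESTI","BUCHAREST","msgeri123@bellsouth.net","sissden",519130,,,
"2019-04-29 17:13:46","http://kxhxgq.com","kxhxgq.com","198.51.100.3",22612,"US","CALIFORNIA","LOS ANGELES","786159 ATTENTION!","203.0.113.201",20473,"US","ILLINOIS","ELK GROVE VILLAGE","ssl-wvyesgpf@bbva.com","sissden",518210,,,
"""

def parse_report(text):
    """Parse report CSV text into row dicts, keeping only SISSDEN-sourced events."""
    rows = csv.DictReader(io.StringIO(text))
    return [row for row in rows if row["source"].lower() == "sissden"]

def host_matches_url(row):
    """Sanity check before acting on a row: the host column must agree with the URL."""
    return urlsplit(row["url"]).hostname == row["host"]

def relays_by_volume(rows):
    """Count messages per last-hop relay (src), the one address here that cannot be spoofed."""
    return Counter((row["src"], row["src_asn"], row["src_geo"]) for row in rows)

def urls_by_host(rows):
    """Group URLs by the (host, ip, asn) they point at, the unit a recipient triages."""
    grouped = {}
    for row in rows:
        grouped.setdefault((row["host"], row["ip"], row["asn"]), []).append(row["url"])
    return grouped

if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for relay, count in relays_by_volume(rows).most_common():
        print(count, "message(s) relayed via", relay)
    for (host, ip, asn), urls in urls_by_host(rows).items():
        print(host, ip, asn, urls)
```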