We’ve been following an attack against one of our North American customers for the last couple of weeks. The incoming spam is pretty typical, coming from a mix of snowshoe ranges and possibly botted single IP addresses. What’s more interesting about this attack is the URLs in the payloads. The domains all appear to be legitimate (mostly related to photography), but the host parts of the URLs are non-standard, like “ww”, “wwww”, or “jhjkh” - we’ve even seen instances where the recipient’s email address was used as the hostname. Going to www at the domains will get you to the real website, but going to any other hostname at those domains will take you to the spammer’s payload site, via a ‘wildcard’ DNS zone entry.
All of the legitimate domains appear to be hosted by the same company. At this point, Cloudmark is concluding that there’s been an intrusion at the hosting company that has allowed an unauthorized party to insert their own DNS records into the zones of otherwise-valid domains, in an attempt to leverage the reputations of those domains. We’re in the process of contacting both the hosting company and the company that provides DNS for these domains to make them aware of this situation.