Message Board

Tracking Harvesters/Spammers

Cyveillance unleashed

Author: P.Hauser (28 Sep 07 11:39am)

Cyveillance unleashed [Part I]

We discovered a source of "data pollution" for the HoneyPot-database. Ironically this source is a security company running its harvesters for chasing webbased malware for their customers. A generic description of the IP-candidates of this company here would be a harvester with

1) no associated mailserver and
2) the user-agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows XP)" or "Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)".

Now what scares me a little concerning Honeypot data is the fact, that this company covered our webspace from 15/May/2005 on with 5 CIDR-24-ranges, which is eqivalent to 1.280 hosts or harvesters! Now you will probably answer that the Honeypot database "trusts" these IPs.

We could receive distinct database generated harvests from this company here from within the ranges of 38.100.41.0/24, 38.118.42.0/24, 63.100.163.0/24, 63.148.99.0/24, 65.222.176.0/24. So far I found the following harvester-IPs of this company here:

38.100.41.107, 38.118.42.36, .38, 63.100.163.63, 63.148.99.234, .237, 239, 65.222.176.122, 123, 124, 125

Other reports say, that this security company uses from 2.888 hosts up to 2.100.040 hosts for their activities. Even if they use only, let's say, 3.000 hosts for their harvests and even if they change the ranges very often for some strategical reason, this will be almost impossible to comment in the Honeypot web-interface for all Spider-IPs. It will lead to false-positive-comments like someone found their harvester-IPs in APEWS, since the security company rented a "dirty" range somewhere.

Thats actually why I put my posting here and not in any IP comment.

Post Edited (28 Sep 07 12:03pm)

Cyveillance unleashed

Author: P.Hauser (28 Sep 07 11:40am)

Cyveillance unleashed [Part II]

To be precise at http://www.spam-whackers.com/blog/2007/08/06/who-is-cyveillance/ the following ranges were claimed to be used from this company:

38.100.41.64/26 38.100.41.64 - 38.100.41.127 [64 hosts]
38.112.21.0/24 38.112.21.0 - 38.112.21.255 [256 hosts]
38.118.42.32/29 38.118.42.32 - 38.118.42.39 [8 hosts]
38.118.42.0/24 38.118.42.0 - 38.118.42.255 [256 hosts]
63.100.163.0/24 63.100.163.0 - 63.100.163.255 [256 hosts]
63.148.99.0/24 63.148.99.0 - 63.148.99.255 [256 hosts]
65.118.41.0/24 65.118.41.0 - 65.118.41.255 [256 hosts]
65.222.176.0/24 65.222.176.0 - 65.222.176.255 [256 hosts]
65.222.185.0/24 65.222.185.0 - 65.222.185.255 [256 hosts]
65.192.0.0/11 65.192.0.0 - 65.223.255.255 [2097152 hosts]
68.48.24.0/24 68.48.24.0 - 68.48.24.255 [256 hosts]
151.173.221.0/24 151.173.221.0 - 151.173.221.255 [256 hosts]
207.87.178.0/24 207.87.178.0 - 207.87.178.255 [256 hosts]
216.32.64.0/24 216.32.64.0 - 216.32.64.255 [256 hosts]

The security company's name is "Cyveillance". Sources to study this issue:

The source of the harvesters: http://cyveillance.com/

Use cases of the harvests: http://www.spam-whackers.com/blog/2007/08/06/who-is-cyveillance/
Use cases of the harvests: http://cyveillance.linuxgod.net/
and last not least: http://cyveillance.linuxgod.net/logs/emails/final-reply.txt
and http://cyveillance.linuxgod.net/logs/emails/paul1.txt

Post Edited (28 Sep 07 3:11pm)

Cyveillance unleashed

Author: P.Hauser (28 Sep 07 11:42am)

Cyveillance unleashed [Part III]

After all I understand that a company like this wants to keep privacy, from where they harvest and how often they change their harvest-ranges.

On the other hand this activity way of "polluts" the data and leads to false positive comments. Check the comments at IP 65.222.176.125 here as an example.

Malware of course is located in ranges of unprofessional and negligent owners that you will find also in APEWS a lot. From a first guess in the IP-search result one would say, this Cyveillance-IP is a spam-harvester, though without associated mailservers so far.

We believe, "Cyveillance" uses at least a few 100 harvesters, that would be sooner or later all in the Honeypot database.

Now, is there a way to trust and "flag" such trusted IPs and issues already in the web-interface? Any clues?

Post Edited (28 Sep 07 3:12pm)

Re: Cyveillance unleashed

Author: P.Hauser (30 Sep 07 5:27am)

OK, let me give this question a forth and final approach to get this issue straight.

According to http://ws.arin.net/whois Cyveillance Inc. ownes 104 hosts in the following ranges:

Cyveillance Inc. (CYVEIL)
Cyveillance Inc. (AS39972) AS-CYVEILLANCE-INC 39972

63.146.13.64/27 63.146.13.64 - 63.146.13.95 [32 hosts]
65.213.208.128/27 65.213.208.128 - 65.213.208.159 [32 hosts]
65.222.176.96/27 65.222.176.96 - 65.222.176.127 [32 hosts]
65.222.185.72/29 65.222.185.72 - 65.222.185.79 [8 hosts]

According to this information we would have clearly identified just about the range 65.222.176.96/27 and not all the other claimed ranges from the sources I mentioned above including Project HoneyPot, e.g. range 38.100.41.64/26, to speak, lets say, of the IPs 38.100.41.105 and 38.100.41.107 found here.

Now I am not going to check all the web-claimed Cyveillance-ranges via the HoneyPot web-interface oder via the http:BL-API, since You can clearify this a lot easier via a local SQL-query against Your database.

Maybe there is a way to clearify these facts or ... claimed ... facts from here with Cyveillance Inc. and flag such IP-candidates here?

Post Edited (30 Sep 07 12:58pm)

Re: Cyveillance unleashed

Author: A.Parker4 (19 Dec 09 7:17pm)

I just wanted to point out that ARIN/RIPE/etc (RIR) data cannot be counted on alone:

My AS is 30085, according to ARIN, I only have 208.95.172.0/22, but I've also got 2 /24's from one of my upstreams (208.71.112.0/24 and 208.71.118.0/24). To get more accurate data on what I'm currently advertising, you'd want to check something like robtex.com (http://www.robtex.com/as/as30085.html#bgp).