Does anyone recognize this e-mail sniffer or malware using ROT13 encoding?

I have a private website that every week sends e-mails with two different http links to a group of around 30 people. When a link is clicked, the answer is registered in a database. Starting last week, one of the recipient's links is automatically followed by either a network sniffer or some malware on the recipient's computer.

Each e-mail is sent individually since the links contain each recipient's e-mail address:

Yes, I will attend:
http://mywebsite.com/[email protected]&answer=yes

No, I can't attend:
http://mywebsite.com/[email protected]&answer=no

Around 20 minutes after the e-mail has been sent, I get the following request to my website:

UserHostName: 209.133.77.166
UserHostAddress: 209.133.77.166
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; MS-RTC LM 8)
Browser: IE 7.0
Platform: WinXP
HttpMethod: GET
Path: /default.aspx
Url: http://mywebsite.com/default.aspx?answer=ab&[email protected]
UrlReferrer: 

There are some strange things to observe here:

  • The e-mail address and answer are both ROT13-encoded (but not the parameter names).
  • The order of the parameters is reversed.
  • Only the second link, with answer=no, is followed.

Also:

  • The IP address, UserAgent, Browser and Platform fields do not match those of the recipient's computer (but they might be spoofed, of course).
  • The IP address used last week was 209.133.77.167. Both addresses seem to be dynamically allocated in the above.net domain; performing a tracert yields the hostname 209.133.77.166.T01713-01.above.net.
  • Checking the e-mail headers, the e-mail was sent from my web hotel binero.net via messagelabs.com to the recipient's mail server.
  • It is only this single recipient that has these problems.

Does anyone recognize the pattern of following e-mail links and encoding the parameters with ROT13?

Solution 1:

Hah, 5 minutes after posting the question I found the answer myself. Ever had that happen to you? :-)

https://security.stackexchange.com/questions/48684/help-investigating-potential-website-attack-url-rewriting-and-rot-13-obfuscatio

Essentially:

It took a few calls with AboveNet (now part of Zayo), but we were finally able to determine that one of their customers is an anti-malware firm based in the UK, providing services to two of our common customers. They were scanning all incoming emails and probing any hyperlinks to identify potential hazards and/or vulnerabilities in the destinations.
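As an added example (not the asker's code or the site's own), one way to keep such link-scanner probes out of the RSVP table: the mailed links carry plaintext values, so a request whose parameters only validate after ROT13 decoding was rewritten by an intermediary, not clicked by the recipient, and is labelled "scanner" instead of being recorded. The recipient list, addresses and sample URLs below are constructed.

```python
import codecs
from urllib.parse import urlsplit, parse_qs

# Constructed sample data for this example (not the asker's real list).
RECIPIENTS = {"alice@example.com", "bob@example.com"}
ANSWERS = {"yes", "no"}


def _params(url):
    """Extract the two tracking-link parameters regardless of their order."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("email", [""])[0], qs.get("answer", [""])[0]


def decode_rsvp(url):
    """Return (email, answer, obfuscated) for a tracking-link request.

    Plaintext values are what the mailed links contain. If the values are
    only meaningful after ROT13 decoding, the link was rewritten in transit
    (the scanner behaviour described in the question). None means neither
    form is a valid recipient/answer pair.
    """
    email, answer = _params(url)
    if email in RECIPIENTS and answer in ANSWERS:
        return email, answer, False
    email_d = codecs.decode(email, "rot_13")
    answer_d = codecs.decode(answer, "rot_13")
    if email_d in RECIPIENTS and answer_d in ANSWERS:
        return email_d, answer_d, True
    return None


def classify(url):
    """Label a hit as 'click', 'scanner' or 'invalid' for the logging/DB layer."""
    decoded = decode_rsvp(url)
    if decoded is None:
        return "invalid", None
    email, answer, obfuscated = decoded
    return ("scanner" if obfuscated else "click"), (email, answer)


# Constructed sample requests: a genuine click and a scanner's rewritten probe
# (ROT13 of "no" is "ab", matching the request shown in the question).
SAMPLE = [
    "http://mywebsite.com/default.aspx?email=alice@example.com&answer=yes",
    "http://mywebsite.com/default.aspx?answer=ab&email=nyvpr@rknzcyr.pbz",
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(classify(u))
```

Only hits labelled "click" should touch the database; a confirmation page that requires a second user action would close the gap for scanners that do not rewrite the URL at all.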