Slashdot Mirror


On The Trail Of Super-Zonda

Dynamoo writes "BBC Radio 4 has been on the trail of the notorious Super-Zonda spammers and crackers, according to this article. Super-Zonda's trick is to find insecure hosts and pressgang them into webservers for mail order brides, viagra and other spam favorites. In this case a server is traced back to a hacked machine at a major international airline. The BBC investigate some of the people allegedly behind the spam in an investigation starting on the Spamhaus houseboat in London and ending in the Netherlands via Moscow. The BBC point the finger at Martijn Bevelander of MegaProvider as being not the innocent party he seems. The BBC provide some evidence to back this up, and are not known for rash accusations."

13 of 318 comments

  1. Open HTTP Proxies by kiolbasa · · Score: 4, Informative

    The trick they use, as I understand it, is to rig their DNS servers to respond differently based on the IP address querying the spammed domains. The DNS responds with the address of an open HTTP proxy normally, and when the open HTTP proxy does the lookup, it gets a different address - the spammer's webserver. That webserver then only responds to those open proxies. The moral of the story is to be more careful when you put any proxy on the internet.

    --

    Beer wants to be free
  2. Re:Hate the sin, Love the sinner by ShaiHulud-23 · · Score: 5, Informative
    Oft-quoted blurb from NYTimes article "Tangled up in Spam" (PDF) by James Gleick:

    Many people who hate spam believe, honorably enough, that it's protected as free speech. It is not. The Supreme Court has made clear that individuals may preserve a threshold of privacy. ''Nothing in the Constitution compels us to listen to or view any unwanted communication, whatever its merit,'' wrote Chief Justice Warren Burger in a 1970 decision. ''We therefore categorically reject the argument that a vendor has a right under the Constitution or otherwise to send unwanted material into the home of another.''
  3. Re:Hate the sin, Love the sinner by cabra771 · · Score: 2, Informative

    I believe I heard it best watching the Screen Savers earlier this afternoon. It's not free speech, it's commercial communications. Spammers aren't trying to just sway people's judgements...ok, well maybe trying to make guys believe that by taking a pill they can make their junk 25% larger...but on top of that they are selling you something. If this was free speech we would have never seen a national do-not-call directory for telemarketers.

    --

    -my other sig is your mom
  4. Re:Hooray!: inaccurate though by Anonymous Coward · · Score: 5, Informative
    First, it was not a "hacked" web server.
    Second, it appears that Super-Zonda just recently moved the actual host (well, it too was a proxy) to CyberAngels (they had been on servepath.com for a long time, then ev1 [I think it was] for a weekend, then ...

    The spammer uses network scanning tools to find an open web proxy: a system where, with the proxy located at {PROXY_IP},

    telnet {PROXY_IP} 80
    GET / HTTP/1.1
    Host: www.nytimes.com
    (empty line to end the headers)

    gets the front page of the NY Times.

    He then uses something like the following:

    telnet {PROXY_IP} 80
    GET / HTTP/1.1
    Host: [a_hostname_of_his_own]
    (empty line to end the headers)

    and looks at his nameserver's records to see whence came a request to resolve his hostname. Now he knows the location of the nameserver/resolver used by the open proxy. He does this a few times (the proxy may use several nameservers - just as in configuring your windows system for the 'net, you enter two nameservers in the settings). He also checks at his web server to see whence comes the connection (the proxy may or may not make its outgoing connections using the same IP address).

    Now he sets his nameserver to do the following:

    1: It responds to requests to resolve his spam site which come from the nameserver(s) used by the proxy with the correct IP address (of his spam site).

    2: It responds to ANYONE else with the IP address of the open web proxy.

    He then sets up his web server itself to drop all packets to port 80 (maybe to all other ports as well) EXCEPT packets to his port 80 *which come from the abused proxy*.

    The result? Everyone resolves his spamvertized host to the abused, hacked, illegally accessed web proxy and sends HTTP packets thither. That server/proxy attempts to get and serve up the pages by getting the IP address from its resolver which then gets the IP address of the hacker/spammer's actual site and accesses it and gets the page to return to the victim. Even if one happens to guess at the location of the actual spammer's machine, one cannot verify it since it appears dead to anyone except the proxy.

    The trick to locating him is to find out what resolver the proxy is using and have your resolver, nslookup or dig in Linux, say, do a lookup, but not via your ISP's nameserver - instead use the proxy's nameserver/resolver. Then you find whence the proxy got what it served up.

    [By the way, this is a pro-spam operation and the spammer's site may host some clients' stuff and in some cases, at least, it actually proxies the pages from another site.]

    It is not a matter of the spammer "hacking" anything. It is simply his hijacking web servers which serve as proxies but which allow anyone to use them as proxies.

    Why "super-zonda"? The names he used for his nameservers were ns1.super-zonda.com, etc. For other spamvertized domains he registered different names for the nameservers, but they were located at the same IP addresses/locations.

    One of the web servers/open proxies he hijacked was a British Airways travel shop server. He also hijacked a mideast bank web server. A K12 server in Colorado, I think it was. Several in Korea. He would spam for many clients at once, hijacking several web servers (one for every one or two of the hostnames).

    The article on the BBC says:

    "When Paul and Matt looked up which computer the website was using to host its service, the IP address belonged to British Airways."

    Wrong. That was what it appeared to be. The pages were not there.
    That site was proxying them.
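
    The mechanism described in comments 1 and 4 (the source-address-dependent nameserver, the open proxy in front of the real server, the firewall rule that makes the real server look dead, and the "ask the proxy's own resolver" trace) is easier to see as a small model. The following is an added example, not code from the thread or from any of the parties it discusses; every address, hostname and page body in it is constructed for the illustration (RFC 5737 documentation ranges), and the class and function names are the example's own.

```python
"""Model of the Super-Zonda hosting trick: split-horizon DNS on the spammer's
nameserver, an abused open HTTP proxy in front of the real web server, and the
resolver-based trace that exposes that server.  Added illustration only; all
addresses, hostnames and page text are constructed (RFC 5737 ranges)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SPAM_HOST = "www.pills.example"     # constructed spamvertised hostname
REAL_SERVER = "203.0.113.10"        # constructed: the spammer's actual web server
OPEN_PROXY = "198.51.100.20"        # constructed: the abused open proxy (the "airline" box)
PROXY_RESOLVER = "198.51.100.53"    # constructed: the recursive resolver the proxy uses
ISP_RESOLVER = "192.0.2.53"         # constructed: an ordinary user's ISP resolver
VICTIM = "192.0.2.77"               # constructed: a user (or investigator) browsing the site


def build_probe_request(host: str, path: str = "/") -> bytes:
    """The raw request the post types into telnet to test for an open proxy.

    A foreign Host: header on a plain connection to port 80 asks the server to
    fetch someone else's site; the empty line is what actually ends the headers."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


@dataclass
class SpammerNameserver:
    """Authoritative nameserver that answers by source address (steps 1 and 2 in the post)."""
    trusted_resolvers: Set[str]          # resolvers observed querying on the proxy's behalf
    real_ip: str
    decoy_ip: str
    query_log: List[Tuple[str, str]] = field(default_factory=list)

    def answer(self, qname: str, client_ip: str) -> str:
        self.query_log.append((client_ip, qname))
        if client_ip in self.trusted_resolvers:
            return self.real_ip           # only the proxy's resolver learns the truth
        return self.decoy_ip              # everyone else is pointed at the open proxy


@dataclass
class Resolver:
    """Recursive resolver; it queries the authoritative server from its own address."""
    ip: str
    authoritative: SpammerNameserver

    def resolve(self, qname: str) -> str:
        return self.authoritative.answer(qname, self.ip)


class SpamWebServer:
    """The real server with the firewall rule from the post: only the proxy may connect."""

    def __init__(self, allowed_src: str) -> None:
        self.allowed_src = allowed_src

    def get(self, src_ip: str, host_header: str) -> Optional[str]:
        if src_ip != self.allowed_src:
            return None                   # packet dropped: the host looks dead to everyone else
        return f"<html>{host_header}: buy now</html>"


class OpenProxy:
    """Misconfigured web server that honours any Host: header and fetches it upstream."""

    def __init__(self, ip: str, resolver: Resolver, network: dict) -> None:
        self.ip, self.resolver, self.network = ip, resolver, network

    def get(self, src_ip: str, host_header: str) -> Optional[str]:
        upstream = self.network.get(self.resolver.resolve(host_header))
        return upstream.get(self.ip, host_header) if upstream is not None else None


def build_world():
    """Wire the pieces together; returns (nameserver, isp_resolver, proxy_resolver, network)."""
    ns = SpammerNameserver(trusted_resolvers={PROXY_RESOLVER}, real_ip=REAL_SERVER, decoy_ip=OPEN_PROXY)
    proxy_resolver = Resolver(PROXY_RESOLVER, ns)
    isp_resolver = Resolver(ISP_RESOLVER, ns)
    network: dict = {REAL_SERVER: SpamWebServer(allowed_src=OPEN_PROXY)}
    network[OPEN_PROXY] = OpenProxy(OPEN_PROXY, proxy_resolver, network)
    return ns, isp_resolver, proxy_resolver, network


def browse(resolver: Resolver, network: dict, src_ip: str = VICTIM) -> Tuple[str, Optional[str]]:
    """What a user sees: the name resolves to the proxy, and the proxy serves the page."""
    ip = resolver.resolve(SPAM_HOST)
    return ip, network[ip].get(src_ip, SPAM_HOST)


def trace_real_server(proxy_resolver: Resolver) -> str:
    """The trace from the post: ask the proxy's own resolver (dig @<resolver> <host>)."""
    return proxy_resolver.resolve(SPAM_HOST)


if __name__ == "__main__":
    ns, isp, prx, net = build_world()
    print("victim via ISP resolver:", browse(isp, net))
    print("direct probe of the real server:", net[REAL_SERVER].get(VICTIM, SPAM_HOST))
    print("answer from the proxy's resolver:", trace_real_server(prx))
```

    Run as a script, the model reproduces the three observations the post makes: an ordinary lookup returns the proxy's address and the proxy happily serves the page, a direct connection to the real server from anywhere but the proxy gets nothing, and the same query sent through the resolver the proxy uses returns the real address. In practice the last step is a plain dig @<proxy's resolver> <spamvertised host> against a resolver that still answers recursive queries from outside.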

  5. Re:Solution to all spam by JOW · · Score: 2, Informative

    Over the last year a number of "free" SPAM relay tools have started to scan IPs; the one I've seen most is the "send safe" software, which uses a "free" proxy to send out SPAM and then relays the IPs found to other users of the software. One way to stop misuse of proxies, open or not, is to use server-based tools: http://kabel.netvisit.nl/~nieuwe03/squidefender.html

    In a country like Cambodia, where I work, it costs 0.1 USD per MB in/out, so not only does everyone pay to get the damn thing, but the owners of open systems pay twice: they receive it and proxy it out.

    Not all users in third-world countries know how to set up and run servers or even home computers. Often updates are not made, as the software comes from the local USD 2 per CD market.

    Send the guy his SPAM back
    http://www.bevelander.nl/

    General questions and/or remarks info@megaprovider.nl

    Technical questions support@megaprovider.nl

    Questions about rates and resale sales@megaprovider.nl

    Questions about administration administratie@megaprovider.nl

    Complaints about open relays, spam, hacking attempts etc. abuse@megaprovider.nl

    Questions/remarks about this site webmaster@megaprovider.nl

    Or just subscribe him (Martijn Bevelander ) to some good useful catalogs

    Mega Provider B.V.
    Postbus 6356
    2001 HJ Haarlem

    Mega Provider B.V.
    Pascalstraat 17
    2014 KZ Haarlem

    Good hunting

    --
    I just hate bit SPAM, (www.netnoise.com.kh)
  6. Re:Open Relays? by AndroidCat · · Score: 3, Informative
    Mainly these days, it's open proxies. Open relays leave a trail in the headers, proxies don't. Outgoing filters won't help in that case because it's not going through the ISP's mail server.

    Administrators can't do anything in cases where management doesn't mind pink spammer money, or where the sales guys are clueless about known spammers.

    For plenty of block lists, start at sprews.org and follow the links. Eventually you'll find one of the flavour you want.

    --
    One line blog. I hear that they're called Twitters now.
  7. Re:Hate the sin, Love the sinner by robogun · · Score: 2, Informative

    If you are not a troll, or a spammer, you are grossly misinformed.

    The Supreme Court has repeatedly ruled that advertising enjoys less protection than ordinary speech. The most recent decision was in 1980 and is called the Central Hudson Case.

    In the decision, the exceptions to First Amendment protection of advertising speech were clearly outlined (the four-part Central Hudson Test).

    Here is a link: http://www.bodi.com/papers/advertising/adv-1.htm
    but to summarize, spam speech cannot even get past the first test (the advertising must be of lawful activity and not be misleading).

    The FTC handles actions against spammers in the US. In a decision only today, the infamous Berrytrim Plus spammer had their ass handed to them to the tune of a million dollars. http://story.news.yahoo.com/news?tmpl=story&u=/ibsys/20030701/lo_WCVB/1681009

  8. Re:Hooray! by tqft · · Score: 2, Informative

    "If you want a good example of a bad publicly-funded media, look no farther than the US's PBS. It is corrupt, biased, and often times not very interesting or helpful"

    Never seen PBS except for the odd "special" that gets repeated here. Maybe they are. But at least it is a balance to the Rupert and Kerry (Packer) worldview we get shoved in our faces in Oz. If I want real news I go to Reuters, Bloomberg, maybe a speciality site (Jane's for mil stuff, /. for SCO vs IBM), maybe a Google search or two and a few other sites to try and get as many facts as possible and make up my own mind.

    Current affairs on the commercial networks is basically chasing shonky 2nd hand car dealers and other scam artists. They have never done spammers that I have seen - Packer's network is in bed with MS - the Packer's TV station website is ninemsn.com. And they also fuck up the Star Trek schedule too, to which they have the rights.

    Commercial News - good for local bank robberies and traffic etc
    ABC (main public) - political news
    SBS (multicultural channel) - world news

    --
    The Singularity is closer than you think
    Quant
  9. Re:Power to the People by pe1chl · · Score: 2, Informative

    >It is a fairly trivial matter for most regular /. readers to back trace a spam mail to the source server. In nearly all cases the server is an open relay or has been owned - either way the plug should be pulled.

    I think you have not looked at the matter last year.
    What you say may have been true in the past, but the spammer's tactics have changed.
    They use proxies now, not relays.
    There is no way to trace the path back to them, for a regular /. reader.

    You would need co-operation from the access provider of an "innocent" family using cable or adsl internet, and from that family.

    Well, in fact even from losers like the author of AnalogX Proxy and other Windows proxies that are by default open to the Internet and do not log.

  10. Martijn Bevelander's history by Anonymous Coward · · Score: 3, Informative

    I'm a network engineer for a medium-sized ISP in The Netherlands. Martijn Bevelander has been operating in the Dutch ISP world for years now. Previously most people saw him as a huge clown; his daddy (some chief somewhere) seems to always fund his playing in the internet world while he manages to get all his companies to go broke.

    His staff continues to show their good knowledge on the Internet: see this mail where one of his noc monkeys notifies the operators on the Amsterdam Internet Exchange of a new announcement from Bevelander Internet Services: 192.168.0.0/16. Perhaps this was just a sneak preview into the future?

    The dutch media have reported on several occasions on him: check this link from Webwereld.

    Insiders still laugh at his ignorance regarding security. He used to have his printers wide open, connected to the internet, resulting in people sending completely black pages to them. Another great story is how he continued to buy new 3com switches after he failed to change the administrator access on them and someone from the outside shut down his uplink port. Yeah Martijn, they were all broken.

    So far he was just a joke. The troubles started when his company Bevelander Internet Services went broke and he quickly set up a new company called Megaprovider. After most of the customers were transferred, he sold the empty remains to Concepts ICT. Apparently Megaprovider is not doing too well either, seeing his Cyberangels adventure.

    One of his well-known associates, Joshua Dodds, is known as a true DDoS-kiddo, DoS'ing everything and everyone who says a bad thing about him on IRCnet. I guess they will never learn...

  11. Here. by Anonymous Coward · · Score: 2, Informative
    If you just check his own site, you'll see an address right there at the bottom of the page:

    Pascalstraat 17
    2014KZ Haarlem
    Tel.023-5101094
    Fax.023-5441982

    It is probably an office address, but I'd guess he spends time there as well. International callers should not forget to add the country code for the Netherlands, which is 31.

    Martijn Bevelander is a highly controversial figure: he dropped out of school, then started an internet company (at a very young age) during the boom, got into legal trouble with lots of people, and finally went broke. Some people think he is the second coming of Bill Gates (quite a few people think of Bill as a role model...). Others think he is a liar and a thief. He appears to have made a business out of hijacking domain names, but foolishly forgot to register his own name.

    There is a very critical article in Dutch here (search for "martijn"). Another list of critical articles, again in Dutch, is here. There is a picture here, although (according to the first link) the equipment in the background is not actually his.

    All in all, although he himself thinks he is a genius, in reality he is nothing more than a parasite.

    I cannot, of course, condone any course of violence against his person. However, if (for example) the United States were to think of him as an international crack dealer and demand his extradition, I wouldn't shed any tears for this fellow countryman...

  12. BBC funding by evilandi · · Score: 4, Informative
    Their satellite channels run adverts as well

    The channels aimed at British audiences (ie. for those who pay the licence fee) do not carry adverts. These are BBC1, 2, 3, 4, Children's BBC, CBeebies (for toddlers), News 24 and BBC Parliament. Same goes for audio services Radio 1,2,3,4,5,6,7, Asian Network, BBC Cymru (Welsh language), BBC Local Radio etc. These are almost entirely funded by the licence fee.

    In the case of advert-free satellite signals these are quite literally "aimed"; the BBC broadcast advert-free from a satellite with tight coverage of the UK mainland with only very minimal bleed into the rest of Europe.

    The channels aimed at international audiences (ie. for those who do not pay the licence fee) are funded by a mixture of foreign office taxpayers' money, adverts and in some cases subscriptions. These include BBC World, BBC Prime and BBC America and are handled by a slightly separate commercial company called BBC Worldwide and are broadcast on a number of satellites with coverage for most countries.

    The international audio stations such as BBC World Service and BBC English By Radio are funded solely by the foreign office (similar to the funding for the Voice of America).

    British viewers can also see BBC programming on non-BBC channels with advertising such as S4C (Welsh language), UK Gold (comedy & soap repeats) and UK History (documentary repeats). Some of these channels are entirely funded by advertising, some also have small injections from various government departments such as the Welsh Office, Scottish Office and European Union, in the case of regional language programming such as Welsh or Scots Gaelic. For instance, the popular Welsh soap opera Pobol y Cwm (Valley People) is made by the BBC but broadcast on independent station S4C supported by both advertising and government funding [PDF, Welsh and English].

    --
    Andrew Oakley - www.aoakley.com
  13. Re:Solution to all spam by WuphonsReach · · Score: 2, Informative

    Domain spoofing is solveable at least. That can be controlled on the recipient end by changes to the inbound SMTP software. Basically, everyone would be required to list their outbound mail servers in their DNS records. E-mail that purports to be from domain X, that is sent from an IP address that does not appear in the domain's DNS record would be suspect. (Up to the admin whether to accept/reject at that point.) Whether you do that by adding a new record type to the DNS or just use the A records which already exist is open for debate.

    That, at least, would make whitelists a bit more reliable. Peer pressure would get companies to add the appropriate records to their DNS. And in order to spoof a domain, the spammer would have to hack the domain's DNS records.

    --
    Wolde you bothe eate your cake, and have your cake?
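
    The check proposed in the comment above (publish the addresses allowed to send mail for a domain in DNS, then have the receiving SMTP server compare the connecting client's address against that list, with accept/reject left to the admin) can be written down in a few dozen lines. This is an added example, not code from the comment or from any mail software. The DNS table in it is constructed; the "v=spf1 ip4:... -all" notation is the form this idea later took (SPF, RFC 7208) and is used here only as a familiar way to write the list, with just the ip4 and all terms implemented. The helper names are the example's own.

```python
"""Toy version of 'list your outbound mail servers in DNS and check the
connecting IP against it'.  Added example; the DNS table is constructed and
the record syntax is SPF-style (RFC 7208), restricted to ip4 and all terms."""
import ipaddress
from typing import Dict, Optional

# Constructed records: domain -> published sender policy (stand-in for DNS TXT data).
DNS_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/26 ~all",
    # example.org publishes nothing, so the check can say nothing about it
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_policy(domain: str) -> Optional[str]:
    """Hypothetical stand-in for a DNS TXT query over the table above."""
    return DNS_TXT.get(domain.lower().rstrip("."))


def check_sender(mail_from_domain: str, client_ip: str) -> str:
    """Return pass / fail / softfail / neutral / none for one SMTP connection.

    mail_from_domain is the domain the message claims to come from; client_ip
    is the address that actually connected to our inbound SMTP server."""
    policy = lookup_policy(mail_from_domain)
    if policy is None:
        return "none"                  # no record published: no verdict possible
    terms = policy.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("ip4:"):
            if ip.version == 4 and ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]   # catch-all decides everything not listed
        # other mechanisms (a, mx, include, ...) are deliberately not implemented here
    return "neutral"                   # record ended without any term matching


def smtp_action(result: str, reject_on_fail: bool = True) -> str:
    """The admin's choice from the comment: reject hard fails, or accept and flag."""
    if result == "fail" and reject_on_fail:
        return "550 sender not authorised by domain policy"
    if result in ("fail", "softfail"):
        return "250 accepted (tagged as suspect)"
    return "250 accepted"


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.44"), ("example.com", "10.0.0.1"),
                       ("example.net", "203.0.113.70"), ("example.org", "192.0.2.1")]:
        verdict = check_sender(domain, ip)
        print(f"{domain:12} from {ip:15} -> {verdict:8} {smtp_action(verdict)}")
```

    The "none" result is the weak spot the comment already anticipates: until a domain publishes a record, a forged sender from that domain cannot be distinguished from a legitimate one, which is why the author expects peer pressure to drive adoption. The check only covers the claimed domain of the envelope sender; it says nothing about the content of the message or about open proxies used to deliver it.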