On The Trail Of Super-Zonda
Dynamoo writes "BBC Radio 4 has been on the trail of the notorious Super-Zonda spammers and crackers, according to this article. Super-Zonda's trick is to find insecure hosts and pressgang them into webservers for mail order brides, viagra and other spam favorites. In this case a server is traced back to a hacked machine at a major international airline.
The BBC investigate some of the people allegedly behind the spam in an investigation starting on the Spamhaus houseboat in London and ending in the Netherlands via Moscow. The BBC point the finger at Martijn Bevelander of MegaProvider as being not the innocent party he seems. The BBC provide some evidence to back this up, and are not known for rash accusations."
But it is a crime that is very difficult to police, and a crime that is growing daily, as spammers find ever more inventive ways of staying ahead.
Well, now Microsoft is on the case. So they'd just better watch out.
The coolest voice ever.
A special investigation by the BBC has revealed that British Airways was used without its knowledge to host a website advertising Russian mail order brides.
As if the BBC would ever admit its nation's premier airline was desperate for some hot Siberian lovin'.
I thought the mail order bride emails were jokes, not SPAM.
...."
<russian accent>
"Hello, My name is Tania and I have executed 18 years of age. I love
</russian accent>
People that run open SMTP relays are part of the problem. Just as pawn shops that accept goods of dubious origin serve as fences and bear some responsibility for the problem of burglary, so do administrators that run open SMTP relays, either maliciously or out of stupidity, bear some responsibility for the spam problem.
I'd like to see owners of open SMTP relays be liable.
Paypal donations to hi-tech hit squads, a la Tom Clancy and his Mr. Clark, to track down and eliminate, with EXTREME prejudice, any and all spammers, anywhere in the world. I'd give them $5/month, easy. Hell, film it and broadcast it like COPS. It's not like the embedded media have any real use for those handy portable vidcams they were sporting recently. Now _THAT'S_ a pay per view!
These guys don't care about laws, and any and all fines they MAY receive are just a cost of doing business and a lesson learned on how NOT to do it next time. Mind you, I think they'd start caring if they starting being hurt and/or killed.
And I'm only half kidding...
Anyone wishing to apply for such a squad, please email to...
$0.02 (CDN)
Damn, here I was hoping there would be a chance of prosecuting in a country that still has the death penalty. Preferably something slow.
Have you watched British television lately?
"Why Subscribe?" Good question...
These spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken viagra, and are looking for a new relationship. Now that would be poetic justice.
Second, it appears that Super-Zonda just recently moved the actual host (well, it too was a proxy) to CyberAngels (they had been on servepath.com for a long time, then ev1 [I think it was] for a weekend, then
The spammer uses network scanning tools to find an open web proxy: a system where, with the proxy located at IP address {PROXY_IP},
telnet {PROXY_IP} 80
GET / HTTP/1.1
Host: www.nytimes.com
gets the front page of the NY Times.
He then does the following.
He uses something like the following:
telnet {PROXY_IP} 80
GET / HTTP/1.1
Host: [a_hostname_of_his_own]
and looks at his nameserver's records to see whence came a request to resolve his hostname. Now he knows the location of the nameserver/resolver used by the open proxy. He does this a few times (the proxy may use several nameservers - just as in configuring your windows system for the 'net, you enter two nameservers in the settings). He also checks at his web server to see whence comes the connection (the proxy may or may not make its outgoing connections using the same IP address).
Now he sets his nameserver to do the following:
1: It responds to requests to resolve his spam site which come from the nameserver(s) used by the proxy with the correct IP address (of his spam site).
2: It responds to ANYONE else with the IP address of the open web proxy.
He then sets up his web server itself to drop all packets to port 80 (maybe to all other ports as well) EXCEPT packets to his port 80 *which come from the abused proxy*.
The result? Everyone resolves his spamvertized host to the abused, hacked, illegally accessed web proxy and sends HTTP packets thither. That server/proxy attempts to get and serve up the pages by getting the IP address from its resolver which then gets the IP address of the hacker/spammer's actual site and accesses it and gets the page to return to the victim. Even if one happens to guess at the location of the actual spammer's machine, one cannot verify it since it appears dead to anyone except the proxy.
The trick to locating him is to find out what resolver the proxy is using and have your resolver, nslookup or dig in Linux, say, do a lookup, but not via your ISP's nameserver - instead use the proxy's nameserver/resolver. Then you find whence the proxy got what it served up.
[By the way, this is a pro-spam operation and the spammer's site may host some clients' stuff and in some cases, at least, it actually proxies the pages from another site.]
It is not a matter of the spammer "hacking" anything. It is simply his hijacking web servers which serve as proxies but which allow anyone to use them as proxies.
Why "super-zonda"? The names he used for his nameservers were ns1.super-zonda.com, etc. For other spamvertized domains he registered different names for the nameservers, but they were located at the same IP addresses/locations.
One of the web servers/open proxies he hijacked was a British Airways travel shop server. He also hijacked a mideast bank web server. A K12 server in Colorado, I think it was. Several in Korea. He would spam for many clients at once, hijacking several web servers (one for every one or two of the hostnames).
The article on the BBC says:
"When Paul and Matt looked up which computer the website was using to host its service, the IP address belonged to British Airways."
Wrong. That was what it appeared to be. The pages were not there.
That site was proxying them.
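The split-horizon DNS trick and the resolver-vantage check described in the comment above, as an added Python model that is not part of the original post; the hostname and all addresses are constructed documentation-range values, and the proxy's resolver is modelled as simply forwarding the query from its own address.

```python
"""Model of the split-horizon DNS trick and of the check that locates the
real host by querying the abused proxy's own resolver. All values constructed."""

PROXY_IP = "198.51.100.7"          # abused open web proxy (what the public sees)
PROXY_RESOLVER = "198.51.100.53"   # resolver the proxy uses for its own lookups
PUBLIC_RESOLVER = "192.0.2.53"     # an investigator's ISP resolver
SPAM_SERVER_IP = "203.0.113.99"    # spammer's actual web server
SPAM_HOST = "brides.example"       # constructed spamvertized hostname


class SplitHorizonNameserver:
    """Authoritative nameserver for the spamvertized name: the honest answer
    goes only to the proxy's resolver(s); every other querier gets the proxy."""

    def __init__(self, name, real_ip, proxy_ip, trusted_resolvers):
        self.name, self.real_ip, self.proxy_ip = name, real_ip, proxy_ip
        self.trusted = set(trusted_resolvers)

    def resolve(self, qname, querier_ip):
        if qname != self.name:
            return None
        return self.real_ip if querier_ip in self.trusted else self.proxy_ip


def spam_server_accepts(src_ip, dst_port, proxy_ip=PROXY_IP):
    """Packet filter on the spammer's box: port 80 only from the abused proxy,
    everything else dropped, so the box looks dead to anyone else probing it."""
    return dst_port == 80 and src_ip == proxy_ip


def public_view(ns, qname, my_resolver=PUBLIC_RESOLVER):
    """What an ordinary user (or an investigator using the ISP resolver) sees."""
    return ns.resolve(qname, my_resolver)


def trace_through_proxy_resolver(ns, qname, proxy_resolver):
    """The check from the comment: ask the proxy's own resolver, not yours."""
    return ns.resolve(qname, proxy_resolver)


def locate_real_host(ns, qname, proxy_resolver):
    """Compare both vantage points; a mismatch reveals the split horizon and
    the address the proxy is really fetching the pages from."""
    public = public_view(ns, qname)
    behind = trace_through_proxy_resolver(ns, qname, proxy_resolver)
    return {"public": public, "behind_proxy": behind, "split": public != behind}


NS = SplitHorizonNameserver(SPAM_HOST, SPAM_SERVER_IP, PROXY_IP, [PROXY_RESOLVER])

if __name__ == "__main__":
    print(locate_real_host(NS, SPAM_HOST, PROXY_RESOLVER))
```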
I'm really sick of hearing how the way to take the money out of spam is to charge for e-mail.
Instead of attacking the supply side, attack the demand side. Forget the fact that most of these spammers are outside the US. The fact is, most spam *advertisers* are in the US.
If the law allowed companies/people to be sued for using a service that has been convicted of using illegal means to send spam (invalid return address, hijacked systems, forged headers, etc), it would take about one or two high publicity lawsuits against a couple of spam buyers (lower mortgage rates! viagra! enlargement!) to curb the problem.
This legislation to kill spam by going after the senders will work for all of about a day, until all the buyers start buying service from someone offshore.
This would be a self-regulating, market-driven phenomenon if played out properly. Legitimate mailing companies could advertise their "legitimacy" and real companies could use those services for real, honest-to-goodness marketing. If someone used a shady mailing company, then they expose themselves to damages.
Whatever. Spam will not significantly decrease until the companies that contract out the services of these mailers have the screws put to 'em.