Slashdot Mirror


From Artist To Spam-Hunter

I am Kobayashi writes "Wired has a story about Andy Markley, a graphic artists, whose business domain name was spoofed by infamous spammer Eddy Marin and used to spam thousands of people. After the incident recurred at a new ISP, and at the risk of his business and sanity, Markley fought back. He tracked down Marin through several spoofed email addresses and several hi-jacked servers, and eventually was successful in getting Marin's current ISP to shut down his account. Too bad he was a graphic artist and not a professional bounty hunter...."

18 of 271 comments

  1. glad for one positive hit by SHEENmaster · · Score: 5, Interesting

    Get 10,000,000 more of these guys and major domains will start accepting mail from innocent bystanders like me that are unlucky enough to be on small subnets again.

    --
    You can't judge a book by the way it wears its hair.
  2. Spamming by Henry+V+.009 · · Score: 4, Informative

    Spamming is such a dirty business that most spammers will commit some illegality somewhere. Their character is rarely that of a saint. And most ISPs will do anything to keep a spammer off of their bandwidth. So if you go after a spammer, there will probably be some dirt to smear him with somewhere.

    1. Re:Spamming by Chris+Burkhardt · · Score: 5, Funny

      > Their character is rarely that of a saint.

      Maybe not, but I've seen spam from monks selling laser toner.

      Seriously, someone should tell the monks that spamming is not good.

      --
      "And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12
  3. The Spam Hunter - Crikey! by Kenja · · Score: 5, Funny

    Here we see the Spammer in his native environment, let's pull his network connection and see if we can get him riled up. Crikey, look at em dial tech support!

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:The Spam Hunter - Crikey! by k12linux · · Score: 4, Funny

      Kenja earns the much coveted: (Score:6, Funny)

  4. Not surprising that his previous ISP did nothing.. by Dimensio · · Score: 4, Interesting

    Verio is notoriously spam- and crime-friendly. So much so that I wouldn't be surprised if their management sold their children out to child pornography websites.

    As for convicted coke dealer Eddy Marin, he deserves horrible and painful death for his actions. It's sad that no one has taken him out yet.

  5. Amazing story! by antic · · Score: 4, Funny

    Wow, what a revenge! This has all the exciting hallmarks of the most boring story in the world. He shut down a single ISP account. I'm stunned!

    I hope the author isn't holding out for a script-writing deal for anything starring Chuck Norris or Lorenzo Lamas. It's hardly going to get rapped about by Dre, is it?

    From Artist to Spam-Hunter to zzz...

    --
    'Thats they exact same thing a banana wrench monkey.'
    1. Re:Amazing story! by sharkey · · Score: 4, Funny
      I hope the author isn't holding out for a script-writing deal for anything starring Chuck Norris or Lorenzo Lamas.

      No, but it seems to be prime material for Kevin Costner's next magnum.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  6. Professional Bounty Hunter by nacturation · · Score: 5, Funny

    Qualified candidates must be professional bounty hunters with verifiable experience and verifiable references.

    Yes, my name is Boba Fett and I worked for a Hut called Jabba -- this was a long time ago and in a remote galaxy. During my tenure with Jabba, I successfully tracked and captured Han Solo, wanted for failure to pay back a sizable loan.

    I'm fully familiar with the use of various weaponry, grappling hooks, and personal rocket packs. I have also done consulting work for Mr. Vader, a well known businessman who spearheaded the creation of a large spherical space station.

    References available upon request.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Professional Bounty Hunter by NanoGator · · Score: 4, Funny

      "I'm fully familiar with the use of various weaponry, grappling hooks, and personal rocket packs. I have also done consulting work for Mr. Vader, a well known businessman who spearheaded the creation of a large spherical space station.

      References available upon request."


      Professional Weaknesses:

      - Once knocked into a Sarlacc Pit by a blind man.

      --
      "Derp de derp."
  7. Identity theft by BWJones · · Score: 5, Insightful

    So, this is identity theft. Why cannot spammers be prosecuted for assuming somebody else's "identity" and doing business/making money at the expense of others? This practice is illegal and there must be a legal precedent, yes?

    --
    Visit Jonesblog and say hello.
  8. How appropriate by Gunfighter · · Score: 4, Funny
    After seeing what looks like a solid plan for spam, I decided to change my business model today. You can read all about it here.

    Finally, something to fill in the ????? in my
    1. Linux
    2. ?????
    3. Profit!!
    business plan. Now I don't have to hide my email address(es) anymore!
    --
    -- Stu

    /. ID under 2,000. I feel old now.
  9. Legal question by Michael+Woodhams · · Score: 4, Interesting

    A scenario: Someone damages you, but it is hard to figure out who it was. You spend money and/or time and track them down. You succeed, and sue them.

    Can you include the cost of tracking them down in the damages you are suing for?

    Can you sue for more than your actual costs, to account for the risk you took that you'd be unsuccessful in tracking them down (hence your time/money would be gone with no possibility of being repaid)?

    --
    Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
  10. Re:SpamCop will help with backtracking headers by stilwebm · · Score: 4, Informative

    OK, enough of these wise-guy posts saying "I've cancelled spammer's ISP accounts before too" and "he could have just used SpamCop." First of all, if you are at all familiar with spam operations, you would know that spammers do not use mail servers hosted on their own network 95% of the time. Second, if you RTFA, you would see that was exactly the case. The article clearly states that he "painstakingly worked his way through a half-dozen hijacked servers."

    These were likely servers that had been compromised or accidentally misconfigured and turned into open proxies. Spammers use dozens of these per mailing. However, they have to send the spam to these hijacked servers from somewhere. Much of the time these are home users on cable modems or DSL, so this isn't always easy. There is no trace of the actual origin in the headers, just the proxy or relay. The ISP shuts down their connection and the spammer moves on. The hijacked server often has no record of the actual origin of the mail, or upon being cleaned, the records are cleaned. In this case, the victim was able to find where the proxies were getting the original messages from. This isn't as simple as submitting to SpamCop.
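    To see why the headers alone stop at the relay, here is an added example (not the poster's code) that walks a constructed message's Received: chain backwards from the receiving MX. The host names and IPs are made up; the only trustworthy stamp is the one written by a host you control, and the hop that handed mail to it is the open proxy, not the spammer.

```python
"""Walk a spam message's Received: chain back from our own MX.

Added example, not code from the original post. The message below is
constructed; the addresses are documentation ranges, not real hosts.
"""
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: our MX got the mail from an open proxy
# (198.51.100.7). The earlier "Received" line was written by that proxy,
# so nothing in it can be trusted to show where the spam really came from.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.ourdomain.example (Postfix) with ESMTP id ABC123
Received: from mail.artist-domain.example ([203.0.113.9])
\tby relay.example.net with SMTP; Mon, 1 Jan 2003 09:59:58 +0000
From: spoofed@artist-domain.example
To: victim@ourdomain.example
Subject: constructed spam sample

body
"""

OUR_HOSTS = {"mx.ourdomain.example"}        # hosts whose stamps we trust
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_hops(raw):
    """Return (by_host, from_ip) per Received header, newest first."""
    hops = []
    for hdr in message_from_string(raw).get_all("Received", []):
        flat = " ".join(hdr.split())            # unfold the header
        ip_m, by_m = IP_RE.search(flat), BY_RE.search(flat)
        hops.append((by_m.group(1) if by_m else None,
                     ip_m.group(1) if ip_m else None))
    return hops


def last_trusted_hop(raw):
    """IP that handed the mail to a host we control: the relay or proxy.

    Stamps below that one were added by machines we do not control and
    may be forged, so this IP is the only solid lead in the headers.
    """
    for by_host, from_ip in parse_hops(raw):
        if by_host in OUR_HOSTS and from_ip:
            ip_address(from_ip)                 # raises if malformed
            return from_ip
    return None


def untrusted_hops(raw):
    """Stamps written by hosts we do not control: informational only."""
    return [(h, ip) for h, ip in parse_hops(raw) if h not in OUR_HOSTS]
```

    The proxy's own logs, or the connection records at its ISP, are what carry the trail further, which is exactly the part SpamCop cannot do for you.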

  11. Williams Communications Group shining. by Agent+R · · Score: 4, Informative

    WCG.net, and told the tech support staff what had been happening. Within a few hours, Marin's account had been canceled.

    Baloney! It is likely that they told Marin to change the domain name before Markley sues and WCG loses their big bonus blood money.

    But WCG sounded sincerely surprised to find out the infamous Eddy Marin was one of their customers."

    Rule #1! Williams Communications Group is notorious for continuously providing bandwidth to spammers with dirty /24s. Then they feign this concern by "shinning" on those who complain about their dubious customers. Why doesn't someone ask them about Wholesalebandwidth.com/Optigate?

    Anyone who wants to know about Marin and his scum operation can see it on Spamhaus.org:
    http://www.spamhaus.org/rokso/search.lasso?evidencefile=1114

    --
    !@#$% whole-grain cereal. When I want fiber, I eat some wicker furniture. - G. Carlin
  12. Re:*You* are Wrong by mckyj57 · · Score: 5, Informative

    No one does spam filtering at routers.

    There are filters and blocklists, but they have nothing to do with
    routers. Long ago particularly egregious spammers were blackholed at the
    router level, but that hasn't happened for years.

    No ISP can stop all spam, but given enough resources we can stop most
    of it. The problem is usually somewhat like you allude to, that there
    is a certain set of people with an absolute horror of a non-spam
    message being bounced. They claim "loss of email", and thereupon close
    their ears.

    But there is a more insidious foe, the scan-and-delete error.

    Most admins today have two basic ways to stop spam -- blocking and user-
    based filtering. Blocking rejects spam detected (via filter or
    blocklist) and puts the onus on the sender to re-establish the
    communication. User-based filtering puts the onus on the recipient to
    review their spam folder and look for "false positives".

    And there are three ways to play your two tools.

    1. Little or weak filtering or blocking means communications are lost as
    people have scan-and-delete errors due to battle fatigue from their
    daily fight with spam in their mailbox. Much legitimate email is
    lost, and it is lost and *neither party knows it was never read*.
    This collateral damage is spread over every part of the net,
    spam-friendly or no.

    2. Aggressive filtering and tagging for dropping in the user's "spam"
    folder means that legitimate communications are tagged as false-
    positives. People usually don't scan their spam folders carefully,
    because such a high percentage is spam. Again, legitimate email is
    lost and *neither party knows it was never read*. This collateral
    damage is spread over every part of the net, spam-friendly or no.

    3. Aggressive rejection of email via blocklisting causes some legitimate
    email to be rejected. However, that collateral damage is limited to
    spam-friendly parts of the Internet. The sender knows full well it
    was not read and can re-send the message via another channel if it is
    important. This knowledge also allows them to take action to correct
    blocking errors; and heightens awareness of who is not doing their
    part to fight spam.

    To me, selecting #3 is a no-brainer. When legitimate email gets lost,
    the sender knows it was not received. And it is almost all lost from
    networks participating in the massive denial of service attack on the
    Internet at large that is spam.

    AOL, for example, does a simply outstanding job of making sure spam is
    not sourced from their network. They don't allow spam hosting of any
    kind. I *never* want to lose mail from them. Same with Earthlink, MSN,
    and Hotmail. They deserve that consideration due to their effort. If my
    users lose mail from them due to scan and delete errors, I have not done
    my job. I would much rather have them lose email from the people who pay
    the spam-friendly providers. (And no, folks, those fake hotmail.com
    addresses in the From line don't mean they source spam.)

    You can do filtering at the MTA level too with rejections, but I don't
    do that except with filter settings that have a near-zero false-
    positive rate.
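    An added example (not the commenter's code) of the two tools described above as they look at the MTA: a DNS-blocklist check that refuses the connection with a permanent 5xx, so the sender gets a bounce and knows, beside score-based tagging that accepts the mail and leaves the recipient to find the false positive. The blocklist zone, the listing and the resolver are offline stand-ins.

```python
"""Blocking versus tagging at the MTA, as an added example (not the
commenter's code). A source listed on a DNS blocklist is refused at SMTP
time with a permanent error, so the sender learns the mail was not read;
a merely suspicious message is accepted and tagged for the recipient's
spam folder. The blocklist zone and the resolver below are offline stubs.
"""
from ipaddress import IPv4Address

BLOCKLIST_ZONE = "bl.example"          # constructed, not a real DNSBL
LISTED = {"203.0.113.9"}               # constructed listing
LISTED_ANSWER = "127.0.0.2"            # conventional DNSBL "listed" reply


def dnsbl_query_name(client_ip):
    """Build the DNSBL lookup name: octets reversed, zone appended."""
    octets = str(IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + BLOCKLIST_ZONE


def stub_resolve(name):
    """Stand-in for an A lookup against the blocklist zone."""
    suffix = "." + BLOCKLIST_ZONE
    if not name.endswith(suffix):
        return None
    client_ip = ".".join(reversed(name[: -len(suffix)].split(".")))
    return LISTED_ANSWER if client_ip in LISTED else None


def mta_policy(client_ip, spam_score, tag_threshold=5.0):
    """Decide at SMTP time. Returns (smtp_code, action, extra_headers)."""
    if stub_resolve(dnsbl_query_name(client_ip)):
        # Option 3 in the comment: reject. The sending MTA gets a 5xx and
        # bounces it, so a wrongly blocked sender knows and can re-send.
        return (550, "reject", {})
    if spam_score >= tag_threshold:
        # Option 2: accept and tag. A false positive now sits in the
        # recipient's spam folder and neither party is told.
        return (250, "tag", {"X-Spam-Flag": "YES",
                             "X-Spam-Score": f"{spam_score:.1f}"})
    return (250, "deliver", {})


def smtp_reply(client_ip, spam_score):
    """Render the reply line the client MTA would see."""
    code, action, _ = mta_policy(client_ip, spam_score)
    if action == "reject":
        return (f"{code} 5.7.1 Service unavailable; client [{client_ip}] "
                f"blocked using {BLOCKLIST_ZONE}")
    return f"{code} 2.0.0 Ok: queued"
```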

  13. Been there, done that. by Anonymous Coward · · Score: 5, Informative
    I've had this problem, and I've successfully put a major porno spammer out of business, although it took a while.

    The spammer was forging mail from one of my domains. Since the domain name was a registered trademark, I had some extra leverage. ISPs have a "safe harbor" for E-mail content, but not for trademark infringements.

    I ignored where the mail was coming from, and concentrated on where the money went when you placed an order. The spammer had two phony "billing companies", with phony addresses. Accepting credit cards without providing a valid business name is illegal in many states, so, by sending appropriate letters to the ISPs that hosted his billing sites, I was able to turn off his income stream. The sites reappeared on other ISPs, but with some work, I was able to get his domain registrar to lock some of his domains.

    This is an effective tactic. If you file an "incorrect whois data" complaint with the Internic, and the registrar can't contact the domain owner, the domain goes to "locked" state. Then, if you get the hosting company to dump them, they can't move the site. In this case, the spammer operated his own DNS servers (triply redundant, on different ISPs), so I had to get all of them kicked off various ISPs.

    By now, I'd had this guy kicked off ISPs from Dallas to London to Sao Paulo. This was made easier by the fact that he was paying for much, if not all, of his hosting with stolen credit card numbers. Since his porno sites generated credit card numbers, he could keep signing up for new hosting accounts with his customers' credit cards. That doesn't work once the ISP knows who to look for.

    Finally, the guy retreated to his home ISP in St. Petersburg, Russia, where he apparently felt safe. That took a while to crack. I found out that the upstream provider used by the small St. Petersburg ISP was a larger telecom company in Moscow. That company was in the process of doing an initial public offering on NASDAQ. I talked to their investment people in New York, and eventually received a call from the Russian telecom's CEO. It turned out that we had some friends in common, and that he knew about the small St. Petersburg ISP as a known problem.

    With that connection, I had some discussions with the St. Petersburg ISP, which kicked off the spammer. He came back with new accounts the next day. I got those accounts closed. This went on for several weeks. Finally, after some additional prodding, the St. Petersburg ISP shut the guy down and kept him shut down.

    It's been months now, and the spammer's content is nowhere that Google can find it, so he seems to be out of business.

    The key to dealing with spammers is to follow the money. While dealing with this problem, I talked to bankers, the people who developed his billing system, and a company to which he'd outsourced web design. Eventually, a picture of the spammer emerged. This was basically a one or two person operation devoted to stealing credit card numbers. Once I knew that, getting cooperation in shutting the guy down was reasonably easy.

    Trademarking your web site name gives you some additional legal options, and is definitely worth the $450 or so it costs. When you raise a trademark issue, the problem escalates to the ISP's legal department, and you're no longer dealing with the customer service people.

    Once you get to the legal people, and fraud is involved, you can point out that the ISP, once informed of the problem, is knowingly aiding and abetting a fraud scheme. This usually results in quick action.

    It's always useful to check business license and corporate filing data. If you find a Whois entry for Phonycorp, Inc. at a Mail Boxes Etc. address, find out whether the company has a business license (where required) and is registered as a corporation in the state. If they don't, they're doing business illegally. So report them to the IRS, the state tax authorities, and the local authorities. ("Hello, City Assessor's Office? I'm trying to locate the offices

  14. Re:SpamCop will help with backtracking headers by Phroggy · · Score: 4, Interesting

    What has your experience with SpamCop's system been?

    Nothing but good things to say about them, and I've been on the other end too - I've worked in the abuse department at an ISP, and the vast majority of our spam complaints came from SpamCop. They put all the most important info in the subject line and the reports are all formatted consistently, making it very easy to deal with them. We were understaffed for awhile, so the SpamCop reports were the ones I dealt with first, because I could get them out of the way faster.

    I also use the service myself. There have been some occasional glitches, which have almost entirely been due to denial of service attacks. These glitches have not caused me to lose mail, but DDoS attacks have caused mail to be delayed on occasion - normally it's delivered in seconds, but I've seen it take a day or so.

    The way I have it set up, mail to my domain is forwarded to my SpamCop account, and anything that doesn't get stopped by their filter is forwarded on to my server at home. If I have any problems with my server at home, I can disable the forwarding and use SpamCop's webmail temporarily.

    Depending on how you have things set up, if SpamCop thinks something doesn't look right, it is possible to report yourself to your own ISP's abuse department. They don't like that much. When submitting a complaint, be sure to review the list of addresses the complaint will be sent to before sending it.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;