Slashdot Mirror


Spam's U.S. Roots

ahab_2001 writes "Notwithstanding how tired my finger is getting from deleting all of those unsolicited messages from China and Korea, Information Week reports that a study of filtered messages by the spam-blocking firm CipherTrust revealed that some 86% of spam originates in the U.S. Apparently, a very limited set of IPs with high-bandwidth connections is dishing out the bulk of the spam, according to this study."

22 of 332 comments

  1. Me... Trolling? by The-Bus · · Score: 4, Informative

    Funny. My finger's not tired, I use SpamBayes. Sure, I miss out on great messages touting... "A great opportunity... New and spreading via the Internet in a very big way-It's FREE to join, and it promises a lot. Too good to be true?" ...but it makes it easier.

    --

    Small potatoes make the steak look bigger.

  2. T-Systems connects Scott Richter's net by Anonymous Coward · · Score: 5, Informative

    According to this, notorious spammer Scott Richter has his own netblock (69.6.0.0-69.6.79.255), which until recently was connected to the internet through Taiwan-based ISP Chunghwa Telecom. After they gave up on him, Germany-based T-Systems took over. If you have any problems with spam from this netblock, their security team would like to hear about it. They have announced that they will terminate the contract if Richter violates it.

  3. I need your help by Saint+Aardvark · · Score: 5, Informative
    Weirdly enough, I just wrote about something like this in my journal. In a nutshell, I've been contacted by a list seller asking if the files on my site mean I know how to get in touch with The Bulk Club (you remember The Bulk Club, right?)

    I'm looking for suggestions on what to do next. In the meantime, whatever you do, do not run this command:

    while [ true ] ; do wget http://www.emailsupply.net/sample.txt -O /dev/null ; done
    That's a 4MB sample of the lists the gentleman has for sale, and surely the Slashdot effect runs the risk of using up all his bandwidth. Don't do it, I beg you!
    1. Re:I need your help by Anonymous Coward · · Score: 2, Informative
      Yes, it wouldn't be good if people tried that, but it would be even more important not to try this or variations:
      while true; do wget --cookies=off --cache=off --user-agent='Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)' -O /dev/null --random-wait --referer='http://www.ftc.gov/' http://www.emailsupply.net/sample.txt ; done
      (All on one line, in case that isn't obvious)

      This sets some useful wget options:
      1.) the user-agent string is set to look like an ordinary, common browser access. Pick one from a real browser (google for "user-agent string" to find examples). This is for an old Win 95 version of IE.

      2.) sets the referer field to some misdirection (e.g., implying you visited their site from a site or domain by clicking on a link at, oh, ftc.gov, another spammer's site with competing services, etc. Be creative, even consider setting it randomly for more fun. It's probably easy to recognize as bogus, but might be worth a "gasp" when they first look at the logs if you put in an FBI, IRS, FTC or similar site with interesting implications). Setting it to point from another page on the site also makes sense, and looks more like a normal visit.

      3.) --random-wait causes wget to vary its access times to make it more difficult to detect as script-driven (see the man page for more details).

      4.) --cache=off sends the appropriate command to ask the remote server to get the actual file, rather than a cached version (may as well get the most up-to-date version, right?). The server may not honor the request, but it doesn't hurt to ask.

      5.) --cookies=off should be obvious. No sense in giving or leaving behind any free information about the session.

      Wget is a really useful and versatile program.

      Your suggestion was a pretty bad one, yes, but, fortunately, it could have been worse.
  4. Amount is only message-wise. by Tar-Palantir · · Score: 4, Informative

    According to the article, Asia has a significantly higher number of spamming machines. It's just that the US, with readily available high bandwidth connections (and nutbars like Alan Ralsky) spews out a disproportionate percentage of all actual spam messages.

  5. Re:What are those? by Anonymous Coward · · Score: 2, Informative

    The Spamhaus ROKSO database lists the netblocks and other relevant information. Interesting tidbit: Scott Richter's address block is now served by T-Systems. It doesn't take small shady ISPs or anonymous DSL accounts to bring spammers online.

  6. Re:Crush by geminidomino · · Score: 5, Informative

    AOL v. Cyberpromotions established that servers are private property.

    Rowan v. U.S. Post Office Dept., 397 U.S. 728 established that forcing advertising upon unwilling recipients is NOT protected speech.

    Spammers can *invoke* the first amendment all they like. (HINT: They also claim they are legitimate, ethical businesses). Rule #1: Spammers lie.

  7. From the US? by bannerman · · Score: 2, Informative

    I could have sworn I just saw a Slashdot article stating that 80% of all spam came from some country like Elbonia or something. Does anyone else remember that? Maybe someone with the skills to find it?

    --
    I keep forgetting my place. Jesus is for losers. Why do I still play to the crowd?
    1. Re:From the US? by Saluton_Mondo · · Score: 3, Informative


      This might be what you're after: http://it.slashdot.org/article.pl?sid=04/05/20/1650255&tid=111

      According to this /. article 71% of spam servers are located in China.

      --

      Batman: "Slake your thirst. You'll have worse than a parched sensation when we're through with you!"
  8. Re:Limited set of IP's? by Zapman · · Score: 2, Informative

    Ciphertrust is an anti-spam company. They'll sell less of their product if they give away that info.

    That said, we use their Ironmail product at work, and it is AWESOME. We're blocking 200k spams a week for under 2000 mailboxes. It also wraps anti-virus (from sophos), and OWA proxy, imap, pop3, content filtering, etc. It's a wonderful appliance, that's unix based, and it's even got a really nice web front end.

    If you do anti-spam for part of your paycheck, it's a product worth considering.

    --
    Zapman
  9. Makes sense by Sarojin · · Score: 1, Informative

    Given the relative popularity of Windows here. According to The Register 80% of spam also comes from infected Windows PCs!

    --
    HOW'S MY POSTING? CALL 1-800-POSTING
  10. Re:not by gorbachev · · Score: 5, Informative

    Spamcop reports on SENDING IP addresses.

    The study was reporting on who actually sent the spam.

    It is widely known US based spammers use open proxies, zombies, open relays and paid foreign spammers abroad to hide their tracks.

    So both studies are correct. It's just that they're reporting different things.

    --
    In Soviet Russia, I ruled you
  11. Re:iptables -I FORWARD -s isp/20 -j DROP by bwindle2 · · Score: 2, Informative

    I wrote a little script that parses my mail filter's logs, and anyone who is rejected by a DNSBL but keeps trying gets dropped into my border router's ACL. These hit counts were reset yesterday afternoon. Some of the worst ones:

    deny tcp 64.156.187.0 0.0.0.255 any eq smtp (2551 matches)
    deny tcp 206.71.48.0 0.0.15.255 any eq smtp (5914 matches)
    deny tcp 66.109.16.0 0.0.15.255 any eq smtp (9594 matches)
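
The approach described in the comment above, as an added example (not the poster's script): count DNSBL rejections per client in mail logs and emit router ACL lines in the same `deny tcp ... any eq smtp` form for repeat offenders. The Postfix-style log format, the threshold, the allowlist and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed Postfix-style reject line; only DNSBL rejections ("blocked using") count.
REJECT_RE = re.compile(r"reject: RCPT from \S*\[([0-9a-fA-F.:]+)\]: .*blocked using (\S+)")

def make_line(ip, reason):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f"Jun  1 10:00:00 mx postfix/smtpd[411]: NOQUEUE: reject: "
            f"RCPT from unknown[{ip}]: 554 5.7.1 {reason}")

DNSBL = "Client host blocked using dnsbl.example.org"
SAMPLE_LOG = (
    [make_line("192.0.2.15", DNSBL)] * 3                      # keeps retrying
    + [make_line("198.51.100.8", DNSBL)]                      # single hit
    + [make_line("198.51.100.8", "Relay access denied")] * 5  # not a DNSBL reject
    + [make_line("203.0.113.9", DNSBL)] * 4                   # allowlisted partner
)

def dnsbl_rejects(lines):
    """Count DNSBL rejections per client IP; other reject reasons are ignored."""
    hits = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            hits[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue  # malformed address in the log: never pass it to the router
    return hits

def acl_entries(hits, threshold=3, prefixlen=24, allow=()):
    """Return deny lines for the networks that contain repeat offenders."""
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    blocked = set()
    for ip, count in hits.items():
        if count < threshold or ip.version != 4:
            continue
        if any(ip in net for net in allow_nets):
            continue  # automated blocking must not cut off networks you rely on
        blocked.add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    return [f"deny tcp {n.network_address} {n.hostmask} any eq smtp"
            for n in sorted(blocked)]

if __name__ == "__main__":
    for entry in acl_entries(dnsbl_rejects(SAMPLE_LOG), allow=["203.0.113.0/24"]):
        print(entry)
```

Widening `prefixlen` (the comment's list includes /20 entries) blocks more neighbours of each offender, so the allowlist check matters more as the prefix gets shorter.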

  12. us top spammer, china top hoster? by blanks · · Score: 4, Informative

    http://spam.weblogsinc.com/entry/4463682046968893/ Link goes to quote, plus more links backing up this data.... "A study released this week by Commtouch reveals that about 55% of all spam originates in the United States, and that more than 73% of spam refers to websites which are hosted in China. Ninety-nine percent of all websites mentioned in spam sample analyzed by Commtouch were hosted in China, South Korea, the United States, Russia, or Brazil." Here is another link, with a more detailed article. http://www.securitypipeline.com/showArticle.jhtml?articleId=22103058

  13. Re:Crush by GreyPoopon · · Score: 4, Informative
    > We should add the entire American IP address range to the great blacklist and move along! :)

    I know your comment was meant to be funny, but that's EXACTLY what I think other countries should do. They should contact the US government and tell them they have 30 days to fix the spam problem before a nationwide block goes into place. I predict the end to most of the spam within 5 to 10 days. I'm an American, BTW, and I don't think my country should be treated with any more consideration than some of the Asian countries we've advocated taking this approach with.

    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?

  14. That's not new, ROKSO by cpghost · · Score: 3, Informative

    Spamhaus' published ROKSO list has always shown that most top spammers are U.S.-based.

    All it takes is more vigorous law enforcement. Where are the prosecutors, when we really need them?

    --
    cpghost at Cordula's Web.
  15. Re:Limited set of IP's? by tokennrg · · Score: 5, Informative

    Spamhaus will certainly help you out with a list of IP's to block. They'll also tell you what country spams the most and what ISP a majority of the spam comes from, just check the stats at the bottom of the homepage. Spamhaus is also one of the few DNS Blacklists around that you can actually work with.

    Normally they list IP addresses that spam comes from, unlike some lists like the five-ten group that lists all but 1 IP address (127.0.0.1). Spamhaus will also remove IP's that no longer spew spam and so legitimate businesses don't get blocked erroneously.

    Spamhaus also has a nifty thing called The ROKSO List which lists known repeat offenders and spam gangs so ISP's can keep from signing them up for service in the first place.

  16. Re:Crush by (54)T-Dub · · Score: 2, Informative

    I'm not a nationalist or anything. But the rest of the world's economy would take a severe hit if they were cut off from America even in limited fashion like email.

    --

    "I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
  17. Re:Crush by just+fiddling+around · · Score: 2, Informative

    Looks like this thing takes the addresses of the included images in spam emails and makes you reload them a lot.

    Give those spammers a slashdotting!!!

    --
    You're not old until regret takes the place of your dreams.
  18. Re:Crush by The+Ultimate+Fartkno · · Score: 4, Informative

    > What the hell are you linking us to?

    It's a "Lad Vampire" site. Some anonymous person coded the first one and used it to attack fake banks created online by 419 scammers and escrow cheats. "Artists Against 419" are still running one and organize flashmobs every once in a while to get hundreds of people using them all at once. The page links to just the images on spamvertised websites and reloads them over and over without caching, which sends the hosting costs of the server through the roof. Before long the site gets shut down for good and the spammer owes for some serious bandwidth costs. In cases where the sites are being served by zombied cable boxes then the ISP at least gets alerted to the problem and closes the user 'til their box is disinfected. The speed option allows you to change the reload speed depending on your bandwidth. (Admins with access to fat pipes always get a grin out of opening it up all the way.)

    > Thanks for wasting my time, I guess.

    No problem. You seem like someone who doesn't feel complete without something to be angry about.

  19. Re:You paid for that spam -- enjoy it. by fmaxwell · · Score: 2, Informative

    > Over the years I have received more and more spam, and yet paid less and less for my internet connection (adjusted - barely!- for bandwidth).

    Over the years, how much have computer costs, adjusted for performance and storage, dropped? The question isn't whether your absolute costs have dropped, it's how much they could have dropped were it not for spam.

    > Absolutely: spam costs ISPs big bucks. Absolutely: ISPs pass on these costs to their customers. But we're probably talking about cents per month per customer.

    According to ISPs, the average cost, per month per customer, is between $2 and $3. That's $24 to $36/year, a significant sum. Businesses spend huge amounts dealing with the spam problem. Take a look at NetworkFusionWorld's Spam Calculator to see just how expensive spam is to businesses.

    When you go to Best Buy, a percentage of what you pay for your purchase is to offset the cost of dealing with spam in the corporate offices. When you pay your taxes, a significant sum is paying government workers to deal with spam. When you order from Amazon.com, some of the money you spend there is to cover their costs for spam. I would not be at all surprised to see the total cost of spam per person averaging over $100/year.

    > BTW: bandwidth, servers, disks - none of these actually cost much money. The extra sysadmin or two to manage all of that... that's what costs money.

    In general, I agree with that, but enterprise-class machines with RAID, tape backup, etc. are not the same as home PCs. The cost may be outweighed by the cost of system administrators, but it's still significant -- especially if it means that your connection is slower because their capital equipment budget was spent on another mail server instead of additional broadband routers.

  20. Re:Crush by The+Ultimate+Fartkno · · Score: 2, Informative


    What browser are you running? At this point the vampire pages only seem to work in IE and (maybe) Konqueror. Are you getting a blue background and that's it, or blue with the (x) marks for the broken images?