Slashdot Mirror


User: SpamIsLame

SpamIsLame's activity in the archive.

Stories: 0
Comments: 14

Comments · 14

  1. Russian Orthodox Xmas on Spam Volume Spikes After Holiday Respite · Score: 2

    I made a bet (which I have now lost) that spam volumes would rise to their pre-xmas levels by Jan. 13th. This was in response to the numerous news items that popped up in newspapers such as the Guardian and New York Times back on Jan. 5th or so.

    The reason I felt confident in that wager is because in Russia, Orthodox Christmas takes place on January 7th [source].

    Looks like our Russian friends just got back a little earlier than expected. This happens every January. You can practically set your watch by it (if you wear a watch.)

  2. Re:Algorithm on Estonian ISP Shuts Srizbi Back Down, For Now · Score: 1

    Couldn't the registrars run that algorithm ahead of time and ban (or track down) new registrations for those domains?

    They did, but there was only so much budget they were allotted.

    Read this:

    http://blog.fireeye.com/research/2008/11/fallback-cc-channels-part-deux.html

    Actually pretty much everything on that blog is worth reading to get a much better idea of what kind of research is going on regarding not just Srizbi but several other botnets.

    They also stated that they were indeed in a position to send the "uninstall" command to the entire swath of the botnet they knew were trying to phone home. They didn't, probably for the very reasons being argued above.

    I'm on the side of anyone who is in a position to stop these infections quickly.

    And here's another example I'd like to put out there, as an example of the whole "moral high ground" argument:

    There are hundreds of infected Unix servers out there. Hundreds if not thousands. They've been infected by the group behind a very large illegal pharmacy spam operation. They take over these servers and use them for everything from web hosting, to DNS, to image hosting, etc. I have been attempting to contact the owners of most of these infected servers for the better part of two years now. They're mostly abandoned. Nobody responds. The servers are mostly hobbyist Unix setups which originally were not even meant to be used as web servers (several are firewall setups, others are PBX installations.)

    I know how these hackers are getting in, and I know how to remove the infection reliably, but I cannot stop the box from being infected again, and I can't seem to get the attention of a single one of the owners or operators of these hijacked, infected servers.

    What would you do?

    I do think the days of these botnets continuing to operate with impunity MUST be coming to a close. It's very interesting seeing all the media coverage of this (even though it's largely just the geek media.)

    SiL / IKS / concerned citizen

  3. Article seems wrong on many points. on Spam Flood Unabated After Bust · Score: 1

    I feel that many of the conclusions this article comes to are erroneous.

    One must remember at all times that spammers do not organize into "gangs." They are individuals, and they are only looking out for themselves as an individual.

    When SanCash was shut down and had their assets frozen, the mailers were possibly the last to know. SanCash is believed to have had anywhere from several dozen to several hundred affiliate mailers, all invitation only. They were spamming just as much volume as usual the day of the shutdown. Spam messages arrived featuring URLs which were usually for domains which had already been shut down (SanCash provided the URLs to the individual mailers to keep track of who generated distinct sales. This is common for most spam sponsor operations.)

    Not every spammer in the SanCash program used the same botnet. Most people assume that all spammers use the exact same techniques or tools. They do not.

    A day later, all the spam that used to be for Canadian Pharmacy, Direct Pharmacy or Worldwide Wholesale Pharmacy (all SanCash properties prior to the shutdown) immediately swung to domains for Canadian Pharmacy, a website property promoted on behalf of Glavmed and Spamit. The copy and overall template of the messages remained identical to ones sent in the previous month promoting Canadian Healthcare, Direct Pharmacy and Worldwide Wholesale Pharmacy, only now they all pointed to one or another Canadian Pharmacy domain. Any spam which used to be sent promoting King Replica, Prestige Replica, or Diamond Replica are now exclusively promoting domains redirecting to websites for Swiss Watches Direct. (Sponsor as yet unknown.)

    These same individual mailers never stopped mailing, they just switched their efforts from promoting anything from SanCash to sites sponsored by other competing sponsors. Several people have noticed that spam volume is in fact generally higher than pre-SanCash-shutdown, indicating that the mailers may have taken a financial hit in the shutdown (they probably still had commissions for sales for which they were owed money from SanCash which they will no longer be able to recover.)

    Nobody "handed over" a botnet to anyone. Whichever botnet they were already using they continue to use, only to promote a different set of properties. SanCash was only one of several spam-friendly sponsors. It's still a good thing that they've been taken out of the picture. It only means that the mailers (spammers) who do the sending on their behalf have now moved on to other sponsors instead.

    My hope (and that of many spam investigators) is that law enforcement will now also focus their attention on Spamit / Glavmed, who have ties to the storm worm, the kraken botnet, numerous public website hijacks used to promote either storm worm or Canadian Pharmacy, and numerous other rampant abuses of public web services and domains. Spamit / Glavmed are also alleged to be closely linked to the Russian Business Network (RBN.) They continue to brashly hijack any website they come across and immediately use it in very large spam campaigns promoting these properties and have done so since at least 2006. There are also of course ties to Russian organized crime, and there were hints within the past year or so that the RBN has links to either Russian or Ukrainian government officials.

    Of course the volume of spam never went down. It's just the content of the spam, and the properties being promoted, which have changed.

    Do not purchase from websites promoted via spam. Please. Inform your friends and relatives.

    SiL / IKS / concerned citizen

  4. Re:My prediction: Internet segmentation on ICANN Asked To Shut Down "Worst" Chinese Registrar · Score: 3, Interesting

    We may have more spammers here, but at least we have a history of prosecuting and convicting at least some of them. What difference does that make to me, sitting here with an inbox full of American spam?

    Actually, in the case of the particular properties listed in this report (PowerEnlarge, VPXL, Canadian Healthcare, Wondercum) the sponsor for all of those sites is known as SanCash, which is operated jointly out of India and New Zealand. It recently changed its name to ETranz.mu. They list their corporate offices as being located in Mauritius, a notorious offshore location for underground activity.

    The mailers who send you this crap are more than likely located in the US, but the ones who profit from it the most are not. (Based on my own research, even the large-scale American spammers tend to be either Russian or from other foreign countries. It is rare that someone born in the US is behind the send button.)

    The individuals behind these mass domain registrations may also be located in the US, but again they are not the main profit department from these activities.

    These Chinese Registrars may not (repeat: may not) be in cahoots with them either. They merely represented a prime resource due to their total lack of attention to non-Chinese-language complaints.

    The other high profile spam operation who profits from this abuse is known alternately as Spamit or GlavMed. They are the affiliate program behind "Canadian Pharmacy", which is notable due to the fact that there is now a direct link between Canadian Pharmacy domains and the Storm worm. (Documented in several blogs and security review sites.) They also have a lengthy history of hacking public web servers to use them as redirections to the actual spammed target, causing grief for a lot of otherwise legitimate domain owners.

    Spamit / Glavmed is known to be a largely Russian operation. Glavmed is largely considered a non-spam affiliate program but they deal with precisely the same properties, just without any mention of email spamming.

    Not one of the large-scale spam operations has its roots in North America. They are all located offshore, and run by citizens of non-US countries, and remain located in those non-US countries, probably in an attempt to enforce some bogus "immunity" on their criminal activity.

    Registrars are a tiny piece of the puzzle. I wish someone would directly investigate and go after these sponsor organizations.

    Spamit and SanCash are responsible for the majority of all spam received by most individuals around the world. When they experience difficulties (i.e. widespread domain shutdowns), you begin to see incoming spam revert 100% to stock spam, since they can't spam domains anymore. This is a provable, repeatable experiment.

    SiL / IKS / concerned citizen

  5. Re:I don't get it... on Cybercrime Is a Franchise Model That Scales · Score: 1

    So who the hell are these people who think it's a good idea to respond to the email from Hector McGillicuddy for Viagra?

    Addicts, usually.

    When Chris "Rizler" Smith was convicted and sentenced to 30 years in prison for his numerous crimes (among them, pharmacy spamming and money laundering), court transcripts showed that he routinely spammed known repeat addicts of controlled substances. This was his prime target market.

    Not everybody is purchasing their meds from criminal spam operations. But people who have no other means of getting their fix, or those who are way too broke to afford them, will probably rely on only the spamvertised sites to get them.

    It's a public safety accident waiting to happen. There are a handful of stories about people who have died from the fake drugs offered by these criminal spam operations. It's bound to get worse before it gets better, and the spammers won't stop as long as it remains profitable (and anonymous. They love that there's never a well-known connection between them, their sponsor, their sponsor's suppliers, etc.)

    SiL / IKS / concerned citizen

  6. Not Just Online Elements To This Type Of Crime on Former FBI Agent Calls for a Second Internet · Score: 1

    This focus on investigating exclusively via the internet is only a small portion of this battle.

    Why is Visa not cracking down on merchant accounts which are associated with illegal pharmacies like "Canadian Pharmacy"? They're the ones processing the orders. That's not just an internet phenomenon. MasterCard by comparison has very effectively taken action against rogue merchant accounts over the past few years.

    Why aren't banks modifying their policies regarding the processing of fake checks used in 419 / Nigeria-style scams?

    You don't need to build a whole second internet to take these fundamental steps to stopping cybercrime. And these changes would take far less time and effort than re-creating an entire network infrastructure.

    Western Union could also tighten things up. The second I hear that company's name, I immediately think of two terms: "fraud" and "money laundering." That's not good for their brand or their services.

    Yes, law enforcement worldwide *must* act faster, and more proactively, and with greater cooperation, to thwart this type of crime -- but assuming that purely online methods are the key is a bit misguided, in my opinion.

    And while we're at it: when is anyone in Russian law enforcement going to shut down the people behind storm worm (etc.)? I'm sure the obvious answer to that would be "when the bribe money stops coming in." But seriously: It's the elephant in the room and nobody is talking about any kind of action against Russia / Ukraine / Romania. The Russian government continues to try to gain acceptance into the WTO, all the while endorsing very large-scale, rampant international cybercrime and fraud. Who has the ability to ask these questions and take action? The WTO? NATO? The UN?

    SiL / IKS / concerned citizen

  7. Re:Yet another wrong answer... on Spam Trap Claims 10x-100x Accuracy Gain · Score: 1

    how do you propose we remove the economic incentive for spam?

    The most effective way to shut down the profits of the spammers - whether we're talking about email spam, instant messaging spam, SMS spam or blog spammers - is to follow the trail to their websites.

    I and several colleagues over the past two years or so have been relentlessly reporting every spamvertised domain we find. At first this was daunting, and extremely time consuming, but we have automated the process a great deal, resulting in a tool now known as "The Complainterator(TM)" [http://complainterator.com/].

    This tool will take in a spamvertised URL, perform automated hosting lookups, and create complaint emails which are to be sent to the appropriate registrar for either the website domain, or the domain registrar for the DNS servers.

    Reporting DNS servers has definitely had a severe impact on several large-scale spammers, and we've seen them complain about these DNS servers being shut down. In some cases it's led to some retaliation from some of the more ornery spammers, but this only confirms just how effective this is.

    One spammer posted a message on one of their forums claiming that a single AOL user was so effective in reporting his domains and getting them shut down that he was now out $5000 in hosting fees. This is good news. (I don't even think that particular user was using the complainterator. He was just as thorough in his relentless complaints to web hosting companies and domain registrars.)

    In my opinion filtering is like hiding your head in the sand. There are enough people on this earth that absolutely despise spammers and their tactics. If we want to get rid of it, we definitely have to be proactive about it. Spammers have been lulled into thinking that our inaction means we really don't mind it. I and many others are doing our best to prove that theory wrong.

    SiL / IKS concerned citizen

  8. Re:Would this be evil/wrong? on Appeals Court Tosses $11M Spamhaus Judgement · Score: 2, Informative

    2) When the orders come in, send out authentic-looking prescription medication, but instead of medicine the pills are made of fast-acting poison.

    This is unfortunately already happening:

    Vancouver Sun: Online drugs can prove deadly: coroner

    Not a joke: real people are dying from these scumbags.

    There are also several mentions of death via overdose or fake prescriptions containing harmful particles in the recent court documents released on the Chris "Rizler" Smith conviction as well:

    http://spamsuite.com/node/195

    They definitely are killing people, it's just not publicized very often, if at all.

    The downside you speak of is lack of any interest on the part of the media in exposing these (mostly Russian) criminals for the scum that they are. They'll raise the issue of allofmp3.com violating copyright as a barrier to Russia entering the WTO, but not this. I don't understand why.

    SiL

  9. Re:Excuse me? on 30 Years For Online Pharmacy Spammer · Score: 1, Informative

    How was the perp able to withdraw money from a frozen account?

    -jcr

    From the sentencing transcript, available here:

    On June 6, 2005, in an act that he later admitted was directly in violation of the Court's preliminary injunction, Smith made two withdrawals from Xpress Pharmacy Direct's U.S. Bank account (of $1,000 each, plus transaction fees) by way of Xpress Pharmacy Direct cash card previously issued to Smith. Smith made the withdrawals from a casino located in Santo Domingo, Dominican Republic. The U.S. Bank account had been frozen by the Court's preliminary injunction, but was temporarily unfrozen by the receiver for the purpose of paying employees.

    SiL

  10. Only 70%?! on Piracy Built the Romanian IT Industry · Score: 1, Troll

    Romania passed anti-piracy laws nearly 10 years ago, but nearly 70 percent of software used in the country continues to be of an illicit nature.

    It seems to me that much more than 70% of EVERYTHING done in that country is of an illicit nature. Phishing, ebay fraud, virus creation, drive by trojan-installing websites, credit card theft, identity theft, child porn, spamming, boasting about spamming, fake escrow companies, fake banks, money laundering, etc., etc.

    The only time I ever hear about anything from Romania it's usually tied to some illicit operation, and the conclusion is always the same: this is the way life is in Romania. Period. Nobody will ever change it. It's aggravating.

    While I expect several non-illegal Romanians to chime in that that's a generalist statement, I have a lot of evidence to back all of that up, as do most international law enforcement entities.

    Their IT "industry" claims would be awesome if more of it was involved in legitimate business. It's disappointing that even their own government doesn't seem to care about their reputation as an illegal, corrupt haven for criminals of every stripe.

    SiL

  11. More to it than just profit from stocks on The Anatomy of Pump n' Dump Stock Spamming · Score: 1

    I thought it was worth mentioning that merely profiting from the actual pump itself is only part of the spammers' equation with this particular type of spam.

    Many spammers, on their forums, openly talk about the existence of "stock sponsors". These are brokers of one sort or another who contact the spammers to drum up the price of a victim stock. The spammers themselves may not even have actual shares of the stock, but get paid a commission based on how much they are able to manipulate the price of the victim stock.

    Nobody mentions this in any of these articles. It's an even deeper type of fraud in that case because they are actively concealing the relationship between the party who is profiting from the manipulation (the sponsor) and the spammer. This is a huge legal loophole as far as I am concerned.

    I agree that some kind of mandatory "hold" on all pinksheet / otc stock activity should most definitely be in place dependent on volume. It is literally impossible to miss the sharp rise in volumes for stocks which are in the midst of a spam run. Months of 1000- or 2000-size daily volumes, followed by two days of 3.5 million shares being moved, then back to the 1000-, 2000- etc. That's not suspicious? To anyone?

    Additionally, companies like eTrade and Yahoo Finance (among a zillion others) should consider some kind of "storm warning" notification on their sites, informing potential investors that a stock is in the midst of a spam run and that caution should be exercised.

    Why people fall for this crap is beyond me.

    SiL

  12. I agree about lax unix / linux security on What's With All This Spam? · Score: 1

    In other words, I suspect it's probably not a great long term plan to be smug about windows vulnerabilities causing all of the problems. It will continue to be one, for sure, but the spammers have other tricks which are contributing to the problem :/

    Amen to that! I have been tracking one particularly rampant group of spammers and they DEFINITELY seek out *nix servers with root passwords set to any of the following (and I have proof):

    - root
    - password
    - 123
    - 1234
    - 123456
    - 123456789
    - admin
    - passwd
    - pass
    - r00t

    In this day and age: who the hell is allowing this to continue?! Granted some of these have been hobbyist machines but I mean come on! What kind of idiot keeps a root password set as frikkin' "1234". You are part of the problem!

    People can debate about the security of *nix versus osx versus windows (ahem) all they like: if you set a top-level password to be something a 3 year old might pick: you are part of a very large problem. If a child porn site ends up hosted on your box: you have nobody to blame but yourself.

    (Please Note: several of the world's top spammers have verifiable ties to child porn)

    SiL

  13. Re:Smarter Spammers on Bot Nets Behind Recent Spam Surge · Score: 1

    Well the effort is the hugest roadblock, but I would suggest that the lack of effort generally is what got us into this mess in the first place. It was considered too much effort to actually stop spam when it was in much more manageable volumes than today. Now it appears to be overwhelming.

    If even a handful of people took the 15 to 20 minutes (and that's the top end, usually) that it takes to do this, we could see one of two things happen:

    - Slowing of the spam or a reduction of volume for that specific product (something I do indeed see for the ones I've reported recently.)
    - More spam even though the URLs don't work, because the spammer is an angry little tyrant (also seen this.)

    The first one is the longest one to report. After that you can usually copy / paste some boilerplate into each report. Do it enough times and you do indeed see a much more immediate response to these complaints. Yahoo domains shuts down any domain I report to them (properly, with evidence) within 30 minutes of reporting it. That's only gotten that fast recently because I've probably reported hundreds of domains to them over the past two years.

    It does work. We just have to be less complacent about it.

    SiL

  14. Re:Smarter Spammers on Bot Nets Behind Recent Spam Surge · Score: 1

    A couple of ways that work pretty effectively if enough tech-savvy people do it:

    - Do a whois on the domain name you were spammed with.
    - Make note of the DNS server domains for that domain. Those are 99% of the time also owned by the spammers.
    - Whois each of those domains to find the root registrar. (usually a real registrar like tucows, enom, etc.)
    - Report the domains to the registrar and ICANN as being name servers to a large number of spammed domains
    - Repeat as needed.

    I and two other private individuals have been doing this for a couple of months and it is slowly having a pretty big impact on the spammers' ability to keep their sites loading.

    Another thing that helps: don't set the root password to your hobby unix / linux box to something obvious. 100% of the web servers, DNS servers and image hosts for one very large group of sites is hosted on hijacked unix or linux machines which had their root password set as something like "123". Secure your unix boxes.

    Attack them where it hurts: the sites that they need people to actually visit and place orders. Report the domains with lots of evidence including the original spam message. It actually does make a difference. It's time consuming but trust me: if three of us can have the impact we're seeing, imagine if 20 or 30 or 100 people did it.

    By "impact" I mean: we went from seeing dozens of pharma or refi spam, to seeing strictly stock spam. Stock spam says to me that they're back to the drawing board. The top spammers are all known criminals. Everything they spam is in some way illegal (bad drugs / nonexistent drugs / stock fraud / credit card fraud / identity theft.) That extends to how their entire infrastructure is built and we let them get away with it every day. It takes ten minutes to investigate and report a spammed domain to a registrar. I say that's ten minutes worth taking.

    SiL
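The whois chain described in the steps above (spammed domain, its name servers, the domains those name servers live under, and the registrar sponsoring each), as an added Python example that is not part of the original comment or of any tool it mentions. The whois records are constructed stand-ins for a live whois client, and registrable_domain uses a last-two-labels simplification (assumed; correct for .com/.net/.org, wrong for ccTLDs such as .co.uk).

```python
import re
from collections import defaultdict

# Constructed whois records keyed by registrable domain; every name and
# registrar below is an invented placeholder, not real data.
SAMPLE_WHOIS = {
    "cheap-pills-example.com": (
        "Domain Name: CHEAP-PILLS-EXAMPLE.COM\n"
        "Registrar: Example Registrar A, Inc.\n"
        "Name Server: NS1.BULLETPROOF-EXAMPLE.NET\n"
        "Name Server: NS2.BULLETPROOF-EXAMPLE.NET\n"
        "Name Server: ns1.dnshost-example.org\n"
        "Name Server: ns9.unlisted-example.info\n"
    ),
    "bulletproof-example.net": (
        "Domain Name: BULLETPROOF-EXAMPLE.NET\n"
        "Registrar: Example Registrar B, LLC\n"
        "Name Server: NS1.BULLETPROOF-EXAMPLE.NET\n"
    ),
    "dnshost-example.org": (
        "Domain Name: DNSHOST-EXAMPLE.ORG\n"
        "Registrar: Example Registrar C, S.A.\n"
        "Name Server: ns1.dnshost-example.org\n"
    ),
}

_REGISTRAR_RE = re.compile(r"^\s*Registrar:\s*(.+?)\s*$", re.I | re.M)
_NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)\s*$", re.I | re.M)

def registrable_domain(host: str) -> str:
    """Last two labels of a host name.  Simplifying assumption: right for
    .com/.net/.org, wrong for ccTLDs like .co.uk (a real tool would use
    the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_whois(text: str) -> dict:
    """Extract the registrar and the de-duplicated, lower-cased name servers."""
    registrar = _REGISTRAR_RE.search(text)
    servers = []
    for m in _NS_RE.finditer(text):
        host = m.group(1).lower().rstrip(".")
        if host not in servers:
            servers.append(host)
    return {"registrar": registrar.group(1) if registrar else None,
            "name_servers": servers}

def trace_name_server_registrars(spammed_domain: str, whois_records: dict) -> dict:
    """Steps 1-3 of the post: whois the spammed domain, take the domain each
    name server lives under, and whois those to find their sponsoring
    registrar.  whois_records stands in for a live whois client (offline)."""
    record = whois_records.get(registrable_domain(spammed_domain))
    if record is None:
        raise LookupError(f"no whois record for {spammed_domain}")
    result = {}
    for host in parse_whois(record)["name_servers"]:
        ns_domain = registrable_domain(host)
        ns_record = whois_records.get(ns_domain)
        # None means the registrar could not be determined (record missing)
        result[ns_domain] = parse_whois(ns_record)["registrar"] if ns_record else None
    return result

def group_by_registrar(ns_registrars: dict) -> dict:
    """Step 4: one complaint per registrar, listing every name-server domain
    it sponsors; unknown registrars are kept under "UNKNOWN", not dropped."""
    grouped = defaultdict(list)
    for ns_domain, registrar in sorted(ns_registrars.items()):
        grouped[registrar or "UNKNOWN"].append(ns_domain)
    return dict(grouped)
```

In practice the evidence attached to each complaint (the original spam message with headers) is assembled separately; this block only derives whom to send it to.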