Then the spammers will start adding captchas to their opt-out pages.
Let's catch up with recent history, and learn from it, huh?
Fact is, during Blue Frog campaigns, spamvertized sites adopted two counter-measures.
captcha on every feedback, contact-us, order or any other form on the site
detection of incoming blue frog IP addresses and adding them to their firewall's blocking filter
The captcha really slowed down their ordering rate, creating a barrier to business. Few sites left them in place, because it hit the wallet.
The IP filtering cost time and time is money - another hit in the wallet. Some of the incoming IP addresses turned out to be large proxy sites! Plus, the concept of sending out invitations to visit coupled with blocking visits seemed to them to be, shall we say, counter-productive. Wallets could be kept bulging by removing the invitations at source - cleaning out all the blue frog addresses from the invitation list. Hey, come to think of it, wasn't that what the Blue group was asking for too? Hmm, maybe it was working after all . . . we can't have that!
Let's get this straight. Over one day a spammer sends 5 million invitations to go to a web site to buy a product. Over one day 5 million recipients visit the web site and in compliance with the CAN-SPAM Act request to be removed from the mailing list.
A DDOS is an illegal act. 5 million responses to an invitation is a CAN-SPAM compliant act.
Why do so many people not understand the difference? Is it from ignorance, or from vested interests in spreading spam?
You misread the transcript. The term "mate" was used by the Tier-1 person, to whom the DDOSer was messaging. It is his ICQ that is being quoted. Maybe the Tier-1 company employs a gullible tech from "down-under", who will help out a caller from "Blue Security" (yeah, sure) saying
"It's 2 AM here in Israel, but can you help me? We are suffering a DDOS attack, and we need some fast assistance to block all the traffic to our overloaded systems!"
Now you know who is talking, read the transcript again:
ICQ Message: "Support b [tier-1 ISP name withheld] says: Yes wont be a problem, i'll make sure to block all traffic to this domain very soon just get me reports mate"
"b [tier-1 ISP name withheld] will block traffic to your websites god i love this war "
It is obvious that the perps who did the DDOS are American, because "dollar" (Brown) lives in Missouri as does zMack (Burch). All the Russian stuff refers to the spam attacks by "killthem" - whose command of English extends over 30 expletives and a few conjunctions.
DDOS - Americans,
Spam attacks - Americans, and Russians with linguistic assistance from people with a better command of English, bar a few telltale spellnig (!) errors.
Yes, there was a holiday period dip, as usual. What is different is the longer term (12 month) view
http://www.senderbase.org/home/detail_spam_volume?displayed=last18months&action=&screen=&order=
June 2010 . . . . . 339 Billion/day average
December 2010 . . 92 Billion/day average
December 2009 . . 205 Billion/day average
So comparing December with the 2010 peak, or comparing December year to year, there is a huge decrease in the last quarter on 2010.
The steady decline from September to December is most likely attributable to the exposure of Igor Gusev in the Russian media, Russian police action in seizing his computers, and the immediate shut-down of his GlavMed affiliate program that was funding the spammers and providing the pharmacy fraud and fake watch scams.
Maybe you have set your sights on the smaller target when you talk about ISPs and the proxy as a work-around. If you raise your sights to target the registrars who honor contracts to register unlawful domain names then you will be able to cause some real damage. This comment applies not only to Intellectual Property theft, but to all the pharmacy spam frauds and fake replica trash too. Imagine the gain in global Internet bandwidth if registrars terminated contracts for every domain used for unlawful purposes.
The Net-Chinese registrar in Taiwan has accepted a service contract to register over 1,000 software piracy sites. It is just this sort of widespread abuse for which legislation like this is needed.
For the last 5 days alone, see the pirate sites listed at http://rss.uribl.com/nic/NET_CHINESE_CO_LTD_.html
For over 1,000 examples in October/November check http://spamtrackers.eu/wiki/index.php/Net-Chinese
If the US can't ensure compliance at home, how can anyone expect to convince the Taiwanese piracy sponsors?
It's the registrars who have the power to knock hundreds - even thousands - of spam sites off their perches in one shot, and in response to one complaint. You can see its success rate there.
Where is all this spam abuse people talk about in Google Blogger aka Blogspot?
First of all, anyone who has a Gmail account can create a blog. If I want to create 10,000 blogs to use for spam site redirection, I need to get 10,000 Gmail accounts. That way, when Google tries to communicate about 1 of those 10,000 sites, they will have to go to 1 out of 10,000 accounts. In the last resort, they may terminate the Blog site, and the Gmail account. 1 in 10,000 is not too bad.
So where do I get 10,000 Gmail accounts? Well, heck, that ain't hard. Some enterprising turkey called "William Lim" is selling any number up to 10 Million Gmail accounts over there in the spammer haven, BulkerForum. 10,000 is only a small portion of his portfolio.
Then I have a simple automation tool that cycles to the next one of my list of 10,000 Gmail accounts, logs in, auto-creates a site, and puts in an obfuscated java script that redirects to a spam brand, like "Canadian" Pharmacy - you know, that well documented fake pharmacy using a domain name registered in China, running on a web server in Korea, and if it ships any counterfeit pills or placebos at all, they come from India. Your credit card details and payments go to the herders in Russia, and a month later you find your details have been used to order more domain names.
So you think Google doesn't know all this? Yeah, right. You can see the rate of abuse in the site that builds a list of spamvertized blogspot URLs as they land in the spam-traps. We are talking 600-1000 abuses of the Blogspot terms of service per day. That's about one every 3 or 4 minutes, 24/7!
The abuse list for the last 5 days is updated in real time and is at the URIBL blogspot tracking site
You can even compare how the competitors, Yahoo (Geocities) and Lycos (Tripod), who have been equally abused at the same rate, are performing in handling this issue. The comparison is in the statistics for the blog site hosters.
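The kind of per-hoster comparison the post describes can be reproduced from a spam-trap feed. The script below is an added example, not code from the post or from URIBL: it takes constructed spam-trap hit lines (timestamp plus spamvertised URL; the hostnames are placeholders in the shape the post describes, not real abuse data), keeps only URLs on the free-hosting platforms named above, and works out hits per day and the "one every N minutes" figure for each hoster. The hoster suffix table is an assumption for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample of spam-trap hits: "<ISO timestamp> <spamvertised URL>".
# The hostnames are placeholders, not real abuse data.
SAMPLE_TRAP_HITS = """\
2010-12-01T00:02:10Z http://cheap-meds-4u.blogspot.com/
2010-12-01T00:05:44Z http://rx-deals-now.blogspot.com/2010/12/offer.html
2010-12-01T00:09:01Z http://www.geocities.com/watch_replica_99/
2010-12-01T00:12:37Z http://example-legit-shop.com/landing
2010-12-01T00:16:20Z http://members.tripod.com/pillstore123/
2010-12-01T00:20:05Z http://best-rx-online.blogspot.com/
2010-12-02T00:01:00Z http://cheap-meds-4u.blogspot.com/
2010-12-02T00:07:30Z http://new-rx-blog.blogspot.com/
"""

# Free hosting platforms discussed in the post, keyed by the domain suffix that
# identifies the hoster in a spamvertised URL (assumed mapping for illustration).
HOSTERS = {
    "blogspot.com": "Blogger",
    "geocities.com": "Geocities",
    "tripod.com": "Tripod",
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)$")
MINUTES_PER_DAY = 24 * 60


def hoster_of(url):
    """Return the hoster name for a URL, or None if it is not on a tracked platform."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, name in HOSTERS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_hits(text):
    """Parse trap-feed lines into (datetime, url) pairs, skipping malformed lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        hits.append((ts, m.group(2)))
    return hits


def abuse_summary(hits):
    """Per hoster: total hits, distinct abused sites, hits per observed day,
    and the average number of minutes between abuses (the post's "one every
    3 or 4 minutes" style figure)."""
    by_hoster = defaultdict(list)
    for ts, url in hits:
        name = hoster_of(url)
        if name:
            by_hoster[name].append((ts, url))
    summary = {}
    for name, items in by_hoster.items():
        days = {ts.date() for ts, _ in items}
        sites = {urlsplit(url).hostname for _, url in items}
        per_day = len(items) / len(days)
        summary[name] = {
            "hits": len(items),
            "distinct_sites": len(sites),
            "per_day": per_day,
            "minutes_between": MINUTES_PER_DAY / per_day,
        }
    return summary


if __name__ == "__main__":
    for name, stats in sorted(abuse_summary(parse_hits(SAMPLE_TRAP_HITS)).items()):
        print(f"{name:10s} hits={stats['hits']} sites={stats['distinct_sites']} "
              f"per_day={stats['per_day']:.1f} one every {stats['minutes_between']:.0f} min")
```

Counting distinct hostnames rather than raw URLs matters for the comparison: a single throwaway blog advertised with many deep links is one abuse of the terms of service, not many, while the hits-per-day figure is what shows how fast a hoster needs to act.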
Having scanned through the entries in this topic, I see it has moved on from the tired old "bash Microsoft" and "extol Linux" rot. Then there are a few suggestions about how to track botnets and shut them down. The FBI 1 million infections number has been quoted as a US-centric benchmark.
A few months back a botnet herder in Europe went down for running ONE 1.5 million seated botnet. The global botnet infection numbers are therefore in the tens to hundreds of millions of infected machines. Forget about what platform they run on. Obviously the numerical majority of infections will always be on the OS that has the most prevalence. And it will never be the same percentage for higher use as lower use OS. That's because higher use attracts a much higher level of interest by the infection writers. So let's climb down off the hackneyed hobby-horses.
Now to come to the point - shutting down botnets.
Does anyone imagine for one moment that none of the millions of infected machines are sitting under the watchful eyes of law enforcement, botnet tracking operations, and university labs? Who do you think first knows (after the perpetrator) when a spam-bot turns into a DDOS bot? Who thinks that nobody is watching and tracking the CC&C IRC commands coming down to the watched bots?
Catch up with reality. The FBI is working on very specific intelligence from some very intelligent researchers.
China has a loose handle on external spammers, both Russian and American as seen in this link
Noted ROKSO spammers like Leo Kuvayev (BadCow) and Christopher Brown / Swank's IP addresses are listed. But there has been little action on China's part to shut out the foreign spamming hordes that besmirch their country's reputation as a haven for the more techno-savvy Russians and Americans who have been raping their unprotected infrastructure with immunity to date.
Quick guide to SpamCop Quick Reporting
There is a good description of the process for setting up Quick Reporting in SpamCop, and the Pro's and Con's, at the CastleCops site.
OK, so maybe they should have stuck with Black Frog.
They considered calling it the "Blue Screen of Death" but found that it was copyrighted by a VERY large software company which has sole bragging rights.
When in doubt, blame Microsoft. Screw intelligent research. Maybe somebody somewhere has done some tracking down to see who are the most likely suspects.
The bigger picture on people identified as suspects in the spam and DDOS attacks on Blue Security is painted by Spamhaus / ROKSO. They maintain a global Top 10 list and a global Top 200 list of spammers.
A quick search on "bluesecurity" digs out
ROK6138 - Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov - Main Info
ROK5514 - Christopher J. Brown / Swank AKA Dollar - Main Info
ROK6643 - Joshua Burch - Interactive Adult Solutions / BulkEmailSchool.com - Main Info
ROK4932 - Leo Kuvayev / BadCow - Main Info
ROK5125 - Leo Kuvayev / BadCow - Partner-In-Spam: Vladislav "Vlad" Khokholkov / Apex Systems Ltd.
What's the betting that Spamhaus, who dare to mount the evidence, won't be the next DDOS target? I doubt that the pharmamasters would have any success destroying that evidence. But they will be sure to try. Put your money on it.
LOL! You tried it for two whole weeks and it didn't work? Nice one.
The do not intrude registry was refreshed every week. That's one week gone. Spammers would refresh their copy once a week. That's two weeks gone.
So you gave up the day the effect of joining was about to kick in.
News flash! Real life isn't a half hour television show, buddy.
Blue Security took all the pump-and-dump stock spams and forwarded one example to the SEC. Assistance to law enforcement was another prong of their response when spam contained no URL.
Similar reports went to FTC, Interpol, and in the case of bootleg software, to the software house (McAfee, Microsoft etc). So opt-outs on spamvertized sites was only part of the picture.
All in all a comprehensive service. No wonder the illegal content spammers had to stop Blue Security before they reached the 1-2 million subscriber size and became unstoppable.
If you follow up on the story of the Russian spammer who had his head bashed in, you will find that his attackers were 3 or 4 underage girls that he tried to rap^^^ seduce. The little rotters had the audacity to fight back! More balls than blue frogs! Apparently they are still available and are said to be partial to pharmaceutical merchants.
So why the fuck haven't the Russian authorities gotten their shit together? I mean, they've been spammer central for years now, well known
Much as I hate to piss on your parade, pal, I urge you to check the raw statistics. One country at the top of the list appears just a wee bit more spammer central, and contributes more than the next 9 all put together. Seems to me the quickest solution to killing the spam from the worst offending country would be to install a blocklist on all of its IP addresses.
Hey, what is this shit that I'm smoking? Gotta go cold turkey. Cough, cough.
Great link, great read. Now I see why Blue Security moved their operation under the DDOS protection of Prolexic.
Dyslexics of the world untie!
Background
Burch = http://www.spamhaus.org/rokso/listing.lasso?-op=c
Brown = http://www.spamhaus.org/rokso/listing.lasso?-op=c
Bragging rights aka self-incriminating evidence:
http://www.specialham.com
That's it, my homework assignment is done. Now can I watch the Simpsons, please Daddy? Pretty please?
The question was: "Do you have a sense of humor?"
Quote: It seems obvious the perp is an American. It shouldn't be that difficult to track him down, especially since he's IM'ing the victims.
Spamhaus / Rokso nail a couple of Americans up for your pleasure at http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5514
Use the frog, Luke
Quote: I do believe that the Blue Security method of whacking spammer's websites probably looks a lot like a DDoS (which in effect it is). You will need to explain the logic. Spammer sends 2.5 million invitations to visit a web site. 2.5 million recipients visit the web site. Spamvertised website claims he has suffered DDOS attack. (And heart attack) Have I got that right? Please post your reality check. Who let the frogs out?
First, these idiots set up an "anti-spam" service whose response to abuse is...abuse."
Not exactly. First, abuse or not, it's my response to spam, not Blue Security's. Just because I have them doing it for me doesn't make it any less my action. Anyone in the Blue Community would agree. Second, it's one-for-one. For each spam from a given spammer, one opt out is sent. The fact that it often ends up in a DoS for that spammer from only the Blue subset of his spam list tells you how much abuse he's doling out himself.
Careful with our terminology here. Miss out a word or two and the whole meaning changes. Instead of "For each spam from a given spammer, one opt out is sent" let's try "For each spam from a given spammer, no more than one opt out is sent."
In practice, when the Blue Frog opt-out requests were being sent to spamvertised websites, asking them to clean their lists, the average number of forms filled in was around 500 to 600. Now, try turning that into a DDOS attack.
Let's look at the math. Two million spams sent advertising a web site. If everyone decides immediately after reading the ad that they will indeed visit that site, again, is that another DDOS attack? And if so, who is responsible for that DDOS attack?
Send your answers to The CAN of SPAM contest. First prize, a year's supply of scrumptious canned spam.
Ta Da!
Hey, lookathis.
From the Prolexic web site, the big blurb babbles blissfully, and I quote -
Distributed Denial of Service (DDoS) attacks have rapidly become a commonplace threat to doing business on the internet. With over 2,000 distinct attacks per week, denial of service has quickly become the most costly form of cyber-crime businesses face today.
Then lookie here, lookie here -
bluesecurity.com. SOA IN 300
Primary DNS server: gdc.prolexic.net.
Serial: 2006050403
Refresh: 86400 (1d)
Retry: 900 (15m)
Expire: 1209600 (2w)
Minimum/NegTTL: 7200 (2h)
There are no lapses in your synapses. Zip-pe-de-doo-dah!