The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Wednesday, May 31, 2006

Anti-publishing-scam site shut down by "agent"

Not exactly about spam, but it is about abuse of the law to silence critics, which as you know, is a topic dear to my own heart.

In short, the web site Absolute Write serves as a clearing house of information for writers, including information about scammers who prey on writers (anybody remember Woodside Literary Agency?).

Last week, one of the scammers contacted Absolute Write's ISP, JC-Hosting, and threatened them with a bogus DMCA claim if they didn't remove the web site. JC-Hosting, being both ignorant and cowardly, complied. Not only that, but they refuse to return Absolute Write's database so they can move elsewhere.

Read more at BoingBoing: Anti-publishing-scam site shut down by "agent" - needs help

Tuesday, May 30, 2006

Not-so-hidden cost of spam: $250,000

In March, I wrote an essay called "Hidden costs of spam". I discussed many of the uncounted costs of spam, including that of false positives.

In this week's news we manage to count one of those costs. According to The Atlanta Journal-Constitution, a school system in Cobb County was accepting bids for a new phone system by email. Their spam filters gobbled up the lowest bid, so they wound up going with BellSouth, who charged them $250,000 more than the lowest bidder would have.

Consumer Reports also leaking customer emails to spammers?

Lot of this going around lately, it seems. In another abuse group thread, someone reports having given a unique email address to Consumer Reports, and receiving stock spam a couple years later.

Is Kraft selling email addresses to spammers?

A disturbing post in the net-abuse newsgroups: Carl Byington created a targetted spam-trap email address that was only used once — on the Gevalia opt-out page (approriately named "Spam Unsubscription").

That email address subsequently received lottery spam. Current thinking in the abuse group is that Gevalia may have had their email list stolen by an insider. However, this seems to be an on-going problem, which indicates that it's not a one-time theft. More as this develops.

Quote of the day

"I've said before that all companies will spam at some point. It's just a question of how much and for how long. (Marketers just can't help themselves. They're like alcoholics locked in a liquor store.)" — Joe Bednorz

Nifty graph of spam zombies

I just came across this as I caught up on my spam readings: tqmcube.com has published a nifty graph charting the sources of zombie-originated spam.

The worst offenders by far: Comcast and Verizon. These two companies need to start implementing port 25 filtering.

EV1 and The Planet are merging

Two service providers with bad spam histories EV1 and The Planet have announced a merger. What this means for spam is not yet certain, but it can't be good. My speculation is that the more effective of the two abuse departments will be fired and all abuse cases will be handled by the other. Discussion of the merger on the net-abuse newsgroups centers mainly on which of the two has the worst history, and what the merged company should be called (my vote is for Everyone's Spam Planet.)

Wednesday, May 24, 2006

U.S. Government arrests over 500 spammers, scammers, and fraudsters

U.S. Attorney General Alberto Gonzales announced today that 565 arrests were made in a massive law enforcement operation called "Operation Global Con".

According to Gonzales, the mop-up included two fraudsters based in Miami, who managed to collect up to $3million in a ponzi-like financial scam. Gonzales also says that U.S. law enforcement also coordinated with international authorities, resulting in more arrests over seas.

More information available in U.S. Department of Justice press release (pdf). Full transcript of the press conference available from NewsWire.com.

So far, the U.S. media has no new news to report, other than to repeat the information released by the D.O.J., however, there's some coverage in the Canadian press, including this article from the Calgary Sun about twelve Calgarians arrested in the sweep. Those arrested had been involved in a scam to sell fake credit cards for $249.

Sunday, May 21, 2006

National spam news

Kodak's Ofoto service fined under CAN SPAM act. According to the U.K. Register, has been fined for sending two million spam emails promoting it's Ofoto service. The fine will be the same amount Kodak made from the spam* — $26,331 — placing it in the slap-on-the-wrist catagory . In addition, Kodak has agreed to send no more spam* and to implement compliance monitoring. (Other coverage: Security Pro news.)

Cell phone spam reaches the U.S.? The Pittsburgh Tribune-Review has a short article about cell phone spam being used to promote pump-n-dump schemes.

Saturday, May 20, 2006

Don't open any MS Word documents from strangers

A security bug in Microsoft Word has been found and is being exploited by Chinese and Taiwanese crackers.

The bug is exploited by simply opening a Word document, and it allows crackers to take over your computer. Even fully-patched Windows systems are vulnerable.

More details at eWeek.com and the Internet Storm Center.

Word documents can probably be opened safely by OpenOffice on Linux or Mac.

MSN phisher Jayson Harris sentenced to 21 months.

Phisher Jayson Harris has been sentenced to 21 months in the slammer in connection with his phishing scheme carried out against MSN customers.

In December, Harris pled guilty to fraud and wire fraud. He could have faced up to 30 years on those charges, so the 21-month sentence is practically a slap on the wrist.

The phish was a fairly conventional one, in which email spam was sent to MSN customers that directed them to a fake MSN web site set up to collect credit card and other personal information.

Harris was tracked down by Microsoft security, who then informed the FBI.

The phish snagged between 50 and 250 victims. Harris was ordered to repay approximately $57,000.

Microsoft claims to have filed 125 lawsuits against phishers, and had over 2000 web sites taken down.

For more details, see Yahoo! News and Information Week,

Thursday, May 18, 2006

Secure Your computer; Take Back the Net!

In light of the unfortunately successful DDoS attack against Blue Security, the world has become aware of the harm that can be done by spammers and other cyber-criminals with large numbers of zombie computers at their command.

Zombie computers are used to transmit spam as well as launch denial-of-service attacks. It is now estimated that the majority of email spam is sent by zombies.

In the wake of the Blue Security attack, the Institute for Spam and Internet Public Policy (ISIPP) has launched the "Take Back the Net" campaign to educate people to secure their damn computers.

Learn more at their site: Secure Your Computer and Take Back the Net!

Commtouch claims defense against image-based spam.

Of late, spammers have been bundling their spam into images, insulating them from text-based spam filters. In effect, creating captchas to block automated spam filters. The images are even varied slightly to make them harder to detect.

Now, Commtouch, of Mountain View, CA, says they've developed technology which they call Recurrent Pattern Detection which is designed to look for recurring patterns in images which may identify them as spam.

Details on the alogorithm are sketchy, but it sounds like it might be just a basic image-matching algorithm.

For more details, see their press release and Globe Online article Commtouch claims to have beaten image-based spam.

World Spam News

Scam spammers in the slammer: UK courts have setenced Damon Knight, Nunhead, Kennedy Eguakhide, of Clapham, and Reginald Emelonye, of Abbey Wood for periods ranging from two to three years for conducting a number of "advance fee" frauds. The scammers collected somewhere on the order of a £million, but were only ordered to pay back a token amount. See icSouthLondon article Spam scammers to repay victims for more details.

NetBop Technologies of Wales has been awarded 'best spam filter' by Web User magazine for the second year running. See Ping Wales article Welsh anti-spam software wins gold for more.

Not a lot of international spam news this week. But stay tuned for National spam news.

Wednesday, May 17, 2006

Blue Security throws in the towel

According to Wired news and other sources, Blue Security has folded after a prolonged DDoS attack. CEO Eran Reshef announced that Blue Security did not want to fight a prolonged war which would "rip up the internet" in the process.

For the full story, see Wired article Under Attack, Spam Fighter Folds.

As for me, I mourn this decision. I know that a lot of people, including other spam-fighters had some serious and valid issues with Blue Security's methods, but the bottom line was that it seemed to be working, and at the end of the day, that counts for a lot.

Blue Security's 500,000 users had been successful in convincing six of the top 10 spam operations in the world to use its open-source mailing-list scrubber, which Reshef said proved that Blue Security's technology and approach was effective.

Wednesday, May 10, 2006

National Spam News

There's a new phishing scheme making the rounds that employs voip. In this version, you receive an email that asks you to call a phone number. The marks call the number, and find themselves in a voicemail system that seems like a legitimate bank, but in fact belongs to the phishers. Voip is used because voip services are easier to anonymize, making it harder to track down the phishers. See Phishing Attacks Use VoIP Systems To Dupe Users, for one story.

Amusing column in USA Today: Don't be that person helping keep spam alive. Columnist Andrew Kantor points out the obvious: there wouldn't be a spam problem if stupid people didn't buy things from spammers.

Gambling industry organization International Gaming Affiliate Marketing Initiative has blacklisted online casino 888.com for what it calls "unethical marketing techniques" — namely messageboard spamming. Full story in Silicon.com article Web casino blacklisted for 'messageboard spam'. It's nice to see someone taking web spamming seriously.

Silicon.com reports that Jeanson James Ancheta, who pled guilty in January to operating a network of hundreds of thousands of zombie computers, has been sentenced to nearly five years in prison. According to the article, Ancheta even infected military computers at China Lake*. Ancheta was ordered to pay the US Navy $15,000 in damages. Also covered by the L.A. Times.

Tuesday, May 09, 2006

Renesys calls BS on B.S.

I really need to learn to listen to those nagging doubts in the back of my head.

Yesterday, I wrote about the details of the attack on Blue Security. To summarize, according to Blue Security, the Russian spammer/hacker known as PharmaMaster somehow managed to arrange for the routers at an internet backbone site to null-route all communications to Blue Security from the outside world (in a technique that Blue Security called "blackhole filtering").

The questions remaining were: which internet backbone was it, and how did PharmaMaster manage it? Was it an inside job by someone in the pay of PharmaMaster, or did PharmaMaster actually break in? And why was corrupting a single backbone site sufficient to do the job?

Well today, Todd Underwood, Chief Operations and Security Officer of Renesys Corporation has a few things to say about it. Note that Renesys is a company that monitors internet routing changes.

In short, Underwood asserts that the attack was a simple garden-variety denial of service attack. This actually makes sense to me as I think about it. When a denial of service (DOS) attack is underway, one of the first things that the upstream providers will do is to use blackhole routing to protect the rest of the network.

Bottom line: the business about the blackhole filtering seems to be PR spin on Blue Security's part. More as this develops.

Monday, May 08, 2006

Details of Blue Security attack

Last week, spam-fighting service Blue Security was the target of a massive denial-of-service attack. Today, they've posted a detailed timeline of the attack.

Here are the highlights:
  • The attacks are blamed on a Russian spammer known as PharmaMaster.
  • Starting May 1st, extortion emails were sent to as many Blue Frog subscriber emails as the spamming community could find, demanding that subscribers drop Blue Frog. It's not known if PharmaMaster was behind the emails.
  • The next stage of attack was a technique known as "Blackhole Filtering". Blackhole filtering works by programming routers to deliver traffic to the non-existant "Null0" device, causing that traffic to be sent to the proverbial bit bucket. Normally, blackhole filtering is used to protect against a dos attack -- sacrificing traffic to one network block in order to save the rest of the network. In this case, the attacker managed to maliciously reprogram the routers of a major backbone service provider (Blue Security isn't saying which one). This would have required that PharmaMaster have an inside contact at that provider, or have managed to hack in.
  • Blue Security redirected the DNS entry for their home page to their blog page so that customers could get information about what had happened. Forty minutes later, a massive DDOS attack began against the blog, which was hosted by Six Apart. All Six Apart customers are affected by the attack.
  • Blue Security's DNS provider, Tucows is attacked next with another DDoS attack. Tucows caves in and terminates Blue Security's account.
Service was finally restored on May 4th.

The $64 question here is: which Tier 1 ISP was compromised in the attack and how was it done? My money is UUNet, mainly because of this InfoWorld article. Of course, the possibility exists that blackhole filtering isn't involved at all, and that this was an ordinary DDoS attack.

There is a Slashdot discussion which covers the attack in some detail.

Update: Spamhaus.org seems to think that Missouri spammer Christopher J. Brown is involved in the attack.

Saturday, May 06, 2006

Walter Rines also tagged by FTC

In all the excitement about Sanford Wallace nominally being fined by the FTC, I forgot to mention that his sometime partner Walt "Pickle Jar" Rines also made the news. And for nearly the same reasons.

The Register reports that the FTC has obtained a court injunction against Rines and his company Odysseus Marketing over their scumware installations.

Consumers were tricked into downloading software called "Kazanon" which would allow them to use peer-to-peer file sharing software anonymously, but in fact, the software actually hijacked search engine results, putting Rines' clients sites first. The software also captured consumers' personal information including names, addresses, email addresses, phone numbers, internet browsing and shopping history.

The installed trojan, "clientman" then installs other third-party software from other sites, presumably belonging to Rines' clients.

The actual counts against Rines:
  1. The "Kazanon" program doesn't work; it doesn't hide your identity or IP address at all.
  2. Failure to adequately disclose the presense and nature of bundled software
  3. Consumers cannot remove software. When installed, clientman uses stealth as well as patching parts of the actual OS to make it effectively impossible to remove. Rines later added an uninstall program to his web site, but the uninstall program does not un-patch the files that were modified when clientman was installed, nor does it remove the third-party software.
The actual FTC documents can be found at this site. Most are in pdf format.

Like the Sanford Wallace case, this court order seems to have no teeth. There's no kind of punishment involved, and Rines isn't even losing the profits he made from these computer crimes. Here's to hoping that there's more to come in this case.

Thursday, May 04, 2006

Sanford Wallace ordered to pay over $4 million

And the sweetest thing to cross my desk today: TechWeb reports that the FTC has ordered Sanford Wallace to pay back more than $4 million he made from selling fake anti-spyware software.

The scheme, which I first wrote about in 2001, and which was covered in some detail by c|net involved exploiting a security hole in Internet Explorer in order to install spyware on the victim's computer. The program would randomly pop open the computer's CD tray and put a pop-up ad on the screen telling the victim to buy Wallace's product to remove the spyware. In essence, it was a cyber-extortion racket.

More details can be found on the FTC web page.

The final judgement (23 pages, pdf) can be downloaded from the FTC web site.

Highlights from the judgement:
  • Wallace's lawyer quit on October 11, 2005. The court gave Wallace 20 days to get a new lawyer or file a pro se appearance. Wallace did neither and the court entered a default judgement.
  • Co-defendants Jared Lansky and OptinTrade, Inc. are also named for helping Wallace distribute the spyware.
  • Wallace also exploited an IE bug* to change consumer's home page to a malicious page controlled by Wallace that flooded the screen with popup ads and prevented the users from viewing the pages of their choice.
  • Wallace also hijacked users' searches, redirecting them to advertising.
  • Third parties paid Wallace at least $1.6 million to install spyware on victims' computers.
  • OptinTrade and Lansky paid Wallace at least $1.4 million for third-party spyware downloads.
  • Also named as co-defendants: John Robert Martinson, Spy Wiper, Inc., and Spy Deleter, Inc., the authors of the fake anti-spyware software, who paid Wallace a commission on every copy sold. Total commissions were at least $951,135.
  • Wallace is enjoined from entering the spyware business again.
  • The FTC is authorized to monitor Wallace for compliance, up to and including obtaining discovery at any time, inspecting Wallace's business, and interviewing his employees.
OK, here are my questions: Why no jail time? Why did it take over four years for this to happen? What are the chances of the FTC actually collecting any of this money?

World spam news

Finally, the Spam Diaries catches up with world spam news.

Organization for Economic Cooperation and Development (OECD) calls for international cooperation among governments and businesses in the fight against spam.

... And the U.S. Federal Trade commission joins in! We may be at the threshold of true international cooperation in the fight against spam.

Scotsman.com reports that a third of UK companies violate the UK's anti-spam laws.

TheLocal.se reports that three quarters of all email sent to the Swedish parliament is spam. They're working on installing filters, but false positives are a problem, especially for those MPs dealing with health care issues, who often receive legitimate email about drugs from their constituents.

The Register has an interesting article on email authentication and how the idea is gaining momentum.

The Globe and Mail of Canada has an article about the projected next generation of spam, which will be sent from virus-infected computers and be personalized through the email address books on the infected computers. Spam from such zombies would look like legitimate mail from someone the recipient knows. See also VNUNet article for another of many articles on the subject.

IT Wire of Australia declares Beijing the spam-zombie capital of the world.

Sophos has released its latest spam rankings. Not surprisingly, the United States was the worst offender, but China was a very close second place. Third place went to S. Korea, with less than half the spam of China. Read on for more about China's efforts to combat its spam problem.

China seems to be taking the spam issue very seriously now — perhaps too seriously. The new anti-spam law requires that anybody operating an email server must have a license, and that service providers must keep copies of emails for two months. A frightening prospect where human rights are concerned, but I can't help wondering what would happen here in the U.S. if service providers were required to take a little responsibility for what comes out of their servers.

The National Telecommunications Commission of the Philippines has begun a crackdown on cellphone text spam.

The Register speculates that Google's servers have become saturated because of web spam, causing their index to fail to be updated in several weeks. I'm not too sure about this myself; I remember the last time FUD about the Google index was spread, it turned out to be an advertising campaign by a search engine optimization business.

And finally, catching up with today's news, TV NZ reports on strong criticism of New Zealand's anti-spam law. The criticism seems to come from the Retailers Association. Who would have guessed?

Blue Security DOS attack allegedly redirected to Six Apart

According to Q Daily News, in their article The dishonor of Blue Security, Blue Security's answer to the ongoing DOS attack by spammers was to redirect the dns entry for www.bluesecurity.com to their TypePad-hosted bluesecurity.blogs.com. This had the effect of redirecting the dos attack from their own network to that of Six Apart, a service provider which hosts Live Journal and a number of other web sites.

If true, Blue Security has a lot of 'splaining to do.

Update: Blue Security has published details on the attack, and claim that the DDoS attack against Six Apart did not begin until after Blue Security had redirected their DNS.

Wednesday, May 03, 2006

Rumors of Ralsky's arrest may be premature

On Friday, I reported that Alan Ralsky was rumored to have been arrested. Sadly, it seems that the story was a hoax, and has been retracted by ValleyWag. See articles Is the Spam King on the loose? and Spam King probably not arrested.

Labels: ,

Tuesday, May 02, 2006

Blue Security under DDoS attack

In another sign that Blue Security has the spammers very worried, there are reports that Blue Security is under massive DDoS attack right now. More details as they become available, but at the moment, their web site is not reachable. There is a brief report of the attack on Realtech News.

Blue Security "do not email" list obtained by spammers

Background: Blue Security is an anti-spam service which I've written about on previous occasions. In a nutshell, users sign up with the Blue Frog service which publishes a "do not spam" database. If a spammer fails to honor the "do not spam" list, Blue Frog then coordinates a massive complaint campaign (one complaint from each subscriber) against the spammer's web site. John Levine explains that the process is not perfect, in that it requires the spammer to have a web site to complain about (most spammers use throw-away web sites, knowing they'll be closed down soon enough.) However, it's worth pointing out that the complaints are also directed at the spam's sponsors, who do have something at stake in their web site.

Presumably the list was protected in some way which allowed spammers to use it to wash their own lists against it, but which did not allow the spammers to simply obtain the list itself.

However, spammers have apparently obtained the raw list, or at least part of it, and intend to use it to retaliate against Blue Security and its customers.

Anti-spam blogger Richi Jennings has examined the list and determined that it's not complete. The most likely explanation is that a spammer simply compared his own mailing list before and after washing it against the Blue Security database.

One Blue Frog user reports:

So I am a member of BlueFrog and this morning I get a message from a spammer threatening me that if I don’t remove myself from BlueFrog in the next 48-72 hours, they will bombard me with spam…

Sounds to me like they’re running scared. For the past years, spammers have done nothing but ignore any requests to stop…since they can’t ignore BlueFrog, now they’re threatening like a bully in a schoolyard.

I’m staying with BlueFrog…at least it’s seeing results.
Given the vitriol with which spammers are attacking Blue Security, I can only conclude that the system has spammers running scared.

Update: Slashdot has coverage of the issue.

Update: Here is the text of one threatening letter:

To: EMAILADDRESSREMOVED@memphis.edu
Hey,

You are recieving this email because you are a member of BlueSecurity (http://www.bluesecurity.com).

You signed up because you were expecting to recieve a lesser amount of spam, unfortunately, due to the tactics used by BlueSecurity, you will end up recieving this message, or other nonsensical spams 20-40 times more than you would normally.

How do you make it stop?

Simple, in 48 hours, and every 48 hours thereafter, we will run our current list of BlueSecurity subscribers through BlueSecurity's database, if you arent there.. you wont get this again.

We have devised a method to retrieve your address from their database, so by signing up and remaining a BlueSecurity user not only are you opening yourself up for this, you are also potentially verifying your email address through them to even more spammers, and will end up getting up even more spam as an end-result.

By signing up for bluesecurity, you are doing the exact opposite of what you want, so delete your account, and you will stop recieving this.

Why are we doing this?

Its simple, we dont want to, but BlueSecurity is forcing us. We would much rather not waste our resources and send you these useless mails.


Its simple, we dont want to, but BlueSecurity is forcing us. We would much rather not waste our resources and send you these useless mails, but do not believe for one second that we will stop this tirade of emails if you choose to stay with BlueSecurity.
Just remember one thing when you read this, we didnt do this to you, BlueSecurity did.

If BlueSecurity decides to play fair, we will do the same.

Just remove yourself from BlueSecurity, and make it easier on you.

Update: Realtech News also has an article about the attacks.

Yahoo sued over typo-squatting

Yesterday, I reviewed an article from the Washington Post which covered the typo-squatting issue.

Today, in his Security Fix column, Washington Post writer Brian Krebs covers a class-action lawsuit against Yahoo alleging syndication fraud. Related to last month's report of Yahoo and click fraud, the claims are that Yahoo knowingly displays advertisements on typosquatting sites and through spyware.

4. For example, in spite of Defendants' promise and duty not to place ads in pernicious spyware programs, Defendants have done just that, and have charged their advertising customers for every click made on spyware pop-up ads. Defendants have also represented that advertisements would be "highly targeted" when, in fact, Defendants entered into syndication agreements with companies that show random ads that are the opposite of "highly targetd." Defendants have further represented that advertisements would appear in "high quality" substantive sites when, in fact, Defendants and their Syndication Partners ... placed such advertisements in a variety of low-quality sites without bona fide content....

The lawsuit alleges that Yahoo didn't merely fail to prevent abuse by typosquatting sites, but actually knowingly manipulated that system for its own purposes.

20. However, instead of safeguarding against such abuse, finding such practices, and diligently putting a stop to them, Defendants have actually engaged in such abuses. In fact, not only have Defendants turned a blind eye to abuse of their PPC advertising system, but Defendants knowingly have manipulated that system for their own benefit, by increasing the volumne of improper advertising displays during financial reporting periods when Defendants were at risk of failing to meet investor expectations.
For the full story, see Suit Levels Spyware, Typosquatting Allegations at Yahoo. A copy of the lawsuit is available (pdf).