<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet title="XSL formatting" type="text/xsl" href="http://blog.spamtrackers.eu/feed/rss2/xslt" ?><rss version="2.0"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  xmlns:content="http://purl.org/rss/1.0/modules/content/"
  xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
  <title>A Spamtracker's Blog</title>
  <link>http://blog.spamtrackers.eu/</link>
  <atom:link href="http://blog.spamtrackers.eu:82/feed/rss2" rel="self" type="application/rss+xml"/>
  <description></description>
  <language>en</language>
  <pubDate>Wed, 25 Jan 2012 21:04:40 +0100</pubDate>
  <copyright>Please copy and distribute all information presented on this blog</copyright>
  <docs>http://blogs.law.harvard.edu/tech/rss</docs>
  <generator>Dotclear</generator>
  
    
  <item>
    <title>The Harmonious Society</title>
    <link>http://blog.spamtrackers.eu/post/2007/10/22/The-Great-Chinese-Firewall</link>
    <guid isPermaLink="false">urn:md5:bd376be49454828aa69739e9d40292b9</guid>
    <pubDate>Mon, 22 Oct 2007 12:49:00 +0200</pubDate>
    <dc:creator>Ryan</dc:creator>
        <category>Spamtrackers</category>
        <category>DDoS</category><category>dnspod</category>    
    <description>&lt;img src=&quot;http://blog.spamtrackers.eu/public/cpc.jpg&quot; alt=&quot;cpc.jpg&quot; style=&quot;float: left; margin: 0 0 1em 1em;&quot; /&gt; It may come as something of a surprise
to some, but spamtrackers.eu is not visible from China, where it is
blacklisted.&lt;br /&gt;
&lt;br /&gt;
I do not know the reasons for this blacklisting, other than perhaps an
automated rejection based on the 'spammy' content. Indeed, to a robot reading
spamtrackers.eu, the content looks the same as that of all the usual spam and
phishing operations. The difference, of course, is that the spam wiki is there
to present that content and to help the public by analyzing it.&lt;br /&gt;
&lt;br /&gt;
And of course the irony of blacklisting one of the internet's best resources on
spam while leaving thousands of spammers to go about their business does not
go unnoticed. After all, &lt;a href=&quot;http://www.spamhaus.org/statistics/countries.lasso&quot;&gt;according to Spamhaus&lt;/a&gt;,
China is (a distant) second only to the United States in the total number of
spams sent.&lt;br /&gt;    &lt;br /&gt;
This blacklisting of the EU website is what led us to establish connections in
China, notably with the anti-spam ISP &lt;a href=&quot;http://www.dnspod.net&quot;&gt;DNSPOD&lt;/a&gt;. By having a separate website and network of
concerned citizens who fight back against spam in China, the idea was that we
could ensure that our research and public safety documents could also benefit
the Chinese people.&lt;br /&gt;
&lt;br /&gt;
But, as many have noted, spamtrackers.hk is currently offline.&lt;br /&gt;
&lt;em&gt;[Edit: As of Tuesday, the 23rd of October, the site is back online,
following the conclusion of the congress]&lt;/em&gt;&lt;br /&gt;
&lt;br /&gt;
There is a DDoS attack ongoing against &lt;a href=&quot;http://www.dnspod.com&quot;&gt;DNSPOD&lt;/a&gt;, but this is only affecting a couple of the
nameservers. The ability of DNSPOD to securely maintain their service and thus
the resolution of their customers using DNSPOD nameservers should be
applauded.&lt;br /&gt;
&lt;br /&gt;
However, it is not the DDoS attack that has brought down spamtrackers.hk. This
has been assured by the state authorities, which have shut down the server
(and many others) to help create a 'harmonious society' in anticipation of the
&lt;a href=&quot;http://www.chinaview.cn/17thcpc&quot;&gt;17th CPC National Congress&lt;/a&gt;
(&lt;a href=&quot;http://en.wikipedia.org/wiki/Seventeenth_National_Congress_of_the_Communist_Party_of_China&quot;&gt;what's
that?&lt;/a&gt;).&lt;br /&gt;
&lt;br /&gt;
Hopefully, once this congress is over, the server will be re-opened and
thus allow Spamtrackers to help end spam in and originating from China. This
would indeed help create a more harmonious society.&lt;br /&gt;
&lt;br /&gt;
&lt;h2&gt;Related reading:&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://chinadigitaltimes.net/2007/10/internet_ban_is_clue_to_chinas_new_leaders_jane_macartn.php&quot;&gt;
China Digital Times&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Associated Press: &lt;a href=&quot;http://www.technologyreview.com/Wire/19573/&quot;&gt;China's Internet controls
tightened ahead of sensitive political congress&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;...&lt;/li&gt;
&lt;/ul&gt;</description>
    
    
    
          <comments>http://blog.spamtrackers.eu/post/2007/10/22/The-Great-Chinese-Firewall#comment-form</comments>
      <wfw:comment>http://blog.spamtrackers.eu/post/2007/10/22/The-Great-Chinese-Firewall#comment-form</wfw:comment>
      <wfw:commentRss>http://blog.spamtrackers.eu/feed/atom/comments/166339</wfw:commentRss>
      </item>
    
  <item>
    <title>DNSPOD joins the fight against spam</title>
    <link>http://blog.spamtrackers.eu/post/2007/09/15/DNSPOD-joins-the-fight-against-spam</link>
    <guid isPermaLink="false">urn:md5:1aaaedcd4595134bd187dffcc11d5135</guid>
    <pubDate>Sat, 15 Sep 2007 12:51:00 +0200</pubDate>
    <dc:creator>Ryan</dc:creator>
        <category>dnspod</category>    
    <description>&lt;img src=&quot;http://blog.spamtrackers.eu/public/dnspod.jpg&quot; alt=&quot;DNSPOD Logo&quot; style=&quot;float: left; margin: 0 1em 1em 0;&quot; /&gt;&lt;a href=&quot;http://www.dnspod.net/&quot;&gt;DNSPOD&lt;/a&gt; (newsgroup, view &lt;a href=&quot;http://www.webhosting.info/webhosts/reports/total_domains/DNSPOD.NET&quot;&gt;report&lt;/a&gt;)
has teamed up with Spamtrackers to bring the power of spam education to the
Asian continent. By agreeing to host and provide DNS services to spamtrackers
in China (TBA), DNSPOD has demonstrated that they are one of those rare ethical
ISPs that care not only about making a profit, but also about making the internet a
safer and more pleasant place for all.    &lt;br /&gt;
We have been watching DNSPOD for a while, beginning in April 2007, when we
posted &lt;a href=&quot;http://blog.spamtrackers.eu/post/2007/04/30/DNSPODNET%3A-anonymous-name-server&quot;&gt;this
article&lt;/a&gt;. At that time, spammers had just discovered this service, and were
beginning to abuse it. But the founder of DNSPOD was quick to react, by
reworking the account creation interface and making it impossible to create
accounts anonymously, as had previously been possible. They also added
stricter rules that clearly state that they will suspend any fraudulent
account.&lt;br /&gt;
&lt;br /&gt;
The result is that DNSPOD's excellent services have only continued to improve,
and so too has the quality of their customers. Like the French 'activist'
registrar &lt;a href=&quot;http://www.gandi.net/&quot;&gt;GANDI.NET&lt;/a&gt; (&lt;a href=&quot;http://www.gandi.net/supports/&quot;&gt;registrar, and relay host of Spamhaus&lt;/a&gt;),
and the Hong Kong registry &lt;a href=&quot;https://www.hkdnr.hk/&quot;&gt;HKDNR&lt;/a&gt; (&lt;a href=&quot;https://www.hkdnr.hk/company_info/events_news.jsp?item=34&quot;&gt;who have recently
finished removing &lt;strong&gt;all&lt;/strong&gt; spamvertized domains from their
database&lt;/a&gt;), &lt;a href=&quot;http://www.dnspod.net/&quot;&gt;DNSPOD&lt;/a&gt; has decided to take
a moral and technical stand in the fight against spam and internet abuse and
join the small but growing number of ethical ISPs.&lt;br /&gt;
&lt;br /&gt;
When asked why he would take a stance against spammers by not allowing them to
use their DNS services, the founder of DNSPOD, HongShen Wu, says that '&lt;em&gt;90%
of the e-mails I receive each day are spam. So as it is, I hate
spammers&lt;/em&gt;'.&lt;br /&gt;
&lt;br /&gt;
Besides the issue that creates a bond between all internet users (the massive
amount of junk mail that contaminates our inboxes), Mr. Wu mentions the very real
problem of spam from the ISP end. According to Mr. Wu, '&lt;em&gt;Spammers cost a
large amount of system resources and make servers unstable. Perhaps the most
significant technical problem is that their use perturbs the proper functioning
of our legal users' domains, so that they don't operate correctly - functions
like MX records&lt;/em&gt;'.&lt;br /&gt;
&lt;br /&gt;
Just like GANDI and HKDNR, DNSPOD could have gone either way. In the end,
however, they made the good decision to go &lt;a href=&quot;http://spamtrackers.eu/wiki/index.php?title=Whitehat&quot;&gt;whitehat&lt;/a&gt; and to do
what is right. DNSPOD's founder believes in building communities and supporting
them when he can. For these reasons, Spamtrackers is happy to have chosen them
as a partner in our fight against spam.&lt;br /&gt;
&lt;br /&gt;
It's only a matter of time before other ISPs realize that being ethical is not
only good for the community, it is good for business...</description>
    
    
    
          <comments>http://blog.spamtrackers.eu/post/2007/09/15/DNSPOD-joins-the-fight-against-spam#comment-form</comments>
      <wfw:comment>http://blog.spamtrackers.eu/post/2007/09/15/DNSPOD-joins-the-fight-against-spam#comment-form</wfw:comment>
      <wfw:commentRss>http://blog.spamtrackers.eu/feed/atom/comments/155842</wfw:commentRss>
      </item>
    
  <item>
    <title>Whois Field Trip Investigations</title>
    <link>http://blog.spamtrackers.eu/post/2007/09/01/Whois-Field-Trip-Investigations</link>
    <guid isPermaLink="false">urn:md5:639abdd29bbf85903b3221ae81548905</guid>
    <pubDate>Sat, 01 Sep 2007 09:40:00 +0200</pubDate>
    <dc:creator>Ryan</dc:creator>
            
    <description>&lt;img src=&quot;http://blog.spamtrackers.eu/public/ruemiollis.jpg&quot; alt=&quot;ruemiollis.jpg&quot; style=&quot;float: left; margin: 0 1em 1em 0;&quot; /&gt;The most interesting part of
investigating any abuse claim is looking at the Whois information. While
registrars can suspend domains if they are used for spamming, botnets, etc.,
there is of course the stage where the registrant details are examined for
accuracy. Sometimes the information is random, sometimes hilarious, but other
times it is stolen from real people, or made to look genuine (&lt;a href=&quot;http://spamtrackers.eu/wiki/index.php?title=Category:Spammer_issues#Anonymous_whois_info&quot;&gt;see
the wiki about this&lt;/a&gt;). When this is the case, it is often best to contact
someone in the area and have them investigate, or go there yourself. Here is a
story sent to Spamtrackers by &lt;a href=&quot;http://www.gandi.net&quot;&gt;Gandi.net&lt;/a&gt;'s
Abuse Department:    &lt;br /&gt;
&lt;br /&gt;
I take great pleasure in investigating whois information when it appears to be
correct, because other than being a challenge, it means that there is also the
possibility of involving law enforcement.&lt;br /&gt;
&lt;br /&gt;
Sometimes it so happens that a spammer uses an address in France, which to
Gandi's abuse department means one thing: field trip!&lt;br /&gt;
&lt;br /&gt;
Going to the registrant address as listed in the whois to verify its validity
is always interesting because you are never sure just what the
story will be at the end of the day. Riding the public transportation on the
way to the listed address, we talk about ordinary things: &amp;quot;what is better,
plasma or LCD?&amp;quot;, &amp;quot;...I used to get off at this stop for practice&amp;quot;, etc.
Invariably though, as we near the final stop, someone takes out the file and
flips through the printouts, reading out loud the incredible aspects of the
spam.&lt;br /&gt;
&lt;br /&gt;
After arriving at the destination of the registrant, there are only two things
that will happen: the address is fake, or stolen. A criminal never gives his
real address, because he would be arrested before our whois team would
arrive.&lt;br /&gt;
&lt;br /&gt;
Once, we arrived at the address, and called the number from a public pay phone
just outside the front door. In that case, the person used his parents'
address! It was oh so very tempting to tell his folks just what activities
their nice little son was involved with these days....&lt;br /&gt;
&lt;br /&gt;
But usually, the address is simply false - like the &lt;a href=&quot;http://spamtrackers.eu/wiki/index.php?title=Reliable_Pharmacy#Registrant&quot;&gt;recent
case of Reliable Pharmacy&lt;/a&gt; - which does not exist. In such instances, I make
it a point of interviewing local residents to see what they have to say about
the case, or to confirm that the address and registrant are indeed incorrect.
It is not only a way to assure that the whois information is deliberately
false, but also a nice way to meet new people in a neighbourhood that I would
otherwise never visit, and to hear people's stories...&lt;br /&gt;
&lt;br /&gt;
Going out on field investigations like this is a nice experience for abuse
teams as it puts a real face on the problem of spam. Actually meeting someone
that has been listed as the registrant of a pharmacy spam domain by having
their information stolen, or seeing that the address listed for a pharmacy is
actually a take-out pizza joint is the best way to keep it real for the
team.&lt;br /&gt;
&lt;br /&gt;
Spam is not just a technical problem - there is a real human behind the
operation, and real people are involved. I recommend all abuse departments to
go on Whois field trips as often as possible - it helps remind us that behind
the cat-and-mouse game between spammers and registrars is real criminal
activity, in the real world, involving real people - not just IP
addresses.&lt;br /&gt;
&lt;br /&gt;
You might even solve the problem of LCD versus plasma... ;)</description>
    
    
    
          <comments>http://blog.spamtrackers.eu/post/2007/09/01/Whois-Field-Trip-Investigations#comment-form</comments>
      <wfw:comment>http://blog.spamtrackers.eu/post/2007/09/01/Whois-Field-Trip-Investigations#comment-form</wfw:comment>
      <wfw:commentRss>http://blog.spamtrackers.eu/feed/atom/comments/151137</wfw:commentRss>
      </item>
    
  <item>
    <title>Spam-Court.com - spreading the wealth.</title>
    <link>http://blog.spamtrackers.eu/post/2007/05/12/Spam-Courtcom-spreading-the-wealth</link>
    <guid isPermaLink="false">urn:md5:424354f39e489063b5fa2c221eb61e58</guid>
    <pubDate>Sat, 12 May 2007 21:43:00 +0200</pubDate>
    <dc:creator>Spamtracker</dc:creator>
            
    <description>&lt;p&gt;This is the first of what may become numerous postings regarding the recent
threats made against spam-court.com. While this particular blog might not have
as wide a readership as spam-court does, I still intend to try backing up a lot
of the research that the owner and operator of that site has made over the past
several months.&lt;/p&gt;    &lt;p&gt;As many of you may be aware, spam-court.com recently came under threat from one
well-known illegal spammer using the pseudonym &amp;quot;Nick Danger.&amp;quot; He has also
previously put the call out to other spammers - publicly, on bulkerforum - to
attack or &amp;quot;shut down&amp;quot; spam-court.com. That posting was later completely
removed, showing either a need to cover their tracks or a wish not to draw any
legal heat to bulkerforum.biz.&lt;/p&gt;
&lt;p&gt;I intend to include as many postings as time will allow me to back up. I'll
start with the most recent ones first, and try my best to grab the older ones
as I go. Much of it is interesting reading even if it only hints at far more
expository information.&lt;/p&gt;
&lt;p&gt;Since that blog was written in English only, I will only be posting in
English. Anyone who wants to perform translations into other languages is
welcome to do so.&lt;/p&gt;
&lt;p&gt;Before continuing I thought it was worth mentioning that there is no doubt
in anyone's mind, including that of several legal personnel I have shown this
evidence to, that bulkerforum.biz is a forum which is very clearly designed to
discuss and plan all sorts of illegal activity, and which any individual could
choose to join and monitor over time to draw the same conclusions. As we speak,
several publicly-posted threads discuss the following topics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Theft of computer services from the general public via hacking&lt;/li&gt;
&lt;li&gt;Spam and stock market manipulation, and how to do all of these acts
undetected.&lt;/li&gt;
&lt;li&gt;Theft of personal data and identity on a massive scale&lt;/li&gt;
&lt;li&gt;Sale and trading of lists of personal data for people who absolutely did
not want to hear from any of these spammers, or the spammers who subsequently
received or purchased those lists.&lt;/li&gt;
&lt;li&gt;Abuse of the identity of homeless people in numerous states, used as
&amp;quot;straw man&amp;quot; identities while registering illegal businesses or other
entities.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The operators of bulkerforum.biz naturally do not want that information to
be broadcast anywhere but their precious forum, and claim that they will strike
down any entity which does so, either via DDOS'ing the servers which do so, or
via what appear to be frivolous lawsuits, as is the case with spam-court.com.
For this reason, I feel it is crucial to continue to spread the word about all
of their planned illegal acts, and to continue the hunt for the actual
identities of all involved, as spam-court has done.&lt;/p&gt;
&lt;p&gt;Thanx for reading. The first backup posts will appear shortly.&lt;/p&gt;
&lt;p&gt;SiL&lt;/p&gt;</description>
    
    
    
          <comments>http://blog.spamtrackers.eu/post/2007/05/12/Spam-Courtcom-spreading-the-wealth#comment-form</comments>
      <wfw:comment>http://blog.spamtrackers.eu/post/2007/05/12/Spam-Courtcom-spreading-the-wealth#comment-form</wfw:comment>
      <wfw:commentRss>http://blog.spamtrackers.eu/feed/atom/comments/111538</wfw:commentRss>
      </item>
    
  <item>
    <title>Bulker art?</title>
    <link>http://blog.spamtrackers.eu/post/2007/05/11/Bulker-art</link>
    <guid isPermaLink="false">urn:md5:4a27379c3865c3df16bed5234c6e3650</guid>
    <pubDate>Fri, 11 May 2007 07:40:00 +0200</pubDate>
    <dc:creator>Ryan</dc:creator>
        <category>Spam Genres</category>
        <category>Bulker art</category>    
    <description>It is evident that I did not subscribe to any mailing list, click any radio
button, or fill out any form that granted any individual(s), companies, or
non-profit organisations the right to send me adverts via e-mail. This has not
stopped the 1000+ UBE that I receive per day, however - some in languages I
cannot readily identify, or that cannot even be rendered correctly by my
e-mail client.&lt;br /&gt;
&lt;br /&gt;
This being said, aside from the usual mass e-mail templates, I saw one the
other day that caught my attention, because it was actually ... well ...
creative in a bulk e-mailer sort of way.&lt;br /&gt;    &lt;img src=&quot;http://blog.spamtrackers.eu/public/bulkerart.gif&quot; alt=&quot;bulkerart.gif&quot; style=&quot;margin: 0 auto; display: block;&quot; /&gt;&lt;br /&gt;
Who would have thought: ASCII art!&lt;br /&gt;
&lt;br /&gt;
Of course one wonders why so many people who see such a mail would believe that
the above-mentioned drugs are actually being sold and proceed to give the
anonymous enterprise their credit card information for a purchase; and yet
such is the case.&lt;br /&gt;
&lt;br /&gt;
The interesting aspect of this e-mail message is that it stands in testimony
to:&lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;the reactive nature of e-mail filters: e-mail filters are created in
response to bulk e-mailer innovations in circumventing such filters. For example,
one now needs to consider the possibility of filtering out ASCII art that
spells out keywords...&lt;/li&gt;
&lt;li&gt;the effectiveness of e-mail filters: bulk e-mailers must go to great
lengths to ensure that their message arrives in as many in-boxes in their lists
as possible.&lt;/li&gt;
&lt;li&gt;the ineffectiveness of e-mail filters: I don't need the above-mentioned
drugs, and most certainly did not request any adverts for such. The very fact
that I was allowed to view this e-mail implies a failure in the system.&lt;/li&gt;
&lt;/ul&gt;
I take my hat off to the creativity of the person behind the idea of ASCII
art as a medium for spam - while at the same time I am absolutely enraged that
it has allowed the message to appear in my in-box.&lt;br /&gt;
&lt;br /&gt;
I find it reprehensible that such a creative person devoted time to furthering
the cause of spam, and I can only hope that he or she will find a better use of
their talent in the future.</description>
    
    
    
          <comments>http://blog.spamtrackers.eu/post/2007/05/11/Bulker-art#comment-form</comments>
      <wfw:comment>http://blog.spamtrackers.eu/post/2007/05/11/Bulker-art#comment-form</wfw:comment>
      <wfw:commentRss>http://blog.spamtrackers.eu/feed/atom/comments/110781</wfw:commentRss>
      </item>
    
  <item>
    <title>DNSPOD.NET: anonymous name server</title>
    <link>http://blog.spamtrackers.eu/post/2007/04/30/DNSPODNET%3A-anonymous-name-server</link>
    <guid isPermaLink="false">urn:md5:e192b9086a7f8ad1032200aea3053586</guid>
    <pubDate>Mon, 30 Apr 2007 19:43:00 +0200</pubDate>
    <dc:creator>Ryan</dc:creator>
        <category>Technical</category>
            
    <description>&lt;p&gt;There is a new DNS service that has just appeared on the market called
DNSPOD.NET. The concept is actually quite interesting, both on a service level
and on a technical level. Dnspod.net allows anyone to use their name servers
for their domain name, for free.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, their service has come under attack by spammers who use their
name servers to service spamvertised domains.&lt;br /&gt;&lt;/p&gt;    &lt;h2&gt;Description of my dnspod.net experience&lt;/h2&gt;
&lt;p&gt;&lt;br /&gt;
At first, the interface - all in Chinese - is unsettling. This being said, with
the help of an online translator I was able to set up an account in just a
minute or two and apply the DNS to one of my domains.&lt;br /&gt;
&lt;br /&gt;
In wanting to see if I could remain anonymous, I entered false information into
every box. This was not a problem. I was then given a box in which to enter my
domain - afterwards I was given access to the zone file editor.&lt;br /&gt;
&lt;br /&gt;
You are only given a choice between the following record types: A, CNAME and
MX, so it is definitely targeting the most basic services, but these are
enough to allow a spamvertised domain to be visible on the web. All the record
specifications were made via drop-down menus, and so I did not need to enter
records manually using BIND syntax.&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;
&lt;h2&gt;Examples of spamvertized domains using dnspod.net&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;buyvista2007cheap.biz&lt;/li&gt;
&lt;li&gt;office2007buynow.info&lt;/li&gt;
&lt;li&gt;softwaresmarket.info&lt;/li&gt;
&lt;li&gt;vista-enterprise.info&lt;/li&gt;
&lt;li&gt;alline1cdssoftwares.biz&lt;/li&gt;
&lt;li&gt;trackerronline.com&lt;/li&gt;
&lt;li&gt;bluetechriver.com&lt;/li&gt;
&lt;li&gt;mysoftwarehouse.biz&lt;/li&gt;
&lt;li&gt;bestsoftwaresforyou.biz&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;It appears that the &amp;quot;Cheap Software &amp;amp; OEM Cds&amp;quot; sponsor considers
DNSPOD.NET to be a free bullet-proof nameserver.&lt;/p&gt;</description>
    
    
    
          <comments>http://blog.spamtrackers.eu/post/2007/04/30/DNSPODNET%3A-anonymous-name-server#comment-form</comments>
      <wfw:comment>http://blog.spamtrackers.eu/post/2007/04/30/DNSPODNET%3A-anonymous-name-server#comment-form</wfw:comment>
      <wfw:commentRss>http://blog.spamtrackers.eu/feed/atom/comments/105948</wfw:commentRss>
      </item>
    
  <item>
    <title>MySpace Phishing</title>
    <link>http://blog.spamtrackers.eu/post/2007/03/19/MySpace-Phishing-Schemes</link>
    <guid isPermaLink="false">urn:md5:1753d5e3249ae97c06e6a8b6c0b7d310</guid>
    <pubDate>Mon, 19 Mar 2007 05:49:00 +0100</pubDate>
    <dc:creator>Ryan</dc:creator>
        <category>My Space</category>
        <category>MySpace</category><category>Phishing</category>    
    <description>&lt;p&gt;We have all begun to notice MySpace.com &lt;a href=&quot;http://www.spamtrackers.eu/wiki/index.php?title=Phishing&quot;&gt;phishing&lt;/a&gt; schemes
these days, whether &lt;a href=&quot;http://news.com.com/2100-1025_3-6153607.html&quot;&gt;in
the news&lt;/a&gt; or as spam in our mailboxes. What is noteworthy about the MySpace
phishing fraud is the relative ease with which phishers manage to get
users/victims' login codes.&lt;/p&gt;
&lt;p&gt;This is due to human factors, and not any technological default on the part
of MySpace. Indeed, Myspace phishing schemes are successful for the same reason
as other forms of fraud: victims honestly believe that they are providing their
information to the legitimate website.&lt;/p&gt;
&lt;p&gt;This entry explores one type of MySpace phishing in detail, with the hope
of bringing the topic of phishing to the forefront of spamtrackers.eu.
Today's topic: MySpace phishing, how it works, and what can be done about
it.&lt;/p&gt;    &lt;p&gt;&lt;a href=&quot;http://en.wikipedia.org/wiki/MySpace&quot;&gt;MySpace&lt;/a&gt; is particularly
vulnerable to phishing since their users are likely to be less cautious about
logging in to a MySpace account than someone whose intention is to log into
their personal bank account, thus making them easier victims.&lt;/p&gt;
&lt;p&gt;Additionally, given the broad range of socio-economic profiles that use
MySpace services (a user can be as young as 14), there is a significant
percentage of MySpace users that are unaware of the problems of phishing, how
to detect it, or that may not have much knowledge about internet safety.&lt;/p&gt;
&lt;p&gt;The scheme described below is one of many different types, though one that
appears to be on the rise. A special myspace.com phishing awareness page will
soon be added to the SpamWiki detailing the numerous known phishing
schemes.&lt;/p&gt;
&lt;h2&gt;How this scam works:&lt;/h2&gt;
&lt;h3&gt;Step 1. Setting up the fake login page&lt;/h3&gt;
&lt;p&gt;The phisher registers a &lt;a href=&quot;http://www.spamtrackers.eu/wiki/index.php?title=Domain_name&quot;&gt;domain name&lt;/a&gt;
at a &lt;a href=&quot;http://www.spamtrackers.eu/wiki/index.php?title=Registrar&quot;&gt;domain
name registrar&lt;/a&gt; that he or she believes will be slow to reply to an abuse
complaint. The domain name they register will resemble a random string of
characters, such as a12e53cE.com.&lt;/p&gt;
&lt;p&gt;Then, the phisher creates a masked web forwarding address for the domain
name that is based on a subdomain or a catch-all. This way, when one visits any
URL under the domain name that was just created, they will be forwarded to
another website (where the actual identity theft will occur).&lt;/p&gt;
&lt;p&gt;For example, to an inattentive user, the following link may appear to be a
legitimate MySpace login page, especially since in the URL address bar of the
web browser only the first half may be visible:&lt;/p&gt;
&lt;pre&gt;
http://login.myspace.cfm.fuseaction.splash.mytoken.76701a26.da3e.44a3.a17b.76701.a17b.959e3c5a151271a26.da3e.44a376701.a12e53cE.com
&lt;/pre&gt;
&lt;p&gt;However, as you can see, the above link really belongs to the phishing
domain, a12e53cE.com, and has nothing whatsoever to do with myspace.com. This
is because the host part of a URL is read from right to left: the registered
domain comes last, and everything to its left is merely a subdomain of it. The
phisher is counting on the victim not knowing this.&lt;br /&gt;&lt;/p&gt;
&lt;h3&gt;Step 2. Forwarding to the site where the victim's information is
stolen&lt;/h3&gt;
&lt;p&gt;Presently, the domain name, &lt;a href=&quot;http://www.dnsstuff.com/tools/whois.ch?ip=loginmyspaceses.com&quot;&gt;loginmyspaceses.com&lt;/a&gt;
(registered at &lt;a href=&quot;http://www.spamtrackers.eu/wiki/index.php?title=Beijing_Innovative&quot;&gt;Beijing
Innovative&lt;/a&gt;, or another similar domain such as &lt;a href=&quot;http://www.dnsstuff.com/tools/whois.ch?ip=myispaceses.com&quot;&gt;myispaceses.com&lt;/a&gt;)
is used for a phishing &lt;a href=&quot;http://www.spamtrackers.eu/wiki/index.php?title=Botnet&quot;&gt;botnet&lt;/a&gt; against the
website myspace.com. Its present nameservers are:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;ns5.sweeuetharts.net&lt;br /&gt;
ns3.sweeuetharts.net&lt;br /&gt;
ns2.sweeuetharts.net&lt;br /&gt;
ns1.sweeuetharts.net&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;em&gt;NOTE: All of the above nameservers have had their glue records erased by
&lt;a href=&quot;http://www.spamtrackers.eu/wiki/index.php?title=GANDI&quot;&gt;Gandi&lt;/a&gt; by
having them set to the &lt;a href=&quot;http://www.spamtrackers.eu/wiki/index.php?title=Black_hole&quot;&gt;black hole IP&lt;/a&gt;
of 217.70.185.0, thus rendering the DNS inactive. As long as
loginmyspaceses.com uses these nameservers, the domain cannot be used.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Nameservers used for this 'root' domain often involve a set of 5 &lt;a href=&quot;http://www.spamtrackers.eu/wiki/index.php?title=Round_robin&quot;&gt;round-robin&lt;/a&gt;
nameservers, with a spelling that often has repeated vowels or consonants, such
as the now suspended apppplepieee.net.&lt;/p&gt;
&lt;p&gt;When forwarded to this website, the user will still see the original URL in
the bar (if they arrived via masked forwarding) and yet the user will see the
content of the new website (see a &lt;a href=&quot;http://www.spamtrackers.eu/refdocs/phishlogin1.txt&quot;&gt;sample website connection
activity log&lt;/a&gt;). From this page, all the links will take the user to the real
MySpace.com website, and so the user/victim would never know that he or she was
on a fake website.&lt;br /&gt;&lt;/p&gt;
&lt;h3&gt;Step 3. Stealing the user's login codes&lt;/h3&gt;
&lt;p&gt;The actual theft occurs when the user enters his or her login codes in the
fake MySpace login area on this page. There will be a fake login area that
looks nearly identical to the authentic one:&lt;/p&gt;
&lt;p&gt;&lt;img src=&quot;http://blog.spamtrackers.eu/public/MySpace/fake30loginarea.gif&quot; alt=&quot;Fake MySpace login&quot; style=&quot;display:block; margin:0 auto;&quot; /&gt;&lt;/p&gt;
&lt;p&gt;When the user posts the data (see &lt;a href=&quot;http://www.spamtrackers.eu/refdocs/phishlogin2.txt&quot;&gt;activity log&lt;/a&gt;), one
copy is sent to the phisher, and another copy is sent to myspace.com, where the
user will continue to use their service as normal.&lt;/p&gt;
&lt;p&gt;Because the code on the phishing website (e.g. loginmyspaceses.com) will post
the login data to the real MySpace website as well, the user will successfully
log into the real website, thus never being aware that he or she was on a fake
site, and had personal information stolen.&lt;br /&gt;&lt;/p&gt;
&lt;h3&gt;Conclusion:&lt;/h3&gt;
&lt;p&gt;While the example discussed here pertains to MySpace phishing, it is equally
applicable to any other website that asks users to enter their login codes
before accessing their personal content or area. It is especially effective
with MySpace users, however, given the large percentage of their customers who
are not well-versed in internet safety.&lt;/p&gt;
&lt;p&gt;While the MySpace codes themselves may not be of great interest to the
phishers, many people use the same codes and passwords for creating eBay or
PayPal accounts, etc., which are indeed of interest to the phisher.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;To successfully shut down such a scheme requires a combination of
items:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Education: It is imperative that all users of the internet at least become
suspicious of phishing, and at best know how to identify it.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Users must know how to clearly identify that they are logging into the
authentic MySpace website, and not a fake. There is a very educative site for
MySpace phishing at the &lt;a href=&quot;http://spamhuntress.com/&quot;&gt;Spamhuntress&lt;/a&gt;
blog.&lt;/p&gt;
&lt;p&gt;On the subject of user education, it is important that users of these
services choose passwords that are not the same as ones used for other
services, such as a MySpace password that is the same as a Hotmail or
Gmail password. Knowing the email account given on a MySpace page, it is
logical to assume the hacker will attempt to log into that account with the
phished password to search for banking and personal emails that may lead to
more valuable logons.&lt;/p&gt;
&lt;p&gt;Additionally, there are plug-ins to browsers that can warn users about this
type of forwarding and provide increased security by restricting certain sites
and scripting. For example:&lt;/p&gt;
&lt;h4&gt;IE 6 and 7:&lt;/h4&gt;
&lt;p&gt;Built-in phishing filter (I don't use IE myself)&lt;/p&gt;
&lt;h4&gt;Both IE and Firefox:&lt;/h4&gt;
&lt;p&gt;McAfee SiteAdvisor plugin.&lt;br /&gt;
Spybot Search and Destroy provides a list of unsafe sites for installation in
the Windows restricted sites zone.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://spamtrackers.eu/forum/viewforum.php?f=2&quot;&gt;Complaining to
registrars&lt;/a&gt;: In the phishing scheme described in this blog entry, there are
possibly four different registrars that can be contacted to file an abuse
complaint:&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;1. The registrar of the phishing website (ex. loginmyspaceses.com)&lt;br /&gt;
2. The registrar of the nameservers for the phishing website&lt;br /&gt;
3. The registrar of the domain used to forward to the phishing website&lt;br /&gt;
4. The registrar of the nameservers for the forwarding website&lt;br /&gt;&lt;/p&gt;
&lt;p&gt;The successful shutting-down of any of the above domains will cause a
disruption in the phishing scheme. The most effective suspension would be of
the phishing website (1) as that would render all the other domains inactive.
Shutting down the nameservers of the phishing domain will temporarily take the
phishing website offline until its DNS records are changed.&lt;/p&gt;
&lt;p&gt;This being said, shutting down the forwarding domain will only close one
&amp;quot;branch&amp;quot; of the phishing scheme (there may be hundreds), and while less
effective, is nevertheless important - especially if the registrar that
sponsors the phishing domain is unresponsive to complaints.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Improved security on the MySpace website. MySpace and other sites could
improve security by using cookies and variable questions, or even prompts set
by the user. Requiring a user name, password, and security question would
thwart the phisher.&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;http://spamtrackers.eu/forum/viewforum.php?f=3&quot;&gt;Complaining to the
web host&lt;/a&gt; of the phishing website. Since the phishing site is using
copyrighted material for illicit use, they may be brought to task for copyright
infringement.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;em&gt;If you spot any MySpace phishing schemes that are different than the one
described above, please send a full description of it (be sure to include all
URLs and headers) to: myspace(-at-)spamtrackers.eu, or post a description of it
in the spamtrackers' forum, &lt;a href=&quot;http://spamtrackers.eu/forum/viewtopic.php?t=14&quot;&gt;here&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Forseti and DougW contributed to this article. Special thanks to Jane.&lt;/p&gt;</description>
    
    
    
          <comments>http://blog.spamtrackers.eu/post/2007/03/19/MySpace-Phishing-Schemes#comment-form</comments>
      <wfw:comment>http://blog.spamtrackers.eu/post/2007/03/19/MySpace-Phishing-Schemes#comment-form</wfw:comment>
      <wfw:commentRss>http://blog.spamtrackers.eu/feed/atom/comments/89523</wfw:commentRss>
      </item>
    
  <item>
    <title>Creation of the Spamtracker's Blog</title>
    <link>http://blog.spamtrackers.eu/post/2007/02/17/Creation-of-the-Spamtrackers-Blog</link>
    <guid isPermaLink="false">urn:md5:31d9429bb0594195ad3d45506447d808</guid>
    <pubDate>Sat, 17 Feb 2007 14:37:00 +0100</pubDate>
    <dc:creator>Ryan</dc:creator>
        <category>Spamtrackers</category>
            
    <description>&lt;p&gt;Spamtrackers.eu is a resource center that is devoted to educating e-mail and
internet users about spam and the misuse of the internet.&lt;/p&gt;    &lt;p&gt;Created and maintained as a combined volunteer effort of respected members
of the IT community, the information found on this site may be considered as
authoritative.&lt;br /&gt;
&lt;br /&gt;
In the same tradition as open-source software, content on spamtrackers.eu is
the result of the cooperation of all its contributors. Consequently, this site
is constantly kept up-to-date, and its articles cannot by definition be biased
towards the views of only one individual. Nonetheless, in the event that you
spot information that you feel is inaccurate or biased, please feel free to
notify the administrator at admin(at)spamtrackers.eu.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;To assure the authority of the information provided in the &lt;a href=&quot;http://www.spamtrackers.eu/wiki&quot;&gt;SpamWiki&lt;/a&gt; and other annexed resources of
spamtrackers.eu, contribution from the general public has not been enabled. We
have therefore created this space for you, as a place for discussion, as a
space for you to post your own comments, and a way for you to bring errors or
omissions to our attention.&lt;/em&gt;&lt;br /&gt;
&lt;br /&gt;&lt;/p&gt;</description>
    
    
    
          <comments>http://blog.spamtrackers.eu/post/2007/02/17/Creation-of-the-Spamtrackers-Blog#comment-form</comments>
      <wfw:comment>http://blog.spamtrackers.eu/post/2007/02/17/Creation-of-the-Spamtrackers-Blog#comment-form</wfw:comment>
      <wfw:commentRss>http://blog.spamtrackers.eu/feed/atom/comments/80835</wfw:commentRss>
      </item>
    
</channel>
</rss>
