Full Version: My "Canadian" Pharmacy
Paranoid2000
Been getting "My Canadian Pharmacy" spams for a while but for the past week or so, the domain lookup has always failed with SpamCop (example 1, 2, 3, 4). Other domain lookup services work so it would appear that this hard-core spammer (who breaks into other servers to use them for image hosting) has been able to block queries from SpamCop.

This doesn't prevent manual lookup and reporting of course, but ISPs that choose to host this site deserve to be flooded out of existence with complaints.
kevinw
I've seen the same thing. I don't believe it would be that difficult to resolve addresses through other domains. What's the best way to ask SpamCop to look into this problem?
Wazoo
08/16/06 01:08:42 dns ecolwont.com
Canonical name: ecolwont.com
Addresses:
63.218.103.8

08/16/06 01:09:03 Slow traceroute ecolwont.com
Trace ecolwont.com (63.218.103.8) ...

http://www.dnsreport.com/tools/dnsreport.c...in=ecolwont.com
Note all the Failures and Warnings .....

08/16/06 01:13:26 Browsing http://ecolwont.com/
Fetching http://ecolwont.com/ ...
GET / HTTP/1.1
Host: ecolwont.com
Connection: close

absolutely nothing returned

08/16/06 01:15:30 Browsing http://bjpskl.ecolwont.com
Fetching http://bjpskl.ecolwont.com/ ...
GET / HTTP/1.1
Host: bjpskl.ecolwont.com
Connection: close
Socket Error

wants to play dead, assumedly as the "unique key" wasn't also passed in the browser request ....
rusticdog
QUOTE(Paranoid2000 @ Aug 14 2006, 08:14 PM) *
Been getting "My Canadian Pharmacy" spams for a while but for the past week or so, the domain lookup has always failed with SpamCop (example 1, 2, 3, 4). Other domain lookup services work so it would appear that this hard-core spammer (who breaks into other servers to use them for image hosting) has been able to block queries from SpamCop.

This doesn't prevent manual lookup and reporting of course, but ISPs that choose to host this site deserve to be flooded out of existence with complaints.

They aren't blocking SpamCop queries. Check out the blog http://www.spamhater.zoomshare.com/
Paranoid2000
QUOTE(rusticdog @ Aug 24 2006, 11:54 PM) *

They aren't blocking SpamCop queries. Check out the blog http://www.spamhater.zoomshare.com/
When the domains can't be resolved by SpamCop but can be by other sites like DNSStuff, NWTools, etc and the sites themselves are accessible, it is safe to presume that the block is specific to SpamCop. When the DNS server domains are disabled (as mentioned in the blog), it results in all subsequent lookups failing.
Wazoo
QUOTE(Paranoid2000 @ Aug 24 2006, 07:13 PM) *
When the domains can't be resolved by SpamCop but can be by other sites like DNSStuff, NWTools, etc and the sites themselves are accessible, it is safe to presume that the block is specific to SpamCop.

Possible .. but the more likely issue is the time allowed for a return from a DNS lookup ... the SpamCop.net parsing engine doesn't wait around for two or three minutes for a response .....
qjvgpuryy
QUOTE(Wazoo @ Aug 24 2006, 09:33 PM) *
Possible .. but the more likely issue is the time allowed for a return from a DNS lookup ... the SpamCop.net parsing engine doesn't wait around for two or three minutes for a response .....

I would be willing to allow SpamCop to use my computer to do the lookup and wait until a result was returned. I wonder if that would be possible ...
Telarin
Part of the issue is that DNS is asynchronous. This means that computer A sends a request to a DNS server for resolution of an address, and then goes on about its business. Most programs will actually wait a specified amount of time for this result to return, but the problem here is that while it is waiting, it is not doing other things. The DNS could send the response back to computer A immediately, or several minutes later (worst case). Once the response has been received, it is added to an internal list of resolved addresses on computer A (in this case the SpamCop computer that is processing spam) and is available to subsequent calls until it is considered "stale", at which time it will be requeried. The problem here is that there is no set time as to how long a DNS server might take to send the resolution information. It's not really a matter of processing power, it's a matter of processing efficiency.

The other option I see is to have the parser resubmit DNS-failed messages to the end of the queue, and by the time they make it to the front for processing again, the resolution should be in. The problem here is you would have to make sure the parser knew to give up on a message after a couple of tries, or the queue would end up filled with messages with unresolvable DNS that just kept getting resubmitted. Again, this means that some messages would have to be parsed more than once, which eats up CPU cycles on an already somewhat overwhelmed parsing system.

Another solution would be to use a multi-threaded approach, so that multiple emails are being parsed simultaneously. That way, if one thread has to wait a little longer for DNS resolution, it will not significantly impact the performance of the server overall as the other threads will continue processing their separate emails.
StevenUnderwood
QUOTE(qjvgpuryy @ Aug 25 2006, 12:10 PM) *
I would be willing to allow SpamCop to use my computer to do the lookup and wait until a result was returned. I wonder if that would be possible ...
Your waiting would delay all the other processing going on (SpamCop's computer would be waiting for your machine to get the answer and return the value to them). Please remember that the SpamCop parser is spitting out lots of reports/second.

Your offer has been made in the past. The whole way SpamCop does its business would need to be modified to use a distributed computing type of approach. Likely too much work for one programmer.
jongrose
So what is the solution? These spamvertized sites need to be shut down. Could SC try an alternate name server when the first one fails to get a result. The new OpenDNS servers seem quite fast...
Telarin
There are lots of possible solutions. I outlined a couple above. However, any solution is going to require some major changes to how the parse code works, so is unlikely to happen unless SC suddenly gets some huge funding source and can hire a programming team. If you are really hot on getting the spamvertised sites shut down, then your best bet might simply be to fire off a manual report when SC is unable to get DNS resolution within its timeout period.
Wazoo
QUOTE(jongrose @ Aug 25 2006, 04:02 PM) *
So what is the solution? These spamvertized sites need to be shut down. Could SC try an alternate name server when the first one fails to get a result. The new OpenDNS servers seem quite fast...

???? it's not the "requests" that are the issue .. it's the "response" times that are at odds with how "the net" is supposed to work. There are a number of entries existing within the SpamCop FAQ here already dealing with the "resolving of web-site" issues ... primarily dealing with that a SpamCop.net 'notification' is at best just a courtesy. As the majority of these "problem" sites are hosted on known "don't give a damn" China-based hosts ... even that courtesy is a waste of time for the most part. Yet again, "the net" was developed in the mindset that "all users would be trustworthy" .. back when it was a U.S. Government tool to connect U.S. Government resources ..... this is the area that the spammers continue to work around, taking/using those "trusted" aspects and abusing the hell out of those concepts, tools, and data.

On the other hand, resolving them and user-reporting them does offer the opportunity for them to be picked up by the SURBL, but again .... one of those so-what scenarios .... with some spammers burning through 50 sites a day, so what if one or two of them get placed on a BL somewhere ... it was only intended to last a week anyway ....

And, as often repeated, repeated, repeated .. there is nothing that stops "you" from making your own complaints..... do the research, find the addresses, fire it off ....
Paranoid2000
QUOTE(Wazoo @ Aug 25 2006, 10:31 PM) *

???? it's not the "requests" that are the issue .. it's the "response" times that are at odds with how "the net" is supposed to work.
This isn't a response time issue - the sites in question resolve quickly when checked using other tools (e.g. DNSStuff, NWTools) or accessed directly.
QUOTE(Wazoo @ Aug 25 2006, 10:31 PM) *
As the majority of these "problem" sites are hosted on known "don't give a damn" China-based hosts ... even that courtesy is a waste of time for the most part.
My Canadian Pharmacy uses compromised servers (probably via a dictionary attack on the root password) with images held on another compromised server, so informing the admins in this case is more likely to yield results.
QUOTE(Wazoo @ Aug 25 2006, 10:31 PM) *
And, as often repeated, repeated, repeated .. there is nothing that stops "you" from making your own complaints..... do the research, find the addresses, fire it off ....
Agreed - but then far fewer people will take the time to do this, meaning that those ISPs that prioritise on the number of reports received will give this less attention than it deserves. The spammer is clearly finding SpamCop reports a hindrance to take this measure.
StevenUnderwood
QUOTE(Paranoid2000 @ Aug 26 2006, 06:51 AM) *

This isn't a response time issue - the sites in question resolve quickly when checked using other tools (e.g. DNSStuff, NWTools) or accessed directly.

I disagree with this. I only got results about half the time on my test below. 500ms is not "quickly", especially when dealing with the numbers spamcop is pushing through. I agree there COULD be another process that waits a longer time or retries for those so inclined, but I don't think there are enough people complaining about this to be worth the time.

Once again, spamvertized websites is NOT SpamCop's primary focus.

DNSStuff lookups with 4 successive refreshes of the page http://www.dnsstuff.com/tools/lookup.ch?na...057&type=A: from your first sample.

QUOTE
How I am searching:
Searching for mmpggj.vesseliss.com A record at h.root-servers.net [128.63.2.53]: Got referral to j.gtld-servers.net. (zone: com.) [took 14 ms]
Searching for mmpggj.vesseliss.com A record at j.gtld-servers.net. [192.48.79.30]: Got referral to ns2.molefancy.info. (zone: vesseliss.com.) [took 254 ms]
Searching for mmpggj.vesseliss.com A record at ns2.molefancy.info. [Unknown IP]: Error: Couldn't resolve DNS server name/IP [ns2.molefancy.info][11004].

Answer:
An error occurred: Couldn't resolve DNS server name/IP [ns2.molefancy.info][11004].

Details:
I could not get to the nameserver authoritative for mmpggj.vesseliss.com. Sorry!


QUOTE
How I am searching:
Searching for mmpggj.vesseliss.com A record at f.root-servers.net [192.5.5.241]: Got referral to C.GTLD-SERVERS.NET. (zone: com.) [took 62 ms]
Searching for mmpggj.vesseliss.com A record at C.GTLD-SERVERS.NET. [192.26.92.30]: Got referral to ns2.grainpleat.info. (zone: vesseliss.com.) [took 6 ms]
Searching for mmpggj.vesseliss.com A record at ns2.grainpleat.info. [200.51.90.94]: Reports mmpggj.vesseliss.com. [took 449 ms]
517ms total

QUOTE
How I am searching:
Searching for mmpggj.vesseliss.com A record at f.root-servers.net [192.5.5.241]: Got referral to J.GTLD-SERVERS.NET. (zone: com.) [took 61 ms]
Searching for mmpggj.vesseliss.com A record at J.GTLD-SERVERS.NET. [192.48.79.30]: Got referral to ns1.morevig.info. (zone: vesseliss.com.) [took 222 ms]
Searching for mmpggj.vesseliss.com A record at ns1.morevig.info. [132.248.107.131]: Reports mmpggj.vesseliss.com. [took 274 ms]
557ms total

QUOTE
How I am searching:
Searching for mmpggj.vesseliss.com A record at d.root-servers.net [128.8.10.90]: Got referral to G.GTLD-SERVERS.NET. (zone: com.) [took 7 ms]
Searching for mmpggj.vesseliss.com A record at G.GTLD-SERVERS.NET. [192.42.93.30]: Got referral to ns2.molefancy.info. (zone: vesseliss.com.) [took 90 ms]
Searching for mmpggj.vesseliss.com A record at ns2.molefancy.info. [Unknown IP]: Error: Couldn't resolve DNS server name/IP [ns2.molefancy.info][11004].

Answer:
An error occurred: Couldn't resolve DNS server name/IP [ns2.molefancy.info][11004].

Details:
I could not get to the nameserver authoritative for mmpggj.vesseliss.com. Sorry!


DNS Traversal for your first sample: http://www.dnsstuff.com/tools/traversal.ch....com&type=A
QUOTE
Looking up at the 4 vesseliss.com. parent servers:

Server Response Time
ns1.morevig.info [132.248.107.131] 59.120.122.76 356ms
ns2.grainpleat.info [200.51.90.94] 59.120.122.76 502ms
ns1.dartnet.info [0.0.0.0] Timeout
ns2.molefancy.info [0.0.0.0] Timeout

Status: Records DO NOT all match: Results from ns2.molefancy.info (0 answers) do not match results from ns2.grainpleat.info (1 answers).


DNS Traversal for your second sample: http://www.dnsstuff.com/tools/traversal.ch....com&type=A
QUOTE
Looking up at the 4 ecolwont.com. parent servers:

Server Response Time
ns2.lofhick.info [194.29.49.1] 59.120.122.76 356ms
ns2.molefancy.info [161.246.61.208] 59.120.122.76 681ms
ns1.dartnet.info [201.6.155.6] 59.120.122.76 1559ms
ns1.wizardup.info [0.0.0.0] Timeout

Status: Records DO NOT all match: Results from ns1.wizardup.info (0 answers) do not match results from ns1.dartnet.info (1 answers).


DNS Traversal for your third sample: http://www.dnsstuff.com/tools/traversal.ch....com&type=A
QUOTE
Looking up at the 4 greatacope.com. parent servers:

Server Response Time
ns1.morevig.info [132.248.107.131] 59.120.122.76 295ms
ns2.grainpleat.info [200.51.90.94] 59.120.122.76 453ms
ns2.molefancy.info [161.246.61.208] 59.120.122.76 652ms
ns1.dartnet.info [201.6.155.6] 59.120.122.76 1604ms

Status: Records all match.


DNS Traversal for your fourth sample: http://www.dnsstuff.com/tools/traversal.ch....com&type=A
QUOTE
Looking up at the 4 pressret.com. parent servers:

Server Response Time
ns2.lofhick.info [194.29.49.1] 59.120.122.76 387ms
ns2.molefancy.info [161.246.61.208] 59.120.122.76 710ms
ns1.dartnet.info [201.6.155.6] 59.120.122.76 124ms
ns1.wizardup.info [0.0.0.0] Timeout

Status: Records DO NOT all match: Results from ns1.wizardup.info (0 answers) do not match results from ns1.dartnet.info (1 answers).
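The two ideas running through this thread, Telarin's "give the lookup a bounded wait, cache what resolves, and push failures to the back of the queue a limited number of times" and the per-server traversal with Timeouts and a "Records all match" verdict shown in the DNSStuff output above, can be modelled in a few dozen lines. The block below is an added example written for this page, not SpamCop code and not DNSStuff's tool. It runs offline against a constructed stand-in for the network (the server names and the 59.120.122.76 answer are taken from the traversal output above; "ns.flaky.test", "flaky.test", "dead.test" and 192.0.2.10 are hypothetical) and the latencies are invented, so it demonstrates the mechanics, not real behaviour of those hosts.

```python
"""Toy model of a DNS-aware parser queue: per-server timeouts, a TTL cache,
bounded re-queueing of failed lookups and parallel queries. Example code only,
not SpamCop's parser."""
import time
from collections import Counter, deque, namedtuple
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

ServerResult = namedtuple("ServerResult", "status answers ms")


class FakeNet:
    """Constructed stand-in for the real network so the example runs offline.
    Maps a server to (latency in seconds, answer set); None = never answers."""

    def __init__(self):
        self.calls = Counter()
        self.servers = {
            "ns1.morevig.info":    (0.02, {"59.120.122.76"}),
            "ns2.grainpleat.info": (0.05, {"59.120.122.76"}),
            "ns1.dartnet.info":    (None, set()),
            "ns2.molefancy.info":  (None, set()),
            # hypothetical server: hangs on the first query, answers quickly afterwards
            "ns.flaky.test":       ("flaky", {"192.0.2.10"}),
        }

    def query(self, server, name):
        self.calls[server] += 1
        delay, answers = self.servers[server]
        if delay == "flaky":
            delay = 0.5 if self.calls[server] == 1 else 0.01
        time.sleep(0.5 if delay is None else delay)  # 0.5 s exceeds every timeout used below
        return answers


# constructed delegation data, modelled on the traversal output above
ZONES = {
    "greatacope.com": ["ns1.morevig.info", "ns2.grainpleat.info",
                       "ns2.molefancy.info", "ns1.dartnet.info"],
    "flaky.test":     ["ns.flaky.test"],
    "dead.test":      ["ns1.dartnet.info", "ns2.molefancy.info"],
}


def timed_query(query, server, name):
    t0 = time.monotonic()
    answers = frozenset(query(server, name))
    return answers, int((time.monotonic() - t0) * 1000)


def traverse(query, name, servers, timeout):
    """Ask every authoritative server in parallel under one shared deadline and
    report per-server status, answers and response time (ms)."""
    if not servers:
        return {}
    report, deadline = {}, time.monotonic() + timeout
    with ThreadPoolExecutor(max_workers=len(servers)) as pool:
        futures = {s: pool.submit(timed_query, query, s, name) for s in servers}
        for server, fut in futures.items():
            try:
                answers, ms = fut.result(timeout=max(0.0, deadline - time.monotonic()))
                report[server] = ServerResult("ok", answers, ms)
            except FutureTimeout:
                report[server] = ServerResult("timeout", frozenset(), None)
            except Exception as exc:  # unknown server, socket error, ...
                report[server] = ServerResult("error:" + type(exc).__name__, frozenset(), None)
    return report


def records_match(report):
    """The 'Records all match' rule: every server answered and all gave the same set."""
    answered = [r for r in report.values() if r.status == "ok"]
    return len(answered) == len(report) and len({r.answers for r in answered}) == 1


class QueuedResolver:
    """Resolver with a TTL cache and a bounded retry queue."""

    def __init__(self, query, zones, timeout=0.2, max_tries=2, ttl=300.0):
        self.query, self.zones = query, zones
        self.timeout, self.max_tries, self.ttl = timeout, max_tries, ttl
        self.cache = {}   # name -> (expires_at, answers)
        self.failed = []

    def resolve(self, name):
        hit = self.cache.get(name)
        if hit and hit[0] > time.monotonic():
            return hit[1]  # served from cache, no network round trip
        report = traverse(self.query, name, self.zones.get(name, []), self.timeout)
        for result in report.values():
            if result.status == "ok" and result.answers:  # first server that answered wins
                self.cache[name] = (time.monotonic() + self.ttl, result.answers)
                return result.answers
        return None

    def process(self, names):
        """Parser loop: a name that fails goes to the back of the queue, at most max_tries times."""
        pending, resolved = deque((n, 1) for n in names), {}
        while pending:
            name, attempt = pending.popleft()
            answers = self.resolve(name)
            if answers:
                resolved[name] = answers
            elif attempt < self.max_tries:
                pending.append((name, attempt + 1))
            else:
                self.failed.append(name)
        return resolved
```

With a 0.2 s budget the two never-answering servers show up as Timeouts and `records_match` is False, mirroring the "0 answers do not match 1 answers" verdict above; the flaky zone fails on its first pass and resolves on the re-queue, the dead zone is dropped after `max_tries`, and a second lookup of an already-resolved name costs no network call at all.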
spamislame
Hello.

I have been very active on a few other spam-related message forums and only today discovered this one.

I have a huge amount of information I've been compiling on the My Canadian Pharmacy umbrella of websites if anyone is interested:

http://www.mytempdir.com/917959

This covers a great deal of background research I have been doing including data collated from several pharmaceutical authorities and law enforcement personnel.

I have sent copies of this report to the FBI's IC3 group, Interpol, numerous pharmaceutical regulators, Pfizer, Microsoft and several media outlets. None of them have commented on it (though I know that IC3 is actively investigating this group of spammers.)

A colleague of mine who alternately goes by the names "Red Dwarf" and "Blue Turkey" has been extremely effective lately in reporting fraudulent DNS usage. The spammers set up DNS which they know registrars will disallow, but they also know that that won't stop it from resolving. A nice loophole. They similarly engage in a practice known as "domain kiting", where they register several hundred domains with a registrar, wait for the five-day "grace period" to nearly complete (within which they will not be charged for the registration of the domain) and cancel all of them, moving them all to a new registrar.

They also abuse several dozen public servers at a time. They do so via the following means:

- Run a root password guesser, attempting to login as root to a set of known IP addresses using 400 passwords. (Note: In most cases they get in with some retardedly simple passwords like "root" or "password." A surprising number of home linux boxes have their root passwords set up this way.)
- Once in as root: they wget and install a series of processes, depending on how they wish to use the server in question:

* tswapd (more recently renamed to "tirqd") - a traffic-forwarding proxy
* uirqd (an undetectable dns server)
* S-root (the root password scanner)

The most common is tswapd / tirqd. That handles all of the traffic for a My Canadian Pharmacy domain, and all requests are proxied through one server, to be delivered via a secondary or even tertiary server.

But as we can see: they abuse all kinds of servers, using them for traffic proxies (and monitoring), or web hosts, or DNS servers, all costing them nothing.

These spammers are alleged to have ties to child porn and credit card theft. In fact not one single pharmacy oversight organization (including Pharmacy Checker or CIPA) has ever heard of anyone actually receiving a single product after placing an order via these sites.

I'm babbling but I wanted to contribute this information to a group that might find it useful. This goes beyond "some server in China". They use that as a cover. They really take over any server, anywhere in the world. We've uncovered more on them but this is plenty to get started with.

Thanx for listening.

SiL
Paranoid2000
QUOTE(StevenUnderwood @ Aug 26 2006, 02:36 PM) *

I disagree with this. I only got results about half the time on my test below. 500ms is not "quickly", especially when dealing with the numbers spamcop is pushing through. I agree there COULD be another process that waits a longer time or retries for those so inclined, but I don't think there are enough people complaining about this to be worth the time.
Apologies for the delayed response (I've been offline for a while) and thanks for the analysis. If this is a simple timing issue then it should be easy to address but it does seem that SpamCop is making things harder for itself by not caching previously successful results.
QUOTE(StevenUnderwood @ Aug 26 2006, 02:36 PM) *
Once again, spamvertized websites is NOT SpamCop's primary focus.
Websites do need to be a focus (since it is only by shutting them down that spamming is ever likely to stop), even if not the primary one. Though this could really be a topic for another thread, spam reports could be used to build a domain (or even ISP) based blocklist though there are others out there doing this.
QUOTE(spamislame @ Sep 8 2006, 06:32 PM) *
I have a huge amount of information I've been compiling on the My Canadian Pharmacy umbrella of websites if anyone is interested:
Thanks for the information - lots of good detective work there. This makes it more important for the server owners to be contacted (though someone careless enough to use a weak password isn't likely to be too bothered about the consequences).
Jank1887
QUOTE(Paranoid2000 @ Sep 9 2006, 02:55 AM) *

Though this could really be a topic for another thread, spam reports could be used to build a domain (or even ISP) based blocklist though there are others out there doing this.


I'll beat Wazoo to the punch: smile.gif

There are a number of other threads dealing with the web site resolving, reporting priority, etc., issues. But, here's the main FAQ link where most opinions have been summarized: FAQ: SpamCop reporting of spamvertized sites - some philosophy

Also, there is a SURBL, which I believe does pull from the SC reported lists:SURBL.org website
Paranoid2000
QUOTE(Jank1887 @ Sep 11 2006, 02:06 PM) *

I'll beat Wazoo to the punch: smile.gif
Now now - no need to spoil his fun. smile.gif
QUOTE(Jank1887 @ Sep 11 2006, 02:06 PM) *

There are a number of other threads dealing with the web site resolving....
Also, there is a SURBL, which I believe does pull from the SC reported lists...
The sc.surbl.org Data page seems the most relevant as it mentions the data pulled in from SpamCop's Spamvertised Sites page. However since this page only lists sites with a known abuse address, it would also seem that domains "evading" resolution by SpamCop would also avoid the sc.surbl.
StevenUnderwood
QUOTE(Paranoid2000 @ Sep 11 2006, 09:45 AM) *

However since this page only lists sites with a known abuse address, it would also seem that domains "evading" resolution by SpamCop would also avoid the sc.surbl.

And that would be a flaw in that system. They are using what SpamCop provides for reference and using it to determine listing. Many things could go wrong with that system. Most importantly, SpamCop could decide to stop publishing that information.

I will make the same offer to you that I have made to others, provide a service that focuses on reporting spamvertized web sites and I will use it. I'm sure many others here would use it. I even think you might get spamcop to off load those requests onto your service. Spamcop's resources are devoted to finding and listing the source of the spam.
Paranoid2000
Since there is now a new wave of this spam (plus the related operation "LegalRX"), now would seem a good time to point out that a retaliator is available which can place fake orders (including a CC number that passes the site's verification). This is effective enough that the spamgang behind these sites soon block IP addresses (use Tor to get around this), so enough people using it should encourage them to stop spamming altogether.

This retaliator requires the Firefox browser with the Greasemonkey extension (with NoScript and User Agent Switcher extensions strongly recommended). See the Pharma KS FormFiller thread for more details and download location.
Wazoo
QUOTE(Paranoid2000 @ Dec 17 2006, 03:06 PM) *
Since there is now a new wave of this spam (plus the related operation "LegalRX"), now would seem a good time to point out that a retaliator is available which can place fake orders (including a CC number that passes the site's verification). This is effective enough that the spamgang behind these sites soon block IP addresses (use Tor to get around this), so enough people using it should encourage them to stop spamming altogether.

And this has nothing to do with the SpamCop.net Parsing & Reporting system. There are dozens of existing Topics/Discussions on various retaliation tools, modes, functions, etc. in the Lounge area.
jongrose
QUOTE(Paranoid2000 @ Dec 17 2006, 03:06 PM) *
Since there is now a new wave of this spam (plus the related operation "LegalRX"), now would seem a good time to point out that a retaliator is available which can place fake orders (including a CC number that passes the site's verification). This is effective enough that the spamgang behind these sites soon block IP addresses (use Tor to get around this), so enough people using it should encourage them to stop spamming altogether.

This retaliator requires the Firefox browser with the Greasemonkey extension (with NoScript and User Agent Switcher extensions strongly recommended). See the Pharma KS FormFiller thread for more details and download location.

That just seems like a potentially bad idea and might even be construed as CC fraud. I'm not a lawyer, so I don't know anything about it, but although I realize the concept is to stop a rogue company, this just seems like a bad way of going about it. You would be putting yourself at something that is risky legally and even technically if you were to get a website wrong. I think reporting it to the FTC/FDA is the best idea for end users, and SpamCop obviously allows for reporting to ISPs and the correct abuse depts.
btech
From what I've seen, the sites that MCP and USRX are using require specific referral/key codes to access the specific page. When one drops off those codes, you'll often get a blank page or a 'cannot be found' error.

They do a lot of HTML trickery, to ensure that the entire link isn't picked up in the reporting process, too.. that is most likely why the parsers aren't catching the links.
Paranoid2000
QUOTE(jongrose @ Dec 18 2006, 03:55 PM) *

That just seems like a potentially bad idea...
Rather than continue this debate here, I would simply suggest people review the Wilders New Spam Retaliation Tool which discusses the ethics/morality/legality of this.

As for the parsing, I'm not too sure about the need for the referer codes since entering the domain on its own without them always works. It could be that it is resolving (deliberately) too slowly for SpamCop or that they are able to identify SpamCop domain lookups by other means.
Farelf
QUOTE(Paranoid2000 @ Dec 19 2006, 08:53 AM) *
Rather than continue this debate here, I would simply suggest people review the Wilders New Spam Retaliation Tool which discusses the ethics/morality/legality of this.
And for those who prefer not to revert to "symmetrical justice" and the whole retaliation/revenge thing, a reminder that spamislame has offered considerable other resources, earlier in this topic (though the mytempdir URL has expired, no doubt he can be contacted through Wilders).
btech
SiL's tools are nothing more than form fillers/submission tools meant to piss off spammers by giving them tons and tons of junk leads (I recall seeing some users clock 30K+ a day to different sites)

Since these sites are on Chinese servers and seem to be a black hole that no one dares look to stop the abuse, I fail to see what using/abusing their resources and wasting a spammer's time will do to hurt our cause. Maybe if an ISP sees a drain in bandwidth and bothers to check that IP/box, we HAVE done some good, since I'm not convinced that SpamCop reports mean s*it to Chinese providers.
Paranoid2000
QUOTE(btech @ Dec 19 2006, 01:28 AM) *

Since these sites are on Chinese servers an seem to be a black hole that no one dare look to stop the abuse, I fail to see what using/abusing their resources and wasting a spammers time will do to hurt our cause. Maybe if an ISP sees a drain in bandwidth and bothers to check that IP/box, we HAVE done some good, since I'm not convinced that SpamCop reports mean s*it to Chinese providers.
This operation is now using hijacked systems around the world, with images held on another server. The only way to put an end to it is either to secure every single PC on this planet or to make these spammers' business unprofitable. Posting false orders is the only way to achieve the latter - I'd be interested in anyone providing a method to somehow achieve the former, especially given the ignorance of many such server admins.
Farelf
QUOTE(btech @ Dec 19 2006, 10:28 AM) *
... I fail to see what using/abusing their resources and wasting a spammers time will do to hurt our cause. ...
I don't think anyone proposed that it might harm "the cause". To use or not to use is mainly a moral judgement as I see it. I for one am not about to lecture on the rights and wrongs - people need to make their own call. There are other issues (such as consumption of internet bandwidth) which are certainly not critical.
btech
QUOTE(Paranoid2000 @ Dec 18 2006, 06:09 PM) *

This operation is now using hijacked systems around the world, with images held on another server.

And sadly, when one box is cleaned up, they've moved to another, only to hop back to the original ISP's servers. One of the things that SiL and others have done is to track down the back end information and report THOSE ISPs/hosts. Those guys also send out numerous emails to hosts/registrars of the nameservers (which there was a huge hit to some of them over the weekend).. if the hijacked host won't do anything, go to the nameserver, I guess.
jongrose
QUOTE(Paranoid2000 @ Dec 18 2006, 05:53 PM) *

Rather than continue this debate here, I would simply suggest people review the Wilders New Spam Retaliation Tool which discusses the ethics/morality/legality of this.

As for the parsing, I'm not too sure about the need for the referer codes since entering the domain on its own without them always works. It could be that it is resolving (deliberately) too slowly for SpamCop or that they are able to identify SpamCop domain lookups by other means.


I will take a look at that. I'm not against the idea of using other "outside the box" methods of trying to bring down spammers' sites. I recall the project by Lycos, the "Make Love Not Spam" screensaver, that used aggregate data (even from SC) to try to overload spamvertized URLs. However, there was so much backlash from people that it was shut down not long after it was started. I thought the project was an interesting concept and thought it might be successful.

Another thing to take into consideration is the example of BlueFrog, a service somewhat similar to SC, that was essentially shut down by spammers in retribution for trying to report spammers to law enforcement and ISPs and so forth. I know that there have been DoS attacks against SC in the past, and they might go on continuously (I am not sure about this), as they do with other major DNSBLs.

So, there are several things to take into consideration. One is from the perspective of the end user who is using these scripts to retaliate against rogue spamvertized sites. There are possible issues of excess bandwidth consumption (as mentioned by Farelf), legal questions, whether or not this would violate end users AUP/TOS for their ISP and so forth.

Secondly, the recommendation being made by the authors of these scripts is to use TOR to connect to these sites. I believe that probably most individuals running TOR nodes would not appreciate this possible misuse of their servers, since, not only could it result in retaliation against them, but TOR, as an overall community, would most likely be slowed down (as if it isn't slow enough already) by constant barrages of attacks on websites over and over.

Finally, there is obviously potential for misuse with these scripts. These are clearly made for an "advanced" usergroup that would (or should) be able to know which sites are the rogue "Canadian pharm" sites. But, because of their ease of use, it could be possible to be used against other targets.

As far as SC not being able to parse the URLs, this has been brought up recently, and includes other sites, not just ones mentioned here. I have posted a brief "how to" on manually reporting URLs that SC doesn't resolve which can be found here.

Also, as I mentioned above, individuals can report fraudulent sites like these to the FTC and FDA. Anyway, what it all comes down to is a judgement call, but one that I would advise people not to take lightly. There are people who want to go "by the book" so to speak, and use a tool like SC to simply report said UCEs and hope to get them shut down. Other people might want to take it farther and use a vigilante approach to combating spam. Either way, it's clear that people are taking these steps because the influx of spam is becoming even more enormous and overwhelming. I understand why people would choose this step, and it's an obvious evolution from becoming beyond annoyed with the problems of email and the failure of responsible parties to take appropriate action to stem the tide of spam.

@Mods: Since this discussion has sort of gotten off topic of the original post, I think it might be appropriate to chop it from Paranoid's post about the "pharmkilla" scripts and move it to another folder. Just my 2¢.
turetzsr
QUOTE(Farelf @ Dec 18 2006, 09:24 PM) *
I don't think anyone proposed that it might harm "the cause". To use or not to use is mainly a moral judgement as I see it. I for one am not about to lecture on the rights and wrongs - people need to make their own call.
...But before they can make the call, they have to know the issues. IMHO, most people don't.
QUOTE(Farelf @ Dec 18 2006, 09:24 PM) *
There are other issues (such as consumption of internet bandwidth) which are certainly not critical.
...Why is it not critical? Isn't that one of the things we dislike about spam -- that it abuses internet bandwidth? It's certainly critical to me! You (and others) are certainly entitled to disagree with me about this but IMHO it warrants more than a dismissive "certainly not critical."
Farelf
QUOTE(turetzsr @ Dec 19 2006, 10:46 PM) *
...But before they can make the call, they have to know the issues. IMHO, most people don't....
Yep, which is why I suggested the author of the tool had other tactics, jongrose chipped in with a f'rinstance - feel free to add your own.
QUOTE(turetzsr @ Dec 19 2006, 10:46 PM) *
...Why is it not critical? Isn't that one of the things we dislike about spam -- that it abuses internet bandwidth? It's certainly critical to me! You (and others) are certainly entitled to disagree with me about this but IMHO it warrants more than a dismissive "certainly not critical."
Call me old-fashioned but I sort of reserve the description "critical" as an absolute. Critical would be if, of itself, it brought the internet down. I don't believe that to be the case (though certainly it won't do it any good). Is that being dismissive? It was not intended to be so. I had thought of commenting that sending 35,000 order forms to achieve a reduction of a few hundred (?unsure of claimed/implied number) spam does not sound like a desirable level of efficiency - but refrained because that is probably not indicative of "performance" on a broader scale, might be construed as carping. Seems I was foredoomed in any event.
Farelf
QUOTE(turetzsr @ Dec 19 2006, 10:46 PM) *
QUOTE(Farelf)
...To use or not to use is mainly a moral judgement as I see it...
...But before they can make the call, they have to know the issues. IMHO, most people don't....
Oh sorry, I went off on a tangent in earlier answer. The moral issue is whether it is OK to join the spammers in the misuse of the internet. Not much else to know, really.
turetzsr
QUOTE(Farelf @ Dec 19 2006, 09:15 AM) *
<snip>
QUOTE(turetzsr @ Dec 19 2006, 10:46 PM)
...Why is it not critical? Isn't that one of the things we dislike about spam -- that it abuses internet bandwidth? It's certainly critical to me! You (and others) are certainly entitled to disagree with me about this but IMHO it warrants more than a dismissive "certainly not critical."
Call me old-fashioned but I sort of reserve the description "critical" as an absolute. Critical would be if, of itself, it brought the internet down. I don't believe that to be the case (though certainly it won't do it any good). Is that being dismissive?
<snip>
...Having explained what you meant, no, it is no longer dismissive. <g> However, I think you may be underestimating the impact -- we're not really sure how close we are to bringing the internet down, are we? We certainly don't need a lot of retaliation packets adding to the load spammers are already causing.
QUOTE(Farelf @ Dec 19 2006, 09:33 AM) *
QUOTE(turetzsr @ Dec 19 2006, 10:46 PM)
QUOTE(Farelf)
...To use or not to use is mainly a moral judgement as I see it...
...But before they can make the call, they have to know the issues. IMHO, most people don't....
Oh sorry, I went off on a tangent in earlier answer. The moral issue is whether it is OK to join the spammers in the misuse of the internet. Not much else to know, really.
...Well, precisely that retaliation tactic might, in fact, be misusing the internet. I expect there are many people considering retaliatory tactics who are not clued in to that. Even whether any particular retaliation tactic is a misuse of the internet probably needs to be aired before people can make an informed judgment as to whether to use it.
Farelf
QUOTE(turetzsr @ Dec 20 2006, 12:19 AM) *
Well, precisely that retaliation tactic might, in fact, be misusing the internet.
No question in my mind, it is misuse.
QUOTE(turetzsr @ Dec 20 2006, 12:19 AM) *
I expect there are many people considering retaliatory tactics who are not clued in to that. Even whether any particular retaliation tactic is a misuse of the internet probably needs to be aired before people can make an informed judgment as to whether to use it.
Hadn't considered that - then I've never thought "the end justifies the means[1]" to be morally defensible and things are pretty clear cut if one can proceed from there. It follows I'm not a fan of vigilantism either - revenge[2] being the highest motive there, bestiality the lowest.

[1] IIUC Loyola (who, as the founder of the Jesuits, would ordinarily be considered some sort of moral authority) said the end justified all, presumably because St. Paul said, "... that by any means I might win some." (I'm no theologian). But they were talking about the end of "saving men's souls" (and the occasional woman's) for pity's sake - or St. Paul was at least. Special case, absolute faith a prerequisite. I don't buy any mundane cause even coming close to qualifying.

[2] Sir Francis Bacon (who knew the dock from both sides) reckoned "Revenge puts the law out of office," his quaint way of saying it usurped the rule of law - it was 400 years ago after all. I think his observation is fairly well self-evident and I happen to prefer the rule of law (be it ever so halt) to the alternative.

And I said I wouldn't lecture (it's Steve T's fault) ... well, I'm not claiming infallibility on the issues and others will beg to differ.
Paranoid2000
QUOTE(Farelf @ Dec 19 2006, 02:15 PM) *
I had thought of commenting that sending 35,000 order forms to achieve a reduction of a few hundred (?unsure of claimed/implied number) spam does not sound like a desirable level of efficiency - but refrained because that is probably not indicative of "performance" on a broader scale, might be construed as carping.
Assuming that you were referring to the Spur-M-Enator, such concerns are groundless. This tool places orders directly to the spammers' back end database so has negligible bandwidth consumption. Specifically it sends a URL containing all the order data (about 600 bytes) and receives back a webpage under 340 bytes in size (it used to be blank but the spammers added a scri_pt to fire up 100 popups). So at under 1,000 bytes per transaction, 35,000 orders would take 35MB bandwidth plus protocol overheads.

By way of contrast a typical SpamCop report would take over 50K (22,600 bytes submission page plus 29,000 bytes report page plus the size of the spam submitted). So this retaliation example would have taken the same bandwidth as 700 typical SpamCop reports - and I'm willing to bet I alone have submitted close to that number for this particular spammer.

The other retaliators are bandwidth-light also since they work by emulating "normal" web traffic. The only bandwidth-intensive tool I know of is SpamVampire and the bandwidth that consumes should be weighed against the "90% of all email traffic" DoS that we receive in our inboxes every day.
QUOTE(jongrose @ Dec 19 2006, 11:24 AM) *
Secondly, the recommendation being made by the authors of these scripts is to use TOR to connect to these sites. I believe that probably most individuals running TOR nodes would not appreciate this possible misuse of their servers, since, not only could it result in retaliation against them, but TOR, as an overall community, would most likely be slowed down (as if it isn't slow enough already) by constant barrages of attacks on websites over and over.
I run a Tor exit node myself and I can assure you that such retaliators have no visible impact. The biggest problem Tor has is with people dragging 80MB+ Rapidshare downloads through it (to get around Rapidshare's IP-based download limits - since traffic is routed via 3 nodes this comes to 320MB+ of bandwidth). I would of course encourage anyone making heavy use of Tor to contribute back by running a server themselves, but that's certainly a topic for another thread.
Telarin
I don't think any of these retaliation tactics are abusive. I am using my bandwidth, which I pay for, so how can that be considered abusive? On the other hand, a large number of these websites are used for nothing more than collecting information used for identity theft. By poisoning the spammers' database so that only 1 in 1000 or 10000 leads is usable, you have done a HUGE service to protect the people that were naive (read: ignorant) enough to put real information into these forms.

There is also the very real possibility of spammers losing their clients, to whom they sell identity and CC information, because the data they are selling is no longer usable. This directly impacts the spammer's bottom line, and when dealing with criminals may put him in a very undesirable position.
StevenUnderwood
QUOTE(Telarin @ Dec 19 2006, 02:42 PM) *

I am using my bandwidth, which I pay for, so how can that be considered abusive?
So, as long as a spammer is paying for their internet access, they can not be abusive?
Telarin
I didn't request their emails. However, their emails specifically requested that I visit their websites, they just didn't specify how many times ;)
btech
QUOTE(StevenUnderwood @ Dec 19 2006, 01:51 PM) *
So, as long as a spammer is paying for their internet access, they can not be abusive?

Some 'advertising companies' that buy lists from other people pay for their ISP/host service, but the abuse comes from that person sending the unsolicited mail. I think it's a positive thing that these lackadaisical ISPs are starting to see the drain from retaliatory programs and persons.. it might make them aware of the problems they harbor.
turetzsr
QUOTE(Paranoid2000 @ Dec 19 2006, 01:15 PM) *
<snip>
Assuming that you were referring to the Spur-M-Enator, such concerns are groundless. This tool places orders directly to the spammers' back end database so has negligible bandwidth consumption.
QUOTE(Telarin @ Dec 19 2006, 02:42 PM) *
I don't think any of these retaliation tactics are abusive. I am using my bandwidth, which I pay for, so how can that be considered abusive?
<snip>
...Either these quotes demonstrate that you two don't understand how the internet works or that I don't <g>. AIUI, what appears to be a "direct connection" to another machine is accomplished in actuality by sending packets into the "ether," which are picked up and forwarded by one or more other machines. A TRACERT will demonstrate this. Those are machines we all use and although a very large resource, limited.
QUOTE(Paranoid2000 @ Dec 19 2006, 01:15 PM) *
Specifically it sends a URL containing all the order data (about 600 bytes) and receives back a webpage under 340 bytes in size (it used to be blank but the spammers added a scri_pt to fire up 100 popups). So at under 1,000 bytes per transaction, 35,000 orders would take 35MB bandwidth plus protocol overheads.

By way of contrast a typical SpamCop report would take over 50K (22,600 bytes submission page plus 29,000 bytes report page plus the size of the spam submitted). So this retaliation example would have taken the same bandwidth as 700 typical SpamCop reports - and I'm willing to bet I alone have submitted close to that number for this particular spammer.

The other retaliators are bandwidth-light also since they work by emulating "normal" web traffic.
<snip>
...Put that way (and assuming you are correct, which I shall until someone else shows you to be wrong), this makes it seem less abusive. Nevertheless, I would still prefer more conventional means of reporting spam abuse, such as reports to providers, registrars, FTC, etc but, then, that's just my opinion and others are free to act on their own opinions (provided those opinions are grounded in analysis such as presented by Paranoid2000 in the quote immediately above and not simply on a desire for a "clever" retaliatory scheme).

QUOTE(Farelf @ Dec 19 2006, 11:47 AM) *
QUOTE(turetzsr @ Dec 20 2006, 12:19 AM)
Well, precisely that retaliation tactic might, in fact, be misusing the internet.
No question in my mind, it is misuse.
...Glad we agree on that but it's not you to whom I'm referring when I mention people who might not be thinking along these lines or are not knowledgeable enough to come to a valid conclusion (and by "valid" I don't mean necessarily the same one we've come to -- that it is abuse).
QUOTE(Farelf @ Dec 19 2006, 11:47 AM) *
QUOTE(turetzsr @ Dec 20 2006, 12:19 AM)
I expect there are many people considering retaliatory tactics who are not clued in to that. Even whether any particular retaliation tactic is a misuse of the internet probably needs to be aired before people can make an informed judgment as to whether to use it.
Hadn't considered that - then I've never thought "the end justifies the means[1]" to be morally defensible and things are pretty clear cut if one can proceed from there.
<snip>
...Again, you aren't the subject of my call for consideration.
...Isn't "the ends don't justify the means" a misquote? After all, if the ends don't justify the means, what does? My understanding is that the point is that the ends don't justify just any means.
Farelf
QUOTE(turetzsr @ Dec 20 2006, 02:35 PM) *
...Isn't "the ends don't justify the means" a misquote? After all, if the ends don't justify the means, what does? My understanding is that the point is that the ends don't justify just any means.
Well, sure, ... what? "The ends justify the means" is often quoted in an inverted context to demonstrate just the opposite but then wrongly (in my view) taken by others to "prove" the literal meaning. Such twistings are common - through limited attention spans, Chinese whispers, malice and politics.

St. Iggy of Loyola (sp), oft-quoted proponent of the wrongful maxim has supposedly been given a bum rap in exactly that sense. "Loyola's mandate was that the end justified the means, and any means of restoring Vatican domination was acceptable." - voxfux.com (!). The official line is that, to the contrary, "He impressed on his followers the doctrine that in all things the end was to be considered. Never would Ignatius have countenanced so perverted an idea as that the end justified the means, for with his spiritual light and zeal for God's glory he saw clearly that means in themselves unjust were opposed to the very end he held in view." (11th edition, Encyclopaedia Britannica).

But yeah, in the normal course of events the means to any given end are justified by it (either fortuitously or deliberately considered). The danger is in assuming it is always so, and especially if the means are illicit or the importance of the ends turns out to be exaggerated.
sgrayban
QUOTE(Paranoid2000 @ Dec 17 2006, 01:06 PM) *
Since there is now a new wave of this spam (plus the related operation "LegalRX"), now would seem a good time to point out that a retaliator is available which can place fake orders (including a CC number that passes the site's verification). This is effective enough that the spamgang behind these sites soon block IP addresses (use Tor to get around this), so enough people using it should encourage them to stop spamming altogether.

This retaliator requires the Firefox browser with the Greasemonkey extension (with NoScript and User Agent Switcher extensions strongly recommended). See the Pharma KS FormFiller thread for more details and download location.

I ran this over night and it placed 3,237 orders until they banned the IP address. I'm working on my 2nd IP address now LOL.
jongrose
QUOTE(Telarin @ Dec 19 2006, 01:42 PM) *
By poisoning the spammers database so that only 1 in 1000 or 10000 leads is usable, you have done a HUGE service to protect the people that were nieve (read: ignorant) enough to put real information into these forms.

Well, one could argue that there are two vigilante methods of spam poisoning: passive and aggressive. On my blog, I use a passive means. Other people might opt for the aggressive means, which would be the scri_pt flood attacks on spamvertized URLs.

(BTW, why is the word s c r i p t censored out?)
Wazoo
QUOTE(jongrose @ Dec 22 2006, 11:05 AM) *
(BTW, why is the word s c r i p t censored out?)

One word
more words
and I don't recall getting back to making a Forum FAQ entry, now that you ask.
qjvgpuryy
QUOTE(Wazoo @ Dec 22 2006, 01:41 PM) *

You didn't include this post? I'm hurt (j/k)!
Wazoo
QUOTE(qjvgpuryy @ Dec 22 2006, 02:29 PM) *
You didn't include this post? I'm hurt (j/k)!

Ouch! A better Subject line, a better question, a better answer, .... a much better link.
Apologies and thanks ....
qjvgpuryy
QUOTE(Wazoo @ Dec 22 2006, 04:44 PM) *
Ouch! A better Subject line, a better question, a better answer, .... a much better link.
Apologies and thanks ....

No need for that, and you're welcome. (Good thing I remembered asking about it.)
btech
QUOTE(jongrose @ Dec 22 2006, 09:05 AM) *

On my blog, I use a passive means.

I just added that to all my CMS-based sites... we'll see if it does any good.

Now, I know that SC's main objective is to report the source of spam, but the recent inability to catch a reporting address for a spamvertized link is a little disheartening.

http://www.spamcop.net/sc?id=z1179130855zd...2550d5a40b8ba4z

Couldn't catch: copeckstable.com, which can be pinged: http://www.dnsstuff.com/tools/ping.ch?ip=copeckstable.com. The DNS WHOIS finds the record and a traceroute finds the hosting IP: http://www.dnsstuff.com/tools/tracert.ch?ip=copeckstable.com.

So why is SC not catching this?
turetzsr
QUOTE(btech @ Dec 28 2006, 04:41 PM) *
<snip>
Now, I know that SC's main objective is to report the source of spam, but the recent inability to catch a reporting address for a spamvertized link is a little disheartening.

http://www.spamcop.net/sc?id=z1179130855zd...2550d5a40b8ba4z

Couldn't catch: copeckstable.com, which can be pinged: http://www.dnsstuff.com/tools/ping.ch?ip=copeckstable.com. The DNS WHOIS finds the record and a traceroute finds the hosting IP: http://www.dnsstuff.com/tools/tracert.ch?ip=copeckstable.com.

So why is SC not catching this?
...This is way beyond my direct knowledge but I infer from StevenUnderwood's reply in SpamCop Forum thread "DNS entries missing?" that SpamCop does not use tracert but rather uses domain: http://www.dnsreport.com/tools/dnsreport.c...opeckstable.com (or something analogous).
...Hopefully someone more knowledgeable that I will happen by with a more complete and/or authoritative answer.