LART'ing spammers...

[HillsCap]

Hi, all.

You know from my other posts that I run the JackPot fake SMTP server/teergrube/honeypot. So far, I've dumped over 1.3 million emails in the past week alone using that.

But I also have other tools in my LART arsenal... one of them being FriedSpam (http://www.FriedSpam.net/).

But, me being like I am (always pushing the envelope and trying new ways of doing things), I don't use FriedSpam like most people do.

Most people use FriedSpam to repeatedly download a web page from a spammer's website, using a direct connection from their machine to the spammer's website. Unfortunately, doing this reveals your IP address to the spammer, leaving you open to hacking and DDoS/DoS attacks. I've been through several myself.

So, I went about finding a way to still use FriedSpam, while obfuscating my IP address.

I found the solution in what is called an 'Anonymous Proxy Rotator'. Essentially, what an Anonymous Proxy Rotator does is allows your machine to connect through a constantly rotating list of anonymous proxies to download the web page from the spammer's website. Thus, the spammer never sees your IP address, and can't attack you.

The program I use is called MultiProxy... it's an older program that hasn't been updated in a couple years, but it's rock-solid and never gives me any problems.

The way I've got it set up for the IP chain is:

IE <<Port 8081>> WebWasher <<Port 8082>> MultiProxy <<external proxy port>> external proxies <<>> FriedSpam.net <<>> spammer's website

Essentially, I set it up in Control Panel >> Internet Options >> Connections tab >> LAN Settings >> Advanced, so that HTTP requests went to localhost, port 8081. This connects IE to WebWasher. In the Exceptions box, I put sites I regularly visit that I want to bypass the proxy.

I then went into the WebWasher Preferences, and set the 'Local HTTP proxy port' to 8081.

In WebWasher Preferences, under Proxy Engine >> Client, I set up HTTP 1 to use 127.0.0.1, port 8082, and again put the sites I regularly visit and want to bypass the proxy into the 'Do not use proxy servers for domains beginning with:' box.

This connects WebWasher to MultiProxy.

In the MultiProxy Options >> General Options tab, I set the 'Accept connections on port' setting to 8082.

On the MultiProxy Options >> Advanced Options tab, I clicked 'Override local IP', and entered 127.0.0.1 as the Local IP, and clicked 'Override local host', and entered localhost at the Local Host.

In the 'Allow connections from the following IP addresses only' box, I put 127.0.0.1.

Now comes the hard part... acquiring, maintaining and updating your list of anonymous proxies.

I went to http://www.StayInvisible.com/ and cut-and-pasted every proxy listed into NotePad.

After cutting and pasting all the proxies (approximately 1300 of them) from all the pages, I saved the file to my Desktop. I then went into Excel, and imported the file, using spaces as the column delimiter.

I used the Data >> Sort menu to sort the proxies by their level of anonymity, and removed all proxies listed as 'Transparent'. You DO NOT want to use transparent proxies, as they show your IP address.

I then removed all columns of data except for the proxy IP address and the port number.

I selected all of the remaining data, and pasted it into a new NotePad window, then did a Search-And-Replace, searching for a single space ( ), and replacing it with a colon (.

This gave me my list in the required format to import into MultiProxy... namely:

IP Address:Port

which I saved to a plain .txt file on my Desktop.

I went to the MultiProxy Options >> Proxy servers list tab >> Menu button >> Files >> Import Proxy List, to import that file into MultiProxy.

After doing that, I went to MultiProxy Options >> Proxy servers list tab >> Menu button >> Proxy List >> Test all proxies.

After testing, the proxies that didn't pass the internal MultiProxy tests were marked with a red dot. The ones that did pass were marked with a green dot. I selected all the red-dot marked proxies, right clicked, and selected 'Delete' to get rid of the test failures.

Next, I tested again a few times, just to be sure, deleting any red-dot marked proxies that showed up in the list.

I then selected MultiProxy Options >> Proxy servers list tab >> Menu button >> Files >> Export All, saving the resulting .txt file on my desktop.

After that, I started another program I found called Proxy Clean, which contains a list of proxy servers controlled by various governmental and law enforcement agencies. I used this program to clean the exported proxies list. (If any of you needs the updated list of proxies controlled by governmental and law enforcement agencies, let me know and I'll send it to you. The list that comes with Proxy Clean is pretty sparse, so I did some research of my own on hacker sites and doing a lot of WHOIS' with Sam Spade to come up with an updated list.)

After cleaning the list, I selected all the proxies in MultiProxy Options >> Proxy servers list tab and deleted them, then went to MultiProxy Options >> Proxy servers list tab >> Menu button >> Files >> Import proxy list, importing the cleaned list.

As a final step, I right-clicked on WebWasher, selected 'Use a proxy server' to send IE HTTP requests through the anonymous proxies, then surfed to Google, where I searched for the word 'porn'.

I know what you're thinking, but I don't surf porn... we're using the search results as a final test of the anonymous proxies, for two very good reasons...

1) Some of these proxies will pass the internal MultiProxy tests, but will redirect you to sites of their own... so if the Google search results look normal, that proxy must be working as we want it to.

2) Some proxies will block certain content. By searching for the worst of that content, we'll trigger any blocking that might take place, so we can remove that proxy from our list.

Now, I went into the MultiProxy Options >> Proxy servers list tab, and selected all but the first proxy, right clicked, and selected 'Disable'. This disabled all but the first proxy. I then clicked the 'Next' link in the Google search page to see if that proxy was working as I wanted.

If it was, I disabled it, enabled the next one in the list, and repeated the process, clicking the 'Next' link in the Google search page again.

If the proxy either blocked the content, or redirected me, I clicked that proxy, right-clicked, and selected 'Delete', removing that proxy from the list. If the proxy was too slow to be usable, I did the same.

After completing that rather lengthy process, I had a large list of fast, anonymous proxies that didn't block content and didn't redirect me.

Now, I was ready for FriedSpam.net... I just surfed to http://www.FriedSpam.net/, entered the list of spammer URLs that I wanted to 'fry', and hit the 'Start' button.

I'm using it right now, as a matter of fact...

[jseymour]

Now, I was ready for FriedSpam.net... I just surfed to http: //www.FriedSpam.net/, entered the list of spammer URLs that I wanted to 'fry', and hit the 'Start' button.

I'm using it right now, as a matter of fact...

I would call this "fighting abuse with abuse" and consider it an unacceptable breach of ethics. In addition to stooping to the spammers' level, you also run the risk of attacking an innocent bystander's site and/or violating your ISP's terms of service.

[HillsCap]

'Fighting abuse with abuse', as you call it, works.

That's why we have a little thing I call 'war'.

These are bad people we're dealing with, they don't understand or respond to 'niceness'. They'll do anything and everything they can to try to make money at other peoples' expense. We HAVE to fight fire with fire.

In a similar fashion, we have to fight rogue nations or leaders, with war... they'll do anything to attain and sustain their power, because it makes them rich and powerful. They'll use people and resources that they have no right using. They'll try to expand their borders (and thus their power and wealth) without regard to others.

Both rogue leaders/nations and spammers operate outside normal conventions of society and outside the law... making laws to stop them doesn't work, since they ignore laws. Asking them nicely to stop their nefarious activities doesn't work, because they're only concerned with themselves, and don't care about how much damage they do to others. They don't respect others.

And it's all about respect or fear. If they don't respect you, they MUST fear you. Otherwise they'll walk all over you.

Respect isn't in the vocabulary of a spammer, if it was, they wouldn't rape SMTP servers, infect people's computers with trojans so they can control them and send spam, inundate everyone with an aggregate estimated 2.5 billion spams per day, completely fill server hard drives of smaller ISPs with their cruft while at the same time driving these smaller ISPs out of business due to their bandwidth requirements sometimes doubling or tripling just due to spam, etc.

Since respect isn't an option, we have to make the spammers FEAR. They have to be made so afraid to send out spam that they don't do it. They have to fear for their websites, for their internet connections, for their income, even for their freedom (put them in jail), etc.

The only way to do that is to start taking them down... hit them where it hurts. Go after their sources of revenue to make spamming such a painful endeavor that they give up. Call in all your resources to bring them down... take down their websites by contacting their webhosts, fill their email accounts with crud so anyone trying to buy from them via email gets their email bounced (takes away their customers), convince their mail providers to redirect incoming email to spammer accounts to the bit-bucket while leaving that account open (confuses the spammers, since they're getting no response to their spam), get the government to go after them by reporting them to the FTC (and in the case of internet pharmacies, the FDA), block their spew by reporting to the Block Lists, fill out their web forms or shopping carts with bogus information to waste their time and money, run up their bandwidth (and thus their hosting costs) to make spamming no longer economically viable, teach people to never respond to spam by purchasing from spammers (to take away their income stream), run a fake SMTP server to absorb and dump their spew (reduce their ability to reach their audience), find out who their credit card processing company is, and report to them to take away their ability to accept credit card purchases, report to the credit card processing company's ISP and mail host, so if they continue to support spammers, they'll be shut off from the 'net, etc.

You call it abuse... no, what they are doing is abuse... what I am doing is defending the internet from the abusers by striking back at them, forcing them to back down. Without them, we stand to save an estimated annual $51.2 billion (U.S.) worldwide in costs associated with dealing with spam (additional equipment and software purchases, lost productivity, bandwidth costs, etc.).

Trust me, I've tried every other way... I've tried just hitting the 'Delete' key, I've tried unsubscribing, I've tried complaining to their web hosts and ISPs, I've tried reporting them to the Block Lists.

It wasn't until I 'stooped to their level', as you call it (I call it fighting them on their own battleground... they waste my time and resources, I waste theirs... it's a war of attrition, and I refuse to be attrited) that they left me alone. I've only gotten one spam this week, only 14 over the last month, and I guarantee I'll never get spam from any of them again.

As for Joe-jobs, it's pretty easy to tell what is and isn't a Joe-job, after you've seen 10,000 or so spams. It becomes second nature.

As for my ISP, they don't consider it abuse or a violation of their TOS until I've breached the provisions of the Computer Fraud and Abuse Act... which I definitely haven't.

[dra007]

I and I suspect many other here support and admire your fighting spirit. Personally I have no moral or ethical reservations fighting the criminal spammers tooth and nail... and using every single means available to do it... In my case it made a big difference already, one of my ISPs has taken an aggressive approach fighting spam... Another is starting to be more understanding and receptive to my complains...

It is really in the ISPs hands how they handdle this fight and it is only when users are concerned and put the right pressure that results become palpable.

Unfortunately it is the biggest ISPs who are the worst offenders, they deal with volume, not quality, having their offending IPs blocked may be the only method to get them to react and do something about it... Lately I've started getting report confirmations from some, especially after pointing to the illegal nature of their spew..

[cybersaur]

By any means necessary!

[HillsCap]

The really cool thing is that if you don't get a lot of spam anymore, but still want to use FriedSpam.net to go after spammers, you have a real-time list of spammers at your disposal.

http://www.spamcop.net/w3m?action=inprogress&type=www

Just pick 5 or so from the above list, drop them into FriedSpam, and let it run.

You can also fashion URLs (instructions are on the FriedSpam.net website) so your more technologically-challenged friends can just click a link on your website, 'blog, or an email you send them, and it'll all be set up for them. You can even set it up so they don't even have to click the Start button... they just click the link, and they're frying spam.

[HillsCap]

Oh, you might want to add one more final step to the procedure outlined above.

Before you use the proxies, you should ensure that they are indeed anonymous proxies.

The easiest way to do this is to disable all but the first proxy in the list, and surf to http://www.dslreports.com/whois .

If your IP address doesn't show there, then that proxy is anonymous. Disable it, enable the next one, and hit the 'Reload' button in your browser, checking the reported IP address again to be sure it isn't your own. Repeat the procedure for each proxy in the list.

If your IP DOES show, then you should delete that proxy from the list.

If you start out with a list of 1000 proxies, after all this testing you'll have around 20-30 good, fast, stable, anonymous proxies.

I've gone through several thousand from around the world, and have built up a list of several dozen that I regularly use to FriedSpam spamvertised websites.

Unfortunately, like everything with spammers, it's an arms race. They're starting to get wise and block each anonymous proxy from accessing their servers. But, I'm creating more work and more expense for them.

Eventually, they'll have a list of every anonymous proxy in the world, and will be blocking our attempts at using FriedSpam in this fashion against them.

That is why I'm coming up with DeepFriedSpam... it's kind of like FriedSpam on steroids... using spoofed packets. If they want to try to block that, they'll have to block every backbone router on the internet, effectively cutting them off from the internet. Let's see them try to beat that...

But I need help on it from some C programming gurus... any takers?

[HillsCap]

In my first post of this thread, I stated that I chain IE through WebWasher, then through MultiProxy, then through FriedSpam.net, to 'data drain' spamvertised websites.

I've learned that if you are simultaneously running the JackPot fake SMTP server / teergrube / honeypot and WebWasher, you'll see memory leaks in WebWasher and memory handle leaks in JackPot.

WebWasher and JackPot don't play well together, so my advice is to stop using WebWasher, and chain IE directly to MultiProxy.

Doing this allows JackPot to run without experiencing memory handle leaks, and speeds up your internet connection so you can fry spamvertised websites faster via FriedSpam.net.

Also, if you're running ZoneAlarm, DO NOT update to the latest version, and DO NOT install the latest update if you're already running the latest version. It's causing major problems (computer hangs and not even Task Manager responds, major memory leaks, etc.). I recommend the Sygate firewall, instead.