
ernesto[at]osint.net who are You?


karlisma


Three types of spam:

1. one third of it is stock-buyer "guides"

2. one third is Russian viaghhrax sellers via Chinese domains.

3. one third is spamvertised domains registered to ernesto[at]osint.net

Who are You, Ernesto?

I love You... geeels alvays pik da gaiz viz mani!


  • 2 months later...

A copy of an e-mail I sent to osi[at]osi.net, domadmin[at]uvg.edu.gt (CC ernesto[at]osint.net, info[at]uvg.edu.gt):

*****************************************************************************

Subject: English assistance required - a security problem in your network!

Dear Colleagues,

I am constantly plagued by sexually explicit spam advertising sites that appear to be located in your network (SpamCop gives "ernesto[at]osint.net" as the administrative contact). Today's batch of spamvertised domains that made it through my relatively strict spam filter includes, among others,

http://numader.com/i/sp/

http://slusgast.com/y/xl2/

http://garefil.com/i/xl2/

http://unigaimop.com/y/xl2/

http://desmeif.com/i/sp/

Moreover, all these sites seem to reside at 168.234.218.4, which gives just the standard default Apache server start page when contacted directly, and appears to be associated with Universidad del Valle de Guatemala. I therefore suspect that this is a cracked server running some weird trash, and that your colleague Ernesto might be an innocent victim. However, I would be really grateful if you could bring this issue to the attention of someone responsible, and help to stop this. My possibilities are somewhat limited, since I do not understand Spanish, and I also do not know any Spanish-speaking person here.

Any feedback will be appreciated (even an information that I found a completely wrong address, if this happens to be the case).

With best regards,

Fatima Cvrckova, Prague, Czech Republic

This issue is apparently widely known (see e.g. http://forum.spamcop.net/forums/lofiversio...php/t6950.html),

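The investigation in the e-mail above (several throwaway domains, one hosting IP, a default Apache page when the IP is hit directly) is what an abuse reporter repeats for every batch. The script below is an added example, not part of the thread: it groups spamvertised URLs by the address they resolve to and builds the HTTP request that actually reaches a name-based virtual host. The URLs and the address 168.234.218.4 are the ones quoted in the e-mail; FAKE_DNS is a constructed stand-in for DNS answers (an assumption) so the script runs offline, and abuse-report-check/1.0 is a made-up User-Agent string.

```python
"""Cluster spamvertised URLs by hosting IP and show why a direct hit on the
IP returns the default page: name-based virtual hosting selects the site
from the Host header, so a request without one lands on the default vhost.
Added example, not from the original thread."""
import socket
from collections import defaultdict
from urllib.parse import urlsplit

# The five domains quoted in the e-mail above.
SPAMVERTISED_URLS = [
    "http://numader.com/i/sp/",
    "http://slusgast.com/y/xl2/",
    "http://garefil.com/i/xl2/",
    "http://unigaimop.com/y/xl2/",
    "http://desmeif.com/i/sp/",
]

# Constructed resolver table (assumption): stands in for live DNS answers.
FAKE_DNS = {
    "numader.com": "168.234.218.4",
    "slusgast.com": "168.234.218.4",
    "garefil.com": "168.234.218.4",
    "unigaimop.com": "168.234.218.4",
    "desmeif.com": "168.234.218.4",
}


def fake_resolve(hostname):
    """Offline stand-in for socket.gethostbyname; raises KeyError if unknown."""
    return FAKE_DNS[hostname]


def hostname_of(url):
    """Bare, lower-cased hostname of a URL (raises if the URL has none)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def group_by_ip(urls, resolve=fake_resolve):
    """Map each hosting IP to the sorted hostnames served from it.
    Names that do not resolve are collected under the key None."""
    groups = defaultdict(set)
    for url in urls:
        host = hostname_of(url)
        try:
            ip = resolve(host)
        except (KeyError, socket.gaierror):
            ip = None
        groups[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


def vhost_request(hostname, path="/"):
    """Raw HTTP/1.1 request that reaches the named virtual host.  The same
    GET sent to the bare IP without a Host header selects the server's
    default vhost, which on a stock Apache box is the start page."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {hostname}\r\n"
            "User-Agent: abuse-report-check/1.0\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def abuse_summary(groups):
    """One line per hosting IP, naming how many spamvertised hosts share it."""
    lines = []
    for ip, hosts in sorted(groups.items(), key=lambda kv: str(kv[0])):
        label = ip or "unresolved"
        lines.append(f"{label}: {len(hosts)} host(s): {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    grouped = group_by_ip(SPAMVERTISED_URLS)
    print(abuse_summary(grouped))
    print(vhost_request("numader.com", "/i/sp/").decode("ascii"))
```

Pass `resolve=socket.gethostbyname` to `group_by_ip` to use real DNS. Five unrelated-looking domains on one address is the pattern to put in the report, together with the fact that the IP alone shows only the default vhost; the reader at the abuse desk needs the hostnames to find the content on their own server.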

> <snip>
>
> Subject: English assistance required - a security problem in your network!
>
> <snip>
>
> I do not understand Spanish, and I also do not know any Spanish-speaking person here.
>
> <snip>

Hi, Fatima!

...This might help: Free Online & Professional Translation by WorldLingo. Sometimes it is overly literal, so the results may be humorous or hard for a Spanish speaker to understand, but .... :) <g>


  • 2 weeks later...
There has been a tool released for tackling these sites by placing fake orders directly with their backend database. See the Kill Spammers Spur-M-Enator thread for details.

This works with Safari on Mac as well as Firefox on PC (haven't tried Firefox 2 with it yet).

This seems at first sight an excellent method to get spammers to stop. I do however see potential problems.

How much of this is just pure revenge motive clouding the real issues? It would certainly feel great leaving it running :) but are there any moral questions here? Also, a 'defense' can always be turned around into an attack. This could be modified and used against bona fide companies as an extortion lever, similar to deliberately spamvertising innocent parties to extort money.

Just asking - no firm opinion yet as I'm still thinking it through. :unsure:


The Wilders New spam Retaliation Tool thread has some discussion of the ethics/morals of this. Ultimately though, if someone is filling your inbox with junk and not giving you the chance to stop them, this sort of response is not only justifiable but necessary IMHO.

As for possible abuse - look at the code. It has to be tailored to a site and in this case was only possible due to the total lack of security on these spammers' systems (credit card details passed through in the clear, for example). This type of action could not be done with any legitimate merchant using a properly secured setup - while other means of harassment are possible, an attacker would need to get large numbers of PC users involved for them to be effective.


> The Wilders New spam Retaliation Tool thread has some discussion of the ethics/morals of this. Ultimately though, if someone is filling your inbox with junk and not giving you the chance to stop them, this sort of response is not only justifiable but necessary IMHO.
>
> As for possible abuse - look at the code. It has to be tailored to a site and in this case was only possible due to the total lack of security on these spammers' systems (credit card details passed through in the clear, for example). This type of action could not be done with any legitimate merchant using a properly secured setup - while other means of harassment are possible, an attacker would need to get large numbers of PC users involved for them to be effective.

Just been on wilderssecurity prior to reading your message :P Synchronicity strikes again...

My Heart says: Right, I've thought it through. Go get 'em.

It's not dissimilar to ripping up junk mail and 'distributing' it back to the senders. This incurs a cost on them* so why not in this case? * The odd metal item included in the envelope bumps the weight up nicely.

My Head says: Yes, I think I can justify it ethically, now what about any legal or practical implications. My guess is that there couldn't/wouldn't be any. Would any ISP take a complaint from them seriously?


...My only concern about such retaliatory schemes is filling the internet with packets (I don't know if that applies to this scheme but it seems likely from what I've read of it here). One of the evils of spam is that it takes internet resources to send those packets around ... same problem may be true of the retaliation.


True - any response consumes some network bandwidth. However, this is only a fraction of that taken up by spam, so it doesn't take much for such measures to have a net benefit (pun intended). I've only received a couple of spams from this bunch in the last two weeks, compared to the 3-4 a day I was seeing previously.

Ultimately though, this forces spammers to incur higher costs in terms of creating a more secure setup, which in conjunction with those needed to bypass filters (scrambling content, renting botnets) and avoid shutdown ("bulletproof" hosting, compliant domain registrars) means that only the largest and best-organised operations can make a profit. It is when these costs outweigh the profits that the spammer business model dies, and that has to be the objective for anyone who wishes to be able to keep using email in the future.


> ...My only concern about such retaliatory schemes is filling the internet with packets (I don't know if that applies to this scheme but it seems likely from what I've read of it here). One of the evils of spam is that it takes internet resources to send those packets around ... same problem may be true of the retaliation.

Fair point. If the retaliation has the desired effect of reducing spam then the overall level of resource usage would go down - but is this likely? I think it's definitely worth testing, but still find myself vaguely uncomfortable with the notion of retaliation. Hmmmm...

As a separate thought, heaving all that spam around must generate masses of heat and energy usage - I wonder how much CO2 spam contributes?


Keep in mind that the bandwidth consumed by posting data to their website is PAID FOR bandwidth, unlike most of the bandwidth stolen by sending spam. It is either paid for by the spammer themselves if they are using some kind of bulletproof hosting, or by the clueless ISP if they are unknowingly harboring spammers. Either way, it seems justified to me.

Not to mention the fact that most of these sites are designed primarily for the purpose of credit card and identity theft, so if you can poison a list so that 99% of the leads and credit card numbers on it are bogus, you have done a service to the handful of clueless people that put real data in as you have made the list unusable.

However, you need to make sure that the fake leads are not easily separable from the good leads. This means you'll need to use a rotating IP proxy; otherwise they can just throw out all the leads that were logged from the same IP address, meaning you have only wasted a few seconds of their time. This is where things start to get kind of hairy though. Most rotating proxy software uses "open proxy" lists, most of which are compromised computers, so then you are getting into the same kinds of resource theft that the spammers engage in.

I suppose it is up to each person to decide if the ends justify the means, since no two people are going to weigh all of these factors the same.

> As a separate thought, heaving all that spam around must generate masses of heat and energy usage - I wonder how much CO2 spam contributes?

I don't know if you intended that as a joke, but in reality, you are probably on to something. A computer under load consumes substantially more power than an idle computer, and since spam accounts for 80%+ of all email traffic, one can easily conclude that it probably accounts for a substantial amount of power when you add it all up. I think it would be nearly impossible to work out realistic figures on just how much, but if you were inclined and had the equipment to measure, you could probably work out some estimates.

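The filtering step the post above describes, throwing out every lead logged from one address, is trivial to write, and so are two further checks that a rotating address does not defeat. The code below is an added example, not from the thread or from any tool it mentions, written from the side of whoever receives the submissions: it separates synthetic orders from a lead log by per-IP volume, by a mechanical submission cadence, and by a repeated (User-Agent, name) fingerprint. The lead records are constructed sample data (an assumption), the addresses are documentation ranges, and the thresholds are illustrative.

```python
"""Separate synthetic form submissions from a lead/order log.
Added example, not from the original thread.  Three independent signals:
per-IP volume, fixed inter-arrival cadence, and a repeated field fingerprint.
Only the first is defeated by rotating the source address."""
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple


class Lead(NamedTuple):
    ts: str      # ISO 8601 timestamp from the web server log
    ip: str      # source IP as logged
    ua: str      # User-Agent header
    name: str    # name field from the order form
    last4: str   # last four digits of the card-number field


# Constructed sample data (assumption): two ordinary-looking leads plus a
# burst of six poisoned ones fired every 120 seconds from a single address
# by a form filler that never varies its User-Agent or name.
SAMPLE_LEADS = [
    Lead("2007-01-10T10:00:00", "203.0.113.7", "Mozilla/5.0 (Windows)", "A. Buyer", "4242"),
    Lead("2007-01-10T10:31:00", "192.0.2.44", "Mozilla/5.0 (Linux)", "C. Other", "0005"),
] + [
    Lead(f"2007-01-10T11:{2 * i:02d}:00", "198.51.100.3", "Mozilla/5.0 (Mac)",
         "B. Person", f"{1880 + i:04d}")
    for i in range(6)
]


def _epoch(ts):
    """Seconds since the epoch; only differences between values are used."""
    return datetime.fromisoformat(ts).timestamp()


def flag_by_volume(leads, max_per_ip=2):
    """IPs that submitted more than max_per_ip leads: the naive filter."""
    counts = Counter(lead.ip for lead in leads)
    return {ip for ip, n in counts.items() if n > max_per_ip}


def flag_by_cadence(leads, tolerance_s=5.0, min_gaps=3):
    """IPs whose consecutive submissions arrive at a near-constant interval,
    the signature of a script with a fixed sleep between orders."""
    by_ip = defaultdict(list)
    for lead in leads:
        by_ip[lead.ip].append(_epoch(lead.ts))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= min_gaps and max(gaps) - min(gaps) <= tolerance_s:
            flagged.add(ip)
    return flagged


def flag_by_fingerprint(leads, max_repeat=2):
    """(User-Agent, name) pairs recurring more than max_repeat times.  A
    form filler that does not vary its fields leaves this fingerprint even
    when every submission comes from a different exit address."""
    counts = Counter((lead.ua, lead.name) for lead in leads)
    return {fp for fp, n in counts.items() if n > max_repeat}


def separate(leads):
    """Split leads into (clean, suspect) using all three signals."""
    bad_ips = flag_by_volume(leads) | flag_by_cadence(leads)
    bad_fps = flag_by_fingerprint(leads)
    clean, suspect = [], []
    for lead in leads:
        if lead.ip in bad_ips or (lead.ua, lead.name) in bad_fps:
            suspect.append(lead)
        else:
            clean.append(lead)
    return clean, suspect


if __name__ == "__main__":
    clean, suspect = separate(SAMPLE_LEADS)
    print(f"clean={len(clean)} suspect={len(suspect)}")
    # Same burst with a fresh address per submission: the volume and
    # cadence checks go quiet, the fingerprint check still catches it.
    rotated = [lead._replace(ip=f"10.0.0.{i}") for i, lead in enumerate(SAMPLE_LEADS)]
    print(f"rotated: volume={flag_by_volume(rotated)} cadence={flag_by_cadence(rotated)} "
          f"fingerprint={flag_by_fingerprint(rotated)}")
```

The point for the thread's discussion is the second run: once the address rotates, the IP-based checks return nothing, but identical User-Agent and name fields still single the burst out, and with a fixed sleep between orders the cadence check would too if the timestamps were compared across addresses. Separability depends on every field the backend logs, not only on the source IP.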

> <snip>
>
> Keep in mind that the bandwidth consumed by posting data to their website is PAID FOR bandwidth, unlike most of the bandwidth stolen by sending spam. It is either paid for by the spammer themselves if they are using some kind of bulletproof hosting, or by the clueless ISP if they are unknowingly harboring spammers. Either way, it seems justified to me.
>
> <snip>

Hi, Will,

...If you are responding to my post (not clear, as you didn't "quote" anything), I was not referring specifically to the bandwidth consumed by the hosting service provider, but, rather, the resources consumed passing the packets through the internet.

...Addressing the resources of the hosting provider: the retaliation could still be harming innocent bystanders (innocent customers of the provider). If the retaliatory program were the only way of getting the attention of the hosting provider, that would be one thing, but if there were other ways, I would prefer means other than this type of retaliation.


> I don't know if you intended that as a joke, but in reality, you are probably on to something. A computer under load consumes substantially more power than an idle computer, and since spam accounts for 80%+ of all email traffic, one can easily conclude that it probably accounts for a substantial amount of power when you add it all up. I think it would be nearly impossible to work out realistic figures on just how much, but if you were inclined and had the equipment to measure, you could probably work out some estimates.

Sounds like a doctoral thesis ;)


> ...This means you'll need to use a rotating IP proxy; otherwise they can just throw out all the leads that were logged from the same IP address, meaning you have only wasted a few seconds of their time. This is where things start to get kind of hairy though. Most rotating proxy software uses "open proxy" lists, most of which are compromised computers, so then you are getting into the same kinds of resource theft that the spammers engage in.

This is where Tor comes in - an anonymising network made up of hundreds of volunteer users worldwide. The Tor client will change connections every 10 minutes by default, making this an excellent choice for fulfilling all your pharmaceutical needs. :) Please do consider participating as an exit node if you do make use of Tor in this fashion though - the more nodes, the harder it is for a spammer to block them all (installing the Vidalia GUI makes setup simpler and provides a useful bandwidth graph and network map).

As for the cost of spam, the greatest would seem to be time involved - even the casual deleter would need a second per spam. SpamCop reporters would likely take 10 seconds to a minute or more to report (depending on the details and investigation involved) with those doing more in-depth reporting (checking for site redirection, reporting to domain registrars) easily racking up 30 minutes or more.

Then you have ISP abuse desks, mail server administrators, blocklist maintainers, anti-malware (botnet) groups, companies and individuals along with law enforcement. Even a small time spammer is likely responsible for more lost time by society generally than a serial killer, so the main ones should certainly merit long (lifetime ideally) imprisonment.


Just a quick note - the spammers' database server appears to have been taken down so the Spur-M-Enator can no longer be used (it just returns SQL errors). However Karlston's Firefox FormFillers can be used (FormFiller HGH in this case) to automate the process of placing orders at specific sites - they will ban IP addresses after multiple orders but with Vidalia/Tor, you can just keep changing address (Vidalia includes a "New Identity" option for manual switching).

I find that the most effective method is to go through the order process, then hit Back twice at the confirmation page to return to the item selection.

These spammers seem to have given up on poor old Ernesto though - did he keel over from too much Viagramax? :lol:


Archived

This topic is now archived and is closed to further replies.
