Everything posted by HillsCap

  1. I think you might be able to get a DynDNS account to set up JackPot, if you're on a dynamic IP address, but I'm not sure. You'd have to just give it a try and see if it works. As for whether your IP address will get added to the open proxy / open relay lists... that's the idea. That's the fastest way to attract the spammers. Since most people don't (aren't allowed to) do direct-to-MX mailing from their own computer, it won't matter if your IP address is on those lists, since the mail server of your ISP should still be clean, allowing you to send mail without problems. That's how I attracted the spammers to my JackPot... it sat idle for quite a while, so I submitted it to the open relay testing websites to get it listed. After that, the spammers showed up in droves. I've had them try to relay as many as 1,100,000 spams in a day.
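The "fake SMTP server / teergrube / honeypot" this post keeps coming back to is, at bottom, a small SMTP state machine that greets like an ordinary MTA, accepts any MAIL FROM and RCPT TO, answers "250 queued" after DATA, and then relays nothing while logging who tried. The following is an added example written for this page in Python; it is not JackPot's code. The hostname, the per-reply delay, the listening port, the size cap and the scripted session in main() are all assumptions made for the example.

```python
"""
Added example (not JackPot's code): a minimal fake open relay / teergrube.
Greets like an MTA, accepts every sender and recipient, claims to queue the
message, relays nothing, and records each attempt for abuse reporting.
"""
import asyncio
import itertools
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

BANNER_HOST = "relay.example.net"   # assumed hostname; any plausible MTA name will do
TARPIT_DELAY = 2.0                  # assumed seconds of delay per reply (teergrube behaviour)
IDLE_TIMEOUT = 300                  # drop clients that stall this long
MAX_MESSAGE_BYTES = 64 * 1024       # keep at most this much of any one message in memory

_ADDR = re.compile(r"<([^>]*)>")
_queue_ids = itertools.count(1)     # fake queue ids for the "250 queued" reply


@dataclass
class RelayAttempt:
    peer: str            # source IP: the thing worth reporting, unlike forgeable headers
    mail_from: str
    rcpt_to: List[str]
    subject: str
    size: int            # bytes received in DATA, counted even past the storage cap
    timestamp: str


def _extract_address(arg: str) -> str:
    """'FROM:<a@b>' -> 'a@b'; tolerates the bracket-less form some bots send."""
    m = _ADDR.search(arg)
    return m.group(1) if m else arg.partition(":")[2].strip()


class FakeRelaySession:
    """One SMTP conversation. Accepts everything, relays nothing, logs the attempt."""

    def __init__(self, peer: str, log: List[RelayAttempt]):
        self.peer = peer
        self.log = log              # shared list of RelayAttempt records
        self.in_data = False
        self.reset()

    def reset(self) -> None:
        self.mail_from: Optional[str] = None
        self.rcpt_to: List[str] = []
        self.data_lines: List[str] = []
        self.data_size = 0

    def greeting(self) -> str:
        return f"220 {BANNER_HOST} ESMTP ready"

    def handle_line(self, line: str) -> Optional[str]:
        """Feed one client line; return the reply, or None while inside DATA."""
        if self.in_data:
            return self._handle_data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.reset()
            return f"250 {BANNER_HOST} Hello {arg or 'there'}"
        if verb == "MAIL":
            self.mail_from = _extract_address(arg)
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Error: need MAIL command"
            self.rcpt_to.append(_extract_address(arg))
            return "250 2.1.5 Ok"   # any recipient accepted: this is the bait
        if verb == "DATA":
            if not self.rcpt_to:
                return "554 5.5.1 Error: no valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("RSET", "NOOP"):
            if verb == "RSET":
                self.reset()
            return "250 2.0.0 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"

    def _handle_data_line(self, line: str) -> Optional[str]:
        if line.rstrip("\r\n") == ".":
            self.in_data = False
            self.log.append(RelayAttempt(
                peer=self.peer, mail_from=self.mail_from or "",
                rcpt_to=list(self.rcpt_to), subject=self._subject(), size=self.data_size,
                timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds")))
            self.reset()
            return f"250 2.0.0 Ok: queued as {next(_queue_ids):08X}"  # the lie; nothing is queued
        if line.startswith(".."):
            line = line[1:]         # undo dot-stuffing (RFC 5321 section 4.5.2)
        self.data_size += len(line.encode("latin-1"))
        if self.data_size <= MAX_MESSAGE_BYTES:
            self.data_lines.append(line)
        return None

    def _subject(self) -> str:
        for line in self.data_lines:
            if line.strip() == "":
                break               # blank line ends the header block
            if line.lower().startswith("subject:"):
                return line[8:].strip()
        return ""


def attempts_by_peer(log: List[RelayAttempt]) -> Counter:
    """Relay attempts per source IP: the figure to put in the abuse report."""
    return Counter(a.peer for a in log)


async def _serve_client(reader, writer, log: List[RelayAttempt]) -> None:
    session = FakeRelaySession(writer.get_extra_info("peername")[0], log)
    writer.write(f"{session.greeting()}\r\n".encode())
    await writer.drain()
    try:
        while True:
            raw = await asyncio.wait_for(reader.readline(), timeout=IDLE_TIMEOUT)
            if not raw:
                break
            reply = session.handle_line(raw.decode("latin-1"))
            if reply is None:
                continue
            await asyncio.sleep(TARPIT_DELAY)   # teergrube: make every round trip slow
            writer.write(f"{reply}\r\n".encode())
            await writer.drain()
            if reply.startswith("221"):
                break
    except (asyncio.TimeoutError, ConnectionError, ValueError):
        pass
    finally:
        writer.close()


async def run_honeypot(host: str, port: int, log: List[RelayAttempt]) -> None:
    server = await asyncio.start_server(lambda r, w: _serve_client(r, w, log), host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    log: List[RelayAttempt] = []
    s = FakeRelaySession("203.0.113.7", log)    # constructed sample source address
    for cmd in ["EHLO bulkbox.example", "MAIL FROM:<sender@example.invalid>",
                "RCPT TO:<a@example.org>", "DATA", "Subject: constructed sample",
                "", "Buy now.", ".", "QUIT"]:
        s.handle_line(cmd + "\r\n")
    print(log[0], attempts_by_peer(log))
    # asyncio.run(run_honeypot("127.0.0.1", 2525, log))   # real listener; port 25 needs privileges
```

Two points a practitioner would check before running something like this: the DATA handler must never hand the message to a real MTA (the whole value of the honeypot is that the 250 reply is a lie), and the storage cap plus idle timeout are what keep a flood of the size this post describes from exhausting memory or file handles on the honeypot itself.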
  2. Hi, all. If you're looking for a good way to take a hunk out of a spammer's hide, you can easily do so by running up their web hosting costs. I've used FriedSpam.net in the past (you've probably all read my posts on using anonymous proxies to hammer spamvertised websites), but I've got an even better, faster way of hitting them. Some of you may have heard of the Lad Vampire, used to hit 419 sites and run up their hosting costs until they're taken offline. I ran it for a while to be sure it was effective. During that time, I downloaded about 100 GB of data, and helped to take down twelve 419 sites. Since the Lad Vampire source code was contributed anonymously, I figured that Mr. Anonymous probably wouldn't mind if I reworked the code to suit my own purposes. So, that's what I did. You can get a look at it here: http://www.hillscapital.com/antispam/index.htm Feel free to grab the source code and set up a spam Vampire to use against your own spammers. If everyone did this, spamming would be so expensive that the spammers wouldn't be able to spam anymore. You don't need a website to run the spam Vampire, it'll run just as well as a local file on your computer. If you want to help out, I'm currently hammering a couple of HKNet.com hosted websites that HKNet.com said they'd take down, but didn't, and a couple of USA Lenders Network websites.
  3. If they do start up again, I've found that having a FriedSpam.net party with 10 of your friends for a couple weeks usually knocks a clue into the spammer's thick skull. Hitting their website about 100,000 times a day per FriedSpam participant tends to do that. What I've found to be extremely effective is to contact the spammers and TELL them that you'll be hitting their sites, and tell them to never send spam to your domain again. I've only gotten 3 spams so far this week. Of those three, one was from a newbie spammer, and two were from USA Lenders Network (ironically, they give their address as being in Canada), whose sites I've been working on / mauling for a while now.
  4. It looks as though Yahoo! has changed their tune a bit... every spam I submitted to them in the past, even if it contained a Yahoo! email address, came back with their boilerplate "The spam in question does not appear to have originated from or traveled through the Yahoo! mail system." message. Of course, we're using SBC/Yahoo! as our ISP, so ALL the messages to us travel through the Yahoo! mail system, but apparently they weren't smart enough to figure that out. At least now, they're shutting off email addresses that are advertised in spam. It's about time.
  5. I've got some VBA code that might work with older versions of Outlook. I'm running Outlook 2000, that's what it was designed for. It'll work with Outlook 2003, if you change the code workaround that forces Outlook 2000 to immediately send the spam reports, rather than waiting for the next scheduled Send/Receive. Outlook 2000 has a bug in it that requires the code workaround, Outlook 2003 doesn't have that bug. You might also have to change the code that looks at the folders and finds which one you're using for spam. http://www.hillscapital.com/spammerslammer.zip It's got full installation instructions in the source code, including how to create your own security certificate and sign the VBA code with it, so you can keep Macro Security at High, and the VBA code will still run, while blocking unsigned scripts from running. Just open the .bas file in NotePad, and print it out. The instructions are pretty comprehensive (read: long), but it's everything you need to get the code running. The code's got error checking (so you can't accidentally report SpamCop autoresponder emails as spam, so you can't accidentally report non-mail items as spam, etc.), and a whitelist that checks the email's sending address against those in your Contacts folder, so if a friend's email accidentally ends up in your spam folder, and you accidentally try to report it, you've got a chance to cancel the report. You can report multiple spams at once by selecting all of them, then clicking the 'Report As spam' button. And, the code's been tweaked to get around some of the issues that SpamCop experiences (the Would Send error, the Dumb Bot issue, non-printing characters, etc.) It helps if you know a bit of VBA coding, so you can tweak the code to suit you, if you want. I've got my copy set up to report to SpamCop, the FTC, and several Block Lists. You can add in any reporting addresses you want, in either the To:, CC: or BCC: fields. 
The code's open source with attribution, so feel free to tweak it, distribute it, create a self-installing plug-in with it, etc. If you update it, let me know, so I can get a look at the updated code and learn a bit.
  6. It worked. I went to the SpamCop web submission page, entered the headers and body, and removed all references to multipart boundaries from both. Upon submitting, it found the link and submitted to the right place. Now, I just have to figure out how to do that in my VBA code.
  7. No, it's not the application that's the problem... grabbing the spam right off the server via web interface also shows that what I submitted is exactly how the spam was formatted by the spammer, (except for the last 2 lines added by my VBA code). I did quite a bit of work on the VBA code to ensure that it reconstructed the emails the way they were originally. I suppose I could set up the VBA code to do a search through the spam source code, strip out any multipart boundaries, then insert my own, to be sure that it's constructed properly, but that'd be materially changing the source code of the spam, something I think SpamCop frowns upon. Plus, as you said, since spammers don't seem to mind garbling their source code in the interest of filter sidestepping and reporting subversion, if the source code wasn't properly done to begin with, it'd be hard to determine just where to place the new multipart boundaries. I wonder what would happen if I just stripped out all multipart boundaries, didn't enter any new ones of my own, and submitted to SpamCop that way? Would that affect SpamCop's parsing?
  8. Actually, I HAVE experienced this before... when I was working up the VBA code for Outlook. My VBA code creates a new mail message, strips out the headers and body of the spam, concatenates them into one (since you can't get the headers and body all at once in Outlook), puts that into a .tmp file, and attaches that .tmp file to the new mail message. In the body of the new mail message is some information to make the reports compatible with other spam-reporting entities (size of spam, state of residence of spam submitter, date and time received, etc.). I'd set the code so that when it was putting the date and time received, it entered it as: Received: (date and time) SpamCop glitched on this, thinking that it was a header. In that instance, it thought I was reporting two spams... the spam in the attachment, and the new mail message itself. I dubbed it the 'Dumb Bot' error. It was easily fixed in that instance by setting the code to put the date and time received as: Received - (date and time) So, how do I code around this for future spams, since the spammers have obviously found a way to game SpamCop with this?
  9. Aaahhh, I just noticed that, too. That's odd... I got referred to a webpage that says the error was because I'd somehow changed the text of the spam and it wasn't anything the spammer was doing. But, I didn't change anything in the actual spam source code... looking at the source of the actual spam, it's identical to what is in the spam report, except for the addition of the last 2 lines (added by my VBA code). If SpamCop finds headers outside the multipart boundary, shouldn't it just ignore them?
  10. Ooookkkayyyy. When I clicked the button to submit that, I got the following:

      Reports have already been sent.
      No userid found
      Your authorization code is invalid. Please obtain a new authorization code.

      I'm a free SpamCop user, I don't think I ever had an authorization code, whatever that is. Is SpamCop glitching right now, or is it on my end?
  11. Hi, all. Got the following error on a spam I received last night:

      Finding links in message body
      error: couldn't parse head
      Message body parser requires full, accurate copy of message
      More information on this error..
      no links found

      The specific spam report is located at: http://www.spamcop.net/sc?id=z512974943z97...0368fc6fbf3336z The spam itself looks like this: http://www.spamcop.net/sc?id=z512974943z97...&action=display Notice that the only thing added by my VBA code for Outlook (http://www.hillscapital.com/spammerslammer.zip) is the very last two lines... it does this to get around any occurrences of the 'Would Send' error for emails that have no body. This has always worked just fine in the past... but I haven't reported any spam in a while (haven't gotten any in a while), so I'm wondering if some requirement has changed, and if so, how do I change the VBA code referenced above to come into compliance with those changes' requirements? If no requirements have changed, can anyone tell me what's going on with this one? Specifically the 'couldn't parse head, message body parser requires full accurate copy of message' part of it?
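Posts 6 through 11 above circle two separate problems: a spam whose declared MIME boundary never appears in its body ("couldn't parse head"), and metadata in the report body such as "Received: (date)" that a report parser took for a header (the "Dumb Bot" case, cured by writing "Received - (date)"). The following added example, written for this page in Python and not the poster's VBA code, does the two checks locally before anything is submitted: it asks Python's email parser which structural defects it recorded, and it builds a report that carries the original spam untouched as a message/rfc822 attachment while refusing any metadata line that looks like a header. What SpamCop's own parser does with such input is taken from the posts, not verified here; the two sample messages are constructed for the example.

```python
"""
Added example (not the poster's VBA code): pre-submission checks on a spam
and construction of a report that attaches the original as message/rfc822.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# RFC 5322 field name (printable ASCII except ':') followed by ':'
HEADER_LINE = re.compile(r"^[!-9;-~]+:")

# Constructed sample spam with a well-formed multipart body.
GOOD_SPAM = b"""From: "Mailer" <bulk@example.invalid>
To: victim@example.org
Subject: constructed sample
Date: Mon, 01 Mar 2004 10:00:00 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Buy now.
--b1
Content-Type: text/html

<p>Buy now.</p>
--b1--
"""

# Same message, but the declared boundary never occurs in the body: the
# "couldn't parse head / full, accurate copy" situation from the thread.
BAD_SPAM = GOOD_SPAM.replace(b'boundary="b1"', b'boundary="never_present"')


def mime_defects(raw: bytes) -> list:
    """Names of the structural defects the parser recorded; [] if the MIME is clean."""
    msg = message_from_bytes(raw, policy=default)
    names = []
    for part in msg.walk():
        for defect in part.defects:
            name = type(defect).__name__
            if name not in names:
                names.append(name)
    return names


def body_is_header_safe(text: str) -> bool:
    """True if no line of the report body could be mistaken for a header line."""
    return not any(HEADER_LINE.match(line) for line in text.splitlines())


def build_spam_report(raw_spam: bytes, reporter_state: str) -> EmailMessage:
    """Report with metadata in the body and the original spam as a message/rfc822 attachment."""
    spam = message_from_bytes(raw_spam, policy=default)
    metadata = [
        f"Size - {len(raw_spam)} bytes",
        f"Reporter state - {reporter_state}",
        f"Received - {spam.get('Date', 'unknown')}",   # 'Label - value', never 'Label: value'
    ]
    body = "Spam report; original message attached unmodified.\n" + "\n".join(metadata) + "\n"
    if not body_is_header_safe(body):
        raise ValueError("report body contains a line that looks like a header")
    report = EmailMessage()
    report["Subject"] = "Spam report"
    report.set_content(body)
    report.add_attachment(spam)   # message/rfc822: original headers and body stay intact
    return report


if __name__ == "__main__":
    print("good sample defects:", mime_defects(GOOD_SPAM))
    print("bad sample defects:", mime_defects(BAD_SPAM))
    print(build_spam_report(GOOD_SPAM, "Colorado").as_bytes().decode())
```

A spam whose defects list is non-empty is worth submitting through a path that expects a raw, unaltered copy rather than reconstructing it, since any boundary you insert yourself changes the evidence; the attachment route keeps the bytes the spammer sent separate from whatever you add around them.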
  12. In my first post of this thread, I stated that I chain IE through WebWasher, then through MultiProxy, then through FriedSpam.net, to 'data drain' spamvertised websites. I've learned that if you are simultaneously running the JackPot fake SMTP server / teergrube / honeypot and WebWasher, you'll see memory leaks in WebWasher and memory handle leaks in JackPot. WebWasher and JackPot don't play well together, so my advice is to stop using WebWasher, and chain IE directly to MultiProxy. Doing this allows JackPot to run without experiencing memory handle leaks, and speeds up your internet connection so you can fry spamvertised websites faster via FriedSpam.net. Also, if you're running ZoneAlarm, DO NOT update to the latest version, and DO NOT install the latest update if you're already running the latest version. It's causing major problems (computer hangs and not even Task Manager responds, major memory leaks, etc.). I recommend the Sygate firewall, instead.
  13. I figured out where the memory handle leak in my copy of Jackpot was coming from... I actually had three resource leak problems... 1) ZoneAlarm: ZoneAlarm has had a memory leak for quite some time now. The latest update causes users' computers to hang for long periods of time, and the memory leak is worse than ever. I dumped ZoneAlarm, and installed Sygate's firewall. It is awesome... much better than ZoneAlarm. 2) WebWasher kept grabbing memory and not releasing it. It got to the point where I had to shut down WebWasher every few hours. 3) JackPot kept grabbing memory handles and not releasing them, building up to the point where it was sometimes taking over 600,000 memory handles. The WebWasher and JackPot resource leaks were related... for some reason, every time JackPot grabbed a memory handle, WebWasher would take more memory, and every time WebWasher grabbed more memory, it caused JackPot to grab more memory handles. It was a vicious cycle. Shutting down JackPot would make WebWasher stop taking more memory, and shutting down WebWasher would make JackPot stop taking more memory handles. So, I dumped WebWasher. Now, JackPot is running stably, even with 250 simultaneous incoming Port TCP 25 SMTP connections. A side benefit of all this is that my internet connection is much faster now (partly due to dumping ZoneAlarm, partly due to dumping WebWasher). Hence, when using FriedSpam.net through anonymous proxies, I'm hitting spamvertised websites much harder now. Another side benefit (now that I don't have any resource leaks) is that I can LART spammers 24/7 without having to reboot for weeks or months at a time. Look out spammers, here I come...
  14. Yeah, except I get the same exact replies from the Taiwan ISPs when I submit my JackPot fake SMTP / teergrube / honeypot URL for the logs to them, and I keep getting spam from the same IP addresses they say they've shut down. They SHOULD take my LARTs seriously, considering that I'm giving them the IP addresses of the spammers themselves, and not some email headers that might or might not be forged, and due to the fact that I'm reporting hundreds of thousands of spam attempts, not just one spam, but it doesn't seem to matter. I'm now dumping on the order of 600,000 spams per day coming from mainland China, Taiwan, and Hong Kong. I think all of the Taiwan IP addresses should be blocked for a time, that'd make the ISPs there wake up and get a clue.
  15. It's hard for me to gauge the amount of spam that others see, as I haven't gotten any in the last 9 days and counting. All I have to go on is the statistics that spamcop shows me. It looks like it's quite a bit lower, and it's been that way for a while now. If it is because of the SpamCop servers being slow, they've been slow for a few days now... I wonder if they're having problems?
  16. For spam that you've received in the past, you can parse through the (rather lengthy) list of IP addresses and domain names Richter has used: http://www.hillscapital.com/richter.txt Of course, with him moving to CAIS, we'll have to redo the list soon.
  17. Comcast finally deciding to clean up its act, along with Richter getting booted off Optigate seems to have dropped the spam delivery rate by quite a great amount. Look at the SpamCop spam reporting statistics... it's less than half what it was before. I haven't gotten any spam in the last week, so I can't gauge whether the amount of spam being sent is falling or not... is anyone seeing less spam being delivered to their accounts?
  18. Well, I tried sending an email to CAIS Internet, urging them to drop Richter before he rapes their resources and leaves them high-and-dry with a bad reputation as a spammer friendly ISP, but the email bounced... their mail box is full. So, either a lot of other people are sending similar messages, or Richter has already started spamming, and they're getting complaints about that. Why do some ISPs have to learn the hard way?
  19. Actually, it's CAIS Internet... I think that if they get enough emails and phone calls complaining to them about their incredibly stupid decision to host one of the world's most prolific spammers, they'll drop him like Optigate did.

      Canonical name: www.wvfiber.com
      Addresses:
      Canonical name: www.ibis7.net
      Addresses:

      whois -h whois.arin.net ...
      OrgName: CAIS Internet
      OrgID: CAIS
      Address: 6861 Elm Street, Third Floor
      City: McLean
      StateProv: VA
      PostalCode: 22101
      Country: US
      ReferralServer: rwhois://rwhois.cais.net:4321/
      NetRange: -
      CIDR:
      NetName: CAIS-CIDR7
      NetHandle: NET-63-216-0-0-1
      Parent: NET-63-0-0-0-0
      NetType: Direct Allocation
      NameServer: NS.CAIS.COM
      NameServer: NS2.CAIS.COM
      Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
      RegDate: 1999-12-09
      Updated: 2001-05-21
      TechHandle: CAIS-NOC-ARIN
      TechName: Network Operations Center
      TechPhone: +1-703-448-4470
      TechEmail: domreg[at]cais.net
  20. Oh, you might want to add one more final step to the procedure outlined above. Before you use the proxies, you should ensure that they are indeed anonymous proxies. The easiest way to do this is to disable all but the first proxy in the list, and surf to http://www.dslreports.com/whois . If your IP address doesn't show there, then that proxy is anonymous. Disable it, enable the next one, and hit the 'Reload' button in your browser, checking the reported IP address again to be sure it isn't your own. Repeat the procedure for each proxy in the list. If your IP DOES show, then you should delete that proxy from the list. If you start out with a list of 1000 proxies, after all this testing you'll have around 20-30 good, fast, stable, anonymous proxies. I've gone through several thousand from around the world, and have built up a list of several dozen that I regularly use to FriedSpam spamvertised websites. Unfortunately, like everything with spammers, it's an arms race. They're starting to get wise and block each anonymous proxy from accessing their servers. But, I'm creating more work and more expense for them. Eventually, they'll have a list of every anonymous proxy in the world, and will be blocking our attempts at using FriedSpam in this fashion against them. That is why I'm coming up with DeepFriedSpam... it's kind of like FriedSpam on steroids... using spoofed packets. If they want to try to block that, they'll have to block every backbone router on the internet, effectively cutting them off from the internet. Let's see them try to beat that... But I need help on it from some C programming gurus... any takers?
  21. The really cool thing is that if you don't get a lot of spam anymore, but still want to use FriedSpam.net to go after spammers, you have a real-time list of spammers at your disposal. http://www.spamcop.net/w3m?action=inprogress&type=www Just pick 5 or so from the above list, drop them into FriedSpam, and let it run. You can also fashion URLs (instructions are on the FriedSpam.net website) so your more technologically-challenged friends can just click a link on your website, 'blog, or an email you send them, and it'll all be set up for them. You can even set it up so they don't even have to click the Start button... they just click the link, and they're frying spam.
  22. Hi, all. I've figured out a work-around to the problem of Unsolicited Commando grabbing ports when it's carrying out its tactical orders, then not releasing those ports when it's done. I set up Task Scheduler so that UC would run once every two hours, and would be shut down one hour after starting up. The UC server caches the tactical orders for each UC client, so you can leave the UC client shut down for a while, and when you start it up again, it'll run through all the tactical orders that have been cached for it in quick succession. This allows you to avoid the build-up of ports that UC grabs and doesn't release, and automates running it so you don't ever have to even think about it. Works great... I'm working on a similar solution for the JackPot fake SMTP server / teergrube / honeypot, to work around the memory handles leak. I'll post here when I've got it completed. Using these solutions, you should be able to run both UC and JackPot for as long as you like without having to manually start them up or shut them down. In other words, they're more 'set it and forget it'.
  23. The longest I've gone is 10 days (IIRC) without receiving a spam, but I hope to break that over the next week. (I hope I don't jinx it by posting this).
  24. I don't want to be disrespectful, Miss Betsy, because I know that you contribute a great deal of information to these discussion threads, but I don't know of ANY ISPs that operate that way. Besides, even if an ISP did block the unwanted emails, they would have to do so AT THEIR SERVERS (because they'd have to classify the spam AS spam, meaning the servers would have to parse through the entire body of the email first), meaning that the bandwidth required to transmit the spam has already been consumed by that ISP (as well as the CPU time), and therefore that ISP has to pay for that bandwidth (and additional computing resources) (and they WILL pass that cost on to you, the end user). If they're doing IP blocking, it mitigates that somewhat, but I can tell you from experience with running the JackPot fake SMTP server that the spammers will: a) send through open relays (of which there are thousands) b) send through RATs (of which there are hundreds of thousands) c) otherwise obfuscate their IP address I've had one single spammer (sending the same message from each location) send to me over the course of a day from over 300 IP addresses and 12 different ISPs. Obviously, he was tapped into the RAT pool, using them as open proxies. Blocking all those IP addresses would be prohibitively expensive in terms of time and manpower, and when those RAT-infected computers get fixed, how do you know to remove it from the list of blocked IPs? Especially if it's on a dynamic IP address? Do you block list an entire ISP (like Road Runner, one of the most anti-spam ISPs out there, yet a large contributor to IP addresses I'm picking up from this particular spammer)? Where does it stop? When you've Block Listed the entire internet? That's been tried before. No, I've already got the most effective method to stopping spam... 
it doesn't entail reconfiguring the email transport protocol and infrastructure, it doesn't require finding a new ISP that magically blocks spam without incurring extra costs associated with CPU time and bandwidth and spam blocking software, it doesn't require new anti-spam legislation, it requires people to stop complaining about the problem, and become an active part of the solution. It requires taking action... if you saw a theft in progress on the street, would you not report it to the police? Of course, everyone would. Yet, with spam (a theft of our resources) most people are content (or conditioned) to simply hit the 'Delete' key, mutter "OK, spammer, here's a tiny bit more of my time and money and bandwidth... gosh I hate you.", but never do anything more about it! They should be reporting it... to SpamCop, to the other Block Lists, to their ISPs, to the ISPs of the spam sender, to the BBB and State Attorneys General for U.S. spammers, to the Federal Trade Commission, and in the case of spam hawking medicine, to the FDA. Granted, I've got it all automated, so it only takes three clicks per spam to accomplish all this, but there's no reason others couldn't do the same. And for those who believe in pro-active crime prevention, they can do like I do... I walk right up to the spammer thief and kick him in the crotch. If you send me spam, your spamming days are definitely numbered. It's not vigilantism to protect your time and resources from abuse, even by pro-active means.
  25. You can also call OptiGate at (303) 464-8164, and Scott Richter's number has been reported to be (303) 550-9828. Also, if you want a complete set of tools for tracking down spammers, you can't go wrong with Sam Spade. [edit] Oh, before I forget, Jebuz Jones noted the Unsolicited Commando program, which fills out offending websites' feedback forms with bogus data. I've used it for a long time. Unfortunately, the UC program grabs a port, connects to the offending website, then when it's finished, never releases that port, grabbing yet another for the next website... if left running long enough, all your ports are consumed and your internet connection becomes unusable until you shut down the UC program. I've already contacted Adam Keeney, the UC program author... let's hope he's hard at work fixing it. If any of you are Java programming wizards, perhaps you could lend a helping hand by inspecting the source code at his website: http://www.astrobastards.net/uc/source/