HillsCap

Posts posted by HillsCap

  1. Merlyn wrote:

    [There are other ways.]

    Well, then you should tell us those ways... I've tried everything else, and the only effective means of spam abatement I've found is to hit them where it hurts.

    I've gotten 13 spams in the past 30 days, without using Block Lists, without blocking delivery of any emails. I've got a straight, unhindered shot from the internet to my Inbox. How many spams did you get over the last month?

    But it wasn't an easy road to get to 13 per month... I fought the spammers 24/7 (literally) for months on end (a 'luxury' I'm afforded because I work out of the house)... I developed specialized software to allow semi-automated reporting of high volumes of spam, and more software to do high-volume LART'ing, and even more software is in the works (just wait 'til you see what I've got in store for you next spammers, it'll knock your socks off. Picture FriedSpam.net on steroids, and completely untraceable back to the users).

    Jebuz Jones is correct, the spammers drew the line in the sand... I'm just stepping up to that line, and going toe-to-toe with the spammers. And you know what? They hit like girls, and they've got glass jaws.

    I mean, come on, spammers! Is a DDoS all you can come up with? I've got measures in place that slow your DDoS to a crawl and prevent it from affecting my machines, and it doesn't affect my ability to access the internet. Trying to hack into my machines? Please... it'll only get you reported to your ISP and law enforcement (and I don't even have to lift a finger for that to happen). Mail-bombing? You've tried this before, you know it doesn't work when I can handle more mail than you can throw at me. And you know if you try any of these, I'll track you down... I'll get server logs and do electronic forensics until I've got you... then you're going down.

    If someone kept breaking into your house, despite the fact that you've installed security measures, put a high fence and signs, then crapped on your carpet each time they wormed their way into your home, I GUARANTEE you wouldn't ask them nicely to leave... you'd beat the living hell out of them, especially when they kept coming back, and most especially if you found that there were no police for you to call. Why? Because they're not only violating your personal domain, they're leaving behind something that you find offensive, and costing you money because you now have to clean your carpet, not to mention the expense of those security measures, that high fence and those 'Keep Out' signs.

    It's the same thing with spammers... they worm their way into your Inbox (your personal domain, much as your home is your personal domain) by hook or by crook, then dump their load of crap there (crapping on your carpet), and keep coming back despite the fact that you've set up security measures, high fences and 'Keep Out' signs (anti-spam software, disposable email addresses, email address obfuscation on websites, Block Lists, etc., etc., etc. ad nauseam). And there's no police to call... (weak legislation, no strict penalties, very little enforcement of existing legislation).

    Well, I've had enough... I'm beating the living hell out of every one of them that worms their way into my Inbox and leaves their crap pile there.

    Meanwhile, we still have to work on convincing our politicians to give us effective legislation that protects us from the spammers, with strict punishments doled out for those who violate that legislation. I think of my email Inbox much as I think of my fax machine... if I were receiving hundreds of unsolicited faxes daily, I'd do something about it because IT IS COSTING ME. Same thing with email... it costs all of us in additional bandwidth, time, resources, and frustration having to deal with spam. The amount of cost is much smaller per spam than per fax, but the concept is exactly the same. And the laws that apply to fax machines should apply to email, as well.

  2. You're right, YourBuddy, the ability to remove the cloak of anonymity that spammers now enjoy IS the ultimate solution to the spamming problem... except in cases like Richter, who believes he can still fill our Inboxes because of weak laws.

    First, we have to strengthen the laws, and give them provisions for strict penalties for violating them. Laws are supposed to be created to benefit the majority of people, without trampling on the rights of the minority of people.

    The current law benefits a minority of people, while trampling on the rights of the majority of people, and thus it MUST be changed. Broad participation is required for our voice to be loud enough to be heard in the halls of government. But once our voice is heard, it must be heeded... or the politicians risk getting voted out of office by an angry populace. The longer they allow the spam problem to fester by not enacting effective legislation with strict penalties, the angrier the populace becomes.

    Second, we have to motivate the people to seek their own solutions to the spam problem. By this I mean we must convince people to take action against spammers in whatever form they find morally and ethically agreeable. I have no moral or ethical qualms with doing whatever is necessary to take down a spammer and prevent him from wasting my precious time and resources, so I'm probably a bit more vicious about it than most people would be, but because of the lengths I am willing to go to prevent my resources from being abused, I find that the spammers avoid me like the plague. I receive virtually no spam at all. What spam I do receive is usually from newbie spammers, who are easily convinced to find another means of income production when they learn of the consequences awaiting their decision to send spam.

    I've already written extensively in other posts on this forum about some of the techniques I use... but I have been forced upon occasion to take drastic measures against spammers who thought they could force me into submission by mail-bombing me or attacking my computers. Those spammers quickly found out that I can become quite vicious indeed. They also found that I specialize in configuring computers for high-security computing environments, meaning that no matter what they tried, my computers were unassailable and impregnable. Surprisingly, I found their computers easily assailable and pregnable.

    Thirdly, we must remove the cloak of anonymity that many spammers now enjoy utilizing such techniques as packet spoofing, open relays, RATs (Remote Access Trojans), and open proxies. I've already submitted a proposal to several government officials who requested my input on the solution to the spam problem. Let's hope they have the intestinal fortitude to implement the changes necessary to fix this, rather than going for the feel-good sound bite and political quick fix that assuages the marketing lobbyist groups.

    You know, for a troll, you're not half bad... you're not very annoying and don't try to disrupt entire threads with hundreds of consecutive posts like other trolls I've experienced on other boards, you play Devil's Advocate and encourage further discussion and you force us to challenge our assumptions.

  3. Double-opt-in is just that, irregardless of whether the spammers have tried to redefine it to mean 'typing your email address twice on the signup page'.

    Double-opt-in's traditional meaning is a process by which you sign up to receive email, you then receive a confirmation email with a link you must click to complete the opt-in process.

    This can be the only true meaning of double-opt-in, as this process was created to prevent people other than the holder of the email account from signing others up to receive email. Double-opt-in, as defined by the spammers, does not offer this protection, and thus their definition is a misnomer, an invalid name.

    Double-opt-in is also more descriptive than confirmed-opt-in, as it connotes that two separate (double) opt-ins are required to be added to an emailing list, whereas confirmed-opt-in can be construed to mean what the spammers are trying to redefine double-opt-in as. Namely that you type your email address, then confirm it by typing it again on the same page.

    As for what to look for in your spam to tell if it came from Richter, there is a list of IP addresses and domains that Richter uses here:

    http://www.hillscapital.com/richter.txt

    YourBuddy is correct in one aspect... namely that Richter complies with certain aspects of the CAN-spam bill. He sends his spam from his own IP addresses, doesn't obfuscate his headers, and provides a (presumably) working unsubscribe link.

    But he is incorrect in saying there is no definition of spam... spam is any email marketing message that you did not elect to receive, and do not want to receive, that is sent by a marketer en masse. It is not about CONTENT, it is about CONSENT.

    Unfortunately, our legislators have stupidly made a bill that is unworkable... it allows anyone and everyone to fill our Inboxes with whatever they wish, without our consent, and all they must do is claim that we signed up for it... even if we didn't. There is no process to ascertain whether someone truly signed up for the email, and the legislators bowed to campaign contributions and political pressure from marketing lobbyist groups to form a toothless bill that provides no penalties for those unscrupulous email marketers that obtain their email lists by means such as signing people up without their consent (somewhat akin to telephone slamming), spambotting websites, or dictionary attacks.

    The legislators seem to think that if we're on the spammers' lists, we MUST have signed up. They still haven't caught on to the fact that spammers lie.

    Richter is well known for using spambots to harvest email addresses (do you truly believe that over 80 million people signed up to receive his cruft?!), and I suspect he uses dictionary attacks, as well, judging by the spam I've gotten from him.

    But, what YourBuddy doesn't seem to realize is that this is one process by which we can get the laws changed to afford our email accounts the same protections afforded to our fax machines and telephones. Namely, for our telephones, we can sign up to not receive any marketing messages, and any companies that violate that can have penalties levied against them. For our fax machines (a more apropos analogy to our email accounts, since ultimately, we end up paying the bill for receiving the spam in higher ISP bills), there are laws that prevent ALL unsolicited marketing via facsimile machine, with heavy penalties to those who break those laws.

    With enough outrage, enough political activism, and enough people, we can get the laws changed to provide us (the voters... the people who elect those who make the laws) with the relief from spam that we seek. Other nations will see the outrage over spam and the amount of time and resources that it wastes just to benefit a few at the cost of many, and enact similar laws, if they have not done so already.

    A massive action against one of the world's largest spammers will send a message to other spammers to back off and respect our time, productivity and resources.

    And even if this doesn't work, we've helped a lot of people to learn about the issues, about SpamCop and its protection from spam, and hopefully some of them will read my other posts and learn how to take down the spammers in other ways.

    Imagine 1,000,000 people using FriedSpam.net against Richter or any other spammer... they'd be out of business for good in a month.

    Imagine 1,000,000 people running the JackPot MailSwerver fake SMTP server/honeypot to dump relay spam... relay spam would cease to exist.

    Imagine 1,000,000 people filling out bogus data on the spammers' feedback forms or shopping carts... the spammers would get a taste of what spam is like, as they'd have to wade through all the unwanted data (wasting their time on each to verify whether it is valid or not) before getting to the data they want. Even if each person only did this a few times a day... the aggregate total of this would hurt the spammers tremendously.

    People need to stop complaining about spam and start DOING something about it... we all need to take up the sport of spammer hunting, which is great fun and exceedingly challenging.

    It wasn't until I actively began going after the spammers that I stopped receiving spam in large quantities. I now only have 13 spams in my spam folder (which deletes anything older than 30 days). I don't use Block Lists, I don't prevent the delivery of any email, it's just that the spammers have learned to avoid me because I will do everything within my capabilities to take them down.

    If everyone took my stance, and actively went after the spammers, we'd have the spammers running scared. And people would soon find that they no longer receive much spam at all.

  4. Jericodw:

    LMAO... maybe we could hire Snotty Scotty to get the word out...

    You can tell if your spam is from Richter by looking at the list (link below) of IP addresses and domains he uses, then searching your spam corpus for these... I think I'm going to create an Excel spreadsheet that will interact with my Outlook, and do the search automatically... it'll be a lot easier than searching through the thousands of spams manually.

    http://www.hillscapital.com/richter.txt

  5. Everyone sign the petition... meanwhile we'll work on compiling a list of government officials from around the world, and send them the results of the petition.

    This accomplishes two things... we built criticality for the number of people we need to go after Richter, and we let the governments of the world know that we've had enough of the spam.

    Once we've gotten enough public attention and enough people interested, we'll have all those people send their Richter spam to the FTC.

    Mr. Richter, an avalanche is fast approaching you... and there's nowhere for you to run, nowhere for you to hide.

  6. Ok, everyone, how's this for the petition declaration:

    Part 1:

    We feel that our email accounts, being a communication medium that is considered to be within our personal domains, should be subject to the same privacy conventions and laws as any other means of communication which is considered to be within our personal domains. These other communication mediums include our land-line telephones, facsimile machines, and cellular telephones, amongst others. These other means of communication have certain limits placed upon them with regards to whether, when and how commercial marketing messages can be disseminated through them.

    Part 2:

    We feel that, much like the facsimile machine, the ability to shift the cost of delivery of emails from the sender to the receiver of those emails, lends this communication medium to much abuse at the hands of unscrupulous individuals or entities. Indeed, much abuse already takes place. Because of this, we feel that the only effective means of stopping this abuse is to require all email marketers to utilize double-opt-in marketing, under strict penalty of law.

    Part 3:

    We feel that the classification of email as UCE (Unsolicited Commercial Email) or UBE (Unsolicited Bulk Email), commonly known as 'spam', hinges not upon content, but upon consent. Without our consent, no spam email should arrive at our email accounts. It matters not whether the email in question carries legitimate header information, is sent from the sender's true IP address, carries tag lines such as 'ADV:' or 'ADLT:'. If we did not consent to receiving that email, it is a violation of the sanctity and privacy of an extension of our personal domain, namely our email accounts. Because of the cost-shifting characteristics of email, it is somewhat akin to someone accosting us against our wills in our own homes, yelling marketing messages at us, then forcing us to pay them for their time and trouble of delivering those marketing messages!

    Part 4:

    We believe the governmental organizations dedicated to stemming the abuse associated with spam should focus on a 'top down' approach, meaning that they should focus their efforts on the most prolific of the professional spammers first, in an attempt to bring these professional spammers' email marketing operations either in compliance with the public's wishes (double-opt-in marketing) or have these professional spamming operations disbanded.

    The top professional spamming operations (according to Spamhaus.org) are:

    1 Alan Ralsky

    2 Scott Richter - Wholesalebandwidth

    3 Alexey Panov - ckync.com

    4 John Grandinetti - 321send.com

    5 Anthony 'Tony' M. Banks

    6 Eric Reinertsen

    7 lmihosting.com

    8 Webfinity / Dynamic Pipe

    9 Scott Richter - OptInRealBig

    10 Eddy Marin - Oneroute

    Part 5:

    We believe that, as Mr. Scott Richter appears twice in the list of the top 10 most prolific spammers in the world (at positions 2 and 9), and as Mr. Scott Richter has the unmitigated gall to actually bring a lawsuit against a well known Block List using misleading information, in an attempt to force that Block List to allow delivery of his email marketing messages, the governmental organizations dedicated to stemming the abuse associated with spam should focus extra attention upon Mr. Scott Richter, ensuring that his email marketing companies abide by the wishes of the public, and use double-opt-in marketing, while requiring his email marketing companies to remove all existing email addresses from their databases, as these databases have obviously become tainted, allowing delivery of email marketing messages to those who never consented to receiving them.

    Part 6:

    We believe that spam email has become such a burden to our everyday personal and business lives that something must be done immediately. We believe this to be a large enough issue that it could possibly sway our choice in elections to those candidates who take a stance on spam more in tune with the public's wishes.

  7. Hi, all.

    I did a bit of digging at ROKSO, and came up with the following list of IP addresses used by Richter.

    http://www.hillscapital.com/richter.txt

    BadJeffy, that sounds like a good idea... Linux would probably be a better choice for this, as our server is a Win2K box (probably wouldn't be able to handle all the signups once this thing takes off). Plus, I'm not real heavy on programming to input to a database, which is what I envision for this.

    Or, we could use a suggestion from TPP (someone who's already signed up at StopSnottyScotty[at]yahoo.com), and go with http://www.PetitionOnline.com/ .

    That would probably be easier to do... now all we need is the wording for the petition. We'll need to compile the list of Senators, Legislators, and FTC contacts to send the petition to.

    I guarantee if we get enough people signing up for this petition, and we tell each and every one of our Senators and Legislators, Governors, etc. about it, there'll be pressure brought to bear on Richter.

    Spread the word, everybody... forget 1,000... let's try for 1,000,000 or more.

  8. Merlyn wrote:

    [What would happen if IronPort brought in sacks and sacks of postal mail sent to them with a hardcopy of every single piece of spam Scotty Snooty sent them with a disclaimer saying it was never opted in for? I am talking millions of letters?]

    Exactly what I'm aiming for... except it won't be IronPort or SpamCop walking in with wheelbarrows of printed-out spam along with depositions, it'll be the Federal Trade Commission and the Federal Government. Now how can a judge argue with that?

  9. OK, I've set up an email account at Yahoo specifically for this...

    StopSnottyScotty[at]yahoo.com

    dra007, I've got DreamweaverMX and I'm a whiz at HTML, so if you've got the space for a webpage, I can whip up a page with an explanation of what our goals are.

    Ralsky's Fatal Tumor, my thinking was that people would naturally be suspicious of leaving their email addresses with me (or with any of us, since they don't know us and don't know if they can trust us with their email addresses), so I figured "Who would they trust? Well, SpamCop itself!"

    So, I think we'd get a higher percentage of people signing up to register their interest here, rather than leaving their email address with any of us.

    If we can't gather at least 1000 people, then it's not really worth going to the FTC, as the damages that can be shown wouldn't be large enough to take Richter down for good. Once we get 1000 people, I'll give the contact details for my contact at the FTC, you all can either call or email her, she can send out the depositions and give you the FedEx shipping number.

    A website is a good idea, but we still need some means of communication between us and the people who are interested. Again, I don't think we'll get a large number of people giving out their email addresses, so that's why I went with this forum.

  10. Hi, all.

    Since Scott Richter is suing SpamCop to stop them from blocking his spam, I say it's time to strike back against this evil SOB, and protect the SpamCop service which has kept our Inboxes relatively unmolested for so long.

    Here's my plan:

    I want everyone interested in participating in a lawsuit against Richter to register their interest by posting to this thread.

    Then, we'll all compile our Richter spams, submit them to the FTC along with depositions, and have the FTC take Richter to court. There would be no cost to any of you except for the time required to fill out the deposition and print out the spam source code of each spam from Richter. The FTC will even pay for FedEx'ing the stuff back to them.

    I'm looking for at least 1,000 people, so let's all pitch in and bring this scumbag down. If you know of anyone using SpamCop who doesn't regularly frequent these forums, and they're interested in participating, let them know to come here to register their interest.

    After I've got the requisite number of people willing to fill out depositions, I'll get in touch with my contact at the FTC, and provide you all with the information necessary to send your depositions and spam printouts to her (contact name, address, FedEx shipping number, etc.).

    Let's get to it.

  11. Certainly I'll help if I'm able... we keep all spam reports (with the source code of each spam) for a year.

    Just let me know via this forum what spams to look for.

    I'm in pretty regular contact with the FTC, so if you like, I can ask them to put additional pressure on Snotty Scotty. They've been pretty receptive to my ideas for going after spammers, so far (allowing them access to JackPot logs, going after a Florida spammer, etc.), so I'm sure they'd love to hook one of the biggest fish in the pond.

    Perhaps we can bring so much pressure to bear on Snotty Scotty that he'll be out of business before any major court battles commence.

    Bring it on, Richter, like I've said in other posts, the spam war (and it is a war) is a war of attrition... and there are more of us than there are of you. And I'm meaner than 10 junkyard dogs. Once I get my jaws into you, I'll never let go. You can't win.

    In fact, if Richter goes forward with this case against SpamCop, I'll dig out all our Richter spam, submit it along with a deposition to the FTC, and take the case to court with the FTC's help. I urge all the rest of you to join me in a class action lawsuit against Scott Richter. What the hell, the FTC pays for it.

  12. 'Fighting abuse with abuse', as you call it, works.

    That's why we have a little thing I call 'war'.

    These are bad people we're dealing with, they don't understand or respond to 'niceness'. They'll do anything and everything they can to try to make money at other peoples' expense. We HAVE to fight fire with fire.

    In a similar fashion, we have to fight rogue nations or leaders, with war... they'll do anything to attain and sustain their power, because it makes them rich and powerful. They'll use people and resources that they have no right using. They'll try to expand their borders (and thus their power and wealth) without regard to others.

    Both rogue leaders/nations and spammers operate outside normal conventions of society and outside the law... making laws to stop them doesn't work, since they ignore laws. Asking them nicely to stop their nefarious activities doesn't work, because they're only concerned with themselves, and don't care about how much damage they do to others. They don't respect others.

    And it's all about respect or fear. If they don't respect you, they MUST fear you. Otherwise they'll walk all over you.

    Respect isn't in the vocabulary of a spammer, if it was, they wouldn't rape SMTP servers, infect people's computers with trojans so they can control them and send spam, inundate everyone with an aggregate estimated 2.5 billion spams per day, completely fill server hard drives of smaller ISPs with their cruft while at the same time driving these smaller ISPs out of business due to their bandwidth requirements sometimes doubling or tripling just due to spam, etc.

    Since respect isn't an option, we have to make the spammers FEAR. They have to be made so afraid to send out spam that they don't do it. They have to fear for their websites, for their internet connections, for their income, even for their freedom (put them in jail), etc.

    The only way to do that is to start taking them down... hit them where it hurts. Go after their sources of revenue to make spamming such a painful endeavor that they give up. Call in all your resources to bring them down... take down their websites by contacting their webhosts, fill their email accounts with crud so anyone trying to buy from them via email gets their email bounced (takes away their customers), convince their mail providers to redirect incoming email to spammer accounts to the bit-bucket while leaving that account open (confuses the spammers, since they're getting no response to their spam), get the government to go after them by reporting them to the FTC (and in the case of internet pharmacies, the FDA), block their spew by reporting to the Block Lists, fill out their web forms or shopping carts with bogus information to waste their time and money, run up their bandwidth (and thus their hosting costs) to make spamming no longer economically viable, teach people to never respond to spam by purchasing from spammers (to take away their income stream), run a fake SMTP server to absorb and dump their spew (reduce their ability to reach their audience), find out who their credit card processing company is, and report to them to take away their ability to accept credit card purchases, report to the credit card processing company's ISP and mail host, so if they continue to support spammers, they'll be shut off from the 'net, etc.

    You call it abuse... no, what they are doing is abuse... what I am doing is defending the internet from the abusers by striking back at them, forcing them to back down. Without them, we stand to save an estimated annual $51.2 billion (U.S.) worldwide in costs associated with dealing with spam (additional equipment and software purchases, lost productivity, bandwidth costs, etc.).

    Trust me, I've tried every other way... I've tried just hitting the 'Delete' key, I've tried unsubscribing, I've tried complaining to their web hosts and ISPs, I've tried reporting them to the Block Lists.

    It wasn't until I 'stooped to their level', as you call it (I call it fighting them on their own battleground... they waste my time and resources, I waste theirs... it's a war of attrition, and I refuse to be attrited) that they left me alone. I've only gotten one spam this week, only 14 over the last month, and I guarantee I'll never get spam from any of them again.

    As for Joe-jobs, it's pretty easy to tell what is and isn't a Joe-job, after you've seen 10,000 or so spams. It becomes second nature.

    As for my ISP, they don't consider it abuse or a violation of their TOS until I've breached the provisions of the Computer Fraud and Abuse Act... which I definitely haven't.

  13. Hoo, boy! If you increase the number of threads, be sure your bandwidth and machine can handle it...

    I set it so JackPot would use 201 threads. Within 1/2 hour, I had 200 simultaneous incoming SMTP connections.

    Fortunately, I've tweaked the memory settings and garbage collection for JackPot, so it's not taking much CPU time, and the memory handle leak isn't so bad.

    But, there must be a huge spam ring originating in Taiwan, since all the connections came from there.

    And, I drilled a hole through my router for JackPot's HTTP server, so now I'm serving the JackPot log results to the internet. This will allow me to send LART emails (JackPot does an abuse email address lookup for each IP address of the incoming SMTP connections), by clicking on the links in the JackPot logs, then I put the URL to my JackPot HTTP server into that email, and the ISPs can see for themselves what their users are doing, in real time.

    Of course, I'll also start Sam Spade and do a quick traceroute, so I can report to the ISPs' upstream as well, to apply a little more pressure on the ISPs to fix their spamming problem (it's giga.net and twnic.net.tw, and they've got a huge spammer problem).

    But first, I want to let the spammers waste more of their time and resources sending to the bit-bucket... I figure another 5 million messages collected, then I'll report them. By then, I'll have collected enough data that there'll be irrefutable proof that those ISPs have a spammer problem they can't afford to ignore.

  14. Hi, all.

    A quick update / bump.

    The spammers are becoming much more aggressive in the number of connections they establish, as I said in my last post. They're also trying to spew more, by increasing the number of recipients per message.

    So far, I'm just over 1,400,000 spam emails blocked.

    I've been in contact with Jack Cleaver, the program's author, and due to the recent upswing in interest in the program, he's going to go to work on it to fix the few remaining bugs.

    So, hopefully, in a few weeks or so, we'll have a rock stable version out that doesn't have a memory handle leak.

    BTW, does anyone know how to force the JRE 1.5.0 b1 to do more aggressive Garbage Collection? I'm trying to get it to clean up those memory handles, since the JRE takes care of memory management, not the program. My thinking is that it might be that the reason the handle count continues upward is that Garbage Collection can't clean up fast enough due to how hard the spammers are hitting my JackPot. By increasing the aggressiveness of the JRE Garbage Collection, I hope to keep the memory handle count under control.
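    The posts above describe running a fake SMTP server that swallows relay attempts and logs who is sending. The block below is an added example, not JackPot's code (which is Java): a minimal SMTP sink state machine that accepts a delivery without relaying it, caps recipients per message (the posts note spammers pushing that number up), and tallies traffic per peer address so an abuse report can cite counts. The hostname and the transcript it is driven with are constructed.

```python
"""Minimal SMTP sink (honeypot/teergrube) state machine, transport left out.

Each client line is fed in and a reply comes back; accepted messages are
recorded and discarded, never relayed. Per-peer totals back an abuse report.
"""
from collections import defaultdict


class SmtpSink:
    """One SMTP session from one peer. feed() returns the server reply."""

    def __init__(self, peer_ip, hostname="sink.example.invalid", max_rcpt=25):
        self.peer_ip = peer_ip
        self.hostname = hostname          # constructed name, not a real host
        self.max_rcpt = max_rcpt          # recipients accepted per message
        self.envelopes = []               # (peer, sender, [rcpts], body_bytes)
        self.rejected_rcpt = 0            # recipients refused by the cap
        self.in_data = False
        self.quit = False
        self._reset()

    def _reset(self):
        self.sender = None
        self.rcpts = []
        self.body = []

    def banner(self):
        return f"220 {self.hostname} ESMTP"

    def feed(self, line):
        line = line.rstrip("\r\n")
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self._reset()
            self.sender = _addr(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL first"
            if len(self.rcpts) >= self.max_rcpt:
                self.rejected_rcpt += 1
                return "452 Too many recipients"
            self.rcpts.append(_addr(arg))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("RSET", "NOOP"):
            if verb == "RSET":
                self._reset()
            return "250 OK"
        if verb == "QUIT":
            self.quit = True
            return f"221 {self.hostname} closing"
        return "502 Command not implemented"

    def _data_line(self, line):
        if line == ".":
            body = "\n".join(self.body)
            # Record the envelope, then drop the message: it goes nowhere.
            self.envelopes.append((self.peer_ip, self.sender, list(self.rcpts), len(body)))
            self.in_data = False
            self._reset()
            return "250 OK queued"        # the client is told it was queued; it was not
        if line.startswith(".."):
            line = line[1:]               # undo dot-stuffing (RFC 5321 section 4.5.2)
        self.body.append(line)
        return ""                         # no reply while the body is being received


def _addr(arg):
    """Pull the address out of a 'FROM:<a@b>' or 'TO:<a@b>' argument."""
    _, _, rest = arg.partition(":")
    return rest.strip().strip("<>").lower()


def summarize(envelopes):
    """Per-peer message, recipient and byte totals for an abuse report."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0, "bytes": 0})
    for peer, _sender, rcpts, size in envelopes:
        stats[peer]["messages"] += 1
        stats[peer]["recipients"] += len(rcpts)
        stats[peer]["bytes"] += size
    return dict(stats)


def run_session(peer_ip, client_lines, **kw):
    """Drive one session from a list of client lines; returns (sink, replies)."""
    sink = SmtpSink(peer_ip, **kw)
    replies = [sink.banner()]
    for line in client_lines:
        reply = sink.feed(line)
        if reply:
            replies.append(reply)
        if sink.quit:
            break
    return sink, replies


if __name__ == "__main__":
    # Constructed transcript: one relay attempt with three recipients.
    sample = ["EHLO bulk.example", "MAIL FROM:<promo@example.net>",
              "RCPT TO:<a@example.org>", "RCPT TO:<b@example.org>",
              "RCPT TO:<c@example.org>", "DATA", "Subject: test", "",
              "..leading dot kept", ".", "QUIT"]
    sink, replies = run_session("203.0.113.7", sample)
    print("\n".join(replies))
    print(summarize(sink.envelopes))
```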

  15. Feels good, doesn't it? Knowing that your email isn't polluted with a bunch of cruft that you have to wade through...

    Before I began hammering the spammers, it felt each morning like I had to wade neck deep through a septic tank to get to any real work. The spam wasted my time, raised my blood pressure, and generally made each day a bad start.

    Now, I look forward to checking my email, knowing that only legitimate messages are waiting for me.

    Plus, if I do get a spam now and then, I've got the free time (now that I'm not wasting 30-45 minutes a day dealing with spam) to really hammer that scumbag into the ground.

    Good job, dra007, and congratulations.

  16. Hi, all.

    You know from my other posts that I run the JackPot fake SMTP server/teergrube/honeypot. So far, I've dumped over 1.3 million emails in the past week alone using that.

    But I also have other tools in my LART arsenal... one of them being FriedSpam (http://www.FriedSpam.net/).

    But, me being like I am (always pushing the envelope and trying new ways of doing things), I don't use FriedSpam like most people do.

    Most people use FriedSpam to repeatedly download a web page from a spammer's website, using a direct connection from their machine to the spammer's website. Unfortunately, doing this reveals your IP address to the spammer, leaving you open to hacking and DDoS/DoS attacks. I've been through several myself.

    So, I went about finding a way to still use FriedSpam, while obfuscating my IP address.

    I found the solution in what is called an 'Anonymous Proxy Rotator'. Essentially, what an Anonymous Proxy Rotator does is allow your machine to connect through a constantly rotating list of anonymous proxies to download the web page from the spammer's website. Thus, the spammer never sees your IP address, and can't attack you.

    The program I use is called MultiProxy... it's an older program that hasn't been updated in a couple years, but it's rock-solid and never gives me any problems.

    The way I've got it set up for the IP chain is:

    IE <<Port 8081>> WebWasher <<Port 8082>> MultiProxy <<external proxy port>> external proxies <<>> FriedSpam.net <<>> spammer's website

    Essentially, I set it up in Control Panel >> Internet Options >> Connections tab >> LAN Settings >> Advanced, so that HTTP requests went to localhost, port 8081. This connects IE to WebWasher. In the Exceptions box, I put sites I regularly visit that I want to bypass the proxy.

    I then went into the WebWasher Preferences, and set the 'Local HTTP proxy port' to 8081.

    In WebWasher Preferences, under Proxy Engine >> Client, I set up HTTP 1 to use 127.0.0.1, port 8082, and again put the sites I regularly visit and want to bypass the proxy into the 'Do not use proxy servers for domains beginning with:' box.

    This connects WebWasher to MultiProxy.

    In the MultiProxy Options >> General Options tab, I set the 'Accept connections on port' setting to 8082.

    On the MultiProxy Options >> Advanced Options tab, I clicked 'Override local IP', and entered 127.0.0.1 as the Local IP, and clicked 'Override local host', and entered localhost at the Local Host.

    In the 'Allow connections from the following IP addresses only' box, I put 127.0.0.1.

    Now comes the hard part... acquiring, maintaining and updating your list of anonymous proxies.

    I went to http://www.StayInvisible.com/ and cut-and-pasted every proxy listed into NotePad.

    After cutting and pasting all the proxies (approximately 1300 of them) from all the pages, I saved the file to my Desktop. I then went into Excel, and imported the file, using spaces as the column delimiter.

    I used the Data >> Sort menu to sort the proxies by their level of anonymity, and removed all proxies listed as 'Transparent'. You DO NOT want to use transparent proxies, as they show your IP address.

    I then removed all columns of data except for the proxy IP address and the port number.

    I selected all of the remaining data, and pasted it into a new NotePad window, then did a Search-And-Replace, searching for a single space ( ), and replacing it with a colon (:).

    This gave me my list in the required format to import into MultiProxy... namely:

    IP Address:Port

    which I saved to a plain .txt file on my Desktop.

    I went to the MultiProxy Options >> Proxy servers list tab >> Menu button >> Files >> Import Proxy List, to import that file into MultiProxy.

    After doing that, I went to MultiProxy Options >> Proxy servers list tab >> Menu button >> Proxy List >> Test all proxies.

    After testing, the proxies that didn't pass the internal MultiProxy tests were marked with a red dot. The ones that did pass were marked with a green dot. I selected all the red-dot marked proxies, right clicked, and selected 'Delete' to get rid of the test failures.

    Next, I tested again a few times, just to be sure, deleting any red-dot marked proxies that showed up in the list.

    I then selected MultiProxy Options >> Proxy servers list tab >> Menu button >> Files >> Export All, saving the resulting .txt file on my desktop.

    After that, I started another program I found called Proxy Clean, which contains a list of proxy servers controlled by various governmental and law enforcement agencies. I used this program to clean the exported proxies list. (If any of you needs the updated list of proxies controlled by governmental and law enforcement agencies, let me know and I'll send it to you. The list that comes with Proxy Clean is pretty sparse, so I did some research of my own on hacker sites and did a lot of WHOIS lookups with Sam Spade to come up with an updated list.)

    After cleaning the list, I selected all the proxies in MultiProxy Options >> Proxy servers list tab and deleted them, then went to MultiProxy Options >> Proxy servers list tab >> Menu button >> Files >> Import proxy list, importing the cleaned list.

    As a final step, I right-clicked on WebWasher, selected 'Use a proxy server' to send IE HTTP requests through the anonymous proxies, then surfed to Google, where I searched for the word 'porn'.

    I know what you're thinking, but I don't surf porn... we're using the search results as a final test of the anonymous proxies, for two very good reasons...

    1) Some of these proxies will pass the internal MultiProxy tests, but will redirect you to sites of their own... so if the Google search results look normal, that proxy must be working as we want it to.

    2) Some proxies will block certain content. By searching for the worst of that content, we'll trigger any blocking that might take place, so we can remove that proxy from our list.

    Now, I went into the MultiProxy Options >> Proxy servers list tab, and selected all but the first proxy, right clicked, and selected 'Disable'. This disabled all but the first proxy. I then clicked the 'Next' link in the Google search page to see if that proxy was working as I wanted.

    If it was, I disabled it, enabled the next one in the list, and repeated the process, clicking the 'Next' link in the Google search page again.

    If the proxy either blocked the content, or redirected me, I clicked that proxy, right-clicked, and selected 'Delete', removing that proxy from the list. If the proxy was too slow to be usable, I did the same.

    After completing that rather lengthy process, I had a large list of fast, anonymous proxies that didn't block content and didn't redirect me.

    Now, I was ready for FriedSpam.net... I just surfed to http://www.FriedSpam.net/, entered the list of spammer URLs that I wanted to 'fry', and hit the 'Start' button.

    I'm using it right now, as a matter of fact...

  17. Actually, the URL for Labrea is:

    http://labrea.sourceforge.net/labrea-info.html

    I've downloaded it, and will check it out. Unfortunately, JackPot has a memory handle leak that requires me to restart it about twice a day.

    But, it sure is working! I've had as many as 95 simultaneous incoming SMTP connections, and I blew past the 1,000,000 spam emails dumped mark. I'm now just over 1,100,000.

    Oh, on the jackpot.properties file, you might want to change a few settings:

    #Extra time taken to respond to commands when in a spam run.
    #This is applied to every line entered in a HELO dialog; the default is 1s. This is enough to make a HTML message from Outlook Express take almost a minute to enter.
    TarpitDelay=1000

    (You might want to increase this when the number of spammers is high, to keep JackPot from taking too much of your CPU. DO NOT use the 'Administer JackPot' link in the JackPot's HTTP server home page to change this... for some reason, when you do, it causes JackPot to take more CPU time than just changing it manually in jackpot.properties, then restarting JackPot.)

    #Specifies what kinds of message get output to the system logs. This is a bit-set, the values are as follows:
    # SMTP = 1;
    # HTTP = 2;
    # RELAY = 4;
    # STATUS = 8;
    # PROXY = 16;
    # ENVE = 32;
    # CONFIG = 64;
    # DEBUG = 128;
    FileLogging=255
    ConsoleLogging=255

    (Set FileLogging=128; otherwise the logfile collects everything (which is redundant, since everything is also stored elsewhere) and can grow quite large (mine was a couple hundred MB before I deleted it). Setting it to 128 only collects DEBUG messages (i.e.: errors), making the file size much smaller.)

    #This entry controls the size of the ThreadPool. Jackpot will politely decline protocol activities on ports 25 and [HTTP-port] once the number of free threads falls below 5.
    MaxThreads = 150

    (You can control how many spammers can connect at once by changing this... if you set it to 150, only 149 spammers can connect at once. If JackPot is taking too much CPU time, crank this down to around 50 or so. I'd say the minimum to set this is around 20.)

    I'll let you all know how running LaBrea goes...

  18. Hey, everybody.

    I'm up to 47 inbound SMTP connections to my JackPot server, and a total of over 500,000 spams blocked.

    I slowed down a bandwidth-intensive distributed computing project I'm participating in to give JackPot more bandwidth. As soon as I did, my IDS/IRS made noise several times (I set up my IDS/IRS to play a specific .WAV file when port 25 is hit, to alert me to spammers using JackPot), signifying that several more SMTP port TCP 25 connections were being made.

    They're loading it up so much that the text is flying by so fast I can't read it.

    My goal is to monopolize as much of their connection bandwidth as possible, so they send as much spam as possible to my bit-bucket, where I know it's getting dumped. If I ran with less bandwidth, they'd just find another place to spew through, and it could potentially be an actual open relay, which means people would receive spam, and the spammers would get visitors (and buyers).

    Too bad I don't have a larger pipe... I'd love to see them trying to fill a 45Mbps connection.

    Has anyone else set up JackPot? If so, the first thing you should do is configure it so that when you submit it to the open-relay testing sites, it'll relay pretty much everything. I did this by drastically shortening the time required between email messages (right now, I've got it set up to bit-bucket everything with more than one recipient, and everything sent sooner than 25 seconds after a previous message... you should set it up with a high recipient count and a low time duration between emails before submitting it for testing).

    Submit your JackPot for testing... once it passes and you're listed as an open relay (especially if you find overseas testing websites... they're most likely set up by spammers to find and exploit open relays submitted by people who don't know any better), the spammers will come flocking. Then you can tighten up the settings to bit-bucket everything with more than one recipient, or if it's sent sooner than a certain time limit.

    Let me know how it goes... perhaps we could keep stats counts to compare how everyone is doing.

  19. Hi, all.

    Well, I've got 21 spammers connecting to my JackPot teergrube/honeypot right now, and I've blocked around 400,000 spam emails.

    Another bit of good news... I just talked with an FTC representative, and we're looking into setting it up so the FTC can check the JackPot logs and use them as evidence against spammers.

    Since JackPot records everything (times, dates, IP addresses, headers, message body, etc), it'd be a great resource for them to go after spammers.

    This might be the next phase in spammer hunting...

  20. Here's my jackpot.properties file, to help you in setting it up.

    I've obfuscated the admin username and password, the Httpport, the ServerName, and the htmlpath, of course.

    #####################################################
    #This file contains general configuration data for Jackpot. The first section contains stuff you should customise before running Jackpot for real.

    #This entry specifies the value returned in the "Server: " HTTP header returned by Jackpot.
    #ServerHeader=SMTPD32-6.06
    ServerHeader=Smail 3.1.29.1

    #IP Address where SMTP will be served, if your host is multi-homed. If the host is multi-homed, and this entry is missing or blank, SMTP will be served on all addresses.
    SmtpAddress=

    #Specifies a virtual path for HTML. This defaults to "html", i.e. the root hosts page is http://<jackpot>:<port>/html/hosts.html.
    #If you set this value to "xyzzy", then HTTP requests must be of the form http://<jackpot>:<port>/xyzzy/something.html, otherwise they will elicit a 404. This is supposed to make it easier for Jackpot to be stealthy.
    HtmlPath=xyzzy

    #Specifies an email address to which all mail to postmaster[at][jackpot] or abuse[at][jackpot] is to be forwarded.
    RoleAccountAlias=

    #UserID for access to Web-Admin.
    AdminUser=admin

    #Password for access to Web-Admin
    AdminPassword=password

    #####################################################
    #The next section contains stuff you might customise to make this Jackpot look different from other Jackpots. If you want to customise these entries, telnet to a real mailserver and see how *it* behaves.

    #Port for serving HTTP; it would be a good idea to change this, because the Jackpot server could be fingerprinted by finding its HTTP server.
    HttpPort=8080

    #This entry specifies the response sent to (all) VRFY requests.
    VrfyResponse=502 VRFY not available

    #This entry specifies the response to (all) EXPN requests.
    ExpnResponse=502 EXPN not available

    #This entry specifies the response to (all) TURN requests.
    TurnResponse=502 TURN not available

    #Specifies the 503 message
    BadSequenceResponse=503 bad command sequence

    #This entry specifies the response to a DATA request.
    DataResponse=enter DATA end with CR.CR

    #This entry specifies the response to a connection request when no threads are available in the SMTP pool.
    DiskFullResponse=452 services unavailable, try again later

    #Controls whether Jackpot adds a Received: header. Defaults to yes. If it doesn't, it's a badly-broken relay.
    AddReceivedHeader=yes

    #Controls whether any Received: header should show the sending host and address.
    #If not, then the received header will show only the return path from the HELO (which a spammer would normally forge). If this is No, Jackpot acts as a blind relay.
    ShowReceivedHost=no

    #This entry specifies the name of the mail server, as output in the banner.
    #There are some (commented out) examples below from real mail-servers.
    #MTADescription=ESMTP Sendmail V8
    #MTADescription=SMTPD32-6.06
    MTADescription=Smail 3.1.29.1

    #This entry specifies the name of this machine, used in the response to HELO/EHLO, in any Received: header added by Jackpot to relayed messages,
    #and to construct a postmaster address. Defaults to the name of your localhost (best setting).
    ServerName=mail.pbi.net

    #####################################################
    #This section contains stuff related to logging and so on - general system control.

    #If set to Yes, bounce-messages will be sent for unaliased addresses in this (Jackpot's) domain, and whenever a recipient's mailhosts cannot be contacted.
    #Default is no.
    SendBounceMessages=no

    #This entry specifies the maximum number of recipients in a message-envelope before it is rejected as spam. If you find you are getting relay-requests with multiple recipients, consider raising it.
    MaxRecipients=1

    #Extra time taken to respond to commands when in a spam run.
    #This is applied to every line entered in a HELO dialog; the default is 1s. This is enough to make a HTML message from Outlook Express take almost a minute to enter.
    TarpitDelay=1000

    #The amount of time considered 'too soon' for the purposes of determining if a message should be relayed. Messages submitted via SMTP may also be subject to tarpitting if they arrive 'too soon'. Default is 20s.
    MinSpamInterval=25000

    #This entry specifies the location for log output.
    logfile=jackpot.log

    #This entry controls the size of the ThreadPool. Jackpot will politely decline protocol activities on ports 25 and [HTTP-port] once the number of free threads falls below 5.
    MaxThreads = 150

    #Specifies the nameserver to use. If not provided, uses the system default.
    #NameServer=

    #Specifies the (comma-delimited) names:ports of the HTTP servers to be updated when SMTP traffic is captured.
    LogServers=127.0.0.1:8080

    #Determines whether an Ident service should be offered to abuse.net (speeds up inquiries).
    IdentForAbuse=no

    #Specifies what kinds of message get output to the system logs. This is a bit-set, the values are as follows:
    # SMTP = 1;
    # HTTP = 2;
    # RELAY = 4;
    # STATUS = 8;
    # PROXY = 16;
    # ENVE = 32;
    # CONFIG = 64;
    # DEBUG = 128;
    FileLogging=255
    ConsoleLogging=255

    #Specifies a limit on the number of spams that should be stored for each spam-source.
    MaxStoragePerSource=150

    #####################################################
    #This section specifies timeouts for socket-connections used for several different purposes. Times are in milliseconds.

    #How long to wait for proxy-test results
    ProxyCheckTimeout=10000

    #How long to wait for abuse.net lookups
    AbuseLookupTimeout=10000

    #How long to wait for SBL lookups
    SBLLookupTimeout=5000

    #####################################################
    #This section controls what is running, and how, at system startup.

    #Whether to start the HTTP service.
    StartupHttp=yes

    #Whether to start the SMTP service
    StartupSmtp=yes

    #Whether to start up with relaying enabled
    StartupRelay=yes

    #Whether to start up with tarpitting enabled
    StartupTarpit=yes

    #Whether to start up with POSTing to storage enabled
    StartupStorage=yes

    #Whether to start up with the SOCKSV4 Proxy Server running
    StartupProxy=no

    #####################################################
    #The last section contains stuff you are unlikely to need to change, at least for now.

    #Port for serving SMTP; if you change this, you'll probably be the only person who ever sends mail to your Jackpot server.
    SmtpPort=25

    #This entry restricts the maximum number of messages that can be queued at any one time.
    #The queue is in memory, and Spammy will have to send relay-requests on multiple connections simultaneously to have a chance of filling it up.
    MaxQueueSize=1500

  21. Hi, all.

    I've hammered the spammers into submission so badly that I no longer receive spam in any great quantity. I've only gotten 8 over the last month, and that number is still falling.

    So, I had to find another method of fighting spammers. I decided to set up the JackPot SMTP teergrube / honeypot, from http://jackpot.uk.net/.

    This is a cool Java program... it lets a spammer's test emails be relayed, while blocking the actual spam that is sent. It also keeps a log of spammer activity, and serves that log via a built-in HTTP server. If you open a hole for that HTTP server's port through your firewall/router, you can give the URL for it to ISPs, so they can see for themselves that their users are spamming. And reporting that a user is trying to send hundreds of thousands of spams carries much more weight than reporting that you received a single spam email.

    Anyway, I set up JackPot about a month or so ago, but didn't get any hits on it. So, I contacted Jack Cleaver, the author of the program. He suggested that I submit my JackPot to the various websites for open relay testing, which I did.

    Apparently, that worked. Over the last week or so, I've been getting nibbles from spammers in Taiwan, sending test messages (which, of course, JackPot let be delivered, to trick the spammers into thinking that it was, indeed, an open relay).

    Yesterday, the spammers got serious, and started sending spam, which JackPot is dumping to the bit-bucket. Over the last 24 hours, I've dumped over 200,000 spam emails, mostly addressed to HotMail accounts.

    If everyone using SpamCop also ran JackPot, I think that would allow us to catch a lot more spammers, and it could possibly force the spammers to either quit sending spam (because the chances of getting caught goes up dramatically due to more JackPot servers running, and the spammers are wasting more of their time and resources sending to SMTP servers that then just bit-bucket the spam), or to find another method of spamming.

    Either way, it's a great way to slow them down. Imagine if 1000 people were running JackPot, each dumping 200,000 spams per day. That's 200,000,000 spams that don't get delivered. And it's a lot more spammers getting caught and shut down.

    If you haven't tried it, I highly recommend it.
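    The following is an added example, not Jackpot's code or anything from the posts above. It parses a constructed jackpot.properties excerpt carrying the same keys the posted file uses, decodes the FileLogging bit-set from the earlier post (so you can see that 255 means every category and 128 means DEBUG only), and models the relay-or-bit-bucket decision the post describes: an envelope with more than MaxRecipients recipients, or a message arriving sooner than MinSpamInterval after the previous one, is dumped and tarpitted, while an isolated test message is allowed through. Tracking "too soon" per source IP is my assumption about how a teergrube keeps that state; the real program may differ, and nothing here opens a socket or sends mail.

```python
"""Model of a Jackpot-style teergrube decision (added example, not Jackpot code)."""
from dataclasses import dataclass, field

# Constructed excerpt using the same keys/values as the posted jackpot.properties.
SAMPLE_PROPERTIES = """\
#This entry specifies the maximum number of recipients before rejection as spam.
MaxRecipients=1
#Extra time (ms) taken to respond to commands when in a spam run.
TarpitDelay=1000
#The amount of time (ms) considered 'too soon' for relaying.
MinSpamInterval=25000
MaxThreads = 150
FileLogging=255
ConsoleLogging=255
"""

# Bit values exactly as listed in the posted file's comment block.
LOG_BITS = {"SMTP": 1, "HTTP": 2, "RELAY": 4, "STATUS": 8,
            "PROXY": 16, "ENVE": 32, "CONFIG": 64, "DEBUG": 128}


def parse_properties(text):
    """Minimal Java-properties reader: skips blanks and # comments, splits on '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def logging_categories(mask):
    """Decode a FileLogging/ConsoleLogging bit-set into sorted category names."""
    return sorted(name for name, bit in LOG_BITS.items() if mask & bit)


@dataclass
class Decision:
    action: str     # "relay" (looks like a test message) or "dump" (bit-bucket)
    delay_ms: int   # tarpit delay applied to the session, 0 when not tarpitted
    reason: str


@dataclass
class Teergrube:
    max_recipients: int
    min_interval_ms: int
    tarpit_delay_ms: int
    # Assumed state: last message time per source IP (milliseconds).
    last_seen: dict = field(default_factory=dict)

    @classmethod
    def from_properties(cls, props):
        return cls(int(props["MaxRecipients"]),
                   int(props["MinSpamInterval"]),
                   int(props["TarpitDelay"]))

    def decide(self, source_ip, recipients, now_ms):
        """Apply the two envelope rules described in the post, in order."""
        previous = self.last_seen.get(source_ip)
        self.last_seen[source_ip] = now_ms
        if len(recipients) > self.max_recipients:
            return Decision("dump", self.tarpit_delay_ms,
                            f"{len(recipients)} recipients > MaxRecipients")
        if previous is not None and now_ms - previous < self.min_interval_ms:
            return Decision("dump", self.tarpit_delay_ms,
                            f"{now_ms - previous} ms since last message < MinSpamInterval")
        return Decision("relay", 0, "isolated single-recipient message (test probe)")


def run_demo():
    """Feed a constructed spam-run sequence through the model; returns the actions."""
    tg = Teergrube.from_properties(parse_properties(SAMPLE_PROPERTIES))
    src = "203.0.113.5"  # constructed documentation address
    events = [
        (0, ["probe@example.net"]),                    # first test message
        (10_000, ["a@example.org"]),                   # too soon: spam run starts
        (60_000, ["a@example.org", "b@example.org"]),  # two recipients
        (100_000, ["c@example.org"]),                  # quiet again, one recipient
    ]
    return [tg.decide(src, rcpts, t).action for t, rcpts in events]


if __name__ == "__main__":
    print("FileLogging=255 ->", logging_categories(255))
    print("FileLogging=128 ->", logging_categories(128))
    print("decisions:", run_demo())
```

    The decision order matters: the recipient-count check is evaluated before the timing check, so a multi-recipient envelope is dumped even when it is the first thing a source sends, which matches the post's advice to run with MaxRecipients=1 once the spammers are committed.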

  22. Well, I've only had the occasion to test it a couple times, since I don't get much spam anymore, but the last couple of spam submissions didn't result in the bounce message... so I'm assuming IronPort had something misconfigured and was copying spam submission reports accidentally to a non-existent address.

  23. Sorry, a mix-up in terminology...

    I meant to say that the email address I used to register on the SpamCop website is the same email address that I use to report spam.

    The address that I report to is entered into the VBA code that I created for MS Outlook, so I never have to worry that it's correct. I get a spam, I click a button to report it. Pretty no-brainer.
