Monday, May 11, 2009


Hotmail stupidity protects spammers

Apparently Hotmail (Microsoft Corporation) is now selling private label email service, and some of its customers offer that service "free" to the Nigerian identity theft syndicate.

A typical fraud email offers the usual box of money stranded somehow in Nigeria, and to reclaim it I must email the gov't of Nigeria at atm.cardremmitance@hotellos.nl. (Yes, people actually fall for this. Mostly it's wanna-be con artists who think they're gonna con the Nigerians.) I got three copies. The MX records for hotellos.nl are
hotellos.nl. 86024 IN MX 0 1023266581.pamx1.hotmail.com.
hotellos.nl. 86024 IN MX 10 1023266581.pamx1.hotmail.com.
That is, both MX records point at a Hotmail server (pamx1.hotmail.com), so Hotmail receives and hosts the mail for this Nigerian identity theft mailbox.

The only address that seems to work at all for Hotmail is report_spam@hotmail.com. Abuse@ and Postmaster@ don't work. I sent a complete, simple spam report. Hotmail said:

Unfortunately, in order to process your request, Hotmail Support needs a valid MSN/Hotmail hosted account.

The response came within a couple of minutes. Nobody told the abuse department about these new private-labeled domains. An automatic filter is throwing away reports of Hotmail-hosted spam. Until this is fixed, spammer accounts on Hotmail are pretty much bullet proof.


Sunday, April 13, 2008


ACLU server hijacked for phishing

This is just too funny. From a spam posted to news.admin.net-abuse.email.

Delivered-To: [redacted address]
Received: from exch2.aclu.org (smtp01.aclu.org [65.206.18.18])
   by [redacted hostname] (Postfix) with ESMTP id E004A11423
    for <[redacted address]>; Tue, 8 Apr 2008 10:27:31 -0700 (PDT)
Received: from nyexfe01.aclu.org ([10.1.1.248]) by exch2.aclu.org with Microsoft
    SMTPSVC(5.0.2195.6713);
    Tue, 8 Apr 2008 13:27:06 -0400
Received: from User ([85.120.78.130]) by nyexfe01.aclu.org with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 8 Apr 2008 13:27:05 -0400
From: "PayPal.com"
Subject: To many wrong attemps
Date: Tue, 8 Apr 2008 20:29:01 +0300
MIME-Version: 1.0
Content-Type: text/plain;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID:
X-OriginalArrivalTime: 08 Apr 2008 17:27:06.0036 (UTC) FILETIME=[C42E8F40:01C8999D]
To: undisclosed-recipients:;

Because you have to many wrong attemps on your Paypal login,
we had to put your account on hold.

...
Years ago, when it was still possible to save the public email system, the ACLU carried water for the Direct Marketing (scumbag) Association, convincing Zoe "Clueless" Lofgren (D-CA) that spamming is free speech, not theft of service and illegal conversion of assets. The headers show ACLU runs Microsoft Exchange Server. The innermost Received line shows nyexfe01.aclu.org accepting the message directly from 85.120.78.130, a host that announced itself only as "User", and relaying it out through exch2.aclu.org. Of course it got hacked and the criminal is sending phish spam exercising his first amendment rights with it. I wonder if anybody told them yet.
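Reading a Received chain like the one above is mostly a matter of unfolding the headers and walking them in the right order. The following is an added example, not code from the original post; it embeds the Received lines quoted above as a constructed sample (mx.example.net and victim@example.net stand in for the redacted receiving host and address), parses each hop, flags the bare "User" HELO, and finds where the message entered the trusted part of the chain. The list of trusted domain suffixes is the caller's assumption, not anything the headers themselves prove.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: the Received chain and a few fields from the phish quoted
# above. mx.example.net and victim@example.net stand in for the redacted
# receiving host and address.
SAMPLE = """\
Received: from exch2.aclu.org (smtp01.aclu.org [65.206.18.18])
   by mx.example.net (Postfix) with ESMTP id E004A11423
    for <victim@example.net>; Tue, 8 Apr 2008 10:27:31 -0700 (PDT)
Received: from nyexfe01.aclu.org ([10.1.1.248]) by exch2.aclu.org with Microsoft
    SMTPSVC(5.0.2195.6713);
    Tue, 8 Apr 2008 13:27:06 -0400
Received: from User ([85.120.78.130]) by nyexfe01.aclu.org with Microsoft SMTPSVC(6.0.3790.3959);
    Tue, 8 Apr 2008 13:27:05 -0400
From: "PayPal.com"
Subject: To many wrong attemps
To: undisclosed-recipients:;

Because you have to many wrong attemps on your Paypal login,
we had to put your account on hold.
"""

# "from <helo> (<rdns> [<ip>]) by <host>": the receiving MTA records what the
# peer announced (helo) and what it saw for itself (rdns, ip).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<seen>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw):
    """Received hops in delivery order (origin first).

    Each MTA prepends its own header, so the top one is the last hop; the
    list is reversed to read from the origin forward."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        seen = m.group("seen") or ""
        ip_m = IP_RE.search(seen)
        hops.append({
            "helo": m.group("helo"),
            "from_rdns": seen.split("[", 1)[0].strip() or None,
            "from_ip": ip_m.group(1) if ip_m else None,
            "by": m.group("by"),
        })
    return hops


def is_trusted(name, trusted):
    name = (name or "").lower()
    return any(name == t or name.endswith("." + t) for t in trusted)


def injection_point(raw, trusted):
    """(source IP, accepting host) where the message entered the trusted chain.

    Walks from your own MTA's header back toward the origin, skipping private
    relay addresses (10.1.1.248 here), and stops at the first hop where a
    trusted MTA accepted mail from a host outside the trusted set. Headers
    below a host you do not trust are ignored: a spammer can prepend fake
    Received lines, so only lines written by MTAs you believe count."""
    for hop in reversed(parse_received(raw)):
        if not is_trusted(hop["by"], trusted):
            break
        ip = hop["from_ip"]
        if ip is None or ip_address(ip).is_private:
            continue
        if not is_trusted(hop["from_rdns"] or hop["helo"], trusted):
            return ip, hop["by"]
    return None, None


def suspicious_helo(hop):
    """True when the peer announced a bare single-label name such as "User"
    rather than a fully qualified hostname or an address literal."""
    helo = hop["helo"]
    return "." not in helo and not helo.startswith("[")


if __name__ == "__main__":
    for hop in parse_received(SAMPLE):
        flag = "  <- bare HELO" if suspicious_helo(hop) else ""
        print(f"{str(hop['from_ip']):>15} ({hop['helo']}) -> {hop['by']}{flag}")
    print("entered aclu.org at:", injection_point(SAMPLE, ("example.net", "aclu.org")))
    print("handed to us by:", injection_point(SAMPLE, ("example.net",)))
```

With aclu.org in the trusted set the answer is the 85.120.78.130 connection to nyexfe01.aclu.org, which is the fact worth putting in a report to them; with only your own domain trusted, the answer is the aclu.org relay that handed the message to your MX, which is who you would contact first.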

Saturday, February 16, 2008


who protects Herbal King?

I get more spam from the Herbalking gang than from any other spammer. That's because Herbalking is so confident that he is "bullet proof" that he sends spam to postmaster@ addresses. Those addresses are less heavily filtered than regular users'. Spamhaus seems to think the gang, to the degree that these gangs are based in any particular country, is Indian.

Herbalking sends through botnets. My system rejects spam from most consumer-residential bots, but Herbalking also has bots on compromised web hosts and "small business" and academic servers. Those are the ones that get through here. Every few days I pick one and inform the owner of the compromised server. Unfortunately, hardly anybody else does that. More often than not, the owner's published contact info is wrong, or the reports just disappear. Of the ones who reply, most are grateful. Perhaps a fifth insist that I am wrong, and either the spam could not possibly have come from their equipment or someone else is responsible for that equipment. These people tend to be ignorant of the basics of computer networking and security, and believe that an SMTP sender IP address can be "spoofed" (it can't in practice: SMTP runs over TCP, and a forged source address never completes the handshake) or that their equipment is invulnerable because they bought an "anti virus" product.

Herbalking's "pharmacy" mail order sites are mostly hosted on the rogue ISP "ZBYD" in Beijing. As far as I know, ZBYD is owned and operated by spammers. It's connected to the Internet through Great Wall Broadband Network Service Co., Ltd of Beijing, and its route to North America is through an undersea fiber operated by China Netcom, which terminates in a neutral exchange point in Los Angeles. That's three layers of companies you can't even contact. The only thing that could affect ZBYD would be if the major consumer service providers decided to block traffic from its IP addresses. They won't even talk about doing that. They're lazy and indifferent, and they're not under any real pressure to do it, and recently they've become paranoid about creating the appearance of not offering "net neutrality."

Friday, December 07, 2007


Spamassassin vs Darfur

I run a GNU Mailman list for the International Committee of the Green Party of the US. This morning someone forwarded an essay from blackagendareport.com, questioning the motives and veracity of the "Save Darfur" movement. Several African nations are mentioned, and large numbers of dollars spelled out. It triggered three of Spamassassin's ADVANCE_FEE rules, totaling 7.9 points. My threshold for adding the ***SPAM*** indication to the subject line is 8.3. The additional 0.4 points, from the HTML-only and "no real name" tests, brought it to exactly 8.3, enough to be tagged.

The writer makes a good argument that "Save Darfur" is not what it seems. Spammers are making it hard for his message to get out.

Saturday, June 30, 2007


reporting phishes

If you really want to do something about phishes, don't bother reporting them to your ISP. Millions of people already hit that "this is spam" button. And it's only useful if you do it within a few minutes of your ISP's receiving it.

Instead, open the message source and find the URL of the fake bank site. We call that the payload URL. The whole point of the spam is to get you to go there with a web browser. The fake bank site was created by a dangerous gang of criminals. Don't forget that. Do not visit the URL with a web browser. It probably contains malware and will attack your PC.

Sometimes these are hosted on spammer-friendly ISPs in Eastern Europe or China. Do not report those. But most fake bank or credit union or Paypal sites are hosted on servers that the criminal broke into.

With a little common sense, you can safely figure out where the fake bank site is hosted. Look at the payload URL in the spam message source. You can spot it among the decoys and images because it's the one with "click here" or the domain name of the real bank.

If the payload URL is something like http://www.podunk-realtor.com/images/.hideme/bankofamerica.com/, you can be pretty sure it's a break-in, and the Podunk Realtor and his ISP or web design firm have no idea they are supporting large scale felony fraud. If it's more like http://www.cheaphosting.com/~someguy/bankofamerica.com/, it's probably a shared hosting account at a giant web hosting company, purchased with a stolen credit card. If it's http://www.paypaI.com/ (a subtle misspelling), the hosting company and the Registrar are probably in on it, and there's no point in reporting those. Some web hosting places are so careless that they might as well be in on it.

If it's in eastern Europe or China, leave it to the professionals. Stop here. You do not want to provoke the Russian mafia.

Copy the domain name of the fake bank site out of the message source and trace it (with "tcptraceroute" on unix or "tracert" on MSWindows, or use Samspade.org) to its hosting.

The output of the traceroute starts at your PC (or at Samspade) and shows the route to the fake site. The last item is the compromised server. It may have a domain name that belongs to the ISP, or to one of his customers. With a little practice you'll know which is which at a glance. Look up the IP address in Whois. ISPs generally own their own IP addresses. Even if they don't, it gives you a pretty good clue as to what company owns or controls that end of the route. In the case I called Podunk Realtor, it is probably safe to look at the front page of the Realtor's site with a browser, and find some contact info that way. Look up the domain name on the server, in Whois. That will give you more contact info, of the Podunk Realtor or his ISP or both.

Report the break-in to the owner of the server and his ISP. Out of the hundreds of thousands who received that phish run, you may be the only person to report it properly. Do not include a copy of the spam. That would probably get your report caught by the victim's own spam filter. Just tell them the IP address of the compromised server, and the URL you found in the spam.

You can look up contact addresses of a well-run ISP at www.abuse.net. Or just send to abuse@example.net where, of course, example.net is the ISP's domain name. (If that bounces, report the ignorant ISP to RFC-Ignorant.org.)

Do that with one phish a week and you're doing more than all the times you ever hit "this is spam."
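The procedure above (pull the payload URL out of the message source, decide which of the three cases it is, and send a report that does not contain the spam itself) can be done by a script up to the point where traceroute and whois take over. What follows is an added example, not code from the original post. It works on a constructed sample phish modelled on the pattern described above: decoy image and link URLs on the real bank's domain, and the payload link under a hidden directory on a third party's site. The brand domain, the podunk-realtor.com and cheaphosting.com hosts, and the 192.0.2.10 server address are placeholders; the break-in / shared-hosting / lookalike classification generalizes the three URL shapes given above into a rule, and the homoglyph check covers a few more substitutions than the capital-I trick mentioned.

```python
import re
from urllib.parse import urlparse

# Constructed sample phish: real-bank URLs as decoys, payload link on a
# broken-into third-party host.
SAMPLE_PHISH = """\
From: "Bank of America" <alerts@bankofamerica.com>
Subject: Unusual activity on your account
Content-Type: text/html

<html><body>
<img src="http://www.bankofamerica.com/images/logo.gif">
<p>We noticed unusual sign-in activity. Please
<a href="http://www.podunk-realtor.com/images/.hideme/bankofamerica.com/">click here</a>
to confirm your identity.</p>
<p><a href="http://www.bankofamerica.com/privacy/">Privacy policy</a></p>
</body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+')
# Characters that render like the ones they replace; compared before lowercasing.
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})


def host_of(url):
    """Hostname with its original case, so paypaI.com is not lowercased to paypai.com."""
    netloc = urlparse(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":")[0]


def registrable(host):
    """Naive owner domain: last two labels (good enough for .com-style names)."""
    return ".".join(host.split(".")[-2:])


def skeleton(name):
    return name.translate(HOMOGLYPHS).lower().replace("rn", "m")


def classify(url, brand):
    """Which of the cases described above a URL falls into."""
    raw_host = host_of(url)
    host = raw_host.lower()
    path = urlparse(url).path
    if host == brand or host.endswith("." + brand):
        return "legitimate"          # a decoy pointing at the real bank
    if skeleton(registrable(raw_host)) == skeleton(brand):
        return "lookalike"           # paypaI.com: registrar/host likely complicit
    if path.startswith("/~"):
        return "shared-hosting"      # ~user account, probably bought with a stolen card
    if brand in path.lower() or "/." in path:
        return "break-in"            # bank name or hidden dir under someone else's site
    return "unknown"


def find_payload(source, brand):
    """The URL the spam wants a browser to visit: a link that is not the real
    bank and is labelled "click here" or carries the bank's name."""
    for href, text in ANCHOR_RE.findall(source):
        label = re.sub(r"<[^>]+>", "", text).lower()
        if classify(href, brand) != "legitimate" and (
                "click here" in label or brand in href.lower()):
            return href
    for url in URL_RE.findall(source):      # fall back to any non-bank URL
        if classify(url, brand) != "legitimate":
            return url
    return None


def plan(url, brand):
    """Report or skip. Geolocation (eastern Europe / China) and the whois and
    abuse.net lookups for the real contact are manual steps left to the reader."""
    kind = classify(url, brand)
    if kind == "lookalike":
        return {"kind": kind, "action": "skip"}
    if kind in ("break-in", "shared-hosting"):
        return {"kind": kind, "action": "report",
                "contact": "abuse@" + registrable(host_of(url).lower())}
    return {"kind": kind, "action": "investigate"}


def draft_report(url, server_ip):
    """Only the IP and the URL: a copy of the spam would be filtered out."""
    return (f"A phishing page is being served from {server_ip}.\n"
            f"URL seen in spam: {url}\n"
            "The host appears to have been broken into; please remove the page "
            "and check it for other tampering.\n")


if __name__ == "__main__":
    payload = find_payload(SAMPLE_PHISH, "bankofamerica.com")
    print(payload, plan(payload, "bankofamerica.com"))
    print(draft_report(payload, "192.0.2.10"))   # 192.0.2.10: placeholder for the traceroute/whois result
```

The "abuse@" address is only the starting point the post gives; the whois lookup on the server's IP, the abuse.net lookup, and the decision to stop when the host turns out to sit on a spammer-friendly network are still done by hand.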

Friday, June 29, 2007


Sender Address Verification: we told you so

When we started seeing SMTP callbacks, aka "Sender Address Verification," several members of news.admin.net-abuse.email, including myself, said it was a Bad Idea.

It's trivially easy to get around SAV. The spammer just puts known deliverable addresses in his envelope-sender. Of course he needs to use thousands or millions of those in each spam run, to evade statistical filters. I'm surprised it took until now for them to figure that out. And because they have to be deliverable, it takes a higher quality list for the fake senders than for the spam recipients.

Meanwhile, there are still a lot of "anti-spam appliances" and other broken SMTP servers that accept mail for bad addresses and then return it, rather than refusing it at RCPT TO time. But you can't return spam once you've accepted it into your queue: the envelope sender is forged, so you don't have an address for the spammer, and he isn't interested anyway. So the returned spam messages, delivered to whoever's address was forged, become a new form of spam known as "backscatter." Until recently, the Barracuda appliance in its default configuration sent backscatter. They've fixed that. Qmail-1.03 sends backscatter. There are patches for that. One popular Qmail backscatter patch is called "chkuser."

Two unforeseen consequences combine to do further harm: SAV is becoming popular, and backscatter is still with us. The backscatter used to go to the same poor-quality address lists the spammers send to, so most of it never got delivered; it stuck in the Barracuda appliance or Qmail queue. Now that spammers forge deliverable senders to get past SAV, the backscatter is getting delivered, adding to the spam load and degrading the statistical filtering results.

Not only are spammers destroying the public email system, but misguided Final Ultimate Solutions to the Spam Problem (FUSSPs) are damaging it too.
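The interaction described in this post is easy to see in a small model of three mail domains. The following is an added example, not code from the original post or from any of the products named: one domain does SMTP callbacks (SAV), one accepts mail for unknown users and bounces it afterwards (the unpatched Qmail / old Barracuda behaviour), and one is the innocent domain whose addresses the spammer forges. The domain names, users and the four-message spam run are constructed; the callback is modelled as a direct "does this mailbox exist" probe rather than a real SMTP session, and a rejected DSN is recorded as stuck in the bouncing site's queue. The same run is played twice, once with a made-up forged sender and once with a harvested, deliverable one.

```python
from collections import Counter


def split_addr(addr):
    user, _, domain = addr.rpartition("@")
    return user, domain


class MTA:
    """One receiving domain's mail server.

    policy 'reject': refuse unknown recipients with 550 at RCPT TO, so the
    sending MTA (for spam, the bot) is the one that has to deal with it.
    policy 'accept-bounce': take everything, then generate a DSN to the
    envelope sender.
    sav: before accepting, probe the envelope sender with a callback."""

    def __init__(self, domain, users, policy, sav=False):
        self.domain, self.users = domain, set(users)
        self.policy, self.sav = policy, sav
        self.inbox = Counter()   # user -> messages delivered (spam and backscatter alike)
        self.stuck = []          # DSNs this site generated that nobody would accept


class Net:
    def __init__(self):
        self.mtas = {}

    def add(self, mta):
        self.mtas[mta.domain] = mta

    def callback(self, sender):
        """SAV: open a session to the sender's MX and ask RCPT TO:<sender>.
        Modelled here as a direct mailbox lookup (constructed, not real SMTP)."""
        user, domain = split_addr(sender)
        mta = self.mtas.get(domain)
        return mta is not None and user in mta.users

    def send(self, mail_from, rcpt_to):
        """Deliver one envelope; return the SMTP-level outcome as a label."""
        user, domain = split_addr(rcpt_to)
        mta = self.mtas.get(domain)
        if mta is None:
            return "no-mx"
        # The null sender (<>) is what DSNs use; SAV has to let it through.
        if mta.sav and mail_from and not self.callback(mail_from):
            return "550-sender-verify-failed"
        if user in mta.users:
            mta.inbox[user] += 1
            return "250-delivered"
        if mta.policy == "reject":
            return "550-no-such-user"        # refused in-session, nothing generated
        # accept-bounce: 250 now, DSN to the envelope sender afterwards.
        if not mail_from:
            return "250-dsn-discarded"       # never bounce a bounce
        result = self.send("", mail_from)
        if result != "250-delivered":
            mta.stuck.append(mail_from)
        return "bounced->" + result


def simulate(forged_sender_deliverable):
    """One small spam run; returns (outcome counts, net) for inspection."""
    net = Net()
    net.add(MTA("sav.example", ["alice"], "reject", sav=True))   # site using SAV
    net.add(MTA("qmail.example", ["carol"], "accept-bounce"))    # accept-then-bounce site
    net.add(MTA("innocent.example", ["dave"], "reject"))          # whose addresses get forged
    if forged_sender_deliverable:
        sender = "dave@innocent.example"     # harvested, known deliverable: passes SAV
    else:
        sender = "nobody@innocent.example"   # made up: fails SAV, and bounces go nowhere
    targets = ["alice@sav.example", "zed@sav.example",
               "carol@qmail.example", "zed@qmail.example"]
    outcomes = Counter(net.send(sender, t) for t in targets)
    return outcomes, net


if __name__ == "__main__":
    for deliverable in (False, True):
        outcomes, net = simulate(deliverable)
        print("deliverable forged sender:", deliverable, dict(outcomes),
              "| backscatter in dave's inbox:", net.mtas["innocent.example"].inbox["dave"])
```

With the made-up sender, SAV blocks both messages to sav.example and the bounce from qmail.example sticks in its queue. With the harvested sender, SAV passes everything, and the same bounce now lands in dave's inbox as backscatter; the reject-at-RCPT site generates nothing in either case.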

Saturday, June 02, 2007


Soloway busted, so what.

Big news, Robert Soloway busted for wire fraud, credit card fraud, CAN-SPAM violations, and using a bot-net.

Big deal. The prosecutor isn't even asking for prison time. That's the strongest signal yet that the US Government doesn't actually regard spamming and creating and running bot-nets as criminal behavior. It shows how successful US spammers have been at positioning themselves as persecuted entrepreneurs, not as criminal gangs. You can thank the Direct Marketing Association, the American Civil Liberties Union, and corrupt, stupid congresscritters like Zoe Lofgren for that.

And you can thank the US "news media" for spiking the story as systematically as they have blacked out anything in the Project Censored Yearbook.

Creating and using a bot-net is one of the most destructive computer crimes. A single bot-net operation can cause hundreds of millions of dollars of economic loss to consumers and businesses. Imagine if some criminal invented an automatic way to break into a hundred thousand people's cars and misuse them. Now imagine the DMA and the ACLU said that's okay, it's free speech!

Why is that so hard to understand? Because computers are "technical" and cars aren't?
