Wednesday, December 13, 2006
dirty bird award to Yahoo Inc
You already knew Yahoo Mail is the Nigerian advance fee fraud gang's favorite drop-box provider. Just look at where those thousands of widows of the late dictator want you to send your bank information. criminal@yahoo.com. They're easy to create, and, to put it politely, Yahoo isn't very good at discovering them and taking them down.
Most of the spam I've got in the last couple of years has been for pills and scams. The porn spammers have been avoiding me. They're smart enough to know that I file accurate complaints to the right places, and they just don't need the grief. Unlike the pills and other scams, porn is a legitimate business, and they know the value of a suppression list.
But for the last week or so, I've started getting porn spam again, and it's all been from one "company," the Webfinity/Python Video/Dynamic Pipe/Global Media spam gang. The reason I'm seeing it is they're sending it to my postmaster address. That address isn't as heavily guarded as the others, because it needs to accept spam reports from blocked addresses with filter-triggering content. (That's complying with the letter and spirit of IETF RFC2142.)
This gang has a special modus operandi. They break into people's servers to send their junk. They get better delivery rates that way, compared to sending from botnets in consumer broadband country. But lots of spam criminals are doing that these days. Python's trick is that they also use compromised consumer Microsoft PCs (on cable TV or DSL) to host a special layer of servers: the web servers the spam links point at, and the name servers that resolve those links.
Most spammers just use "bullet-proof" web hosting in China or Romania or Russia (or on Yahoo Small Business). These Python Video guys ultimately send you to their bullet-proof Web site. It's hosted, right now, on an entity called Rackco.com, which is connected to the Internet through oblivious Internet company Teleglobe. I suspect Rackco is just another name for Python Video. It's a pretty common ploy. The spammer pretends to be a hosting company that is struggling with a series of badly behaved (spamming) customers. They could stall Teleglobe that way for years.
But the URL in the Python spam is always hosted on five compromised broadband Microsoft PCs. If you're stupid enough to click on the link in your graphical email program, you get sent to one, chosen at random. This morning, four of them are on Proxad in France, and one is in South Korea. Yesterday it was Comcast and SBC/AT&T. They move around quickly. They support that by using special name service with a short time-to-live (TTL) on the records, so resolvers throw the old answers away within minutes and pick up whichever compromised PCs are in rotation now, and that name service is itself hosted on consumer broadband Microsoft PCs. Spamhaus.org calls that technique "fast flux." This morning all four name servers are on Proxad. In the last week, these special "servers" have been hopping around on Time Warner Road Runner, Cox, Optimum Online (Cablevision), Aliant, Bell Canada, Comcast, Eastlink, Cablegalicia (Spain), Cable Bahamas, and Le Groupe Videotron.
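The pattern described above (short TTLs, a handful of A records that change between lookups, and addresses scattered across many consumer networks) is exactly what a fast-flux triage heuristic looks for. The following is an added example, not code from the original post or from anyone it names: it replays a set of constructed DNS lookup snapshots and flags a hostname when the TTL is short, the address set churns between lookups, and the addresses spread over several networks. The hostnames, addresses (RFC 1918 and documentation space), thresholds and the /16-prefix stand-in for an ISP or ASN lookup are all assumptions for the demonstration.

```python
"""Heuristic fast-flux triage over repeated DNS lookups (constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed lookup snapshots: (seconds since start, hostname, TTL, A records).
# "flux.example.invalid" mimics the post's behaviour; "static.example.invalid"
# is an ordinary host for contrast. Neither name nor any address is real.
SNAPSHOTS = [
    (0,    "flux.example.invalid", 180, ["10.1.0.5", "10.1.9.2", "10.2.3.4", "10.7.1.1"]),
    (600,  "flux.example.invalid", 180, ["10.1.0.5", "10.2.8.8", "10.3.4.4", "10.7.1.1"]),
    (1200, "flux.example.invalid", 180, ["10.4.2.2", "10.3.4.4", "10.2.8.8", "10.1.9.2"]),
    (0,    "static.example.invalid", 86400, ["192.0.2.10"]),
    (600,  "static.example.invalid", 86400, ["192.0.2.10"]),
    (1200, "static.example.invalid", 86400, ["192.0.2.10"]),
]


@dataclass
class FluxReport:
    hostname: str
    lookups: int
    min_ttl: int
    distinct_ips: int
    distinct_networks: int
    churn: float        # fraction of consecutive lookups whose A record set changed
    suspicious: bool


def network_key(ip: str) -> str:
    """Stand-in for an ISP/ASN lookup (assumption): collapse the address to its /16.

    Real triage would map each address to an AS or provider, so the network
    count reflects distinct ISPs such as the ones the post lists.
    """
    return str(ip_network(f"{ip}/16", strict=False))


def analyse(snapshots, hostname, *, max_ttl=300, min_ips=5, min_networks=3):
    """Score one hostname's lookups. Thresholds are hypothetical tuning knobs."""
    rows = sorted((t, ttl, frozenset(ips)) for t, h, ttl, ips in snapshots if h == hostname)
    if not rows:
        raise ValueError(f"no lookups recorded for {hostname}")
    all_ips = frozenset().union(*(r[2] for r in rows))
    networks = {network_key(ip) for ip in all_ips}
    changed = sum(1 for a, b in zip(rows, rows[1:]) if a[2] != b[2])
    churn = changed / (len(rows) - 1) if len(rows) > 1 else 0.0
    min_ttl = min(r[1] for r in rows)
    suspicious = (
        min_ttl <= max_ttl            # resolvers must re-ask often for rotation to work
        and len(all_ips) >= min_ips   # more hosts than a small site would ever advertise
        and len(networks) >= min_networks  # spread over unrelated consumer networks
        and churn > 0.0               # and the answer set actually moves between lookups
    )
    return FluxReport(hostname, len(rows), min_ttl, len(all_ips), len(networks), churn, suspicious)


def triage(snapshots):
    """Analyse every hostname present in the snapshots."""
    return {h: analyse(snapshots, h) for h in sorted({row[1] for row in snapshots})}


if __name__ == "__main__":
    for host, report in triage(SNAPSHOTS).items():
        flag = "FLUX?" if report.suspicious else "ok"
        print(f"{host:28} ttl={report.min_ttl:<6} ips={report.distinct_ips} "
              f"nets={report.distinct_networks} churn={report.churn:.2f} {flag}")
```

Three lookups ten minutes apart are enough to show the shape, but in practice the snapshots would come from a resolver log or a scheduled dig, and the churn and network counts would be read over a day or more, since the post's examples rotate across providers over a week.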
The special web servers send a 404 HTTP response, "page not found", but the 404 page comes with a refresh directive that forwards the browser to another page on the same "server", with links to Python's bestiality porn sites in Russia. I guess the 404 is to throw the search engines off or something.
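When pulling one of these pages apart by hand it helps to extract the refresh target without letting anything follow it. The function below is an added example, not code from the original post: given a fetched URL, the status code, the response headers and the body, it looks for a refresh directive (an HTTP `Refresh` header or a `<meta http-equiv="refresh">` tag), resolves the target against the fetched URL and reports whether it stays on the same host, which is the 404-then-forward pattern described above. The sample URL, headers and HTML body are constructed for the demonstration.

```python
"""Pull the forwarding target out of a 404 page that carries a refresh directive."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a 404 whose body still forwards the browser on the same host.
SAMPLE_URL = "http://10.1.0.5/promo/"       # hypothetical compromised host
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_BODY = """<html><head><title>404 Not Found</title>
<meta http-equiv="Refresh" content="0; url=/gallery/index.htm">
</head><body><h1>Not Found</h1><p>The requested URL was not found.</p></body></html>"""

_URL_PART = re.compile(r"""\s*url\s*=\s*(['"]?)(.*?)\1\s*$""", re.IGNORECASE)


def parse_refresh(content: str):
    """Return the URL from a refresh value like '0; url=/x' or '3;URL=\"http://h/\"'.

    A bare delay such as '5' reloads the current page and yields None.
    """
    for part in content.split(";")[1:]:
        match = _URL_PART.match(part)
        if match:
            return match.group(2)
    return None


class _MetaRefresh(HTMLParser):
    """Collect the content attribute of the first <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.content = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.content is not None:
            return
        attributes = {name: (value or "") for name, value in attrs}
        if attributes.get("http-equiv", "").lower() == "refresh":
            self.content = attributes.get("content", "")


def refresh_redirect(fetched_url: str, headers: dict, body: str):
    """Return (absolute_target, same_host) if the response carries a refresh, else None."""
    target = None
    for name, value in headers.items():          # the header form takes precedence
        if name.lower() == "refresh":
            target = parse_refresh(value)
    if target is None:                           # otherwise look inside the HTML
        parser = _MetaRefresh()
        parser.feed(body)
        parser.close()
        if parser.content:
            target = parse_refresh(parser.content)
    if target is None:
        return None
    absolute = urljoin(fetched_url, target)
    same_host = urlsplit(absolute).hostname == urlsplit(fetched_url).hostname
    return absolute, same_host


def suspicious_404(fetched_url: str, status: int, headers: dict, body: str):
    """The pattern from the post: a 404 whose page nevertheless forwards the visitor."""
    if status != 404:
        return None
    return refresh_redirect(fetched_url, headers, body)


if __name__ == "__main__":
    print(suspicious_404(SAMPLE_URL, 404, SAMPLE_HEADERS, SAMPLE_BODY))
```

Nothing here opens a network connection; the point is to record where the page would have sent a browser so the second-hop URL can be reported alongside the first, without visiting either.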
It doesn't do a lot of good to report the compromised Microsoft PCs to the cable companies. They don't care, and even if they were to do something, Python would just rotate in the next set from an endless supply. Python is in Canada. Canada will bust you for selling High Times magazine, but they don't give a damn about Python's ongoing computer crime and exposing minors to bestiality porn. That's business. The porn hosting companies in Russia are part of the gang, untouchable.
The one place where Python's operation touches ground is at its domain name registrations. They churn through dozens or hundreds of domain name registrations per day, at ten bucks a pop. They have to use new names every day to stay ahead of the "seen in spam" block listing. Guess who they use. YAHOO DOMAINS, every time. Think Yahoo Inc doesn't know?
UPDATE Feb. 26 '07 : For the last couple of weeks, the Python gang has been registering its throwaway porn domains with Tucows and Register.com. But the "remove" domains are still on Yahoo.