Thursday, June 14, 2007

DDOSing And Spammers: More Than Just An Annoyance, A Terrorist Threat

I posted this today to Castlecops, who graciously approved it as a story. I'm reposting it here for posterity (and to spread the word.)

We consistently hear about DDOS attacks, but only as a byline story, or only within the tech media. There is a lot of evidence to suggest that these attacks are much more than merely an annoyance or a purely technical threat.

Yesterday, a forum which discussed the methods employed by illegal spammers of every stripe came under attack via what is known as a "Distributed Denial of Service", or DDOS, attack. The forum (www.thecarpcstore.com/phpbb2) wasn't nearly as popular as some of those attended by the technical community. It had a membership of only several hundreds of users. Yet someone out there felt that it was enough of a threat to demand that someone attack it. As I write this, the site is still down. Nobody can be sure when it will return to active service.

A few weeks ago, several very public anti-spam organizations were similarly targeted for a number of days: Spamhaus was targeted, as were several of the routinely used blocklists SURIBL and URIBL.

Spamhaus reported the attack on the usenet newsgroup news.admin.net-abuse.email.

The other attacks were reported by a relatively small sector of the tech media.

This makes it appear as though these types of attacks are not "big news", and has the effect of making them appear to be purely technical in nature, and therefore not of any concern to traditional news media, or ordinary citizens.

Contrast this with the very large-scale attacks against several sites fundamental to the government and other infrastructure of Estonia which commenced on April 27th, reported in The New York Times and CNet News, two very large media entities.

Those attacks were very large scale, and relentless, and had the effect of taking out pretty much any online functionality for any citizens within the country of Estonia. They attacked everything, essentially rendering the entire country helpless to do everyday things like banking, or taking trains (banking and rail services were suspended since all of their infrastructure relies on network services.)

This also never made front-page news, although it did get quite a bit of international attention.

Clearly: criminal groups who choose to attack a site, currently do so with relative impugnity. Attacking a little spam forum like they chose to do yesterday, or spamhaus as they did a few weeks ago, may not look like that big a deal. But how long will it be before they choose to target, say, New York City's JFK airport and their network infrastructure? Or the White House? Or CNN? They appear to want to limit any speech that doesn't meet with their personal view of how things should be. This is obviously unacceptable, but it's not seen as a large enough issue on its own.

The general public still has a long way to go in terms of understanding the implications of their own lack of technical knowledge. The FBI reported yesterday that they have identified one million compromised PC's, all of which could be used for any illicit purpose these criminals desire.

Most of those PC's are in homes of people who bought the computer, and never properly secured it, and probably have no idea that they're being used in these arguably illegal acts. Something has to change regarding this, and it will probably be quite some time before significant change takes place.

Today, it's merely sites that these spammers dislike due to the exposition of their identities or operating procedures. Tomorrow it could be your bank, or your local transit system, or your television stations which are targeted. And it can go on from there. What is it going to take for law enforcement to really seriously investigate and act on these attacks? Merely stating that there are one million PC zombies is nice to know, but it's not solving the problem of what these zombies are doing, and the effect it is having on free speech and other fundamental rights. We as citizens who wish to maintain the existing uses of the Internet and other networks should work more diligently to make sure our governments and law enforcement representatives take this issue seriously, and treat this type of terrorism no differently than they would that of Al Qaeda, Islamic Jihad, or Hezbollah, all of whom could easily make use of these resources.

At the moment the only barrier to taking action against these organizations seems to be the lack of will to do so. I and many others are hoping it won't take the cyber equivalent of a 9/11 to make someone take notice.

SiL / IKS / concerned citizen

Wednesday, June 13, 2007

The Attack Continues...

Well the other shoe just dropped, I guess is the saying.

My old stomping grounds, thecarpcstore.com/phpbb2, was knocked offline this morning by (you guessed it) a DDOS attack.

Given the staggering amount of evidence present here and elsewhere on the web, who do you think it could be that would want to perform that kind of attack? Who would have access to the resources needed to do so? Why members of that old stalwart: bulkerforum.biz of course.

I expect it will be a very small number of days before the boasting begins on that selfsame web forum, and elsewhere.

But what does this accomplish, ultimately? All of the individuals who contributed to that forum: they still hate getting all the spam that these idiots keep sending. They hate that despite asking numerous times to stop sending all of it to them, these spammers haven't stopped. And they hate that not only do they continue to get these unwanted messages, very often they get them twice as much.

How is this good for anyone's business? How hard is it for these moron spammers to recognize that they should just clean their lists? Clearly they don't seem to understand that they're consistently targeting - and thereby abusing - the wrong audience for their so-called "products", and they're wasting a huge amount of people's time, energy and money. They're also ruining the whole experience of the internet in the process.

Spammers love to blame people like me because we "can't find the delete key." That completely misses the point: I didn't want it in the first place, and you just confirmed that you KNEW I didn't want it. That makes you, the spammer, doubly stupid.

Attacking sites which take on the task of compiling data regarding their operations, and reporting and exposing their underlying personnel, only further exposes how tenuous your "business" is in the first place. If all it takes to piss you off is bring more attention to how you operate, doesn't that make it that much more probable that we'll make sure that the same info gets into the hands of someone with more tangible tools to take you down? DDOS'ing our little forum is proof that we've been on the right track for a while, and it's further proof that the spammers somehow think that this information is "dangerous" to have in the public eye. Knocking that forum down won't stop the information from being made available. Nor will it stop those of us who have collaborated so closely over the past year and more to make sure we tell even more people about these scumbags.

Many members on bulkerforum.biz like to make the claim that (a) we're just jealous because they can profit from spamming and (b) that they are only making an "honest" living, and that we hate them for that. ("The terrorists hate our freedom")

They fail to provide any answer at all when it's pointed out that the "drugs" that they are promoting via their spam comes from sites that lie; they're not secure, they have absolutely no support or endorsement from the Better Business Bureau, or Visa, or VeriSign, and the drugs that they sell are fake.

They don't have any answer when we point out that stock spam is indeed an illegal and fraudulent act, which carries with it some very high fines and sentences. How is that an "honest" business.

Fake diplomas: how "honest" is that as a product? That's not legal either. How is it an honest way to make a living? Would you trust a guy to build your house if he had a fake engineering degree? How about your lawyer? How about your doctor? We're supposed to be envious that this is how they make a living? That's total bullshit.

Selling mortgage leads collected via spam may be profitable, but that doesn't make it any more legitimate when you're spamming it to people who aren't even in the US to begin with (easily more than half these idiots' lists are full of peoplle from Canada and overseas, none of whom are supposed to be offered these mortgages in the first place. The spammers know this, yet they don't clean them from their lists, and further to that: they ban the ip addresses for overseas users.

How is any of that "honest" or legitimate? And why on earth would any of us be envious of any spammer who said that they profited from it? People have already started dying from taking some of the fake drugs sold by these illegal pharmacies. What else will it take?

DDOS'ing our forum won't stop that information from getting out, and it won't stop even more people from remaining angry as hell at the people who continue to send this crap out.

There have been not one but two very high profile actions in the past few weeks in the courts regarding illegal spammers. I fully expect that this is only the beginning of a long line of arrests, convictions and guilty pleas still to come. The only question is when, not if, more will take place.

SiL / IKS / concerned citizen

Friday, June 8, 2007

The Attack Begins...

Interesting that "suddenly" both Spamhaus and several of the spam Blocklist sites are all under a large-scale and sustained DDOS attack. Probably the same one that Nick Danger was threatening to undertake (with help from others.) Could this be "the treatment" he had in mind?

A reader posted in a comment on my previous posting that Nick Danger / Marion Lynn is now being lambasted by his fellow comment-posters on ljworld.com.

I'd just like to add that since I'm nowhere near that region, nor do I care to bother with it, I am not a member of that site, and I'm not doing any posting there at all. (It looks like I didn't have to anyway.)

Marion made the following posting:
5 June 2007 at 12:13 a.m.

Marion (Marion Lynn) says...

Oh yare not only getting ready to help with the sales of my book but to bring down Spamhaus and Spam-Court; both of which have malingned me with out proof but with malice aforethought.


Note the date. June 5th. I'm not the only one who did.

On June 8th, a contributor named "Guntrainer" posted the following:
8 June 2007 at 6:25 a.m.

GunTrainer (Anonymous) says...

Compare that with the June 7 news item at http://thespamdiaries.blogspot.com/
"Thursday, June 07, 2007
Spamhaus, uribl, surbl under DDOS attack

This has been ongoing for a couple of days now. Spamhaus and two other major blocking list providers have been under a distributed denial-of-service (DDOS) attack."

I wonder if Nick's buddies realize just how much self incrimination is going on here? How did Nick Danger / Marion Lynn know about this attempt to "bring down Spamhaus" as he puts it, at the very moment it began?

This turkey is asking for an early Thanksgiving.
Indeed!

As a followup: Spam-court.com appears to be back so my previous (lengthy, so apologies) posting on its demise was premature.

DDOS attacks always remind me of a three year old having a tantrum. "Spammer doesn't get what he wants, spammer cries. Spammer want!!"

I would love it if someone would instantiate a "turn off your pc day", where everyone - no matter where they were - HAD to turn off their computer or disconnect it from the internet. Make it some kind of grassroots operation so it fed into the promotion of greenspaces or a music festival of some sort.

Even half of one day with all the infected zombies in the world off the network would sincerely damage these criminals' ability to perform these attacks.

I don't know what it would take to do it but I for one would donate to such a cause.

My thoughts go out to the diligent crews behind these blocklists. People around the world have no idea how much effort they put in to reduce the flood of unwanted crap email that we would all literally be buried under. The term "just delete it" doesn't even come close to solving this obvious problem. Spammers want every one of us to have 10,000 copies of their messages every single day. They get mad when it's "only" 20 or 30 copies a day. Then they throw a tantrum.

I hope this leads to several arrests, since a lot of eyes are watching this one. Nick Danger may not be actively participating in this attack (and in fact it's highly unlikely) but it's clear he and others have been in touch with several individuals, either on bulkerforum.biz or via other means, who could make sure it happened.

SiL

P.S. This has further exposed that Marion Lynn is also involved with a non-profit called "Computer Waste Solutions", who I'm sure would not be happy to learn of his unscrupulous beliefs regarding the treatment of homeless people or operating as a trader of stocks, not to mention the charming company he keeps over on bulkerforum.biz. (Whether he spammed or not, ever in his life, he definitely has a very skewed view of what constitutes fair trading in the stock market.)

It's also brought up that he appears to be a militant pro-lifer with a new book which is about to be published. I'll try researching that one as well, but as I say I'm kind of done with him. I could never have dreamed that the ljworld community would take this and run with it as they have. :)

Thursday, June 7, 2007

Spam-Court - Gone but not forgotten.

Well there we have it. The members of Bulkerforum.biz have successfully managed to bully spam-court off the grid:
spam-court.com is currently under maintenance, has crashed, gone to pieces or whatever. ddos or hacking are also possible explanations. But we have no idea what the specific reason may be. We could be back shortly or not at all. Thank you for your eternal patience. Now do something useful, like hunt down a spammer.
Contact DucksInTwoRows@gmail.com if you have any questions.
This is likely due to their ISP receiving some manner of frivolous lawsuit. If you go over to bulkerforum.biz you will see a lot more bluster from Nick Danger a.k.a. Marion Lynn. I find his whole approach to all of this interesting. In sequence, the following events took place to get us to here. See if you can follow his "logic":


  • spam-court and I both began discovering a series of interesting links which made it clear that Nick Danger was very likely to be Marion Lynn.

  • We slowly began exposing that information, largely because the man is an unconscionable windbag with no moral fibre whatsoever. That seemed to hit a nerve.

  • Nick Danger posted a threat directed at spam-court:

These fuckers need the TREATMENT!

"Spamhaus, Junior"!

SOMEONE needs to do a "Blue Security" on them, like RIGHT THE FUCK NOW!

If this post reads as though I am calling for open warfare on these bastards; that is EXFUCKINGZACTLY what I am doing!.

  • Spam-court correctly assumed that that must mean some manner of DDOS attack, since that is precisely what happened to Blue Security.

  • His DDOS threat was removed by the admins of bulkerforum.biz, and Nick Danger suddenly started backpedalling, stating on the forum that he would send a cease and desist letter, implying that spam-court had somehow stated things which he had not said, or had stated things which were untrue. He never backs any of this up with actual proof.

  • He starts posting statements that spam-court are "are going nuts over there just as I predicted." Why he feels this way is beyond me. (Or anyone else for that matter.)

  • He then begins posting on bulkerforum that he is, as we assumed, Marion Lynn, and that in general we have been right on the money.

Well, by now nearly everyone on the planet knows that my given name is "Marion".

"HI!"

Oh, well.

Big Fucking Deal.

What they do not know is ME!

  • This is an odd thing to say when you're in the midst of telling someone else to cease and desist from doing so. He further confirms that he does indeed have indepth knowledge of how to cover his tracks and how to profit from an illegal market manipulation like stock spamming. But that the knowledge of the act and performing the act are two different things.

  • He posts another tersely-worded entry on bulkerforum.biz stating that he has never spammed, and that (for example) he might know how to build an atom bomb, but that doesn't mean that he is actively making one. The line was edited by one of the admins mere moments after being entered. He also claims he sent what he thinks was a threatening image to someone at spamhaus. (From the description he gave it sounds really ridiculous, not threatening.)

  • In the same posting he claims he mistakenly left his real name when he registered to bulkerforum.biz. What he's completely missing is that that is NOT how any of us discovered his real name. It was painfully obvious that he was the same person posting on numerous other forums. (ironically: something that "anyone" genuinely could discover with a little Googling.)

  • A few posts later he claims that he's always been interested in spamming and that he can't wait to get started doing so, calling it "both the best thing going and the real future of advertising on the internet."



If he's trying to clear his name, he's certainly not going about it the right way at all.

If you are claiming that someone is defaming you, that has to be because:

a) What they are saying about you is not true and could never be proven.
b) What they are claiming you said or did has never been said or done by you.

He clearly HAS said these things. And if he "has knowledge" of how stock spamming works, especially to the level that he seems to, he would have to have acquired that knowledge from someone else who was that much more advanced in performing this (illegal, did I mention?) act.

And what better place to find such a person than on a forum specifically tailored to large-scale spamming, especially of illegal content such as stock spamming?

And now he's re-confirming - on bulkerforum.biz - that he said all of this, and that he is who we thought he is, but that suddenly it's "no big deal." This is thoroughly confusing.

Lynn has since re-countered (at length, ad nauseum) on the NANAE news group that "anyone" could have found out the same information by merely performing a few google searches, and he provided three links to very basic top-level descriptions of what a pump-and-dump stock scam looks like. I know for a fact that that's complete bullshit. It was impossible to discover ANYTHING regarding how stock sponsors work in a stock spam operation, nor did any of these news websites he listed point to any further detailed information regarding the timing of the spam run, when to buy, when to sell, and how to cover your tracks while doing all of this. I know this because I was mad enough about the deluge of stock spam I receive every day that I read everything I could possibly find on the subject, and no major news website covered it to that level of detail.

The only place I ever saw any of this information - all of which can be covered under the charge "conspiracy to commit fraud" - was in his postings on Bulkerforum.biz.

And now he's saying that he DID say these things. So which is it? If you're going to sue someone, you tend to need to stick to your story. I know that spam-court was aware of this, and they let their ISP know that this guy was probably going to be all bluster and hellfire, serving some ridiculous cease and desist.

Marion Lynn should just learn to shut up. After awhile: if you talk enough about performing a criminal act, the cops won't even care that you actually carry it out: they'll just ask you why you're mouthing off about it so much. I get the feeling that day will fast be approaching, and it won't even take a blog posting like mine (or spam-court) to make it happen.

But as you probably all know: I'd certainly love to help it along. :)

I honestly could care less about Marion Lynn anymore, and as such I don't plan on posting anything more about him (unless he starts piping up about this site also.) :) The man has no scruples, and he doesn't care who he pisses off. He should. Because if any legitimate businesspeople discovered he liked to hang around with the likes of the other charming members of a massive spamming forum, I imagine they wouldn't want much else to do with him.

One can always hope.

My thanks go out to the owners of spam-court wherever they are. Hopefully you can come back online someday. Meantime we'll continue to expose these fraudsters and criminals for what they really are.

SiL / IKS / concerned citizen

Wednesday, June 6, 2007

Yambo And Badcow: Even Other Spammers Hate Them

It appears that there are some spammers who even supposed "fellow spammers" despise.

I'm basing this on anecdotal evidence from publicly-posting members of several pro-spam forums, but it seems like both the Yambo Financials and Badcow spammers are pretty much lambasted by many in the bulk email community. This is an interesting development from my point of view. (Yambo and Badcow are the names tossed around in most anti-spam literature regarding the message types, the manner of sending and the types of sites being promoted via spam.)

Most of the people who want to join and communicate on these forums do so because they either want to learn something, or because they want to make deals with other people in the community. Several of them actually ARE what could be considered "good" spammers: they de-dupe their lists, they don't mess with headers, they are what they term to be "compliant" senders, meaning that since CAN-SPAM was passed in the US, they attempt to follow that law's guidelines. I don't doubt that this is true for many users of these forums. There are others who definitely seem to have a weird interpretation of "compliant": they'll still use botnets (which is illegal), or they'll still harvest email addresses and ask around for better ways to do that (not kosher, but unfortunately not illegal). That is not "compliant". But that's nitpicking.

Yambo and Badcow: they don't care who gets their messages. They don't strip anyone from their lists, ever. They don't de-dupe, and they send to the same lists several times a day. They are relentless and they are a total scourge on the Internet at large. Most interestingly: Many other spammers, even rampant ones with their own list issues, hate these guys.

They also seem to add new email addresses to their lists every single day, apparently by doing some form of MX record scans. As an experiment, I set up threee test gmail accounts a while ago to see how long it would take before they all started getting spam. I sent no mail to anyone from them, and I told absolutely nobody about their existence. Then I waited.

Approximately three weeks after signing up, one of the accounts (which started with the letters "aa") began receiving stock spam, and spam for My Canadian Pharmacy. Six weeks from signup date, an account starting with "cd" began receiving spam for Pharmacy Express and different stock spam. The third one, which started with the characters "zd", has yet to receive anything.

This led me to believe that the spammers behind these organizations tend to focus on alphabetically-, or possibly alphanumerically-sorted addresses once they verify that an MX record exists. It's a hunch on my part, but it's not impossible. MX records signify that an address exists and can receive mail. This saves them the trouble of sending to lists containing:

aaaaaaaa@gmail.com
aaaaaaa@gmail.com
etc.


Instead, they just run some form of brute force email address checker against Gmail, or Yahoo, or Hotmail, and then add the "verified" ones to their lists.

I've done similar tests on each of those services, with very similar results.

I'm pretty sure that there must be some kind of custom-written code out there to do verification of valid free-web-mail service addresses, using either a straight brute-force approach or some other method. It wouldn't surprise me.

It's hard to fathom what their return on investment is in continuing to knowingly send so much spam to addresses who absolutely will never respond. It can't be that great. However: both of those groups are known to be run by Russian crime gangs, and I'm sure they honestly don't care. Their numbers must be ridiculously large, not just in terms of the people behind them, but also the sheer volume of data, and the technical infrastructure.

Yambo (responsible for My Canadian Pharmacy, International Legal RX and dozens more) is a group I've been investigating for some time now. They have custom-written unix infections to do their web hosting and DNS serving for thousands of web and DNS domains. They likely have others for consumer-level bot infections.

Badcow (responsible for Pharmacy Express among many others) is most definitely responsible for a wide array of consumer-side windows infections which turn a user's pc into a spam-sending, DDOS-ready zombie. They appear to have some automated method of registering tens of thousands of new domains per day, all with unpronounceable names. Those domains in turn get used to either host new windows infections (for download by one or more bots) or to host the Pharmacy Express (etc.) websites themselves, or be used as supporting DNS domains.

In both cases, they definitely appear to have lots of minions doing their mailing for them. That last part is the hard one to track down obviously.

If I spoke or read Russian, or possibly Romanian, I'd probably be able to get somewhat closer to finding out what possible reasons these goons have for emailing anyone on the planet with their stupid rogue pharmacy scams. Til then I just go after the website domains and their ordering process, which I know has definitely upset some of them.

It was estimated some time ago that since most illegal spammers are using botnets which run without a PC user's consent, their sending is "free", so even seeing a single sale means that "enough" profit is made by the spammer. In the case of both of these groups, their DNS, web hosting and domain name registration processes are also "free" (since they all take place without any of these PC user's consent or knowledge.) They therefore spam everyone twice or three times as hard. How much profit could they possibly be making?! It just doesn't make any sense to me.

If you are one of the many hapless individuals who has purchased "drugs" from any of these sites, you should be aware (as mentioned previously) that this activity can not only hurt people, it can kill them. It already has. We as a society should consider standing up and saying that we don't want these criminal gangs to continue to do this to us.

Recently, Russia has been making louder-than-usual noises about wishing to join the World Trade Organization. One of the first things that international industry focused on was that the popular music website allofmp3.com was not operating above-board in terms of repayment of profits to the appropriate partner companies around the world, and that failure to do something about that website could have a direct impact on their eligibility for WTO membership.

While that's possibly as good a place to start as any, with this much continual spamming of what are known to be illegal fake pharmacy operations right out there in the open, I personally believe that at least one of the member countries (oh, say, the US?) should make some kind of statement along the lines of "when will your country shut down this internationally illegal activity?" and have THAT apply directly to their eligibility to joing the WTO. It's much more tangible, it's much more blatant activity, and there is a lot of documentation out there showing clear connections between these spammers and Russian criminal gangs.

I'm not sure what the straw will be that will break this particular camel's back but I would hope that that kind of action would be a good start. I could be wrong.

SiL / IKS / concerned citizen