If your interested in learning how to take down a spammer, read on.  The information that will be provided in this article will only get you started.  Over the years we have had several people ask us to help them deal with a spammer or or bot master.  Most of what we do is investigative work.  By that we mean actually pulling apart the emails or decompiling the bots that we catch.  Granted decompiling is a job that most users cannot do themselves, but the pulling apart emails, you can.

First off, you need to copy your entire spam email message over to plain text file.  An example in how to do this using Microsoft Outlook Express.  The easiest way to do this is to right click on message in the top window, above the preview window, and click on properties.  Then click on details.  After that, you can now see the full raw email with headers.  Right click in that window and select all and the right click again and select copy.  Now your ready to paste that over to a blank text file.  Open up windows explorer and either find a directory that is suitable or create one to place all your investigative work in. 

If your like everyone else, you not immune to the phishing tactics of the scammers or spammers that send you daily junk that tots messages about your banking services being updated.  We have decided to take one such phishing email apart and show you just how crafty these criminals really are.  We start off by receiving the spam message in our inbox like the one below.

If your curious about the bad effects that rouge online pharmaceuticals have, then you must read this report from KnujOn.  They go into depth on the how the criminals are getting away with breaking the laws.  Let us know what you think, by posting your comments in the forums.

News Alert

http://www.icann.org/en/announcements/announcement-07aug09-en.htm

GNSO Fast Flux Hosting Working Group Publishes Final Report

7 August 2009

The Fast Flux Hosting Working Group has just submitted its final report to the GNSO Council.

In May 2008, the GNSO Council launched a Policy Development Process (PDP) that tasked a Working Group to answer a number of questions related to fast flux hosting. Fast flux hosting is a technique that utilizes short Time To Live settings and frequent updates of DNS records to increase a domain’s resiliency. It has legitimate uses, but is widely known as a tactic cybercriminals use to enhance their phishing and pharming gains. The questions the Working Group addressed included:

As more and more spammers and scammers are creating fake sites on the internet these days, its getting even more difficult to know where to report these problems to.  We here at Spacequad AntiSpam Services are more than happy to help out in forwarding your legit complaint thru to the proper channels.  In order for us to help you, we must have some information from you:

Your real full name

Working email address

Mailing postal address (Optional) 

A raw copy of the spam mail that includes:

All header information in tact without modifications or removals

The body of the spam mail

Any of the above information missing or scrambled, will not be processed.

Forward your mail on to spam@spacequad.com and we will also make available all copies on the website  minus any personal identifiable information leading back to you.  Any comments or problems , you can contact us thru our link in the menu above.

MSN was recently attacked on July 13th by a group of Chinese hackers.  This band of miscreants were able to successfully infiltrate MSN's WebMail server to send thousands of emails to various victims around the world using the Hotmail mail servers.  When reporting this this abuse to the Hotmail team, we were rerouted to a help group forum.  This is not good practice to be shunned by turning away a report that was just to notify them of the problem.  Read the full article for more.

It seems that there are a few spammers out there that like to consider themselves above average when it comes to sending illegal email.  These spammers are using a mail server that has been altered to change the header information to suit their needs.  Plus now they are feeling pretty confident that these bogus email, also known as backscatter email, are getting through to the intended recipient.  Trust me, that is the farthest from the truth.  These backscatter email are being trashed or in some cases, not even allowed to connect here.  So do us and every other person that has an email account some place in this world a favor, stop wasting your time, because we'll never see them.  See below for more information and how these creeps make the bogus email work.

Spacequad has now implimented OpenID for easier login capabilities.  So if you have an OpenID account, this means that you can now use it here. 

As of February 12, 2009, Spacequad AntiSpam Services will now start keeping records of websites that host spam.  We are doing this now to allow website owners the opertunity to check this list everyday if they wish, to be alerted that their website has been compromised.  Once put on this list, the URL will not be removed until the spam has been removed from that website listed.  To be removed, the spam messge must be removed, along with the website being secured against further spam postings.  If you are running Snitz Forum software, you are strongly encouraged to update your files, as spammers have discovered security holes that allow them to spam your website.  To be removed, the above conditions must be met and you must contact us with a request.  Only then, once verified, will we remove your domain URL.  To check if your on this list, click here.

Update:

All spam postings made to Spacequad will also be copied and sent to Knujon for further processing.  From there, it will most like put more pressure on the sites hosting the spam within the forums to clean it up.  It could also result in the end domain thats being advertised to be terminated.

Livesearcher.com, a known spammers domain has now been suspended due to excessive spam activities. For almost a year now, the owners of the domain were using techniques such as hacking into forum boards around the world to lay the ground work for their advertising. They would either hack the domain server or just upload their content onto open unprotected sites and display their spam messages. These messages in turn would have a hyperlink associated with their spam messages that would either reroute the visitor back to livesearcher.com or thru to another compromised website that would have the links on that site, then linking back to livesearcher.com.

A recent article that was put out by ICANN reads as follows. The article was mirrored here to allow readers to fully digest and get the story. We wish everyone that is interested in it, please send in your comments or Comments on the Initial Report should be sent to fast-flux-initial-report@icann.org. Original artical can be seen at ICANN. Public comments sent to and received by ICANN, can be accessed at http://forum.icann.org/lists/fast-flux-initial-report

Background

Fast flux refers to rapid and repeated changes to A and/or NS resource records in a DNS zone, which
have the effect of rapidly changing the location (IP address) to which the domain name of an Internet host
(A) or name server (NS) resolves. Although some legitimate uses for this technique are known (see
below), it has within the past year become a favorite tool of phishers and other cyber-criminals who use it
to evade detection by anti-crime investigators.

As we enter into a new year of 2009, spammer are still trying to use websites to advertise their junk.  Any where from pharmaceuticals to pornographic materials are the top favorites.   These miscreants have been hacking into websites, to post their links to other websites, that advertise further.  The end website that actually displays the content, is what the spammer want you to see.  

Over the years, spammers have always used websites to convey their message to some degree or another.  This infiltration into the site owners property and hosting environment has by far been the most intrusive that a spammer or hacker can do to someone, and they do it without regard or remorse to whoever it hurts along the way.  Everyone is effected in one way or another, from the internet providers that the end user is browsing the net, to the host provider of the website, then all the way down to the website owner.  All of this ends up costing us all dearly, while the spammer has next to nothing to pay for while they use your equipment and services for free, to peddle their junk.

We are opening this site up to world wide participation in all supported languages.  If you wish to participate, and have difficulties in English, please post in your native language with a note at the bottom what language it is.  This way others can if needed, translate what you wrote.  We will make all attempts to translate your message into the English standard.

Recently I went thru my logs to clean them up as I do each end of month.  Good thing I noticed this spammer hitting my system at that very same time I was reviewing.  After comparing notes with a few other logs, I noticed a pattern emerging.  This dirty spammer was racking up almost 10 thousand page hits a day.  So I decided to actually go deeper into what they were doing, good thing I did.  They were trying to post to the site using various arguments to try and get by either the captchas, SLV, trackback or firewall.  This went on for several days.

So I decided enough was enough.  I looked at a good majority of the IPs involved and it turned out to only be two blocks located over in Belgrade Serbia.  Below are some of the details.

01/02/09 16:23:00 - Error, invalid username: 'Hypephishit' - IP: 92.48.114.82
01/02/09 16:23:30 - Error, invalid username: 'Hypephishit' - IP: 92.48.114.82
01/02/09 16:23:42 - Error, invalid username: 'Hypephishit' - IP: 92.48.114.82
01/02/09 16:23:49 - Error, invalid username: 'Hypephishit' - IP: 92.48.122.34
01/02/09 16:24:10 - Error, invalid username: 'Hypephishit' - IP: 92.48.122.34
01/02/09 16:24:24 - Error, invalid username: 'Hypephishit' - IP: 92.48.122.34

CastleCops terminates it services and shut down on Tuesday 23 December, 2008.  As written by a contributor of Slashdot.org, Fortran writes:

"Volunteer-powered anti-malware site CastleCops appears to have closed shop. As of Tuesday, December 23, the CastleCops home page notes: 'You have arrived at the CastleCops website, which is currently offline. . . . Unfortunately, all things come to an end.' It was reported back in June that Paul Laudanski, founder of CastleCops and its parent Computer Cops LLC, was taking a full-time job with Microsoft and was 'looking for new management' for CastleCops. The site has also long had problems with funding and with [2]hostile action from spammers. The actual shutdown seems to have taken the security community by surprise; as late as Tuesday evening Brian Krebs was still recommending CastleCops on his Security Fix blog."

Have you often wondered where the spam is being generated now, since the shut down of  McColo.com's internet access by their upstream providers?  Here is a great location to look at for a strong possibility.  We've traced a good chunk of it coming out of the Hollywood Interactive network located at  600 W. 7th Street, Ste. 360, Los Angeles, CA 90017.  They have the IP information:

With the downfall a few weeks ago of the major spammer hub on the internet, the spammers have come back with a vengeance.  They have been working relentlessly to fill up as many forum websites with as much spam postings as they can.  This also unfortunately leaves the website operators vulnerable to many different attacks after the spammer/hacker has infiltrated the website.   We have compiled a short lists of domain names that should be shut down.  The host providers should also terminate their accounts for the same reason as hosting a spam site.

1. ipafeed.com
2. ipadirectory.com

There are other domains that are affiliated with this group.  As we find more, they will be posted here as well as on our master list at http://www.spacequad.com/staticpages/index.php/KnownSpammerDomains