Interesting People mailing list archives
[linford () SPAMHAUS ORG: MEDIA: Spamhaus article on the 'Sobig'Spamware Author and MCI's hosting of spam gangs]
From: "David Farber" <dave () farber net>
Date: Sat, 5 Feb 2005 10:12:25 -0500
_______________ Forward Header _______________
Subject: Fwd: [linford () SPAMHAUS ORG: MEDIA: Spamhaus article on the 'Sobig'Spamware Author and MCI's hosting of spam gangs]
Author: Rich Kulawiec <rsk () gsp org>
Date: 5th February 2005 11:31:17 am

[ MCI is far, FAR from the only US ISP/host/registrar which is publicly touting its "anti-spam" policy while privately profiting from it. ---Rsk ]

----- Forwarded message from Steve Linford <linford () SPAMHAUS ORG> -----

Date: Fri, 4 Feb 2005 22:17:48 +0000
From: Steve Linford <linford () SPAMHAUS ORG>
Subject: MEDIA: Spamhaus article on the 'Sobig' Spamware Author and MCI's hosting of spam gangs
To: SPAM-L () PEACH EASE LSOFT COM

The Spamhaus Project
London, 04 Feb 2005

------------------------------------------------------------
Article: Should ISPs Be Knowingly Profiting From Selling Service To Known Spam Gangs?
http://www.spamhaus.org/news.lasso?article=158
------------------------------------------------------------

Summary:

Since the release of Sobig, spammers have released countless virus variants turning millions of private home computers into unwilling spam servers. Crucial in this underground spam world is the stealth bulk spamming software specially written to take control of private computers. Crucial to the distribution are a handful of ISPs knowingly aiding the spam gangs. In this article Spamhaus exposes the author and distributors of the illegal Send Safe proxy hijacking spamware, and exposes one major ISP knowingly hosting the proxy spam gang.

------------------------------------------------------------

Story:

Email users are under ever-increasing attack by spammers using subversive illegal methods to get spam into mailboxes. With current spam levels at 75% of all email, and the United Nations estimating the current cost of dealing with the problem at $25 Billion dollars a year, illegal proxy spammers have now once again upped the ante releasing improved versions of their stealth proxy spamming software with new features to increase spam volumes still further. At the current pace, if left unchecked, Spamhaus is warning spam could reach 95% of all email traffic by mid-2006.

So where is it all coming from? Over 70% of current spam comes from proxies (PCs infected with viruses/trojans).

Since the release of Sobig, the first commercial spam virus designed by spammers to infect PCs turning them into networks of proxies through which spammers then send millions of spams anonymously, spammers have released countless virus variants, mostly variations of the original Sobig code, and have been infecting an estimated 80,000-100,000 new PCs every week.

In spammer 'supermarkets', closed online forums hosted mainly in China, Russia and Florida with names such as "Specialham.com", "Spamforum.biz", etc., spam gangs sell lists of "fresh proxies" (newly infected PCs), offer "Bullet-Proof Hosting" (spam service web sites normally based in China), and advise each other on new spam techniques and which networks are "spam-friendly" (which networks will host spammers and close a blind eye in exchange for the spammers paying for high-priced services they don't need). It is easy to see who some of these ISPs are, one needs look no further than Spamhaus' "TOP 10" list of the world's worst 'spam-haven' ISPs (http://www.spamhaus.org/statistics.lasso). Surprisingly, most are American.

Crucial in this underground spam world is the stealth bulk spamming software ("spamware"), specially written to take control of private computers, usually those on the world's broadband networks, and to use them to send out spam for pornography or illegal drugs, without the PC owner's knowledge or permission, by acting as an anonymous "proxy" for the spammer. This proxy spamware is mostly written by Russians, and in particular by two Russians well known to Spamhaus and western law enforcement agencies. By no coincidence, new versions of their proxy spamware appear to be released just as new Sobig virus variants make their appearance, and the proxy spamware coincidentally has features to command the new viruses to operate in new ways.

The two Russians are Ruslan Ibragimov, author of the 'Send-Safe' proxy spamware, and Alexey Panov, author of the equally illegal Direct Mail Sender ("DMS") proxy spamware, both packages designed specifically for hijacking of 3rd party computers and illegal anonymous spamming. Both also sell lists of freshly-infected proxies to the spammer community. Spamhaus believes Ibragimov and Panov have far too many connections to the Sobig virus for these to be coincidences.

Ibragimov's Send-Safe in particular, has a feature called "Use proxy's MX" which is causing a large increase in spam for many ISPs. This Send-Safe feature instructs its hijacked proxies to send the spam out via the upstream ISP's main mail server (instead of the proxy sending the spam out from the infected machine itself). This means that billions of spam emails now flood the Internet coming from the main mail servers of large ISPs. AOL was one of the first to notice the trend and reports that some 90% of AOL's incoming spam now comes from ISP smarthosts and major relays. Email filter firm Messagelabs confirms this is also what they've been seeing, as do Time Warner Cable and Earthlink.

So where is this stealth proxy spamware sold and distributed from? For Send Safe the answer is, www.send-safe.com, hosted by MCI Worldcom. This for Spamhaus is the crux of the spam problem, because MCI Worldcom not only know very well they are hosting the Send Safe spam operation, MCI's executives know send-safe.com uses the MCI network to sell and distribute the illegal Send Safe proxy hijacking bulk mailer, yet MCI has been providing service to send-safe.com for more than a year. MCI executives have refused to stop providing service to these gangs, insisting that the sale and distribution of stealth spamming software is "not against MCI's policy".

For more than a year MCI have flatly refused to stop send-safe.com and other proxy spam gangs, which has allowed Send Safe to become one of the most sold anonymous proxy hijacking bulk mailers on the spam scene, and has had ever more spammers flocking to MCI. It's no surprise therefore that MCI has consistently occupied first place in Spamhaus "TOP 10 World Worst Spam Service ISPs" chart, with over 200 spammers and spam gangs on the MCI network in full knowledge of the security managers and the General Counsel.

For over two years Spamhaus has repeatedly informed the same MCI executives that the distribution of 'stealth' anonymous spamware is also illegal in the State of Virginia where MCI UUNet is based. In other words, we do not simply see MCI's knowingly servicing known spam gangs as highly unethical activity for an ISP to be involved in, we also see it as being illegal in MCI UUNet's home state.

Spamhaus has for a long time campaigned for ISPs to cease knowingly profiting from hosting known spam gangs and aiding the sale and distribution of illegal spamware such as Send Safe and DMS. Spamhaus has repeatedly uncovered deals between ISPs and spam gangs, in which the spam gangs pay a premium for hosting in return for the host turning a blind eye, and seen internal memos in which executives of one ISP discuss how much revenue they are making from hosting known spam gangs. We estimate that MCI earns upwards of US$5,000,000 a year from selling service knowingly to known spam gangs, incentive enough for MCI Sales executives to want to keep the income coming, no matter what havoc the paying spam gangs are wreaking to the Internet.

As at the writing of this article, www.send-safe.com is still connected to the Internet by MCI as it has been for over a year, still distributing the Send Safe stealth proxy hijacking spamware.

MCI Worldcom's official position on the issue is that MCI can't stop their spam gangs selling proxy hijacking spamware from MCI's network as that would be 'censoring' the distribution and sale of illegal proxy hijacking software. MCI is the only American, and indeed only Western network, where this spam support activity is "not against our policy". Spamhaus maintains that MCI's 'protected speech' excuses for servicing known spam gangs and proxy spamware distribution sites are dishonest and nonsensical in the face of the Internet's spam epidemic.

The following are the many known serious spam issues on MCI Worldcom as at the writing of this article, causing high economic damage to the Internet and misery to millions of Internet users, and known about by MCI executives and MCI's General Counsel:

http://www.spamhaus.org/sbl/listings.lasso?isp=mci.com

------

Other links:

http://www.spamlaws.com/state/va.html
http://www.spamhaus.org/statistics.lasso

----- End forwarded message -----