[linford () SPAMHAUS ORG: MEDIA: Spamhaus article on the 'Sobig'Spamware Author and MCI's hosting of spam gangs]

["David Farber" <dave () farber net>]

_______________ Forward Header _______________
Subject:        Fwd: [linford () SPAMHAUS ORG: MEDIA: Spamhaus article on the 'Sobig'Spamware Author and MCI's hosting 
of spam gangs]
Author: Rich Kulawiec <rsk () gsp org>
Date:           5th February 2005 11:31:17 am

[ MCI is far, FAR from the only US ISP/host/registrar which is publicly
touting its "anti-spam" policy while privately profiting from it. ---Rsk ]

----- Forwarded message from Steve Linford <linford () SPAMHAUS ORG> -----

> Date:         Fri, 4 Feb 2005 22:17:48 +0000
> From: Steve Linford <linford () SPAMHAUS ORG>
> Subject: MEDIA: Spamhaus article on the 'Sobig' Spamware Author and MCI's hosting of spam gangs
> To: SPAM-L () PEACH EASE LSOFT COM
>
> The Spamhaus Project
> London, 04 Feb 2005
>
> ------------------------------------------------------------
> Article:
>
> Should ISPs Be Knowingly Profiting From Selling Service To Known Spam 
> Gangs?
>
> http://www.spamhaus.org/news.lasso?article=158
>
> ------------------------------------------------------------
> Summary:
>
> Since the release of Sobig spammers have released countless virus 
> variants turning millions of private home computers into unwilling spam 
> servers. Crucial in this underground spam world is the stealth bulk 
> spamming software specially written to take control of private 
> computers. Crucial to the distribution are a handful of ISPs knowingly 
> aiding the spam gangs. In this article Spamhaus exposes the author and 
> distributors of the illegal Send Safe proxy hijacking spamware, and 
> exposes one major ISP knowingly hosting the proxy spam gang.
>
>
> ------------------------------------------------------------
> Story:
>
> Email users are under ever-increasing attack by spammers using 
> subversive illegal methods to get spam into mailboxes.
>
> With current spam levels at 75% of all email, and the United Nations 
> estimating the current cost of dealing with the problem at $25 Billion 
> dollars a year, illegal proxy spammers have now once again upped the 
> ante releasing improved versions of their stealth proxy spamming 
> software with new features to increase spam volumes still further. At 
> the current pace, if left unchecked, Spamhaus is warning spam could 
> reach 95% of all email traffic by mid-2006.
>
> So where is it all coming from? Over 70% of current spam comes from 
> proxies (PCs infected with viruses/trojans). Since the release of 
> Sobig, the first commercial spam virus designed by spammers to infect 
> PCs turning them into networks of proxies through which spammers then 
> send millions of spams anonymously, spammers have released countless 
> virus variants, mostly variations of the original Sobig code, and have 
> been infecting an estimated 80,000-100,000 new PCs every week.
>
> In spammer 'supermarkets', closed online forums hosted mainly in China, 
> Russia and Florida with names such as "Specialham.com", 
> "Spamforum.biz", etc., spam gangs sell lists of "fresh proxies" (newly 
> infected PCs), offer "Bullet-Proof Hosting" (spam service web sites 
> normally based in China), and advise each-other on new spam techniques 
> and which networks are "spam-friendly" (which networks will host 
> spammers and close a blind eye in exchange for the spammers paying for 
> high-priced services they don't need).
>
> It is easy to see who some of these ISPs are, one needs look no further 
> than Spamhaus' "TOP 10" list of the world's worst 'spam-haven' ISPs 
> (http://www.spamhaus.org/statistics.lasso).
>
> Surprisingly, most are American.
>
> Crucial in this underground spam world is the stealth bulk spamming 
> software ("spamware"), specially written to take control of private 
> computers, usually those on the world's broadband networks, and to use 
> them to send out spam for pornography or illegal drugs, without the PC 
> owner's knowledge or permission, by acting as an anonymous "proxy" for 
> the spammer.
>
> This proxy spamware is mostly written by Russians, and in particular by 
> two Russians well known to Spamhaus and western law enforcement 
> agencies. By no coincidence, new versions of their proxy spamware 
> appear to be released just as new Sobig virus variants make their 
> appearance, and the proxy spamware coincidentally has features to 
> command the new viruses to operate in new ways.
>
> The two Russians are Ruslan Ibragimov, author of the 'Send-Safe' proxy 
> spamware, and Alexey Panov, author of the equally illegal Direct Mail 
> Sender ("DMS") proxy spamware, both packages designed specifically for 
> hijacking of 3rd party computers and illegal anonymous spamming. Both 
> also sell lists of freshly-infected proxies to the spammer community. 
> Spamhaus believes Ibragimov and Panov have far too many connections to 
> the Sobig virus for these to be coincidences.
>
> Ibragimov's Send-Safe in particular, has a feature called "Use proxy's 
> MX" which is causing a large increase in spam for many ISPs. This 
> Send-Safe feature instructs its hijacked proxies to send the spam out 
> via the upstream ISP's main mail server (instead of the proxy sending 
> the spam out from the infected machine itself). This means that 
> billions of spam emails now flood the Internet coming from the main 
> mail servers of large ISPs.
>
> AOL was one of the first to notice the trend and reports that some 90% 
> of AOL's incoming spam now comes from ISP smarthosts and major relays. 
> Email filter firm Messagelabs confirms this is also what they've been 
> seeing, as do Time Warner Cable and Earthlink.
>
> So where is this stealth proxy spamware sold and distributed from? For 
> Send Safe the answer is, www.send-safe.com, hosted by MCI Worldcom.
>
> This for Spamhaus is the crux of the spam problem, because MCI Worldcom 
> not only know very well they are hosting the Send Safe spam operation, 
> MCI's executives know send-safe.com uses the MCI network to sell and 
> distribute the illegal Send Safe proxy hijacking bulk mailer, yet MCI 
> has been providing service to send-safe.com for more than a year.
>
> MCI executives have refused to stop providing service to these gangs, 
> insisting that the sale and distribution of stealth spamming software 
> is "not against MCI's policy".
>
> For more than a year MCI have flatly refused to stop send-safe.com and 
> other proxy spam gangs, which has allowed Send Safe to become one of 
> the most sold anonymous proxy hijacking bulk mailers on the spam scene, 
> and has had ever more spammers flocking to MCI.
>
> It's no surprise therefore that MCI has consistently occupied first 
> place in Spamhaus "TOP 10 World Worst Spam Service ISPs" chart, with 
> over 200 spammers and spam gangs on the MCI network in full knowledge 
> of the security managers and the General Counsel.
>
> For over two years Spamhaus has repeatedly informed the same MCI 
> executives that the distribution of 'stealth' anonymous spamware is 
> also illegal in the State of Virginia where MCI UUNet is based. In 
> other words, we do not simply see MCI's knowingly servicing known spam 
> gangs as highly unethical activity for an ISP to be involved in, we 
> also see it as being illegal in MCI UUNet's home state.
>
> Spamhaus has for a long time campaigned for ISPs to cease knowingly 
> profiting from hosting known spam gangs and aiding the sale and 
> distribution of illegal spamware such as Send Safe and DMS. Spamhaus 
> has repeatedly uncovered deals between ISPs and spam gangs, in which 
> the spam gangs pay a premium for hosting in return for the host turning 
> a blind eye, and seen internal memos in which executives of one ISP 
> discuss how much revenue they are making from hosting known spam gangs.
>
> We estimate that MCI earns upwards of US$5,000,000 a year from selling 
> service knowingly to known spam gangs, incentive enough for MCI Sales 
> executives to want to keep the income coming, no matter what havoc the 
> paying spam gangs are wreaking to the Internet.
>
> As at the writing of this article, www.send-safe.com is still connected 
> to the Internet by MCI as it has been for over a year, still 
> distributing the Send Safe stealth proxy hijacking spamware.
>
> MCI Worldcom's official position on the issue is that MCI can't stop 
> their spam gangs selling proxy hijacking spamware from MCI's network as 
> that would be 'censoring' the distribution and sale of illegal proxy 
> hijacking software.
>
> MCI is the only American, and indeed only Western network, where this 
> spam support activity is "not against our policy". Spamhaus maintains 
> that MCI's 'protected speech' excuses for servicing known spam gangs 
> and proxy spamware distribution sites are dishonest and non-sensical in 
> the face of the Internet's spam epidemic.
>
> The following are the many known serious spam issues on MCI Worldcom as 
> at the writing of this article, causing high economic damage to the 
> Internet and misery to millions of Internet users, and known about by 
> MCI executives and MCI's General Counsel:
>
> http://www.spamhaus.org/sbl/listings.lasso?isp=mci.com
>
>
> ------
> Other links:
> http://www.spamlaws.com/state/va.html
> http://www.spamhaus.org/statistics.lasso

----- End forwarded message -----

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/