Feeds

Spam fighters infiltrate spam clubs

Tales from the underground

  • alert
  • submit to reddit

SANS - Survey on application security programs

Spam fighters are gaining vital clues in the battle to keep in-boxes clean of junk mail by infiltrating spammer clubs.

Online spammer forums like the Pro Bulk Club the Bulk Club and bulkmails.org have been gatecrashed by activists from organisations like Spamhaus. Steve Linford of Spamhaus said spammers know this already but they don't know who amongst their number is working for the other side. In theory the members-only forums of these sites is accessible only by invitation and only to individuals who have a proven track record in spamming. Apart from playing with the paranoia of spammers, the undercover investigation cast light on the latest spammer techniques.

Instead of using open mail relays or unscrupulous hosts (so-called 'bullet-proof' hosting - in reality, ISPs in developing countries who pull the plug on spammers when enough complaints are received by their upstream provider), spammers are using compromised machines to get their junk mail out. Viruses such as My-Doom and Bagle surrender the control of infected machines to hackers. This expanding network of infected, zombie PCs can be used either for spam distribution or as platforms for DDoS attacks, such as those that many online bookies have suffered in recent months.

Trade in PCs for DDoS attacks typically happens in more anonymous IRC channels, but spammers are tapping into the same resource.

Lists of virus-infected PCs ('fresh proxies' in spammer parlance) are commonly traded in spammer clubs along with spamware (bulk mailing software), according to Linford. He explained that software like Dynamic Mail Sending is specifically designed to send spam through proxies.

"This software rotates through a list of addresses, perhaps sending 10,000 messages from each machine," Linford explains. Spamhaus has established an Exploit Black Lists of compromised hosts, often broadband users, but the latest spam software checks this and goes on the next address if a machine is blacklisted. "With thousands of machines on a list its easy to abandon a few," said Linford.

He explained that traders sell lists, which they try to clean using automated software, to many people. The lists aren't generally exclusive. PCs compromised by MyDoom and the like contact their authors by email or over IRC.

"People selling these fresh proxies are either the virus writers themselves or someone very close to them. I don't know how ties between spammers and virus writers was first forged but there is clearly a strong link there," he added. ®

Related stories

Phatbot arrest throws open trde in zombie PCs
The illicit trade in compromised PCs
Mafia recruiting spammers, crackers, AV chief warns
Big US ISPs set legal attack dogs on big, bad spammers

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.