Tech Reporter Pursues Spammer
girish writes "Technology reporter extraordinaire, Mike Wendland, is at it again tracking down spammers. Wendland conducted the infamous interview with Alan Ralsky, the alleged mega-spammer, a few years ago. That article spawned a lively discussion on Slashdot and eventually resulted in hundreds of pieces of junk postal mail flooding Ralsky's million-dollar home. Now Wendland is using a new tool from a service called Project Honey Pot to track email address harvesters. He posted on his technology blog this morning about catching a company that is holding itself out as a legitimate bulk mailer, but appears in fact to be sending to harvested addresses and conducting on the side some other seemingly seedy businesses. Interesting stuff."
spamtraps... (Score:4, Informative)
In a nutshell, it sets up spamtrap e-mail addresses, and any IP that sends mail to such an address is automatically added to the blacklist, and further mails from it are rejected at SMTP level. A false positive can be easily removed from the blacklist manually (for example, PSBL [surriel.com]).
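The mechanism the comment describes, as an added example that is not PSBL's code or anything from the original post: a small policy object that lists a client IP once it delivers to a trap address, answers the RCPT TO decision for later mail from that IP, expires listings, and supports the manual delisting a false positive needs. The trap addresses, IPs and timestamps are constructed for the example.

```python
import ipaddress

# Constructed trap addresses: never handed to a human, so any mail to them
# came from a harvested or guessed list.
TRAP_ADDRESSES = {"trap-0001@example.org", "trap-0002@example.org"}


class SpamtrapBlocklist:
    """Client IPs that delivered to a trap address are listed for `ttl_seconds`.
    Listing is automatic; removal is manual (delist) or by expiry, so a
    false positive can be undone without editing a file by hand."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.ttl_seconds = ttl_seconds
        self._listed = {}  # ip_address -> expiry (epoch seconds)

    def record_delivery(self, client_ip, rcpt, now):
        """Return True (and list the IP) if rcpt is a trap address."""
        if rcpt.strip().lower() in TRAP_ADDRESSES:
            self._listed[ipaddress.ip_address(client_ip)] = now + self.ttl_seconds
            return True
        return False

    def is_listed(self, client_ip, now):
        ip = ipaddress.ip_address(client_ip)
        expiry = self._listed.get(ip)
        if expiry is None:
            return False
        if now >= expiry:          # listing aged out: drop it lazily
            del self._listed[ip]
            return False
        return True

    def delist(self, client_ip):
        """Manual false-positive removal. Returns True if the IP was listed."""
        return self._listed.pop(ipaddress.ip_address(client_ip), None) is not None


def smtp_policy(bl, client_ip, rcpt, now):
    """Decision at RCPT TO time, shaped like an SMTP reply (code, text).

    A listed client is rejected before DATA, so the message body is never
    accepted. Mail to a trap address is accepted (so the sender learns
    nothing) but lists the client for its *subsequent* mail."""
    if bl.is_listed(client_ip, now):
        return (550, "5.7.1 Client host listed by spamtrap policy")
    bl.record_delivery(client_ip, rcpt, now)
    return (250, "OK")


if __name__ == "__main__":
    bl = SpamtrapBlocklist()
    t0 = 1_100_995_200  # constructed epoch timestamp
    print(smtp_policy(bl, "192.0.2.10", "trap-0001@example.org", t0))  # accepted, IP listed
    print(smtp_policy(bl, "192.0.2.10", "alice@example.org", t0 + 60))  # 550 from now on
    bl.delist("192.0.2.10")                                             # operator undoes it
    print(smtp_policy(bl, "192.0.2.10", "alice@example.org", t0 + 120)) # back to 250
```

The expiry keeps a listing from becoming permanent when an address is reassigned, which is the usual complaint against static blacklists; the delist call is the manual removal the comment mentions.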
Re:I have no fear of spammers (Score:5, Informative)
Re:Does it really take that much effort? (Score:5, Informative)
Sure it can.
Creepy spammer approaches creepy trojan writer. Creepy trojan writer rents creepy spammer access to 10,000 compromised PC's on DSL and cable. Creepy spammer commands each compromised PC to send three emails per minute from 11PM to 7AM. Creepy spammer has now sent 1.44 million pieces of email without an obvious flood anywhere and without an obvious IP address to block.
Postfix can help, even with no Spamassassin (Score:3, Informative)
The Postfix Spam Controls [postfix.org] have reduced my spam by 95% without using complex spam filters like Spamassassin.
Spam from Media Dreamland, now from Big Time Fiber (Score:3, Informative)
I added rules in my .procmailrc file to block all e-mails from the IP range of this company; this has worked very well for me (100%/0% positives/negatives).
Interestingly, for a few days I have again been receiving quite similar spams, and this time they originate from the IP range of a company called Big Time Fiber. It turns out that the spams from Media Dreamland abruptly stopped after 10 November (spammer kicked out?) and after a few weeks the spammer apparently found a new hosting service.
I put the following lines in my .procmailrc:
# Tag and discard anything relayed via 204.9.240.0 - 204.9.247.255
:0
* ^Received:.*\[204\.9\.24[0-7]\.
{
  LOG = "[!!!! Big Time Fiber] "
  :0
  /dev/null
}
and just this morning I found the following entries in my procmail log:
[!!!! Big Time Fiber] From rolffarris@newssign.net Sun Nov 21 00:16:08 2004
 Subject: Would you like to stop smoking?
  Folder: /dev/null 1550
[!!!! Big Time Fiber] From benniemilburn@minisaver.net Sun Nov 21 01:55:43 2004
 Subject: Apple 17" iMac G5 Desktop!
  Folder: /dev/null 1705
[!!!! Big Time Fiber] From rhettsmallwood@bigtopsavings.com Sun Nov 21 03:36:04 2004
 Subject: Mortgage interest rates are at their lowest point ever.
  Folder: /dev/null 1739
[!!!! Big Time Fiber] From bruce.tillery@e-goodstuff.com Sun Nov 21 05:20:55 2004
 Subject: Women, something to rock your world
  Folder: /dev/null 1565
[!!!! Big Time Fiber] From donovanragland@e-goodstuff.net Sun Nov 21 07:06:03 2004
 Subject: Test & Keep an IBM Laptop - Product Testers Wanted
  Folder: /dev/null 1623
[!!!! Big Time Fiber] From gilcolvin@bigfoodsavings.com Sun Nov 21 08:46:04 2004
 Subject: You can be smart!
  Folder: /dev/null 1563
As you can see from the type of domain names, these spams are probably from one spammer.
In the past I have received spams using the same trick from Webhostplus, Pharmakon and Aphrodite Marketing, but the spammer (now) operating from Big Time Fiber IP range appears by far the most active.
See also http://ws.arin.net/cgi-bin/whois.pl (fill in "204.9.240.164" in the search box)
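The same Received-header range check, as an added Python example that is not the poster's recipe and not procmail code: it parses a message, takes the client IP each relay recorded, tests it against the network the regex `\[204\.9\.24[0-7]\.` covers (204.9.240.0/21), and produces a log line in the shape of the procmail log above. One caveat the example makes explicit: a `Received:` header can be written by anyone along the path, so only the outermost hops, stamped by relays you trust, should decide; the `trusted_hops` parameter and the sample message (constructed, not real mail) are assumptions of this example. The IP 204.9.240.164 is the one named in the comment.

```python
import ipaddress
import re
from email import message_from_string

# Networks to tag, keyed by the label used in the log line.
# 204.9.240.0/21 is exactly 204.9.240.0 - 204.9.247.255, the range the
# procmail regex  ^Received:.*\[204\.9\.24[0-7]\.  matches.
BLOCKED_NETWORKS = {
    "Big Time Fiber": ipaddress.ip_network("204.9.240.0/21"),
}

# A relay writes the connecting client's address in brackets: "from host [a.b.c.d]".
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message. The outermost Received line is the one our own
# MTA wrote; the second was written by a trusted secondary MX; anything deeper
# would be sender-supplied and not to be trusted.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <me@example.org>; Sun, 21 Nov 2004 00:16:08 +0100
Received: from pleasing.newssign.net (unknown [204.9.240.164])
\tby mx.example.net with SMTP; Sun, 21 Nov 2004 00:15:50 +0100
From: rolffarris@newssign.net
To: me@example.org
Subject: Would you like to stop smoking?

body
"""


def in_blocked_range(ip_text):
    """Label of the network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for label, net in BLOCKED_NETWORKS.items():
        if ip in net:
            return label
    return None


def hop_client_ips(raw):
    """Client IP recorded by each Received: header, outermost (most recent) first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)   # first bracketed literal is the client
        if m:
            ips.append(m.group(1))
    return ips


def classify(raw, trusted_hops=1):
    """Return the label to tag the message with, checking only the client IPs
    recorded by the `trusted_hops` outermost relays; None if nothing matches."""
    for ip_text in hop_client_ips(raw)[:trusted_hops]:
        label = in_blocked_range(ip_text)
        if label:
            return label
    return None


def log_entry(raw, label):
    """One entry in the style of the procmail log shown in the comment."""
    msg = message_from_string(raw)
    return f"[!!!! {label}] From {msg['From']} Subject: {msg['Subject']}"


if __name__ == "__main__":
    label = classify(SAMPLE_MESSAGE, trusted_hops=2)
    print(log_entry(SAMPLE_MESSAGE, label) if label else "no match")
```

With `trusted_hops=1` the sample does not match, because our own MTA only saw the secondary MX (198.51.100.7); with `trusted_hops=2` the secondary's record of 204.9.240.164 is consulted and the message is tagged. Matching every `Received:` line, as the procmail recipe does, is simpler but lets an inner, forged header trigger the rule.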
I read the article. (Score:3, Informative)
So this clown is either stupid and someone really has hacked his box and it's a zombie, or he's playing dead, and has set up the box to appear hacked, and is happily harvesting email addresses anyway. Either way, boxes like these should be shut down. Who leaves an unprotected IIS box exposed to the internet?
I'm curious if anyone is able to resolve that IP address to a street address. It has to be static. Get someone over to that address, see what's going on with this clown.
Re:Spam from Media Dreamland, now from Big Time Fi (Score:3, Informative)
www.bigtimefiber.com resolves to 69.42.98.5 which resolves to host-98-5.approvednews.com.
A lookup on approvednews.com shows that it is owned by:
This can easily be defeated (Score:2, Informative)
Tracking down a spammer in my home state (Score:5, Informative)
A few months back, when the free iPod craze started - a company in my state started sending out emails from:
Product Test Panel
Consumer Research Corporation
Subscriberbase.com
Saying, "Product Testers Wanted". They would go from hot product to hot product. Sometimes, not even released products - like the Nintendo DS was advertised almost 2 months ago - claiming immediate shipment.
I found that they were in my state by reading the actual email and seeing a location in my state and then by confirming it with whois information.
I then sent off an email to the contact. I got an email from a guy named Brian Benehaley. In typical fashion, all of my accusations were denied.
Turns out, if you Google this guy's name - he has written a well respected piece [respected amongst bulk emailers] about how the Can Spam Act will bring a new renaissance in email marketing.
I have since written to the Better Business Bureau about him, and found that the record for the company is now in the thousands of complaints.
I have contacted my state attorney general, who is conducting a thorough investigation.
I contacted the host ISP, Exodus; they have over 12000 complaints lodged against Subscriberbase.com.
I have written a piece that has gotten into Google searches [blogspot.com] - that receives a few emails and comments each week.
More info about Product Test Panel [adzoox.com]
It has been quite fun to research this guy and put various internet tools at my disposal.
This was a good story to see what techniques Mr. Wendland used.
Google, Whois, MY BLOG, The BBB online, My attorney general all helped me
How I stay spam free (Score:5, Informative)
This is how I keep spam from ruining my email while also catching spammers in the act:
I have a domain (examancer.com) and a cheap hosting company that allows unlimited email accounts. Every time I give out an email address I make up one that will remind me why I gave it out (like slashdot@examancer.com, nytimes@examancer.com, someotherservice@examancer.com, etc...). I don't actually have to set up each account because I have all undeliverable mail sent right to my main account. If I start receiving spam, I just look at which address it's sent to and I know right away which company sold my address or which online forum my email was harvested from. If the spam gets too bad, I actually go and create a real mailbox for that address and route it to a black hole... voilà, no more spam.
Re:Education? (Score:3, Informative)
Spammer sends out millions of emails touting an unbelievably low "m or tga ge | r ate". Are you interested in a 30 year, no points fixed 1% interest rate? If you're shopping for a loan, then absolutely.
Suckers check it out. "Want information? Someone will be contacting you shortly. Just give us a little information: name, phone number." The average person on the street - even SPAM haters - will think "This is probably too good to be true, but I'll check it out with a critical eye... I probably won't finance through this scum, but I better know what the going rate is, so I don't get screwed by my local bank...", and they submit their personal information.
Now spammers have a huge list of people shopping for a mortgage. This list is transferred to a semi-legit shell company, who sells it to a completely legit Fortune 500-sized major banking institution. The major banking institution has no idea that these names are collected via SPAM. Under inquiry, the semi-legit company can claim that they "purchase lists of people shopping for mortgages and aggregate them".
Customer gets a call from some Fortune 500 size bank coincidentally asking if they are shopping for a loan, which they are. The Fortune 500 Bank has no clue that there was an offer of 1% 30 year loan, and the sucker has no idea how the major bank got their name. No one's pissed except the 99,999,999 people that were annoyed by the email. And the system continues.
You'll never rid yourself of that problem with education, unless we educate the major companies to consider their sources when buying lists! And even then, since the lists tend to work for the big companies, the problem won't go away anytime soon!
Re:Education? (Score:3, Informative)
I have a slightly better version. (Score:4, Informative)
Re:How I stay spam free (Score:3, Informative)
I use a subdomain, but otherwise do the same thing. It works well, because the sub-domain doesn't get directory harvest attacks, only the main domain (and I only have a couple valid addresses there). Certainly doesn't keep me spam free, but helps to filter out a lot of it.