Archive for October, 2005

Prstorm still on Adwords

Monday, October 31st, 2005

Search Engines Web complained about Google giving the wrong signals on Matt Cutts’ post on the Jagger update.
Prstorm was at the top of the second page of Adwords ads, among what could be any number of bad Adwords advertisers, for the search term Link Popularity.

Matt, can you PLEASE get a top Adwords exec to take your call?

I don’t agree with SEW’s conclusion that Google should stop banning for linkspamming, but I do think they should stop taking spammers’ money!

Adsoft-Development and Andrew Kartashov

Sunday, October 30th, 2005

It’s been a while since I’ve busted a spamming operation. I’ve had limited time, and busting takes time. I processed some spam today, and came upon an operation a little bigger in scale than some.

Adsoft Development is a web design company headed by Andrew Kartashov from Russia.

This company designed the pages, and e-mail addresses from a domain they own are used in the whois info of most of these domains. It looks to me like fake whois info apart from the e-mail addresses, but I haven’t checked.

I’ve seen forum posts from Andrew more or less admitting to linkspam, so chances are good he’s the spammer.

Make your router guard your mail

Saturday, October 29th, 2005

Some routers have good firewalls. Mine can restrict the destination address for outgoing ports or port ranges. That means I can set the router to not allow mail to be sent to any mail server other than the one my ISP runs.

If more people did that, fewer zombies would succeed, even if you do get infected. I know my ISP would contact me quickly if I were to send thousands of spam messages through their mail server.

OK, so my router has a firewall a little better than most. But for those of you who are security conscious, check if your router has that capability. And next time you buy one, look for a router that can do that.

Remember, outgoing mail is on port 25. You’d need to find the IP address of your ISP’s mail server(s) and set the destination to that IP address. You can set the netmask to 255.255.255.0 or less. The firewall is probably already set to let outgoing traffic through on that port.

I won’t name brands and models here, but I’ve seen routers with firewalls that can’t be controlled by the user…

What could break?
Authenticated mail going to servers other than your ISP’s. Ideally you should know about this before making the changes to the router. I imagine this trick would be used by corporate IT guys setting up home networks for employees, and by geek friends setting up networks for clueless people. That question should be asked. Also consider putting a sticker on the modem with the username and password (changed from the default).
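As an added illustration (not from the original post), here is a small Python model of the router rule described above: outbound port 25 is permitted only toward the ISP’s mail server network, derived from the server address and the 255.255.255.0 netmask. The relay address and the sample connections are constructed values; the last-but-one entry is the authenticated-mail breakage the post warns about.

```python
import ipaddress
from typing import List, Tuple

# Constructed values: 203.0.113.0/24 is documentation space, not a real ISP relay.
ISP_MAIL_SERVER = "203.0.113.25"
ISP_NETMASK = "255.255.255.0"   # the netmask the post suggests
SMTP_PORT = 25

def allowed_smtp_network(server_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Turn 'server address + netmask' into the network the router will permit on port 25."""
    return ipaddress.IPv4Network(f"{server_ip}/{netmask}", strict=False)

def egress_decision(dst_ip: str, dst_port: int, allowed: ipaddress.IPv4Network) -> str:
    """Model the outbound rule: port 25 only to the ISP's mail network, anything else passes."""
    if dst_port != SMTP_PORT:
        return "ACCEPT"   # not mail; the firewall's normal outbound policy applies
    if ipaddress.IPv4Address(dst_ip) in allowed:
        return "ACCEPT"
    return "DROP"

def audit(connections: List[Tuple[str, int]], allowed: ipaddress.IPv4Network) -> List[Tuple[str, int]]:
    """Return the connection attempts the rule would stop."""
    return [(ip, port) for ip, port in connections if egress_decision(ip, port, allowed) == "DROP"]

# Constructed sample of what an infected machine (and a legitimate user) might attempt.
SAMPLE_CONNECTIONS = [
    ("203.0.113.25", 25),   # legitimate: the ISP relay itself
    ("203.0.113.40", 25),   # same /24, still allowed by the 255.255.255.0 mask
    ("198.51.100.7", 25),   # zombie delivering straight to a foreign MX: dropped
    ("192.0.2.10", 25),     # authenticated mail to another provider: also dropped (the breakage)
    ("198.51.100.7", 443),  # web traffic is unaffected
]

if __name__ == "__main__":
    net = allowed_smtp_network(ISP_MAIL_SERVER, ISP_NETMASK)
    for ip, port in SAMPLE_CONNECTIONS:
        print(ip, port, egress_decision(ip, port, net))
```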

How did Microsoft avoid spamming?

Friday, October 28th, 2005

As I wrote below, Microsoft purposely infected a machine, turning it into a zombie.

But they assured us they’d fixed it so it didn’t ACTUALLY send out any spam.

So, how did they do that? Any guesses?

I’ve got one guess, but I’m sure there are other methods.

Let’s say they use a router. Disable NAT (to make it easier for those controlling the zombies), but instruct the router to drop connections on port 25. Put a packet logger on either the same machine or another machine hooked up so it can log promiscuously. The packet logger gets all the data the machine tries to send.

Any other ideas?

Another idea may be to do some fancy DNS or port manipulation. Any request to port 25 gets sent to a mail server that does all the handshakes necessary, but doesn’t actually send out any messages. Rigging a mail server to receive but not send messages is easy.
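As an added example, not from the original post or from Microsoft’s setup, here is a Python state machine for that second idea: an SMTP sinkhole that completes the handshake, accepts the message and stores it for analysis, but has no way to relay anything. The hostname and the scripted client session are constructed.

```python
from typing import List, Optional, Tuple

class SmtpSinkhole:
    """Completes the SMTP dialogue and stores each message; nothing is ever relayed."""
    def __init__(self) -> None:
        self.sender, self.rcpts, self.body = "", [], []
        self.in_data = False
        self.captured: List[Tuple[str, List[str], str]] = []  # (sender, recipients, body)

    def feed(self, line: str) -> Optional[str]:
        """Handle one client line; return the reply, or None while collecting DATA."""
        if self.in_data:
            if line == ".":  # end of message: keep it for analysis, never deliver it
                self.in_data = False
                self.captured.append((self.sender, self.rcpts, "\n".join(self.body)))
                self.sender, self.rcpts, self.body = "", [], []
                return "250 OK: message captured, not delivered"
            # Dot-stuffing: the client doubles a leading dot (RFC 5321 section 4.5.2)
            self.body.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 sinkhole.example"
        if verb == "MAIL":
            self.sender = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            self.rcpts.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT before DATA"
            self.in_data = True
            return "354 End data with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

def run_session(lines: List[str]) -> Tuple[List[str], List[Tuple[str, List[str], str]]]:
    # Drive the sinkhole with a scripted client; return server replies and captured mail.
    s = SmtpSinkhole()
    replies = ["220 sinkhole.example ESMTP ready"]
    replies += [r for r in map(s.feed, lines) if r is not None]
    return replies, s.captured

# Constructed sample of what a zombie would push through a redirected port 25.
SAMPLE_SESSION = [
    "EHLO zombie-pc", "MAIL FROM:<bogus@example.com>", "RCPT TO:<victim@example.org>",
    "DATA", "Subject: cheap pills", "", "..hidden dot line", "Buy now", ".", "QUIT",
]
```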

Corporate systems only as secure as their weakest link

Friday, October 28th, 2005

I’m continuing the coverage on trojans/zombies and similar problems.

One machine was caught sending spam. Obviously a zombie. Except it turns out that wasn’t a regular machine. It was a server set up as a router. A very secure system, set up in such a way that I don’t see how it could have been hijacked.

But wait, it could have been used as a proxy. I tested it myself, and it was not an open proxy. It was however set up to be a proxy for machines on the inside of that network. So, if a machine on the inside of said proxy had somehow gotten infected with a trojan, this very secure server would happily ferry requests back and forth between the infected machine and the internet at large.

How?

Basically, a good firewall usually does stateful inspection. That means that if someone on the outside sends you a request, it’s denied unless the router is configured to forward requests on a specific port to a specific machine. But an infected machine sends out a request FIRST, and the connections from the bad guys are responses. So a previously infected machine will cut through any firewall relying on NAT and stateful inspection.

But many firewalls are set to block many dangerous ports. Enter the new breed of trojans. The trojans on the infected machines are configured to work on random high ports. Ports that apparently weren’t blocked in this case, and probably aren’t in most cases.

So system administrators may have mysteries on their hands - routers that are reported to be spamming, yet the real culprit is one of the users inside the network. To the outside world, the machine on the inside is never visible, except in some cases the headers will show a private network IP address.
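As an added example (not from the original post), here is Python code that works the header clue mentioned above: it walks the Received headers of a message from the earliest hop upward and reports the first hop carrying an RFC 1918 address, which is the machine behind the router that really sent the mail. The message is a constructed sample; real headers vary in layout, so this only handles the common bracketed-IP form.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional, Tuple

# RFC 1918 ranges only: ipaddress.is_private would also flag documentation space (192.0.2.0/24 etc.).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_rfc1918(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def received_hops(raw_message: str) -> List[Tuple[str, str]]:
    """(claimed host, bracketed IP) for each Received header, earliest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):  # last header = first hop
        words = header.split()
        host = words[1] if len(words) > 1 and words[0].lower() == "from" else "?"
        match = BRACKETED_IP.search(header)
        hops.append((host, match.group(1) if match else ""))
    return hops

def inside_origin(raw_message: str) -> Optional[Tuple[str, str]]:
    """Earliest hop with an RFC 1918 address: the real sender behind the NAT router."""
    for host, ip in received_hops(raw_message):
        if is_rfc1918(ip):
            return host, ip
    return None

# Constructed sample: the router's public address is what the outside world sees, but
# the first Received line still names the workstation on the private network.
SAMPLE_MESSAGE = """\
Received: from gw.corp.example ([203.0.113.9]) by mx.isp.example; Fri, 28 Oct 2005 10:02:11 +0200
Received: from WORKSTATION-42 ([192.168.1.42]) by gw.corp.example; Fri, 28 Oct 2005 10:02:09 +0200
From: bogus@example.com
To: victim@example.org
Subject: constructed sample

Buy now
"""

if __name__ == "__main__":
    print(inside_origin(SAMPLE_MESSAGE))  # ('WORKSTATION-42', '192.168.1.42')
```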

And how can a computer on the inside of a corporate network be “previously infected”?

How many laptops are used on a typical network? How many of those laptops are wielded by clueless users, who connect anywhere and everywhere they can find a connection to the internet? I’d say quite a few. And if some of those laptops are slightly older, chances are they’re running Windows 2000, or even unpatched versions of Windows XP. Parasite city…

Why computers are so slow

Thursday, October 27th, 2005

We’ve heard over and over that the reason computers are slowing down is that they’re full of spyware, adware, viruses and trojans. That is quite often true, but it’s not always the whole truth.

Cheaper computers are still sold with only 256 MB RAM. That’s the internal memory of the computer, and the requirement for running Windows XP is 256 MB. But wait, that’s a base install, with no extras!

The moment you start to load it up with more stuff, you’re screwed. Anti-virus, anti-this and that, printer drivers and lots of other stuff are memory resident, meaning they each eat a chunk of that internal memory, until there’s less available than the machine needs. When that happens, the computer starts doing what we call “swapping to disk”. It writes part of what it needs to keep in the internal memory down to the hard drive, then reads it back in later, while writing something else there instead.

The hard drive is way slower than the internal memory, so that means the computer gets slower and slower as you use it and install more and more programs (and pick up a few parasites along the way).

To run Windows XP today, you ACTUALLY need a minimum of 512 MB RAM. So if your computer has less, you need to think about getting more, today. And don’t buy a new computer with less, no matter how cheap it is. Unless you already have an upgrade lined up, and have verified for sure that you can upgrade it… Adding memory later is often more expensive than adding it up front, just keep that in mind.

Each time Microsoft comes out with a new version of Windows, the real memory requirements go up. And they’re always too optimistic with regards to how much is needed. The computer that seems snappy in the store may end up barely moving once you’ve used it for a while. Even if you’re well within the official hardware requirements for that version of Windows…

Over time I’ve seen many machines that barely move. Examples are:
16 MB - Windows 95
64 MB - Windows 2000
256 MB - Windows XP

Also keep an eye on your C: drive, so it doesn’t fill up. You need at least 500 MB of free space on it, otherwise it may start slowing down. For really old Windows versions, the free disk space requirement is lower, but you still need to keep an eye on it.

At a party, a friend was complaining about his machine. It had suddenly gotten so slow. Turns out his nephew had upgraded it from Windows 98 to Windows XP. Sure, he’d upgraded the hardware too, but even so, those machines were never meant to run Windows XP. I’ll help him if he asks. As long as I can get the modem to work, I’ll switch him to a lightweight Linux…

Just for a lark, boot these machines with Damn Small Linux, and see the difference. A lightweight operating system can make slow machines fly! And no, booting from CD won’t damage your Windows machine. Check out the hardware requirements: 16 MB, and a 486DX! That was quite a few years ago!

If you need some heavy duty Windows rescue, you should check out the full Knoppix CD, and this article on various rescue tricks.

———–

Update: What are the odds? Yahoo had an article entitled What’s Slowing Down Your PC? on that same day. Found it through Katemonkey, who also linked to a few posts from my blog.

——–

2nd update: Some computers are slow because they are filled with adware and spyware. Some are also running trojans, participating in sending out spam, attacking other machines and a host of other things. All without the knowledge of the user. If you even SUSPECT this is the case with your machine, start all over: a fresh Windows install. Not a rescue install. Back up all your data, then remove the partition Windows was on and make a new partition.

Zombie lawsuit from Microsoft

Thursday, October 27th, 2005

Caught this little nugget at Spam Kings.

Microsoft is suing a bunch of John Doe spammers, responsible for misusing a computer Microsoft intentionally infected.

Guys, make sure you listen to that MP3 file where Microsoft explains what they did and what happened next. The numbers were especially interesting. Imagine how many computers are out there spewing out millions of spam e-mails!

Suing John Does is a common legal tactic. The name John Doe is a placeholder for names they will discover through the use of subpoenas.

Whatever it is, you’ll find it on a scraper site

Thursday, October 27th, 2005

I was searching for info on a specific motherboard today. And one of the hits high up in Google was a scraper site. So OBVIOUSLY a scraper site. It had an on topic file name and heading, and then Adsense taking up much of the window. The bottom half of the screen was some generic nonsense about computers. It’s as if they’d used mail merge in Word to get the name of the motherboard in there, in a generic generated text. At the bottom there SEEMED to be the typical scraper links. Except they’d switched the real links for links to that SAME page.

Grrrr….

How many times have we heard scraper site/search engine spammers say they think their pages add value to search results? Exactly how dumb do they think we are?

And just so we can compare oranges to oranges, here’s the page:
computer-infocentre.com/intel-ga-6zma.html

Why treat sploggers any differently?

Wednesday, October 26th, 2005

When I handle comment or trackback spam that uses trampolines, I routinely check for the sites the trampolines redirect or link to. Then I add those sites to the list of domains to be blacklisted on Google too. The whole reason the spammers use trampolines is that they’ve “lost” a good number of domains to blacklisting of various forms, and don’t want to lose any more. By checking for the money sites, you’ll hurt them a little bit more.

But why should we treat sploggers any differently? If the goal is, as Joe says, to get PR for their money sites, then we should get those blacklisted too.

But slow down a little: Reporting the money sites isn’t as easy as counting all the links on a splog. I’ve seen few splogs, but those I’ve seen have mixed legitimate sites into the links. And I’ve seen affiliate links. So if you want to report the money sites, you need to know what you’re seeing before you start reporting.

New term: Trampolines

Monday, October 24th, 2005

Update:
Another term widely used is feeder sites. That’s probably a better term.

—————

Had a new commenter here who’s commenting on black and white SEO. He had a new (for me) term for freebie sites and dyndns subdomains:

Trampolines

Rathamahata, I should probably tell you that Google DOES ban subdomains and folders as well. Not just whole sites. It’s just that the volume of those trampolines makes it difficult to catch all of them. This has been going on for a long time. But your term is good, so I’ll appropriate it.