Archive for the 'Mail spam' Category

Spam law in Russia

Wednesday, September 13th, 2006

I met Anna Vlasova from Kaspersky labs when I went to Holland for the Spam Symposium earlier this year. She was talking about a new law going into effect this summer, so I asked her for a breakdown. She has allowed me to post her e-mail text here, for all of you to read:

Yes, now we have a new version of some law articles (valid from July 2006), but it is not a ‘spam law’. It regulates the advertising process, so it covers only some part of the e-mail spam. But in Russia most e-mail spam is advertising.

In the latest version of the law, the following points are of crucial importance:

1. The introduction of the concept of ‘advertising distributed via electronic networks’. This means that the law applies to advertising sent via email, and spam which is of an advertising nature will be covered by this law. The word ‘spam’ itself is not used in the law.

2. The law also legislates the ‘opt-in’ principle (i.e. preliminary agreement to receive messages, or a subscription to messages).

3. It is assumed that an agreement to receive such messages does not exist, i.e. the originator of a mailing (for instance, a spammer) will have to show that the user agreed to receive advertising. Otherwise the advertising will be viewed as not in accordance with the law.

4. Automatic mailings are prohibited. It’s true that the law talks about prohibiting the use of tools which work ‘without human participation’. In such cases, it will be difficult to demonstrate that spam is sent fully automatically.

Here is a comment on the new law:
http://www.spamtest.ru/document.html?pubid=183916209&context=9562

and here is the text of the new law (Article 18 covers ‘advertising distributed via electronic networks’): http://www.brandfabrica.ru/law/adv/ In Russian the title of Article 18 is ‘Статья 18. Реклама, распространяемая по сетям электросвязи и размещаемая на почтовых отправлениях’.

Guesspam on Gmail

Saturday, September 2nd, 2006

I created a Gmail account for my mom a few months ago. We gave the address to one other person, and then forgot about it. I found it again today and logged in.

She had 6 messages from her friend, and 46 spam messages (anything from before August 2 had been auto-deleted).
This for an address that’s never been in circulation.

Why? Her username is in the Norwegian dictionary…

Misconfigured mailservers keep on bouncing

Thursday, August 31st, 2006

I found multiple attempts to reach nonsense addresses on one of our domains this morning. It was so weird, I just had to blog it. I’ve redacted the domain, but kept the attempt count.

As far as I can tell, that domain was used as the from address in a spamrun. These message counts represent the MAILER-DAEMON bounces from misconfigured mail servers. When mail is rejected, they just keep on trying.

And no, I don’t accept bounces for non-existing addresses.

36   dang.anything
34   concocter.breadroot
34   Millerbodhisattva
33   cedillaacademe
30   biconcavecircumvent
24   complyambrosial
18   conantcybernetics
14   barnyarddeneb
10   biconcavecannonball
9   acetate.attention

Bounce verification has achilles heel

Saturday, August 12th, 2006

I found this post via Email spam/Topix:

IronPort Wants To Give Bounce Spam The Boot

In short, IronPort wants to outfit their mailserver appliances with technology to sign outgoing mail, so that when a bounce is sent to it, they’ll know if it originated from their server.

The problem with that arises when an IronPort appliance serves an environment where some customers are on other ISPs. It’s customary for an “outside” customer to use the outgoing mail server belonging to his ISP, even though incoming mail goes through the business mail server where his business domain resides.

In order for IronPort’s technology to work, all outgoing mail needs to go through that server, no matter where the sender is. Otherwise, guess what? No bounces, if you sent through an outside mailserver!

The solution is trivial, but enforcing it may not be:

Use an authenticating outgoing mail server, often used on other ports than SMTP. Just a question: How does that affect e-mail clients on cell phones?
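The trade-off described in this post, as an added example that is not from the original post or from IronPort: a simplified signed-envelope-sender check in the style of BATV `prvs=` tags. The key, the tag layout and the 7-day lifetime are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real deployment uses a random, rotated secret.
SECRET = b"constructed-demo-key"
TAG_LIFETIME_DAYS = 7  # assumption: how long a signed sender stays valid


def _mac(expires: int, address: str) -> str:
    """Short keyed digest over the expiry day and the original address."""
    msg = f"{expires:03d}{address.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]


def sign_sender(address: str, today: int) -> str:
    """Rewrite the envelope sender of mail leaving through the signing server."""
    local, domain = address.rsplit("@", 1)
    expires = (today + TAG_LIFETIME_DAYS) % 1000
    return f"prvs={expires:03d}{_mac(expires, address)}={local}@{domain}"


def accept_bounce(rcpt: str, today: int) -> bool:
    """Decide whether a bounce (null envelope sender) sent to rcpt is genuine."""
    local, _, domain = rcpt.rpartition("@")
    if not local.startswith("prvs="):
        # Untagged recipient: the original message never passed the signer.
        # This is also what a real bounce looks like when the user sent
        # through an outside ISP's mail server.
        return False
    tag, sep, orig_local = local[5:].partition("=")
    if not sep or len(tag) != 9 or not tag.isascii() or not tag[:3].isdigit():
        return False
    expires = int(tag[:3])
    if (expires - today) % 1000 > TAG_LIFETIME_DAYS:
        return False  # expired, or dated further ahead than we ever sign
    expected = _mac(expires, f"{orig_local}@{domain}")
    return hmac.compare_digest(tag[3:], expected)


if __name__ == "__main__":
    signed = sign_sender("alice@example.com", today=100)  # constructed address
    print(signed, accept_bounce(signed, today=103))
    # Same user, mail sent via an outside server: the genuine bounce is dropped.
    print("alice@example.com", accept_bounce("alice@example.com", today=103))
```

The second call is the weak spot the post points at: the bounce is legitimate, but because the message left through a server that does not sign, the receiving side cannot tell it from backscatter.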

Big push for Leo Kuvayev spam

Saturday, August 5th, 2006

I received spam associated with Leo Kuvayev to two new addresses today. One is a spam trap, and one is a primary address. So one was harvested somewhere (I’ve put it several places on the web), possibly months ago, and the other was harvested from some discussion list, either directly from the server or list, or an archive site.

In other words, Leo and/or his people seem to have added a lot of addresses to their spam lists today. Which means a lot of new people will be inconvenienced with a steady stream of pills spam.

Leo’s spam is instantly recognizable. Its form is variations on a theme. Several names of pills, with the wrong spelling, in several lines. One pill per line, or even one pill broken into several lines. And then some random text at the bottom.

What was unusual this time (I’ve seen a LOT of his spam) is that the link I load (which is the root of the site, with www in front) contains a frame set with an affiliate link. But the frame with this affiliate link loads a subdirectory on the same domain, and there’s nothing on the payment pages that suggests this is actually an affiliate. So I’m wondering if the affiliate link is a scheme. If you land outside of the rather oddly named subdirectory, you end up with a page asking if you want to have your e-mail removed.

BTW, the copyright line at the bottom now reads:

ED Med Choice Online

But the guys at NANAS seem sure it’s Leo, and the method certainly speaks to that as well.

Null-routing upstream

Sunday, July 30th, 2006

We’ve been fretting over what to do when an ISP or webhost is spam friendly or a spam supporter.

Here’s what the big guys do, such as Steve Linford at Spamhaus.

He contacts the NOC, and gets the IPs null-routed there. So the downstream providers can promise bulletproof hosting all they want, the server will still go down the moment Steve gets on the horn…

Check out Steve’s post on NANAE

BTW, there’s a lot of hilarious stuff in that thread, so click on the link at the top as well: ironserver.com creamed (again)

That post concerns a spammer I’ve written about before:

Spamhaus and one angry spammer

The danger of autoresponders

Wednesday, July 26th, 2006

A friend of mine told me he was making an autoresponder for his main e-mail address. He thought it was a good idea. He was going to use it for a little promotion for his site.

Autoresponders were used a lot years ago. Even I had one. They were a good tool for certain things.

But today the situation is quite different.

Scenario:

1) You’ve got a promotional autoresponder you’re quite proud of. It highlights your website in a beautiful way.

2) The address your autoresponder is hooked up to gets harvested by spammers, and you start receiving spam.

3) One of the spammers favors using the e-mail addresses or catch-all domains belonging to innocent third parties as from addresses.

4) Those third parties receive your beautifully crafted autoresponders.

5) One or more of those third parties reports you as a spammer…

Proof of harvesting

Friday, July 21st, 2006

I just got an e-mail to a spamtrap requesting a return link from one of my websites to: mybaby.net.au

They’d already added one of my pages to a specified subpage.

The thing is, that e-mail address is not connected with that website at all. …except it’s displayed (on the index page) below an image with this text:

The e-mail address below is a spamtrap. Do NOT e-mail. I feed all e-mail to that address to my spamfilters, unread.

None of my visitors have ever tried e-mailing me there…

So, it’s a scraper site, and should be blocked from Google. They boast PR3-4 and rising, so they (almost) know what they’re doing.

From mailspam to webspam?

Wednesday, July 19th, 2006

A newsfactor story claims that more and more spammers are abandoning mail spam in favor of webspam, social networking and IM spam.

We were asking exactly this question at the EU Spam Symposium. Would a webspammer graduate to mail spamming? Would a former mail spammer shift his focus to web spamming?

My gut feeling was that it’s more likely a mail spammer will move on to web spamming than the other way around. I’ve so far been unable to show a concrete example of a webspammer becoming a mail spammer. I have seen plenty of examples of earlier reported spam from a guy I’ve identified as a web spammer, though. Often rather sophomoric mail spam, actually.

The Symposium was a blast

Thursday, June 15th, 2006

Aaah, so, the public part of the symposium was over. It was a packed day, and a lot of really good points. Matthew Prince had a map with dots representing locations where harvesting bots originated, and I was surprised to see Oslo had a dot! That’s unreal. I thought our only outrageous spammer was behind bars!

There was a lot of interest connected to SpammerX. He had a fascinating story to tell. He was a spammer up until a year and a half ago, so his information is still timely. He was sketching out a spammer organization, where everybody has specific jobs, and also talked about how some spamming operations distribute funds based on the referrers going to the main site. That’s something I’ve speculated on, but we see little of that with webspammers. With mailspammers, you have a small group of spammers working for a (for instance) pill manufacturer, so it would be possible to do it by referrer.

I have to go get ready. We’ve got some stuff planned for this evening. I’ll blog more later. I met some other interesting people there today that I hope to hear from soon.