[IP] [linford@xxxxxxxxxxxx: MEDIA: Spamhaus article on the 'Sobig' Spamware Author and MCI's hosting of spam gangs]
_______________ Forward Header _______________
Subject: Fwd: [linford@xxxxxxxxxxxx: MEDIA: Spamhaus article on the
'Sobig' Spamware Author and MCI's hosting of spam gangs]
Author: Rich Kulawiec <rsk@xxxxxxx>
Date: 5th February 2005 11:31:17 am
[ MCI is far, FAR from the only US ISP/host/registrar which is publicly
touting its "anti-spam" policy while privately profiting from it. ---Rsk ]
----- Forwarded message from Steve Linford <linford@xxxxxxxxxxxx> -----
> Date: Fri, 4 Feb 2005 22:17:48 +0000
> From: Steve Linford <linford@xxxxxxxxxxxx>
> Subject: MEDIA: Spamhaus article on the 'Sobig' Spamware Author and MCI's
> hosting of spam gangs
> To: SPAM-L@xxxxxxxxxxxxxxxxxxxx
>
> The Spamhaus Project
> London, 04 Feb 2005
>
> ------------------------------------------------------------
> Article:
>
> Should ISPs Be Knowingly Profiting From Selling Service To Known Spam
> Gangs?
>
> http://www.spamhaus.org/news.lasso?article=158
>
> ------------------------------------------------------------
> Summary:
>
> Since the release of Sobig, spammers have released countless virus
> variants turning millions of private home computers into unwilling spam
> servers. Crucial in this underground spam world is the stealth bulk
> spamming software specially written to take control of private
> computers. Crucial to the distribution are a handful of ISPs knowingly
> aiding the spam gangs. In this article Spamhaus exposes the author and
> distributors of the illegal Send Safe proxy hijacking spamware, and
> exposes one major ISP knowingly hosting the proxy spam gang.
>
>
> ------------------------------------------------------------
> Story:
>
> Email users are under ever-increasing attack by spammers using
> subversive illegal methods to get spam into mailboxes.
>
> With current spam levels at 75% of all email, and the United Nations
> estimating the current cost of dealing with the problem at $25 Billion
> dollars a year, illegal proxy spammers have now once again upped the
> ante releasing improved versions of their stealth proxy spamming
> software with new features to increase spam volumes still further. At
> the current pace, if left unchecked, Spamhaus is warning spam could
> reach 95% of all email traffic by mid-2006.
>
> So where is it all coming from? Over 70% of current spam comes from
> proxies (PCs infected with viruses/trojans). Since the release of
> Sobig, the first commercial spam virus designed by spammers to infect
> PCs turning them into networks of proxies through which spammers then
> send millions of spams anonymously, spammers have released countless
> virus variants, mostly variations of the original Sobig code, and have
> been infecting an estimated 80,000-100,000 new PCs every week.
>
> In spammer 'supermarkets', closed online forums hosted mainly in China,
> Russia and Florida with names such as "Specialham.com",
> "Spamforum.biz", etc., spam gangs sell lists of "fresh proxies" (newly
> infected PCs), offer "Bullet-Proof Hosting" (spam service web sites
> normally based in China), and advise each other on new spam techniques
> and which networks are "spam-friendly" (which networks will host
> spammers and close a blind eye in exchange for the spammers paying for
> high-priced services they don't need).
>
> It is easy to see who some of these ISPs are; one needs look no further
> than Spamhaus' "TOP 10" list of the world's worst 'spam-haven' ISPs
> (http://www.spamhaus.org/statistics.lasso).
>
> Surprisingly, most are American.
>
> Crucial in this underground spam world is the stealth bulk spamming
> software ("spamware"), specially written to take control of private
> computers, usually those on the world's broadband networks, and to use
> them to send out spam for pornography or illegal drugs, without the PC
> owner's knowledge or permission, by acting as an anonymous "proxy" for
> the spammer.
>
> This proxy spamware is mostly written by Russians, and in particular by
> two Russians well known to Spamhaus and western law enforcement
> agencies. By no coincidence, new versions of their proxy spamware
> appear to be released just as new Sobig virus variants make their
> appearance, and the proxy spamware coincidentally has features to
> command the new viruses to operate in new ways.
>
> The two Russians are Ruslan Ibragimov, author of the 'Send-Safe' proxy
> spamware, and Alexey Panov, author of the equally illegal Direct Mail
> Sender ("DMS") proxy spamware, both packages designed specifically for
> hijacking of 3rd party computers and illegal anonymous spamming. Both
> also sell lists of freshly-infected proxies to the spammer community.
> Spamhaus believes Ibragimov and Panov have far too many connections to
> the Sobig virus for these to be coincidences.
>
> Ibragimov's Send-Safe, in particular, has a feature called "Use proxy's
> MX" which is causing a large increase in spam for many ISPs. This
> Send-Safe feature instructs its hijacked proxies to send the spam out
> via the upstream ISP's main mail server (instead of the proxy sending
> the spam out from the infected machine itself). This means that
> billions of spam emails now flood the Internet coming from the main
> mail servers of large ISPs.
>
> AOL was one of the first to notice the trend and reports that some 90%
> of AOL's incoming spam now comes from ISP smarthosts and major relays.
> Email filter firm Messagelabs confirms this is also what they've been
> seeing, as do Time Warner Cable and Earthlink.
>
> So where is this stealth proxy spamware sold and distributed from? For
> Send Safe the answer is, www.send-safe.com, hosted by MCI Worldcom.
>
> This for Spamhaus is the crux of the spam problem, because MCI Worldcom
> not only know very well they are hosting the Send Safe spam operation,
> MCI's executives know send-safe.com uses the MCI network to sell and
> distribute the illegal Send Safe proxy hijacking bulk mailer, yet MCI
> has been providing service to send-safe.com for more than a year.
>
> MCI executives have refused to stop providing service to these gangs,
> insisting that the sale and distribution of stealth spamming software
> is "not against MCI's policy".
>
> For more than a year MCI have flatly refused to stop send-safe.com and
> other proxy spam gangs, which has allowed Send Safe to become one of
> the most sold anonymous proxy hijacking bulk mailers on the spam scene,
> and has had ever more spammers flocking to MCI.
>
> It's no surprise therefore that MCI has consistently occupied first
> place in Spamhaus "TOP 10 World Worst Spam Service ISPs" chart, with
> over 200 spammers and spam gangs on the MCI network in full knowledge
> of the security managers and the General Counsel.
>
> For over two years Spamhaus has repeatedly informed the same MCI
> executives that the distribution of 'stealth' anonymous spamware is
> also illegal in the State of Virginia where MCI UUNet is based. In
> other words, we do not simply see MCI's knowingly servicing known spam
> gangs as highly unethical activity for an ISP to be involved in, we
> also see it as being illegal in MCI UUNet's home state.
>
> Spamhaus has for a long time campaigned for ISPs to cease knowingly
> profiting from hosting known spam gangs and aiding the sale and
> distribution of illegal spamware such as Send Safe and DMS. Spamhaus
> has repeatedly uncovered deals between ISPs and spam gangs, in which
> the spam gangs pay a premium for hosting in return for the host turning
> a blind eye, and seen internal memos in which executives of one ISP
> discuss how much revenue they are making from hosting known spam gangs.
>
> We estimate that MCI earns upwards of US$5,000,000 a year from selling
> service knowingly to known spam gangs, incentive enough for MCI Sales
> executives to want to keep the income coming, no matter what havoc the
> paying spam gangs are wreaking to the Internet.
>
> As at the writing of this article, www.send-safe.com is still connected
> to the Internet by MCI as it has been for over a year, still
> distributing the Send Safe stealth proxy hijacking spamware.
>
> MCI Worldcom's official position on the issue is that MCI can't stop
> their spam gangs selling proxy hijacking spamware from MCI's network as
> that would be 'censoring' the distribution and sale of illegal proxy
> hijacking software.
>
> MCI is the only American, and indeed only Western network, where this
> spam support activity is "not against our policy". Spamhaus maintains
> that MCI's 'protected speech' excuses for servicing known spam gangs
> and proxy spamware distribution sites are dishonest and nonsensical in
> the face of the Internet's spam epidemic.
>
> The following are the many known serious spam issues on MCI Worldcom as
> at the writing of this article, causing high economic damage to the
> Internet and misery to millions of Internet users, and known about by
> MCI executives and MCI's General Counsel:
>
> http://www.spamhaus.org/sbl/listings.lasso?isp=mci.com
>
>
> ------
> Other links:
> http://www.spamlaws.com/state/va.html
> http://www.spamhaus.org/statistics.lasso
----- End forwarded message -----
Archives at: http://www.interesting-people.org/archives/interesting-people/