Microsoft now employs 100 people with a budget of $10 million dollars (Ok, if you do the math, the average salary is a bit low if they also have benefits or any equipment) to track down people attacking Microsoft's Hotmail service, online fraud, identity theft and spyware. The Direct Marketing Association pays 15 detectives $500,000 (even a lower salary) to work with FBI agents (which are paid government salaries).

http://www.iht.com/articles/522553.html

"Initially you start to work backwards from the e-mail and find that to be a very frustrating route," said Daniel Larkin, chief of the FBI's Internet Crime Complaint Center, the unit that is coordinating Project Slam Spam. "that doesn't lead to a live body. We have collectively realized you have to go the other way and follow the money trail."
On 05/30/04, Sean Donelan <sean@donelan.com> wrote:
Microsoft now employs 100 people with a budget of $10 million dollars (Ok, if you do the math, the average salary is a bit low if they also have benefits or any equipment) to track down people attacking Microsoft's Hotmail service, online fraud, identity theft and spyware.
Some of us are even on this list. (I actually have no idea if I was counted in that 100, but my salary is indeed a bit low.)

-- 
J.D. Falk "be crazy dumbsaint of the mind" <jdfalk@cybernothing.org> -- Jack Kerouac
At 09:58 PM 30/05/2004, Sean Donelan wrote:
"Initially you start to work backwards from the e-mail and find that to be a very frustrating route," said Daniel Larkin, chief of the FBI's Internet Crime Complaint Center, the unit that is coordinating Project Slam Spam. "that doesn't lead to a live body. We have collectively realized you have to go the other way and follow the money trail."
No doubt it is easier to follow the money... Although not impossible, I find it frustrating that when I do find who is controlling the spam proxies, there is no one really to report it to. I feel sorry for the FTC as they no doubt get deluged with useless spam complaints, just like we do. (My favs are "one of your users is abusing us. Stop them!"... No IP, no date, nothing!)... So how do you separate the useless complaints from the ones that are actually actionable?

On a number of occasions, I watched in real time as a spammer nailed up a connection to one of our infected users and started spamming out via them. I reported the info complete with tcpdumps of the entire session to the large colo provider in the US with no response/results. Yes, it could just be yet another compromised computer, but somehow I doubt it was. The rwhois info did look rather suspicious (PO box, phone # bogus, email contact bounced) and no public services whatsoever on the /28 allocated to the group of servers. This was back in the deep dark days of 2000-2001 when times were tough for many such hosting companies and the temptation no doubt great to make a quick buck.

---Mike
Mike Tancsa wrote:
On a number of occasions, I watched in real time as a spammer nailed up a connection to one of our infected users and started spamming out via them. I reported the info complete with tcpdumps of the entire session to the large colo provider in the US with no response/results. Yes, it could just be yet another compromised computer, but somehow I doubt it was. The rwhois info did look rather suspicious (PO box, phone # bogus, email contact bounced) and no public services whatsoever on the /28 allocated to the group of servers. This was back in the deep dark days of 2000-2001 when times were tough for many such hosting companies and the temptation no doubt great to make a quick buck.
There are quite a few hosting providers who specialize in offering platforms for spammers and charge double or triple the going rate for hosting. As with other marginal products, if there is a market, there will be a seller at the right price. And as stated previously, until the "big guys" start cutting these operations off their backbones instead of taking their money, hardly any real progress will happen.

Pete
Sean,

I'm looking at a different problem, spam-over-http. Here's one event, 406 inserts of the URL paxil-medication.info from a single attack node in a weblog. The insert times and numbers of inserts/minute are below.

    07:17   1
    09:22   4
    09:23  45
    09:24  30
    09:25  32
    09:26  38
    09:27  22
    09:28  24
    09:29   8
    09:30  20
    09:31  14
    09:32  32
    09:33  31
    09:34  32
    09:35  22
    09:36  34
    09:37  17

The targeted site (my wife's political weblog) is provisioned at 128kb/s, on a dual-processor 1GHz PIII running FreeBSD 5.2.1, so the rate limiting factor is b/w, and the upper bound on the number of writes is the number of posts with "open" comments.

The attack node is 151.42.235.185 (IUnet, Italy dhcp-spam-swamp).

The Afilias whois data for paxil-medication.info is readily available; the salient points are:

a. the registrant Jerry Buckheimer claims domicile in American Samoa, and is the tech-c and admin-c,
b. the registrar is Wild West Domains [R213-LRMS],
c. the nameservers are ns{1,2}.dataextend.com, [67.15.0.{62,191}]

The registrant Tunahan Korkmaz claims domicile in Turkey. These servers are in the address block [CIDR: 67.15.0.0/18] allocated by ARIN to Everyones Internet of Houston TX, and the registrar is NameSecure.com (also tech-c).

As a class (I've got more, I'm sure everyone who hosts blogs has too), the attack node(s) are not interesting. Some blogware vendors offer the band-aid of ip address (/32) blocking, and "wait" times between comments to foil robo insertion engines, and so on. More interesting is the benefiting URL, and the NS and registration providers that provide the persistent infrastructure for this form of theft-of-advertising. The economics of the registration and ns/webhosting business are not so different from the access-isp market, leading to the abuse-desk-vacant syndrome, or worse -- I've got three complaints of this size or larger out to my competitors and they are taking the fill-in-the-web-form approach to this.

Other folks with data, or insight, drop me a line.
I'll summarize. Eric
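The per-minute insert counts above are exactly the kind of signal a weblog operator can compute from the comment log, and the two mitigations mentioned (per-source blocking and a minimum wait between comments) can be evaluated against the same data. The following is an added example, not code from this thread or from any blogware vendor; it assumes a constructed log format of "YYYY-MM-DD HH:MM:SS <client-ip> <url-in-comment>" and uses constructed sample addresses and URLs, not the ones reported above.

```python
"""Comment-spam burst detection over a weblog comment-insert log.

Added example. The log format, the sample addresses (TEST-NET range) and the
sample URL are all constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: one client inserts the same URL every two seconds
# for a minute (30 inserts), alongside a couple of ordinary commenters.
SAMPLE_LOG = "\n".join(
    [f"2004-05-30 09:23:{s:02d} 192.0.2.45 http://example.com/pills"
     for s in range(0, 60, 2)]
    + [
        "2004-05-30 09:23:10 192.0.2.7 http://example.net/",
        "2004-05-30 09:24:05 192.0.2.7 http://example.net/",
        "2004-05-30 09:30:00 192.0.2.9 -",
    ]
)


def parse_line(line):
    """Split one log line into (timestamp, client_ip, url)."""
    date, time, ip, url = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip, url


def parse_log(log_text):
    """Return all records sorted by timestamp (the log need not be ordered)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted(records, key=lambda r: r[0])


def inserts_per_minute(log_text):
    """Count inserts keyed by (client_ip, 'HH:MM'), mirroring the table above."""
    counts = Counter()
    for ts, ip, _url in parse_log(log_text):
        counts[(ip, ts.strftime("%H:%M"))] += 1
    return counts


def flag_bursts(counts, per_minute_threshold=10):
    """Clients that exceeded the threshold in any single minute.

    Human commenters rarely post more than a few times per minute; a robo
    insertion engine, bandwidth-limited as described above, still manages
    tens per minute. The threshold is a tunable assumption.
    """
    return sorted({ip for (ip, _minute), n in counts.items()
                   if n >= per_minute_threshold})


def urls_by_source(log_text):
    """Map each inserted URL to the set of clients pushing it: the benefiting
    URL, not the (disposable) attack node, is what an abuse report should lead
    with."""
    out = {}
    for _ts, ip, url in parse_log(log_text):
        if url != "-":
            out.setdefault(url, set()).add(ip)
    return out


def enforce_min_interval(log_text, min_gap_seconds=30):
    """Simulate the 'wait time between comments' mitigation.

    A client's insert is accepted only if at least min_gap_seconds have passed
    since its last *accepted* insert; everything else is rejected. Returns
    (accepted, rejected) counters keyed by client ip.
    """
    gap = timedelta(seconds=min_gap_seconds)
    last_accepted = {}
    accepted, rejected = Counter(), Counter()
    for ts, ip, _url in parse_log(log_text):
        prev = last_accepted.get(ip)
        if prev is not None and ts - prev < gap:
            rejected[ip] += 1
        else:
            accepted[ip] += 1
            last_accepted[ip] = ts
    return accepted, rejected


if __name__ == "__main__":
    counts = inserts_per_minute(SAMPLE_LOG)
    for (ip, minute), n in sorted(counts.items(), key=lambda kv: kv[0][1]):
        print(f"{minute} {ip:>12} {n:3d}")
    print("burst sources:", flag_bursts(counts))
    print("urls by source:", urls_by_source(SAMPLE_LOG))
    acc, rej = enforce_min_interval(SAMPLE_LOG, 30)
    for ip in sorted(set(acc) | set(rej)):
        print(f"{ip:>12} accepted={acc[ip]} rejected={rej[ip]}")
```

With a 30-second minimum interval, the burst client's 30 inserts collapse to 2 accepted, while a normal commenter posting 55 seconds apart is untouched; the per-minute count still flags the client, which is the signal to attach to a report against the URL and its hosting, rather than against a dynamic address that will have changed by morning.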