Federal authorities say two men accused of running a spam campaign in Columbia Missouri that targeted college students reaped in the profits to the tune of over $4 million.  Investigators say Amir Shah, Osmaan Shah, and Paul Zucker began their spamming activities in 2004. They created programs designed to harvest the email addresses of students at over 2,000 colleges, starting with those at the University of Missouri at Columbia.

The spam messages hawked products such as tooth whiteners and a social networking site called Noog.com and claimed to be from officially authorized campus representatives and alumni owned businesses. To avoid detection they used a bullet proof hosting company in China that ignored take down requests and bought proxies. They also faked the headers and reply-to addresses in their messages, a blatant violation of CAN-SPAM laws. When a college complained, the addresses of their students were simply taken off the list.

The men made their money by both selling the products they offered in their spam messages and by affiliate marketing, using their spam to inflate their referrals. They tried to hide their profits by buying properties and funneling it to overseas accounts.

The Shahs and Zucker were indicted on 35 counts of fraud in connection with email, 6 counts of fraud in connection with a computer, and 1 count of conspiracy. All three charges are felonies and they face over 60 years in prison if convicted. Zucker pleaded guilty last week. The Shahs had originally entered a not guilty plea but were expected to change that to a guilty plea last week, but cancelled their hearing after Zucker pled guilty.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Feds Say Missouri Spam Operation Netted Over $4 Million

Rand’s suggestion is the blocking of TCP port 25 (the port used for SMTP, or email, communications between servers on the internet), making contact with customers who they suspect may be the source of spam outbreaks, as well as stronger government legislation.

The legislation idea has merit, after all the lack of cooperation between government agencies is how many international spam operations manage to go unpunished.  The blocking of SMTP on the other hand is impractical and costly to implement, both from a technical and a service perspective.

The basis of the idea is this.  Customers send mail using SMTP, therefore by blocking SMTP and requiring that customers send mail via the ISP’s mail servers allows close monitoring of email traffic and detection of spam.

The solution is problematic though because many ISP customers, both home users as well as businesses, have perfectly good reasons to not send their email via their ISPs mail servers.  These customers would need to be unblocked from using SMTP, and hence cannot be closely monitored.

The monitoring itself also presents two problems – firstly customers object to having their email correspondence inspected by other parties including their ISP.  Secondly, any false positives could have disastrous consequences if important emails were blocked.  ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient.A serious issue is also that of costs.  A higher email load combined with more thorough monitoring means more costs to the ISP for servers and software to do those jobs.  The human resource costs also increase, both in the management of the systems as well as the teams who need to contact and support customers who are suspected of sending spam.

Although email is currently the largest source of spam on the internet there are other forms of spam that are quickly becoming very common that would not be addressed by this solution.  Social networks such as Facebook and Twitter have become rich hunting grounds for spammers and phishers who are able to target victims with highly personalized attacks thanks to the open nature of these networks.

In a world where ISPs block spam email from customers the focus of botnets would simply shift to exploiting social networks and identity theft for the same outcomes.  Because these networks run simply as interactive websites they become impossible to block at the protocol level, and blocking them on a site by site basis would immediately outrage customers.

The British ISP heads who commented are correct in their view that businesses and email administrators need to take the responsibility of blocking spam that is sent to them, rather than expect ISPs to do all the work for them.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ISPs Don’t Want to be Spam Cops

A look at the year’s major spam event shows some consistent trends.

• Season spam such as Valentine’s Day and Christmas remains predictable
• Spammers quickly move to exploit any major global news events such as celebrity deaths and wars
• Spam networks are becoming more distributed and resistant to shutdown attempts
• Social networking spam is on the rise as spammers attempt to exploit the perceived trust between people and their online “friends”
• Human error continues to be a big part of the spam landscape, both through inadvertent data exposure and through people falling victim to social engineering

Here is a look at some of these major events throughout the year.

January

Scams promising free money from US government grants attempts to exploit the news of corporate bailouts and the increase in unemployment.

Fake CCN news alerts take advantage of a clash between Israel and Hamas.

Global spam volume begin returning to normal levels after the McColo shutdown of November 2008.

The inauguration of US President Barack Obama leads to a wave of spam spreading rumours that his inauguration is invalid or that he resigned and attempts to trick users in downloading malware.

Spammers also get a head start on Valentine’s Day with malware-carrying love letters.

February

Human error at Google marked the entire internet unsafe (is it really that far from the truth?).

The poor economy continues to cause unemployment to increase, leading to a new wave of fake job spam.

Microsoft offeres a $250,000 reward for information leading to the arrest and conviction of the Conficker worm creators.

March

Citibank falls for a Nigerian 419 scam to the tune of $27 million, but is saved when the transfers fail due to invalid account numbers provided by the scammers.

The BBC gets itself into hot water when it buys a botnet to research a story and then uses it to send messages to potential victims.

April

Security vendor PGP exposes hundreds of customer email addresses by not using the BCC field for a broadcast email.

Global spam volume makes a complete return to the level it was at prior to the McColo shutdown.

Researchers discover the first ever SMS virus in the wild, capable of spreading between mobile phones via text messages.

Twitter suffers its first major malware outbreak due to a cross-site scripting attack by a bored teenager.

May

The Swine Flu outbreak gives spammers a new hot topic to exploit in their latest scams, with fake drugs and “survival guides” offers flooding mailboxes.

The Cutwail botnet, previously seen during the Valentine’s Day spam season, makes a fresh start pushing fake weight loss products, and Acai Berry scams appear all over the internet.

June

Air France flight 446 crashed in the Atlantic ocean, giving spammer a new tragedy to exploit.

A UK furniture company makes a major PR blunder by using Twitter hashtags for the Iranian conflict to promote their products.

Michael Jackson dies, nearly causing an internet meltdown as search engines, social networks and news websites struggled to copy with the unprecedented burst in traffic.  Spammers quickly jumped on the public thirst for details about Jackson’s death with new spam messages.

July

The ZBot Trojan appears in a new attack that uses a fake Microsoft update notice to trick users.

A botnet launches a major DDoS attack against US government websites to coincide with the July 4^th holiday.

Spammers begin using free URL shortening services to bypass spam filters.

August

Another Twitter phishing/spam combo attack appears causing disruption for users.

Twitter, Facebook and other sites were all knocked offline for several hours due to a targeted DDoS attack against a pro-Georgian blogger.  The event was so prominent in the news that spammers began exploiting it with email and search engine keyword spam to cause further denial of service and compromise more computers.

Another spammer ISP is shutdown but this time the effect is nowhere near as successful as when McColo was taken offline, suggesting spammers are building more resilience into their networks.

September

A South Australian woman shares her experience of being the victim of identity theft when her Facebook account is hacked and used to scam money from her friends.

Popular blogging software WordPress becomes the target of a new worm that attempts to insert spam links in thousands of blogs.

A new Koobface worm variant appears targeting Facebook users.

October

A court order leads to an innocent Gmail user losing their email account when Google is forced to close it down.  The court order was granted after a bank employee accidentally emails customer information to the Gmail account.

A list of over 50,000 email addresses and passwords for major online web and email services appears on the internet.

A thriving marketplace of open source malware is uncovered by security researchers.

Geocities shuts down, taking with it thousands of spammer’s websites.

Facebook wins a massive $711 million judgement again one of the world’s biggest spammers.

November

The first Christmas season spam starts to appear to exploit the rising trend in online shopping.

Researchers successfully kill the Mega-D botnet.

Twitter job spam starts appearing promoting “get rich quick” schemes to exploit high unemployment rates.

An Australian amateur programmer writes an iPhone virus that causes relatively harmless infection on jailbroken iPhones.  His code is quickly repurposed by people with more malicious intent, and a security vendor is criticized by the wider community for rewarding him by offering him a job.

December

A New Zealand man is fined $15 million by the US FTC for operating a worldwide spam gang.  The same man faces charges in Australia soon after.

The Koobface worm adds a Christmas theme to its Facebook phishing attempts.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

2009, The Year in Spam

While the Supreme Court does not provide reasons when it declines to hear a case, experts said the state’s decision was constitutionally sound, and Internet law experts said it is not likely the absence of the law will cause spam rates to rise in Virginia due to the CAN-SPAM Act and pointed out that most spammers operate from outside the country, making it nearly impossible to locate and prosecute them anyway.

Virginia’s District Attorney says he still plans to draft a brand new anti-spam law and promises it will address any constitutional concerns.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Rejection of Virginia’s Anti-Spam Law Stands After Supreme Court Declines Appeal

I have no idea why Canada has chosen to ignore the problem of unsolicited commercial emails for so long, but it’s something which may change in the not too distant future. Senator Yoine Goldstein has introduced an anti-spam bill, known as S-220, An Act respecting commercial electronic messages (the Anti-Spam Act), which is now on its second reading and, if passed, will provide Canadian authorities with some much-needed powers to deal with spam.

The bill, the full text of which can be read here, would make it illegal to send commercial emails without the prior consent of the recipient. Furthermore, all commercial emails would have to provide an unsubscribe facility (which must be acted upon within 30 days),  contain accurate header and routing information and accurate contact details for the sender. The bill also contains anti-phishing provisions and would make the supply or use of address-harvesting applications (or harvested email addresses) an offence.

While Canadian anti-spam legislation is certainly long overdue, it’s good to see that the current bill is proposing some pretty stiff penalties. First time offenders would face fines of up to $500,000 and/or 2 years prison time while repeat offenders would face fines of up to $1.5 million and could spend up to 5 years in the chokey. Additionally, ISPs would be able to refuse to provide service to anybody convicted of an offence under the Act.

Realistically, this new piece of legislation will probably do little if anything to stem the flow of spam but that does not mean that such legislation is pointless or worthless. On the contrary, the more countries that implement anti-spam laws, the more difficult it shall be for spammers and scammers to operate.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Canada Plays Catch-Up (Maybe!)

          The Facebook case is just the latest illustration that government inaction has had an impact. Companies anxious to target Canadian-based spammers have been forced to turn to other countries to do the job, while international law enforcement investigations into criminal spam run the risk of stalling in Canada since authorities may lack the requisite investigatory powers.

Canada is the only G7 country with no anti-spam laws, and more and more spammers are taking advantage of that. They rank 5th worldwide as a source of email based spam, behind only Iran, Nigeria, Kenya, and Israel. It’s clear Canada must wake up and inact anti-spam legislation soon!

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Is Canada a Spam Haven?