I have an intellectual property attorney, the wonderful Leonard Duboff of the Duboff Law Group, who I recommend without hesitation to anyone in need of an IP attorney; he’s awesome.
When I first received a demand email from Copytrack, I knew instantly it was a scam; they were complaining about an image that I licensed from Depositphotos, with whom I have a subscription. I informed them I was represented by counsel, gave them my lawyer’s contact information, told them I would not be acknowledging any additional complaints that did not come through my attorney from a lawyer who was a member of the Oregon Bar Association and licensed to practice law in the state of Oregon, and assumed that would be the end of the matter.
David Attenborough voice: “That was not, in fact, the end of the matter.”
Copytrack continued to bombard me with fake copyright claims, in violation of Oregon RPC 4.2, which forbids opposing counsel from contacting anyone represented by an attorney.
Copytrack is clearly, egregiously, grossly, and repeatedly in violation of Oregon RPC 4.2, so I have shifted track.
I sent them a notification that as they were in violation of RPC 4.2, for each individual email they sent me, I would invoice them the sum of $1,800 US.
They emailed me again. I sent them an invoice for $1,800.
This morning, I woke to an email from a Copytrack lawyer telling me he didn’t think they should have to pay me in order to contact me.
I reminded him once again that I am represented by counsel, that by contacting me directly he was in violation of Oregon RPC 4.2, and…
…sent him another invoice for an additional $1,800.
For the record, I’m not joking. It is absolutely my intent to collect on these invoices, using all available avenues to the full extent of the law. If these fuckers think they can scam people out of money with fraudulent copyright requests, I intend to give them a nose full of bees.
A while back, I wrote about a kink website called “Know Your Sins” using a fake DMCA scam to get backlinks and boost their search results. The site’s owners would send out phony copyright claims, saying they owned images they neither owned nor had anything to do with, and demanding backlinks to their site or they’d sue for copyright infringement. The site’s owners, Samuel Davis (@Samueld_KYS on Twitter) and Olivia Moore (whose Twitter profile has been deleted), engage in copyright fraud to try to boost their Google search results.
It seems fraudulent copyright scams are something of a growth industry.
About a week ago, I received this email from an outfit calling itself CopyTrack, headquartered in Germany (click to embiggen):
CopyTrack claimed I was using images belonging to their “client,” a Norwegian company owned by a Chinese conglomerate called Yay Images that appears only to license images from other stock companies, and demanded €2,168.76 (about $2,500) in “compensation.”
The images in question on my site are licensed from stock agencies (Shutterstock and Deposit Photos, the latter of which I’ve been using for many years).
A quick Google search shows that Copytrack is a scam, and the owner has been running this scam under a variety of names for years.
I am, of course, far from the only person to be hit with this extortion scheme. You’ll find similar tales from the Brutally Honest Blog, Yvan’s Substack, Ben Tasker, molif, and tons of others; a Google search for copytrack scam produces hundreds of similar hits.
I think Copytrack provides a service that could, potentially, be legitimate. However, they don’t put any effort at all into verifying copyright ownership; they’re a more-or-less entirely automated platform anyone can just upload some pictures to and then send threatening letters to other people, hoping for a payout. They may not, themselves, be copyright trolls, but they facilitate copyright trolls with no mechanism to stop them.
I am fortunate in that I am represented by an outstanding intellectual property attorney, Leonard Duboff in Portland. I simply informed Copytrack that I am represented by counsel and would no longer respond directly to them, and needless to say my attorney hasn’t heard a peep from them.
When I wrote about the Know Your Sins scam, a ton of people emailed me to say they’d received similar fraudulent copyright-scam emails. I got so many that I wasn’t able to respond to all of them (but thank you, everyone who messaged me!).
That suggests the scale of copyright fraud is enormous.
If you’ve received a fraudulent email from Copytrack, I’d love to hear about it! Post a comment here, or email me.
I am currently unable to post any comments anywhere on Quora. It seems moderation has suspended my commenting privileges. Buckle up, the reason is a wild ride.
In the past few months, I’ve noticed more and more often that Quora is being used as a platform for malware distributors to ply their wares. I’m increasingly often seeing spam on Quora that doesn’t go to shady pharmacy sites or dodgy penis-pill mongers, but to sites that redirect, often through multiple intermediaries, to malware.
A while back, I found a Quora “SEO spammer” whose spam posts go to a site that, thanks to a malicious JavaScript, redirects to malware. It’s not a consistent redirection; sometimes it shows a banner ad from a shady ad platform, sometimes it tries to drop malware disguised as phony antivirus software.
The ads are posted by Quora user Anafmadi20, who uses a URL shortener to disguise the destination of the ads he posts. The URL shortener redirects to a Google Sites site (which is now down; I filed a report with Google, which terminated the Google Site) that then redirected to a traffic handler that redirected to a site with the malicious JavaScript. This is one of his posts:
The link on this site leads to a terminated Google Sites page, but before his Google Sites account was terminated, it led through several intermediaries here:
Now, I’ve reported all of Anafmadi20’s content for spam, and Quora deleted some of it but allowed him to continue posting more. So, after posting the malware distributor for spam, I also posted a comment warning others not to click on the link because it goes to malware.
Apparently Quora moderation decided that comment was spam, so I’m now unable to post comments at all (even on my own answers).
This isn’t an isolated instance, by the way. There are multiple Quora users who are posting malware links; in fact, on the BlackHatWorld forum[1], an online forum catering to spammers, con artists, scammers, and malware distributors, there is an entire tutorial on how to use Quora to do this. (Yes, I’m serious.)
Quora is one of the favored black hat spam and malware distributors, thanks to a combination of weak technical defenses against spam, permissiveness toward repeat abusers, poor mechanisms to spot serial abusers, and weak moderation.
How embarrassing.
Anyway, there are organized rings for malware distribution operating on Quora.
For example, the History Hist spam gang. These are a group of people who post spam answers copy-pasted from other sites and run through ChatGPT to change the wording slightly, on various topics pertaining to history, often WWII. The things this spam group posts are often wildly inaccurate (that creates engagement in the comments, which feeds Quora’s distribution algorithm), and end in a link that says (Read Full).
The (Read Full) link goes to a Quora space called “History Hist” that then links to a blog filled with answers copy-pasted from Quora. The blog site has rigged JavaScripts that display ads and sometimes redirect to malware downloaders.
I have, of course, reported the accounts and posts used by this spam and malware ring, and Quora has, of course, failed to act; the links continue to remain active. (See reference to “weak moderation” above.)
Not all of the History Hist posts have links. This is straight out of the BlackHatWorld tutorial: effective Quora spamming is done by posting content, often with deliberate errors on a subject people feel passionately about, to generate engagement.
Then, after people have started commenting, and the Quora algorithm has started putting the content into wider distribution, edit the content to add the rigged link.
So. Apparently Quora is, if not okay with this, at least tacitly tolerates it.
Why am I writing this?
Two reasons:
I won’t be posting comments any more, apparently. I’m not ignoring you lovely people.
Be very very very careful about any link you click on Quora. Quora has long been filled with spam, but it’s now getting increasingly dangerous as well. I strongly advise not clicking on Quora links unless you’re quite careful and you know what you’re doing.
1. Yes, I read BlackHatWorld, for much the same reason I read incel dot es and other incel forums—it’s nice to keep up with what the shitty people are doing. I’m not linking to the tutorial.
In November of last year, I noticed something interesting.
For the past three years, the #1 source of spam reaching my email inbox has been Salesforce, which bought out a bulk email provider called ExactTarget quite some time ago, and took off all the constraints. ExactTarget customers were, post-acquisition, permitted to spam, and the abuse team stopped enforcing anti-spam policies. Result: spammers flocked to SalesForce (hey, SalesForce needed to make back the $2,500,000,000 they spent on ExactTarget somehow!) and my inbox was flooded with crap.
Starting last November, however, the flood of crap from Salesforce dropped to second place. The new #1? An outfit called Mailchannels.
As near as I can tell, Mailchannels is now the email delivery service of choice for the lowest of the low: scammers, people sending fake phish emails to steal passwords, romance and Nigerian prince fraud, you name it.
Over the past few weeks, 46 of the 48 phish emails I have received (95.8%) came through Mailchannels. 100% of the Nigerian prince scam emails I’ve received? Mailchannels. 100% of the romance scam I’ve received? Mailchannels. 92% of the spam overall? Mailchannels.
I took a screenshot of the Mailchannels emails I’ve received a while back, and the results are rather grim:
Wow, that’s a lot of scam, fraud, and phish emails! With percentages like that, Mailchannels must be so proud.
There’s a particularly delicious irony here. See the highlighted entry at the bottom, the one in blue? I have been reporting all the spam emails to Mailchannels. That is a bounce email, when I reported a computer virus I received through Mailchannels. It bounced.
In other words:
Mailchannels knew the email was malware. They sent it to me anyway, but refused to accept it themselves.
Which really tells you everything you need to know about this organization.
What is Mailchannels?
Mailchannels is an “email delivery company.” In English: You pay them money, you send an email to hundreds or thousands or tens of thousands of email addresses, and they do everything in their power to make sure your emails don’t get flagged as spam.
A list of their services includes:
Sending emails from “clean” IP addresses not in any spam blocklists.
Switching the servers an email comes from should emails start getting flagged as spam
Using scalable cloud servers to send vast quantities of emails
In other words, if you’re sending Nigerian scam or romance scam or password phish emails, which have a very low rate of return, a service like Mailchannels is exactly what you want.
How do they respond to spam reports?
Ah HA ha ha ha ha ha ha ha ha ha.
I’ve sent hundreds (literally) of spam reports to Mailchannels. Every single one received the same reply:
From: Swathi Karun <skarun@mailchannels.com>
Re: Spam

Hi,

Thank you for contacting MailChannels support. I have taken necessary action against the reported abuse activity. Thank you for your time and attention to this matter.
And the spam still rolls in. Every day, often from the same spammer with the same content. They don’t even block phishers who send identical phish emails through their servers over and over again.
It cannot possibly be more clear: Mailchannels is a bulletproof spam service provider, that through deliberate action or negligence permits their service to be used by the lowest criminals on the Internet.
What can you do?
Mailchannels doesn’t care. They know they’re in the spam business; they make money from delivering phish and scam emails. They don’t accept spam reports from spam-fighting services like Spamcop.
And repeated emails to Mailchannels abuse don’t do anything. There’s one email phisher in particular who sends out fake emails to Dreamhost customers, trying to steal their webhosting passwords; I’ve received more than two dozen of these phish emails from this same phisher through Mailchannels, reported every one, and they keep rolling in.
Fortunately, emails from Mailchannels are easy to spot. If you view the headers, you’ll always find a line like this near the top:
I strongly recommend setting up an email filter using your email program. If the headers contain the word “Mailchannels,” auto-delete the email. Your inbox will thank you.
Back in March 2016, eight years and one day ago, I published an analysis of a spam ring advertising phony pay-for-play scam “dating sites.” This particular group was responsible for about 90% of the “Hot Lady Wants to F*ck You” spam in circulation. The spam contained links to hacked sites that the spammers placed malicious redirectors on, that would redirect to other sites that redirected to other sites that redirected to a site that would promise sex and ask you a bunch of questions about what you were looking for, then take you to the actual scam site.
I called these guys “the Lads from Cyprus” because invariably the scam dating sites were registered to a shell company organized in Cyprus.
Times have changed, and the Lads from Cyprus have changed with them. While they still do send spam emails, I rarely see them any more—perhaps six or eight times a year, where I used to see them multiple times per day.
Instead, they’ve moved on…to Quora.
The Quora Connection
I spend most of my time on Quora these days. A few years back, I started noticing a certain type of profile, appearing in large numbers and with consistent behavior: a profile pic of a hot woman in a kind of blandly generic Instagram pose, answering questions at an enormous rate (sometimes once a minute or more), with the answers all being a sentence or so that might or might not be related to the question, but that always included a photo of a scantily-dressed woman.
The profiles look like this:
The links (“Latest Nude Videos and Pics,” “Hookup [sic] with me now”) all lead to domains that are registered on Namesilo, usually with ultra-cheap TLDs like “.life,” that—rather amazingly—are still using the exact same templates I saw in 2016.
Go with what works, eh?
Anyway, these sites ask you a bunch of questions, tell you you’re about to see nude photos, then redirect you to a scam dating site—in this case, one called onlylocalmeets.com—where you will immediately see a direct message request the moment you connect, though of course you’ll need to pay if you want to receive it.
It’s actually kind of amazing to me that they’re still running the same scams essentially unchanged, using the same templates they used eight years ago. They’ve clearly got this down to an art—the redirection sites even do some spiffy geolocation and collect as much information from your browser fingerprint as they can before sending you off to the scam site.
There are at least hundreds, possibly thousands, of these fake profiles on Quora, all of which use stolen photos of Instagram models, and all of which link back, through various intermediaries, to the same scam dating site.
I started recording the scam profiles in a Notes file. I deliberately didn’t go out searching for them; instead, I just browsed Quora as I normally do, and made a note whenever I encountered one of these scam profiles (and if I was in the mood, did a reverse image search to see whose photos were stolen for that profile).
There are…a lot of them.
Based on what I’ve seen, I’d say probably 800 on the low end and 1,500 on the high end.
One of them even used stolen Instagram photos of pro golfer and model Paige Spiranac. When I reverse image searched the photos, I looked up the email address of her agent (who was easy to find) and sent an email saying “hey, just so you know, your client’s photos are being used in a catfishing scam, here’s the link.” The profile was banned a few days later, so maybe she or her agent filed a DMCA takedown request.
I find it interesting that this organized spam gang is still at it, still running the same scam they’ve been running for at least ten years, but always looking for new ways to find fresh crops of victims.
I also find it interesting that it works. These scam profiles quickly end up with thousands, sometimes tens of thousands, of followers.
And finally, if you’ve ever wondered what it’s like to be a woman online, just look at the comments to the spam posts, which range from the drearily predictable:
To the completely unhinged:
(And what is it with these people not knowing the difference between “your” and “you’re”? You can be a completely deranged psycho who abuses women online or you can spell, but not, it seems, both.)
To the…well, I don’t know what the fuck this is. I’ve deliberately cropped off this fellow’s username.
Jesus, I do not understand why any woman would ever voluntarily go online.
On the one hand, it’s kinda hard to feel sorry for some of these blokes, who will no doubt be fleeced of all their money. That particular combination of toxic entitlement toward access to women’s bodies and aggressive stupidity makes it really hard to sympathize with the folks being ripped off here.
On the other, any scam is wrong, regardless of the victims it targets.
[Edit 11-Jan-2023] I’ve received a reply from Fly.io; see end of this entry
Ah, a new year has come. Out with the old, in with the new…strategies for phish and malware sites, that is.
And what would phish and malware sites be without complicit webhosts and web service providers?
So today I’m going to dive into an enormous quantity of SMS text message spam I’ve been flooded with over the past couple of months, who’s behind it, and what it’s doing.
It started in mid-November of last year (2023), with a text message saying “The USPS package arrived at the warehouse but could not be delivered” and a link to a site that was just a random collection of letters and numbers. No biggie, I get these all the time. Standard run of the mill phish attempt. If you visit the link, you’re taken to a site that looks like the Post Office, but it’s a fake, of course. They ask you to type a bunch of personal information, which the people responsible will use to steal your identity, get loans in your name, whatever.
Then I got another. And another. And another. And another. And then dozens more, coming in one, two, three, four, sometimes five or more a day.
And they haven’t stopped.
Text message after text message after text message. “You’ve been infected with viruses.” “Your cloud service has been terminated.” “We couldn’t deliver your package.”
All of them with URLs that looked like random strings of letters and numbers.
So my spidey sense was activated, and I looked up all those URLs.
Surprise, surprise, every single one is hosted on the same web service provider, an outfit called fly.io.
And there are a lot of them.
*** CAUTION *** CAUTION *** CAUTION *** THESE LINKS ARE LIVE AS OF THE TIME OF WRITING THIS. Many of these links will bring you to malware or phish sites. DO NOT visit these links if you don’t know what you’re doing.
I started collecting the URLs from the text messages:
I notified fly.io’s abuse team about the problem. And notified them. And notified them. And notified them. Each time, I received an identical reply, from a guy calling himself “Matt Braun,” saying only “I have let our customer know. Thanks!”
Matt Braun doesn’t appear to have grasped that their customer is the phisher. And lately, I haven’t even received these replies; they haven’t acknowledged recent abuse reports in days. Meanwhile (of course) all the links remain active because (of course)…their customer is the phisher.
Okay, so how does the scheme work?
I’ve spent some time mapping out the network. The quick overview:
A text message is mass broadcast, advertising a URL on fly.io.
Marks who click on the link in the message are redirected to a site called “track.palersaid.com,” hosted on Amazon AWS. Track.palersaid.com looks at the incoming fly.io URL, the type of computer or smartphone you’re using, and probably other stuff, then sends you on to another site.
This site, track.hangzdark.com, is another tracking and redirection site also hosted on Amazon AWS.
From there, marks are redirected to the actual target site, which might be a fake FedEx page, a fake UPS page, a fake “virus scan” page, or more. There are a lot of these destinations: read.messagealert.com, kolakonages.com, aca.trustedplanfinder.com, and more. Some of these destination sites are, no surprise here, hosted on Namecheap, which is in my opinion one of the scuzziest of malware and spam sewer hosts.
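The lure URLs in these messages all share a shape: a short, random-looking .com domain followed by a single short random path segment, wrapped in delivery or security bait. As an added example that is not from the original post, here is a Python triage heuristic that scores an SMS on that URL shape plus bait wording. The sample messages, domains and paths below are constructed for the example and are not the live ones.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages modelled on the shapes described in the post. The
# domains and paths are invented for this example and are not the live ones.
SAMPLE_SMS = [
    "The USPS package arrived at the warehouse but could not be delivered. http://qwzrtpl.com/Ab3kZ9Qe",
    "You've been infected with viruses! Scan now: http://mnbvcxz.com/0Xy8LmQ2",
    "Your cloud service has been terminated. Restore: http://plokijn.com/KJe1R0Vp",
    "Hi, it's Dana. Running 10 min late, see you at the cafe.",
    "Your order has shipped. Track it at https://www.usps.com/track/123",
]

URL_RE = re.compile(r"https?://([^/\s]+)(/\S*)?", re.IGNORECASE)
# Shape seen in the lures: one short lower-case label directly under .com...
BARE_SHORT_COM_RE = re.compile(r"^[a-z]{6,9}\.com$")
# ...followed by a single segment of 7-9 letters and digits and nothing else.
RANDOM_PATH_RE = re.compile(r"^/[A-Za-z0-9]{7,9}/?$")
BAIT_WORDS = ("package", "delivered", "virus", "terminated", "suspended", "refund")
VOWELS = set("aeiou")


@dataclass
class Verdict:
    url: str
    score: int
    reasons: list = field(default_factory=list)


def looks_random(label):
    """Crude pronounceability check: real words rarely stack four consonants in a row."""
    run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        if run >= 4:
            return True
    return False


def score_sms(text):
    """Score the first URL in a message (0 = nothing odd); None if there is no URL."""
    m = URL_RE.search(text)
    if m is None:
        return None
    host, path = m.group(1).lower(), m.group(2) or "/"
    verdict = Verdict(m.group(0), 0)
    if BARE_SHORT_COM_RE.match(host):
        verdict.score += 2
        verdict.reasons.append("bare short .com label")
        if looks_random(host.split(".")[0]):
            verdict.score += 1
            verdict.reasons.append("unpronounceable label")
    if RANDOM_PATH_RE.match(path):
        verdict.score += 2
        verdict.reasons.append("single random path segment")
    hits = [w for w in BAIT_WORDS if w in text.lower()]
    if hits:
        verdict.score += 1
        verdict.reasons.append("bait words: " + ", ".join(hits))
    return verdict


def is_suspicious(text, threshold=4):
    """True when the URL shape and wording together reach the threshold."""
    v = score_sms(text)
    return v is not None and v.score >= threshold


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(is_suspicious(sms), score_sms(sms))
```

Legitimate URL shorteners also produce short random paths, so treat the score as a triage signal for sorting messages, not as proof of fraud on its own.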
If you get these text messages, do not follow the links. If you are also seeing these messages, please let me know in a comment! I would love to know how big this network is. Fly.io seems reluctant to shut down these phishers, which leads me to wonder if they aren’t making quite a bit of money from them.
[Edit 11-Jan-2023] I’ve received a reply from Fly.io’s Abuse team:
Thank you for your patience with us over the holiday, and some follow up details.
Usually, when we have reports of a spammer or abuser on our platform, our internal systems have a host of signals that we can look to in order to verify the report and take the appropriate action. In the vast majority of cases the signals are clear and unequivocal. However, in this instance, the signals were entirely the opposite: all signs pointed to a seemingly-legitimate user.
Our systems are set up for “either you are a customer or you are not”, and banning a customer would mean immediate and irrevocable loss of that customer’s data. That is not a risk we take lightly so we were not going to flip the switch and risk blowing away someone’s information without a smoking gun. I expect you and I have both seen dozens of those posts on Hacker News or elsewhere where an innocent user writes “Company has deleted my entire account without warning and I’ve lost years of data”. We don’t want to do that to someone.
So where does that leave us? The apparent reason for the behavior/signal disconnect is that it was our customer’s customer doing the abuse. Our customer has committed to evicting their customer today which should put an end to the redirection through our systems (though, unfortunately, I don’t expect that’ll have any impact on the SMS spam). If it doesn’t resolve things, let us know. We’re back online after the holiday and more in a position to chase things down.
Additionally, there were two other concerns we need to address internally: 1) We don’t have the ability to suspend users. This is something that I’m going to pursue as we need something more nuanced than our all-or-nothing approach so that we’re able to move on complaints sooner without risk of harming someone innocently caught in the middle of things. 2) We did not follow up with the customer as often as we should have after their initial acknowledgement of the problem and indication that they would address it. That’s a coordination process breakdown exacerbated by people taking time off during the holidays and not having the usual “obviously-abuse” signals. Additionally, we need to come up with an approach to our abuse ticketing system that allows for long-lived cases.
You can email me, personally, if you feel you aren’t getting attention on this (email redacted) and I’m sincerely sorry for the delay in letting you know where things stood or getting things sorted with the customer.
It seems Fly.io is one of the good guys.
The spam stopped for a few days, though it has resumed again. This time, the SMS spam domains are hosted on Alibaba rather than Fly.io.
About six months ago, I noticed a significant uptick in spam email. But not just any spam, oh no. I found myself flooded with stock pump-n-dump spam, in incredible quantities.
What is pump-n-dump?
A pump-n-dump scam is where a scammer buys a large quantity of a cheap stock, then floods the world with hype to drive up the price of the stock. When it starts to rise, the scammer sells all his shares, the stock collapses, and the scam victims lose their investments.
Occasionally, the companies parasitized in this way can go out of business (small companies will sometimes use their own stock as collateral for loans, with the agreement that if the price of the stock drops below a certain point, the loans come due immediately).
And as I collected examples of this spam, I noticed something interesting: all the pump and dump scam spam originated from Salesforce, the $300 billion American tech giant.
So what does Salesforce have to do with penny stock scams, and why on earth would Salesforce be supporting pump-n-dump stock scammers? Hang on, let’s go down the rabbit hole.
When I say I’ve been getting stock scam spam in incredible quantities, I mean it. I’ve received 1,794 examples of stock pump-n-dump scam emails between March 17, when I first started collecting them, and October 30. That’s 1,794 scam emails in 227 days, or an average of about eight a day.
There are a lot of them. They come from multiple From addresses and claim to be from various “investment” companies, but they all have some characteristics in common:
They all originate from IP addresses owned by Salesforce subsidiary Exact Target
They all advertise URLs hosted by Salesforce subsidiary Exact Target
While they come from different email addresses, they use similar graphics, language, and promote the same sets of stocks
How many different companies do they claim to come from? Lots. Every time I see an example of one of these spam emails, I build a rule in my mail reader app to route future examples to the Salesforce scam spam folder. Between March and October, here’s a list of the From addresses used in these scam emails:
Each From address will be used to send anywhere from three to twenty or so scam emails before it’s abandoned and the scammers move on to the next.
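Two passages above describe mail-client rules: auto-deleting anything whose headers mention Mailchannels, and routing the ExactTarget pump-n-dump emails to their own folder. As an added example that is not from the original post, here is a Python classifier that applies both kinds of rule, keying on the relay named in the Received headers (which stays constant while From addresses rotate), on previously recorded sender domains, and on the hostnames of links in the body. Every host name, address, id and keyword spelling in it is constructed for the example.

```python
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass
class Rule:
    name: str
    folder: str                  # "Trash" means auto-delete
    relay_keywords: tuple = ()   # substrings searched in Received and X-* headers
    sender_domains: tuple = ()   # exact From-address domains recorded earlier
    link_keywords: tuple = ()    # substrings searched in hostnames of body links


# Rules modelled on the post: delete anything relayed through Mailchannels, and
# file anything relayed through, linking to, or previously recorded as coming
# from the ExactTarget pump-n-dump senders. Keyword spellings are assumptions.
RULES = [
    Rule("mailchannels", "Trash", relay_keywords=("mailchannels",)),
    Rule("salesforce-exacttarget", "Salesforce scam spam",
         relay_keywords=("exacttarget",),
         sender_domains=("stock-insights.example",),
         link_keywords=("exacttarget",)),
]

URL_HOST_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)


def text_body(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify(raw, rules=RULES):
    """Return (rule name, folder, what matched) for the first matching rule, else None."""
    msg = message_from_string(raw)
    # The relay leaves its name in Received (and often X-*) headers even when
    # From and Subject change from message to message, so search all of them.
    relay_blob = " ".join(msg.get_all("Received", [])).lower()
    relay_blob += " " + " ".join(v for k, v in msg.items() if k.lower().startswith("x-")).lower()
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    link_hosts = [h.lower() for h in URL_HOST_RE.findall(text_body(msg))]
    for rule in rules:
        if any(k in relay_blob for k in rule.relay_keywords):
            return rule.name, rule.folder, "relay"
        if sender_domain in rule.sender_domains:
            return rule.name, rule.folder, "sender"
        if any(k in host for host in link_hosts for k in rule.link_keywords):
            return rule.name, rule.folder, "link"
    return None


# Constructed sample messages; every host name, address and id below is invented.
MAILCHANNELS_PHISH = """\
Received: from out-7.mailchannels-relay.example (out-7.mailchannels-relay.example [203.0.113.10])
\tby mx.example.org with ESMTPS id 4Xk2; Tue, 2 Jan 2024 09:15:00 -0800
From: "Hosting Support" <support@hosting-alerts.example>
Subject: Action required: your webhosting password expires today

Sign in here to keep your sites online: http://hosting-alerts.example/login
"""

EXACTTARGET_PUMP = """\
Received: from mta-3.exacttarget-out.example (mta-3.exacttarget-out.example [198.51.100.20])
\tby mx.example.org with ESMTP id 7Qp9; Wed, 3 Jan 2024 06:02:11 -0800
From: "Market Movers" <news@market-movers.example>
Subject: This penny stock is about to explode

Full report: http://click.exacttarget-links.example/r/abc123
"""

LINK_ONLY = """\
Received: from smtp.some-other-relay.example ([192.0.2.5]) by mx.example.org; Thu, 4 Jan 2024 11:40:00 -0800
From: "Growth Picks" <info@growth-picks.example>
Subject: Last chance before the breakout

Read more: http://track.exacttarget-links.example/x/42
"""

REPEAT_SENDER = """\
Received: from smtp.some-other-relay.example ([192.0.2.5]) by mx.example.org; Thu, 4 Jan 2024 12:01:00 -0800
From: "Stock Insights" <alerts@stock-insights.example>
Subject: Buy alert

No links this time, just hype.
"""

LEGIT = """\
Received: from mail.friend.example ([192.0.2.77]) by mx.example.org; Fri, 5 Jan 2024 10:00:00 -0800
From: Pat <pat@friend.example>
Subject: Lunch?

Are we still on for Friday? https://www.example.com/menu
"""
```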
In practice, Spamcop has disabled reporting to Salesforce, because Salesforce (a) doesn’t pay any attention to abuse reports and (b) doesn’t follow spam best practices, specifically by not requiring double-opt-in and not honoring remove requests.
This isn’t a new problem, either. Spamcop stopped sending abuse reports to Salesforce/ExactTarget at least as far back as 2011, and maybe earlier.
Unsurprisingly, manual emails to Salesforce and ExactTarget abuse addresses do nothing.
So what’s all this about? What does Salesforce gain by assisting stock pump and dump scammers?
$$money$$
Pump and dump scams require broad reach. They are also extremely profitable when they work. So it’s worth spending money to make sure you can reach as many marks as possible; profit varies directly with the number of gullible dupes you can con into buying the hyped stock.
And Salesforce/ExactTarget isn’t cheap:
Note those prices are (a) billed annually up front and (b) are per organization. So even the cheapest plan is $4,800 out of pocket at the start, and the spammers are using multiple phony organizations in their spam.
This is, I’ll warrant, a nontrivial source of Salesforce revenue.
So Salesforce has a positive financial incentive to aid and abet these scammers, and thousands of folding, spendable reasons to disregard abuse reports.
As regular readers of this blog know, I am an amateur infosec researcher, and I track spam and malware as a hobby. And, as many of you know, there are certain names–ISPs, people, affiliate networks, content delivery networks–that tend to come up again and again whenever you do a deep dive into the seedy, twisted world of spam and malware.
A while back, I wrote a blog post about a prolific spammer named Mike Boehm, who makes money sending spam emails that advertise affiliate links on affiliate Web sites. Every time someone clicks a link in one of his spam emails, they’re redirected through a network of computers, all designed to put distance between the spam email and the final site, until eventually arriving at an affiliate Web site, which pays Mr. Boehm for the referral.
Lately, I’ve found myself buried under a blizzard–nay, dare I say, a tsunami–of spam emails that all have very similar characteristics. They advertise a site, usually with a cheap top level domain that nobody wants such as .stream or .science or .faith. Visiting the site shows a plain white page with an animated “Loading” graphic. Then, after a few seconds, you end up on a completely different site, the one actually advertised in the spam.
These spam emails have some but not all of the characteristics of Mike Boehm spam. It’s been hard to track them, because they use complex JavaScript to attempt to hide how the redirection works, what affiliate network they’re using, and where they redirect to. I’ve been collecting examples, and as the number of these spam emails arriving in my inbox has risen, so too has my blood pressure.
Today, it finally reached the point where I sat down and did the work to take apart the tricky JavaScript redirectors and figure out what’s happening.
Lo and behold, the JavaScript is used to redirect visitors through Clickbank, a favored affiliate network used by Mike Boehm in the past.
The system works like this:
Basically, the spamvertised site contains hidden iFrames and/or hidden divs that have a redirection JavaScript. The redirection JavaScript attempts to conceal where the page is redirecting to. The code on the Spamvertised pages looks like this:
The JavaScript loaded from the script tag assembles a URL from the parameters, then loads the content of that URL.
// Method on the redirector's "ajax" object. host_name, qs and pg_st are set
// elsewhere on the page; $ is jQuery; ajax.flip is another method of the same object.
getMainPage : function(m, l, li, s, u, o, c) {
    var _u = '';
    // Assemble the request path from the parameters, leaving out u, o and c when empty.
    if (u == '') {
        if (o == '' && c == '') {
            _u = host_name + 'ajax_m/get_main_page/' + m + '/' + l + '/' + li + '/' + s + '/';
        } else {
            _u = host_name + 'ajax_m/get_main_page/' + m + '/' + l + '/' + li + '/' + s + '/' + o + '/' + c + '/';
        }
    } else {
        if (o == '' && c == '') {
            _u = host_name + 'ajax_m/get_main_page/' + m + '/' + l + '/' + li + '/' + s + '/' + u + '/';
        } else {
            _u = host_name + 'ajax_m/get_main_page/' + m + '/' + l + '/' + li + '/' + s + '/' + u + '/' + o + '/' + c + '/';
        }
    }
    // Pass along the query string from the spamvertised link, if there was one.
    if (qs != '') {
        _u = _u + 'qs/?' + qs;
    }
    // Fetch that URL; the response body is nothing but the final destination URL.
    $.ajax({
        url: _u,
        success: function(data) {
            if (pg_st == 0) {
                // Top-level mode: send the whole window to the returned URL.
                var _w = window;
                _w.location = data;
            } else {
                // Hidden-frame mode: show the "Loading" graphic, hide the page
                // content, and load the returned URL into the content_window iframe.
                $('#show_loading').css('display', 'block');
                $('#content').css('display', 'none');
                var _doc = document.getElementById('content_window');
                _doc.src = data;
                _doc.onload = ajax.flip;
            }
        }
    });
},
The URL that’s assembled contains nothing but a text string to yet another URL. And, as it turns out, that URL belongs–surprise!–to Clickbank.
In the past, Clickbank has been reasonably responsive to spam complaints. I won’t say they’re great (they’re slow and often don’t take action until I’ve complained multiple times), but they do eventually shut down spamming affiliates.
They shut Mike Boehm down multiple times, and for a while, I was seeing very little spam from him.
This new tsunami of spam, accompanied by the sneaky attempts to conceal the Clickbank redirects, suggests that he’s back to his old tricks, but this time trying to prevent anyone from complaining and having him shut down again.
I’ve managed to find the affiliate IDs he’s using and file complaints with Clickbank. I hope they shut him down again.
There’s a degree of entitlement among spammers I rarely see outside abusers.
The email below appeared without explanation in my inbox today, and ranks in the top 10 most bizarre emails I’ve received. I have no idea what to make of this.
Email spam–defined here as “unwanted, unsolicited commercial email”–is big business, with spam emails producing millions of dollars in revenue for the larger spam kingpins. There’s a huge cost to this spam, though. Google has released a PDF on the economics of spam, which talks about how much cost spam emails externalize onto others. Spam filtering, for example, costs about $6 billion a year, and without it, email would be largely unusable.
Spammers often try to justify their spamming by claiming that email advertising is necessary to keep Web content free. It’s true that advertising is a necessary component of the Web–I wouldn’t be able to pay for all my Web sites without it. But as the Google report says, spamming is not the same as this kind of advertising:
How does spam differ from legitimate advertising? If I enjoy watching network television, using a social networking site or checking stock quotes online, I know I will be subjected to advertisements, many of which may be irrelevant or even annoying to me. Google, Yahoo!, Microsoft, Facebook, and others provide valuable consumer services, such as social networking, news and email, supported entirely by advertising revenue. While people may resent advertising, most consumers accept that advertising is a price they pay for access to valuable content and services. By contrast, unsolicited commercial email imposes a negative externality on consumers without any market-mediated benefit, and without the opportunity to opt out.
The vast majority of spam operations are run by a handful of spammers, the so-called “ROKSO spammers,” extremely prolific email spammers (some of whom are affiliated with organized crime, like Leo “Badcow” Kuvayev, a person involved in spam, malware, fake pharmaceuticals, and child porn and now in prison) who are part of the Register of Known Spam Operations.
There are also a lot of affiliate marketing companies–companies who pay affiliates to promote products. Some of these companies also run email marketing. All of them claim to be opposed to spam. But many are perfectly willing to allow spam, even spam by big-time ROKSO spammers, because of simple economics: it makes money.
I’ve blogged about one of these ROKSO spammers and his connection with “mainstream” affiliate and email marketing companies before. I monitor spam from this person, largely because I get a vast quantity of it to various email addresses. And when I say vast, I mean it–as in 839 examples of spam email in the last 20 days alone.
This particular spammer has a pretty simple modus operandi. He signs up for affiliate codes with “mainstream” email marketers and affiliate sales companies and spams, spams, spams. He tends to go for certain kinds of affiliate accounts: fake diabetes “cures,” quack “heart attack prevention” nostrums, right-wing conspiracy books, weight-loss fad diets, woodworking plans, and “get paid to do surveys” scams are his forte.
He’s worked with a wide range of affiliate companies before: Clickbank, Flex Marketing, and Clickbooth most often.
His spam activities slowed for a while, but recently have redoubled. And this new salvo of spam activities features two affiliate companies in particular: Clickbank and Cake Marketing. To a lesser extent, he’s still spamvertising through AD1/Flex Marketing, but not as much.
He’s not foolish enough to spam Clickbank or Cake Marketing links directly. Instead, he spams links that are just 301 redirectors to Clickbank or Cake URLs, or that open those URLs in a frame, to provide enough distance to shield Clickbank and Cake from direct association and provide a level of plausible deniability.
A few things have changed since I first wrote about this particular spam system, but the overall shape remains the same. The spammer, Mike Boehm, sends out millions of spam emails containing links to throwaway domain names. These domains used to be redirectors located at Namecheap; nowadays, they’re protected by Cloudflare, a name well known to spam fighters.
These domains are simply redirectors–that is, when you click on one of the links, you just get sent somewhere else. With these new spam runs, you end up either at a traffic redirection site owned by Cake Marketing, or at a domain that opens a Clickbank link in a frame. The new spam affiliate system is a bit different from the old one, and looks like this:
More than 90% of the spam emails–and like I said, there are a lot of them–go through Cake Marketing or Clickbank.
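Mapping one of these chains by hand is tedious, so here is an added Python example (mine, not the spammer's or either network's code) that walks a throwaway-domain link hop by hop: it follows HTTP 301/302 redirects and, when a page instead opens the affiliate URL in a frame, pulls the frame's src and keeps going, then attributes the landing host to a network. The fetch function is injected; the sample chain and the hostname tracking.example-cake.test are constructed placeholders, and only hop.clickbank.net is a real tracker domain.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FrameSrcFinder(HTMLParser):
    """Collect src of <iframe>/<frame> tags, resolved against the page URL."""
    def __init__(self, base):
        super().__init__()
        self.base, self.srcs = base, []
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(urljoin(self.base, value))

def walk_chain(fetch, start, max_hops=10):
    """Follow HTTP redirects and frame embeds; return [(url, how), ...].
    fetch(url) -> (status, headers, body) with lower-case header names."""
    chain, url = [], start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        finder = FrameSrcFinder(url)
        finder.feed(body)
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            chain.append((url, f"HTTP {status}"))
            url = urljoin(url, headers["location"])
        elif finder.srcs:  # page loads the affiliate link in a frame instead
            chain.append((url, "frame"))
            url = finder.srcs[0]
        else:
            chain.append((url, "final"))
            return chain
    chain.append((url, "hop limit reached"))
    return chain

# Clickbank's hop domain is real; the Cake entry is a constructed placeholder.
KNOWN_TRACKERS = {"hop.clickbank.net": "Clickbank",
                  "tracking.example-cake.test": "Cake Marketing (placeholder)"}

def classify(url):
    """Attribute a landing URL to a known network by hostname suffix."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, network in KNOWN_TRACKERS.items():
        if host == suffix or host.endswith("." + suffix):
            return network
    return "unknown"

# Constructed chain: throwaway domain -> 301 -> framing page -> hoplink.
SAMPLE = {
    "http://throwaway.example/go": (301, {"location": "http://framer.example/"}, ""),
    "http://framer.example/": (200, {}, '<iframe src="http://aff.vendor.hop.clickbank.net/"></iframe>'),
    "http://aff.vendor.hop.clickbank.net/": (200, {}, "<html>offer page</html>"),
}
```

Run it against a live link with a fetch built on urllib that returns the status, headers and body without following redirects itself, and the printed chain is the evidence to attach to an abuse complaint.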
I’ve sent repeated complaints to the Cake Marketing and Clickbank email addresses, and received no reply. The spam affiliate accounts remain active. I expected this from Cake Marketing; to my knowledge, they never acknowledge spam complaints. I’m disappointed in Clickbank. They have terminated this spammer multiple times in the past, but appear disinclined to do so now.
There is an interesting postscript to this story: Clickbank has apparently established a reputation in the time since my last blog post on this subject as a spam haven. When I attempted to post this entry on LiveJournal, the following error message popped up: