fly.io, SMS spam, and malware

[Edit 11-Jan-2023] I’ve received a reply from Fly.io; see end of this entry

Ah, a new year has come. Out with the old, in with the new…strategies for phish and malware sites, that is.

And what would phish and malware sites be without complicit webhosts and web service providers?

So today I’m going to dive into an enormous quantity of SMS text message spam I’ve been flooded with over the past couple of months, who’s behind it, and what it’s doing.

It started in mid-November of last ear (2023), with a text message saying “The USPS package arrived at the warehouse but could not be delivered” and a link to a site that was just a random collection of letters and numbers. No biggie, I get these all the time. Standard run of the mill phish attempt. If you visit the link, you’re taken to a site that looks like the Post Office, but it’s a fake, of course. They ask you to type a bunch of personal information, which the people responsible will use to steal your identity, get loans in oyur name, whatever.

Then I got another. And another. And another. And another. And then dozens more, coming in one, two, three, four, sometimes five or more a day.

And they haven’t stopped.

Text message after text message after text message. “You’ve been infected with viruses.” “Your cloud service has been terminated.” “We couldn’t deliver your package.”

All of them with URLs that looked like random strings of letters and numbers.

So my spidey sense was activated, and I looked up all those URLs.

Surprise, surprise, every single one is hosted on the same web service provider, an outfit called fly.io.

And there are a lot of them.

*** CAUTION *** CAUTION *** CAUTION ***
THESE LINKS ARE LIVE AS OF THE TIME OF WRITING THIS. Many of these links will bring you to malware or phish sites. DO NOT visit these links if you don’t know what you’re doing.

I started collecting the URLs from the text messages:

  • http://eonmpxm.com/OR73bg5L
    FakeAV malware site
  • http://wkcetku.com/G1LO5X38
    Fake “government subsidy” site
  • http://nztkspy.com/MK2RVeJg
    FakeAV malware site
  • http://lkxsxef.com/KJeQ09Vp
    FakeAV malware
  • http://klxnitq.com/oxp18G47
    Equifax phish
  • http://epgguli.com/0M37VmkO
    McAfee phish
  • http://yonxutn.com/1MZbOrZv
    FedEx phish
  • http://zveeyou.com/7Xy1E8G8
    FakeAV malware
  • http://mirumbf.com/KJeQ09Vp
    FakeAV malware
  • http://mirumbf.com/KJeQ09Vp
    FakeAV malware
  • http://qjkwmww.com/yng4eExR
    Fake USPS phish
  • http://wnddwet.com/KJe40qm5
    FakeAV malware
  • http://pdxftwt.com/ER39R0rR
    XFinity phish
  • http://plefaas.com/rNzdEAEW
    FakeAV malware
  • http://oitbaon.com/A3B6vBOe
    FakeAV malware
  • http://napiyib.com/nQ0mJKoZ
    FakeAV malware
  • http://kozqtlp.com/vGeO0XmX
    Xfinity phish
  • http://ugokulc.com/KJM89Mem
    USPS phish
  • http://iqbyojt.com/KJeQ09Vp
    FakeAV malware
  • http://sobagiw.com/nQVA0bVp
    Xfinity phish
  • http://oosjrjt.com/GRG8ML9n
    FakeAV malware
  • http://xqzfnuh.com/ZjgL4GbE
    Xfinity phish
  • http://tecvxzo.com/5aannZO7
    Google phish

I notified fly.io’s abuse team about the problem. And notified them. And notified them. And notified them. Each time, I received an identical reply, from a guy calling himself “Matt Braun,” saying only “I have let our customer know. Thanks!”

Matt Braun doesn’t appear to have grasped that their customer is the phisher. And lately, I haven’t even received these replies; they haven’t acknowledged recent abuse reports in days. Meanwhile (of course) all the links remain active because (of course)…their customer is the phisher.


Okay, so how does the scheme work?

I’ve spent some time mapping out the network. The quick overview:

  1. A text message is mass broadcast, advertising a URL on fly.io.
  2. Marks who click on the link in the message are redirected to a site called “track.palersaid.com,” hosted on Amazon AWS. Track.palersaid.com looks at the incoming fly.io URL, the type of computer or smartphone you’re using, and probably other stuff, then sends you on to another site.
  3. This site, track.hangzdark.com, is another tracking and redirection site also hosted on Amazon AWS.
  4. From there, marks are redirected to the actual target site, which might be a fake FedEx page, a fake UPS page, a fake “virus scan” page, or more. There are a lot of these destinations: read.messagealert.com, kolakonages.com, aca.trustedplanfinder.com, and more. Some of these destination sites are, no surprise here, hosted on Namecheap, which is in my opinion one of the scuzziest of malware and spam sewer hosts.

Example destination page

How the network works

This bears a strong resemblance to some of the malware and spam networks I’ve mapped out in the past, though the delivery network (SMS text messages) and the web service provider (fly.io) are different.

If you get these text messages, do not follow the links. If you are also seeing these messages, please let me know in a comment! I would love to know how big this network is. Fly.io seems reluctant to shut down these phishers, which leads me to wonder if they aren’t making quite a bit of money from them.


[Edit 11-Jan-2023] I’ve received a reply from Fly.io’s Abuse team:

Thank you for your patience with us over the holiday, and some follow up details.

Usually, when we have reports of spammer or abuser on our platform, our internal systems have a host of signals that we can look to to verify the report and take the appropriate action. In the vast majority of cases the signals are clear and unequivocal. However, in this instance, the signals were entirely the opposite: all signs pointed to a seemingly-legitimate user.

Our systems are set up for “either you are a customer or you are not”, and banning a customer would mean immediate and irrevocable loss of that’s customers data. That’s is not a risk we take lightly so we were not going to flip the switch and risk blowing away someone’s information without a smoking gun. I expect you and I have both seen dozens of those posts on Hacker News or elsewhere where an innocent user writes “Company has deleted my entire account without warning and I’ve lost years of data”. We don’t want to do that to someone.

So where does that leave us? The apparent reason for the behavior/signal disconnect is that it was our customer’s customer doing the abuse. Our customer has committed to evicting their customer today which should put an end to the redirection through our systems (though, unfortunately, I don’t expect that’ll have any impact on the SMS spam). If it doesn’t resolve things, let us know. We’re back online after the holiday and more in a position to chase things things down.

Additionally, there were two other concerns we need to address internally:
1) We don’t have the ability to suspend users. This is something that I’m going to pursue as we need something more nuanced than our all-or-nothing approach so that we’re able to move on complaints sooner without risk of harming someone innocently caught in the middle of things.
2) We did not follow up with the customer as often as we should have after their initial acknowledgement of the problem and indication that they would address it. That’s a coordination process breakdown exacerbated by people taking time off during the holidays and not having the usual “obviously-abuse” signals. Additionally, we need to come up with an approach to our abuse ticketing system that allows for long-lived cases.

You can email me, personally, if you feel you aren’t getting attention on this (email redacted) and I’m sincerely sorry for the delay in letting you know where things stood or getting things sorted with the customer.

It seems Fly.io is one of the good guys.

The spam stopped for a few days, though it has resumed again. This time, the SMS spam domains are hosted on Alibaba rather than Fly.io.

When unicorns go bad: Salesforce and pump-n-dump scams

About six months ago, I noticed a significant uptick in spam email. But not just any spam, oh no. I found myself flooded with stock pump-n-dump spam, in incredible quantities.

What is pump-n-dump?

A pump-n-dump scam is where a scammer buys a large quantity of a cheap stock, then floods the world with hype to drive up the price of the stock. When it starts to rise, the scammer sells all his shares, the stock collapses, and the scam victims lose their investments.

Occasionally, the companies parasitized in this way can go out of business (small companies will sometimes use their own stock as collateral for loans, with the agreement that if the price of the stock drops below a certain point, the loans come due immediately).

And as I collected examples of this spam, I noticed something interesting: all the pump and dump scam spam originated from Salesforce, the $300 billion American tech giant.

American company Salesforce supports stock pump and dump scammers

So what does Salesforce have to do with penny stock scams, and why on earth would Salesforce be supporting pump-n-dump stock scammers? Hang on, let’s go down the rabbit hole.


When I say I’ve been getting stock scam spam in incredible quantities, I mean it. I’ve received 1,794 examples of stock pump-n-dump scam emails between March 17, when I first started collecting them, and October 30. That’s 1,794 scam emails in 227 days, or an average of about eight a day.

Salesforce stock pump and dump spam emails

There are a lot of them. They come from multiple From addresses and claim to be from various “investment” companies, but they all have some characteristics in common:

  • They all originate from IP addresses owned by Salesforce subsidiary Exact Target
  • They all advertise URLs hosted by Salesforce subsidiary Exact Target
  • While they come from different email addresses, they use similar graphics, language, and promote the same sets of stocks

How many different companies do they claim to come from? Lots. Every time I see an example of one of these spam emails, I build a rule in my mail reader app to route future examples to the Salesforce scam spam folder. Between March and October, here’s a list of the From addresses used in these scam emails:

Salesforce stock pump and dump email rules

Each From address will be used to send anywhere from three to twenty or so scam emails before it’s abandoned and the scammers move on to the next.

What does Salesforce make of all this?

On paper, Salesforce/ExactTarget’s spam policies seem good enough. In practice…

In practice, Spamcop has disabled reporting to Salesforce, because Salesforce (a) doesn’t pay any attention to abuse reports and (b) doesn’t follow spam best practices, specifically by not requiring double-opt-in and not honoring remove requests.

Spamcop disables abuse reports to Salesforce for email spam

This isn’t a new problem, either. Spamcop stopped sending abuse reports to Salesforce/ExactTarget at least as far back as 2011, and maybe earlier.

Unsurprisingly, manual emails to Salesforce and ExactTarget abuse addresses do nothing.


So what’s all this about? What does Salesforce gain by assisting stock pump and dump scammers?

$$money$$

Pump and dump scams require broad reach. They are also extremely profitable when they work. So it’s worth spending money to make sure you can reach as many marks as possible; profit varies directly with the number of gullible dupes you can con into buying the hyped stock.

And Salesforce/ExactTarget isn’t cheap:

Salesforce/ExactTarget pricing for spam

Note those prices are (a) billed annually up front and (b) are per organization. So even the cheapest plan is $4,800 out of pocket at the start, and the spammers are using multiple phony organizations in their spam.

This is, I’ll warrant, a nontrivial source of Salesforce revenue.

So Salesforce has a positive financial incentive to aid and abet these scammers, and thousands of folding, spendable reasons to disregard abuse reports.

The Return of the Spam Tsunami

As regular readers of this blog know, I am an amateur infosec researcher, and I track spam and malware as a hobby. And, as many of you know, there are certain names–ISPs, people, affiliate networks, content delivery networks–that tend to come up again and again whenever you do a deep dive into the seedy, twisted world of spam and malware.

A while back, I wrote a blog post about a prolific spammer named Mike Boehm, who makes money sending spam emails that advertise affiliate links on affiliate Web sites. Every time someone clicks a link in one of his spam emails, they’re redirected through a network of computers, all designed to put distance between the spam email and the final site, until eventually arriving at an affiliate Web site, which pays Mr. Boehm for the referral.

Lately, I’ve found myself buried under a blizzard–nay, dare I say, a tsunami–of spam emails that all have very similar characteristics. They advertise a site, usually with a cheap top level domain that nobody wants such as .stream or .science or .faith. Visiting the site shows a plain white page with an animated “Loading” graphic. Then, after a few seconds, you end up on a completely different site, the one actually advertised in the spam.

These spam emails have some but not all of the characteristics of Mike Boehm spam. It’s been hard to track them, because they use complex JavaScript to attempt to hide how the redirection works, what affiliate network they’re using, and where they redirect to. I’ve been collecting examples, and as the number of these spam emails arriving in my inbox has risen, so too has my blood pressure.

Today, it finally reached the point where I sat down and did the work to take apart the tricky JavaScript redirectors and figure out what’s happening.

Lo and behold, the JavaScript is used to redirect visitors through Clickbank, a favored affiliate network used by Mike Boehm in the past.

The system works like this:

Basically, the spamvertised site contains hidden iFrames and/or hidden divs that have a redirection JavaScript. The redirection JavaScript attempts to conceal where the page is redirecting to. The code on the Spamvertised pages looks like this:

<script type=”text/javascript” src=”hxxp://[spamvertised domain]/ajax/get_js/main/”></script>
<title>Loading…</title>
<meta hxxp-equiv=”content-type” content=”text/html; charset=UTF-8″ />
</head>
<body>
<div style=”position:absolute;top:-1000px;left:-1000px;height:0px;width:0px;”><a href=”hxxp://www.buzsounds.faith/tr11/6/685/416/510/81/26391725/index.htm” style=”border=0;”><div></div></a></div>
<div id=”show_loading”>
<center><br /><br /><img src=’hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/’ /></center>
</div>
<div id=”content” style=”display:none;”>
<iframe id=”content_window”>
<html>
<body>
<center><br /><br /><img src=’hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/’ /></center>
</body>
</html>
</iframe>
</div>
<script type=”text/javascript”>
$(document).ready(
function() {
if (ajax._loaded == false) {
var _doc = ajax.getIframeCW(document.getElementById(‘content_window’));
_doc.body.innerHTML = ‘<html><body><center><br /><br /><img src=\’hxxp://[spamvertised domain]/ajax/get_imgl/loading.gif/\’ /></center></body></html>’;
}
}
);
ajax.getMainPage(
param1,
param2,
param3,
param4,
param5,
param6,
param7,
qs
);
</script>

The JavaScript loaded from the script tag assembles a URL from the parameters, then loads the content of that URL.

getMainPage : function(m,l,li,s,u,o,c) {
var _u = “”;

if (u == ”) {
if (o == ” && c == ”) {
_u = host_name+’ajax_m/get_main_page/’+m+’/’+l+’/’+li+’/’+s+’/’;
}else{
_u = host_name+’ajax_m/get_main_page/’+m+’/’+l+’/’+li+’/’+s+’/’+o+’/’+c+’/’;
}
}else {
if (o == ” && c == ”) {
_u = host_name+’ajax_m/get_main_page/’+m+’/’+l+’/’+li+’/’+s+’/’+u+’/’;
}else{
_u = host_name+’ajax_m/get_main_page/’+m+’/’+l+’/’+li+’/’+s+’/’+u+’/’+o+’/’+c+’/’;
}

}

if(qs != ”) {
_u = _u+”qs/?”+qs;
}

$.ajax({
url: _u,
success: function(data) {

if (pg_st == 0) {
var _w = window;
_w.location = data;
}else{
$(‘#show_loading’).css(‘display’,’block’);
$(‘#content’).css(‘display’,’none’);
var _doc = document.getElementById(‘content_window’);
_doc.src = data;
_doc.onload = ajax.flip;
}
}
});
},

The URL that’s assembled contains nothing but a text string to yet another URL. And, as it turns out, that URL belongs–surprise!–to Clickbank.

In the past, Clickbank has been reasonably responsive to spam complaints. I won’t say they’re great (they’re slow and often don’t take action until I’ve complained multiple times), but they do eventually shut down spamming affiliates.

They shut Mike Boehm down multiple times, and for a while, I was seeing very little spam from him.

This new tsunami of spam, accompanied by the sneaky attempts to conceal the Clickbank redirects, suggests that he’s back to his old tricks, but this time trying to prevent anyone from complaining and having him shut down again.

I’ve managed to find the affiliate IDs he’s using and file complaints with Clickbank. I hope they shut him down again.

There’s a degree of entitlement among spammers I rarely see outside abusers.

Bizarre email o’ the day

The email below appeared without explanation in my inbox today, and ranks in the top 10 most bizarre emails I’ve received. I have no idea what to make of this.

Delivery-date: Wed, 07 Sep 2016 18:58:56 -0500
Message-ID: <2B2E98CBC0142E5D8184CD794D1C0DE0@ibcmobile.com>
From: “SAVE US” <sales@ibcmobile.com>
To: <franklin@franklinveaux.com> (and 5 other email addresses redacted)

Subject: They kill with wars, alcohol and abortions. Save us!!!

They kill with wars, alcohol and abortions. Save us!!!

That’s it. No link, no attachment, nothing. Just…that.

Email Spam Re-revisited: How “mainstream” email marketers promote spam

Email spam–defined here as “unwanted, unsolicited commercial email”–is big business, with spam emails producing millions of dollars in revenue for the larger spam kingpins. There’s a huge cost to this spam, though. Google has released a PDF on the economics of spam, that talks about how much cost spam emails externalize onto others. Spam filtering, for example, costs about $6 billion a year, and without it, email would be largely unusuable.

Spammers often try to justify their spamming by claiming that email advertising is necessary to keep Web content free. It’s true that advertising is a necessary component of the Web–I wouldn’t be able to pay for all my Web sites without it. But as the Google report says, spamming is not the same as this kind of advertising:

How does spam differ from legitimate advertising? If I enjoy watching network television, using a social networking site or checking stock quotes online, I know I will be subjected to advertisements, many of which may be irrelevant or even annoying to me. Google, Yahoo!, Microsoft, Facebook, and others provide valuable consumer services, such as social networking, news and email, supported entirely by advertising revenue. While people may resent advertising, most consumers accept that advertising is a price they pay for access to valuable content and services. By contrast, unsolicited commercial email imposes a negative externality on consumers without any market-mediated benefit, and without the opportunity to opt out.

The vast majority of spam operations are run by a handful of spammers, the so-called “ROKSO spammers,” extremely prolific email spammers (some of whom are affiliated with organized crime, like Leo “Badcow” Kuvayev, a person involved in spam, malware, fake pharmaceuticals, and child porn and now in prison) who are part of the Register of Known Spam Operations.

There are also a lot of affiliate marketing companies–companies who pay affiliates to promote products. Some of these companies also run email marketing. All of them claim to be opposed to spam. But many are perfectly willing to allow spam, even spam by big-time ROKSO spammers, because of simple economics: it makes money.

I’ve blogged about one of these ROKSO spammers and his connection with “mainstream” affiliate and email marketing companies before. I monitor spam from this person, largely because I get a vast quantity of it to various email addresses. And when I say vast, I mean it–as in 839 examples of spam email in the last 20 days alone.

This particular spammer has a pretty simple modus operandi. He signs up for affiliate codes with “mainstream” email marketers and affiliate sales companies and spams, spams, spams. He tends to go for certain kinds of affiliate accounts: fake diabetes “cures,” quack “heart attack prevention” nostrums, right-wing conspiracy books, weight-loss fad diets, woodworking plans, and “get paid to do surveys” scams are his forté.

He’s worked with a wide range of affiliate companies before: Clickbank, Flex Marketing, and Clickbooth most often.

His spam activities slowed for a while, but recently have redoubled. And this new salvo of spam activities features two affiliate companies in particular: Clickbank and Cake Marketing. To a lesser extent, he’s still Spamvertising through AD1/Flex Marketing, but not as much.

He’s not foolish enough to spam Clickbank or Cake Marketing links directly. Instead, he spam links that are just 301 redirectors to Clickbank or Cake URLs, or open the URLs in a frame, to provide enough distance to shield Clickbank and Cake from direct association and provide a level of plausible deniability.

A few things have changed since I first write about this particular spam system, but the overall shape remains the same. The spammer, Mike Boehm, sends out millions of spam emails containing links to throwaway domain names. These domains used to be redirectors located at Namecheap; nowadays, they’re protected by Cloudflare, a name well known to spam fighters.

These domains are simply redirectors–that is, when you click on one of the links, you just get sent somewhere else. With these new spam runs, you end up either at a traffic redirection site owned by Cake Marketing, or at a domain that opens a Clickbank link in a frame. The new spam affiliate system is a bit different from the old one, and looks like this:

More than 90% of the spam emails–and like I said, there are a lot of them–go through Cake Marketing or Clickbank.

I’ve sent repeated complaints to the Cake Marketing and Clickbank email addresses, and received no reply. The spam affiliate accounts remain active. I expected this from Cake Marketing; to my knowledge, they never acknowledge spam complaints. I’m disappointed in Clickbank. They have terminated this spammer multiple times in the past, but appear disinclined to do so now.

Thereis an interesting postscript to this story: Clickbank has apparently established a reputation in the time since my last blog post on this subject as a spam haven. When I attempted to post this entry on LiveJournal, the following error message popped up:

Namecheap: Why I’m moving away from them

I have a rather extensive collection of Web sites, where I write about everything from photography to transhumanism to sex. As a result, I have rather a lot of domain names, which until recently I’ve registered with Namecheap, as they have in the past been cheap and reasonably reliable.

However, I have begun the painful and expensive process of moving off Namecheap, and I recommend others do the same. There are two interrelated reasons for this, the first having to do with poor support and training (Namecheap employees don’t appear to know the differnce between a domain and a subdomain, which is rather a serious problem when you’re in the business of domains) and the second having to do with support for spam and malware (largely on account of the first).

The story is long and complicated, but it begins many months ago with a spam email advertising life insurance, which was plugging a domain hosted on Namecheap Hosting.

Namecheap, in addition to being a domain registrar (well, technically a reseller for a registrar called Enom), is also a Web hosting company. If you’re a Web hosting company, sooner or later a spammer will host a Web site with you. How you react when you receive abuse reports will determine how popular you are with spammers. If you react quickly, spammers will avoid you. If you allow the site to remain up, spammers will talk, and soon other spammers will flock to you. If you continue to leave spam domains up, pretty soon spammers will start choking out your other customers.

Anyway, it happens. A spammer found Namecheap Hosting. I hadn’t seen much spam on Namecheap before, so I fired off an abuse report and that was the end of it.

Or so I thought. But then things took a turn for the strange.

A couple of days later, I received an email from Namecheap abuse saying “we aren’t hosting this domain, go complain to someone else.” Now, that happens from time to time as well; spammers will sometimes hop from one host to the next, so by the time a host receives a complaint, the spammer’s Web site has been moved and they’re not hosting it any more.

I looked at the domain. Still hosted on Namecheap. I wrote back saying “no, it’s definitely hosted by you guys; here’s the IP address, 162.255.119.254. That address is in your space.”

And got back a second email: “We’re not hosting this site.”

“Huh,” I thought, “that’s strange. Maybe the site is hosted on many IP addresses?” That’s another spam tactic, putting a Web site on a bunch of hosts and then changing the IP address constantly. But no, the site had only ever been hosted by Namecheap.

I replied and said “no, here’s the DNS entry, ere’s the history for the site, you’re definitely hosting it.” And got back yet another reply: “no we’re not.”

And then something even weirder happened.

I started getting tons of spam advertising domains pointing to Namecheap’s IP address space. Tons. Spam advertising life insurance, promoting Bitcoin schemes, advertising phony “cures” for diabetes. Spam pitching window replacement services, Amazon gift cards, Russian dating sites, and home refinancing.

And I’d seen this spam before. It was word-for-word and image-for-image identical to spam from well-known, infamous spam purveyors that had always, until now, advertised sites hosted in Russia, Columbia, and the Ukraine–places that tend to permit spam hosting.

I started getting multiple pieces of this spam a day. Then dozens. All of it advertising domains on Namecheap IP addresses.

  
Left: Old spam advertising a site hosted in Eastern Europe. Right: Recent spam advertising a site on Namecheap.

I sent spam reports to Namecheap…and Namecheap’s abuse team kept sending responses saying “we aren’t hosting these sites.”


This is the point where I learned that Namecheap, a company that sells domain names, does not understand how a domain name works.

A typical domain name has three (or more) parts. The parts are separated by periods. Let’s look at an example:

www.morethantwo.com

Going from right to left: The last part is called a “top level domain,” or “TLD”. It’s things like “.com” or “.net” or a country-specific code like “.ca” (for Canadian sites). The UK uses “.co.uk” for various historical reasons.

The part before the TLD, in this case morethantwo, is the domain name.

The part at the very beginning, in this case www, is a subdomain. The subdomain “www” stands for “World Wide Web” and it’s the most common subdomain by far. But you can make a subdomain be anything you want. You could set up your Web site at “polyamory.morethantwo.com” or “groupsexisawesome.morethantwo.com” or anything else you like.

And here’s the important part:

You can put a subdomain on a completely different server, hosted by a completely different Web host.

For example, morethantwo.com is hosted by Incubus Web hosting. But if I wanted to, I could put “polyamory.morethantwo.com” on Dreamhost and “groupsexisawesome.morethantwo.com” on Softlayer–each subdomain can get its own IP address and its own Web server, if you want.

Now you might not know that, and you can be excused for not knowing that. It’s not necessary to understand how the Internet works in order to use it.

But Namecheap should know that. They sell domain names. This is what they do.

It’s okay if a person who owns a car doesn’t know that a car’s engine has more than one spark plug in it, but no professional mechanic should ever be ignorant of that simple fact. It’s okay if a person who uses the Web, or even a person who owns a Web site, doesn’t know that subdomains can be hosted on one IP address. It’s unforgivable that a domain registrar doesn’t know that.

In this case, the spammer is using domain names that look like

view1.gnrlbshomes.us

“view1” is a subdomain, hosted by Namecheap. The main domain,gnrlbshomes.us, is hosted elsewhere. Namecheap’s abuse team doesn’t know how that works. When they received the spam complaint, they didn’t look at view1.gnrlbshomes.us, they only looked at gnrlbshomes.us.

When I figured out what was happening, a light dawned. I fired off a reply explaining that view1.gnrlbshomes.us and gnrlbshomes.us were hosted at differnt IP addresses, and they were hosting the actual spamvertised URL, view1.gnrlbshomes.us.

Problem solved, right? They simply missed the subdomain, right? Wrong.

Elena, it seems, didn’t talk to Kate. Namecheap has a systemic problem. This isn’t someone not noticing the subdomain, this is someone not knowing how domains work.

And I got a lot of these emails, from all different people: “The domain ‘blah blah blah’ isn’t hosted by Namecheap.”

At this point, I was convinced the problem was incompetence…and a bizarre incompetence, an incompetence on the level of a professional auto mechanic not understanding that an engine has more than one spark plug.

But then, things took a turn for the even weirder.

I patiently replied to each of the emails, showing the IP address of the main domain and the subdomain, and that the subdomain was in fact on Namecheap IP space.

And then I started getting replies like this:

Essentially, what this says is “if you don’t actually send email from a Namecheap server, you’re welcome to spam a domain that lives in Namecheap space and we’re A-OK with that.”

Now, spammers almost never send emails from the same servers their Web sites live on. Usually, spammers send emails from home computers that are infected with viruses without their owner’s consent (a lot of computer viruses are written for profit; the virus authors infect computers with software that allows them to remotely control the computers, then sell lists of infected computers to spammers, who use the infected computers to send spam email.) Sometimes, the spam emails are sent from “bulletproof” spam mail servers in places like the Ukraine. But they almost never come from the same computer that’s hosting a site.

So Web hosting companies want to see a spam with full headers when you report spam, so they can verify that, yep, this is a spam email, and shut down the Web site that’s being spamvertised.

But not Namecheap. Namecheap will knowingly and willingly allow you to spam domains on their servers, provided the spam email doesn’t actually come from the same server.

I asked if their policy was to permit spam that doesn’t originate from the same server as the Web site, I received this reply:

Which to me looks like a “yes.”

At the moment, I am currently receiving 11 spam emails a day advertising domains that resolve to Namecheap IP addresses. There are about half a dozen products being spamvertized; each day’s crop of spam messages are word for word and image for image identical to the previous day’s, but the domains are different. Clearly, the spammers feel they’ve found a good home in Namecheap.

So I took a look at that IP address, 162.255.119.254. It’s quite a mess.

Domains on 162.255.119.254 are all forwarded; that is, 162.255.119.254 is a pass-along to other IP addresses. If you want to put up a Web site and you don’t want anyone to know who’s really hosting it, you can put it there, and visitors will be invisibly passed along to its real home.

Now, can you guess what sort of thing that’s useful for?

If you said “spam and malware!” you’re absolutely right. A Virustotal analysis of 162.255.119.254 shows that it’s being used to spread a lot of bad stuff:

And it’s not just Virustotal. A Google search for 162.255.119.254 shows that it has a reputation as a bad neighborhood in a lot of places. It’s listed as a bad actor in the Cyberwarzone list:

and as a virus distributor in the Herdprotect list:

At this point, I got tired of making screenshots, but basically this Namecheap server has a bad reputation everywhere.

So whether through gross incompetence or active malice, Namecheap is running a server that’s a haven for spammers and malware distribution.

Which is why I’ve begun pulling my domain name registrations from them. I can not in good conscience spend money to support a company that’s such a menace to the Internet, and I spend about $500 a year in registrations.

Now, interestingly, I’m averaging about 11 spam emails a day advertising domains on Namecheap’s IP space, but I’m averaging 20 spam emails a day that are word for word identical to these but aren’t advertising a domain on Namecheap.

The ones that are advertising domains not on Namecheap are advertising domains hosted by a company called Rightside.co, a Web host I’m not familiar with.

As I mentioned before. Namecheap is a reseller for a registrar called Enom. And Rightside.co, well…

The fact that the same spammer is using Namecheap and Rightside, and they’re both front-ends for Enom, is interesting. Stay tuned!

Cloudflare: The New Face of Bulletproof Spam Hosting

…or, why do I get all this spam, and who’s serving it?

Spammers have long had to face a problem. Legitimate Web hosting companies don’t host spam sites. Almost all Web hosts have policies against spam, so spammers have to figure out how to get their sites hosted. After all, if you can’t go to the spammer’s website to buy something, the spammer can’t make money, right?

In the past, spammers have used overseas Web hosting companies, in countries like China or Romania, that are willing to turn a blind eye to spam in exchange for money. A lot of spammers still do this, but it’s becoming less common, as even these countries have become increasingly reluctant to host spam sites.

For a while, many spammers were turning to hacked websites. Someone would set up a WordPress blog or a Joomla site but wouldn’t keep on top of security patches. The spammers would use automated tools capable of scanning hundreds of thousands of sites looking for vulnerabilities and hacking them automatically, then they’d place the spam pages on the hacked site. And a lot of spammers still do this.

But increasingly, spammers are turning to the new big thing in bulletproof spam serving: content delivery networks like Cloudflare.


What is a content delivery network?

Basically, a content delivery network is a bunch of servers that sit between a traditional Web server and you, the Web user.

A ‘normal’ Web server arrangement looks something like this:

When you browse the Web, you connect directly to a Web server over the Internet. The Web server takes the information stored on it and sends it to your computer.

With a content delivery network, it looks more like this:

The CDN, like Cloudflare, has a large number of servers, often spread all over the country (or the globe). These servers make a copy of the information on the Web server. When you visit a website served by a CDN, you do not connect to the Web server. You connect to one of the content delivery network servers, which sends you the copy of the information it made from the Web server.

There are several advantages to doing this:

1. The Web server can handle more traffic. With a conventional Web server, if too many people visit the Web site at the same time, the Web server can’t handle the traffic, and it goes down.

2. The site is protected from hacking and denial-of-service attacks. If someone tries to hack the site or knock it offline, at most they can affect one of the CDN servers. The others keep going.

3. It’s faster. If you are in Los Angeles and the Web server is in New York, the information has to travel many “hops” through the Internet to reach you. If you’re in Los Angeles and the content delivery network has a server in Los Angeles, you’ll connect to it. There are fewer hops for the information to pass through, so it’s delivered more quickly.


Cloudflare and spam

Spammers love Cloudflare for two reasons. First, when a Web server is behind Cloudflare’s network, it is in many ways hidden from view. You can’t tell who’s hosting it just by looking at its IP address, the way you can with a conventional Web server, because the IP address you see is for Cloudflare, not the host.

Second, Cloudflare is fine with spam. They’re happy to provide content delivery services for spam, malware, “phish” sites like phony bank or PayPal sites–basically, whatever you want.

Cloudflare’s Web page says, a little defensively, “CloudFlare is a pass-through network provider that automatically caches content for a limited period in order to improve network performance. CloudFlare is not a hosting provider and does not provide hosting services for any website. We do not have the capability to remove content from the web.” And, technically speaking, that’s true.

Cloudflare doesn’t own the Web server. They don’t control what’s on it and they can’t take it offline. So, from a literal, technical perspective, they’re right when they say they can’t remove content from the web.

They can, however, refuse to provide services for spammers. They can do that, but they don’t.


History

CloudFlare was founded by Matthew Prince, Lee Holloway, and Michelle Zatlyn, three people who had previously worked on Project Honey Pot, which was–ironically–an anti-spam, anti-malware project.

Project Honey Pot allows website owners to track spam and hack attacks against their websites and block malicious traffic. In an interview with Forbes magazine, Michelle Zatlyn said:

“I didn’t know a lot about website security, but Matthew told me about Project Honey Pot and said that 80,000 websites had signed up around the world. And I thought ‘That’s a lot of people.’ They had no budget. You sign up and you get nothing. You just track the bad guys. You don’t get protection from them. And I just didn’t understand why so many people had signed up.”

It was then that Prince suggested creating a service to protect websites and stop spammers. “That’s something I could be proud of,’” Zatlyn says. “And so that’s how it started.”

So Cloudflare, which was founded with the goal of stopping spammers by three anti-spam activists, is now a one-stop, bulletproof supplier for spam and malware services.


The problem

Cloudflare, either intentionally or deliberately, has a broken internal process for dealing with spam and abuse complaints. Spamcop–a large anti-spam website that processes spam emails, tracks the responsible mail and Web hosts and notifies them of the spam–will no longer communicate with Cloudflare, because Cloudflare does not pay attention to email reports of abuse even though it has a dedicated abuse email address (that’s often unworkakble, as Cloudflare has in the past enabled spam filtering on that address, meaning spam complaints get deleted as spam).

Large numbers of organized spam gangs sign up for Cloudflare services. I track all the spam that comes into my mailbox, and I see so much spam that’s served by Cloudflare I keep a special mailbox for it.

Right now, about 15% of all the spam I receive is protected by Cloudflare. Repeated complaints to their abuse team, either to their abuse email addres or on their abuse Web form, generally have no effect. As I’ve documented here, Cloudflare will continue to provide services for spam, malware, and phish sites even long after the Web host that’s responsible for them has taken them down; they kept providing services for the malware domain rolledwil.biz, being used as part of a large-scale malware attack against Android devices, for months after being notified.

One of the spam emails in my Cloudflare inbox dates back to November of 2013. The Spamvertised domain, is.ss47.shsend.com, is still active, nearly a year after Cloudflare was notified of the spam. A PayPal phish I reported to CloudFlare in March of 2014 was finally removed from their content delivery network three months later…after some snarky Twitter messages from Cloudflare’s security team.

(They never did put up the interstitial warning, and continued to serve the PayPal phish page for another month or more.)

Cloudflare also continues to provide services for sites like masszip.com, the Web site that advertises pirated eBooks but actually serves up malware.

In fact, I’ve been corresponding with a US copyright attorney about the masszip.com piracy, and he tells me that Cloudflare claims immunity from US copyright law. They claim that people using the Cloudflare CDN aren’t really their concern; they’re not hosting the illegal content, they’re just making a copy of it and then distributing it, you see. Or, err, something.

I am not sure what happened within Cloudflare to make them so reluctant to terminate their users even in cases of egregious abuse, such as penis-pill spam, piracy, and malware distribution. From everything I can find, it was started by people genuinely dedicated to protecting the Internet from spam and malware, but somehow, somewhere along the way, they dropped the ball.

I wonder if Michelle Zatlyn is still proud.

Spam network: Hold on to your networks!

I get, as most folks do, a lot of spam in my inbox. A lot of spam.

And, as most folks who follow my blog know, I dedicate some time to tracking down that spam, especially when it involves hacked Web sites.

Lately, I’ve been getting a tremendous amount of spam that all looks pretty similar. It usually offers phony lose-weight-quick products, miracle hair regrowers, and other health and beauty scams, and the emails all tend to look pretty much the same. Here’s an example:

Pretty bog-standard stuff.

These emails invariably contain URLs that are either hacked sites or sites that have no content at all on the home page. The hacked sites are straightforward; the spammers hack the site, put in a new subdirectory, and put an index file that redirects to another site. The sites that have no content on their top level are a puzzler; it’s not clear if the spammers are setting up these sites themselves, using fake or stolen credit card information, or are hacking into sites that have been reserved and configured for hosting but have never had any content placed in them.

Where it gets interesting is in what happens after that.

Clicking on the URL in a spam email takes you to the hacked or blank site, and leads to a redirector. The redirector leads to another, and another, and another, and another, until you finally end up at the spam site. The chain of events looks like this:

The first stop on the chain is ow.ly, a URL shortener used by Hootsuite, the social media company that lets you manage multiple Twitter, LinkedIn, Facebook, and other social media accounts.

Hootsuite is a large, rapidly-growing company that is filled with bright, ambitious programmers who appear to know very little about security and nothing at all about abuse prevention. I wrote a blog post a while ago with a flowchart of Web 2.0 startups; Hootsuite appears to be somewhere in the early stages of the Loss of Innocence part of the chart, having not yet keyed into the fact that their URL shortener is becoming popular with malware droppers and spammers. (The poor naive dears are still so innocent, they have no mechanism at all for reporting ow.ly spam! I predict that’s going to bite them in the ass in an ugly way, soon.)

After that, things get more interesting.

click here for technical stuff!

Spam of the day: With heat showers!

Most of the spam I get these days is in Spanish. Sometimes, it’s in English. Occasionally, it’s in Russian. Very occasionally, it’s in Arabic. And every so often, it looks like it’s in Russian that was translated into English via Google Translate.

Take, for example, this spam, which I reproduce below for your viewing pleasure unedited save for the reply email:

Subject: You I really liked

Hello Solitary heart!!!

I am a girl with beautiful name Julia, me 27 years. Dream to find the person for serious and long relations! I have interested your profile, since I seem that you search for such relations! Now I shall tell little about itself. I very cheerful and communicative, attractive girl. My growing forms 170 cm, my weight forms 57 kilograms. Much love to read the books, listen the classical music, walk on autumn wood and communicate with interesting people. If I have interested you, that anxiously waits your letter and photographies on my e-mail : m———c@yandex.ru With heat showers! Julia.

Best wishes,
Juliya

I am grateful for Juliya’s concern for the well-being of my romantic life, since truly do I search for such relations, it must be said.

I’m not quite sure, though, what “with heat showers” means. Google Translate renders this back into Russian as “С тепло души,” though of course I haven’t the foggiest notion what that might mean either.

I imagine it to be part of a lengthy blessing of travel in ancient Russian folklore, a ritual to prepare the hero for a journey of particularly perilous peril: “With this ox blood and this stone ax I bless thee, my son. Now go, and bring honor upon our clan, with heat showers.”

reCAPTCHA is Toast

Over the past six weeks or so, one o my email accounts has been flooded with spam advertising phony Internet “pharmacy” sites and penis pill sites.

It still blows my mind to this very day that people actually give money to these folks and actually believe they are getting real drugs, rather than corn starch and food coloring, in return, but that’s a whole separate issue.

The spam I have been getting differs from the ordinary, garden-variety junk “pharmacy” spam I get in that all of it advertises URLs belonging to social networking sites. Each URL is a phony profile of a bogus user, whose user information is nothing but a redirector to a spam site.

I’ve seen this happen before. Usually, it happens when some naive person decides to set up a niche social networking site of some sort, like a social networking site for professional engineers who work in Third World countries or a site for some obscure band or something, but doesn’t know anything about security.

The Russians love people like that. Nearly all Internet pharmacy sites, even (especially) the ones that claim to be Canadian, are run by Russian organized crime. The various crime gangs use bots–computer programs that automatically scan through hundreds of thousands of Web sites per day, searching for small social networking sites. When they find one, they attempt to create phony users. If they succeed, the bot software will start setting up thousands, or even tens of thousands, of bogus users, all automatically, and stuff those bogus user profiles full of ads for the phony pharmacy sites.

So you’ll end up with some Web site that’s dedicated to fans of some Brazilian soccer team or something, and it will have 27,498 users with names like “BuyCheapTramadolHere.” Whenever you visit the user profile page for the site, you get redirected to the fake pharmacy. The spammers then advertise the URL of the Brazilian soccer team site in their spam emails.

This is why it is absolutely essential that anyone who sets up a Web site that allows users to sign up and create profiles must, absolutely must, use some kind of system to prevent bot software from creating phony profiles.


Enter the CAPTCHA–those weird squiggly lines of text that you have to type in in order to fill out many Web forms. The idea behind a CAPTCHA is that a computer program can’t read the words, so computer programs can’t be used to fill out the form.

Organized crime has spent a huge amount of money and time in trying to figure out ways to break CAPTCHAs. Some of the most cutting-edge work in computer optical character recognition is coming from Eastern European organized crime. (Some Web services, such as Gmail, are worth so much to organized crime–mail sent from a Google mail server is almost never blocked by spam filtering software–that organized crime gangs have been known to pay unemployed Third Worlders a penny or so apiece to sit in front of a computer typing in CAPTCHA codes all day.) Another strategy that criminals have used to defeat high-value CAPTCHAs is to do things like set up phony Web sites offering free porn to people if they type in CAPTCHA codes first.

In the past, whenever I have received spam advertising a URL or a redirector hosted on a social networking site, the social networking site isn’t using a CAPTCHA. That makes it trivial for the spammers to create phony accounts to act as redirectors to their spam sites.

CAPTCHAs are such a mandatory part of good Web practice that there are businesses whose sole business is providing CAPTCHA generation software or services to Web owners. One such business is a company called reCAPTCHA, which provides free CAPTCHAs for Web site owners. Hundreds of thousands of Web sites, including many high-profile sites like Craigslist, use CAPTCHAs generated by reCAPTCHA.

And that’s where things get interesting.


Back to my inbox.

Like I said, it’s been flooded lately. I’ve seen literally thousands of bits of spam all advertising bogus profiles on various social networking sites.

Unsurprisingly, many of them are hosted by Ning, the failed and woefully insecure social networking platform cofounded by ex-Netscape cofounder Marc Andreessen, and which today seems to serve primarily as a platform for spammers (as I’ve detailed here). The URLs in the spam look like this:

http://scaryguy.ning.com/profiles/blogs/detrol-detrol-la-homeopathic
http://myjumpspace.ning.com/forum/topics/zocor-zocor-similar-products
http://igotittoo.ning.com/profiles/blogs/cialis-professional-cheapest
http://morecoffee.ning.com/forum/topics/acai-fit-com-now-foods-acai
http://onelion.ning.com/forum/topics/desyrel-buy-cheap-desyrel
http://tvsbrasil.ning.com/profiles/blogs/namenda-tapering-namenda-buy
http://cincinnatiown.com/profiles/blogs/omeprazole-marijuana-and

So in other words, about par for the course for Ning; it’s a sewer of spam, and since it recently fired most of its staff, it’s unlikely ever to improve.

But a lot of the other URLs I’ve been seeing aren’t hosted on Ning:

http://celexa108s.mysoulspot.com/
http://www.design21sdn.com/people/52077
http://community.sgdotnet.org/forums/t/28066.aspx

Those three sites (mysoulspot.com, design21sdn.com, and sgdotnet.org) have been hit particularly hard which each of them currently hosting literally thousands or even tens of thousands of spam profiles.

I visited these and other social networking sites that kept popping up in my spam, expecting to see that they were not using CAPTCHAs to protect themselves from bot software signups.

But that isn’t what I found at all. Instead, what I discovered is that every one of the sites I’m seeing that’s being attacked, including the Ning sites and the social networking sites not related to Ning, are using reCAPTCHA as their CAPTCH provider.

All of them.

Which suggests very strongly to me that reCAPTCHA has been busted. Organized crime has written, I suspect, software that is effective enough at breaking reCAPTCHA protection that it is effectively useless.