FANDOM


DescriptionEdit

20080418 spammer economy

A diagram showing the relationships between several entities within a typical spamming operation.

From the bottom to the top of the spammer food chain, here is a list of everyone involved in sending spam, and profiting from spam. A diagram has also been provided to show the interrelationships these entities share with each other. Note that in many cases, each entity is a single individual, acting alone. Exceptions will be discussed within each entity's description.

For the purposes of clarity, this outline is focusing primarily on product-based spamming (pharmaceuticals, "herbal remedies", replica watches, "OEM" software, etc.) as opposed to stock spamming, which differs slightly.






MailersEdit

Mailers are individuals who have purchased Spam Software. Examples include WarpSpeed Mailer [created by "Phantom", Australia], Send-Safe [created by Ruslan Ibragimov, Russia], Dark Mailer [created by Nikhil Kumar Pragji, Australia].

Mailers (whom we all commonly refer to as "spammers") are the final link in the spam food chain. They sign up to affiliate programs offered by one or more Sponsor Organizations, are provided with distinct and unique Bulletproof Domains to use within their spam messages to promote product types offered by the sponsor group. The mailer receives a percentage of the selling price of whatever the spam recipient ends up purchasing, provided they click through their domain to purchase it. These commissions typically range from 30% - 40%, but can go higher depending on the product.

List Providers or Email HarvestersEdit

These are individuals who specialize in the "harvesting" of email addresses via many different methods. Typically, if they are operating illegally (i.e. "non-compliant", in reference to compliance with the CAN-SPAM law,) they will have acquired these email addresses by harvesting them directly from a series of websites, scraping every possible web page they can discover by any means, and adding the email addresses to their lists.

Others acquire them by actively hacking into large databases, or acquiring them from people with access to large databases of known lists from legitimate companies or corporations. There have been several high-profile convictions of employees of companies such as AOL.com who knowingly sold large lists of email addresses in this way while still in their employ.

Sometimes these list resellers will sell very specifically targeted lists to mailers who want only a very specific audience. Those providers tend to operate in a more legal and "compliant" way, as do the mailers they deal with. Some examples of the specificity of the lists provided in these cases include:

  • Lists of consumers of controlled pharmaceuticals (usually strong pain killers such as Vicodin or Hydrocodone, or other drugs like Phentermine.)
  • Lists of homeowners who have requested to be informed about refinancing.
  • Males aged 20 - 35 who are single and looking for new dating sites.
  • Women aged 19 - 35 who are on diets or interested in diet products.

Spam Software DevelopersEdit

Spam Software Developers use nicknames like Phantom, Crypto, Bysin, Caesar, etc. Their products include WarpSpeed Mailer, Send-Safe, Dark Mailer, among others. Some mailers are also developers and may create their own software to send spam via the use of a botnet infrastructure.

There are developers who have created applications for sending large amounts of email to a many recipients using some distributed method, and in a way which is customizable by the user. Features may include:

  • Header randomization or obfuscation
  • "From" or "Reply-to" randomization or obfuscation
  • Specific randomization of sender-agent (the header that tells what program sent the message.)
  • Templates with randomization of either the copy or the layout of the email message
  • Randomized rotation of spamvertised URL
  • Dynamically generated image attachments

These programs sell for the mid-hundreds of dollars. Usually the well-known applications are sold on an invitation only basis, and only via private means. For example, Phantom, a user on the Bulkerforum.biz forum website, has never publicly advertised that his WarpSpeed Mailer product is actively available for sale. Instead he has conducted individual sales via ICQ, private messaging or email only. The product will not work unless Phantom activates the license for the software.

Mailers and other individuals are often seen selling copies, or cracked versions, of several of these programs. Some of them, such as DarkMailer or Nexus, are even offered for free on certain forums. This may be because the message configuration of those mailers is now less effective at getting through many spam filters.

This type of spam software often relies on access to botnets, so that mailing to a large list (millions of recipients) can take place in a relatively short time, using a distributed method of sending.

Other types of mailers are what are known as "direct" mailers. They send from one location or IP address, and send individually to a large list of recipients, directly by acting as their own email gateway.

Another example is the "internal mailer," usually used to target a very specific free-mail provider's users (e.g. Gmail, Yahoo, Hotmail, AOL.) These use many automatically-created accounts to act as the "from" address in that system (e.g. deuyeffuygueg@hotmail.com) to send to that specific free-mail provider's users (i.e. hotmail.com addresses only.) These have been prevalent with mailers promoting the "Canadian Pharmacy" property on behalf of the sponsor known as "Spamit" or "Glavmed." These have been created to take advantage of the fact that Hotmail's filters (as an example) have a habit of whitelisting Hotmail accounts, allowing their first messages to always be delivered, thus bypassing Hotmail's spam filters.

Offshore Bank or ATM Account ProvidersEdit

These are quite rare but provide what is arguably an important service to members of the spam community: a means of receiving payment for any number of commissions, be it from pharmacy spamming on behalf of a pharmacy sponsor, or receipt of funds for programming a new type of virus infection for the purposes of increasing the size of a botnet.

Costs involved in the setup of these accounts are quite high, usually several hundreds of dollars. Accounts are set up in such locations as Switzerland, the Netherlands, Mauritius (an especially popular location) and Panama (becoming increasingly popular.)

This is a form of money laundering, providing an indirect link between the payer (e.g. stock sponsor) and the mailer, using an offshore third party to transfer the money to the mailer's actual account.

Botnet Leasers And OperatorsEdit

These are individuals who provide access to a medium or large-scale botnet, or "network of bots" consisting of compromised home and business PC's. For the purposes of the spammer economy, these are primarily leased by the hour and are used specifically for the sending of large amounts of spam email to large lists of recipients. Botnets are used for a wide variety of activities, most of them malicious, such as performing attacks on specified online targets - websites or name servers. Mailers primarily need them so that their Spamming software can quickly send a large number of messages automatically, using the botnet as a distributed method.

Hourly rates for mailers, specifically for the purposes of mailing or spamming, are in the range of $10 - $15 per hour on a moderately sized botnet. Some are rented on a monthly basis for several thousand dollars, usually with very specific restrictions on the desired usage of the botnet during that period.

Owners who promote these services will set up the deal in the manner shown in this thread from December 2006:

[1]

TOPIC: Botnetwork rent

SkyNet

Joined: 15 Sep 2006
Posts: 13

Posted: Mon Dec 18, 2006 10:07 am
Post subject: Botnetwork rent 

Type1
Botnetwork rent, our software for mailing.

800 bots online - $1500
1500 bots online - $3000
3000 bots online - $5000

Type2
Botnetwork rent, your software for mailing.

1000 bots online - $2000
3000 bots online - $5000
5000 bots online - $7000

Type3
Our software for rent, your bots.

1 server - $3000
2 servers - $5000
3 servers - $7000

One server can work with 3000 online bots
In all types: bots with 25 open port are specified, and they are ready for mailing.

With kindest regards,
SkyNet Laboratory
http://skynet-laboratory.com/
skynetlaboratory@yahoo.com
ICQ:888812

Last edited by SkyNet on Mon Jan 08, 2007 11:33 am; edited 3 times in total

20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)

jestersback

Joined: 20 Sep 2006
Posts: 27

Posted: Mon Dec 18, 2006 11:15 am
Post subject: 

Can we have that in English?

It seems that everytime I see the word 'botnet', 'installs' or 'proxies' its in Russian, this is getting very frustrating..

Can anyone translate for me?

20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)


Spyda

Joined: 17 Dec 2006
Posts: 56

Posted: Mon Dec 18, 2006 4:12 pm
Post subject: 

NO Abla English!?

J/k c'mon jester translate that for me Smile

20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)


Crypto

Joined: 15 Sep 2006
Posts: 267

Posted: Mon Dec 18, 2006 5:11 pm
Post subject: hmm 

Here u go:

........................
Dear members

Skynet Mailer + BotNet

We have created a system for SkynetMailer for windows wich will work with botnets

Skynet Mailer starts a server to accept connections. Bot connects to the server where skynet mailer is installed
and takes pools of letters ready for dispatch and electronic addresses
 
Functions/Futures:
 
1. work with any botnet(via loading of our botmailer aka spambot)
loader 3.5Kb-> bot mailer 120kb
(option to do exe install's by yourself)

2.Option to automaticly connect servers
(On windows server is not recomended to hold more than 3000 of mailers online !)

3. hmm theres no option 3, let's pass to 4 :)

4. Option to work with image morphing (creation of random images)

5. and many other futures

With respect,
SkyNet Laboratory
http://skynet-laboratory.com/
ICQ:888812
--------------------------------------

2007 will be an intresting year, btw spamhaus prepares some presents for mailers with botnets.

PS:who other from here, speaks russian also except skeynet :)

Botnet Install Sales (iframemoney, etc.)Edit

These are people who specialize in signing up individuals to place infections or exploit code on either their own websites, or hacking into other people's websites and placing them on pages of those websites, for the purposes of infecting as many unsuspecting users as possible with botnet code. This type of infection is known as a "drive by" install by antivirus vendors and security experts.

Commission is based on the location of the infection, and the quantity. Typically the US, Canada, and the UK are the highest paying infection locations, often commanding anywhere from $30 - $50 per 1,000 infections. Affiliate programs known to have been behind these operations include:

  • iframemoney.com [also .org, .biz, .us]
  • kamilet.info

Here is a thread from bulkerforum.biz dating from October, 2007 in which a member of the forum is attempting to sign up individuals to perform infections: [2]

TOPIC: Botnet Installs/up to 20k per day/$50 per 1k/492-804-072

cyborg

Joined: 22 Jul 2007
Posts: 33

PostPosted: Fri Oct 19, 2007 11:25 pm
Post subject: Botnet Installs/up to 20k per day/$50 per 1k/492-804-072

Virgin exclusive loads

Usa - $50 per 1k
Jp - $25 per 1k

Also have alot of adult traffic installs.

All diff countrys contact me for more info 492-804-072

Note the use of the term "loads". In the spammer community, this is a euphemism for "an infected Windows PC." Sponsors and mailers often post that they are "looking for loads," meaning that they are looking for freshly-infected PC's to use in their mailing runs or for other purposes.

These are also referred to as "Peas" or "p's," (short form for "IP's" or "eye peas".)

Proxy Providers or ResellersEdit

These are at the opposite end from the above-mentioned "Botnet Install" resellers, but are often related. While the previous group seeks people to perform the "drive by install" of their particular infection, the Proxy reseller is the one (sometimes the same person) selling the availability of already-infected Windows PC's, again mainly for the purposes of sending large amounts of spam.

These are usually referred to as "proxies", or as above "peas". They are sold in terms of "slots," where a "slot" is a single available space, comprising some portion of the bot network for the exclusive use of the individual who purchases time on the botnet.

Examples of attempts to promote the availability of "proxies" on bulkerforum.biz:

[3]

TOPIC: proxy slots available

MastaP

Joined: 16 Mar 2007
Posts: 87

PostPosted: Sun Mar 09, 2008 12:57 pm
Post subject: proxy slots available

I got some free proxy slots at the moment. 3-5k connects updates 3 mins honeypot scanned etc.

hit me for free sample & prices

icq: 277819069
skype: p1tb0ss

[4]

TOPIC: Very reasonable proxy

Bulkhaven

Joined: 15 Sep 2006
Posts: 28

Posted: Mon Dec 17, 2007 2:41 pm
Post subject: Very reasonable proxy

I have 2 slots open on the master list I will let go at a good discount just to keep the slots full

Catch me at : Bulkhaven2@aol.com

Thanks

20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)20:05, 29 April 2008 (CEST)

kibble

Joined: 13 Nov 2007
Posts: 100

Posted: Mon Dec 17, 2007 7:07 pm
Post subject:

Good Prices.
_________________
eeeeeeeeeeeeeeeee!

Bulletproof Domain RegistrationEdit

These are individuals who act on behalf of a sponsor company (see below) who require mailers to promote their products. Using automated means, they will register several thousandsup to tens of thousands of domain names for the purposes of being promoted via spamming.

These disposable domains typically have a very short lifespan, which is why so many are required.

The domains are often registered using stolen credit cards or stolen PayPal accounts. Invariably these domains are registered using 100% fake contact information im breach of ICANN requirements for domain registration.

In the past, certain sponsors have been associated with a subset of known fake contacts, including the "Gary Reed", "Gregory William" and "Paul Gregoire" registrant information. These were as the registrant of domains of notorious spamvertised properties between 2005 and 2007. Three examples:

Name:           paul    gregoire
Address:        175 Montreal Road
                304
                vanier, on  K1L 6E4
                CA
Email Address:  gregoirep@coldmail.ca
Phone Number:   (613)255-2162
Registrant Contact:
  bphosting
  gregory william (gregwill@coldmail.ca)
  +1.6047678695
  Fax: +1.5555555555
  1808 Bowen road
  nanaimo, BC V9S 5W4
  CA
gary reed garyr@coldmail.ca
3495 Cambie Street
150
vancouver
BC
V5Z 4R3
CA
Phone: +1.6047678695

These have since been retired.

In early 2008, fake Chinese contact information has been used predominantly for domains registered for VPXL and "Canadian Pharmacy", during the registration of several million domain names:


Administrative Contact:
LiMing
        Li Ming
        NO.38,YongFeng street,Tianchange City,Anhui Province
        Tianchange Anhui 239355
        CN
        tel:  550 2400568
        fax:  550 2400568
        yayun22@163.com

Technical Contact:
LiMing
        Li Ming
        NO.38,YongFeng street,Tianchange City,Anhui Province
        Tianchange Anhui 239355
        CN
        tel:   2400568
        fax:   2400568
        yayun22@163.com

Billing Contact:
LiMing
        Li Ming
        NO.38,YongFeng street,Tianchange City,Anhui Province
        Tianchange Anhui 239355
        CN
        tel:   2400568
        fax:   2400568
        yayun22@163.com

Despite being harder to investigate or report due to unfamiliarity with Chinese regional addresses, they are invariably fake, and attached to domains which have been registered using a stolen credit card or PayPal account.

Registrars who have approved the automated registration of millions of these so-called "bulletproof" registrations include:

XIN NET / Paycenter remains the top provider of these throwaway domains. Despite receiving thousands of complaints from consumers around the world, they have only shut down a tiny number of these domains, often incompletely.

Providing these spammable domains to mailers is a primary service that a sponsor provides, and shutting down these domains goes a long way towards impacting the profitability of a sponsor company or organization. The mailer in this case is typically unaffected by the shutdown of several thousand domains, because the sponsor can easily reassign several thousand new ones for use in the mailer's next spam run.

Bulletproof Hosting ProvidersEdit

This is related to the above-mentioned Domain registrations.

"Bulletproof hosting", or "BP hosting", is hosting which will remain active and stable despite a high number of complaints. Research has shown that this is actually not always the case, since in the experience of consumers who have managed to complain to hosting providers, it typically takes only a handful of complaints to have hosting shut down. Consequently there has been a rise in botnet-supported or "Fast flux" hosting. Here, a large botnet of infected PC's acts as the active IP address for a set of domain names for a short period of time. This is evidenced by performing the unix command "dig" against a given domain name. A standard, legitimate website typically is hosted at one single IP address. A large corporate site may expand to 3 or 4 addresses:

%dig amazon.com

; <<>> DiG 9.3.3 <<>> amazon.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10578
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 6, ADDITIONAL: 5

;; QUESTION SECTION:
;amazon.com.                    IN      A

;; ANSWER SECTION:
amazon.com.             60      IN      A       72.21.203.1
amazon.com.             60      IN      A       72.21.206.5
amazon.com.             60      IN      A       72.21.210.11

;; AUTHORITY SECTION:
amazon.com.             86400   IN      NS      pdns1.ultradns.net.
amazon.com.             86400   IN      NS      pdns2.ultradns.net.
amazon.com.             86400   IN      NS      pdns3.ultradns.org.
amazon.com.             86400   IN      NS      pdns4.ultradns.org.
amazon.com.             86400   IN      NS      pdns5.ultradns.info.
amazon.com.             86400   IN      NS      pdns6.ultradns.co.uk.

;; ADDITIONAL SECTION:
pdns3.ultradns.org.     84313   IN      A       199.7.68.1
pdns4.ultradns.org.     84313   IN      A       199.7.69.1
pdns4.ultradns.org.     84313   IN      AAAA    2001:502:4612::1
pdns5.ultradns.info.    84313   IN      A       204.74.114.1
pdns6.ultradns.co.uk.   170713  IN      A       204.74.115.1

A botnet hosted domain name will usually have between a hundred and several thousand addresses, all of which rotate after a set period of time ranging from several seconds to several minutes:

%dig xtmidwest.com

; <<>> DiG 9.3.3 <<>> xtmidwest.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36780
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;xtmidwest.com.                 IN      A

;; ANSWER SECTION:
xtmidwest.com.          180     IN      A       24.183.216.62
xtmidwest.com.          180     IN      A       75.178.34.175
xtmidwest.com.          180     IN      A       81.84.140.124
xtmidwest.com.          180     IN      A       86.101.255.253
xtmidwest.com.          180     IN      A       89.212.77.46
xtmidwest.com.          180     IN      A       89.228.129.74
xtmidwest.com.          180     IN      A       98.227.5.125
xtmidwest.com.          180     IN      A       193.77.231.46

;; AUTHORITY SECTION:
xtmidwest.com.          180     IN      NS      ns1.aotheholiday.com.
xtmidwest.com.          180     IN      NS      ns2.aotheholiday.com.
xtmidwest.com.          180     IN      NS      ns3.aotheholiday.com.
xtmidwest.com.          180     IN      NS      ns4.aotheholiday.com.

This represents a fast-flux botnet of 8 addresses refreshing every 180 seconds (3 minutes).

This hosting is considered "bulletproof" because there is no single Internet Services Provider (ISP) to complain to. The IP addresses are usually hacked or hijacked Windows PC's, or else hijacked Unix servers.

Well known spam operations that use hijacked or botnet systems for hosting include:

There are others, primarily from the Spamit / Glavmed series of spamvertised properties.

High Risk Merchant Account ProvidersEdit

These are individuals, or (increasingly) companies, who offer precisely what the name implies: credit card merchant accounts which can be attached to commercial activity likely to generate many complaints, or "heat."

There are several dozen such organizations around the world. They are usually located outside of North America, and tend to support spammed properties whose main target is citizens of North America.

These are notoriously shadowy organizations, and little is known about which specific high-risk merchants are associated with which sponsor organizations.

Edit

[See also Category:Spam Sponsoring Companies]

These are the big fish, the ones who profit the most from email spamming. Sponsors are the ones who:

  • Procure large amounts of product at very low cost.
  • Set up and maintain accounts with high-risk merchants to process credit card orders on their behalf.
  • Register thousands of disposable and "bulletproof" domain names - web locations to promote their products.
  • Find and sign up mailers (spammers) to promote their products.
  • Assign bulletproof domains to their mailers.
  • Provide email templates and sometimes website templates for mailers who wish to host their own bulletproof domains.
  • Often provide bulletproof hosting for the disposable domains.
  • Often provide Geocities / Google Pages / Blogspot redirectors for use in a mailer's campaigns.
  • Maintain statistics and reporting for the mailers and affiliates.
  • Pay out a commission to the mailers and affiliates, in as timely and discreet a fashion as possible.

This list shows that the sponsors are the ones who absorb most of the risk in these illegal spam operations. They also profit the most, since they are the ones who procure the product, arrange the shipping, (which can cause its own issues, see below) and employ the mailers to spam to millions of recipients on their behalf, all the while trying to avoid revealing any clear ties to show who is actually behind the spammed products.

Web DevelopersEdit

These are individual developers who provide programming services for a wide range of solutions which either sponsors or mailers would require. These include

  • list deduping,
  • direct mailing software,
  • OCR cracking,
  • captcha cracking,
  • individual web applications or templates for a specific product.

They hire themselves out on a project basis, being paid either by the project or by the hour, and usually display a high level of technical knowledge.

Application DevelopersEdit

These are separate and distinct from Web Developers, and focus on writing desktop or server-level applications. These can cover a broad range including some of the above-mentioned projects which Web Developers might also build (in an online format), except these would remain desktop applications. Sometimes they specialize in writing botnets, or botnet command and control infrastructures. Others write Mailers (either direct or botnet-supported.) Others write list management programs, or "forum blasters". The options are limitless. They charge a sliding scale depending on the scope of the project.

DesignersEdit

As with Web Developers, these are individuals who offer design services. These can cover entire websites, or individual banners or email templates. Their numbers are declining.

Drop Shipping ProvidersEdit

These are individuals who provide drop-shipping into a distinct territory, or in some cases very specific regions of one territory. (i.e. The Eastern Seaboard of the US.) They provide these services on a one-off basis for large shipments, usually for the shipment and delivery of high-risk products such as Ambien, Vicodin and Hydrocodone, known as controlled substances, or "controlled" in the spammer community. These are highly sought-after products because of the high risk of shipping them illegally to a country with specialized laws or bylaws restricting their shipment. The US, UK and Canada all have strict shipping regulations for these drugs.

Drop-shippers for replica watch and handbag products exist but are less prevalent.

Clandestine Pill ManufacturersEdit

These are independent manufacturers of generic or fake versions of several well-known pharmaceuticals.

Many of these exist throughout the world, creating fake / knockoff versions of Viagra and other drugs. Some of these exist in the continental US or Central and South America. High numbers of them are found within China, Taiwan, South Korea, Vietnam, Ukraine, and Romania. A documentary which aired on PBS entitled "Illicit: The Dark Trade" went into quite a bit of detail regarding this topic. [5]

Clandestine Fake Watch ManufacturersEdit

These are independent manufacturers of knock-off versions of highly coveted designer watches, handbags, sunglasses, and - most recently - shoes. China is still the most frequent source.

Proxy pharmacistsEdit

These are individual pharmacists who may or may not be licensed in their own territory, and are usually unlicensed in any other territory. They act in the capacity of "rubber-stamping" prescriptions on behalf of the sponsor company or sponsor organization. They are paid a high salary for this service. Note that not all spamvertised pharmacies even use a pharmacist of any sort. This process has been widely publicized in documentaries and also in the coverage of the trial of Christopher "Rizler" Smith in 2006. [See also: [6] and [7]]

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.