Thursday, April 22, 2010

LowCostLinks.com: Another scumbag forum-spamming operation.

I recently encountered another registration attack against the forums at InBoxRevenge.com. This was one of thousands we see every month.

These registration attacks are executed using automated software such as XRumer, in the hope that we aren't monitoring registrations and are automatically approving all new accounts. If that were the case, the process would look like this, all originating from the forum-spamming software itself (usually via a botnet):

- Visit a topic on the forum. (Usually they choose a fairly low number for the thread id. It's nearly always 1 or 2)
- Visit the registration page
- Agree to the terms
- Create a new registration
- Wait a predetermined amount of time.
- Based on known algorithms used by most forum software, visit the "confirmation URL" which is usually sent to the registration email address.

Because of our particular forum registration requirements, that last portion fails. The software notices this, and often tries a minimum of four times, and (so far) a maximum of, on average, 14 - 30 times, always using the same username, email address and frequency of registration. Very often the source IP address used in these registrations is dynamic, which very strongly indicates that this software is using a botnet to perform these registrations. This is not the case in every instance, but it is very frequently so.

Yesterday I encountered six such attacks from a domain called LowCostLinks.com, all using bogus email addresses which indicate that whoever it was that was doing this was no fan of either our forum or another well-known cybercrime researcher:

Date Entered / Email
04/20/2010 04:26:24PM / ksforum.inboxrevenge.com.a.dzgrymzusn@lowcostlinks.com
04/20/2010 06:59:33PM / inboxrevenge.com.a.mcdemjtodu@lowcostlinks.com
04/21/2010 06:05:51AM / krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com
04/21/2010 06:06:01AM / krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com
04/21/2010 06:06:09AM / krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com
04/21/2010 06:06:20AM / krebsonsecurity.com.a.twzqlokuvk@lowcostlinks.com

Username in all cases was: soepxozk
IP address for all registration attempts was 207.219.37.17, a home DSL account hosted by Telus, located somewhere in British Columbia.

Clearly they have a bone to pick with Brian Krebs as well. That, I can tell you, means they're probably involved in - or at least "fans" of - far worse things than rinky little forum spamming operations.

LowCostLinks.com is easily one of the most bogus operations I've seen in a while, and their administrator didn't do anything to dissuade me from that opinion, as you'll see below.

LowCostLinks is well aware that they engage in forum spamming. Based on an email discussion I had with their anonymous admin, he didn't care whether it bothered me or anyone else. In fact their convenient "How To Stop Forum Spam" page makes it clear that their "opt out" policy (found here) is to instead tell forum operators that it's up to them to block LowCostLinks. He also rested on the misguided opinion that forum spamming isn't spamming, since it isn't performed via email.

Unfortunately for "companies" (and I use the term loosely) like LowCostLinks, they're woefully uninformed about what their actual platform means from a legal perspective. The same way that an individual can be seen to be "attacking" a website by repeatedly attempting to guess the username and password of a specific third-party account - without authorization - this repeated attempt to register can be perceived, especially in a court of law, as an attack.

Automated registrations can and have been considered a direct form of "attack" against any third party website, since by its very nature it ignores the terms and conditions of most forum software on the internet today. In our particular case, we've made a very clear amendment to our terms and conditions for new registrants which specifically describes that we consider any automated registrations to be an actual attack against us. We define it pretty specifically as well:

- Automated attacks are expressly forbidden
- Automated registrations mean that usually no actual human being is even reading the terms and conditions, or performing the registration.
- Automated registrations further mean that only very specific pages of our forum would load, but none of the attendant assets such as images, stylesheets or javascript files. This makes it particularly easy to outline the timestamp of the attacks, since it's very obvious in the server logs, then further reinforced by the data captures I've added in.
- If an automated registration occurs more than once, we can assume that they still agreed to our terms and conditions (since you have to click the "agree" button to continue), which means that they agree we should pursue all means to get their email and other accounts shut down, since they are not only in violation of our terms of service, but those of their email and hosting provider.
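
The two log signals described above (registration pages requested with none of the attendant images, stylesheets or JavaScript, and the same registration repeated seconds apart) can be checked directly against a web server access log. The following is an added example, not code from this blog or from InBoxRevenge; the log lines are constructed, and the paths `/register.php` and `/viewtopic.php`, the documentation-range IP addresses and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2010:06:05:49 -0400] "GET /viewtopic.php?t=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Apr/2010:06:05:50 -0400] "GET /register.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Apr/2010:06:05:51 -0400] "POST /register.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Apr/2010:06:06:01 -0400] "POST /register.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Apr/2010:06:06:09 -0400] "POST /register.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.7 - - [21/Apr/2010:06:06:20 -0400] "POST /register.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
198.51.100.23 - - [21/Apr/2010:09:12:02 -0400] "GET /viewtopic.php?t=412 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Apr/2010:09:12:02 -0400] "GET /styles/main.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Apr/2010:09:12:03 -0400] "GET /images/logo.png HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Apr/2010:09:13:40 -0400] "GET /register.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Apr/2010:09:13:41 -0400] "GET /js/forum.js HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Apr/2010:09:15:10 -0400] "POST /register.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} \S+'
)
# Static assets a real browser fetches along with a forum page.
ASSET_RE = re.compile(r'\.(?:css|js|png|gif|jpe?g|ico)(?:\?|$)', re.I)
REGISTER_PATH = "/register.php"  # assumption: the forum's registration endpoint


def parse_line(line):
    """Return ip/ts/method/path for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(log_text):
    """Per source IP: page hits, asset hits and registration POST timestamps."""
    stats = defaultdict(lambda: {"pages": 0, "assets": 0, "reg_posts": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["ip"]]
        if ASSET_RE.search(rec["path"]):
            entry["assets"] += 1
        else:
            entry["pages"] += 1
        if rec["method"] == "POST" and rec["path"].split("?")[0] == REGISTER_PATH:
            entry["reg_posts"].append(rec["ts"])
    return dict(stats)


def flag_automated(stats, min_posts=2):
    """Flag IPs that registered repeatedly and never loaded a single asset."""
    flagged = {}
    for ip, entry in stats.items():
        posts = sorted(entry["reg_posts"])
        if entry["assets"] == 0 and len(posts) >= min_posts:
            gaps = [(b - a).total_seconds() for a, b in zip(posts, posts[1:])]
            flagged[ip] = {"reg_posts": len(posts), "pages": entry["pages"],
                           "max_gap_s": max(gaps)}
    return flagged


if __name__ == "__main__":
    for ip, detail in flag_automated(summarize(SAMPLE_LOG)).items():
        print(ip, detail)
```

Because the source addresses are often dynamic, the same grouping can be keyed on the submitted username or email address instead of the IP when the registration data is available.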

But even if we hadn't put these very specific clauses in place, a court of law would still perceive this activity to be unauthorized, malicious, and, in some cases, illegal.

The average idiot forum spammer is typically trying to place links within forums for the purposes of boosting the search engine ranking of the site they want our forum, and thousands of others, to link to. This is usually known as "Search Engine Optimization" or "SEO".

Usually, page rank is based on actual useful, valid content. So for example if I write a posting about pharmaceuticals, and it has links to research papers about pharmaceuticals, that means the page rank of those research papers gets a tiny boost, because it's assumed that the content is both related and relevant.

In this case though, we're talking about utter noise: totally unrelated postings on thousands of forums, linking to sites which on their own would not have a very high page ranking at all. Further: we're talking about subverting actual, relevant, content-related search results by flooding forums with totally unrelated links to sites which have no bearing whatsoever on whatever their main focus is.

Now: that part is, just like regular email spam is perceived to be, annoying, and a nuisance, but not by definition illegal.

However, the means to make these links appear can most certainly be charged in a court of law as being malicious, unauthorized, and, as previously mentioned, an actual attack against the server or servers on which this scummy operation chooses to execute their auto-registrations.

The administrator of LowCostLinks claimed that my complaint to him would be re-posted on the lowcostlinks.com website because he claimed it would be "great for sales!" Instead I thought I'd post it here to make clear just what type of characters we're dealing with here, and that LowCostLinks is a nuisance about which any forum operator out there should very much be aware.

Date: Wed, 21 Apr 2010 11:05:27 -0400
Subject: Stop auto-registering to my forum!
From: SiL
To: lowcostlinks@gmail.com

Automated registration attempts made at inboxrevenge.com, by date, descending order:

[above-mentioned list of attack entries redacted - SiL]

Explain yourselves!

SiL

Date: Wed, 21 Apr 2010 11:34:29 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL

re:"Explain yourselves!"

I think you of all people must know what's up if you managed to find our gmail address. We create posts on forums for a fee. Simply deny access to the @lowcostlinks.com email domain and you will never hear from us again. We are not trying to post on "live" forums, sorry for the inconvenience.

Nice abuse policy, yes? Completely unacceptable.

Also note that he lies about registering to "live" forums. IBR is most definitely live. So are hundreds or thousands of others out there, all featuring fake profiles created by this idiotic organization.

Date: Wed, 21 Apr 2010 11:55:31 -0400
Subject: Re: Stop auto-registering to my forum!
From: SiL
To: "LowCostLinks.com" <lowcostlinks@gmail.com>

How about instead you stop violating CAN-SPAM law by continuing to allow your scumbag "affiliates" from attempting automated registrations against thousands of forums?

It's pretty clear you're obviously pro-spam, so I'll make sure that my law enforcement contacts know that.

> We are not trying to post on "live" forums, sorry for the inconvenience.

Then what the hell are the automated registrations for?

You should also be aware that under most countries' privacy laws, this constitutes an attack.

SiL

Date: Wed, 21 Apr 2010 11:58:57 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL

Go ahead, call your cop buddies, it's hilarious how little you know about
forum "spamming" ;) Have a nice day SiL.

Date: Wed, 21 Apr 2010 12:00:15 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL

P.S. you might want to take a read here: http://lowcostlinks.com/how_to_stop_forum_spam.php

So clearly he isn't taking any of this seriously. So be it.

Date: Wed, 21 Apr 2010 12:06:28 -0400
Subject: Re: Stop auto-registering to my forum!
From: SiL
To: "LowCostLinks.com" <lowcostlinks@gmail.com>

On Wed, Apr 21, 2010 at 11:58 AM, LowCostLinks.com
<lowcostlinks@gmail.com> wrote:

> Go ahead, call your cop buddies, it's hilarious how little you know about
> forum "spamming" ;) Have a nice day

"buddies" you say.

On Wed, Apr 21, 2010 at 12:00 PM, LowCostLinks.com
<lowcostlinks@gmail.com> wrote:

> P.S. you might want to take a read here:
> http://lowcostlinks.com/how_to_stop_forum_spam.php

That is a bullshit response, and you know it. You're actively encouraging your "affiliates" (why not just call them spammers?) to continue automated registration against forums, then leaving it up to forum operators to do the extra work of blocking your domain.

You will regret this.

SiL

Date: Wed, 21 Apr 2010 12:14:37 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL

SiL, please stop acting so SiLly. Making idle threats doesn't do anybody any good.

Don't create a forum signup form if you do not want people signing up to it. I am sorry, am I missing something?

1. We do not encourage anybody to make our posts for us.
2. We have an opt out program just like any can spam compliant email posting company does. (But we don't post unsolicited emails, so we don't fall under that law anyways.)
3. We do not attempt to hide our identity.
4. We comply with all "do not post" requests.

Good luck finding another one of the thousands of competitors I have that is as genuinely truthful as us.

Don't worry, we have added all of your domains to our black list, you should not receive any more registrations, please provide any more forums you might have.

Again, no hard feelings, have a nice day!

P.S. this entire thread will be posted on our website, they're great for sales!

In that message he incorrectly linked to the url "http://www.google.com/search?q=forum+backlinks+for+sale" when trying to illustrate how much better his site was than his "competitors", which wasn't anything I mentioned in my original message.

But look at the logic. Honestly. Yeah that's the only reason anyone would put together a forum: so that bogus "companies" like LowCostLinks.com can forum-spam it out of existence. Completely obvious isn't it?

Date: Wed, 21 Apr 2010 12:23:20 -0400
Subject: Re: Stop auto-registering to my forum!
From: SiL
To: "LowCostLinks.com" <lowcostlinks@gmail.com>

> Don't create a forum signup form if you do not want people signing up to
> it. I am sorry, am I missing something?

Clearly, you are, see below. That is one of the stupidest answers I have ever received from anyone, ever.

> 1. We do not encourage anybody to make our posts for us.

Sure you don't.

> 2. We have an opt out program just like any can spam compliant email
> posting company does.

You are defining "opting out" as telling the owner of a forum to block your domain. That's not "opting out."

> (But we don't post unsolicited emails, so we don't fall under that law
> anyways.)
>

Yes you do fall under that law. It doesn't just apply to email. Nice to know that you don't read.

> 3. We do not attempt to hide our identity.

Yes you do:

registrant-firstname: Oneandone
registrant-lastname: Private Registration
registrant-organization: 1&1 Internet, Inc. -
http://1and1.com/contact
registrant-street1: 701 Lee Road, Suite 300
registrant-street2: ATTN: lowcostlinks.com
registrant-pcode: 19087
registrant-state: PA
registrant-city: Chesterbrook
registrant-ccode: US
registrant-phone: +1.8772064254
registrant-email: proxy2145160@1and1-private-registration.com

> 4. We comply with all "do not post" requests.

Sure: by telling me to block any registration attempts. How about I and all my colleagues continually, 24 hours a day, keep trying to log in to your affiliate form. Maybe we should do so as many times per second as we can, from numerous randomized IP's. I mean, it's just up there waiting for thousands of automated attempts to log in, right? If you don't like it, why did you create an affiliate login form?

> P.S. this entire thread will be posted on our website, they're great for
> sales!

Hey it's also great for law enforcement investigations, charges, arrests, indictments, and convictions. My team has led several of those since 2005 against operations just like yours. You are violating computer trespassing laws. You don't seem to care, so I will make you care.

SiL

This last email seems to drastically change his tune:

Date: Wed, 21 Apr 2010 12:39:21 -0400
Subject: Re: Stop auto-registering to my forum!
From: "LowCostLinks.com" <lowcostlinks@gmail.com>
To: SiL

We made a few signups to your forum, our apologies for that. Forum signup forms are meant to be signed up on, are they not? I get plenty of false affiliate signups daily, I just figured it was the way of the net.

Forums are created to post messages on, we post our messages on forums, if the owner deletes the message, or asks us to stop, we do not post anymore. That is basically what we do. Good luck with your future fights, and congratulations on stopping so many spammers out there!

We do not require forum owners to block our email domain to stop posting, it is only an additional option. As well as deleting the very first message, that is another way to stop our posts as well.

Those are not the only opt out methods however, a simple email telling us to "stop posting" will do the trick. I have proof of numerous, kindly worded messages to and fro from such situations, should law enforcement ever find the need to get involved.

Basically we have 3 opt out policies, you took care of two of them, you have already been added to our opt out list, and should not receive anymore registrations.

So suddenly now that I've clarified that we go after operations like his, he's apologizing. He's also suddenly saying that my request was now all I had to do.

He's a liar! (Surprise.)

Also: welcome to the brain of a forum spammer. If they didn't have the internet, they'd just as soon use your bedroom wall or perhaps your car's front seat to plaster thousands of posters announcing where people could get porn for $12, or promoting fake Viagra pills. After all: why else did you buy your house or your car? Your house has a prominent front door which faces the street. It's OBVIOUSLY there for me to put posters on.

Subject: Re: Stop auto-registering to my forum!
From: SiL
To: "LowCostLinks.com" <lowcostlinks@gmail.com>

On Wed, Apr 21, 2010 at 12:39 PM, LowCostLinks.com
<lowcostlinks@gmail.com> wrote:

> We made a few signups to your forum, our apologies for that. Forum signup
> forms are meant to be signed up on, are they not? I get plenty of false
> affiliate signups daily, I just figured it was the way of the net.

Registration to a forum, by a human being who reads our terms and conditions - which expressly forbid automated attempts - is certainly allowed, with the idea that the human being has a brain, and will recognize that repeated automated attempts will have a habit of looking like an automated attack.

That registration is also assumed to be made by a human being who will actually contribute to said forum. This is true of any forum. Forums don't exist purely for you and your affiliates to auto-register at so you can promote whatever bogus links you want.

Especially since my forum is very clearly against this type of automated promotional activity, especially since it has a habit of being run by organized criminals, it's especially telling that your affiliates chose specifically to auto register to it, since it's extremely clear we disallow that exact type of illicit activity.

> Forums are created to post messages on,

By human beings, for the purposes of contributing to specific topics of discussion.

> we post our messages on forums,

Automatically, using software such as Xrumer or several others.

> if the owner deletes the message, or asks us to stop, we do not post
> anymore.

That is unacceptable. You're in violation of your hosting company's terms of service, which specifically disallows automated attacks against other servers, or unauthorized access to other servers. You are performing both of these acts, which I remind you are also against computer trespassing laws in the US, Canada, the UK, Japan, Hong Kong, China, and several other countries.

> That is basically what we do. Good luck with your future fights, and
> congratulations on stopping so many spammers out there!

You really, really need to investigate other alternatives to what you do.

> We do not require forum owners to block our email domain to stop posting,
> it is only an additional option. As well as deleting the very first message,
> that is another way to stop our posts as well.

That is not what you said in your first reply to me. I'll quote it back to you since you conveniently forgot all about that:

"Simply deny access to
the @lowcostlinks.com email domain and you will never hear from us again. We
are not trying to post on "live" forums, sorry for the inconvenience."

Funny how you never mentioned:

1) Yes, right away, sorry to bother you.

2) We take this email seriously, and will acknowledge your request for us to stop doing this.

Your reply was basically: too bad, it's up to you to block us.

> Those are not the only opt out methods however, a simple email telling us
> to "stop posting" will do the trick.

See above! You did not do that, and you are lying to me now about this being your policy.

> I have proof of numerous, kindly worded messages to and fro from such
> situations, should law enforcement ever find the need to get involved.

Oh so it needs to be "kindly worded". I notice that isn't anywhere on your "how to stop forum spam" message either.

> Basically we have 3 opt out policies, you took care of two of them, you
> have already been added to our opt out list, and should not receive anymore
> registrations.

And it took repeated back-and-forth emails to get this simple answer out of you.

This does not excuse your behavior, and reports have already been sent to numerous authorities outlining not only this offense, but many others by your organization which are not hard to find at all.

Too bad you didn't just take my first email seriously. Oh well.

SiL

So there we have it. Further proof that spammers lie, as usual, all the time. And further proof that spammers essentially see any online entity, no matter who actually owns or operates it, as their own personal promotion vehicle.

I'd like to add that searching for lowcostlinks.com routinely turns up all kinds of bot-monitoring sites which list many, many automated registrations.

How any of this is "great for sales!" is baffling.

I have yet to receive a response from their hosting company, the infamous "1and1.com", who routinely are found to be providing hosting to all manner of spamvertised properties, phishing operations and numerous other unsafe and unsavory properties. Doesn't mean it won't happen.

Forum spamming is just as bad as any other form of spamming, but affiliates who join these programs should be aware: they are an accessory to computer trespassing and unauthorized attacks against forums.

SiL / IKS / concerned citizen

Sunday, April 18, 2010

Marmeladies.com and Lady-Marmelady.com - Updates on this Russian Dating Scam


Just a quick update that I made a brief addendum to my January posting regarding the by-now-well-known "Lady Marmelady" Russian dating spam setup.

In a nutshell:

Marmeladies.com appears to be a fairly recent additional property spammed in precisely the same way.

The URL "littledatenow.com" is a very heavily spammed URL. As with previous "Lady Marmelady" spam, it never divulges where you will end up, but the confirmation email inevitably leads there should you foolishly complete a registration. (And why would you do that? It was received via spam. Use your brain!)

When the spammers promoting this are not spamming that particular URL, the link in the spam message is nearly always (yet again) an MSN Live Spaces URL, or that of some other free-redirection url. That started in March, but especially in the recent two weeks has instead changed back to the "littledatenow.com" URL. A few hours after I posted that domain, I started receiving notice from numerous recipients that the new domain being spammed is "dateyourgirl.com".

The MSN Live Spaces URLs typically redirect or link to an unpronounceable domain name, passing one of a series of affiliate ID's. The domain at the current time is redactjuri.info, and they pass affiliate ID's 132, 134, 135 and 136 (that I have seen or been informed of.)

Here's a list of all the domains that these MSN Live Spaces locations redirect to:

http://united-states-russian-dating.ru/
http://sexy4sex.info/
http://redactjuri.info/index.php?idAff=###
http://pornorate.ru/index.php?idAff=###
http://jink.ru/index.php?idAff=###
http://pove.ru/?idAff=###
http://gerl-007.ru/index.php?action=3
http://sexualmeet.ru/

(Where "###" is any of the aforementioned "affid" values of 132, 134, 135 and 136.)

redactjuri.info is again registered via GoDaddy using totally fake - and, I might add, incomplete - contact information. Hosted on IP address 111.148.252.71, provided by "North Star Information Hi.tech Ltd. Co." in (of course) Beijing, China.

littledatenow.com was registered via Regtime LTD. on April 5th 2010, just in time to be spammed to millions of recipients. It features questionable contact information claiming to be in Russia. The site is hosted on IP address 219.232.228.204 courtesy of course of "CNCITYNET" in Beijing, China. dateyourgirl.com was registered today (April 19th, 2010) using different but more than likely still fake Russian contact information, registered at Regtime.net. It's hosted on the exact same IP address in China.

[I wonder why the sudden change? Possibly reading this blog? Keep it up. I hear from hundreds of angry recipients of your spam, Marmeladies.]

Nobody from Marmeladies has responded to numerous requests into why they continue to use criminal spam operations to promote their service, but their "service" appears to be a 100% scam anyway based on the multiple messages I've received from the victims of their ongoing financial swindling.

Stay far, far away. Marmeladies.com is a complete and utter scam, more than likely run by criminals.

SiL / IKS / concerned citizen

[Edited 04/19/2010 9:23:09 AM to include MSN Live Spaces redirection information.]

[Further edited 04/19/2010 2:34:16 PM to include newer spammed domain, dateyourgirl.com]

[Further edited 04/20/2010 10:32:23 AM to include further MSN Spaces redirection URLs.]