Showing posts with label spamhaus. Show all posts

Wednesday, December 19, 2007

2007: A Very Bad Year For Illegal Spammers

2007 is winding down, and I thought I'd take a moment to list just how many big achievements were met by the dedicated research and hard work of all the members of the numerous anti-spam forums such as KillSpammers and CastleCops, and organizations such as SpamHaus, the FBI Cybercrime Division, the i-Law Group, IronPort, SecureWorks, Shadowserver, F-Secure and countless others. Just look at how many large-scale arrests, convictions, and media stories regarding cybercrime and illegal spamming came about in the past twelve months.

In this synopsis I will make reference to several key members of what once was the Kill Spammers forum, which was DDOS'd out of existence in August 2007. The loss of that forum has absolutely not diminished or impeded the continued efforts of its members, all of whom continue to investigate and report all manner of illegal spamming, server hijacking and botnet operation. If anything, it has only led to more and more of us banding together via other means.

Make yourself some hot chocolate and join me in a look back at 2007, the worst year so far for any illegal spammers out there.

January 2007:


  • Chris "Rizler" Smith is sentenced to 30 years in prison for drug trafficking, witness tampering and illegal spamming practices.

  • Many members of the KillSpammers forum report on an illegal / fake charity known as "Save Childs". It appears to be related to a spate of spam for both Discount Pharmacy (Vincent Chan) and My Canadian Pharmacy (Yambo.) After reporting their multiple spammed addresses to law enforcement agencies and hosting companies, all of the sites are eventually shut down.



February 2007:


  • Spaminator creates the spamwiki. SiL creates a lengthy report on My Canadian Pharmacy based on an even lengthier report which was already widely circulated to many security companies and law enforcement agencies around the world. Red Dwarf writes and updates numerous sections. A crucial tool for collecting and exposing evidence is made. Law enforcement and Spamhaus eventually take notice.



March 2007:


  • The Vancouver Sun (among many others) publishes a story about the death of Marcia Bergeron of Quadra Island, BC, due to fake drugs purchased from a spamvertised source.

  • SiL begins performing research on the Yambo sites in assistance of the i-Law Group (Jon Praed) and IronPort (Patrick Peterson). His research and other data are eventually used in a web seminar covering the A to Z of the My Canadian Pharmacy spam group (Yambo Financials), including an in-depth look at their supply chain processes, message dissemination, botnet size and implementation, and server hijacks.

  • The SEC suspends trading on 35 spamvertised stock symbols in Operation Spamalot. 14 of the stocks are traceable to Vancouver stock traders. International law enforcement is given huge amounts of data on these companies and the illicit trading manipulation that took place.



April 2007:


  • After being inundated with spam for Discount Pharmacy, SiL decides to write a synopsis about their known functionality and operations. AlphaCentauri and Red Dwarf assist greatly.

  • ILoveCrapfloods creates FsckChickenboners! (a bot for crapflooding spammers' order forms). It slowly gains a following and is refined and modified throughout the year, sending thousands of fake orders to illegal pharmacy and replica watch sites, resulting in wasted time and lost profits for several illegally promoted websites selling counterfeit products.



May 2007:


  • Renowned bulkerforum member and proxy reseller mcproxy retires from the spam and proxy reselling business after nearly having his personal data exposed by spam-court.com. This indicates that the research posted on that blog is very much on the right track and leads to a lot of illegal DDOS activity against that site on behalf of members of BulkerForum.

  • Notorious repeat spammer Robert Alan Soloway is arrested in Seattle after a federal grand jury indicts him on 35 charges ranging from wire fraud to identity theft. The lawsuit against him is ongoing and he remains in prison in Seattle pending commencement of the trial.

  • The country of Estonia has its entire computer infrastructure come under a massive DDOS attack. Everything from train schedules to utilities and banking is completely knocked off the grid for several days. The investigation into this attack is still ongoing and is thought to lead to Russian and Ukrainian sources. Several rumors floated around at this time that the Russian government itself was behind these attacks. None of this has been proven. This event has the effect of raising awareness of DDOS attacks and the criminal groups behind them.



June 2007:


  • SiL posts a lengthy description of the illegal activities of Nick Danger / Marion Lynn to the newsgroup NANAE.

  • AlphaCentauri and SiL begin a coordinated series of reports regarding the Discount Pharmacy hijack of Windows 2000 / 2003 servers. This results in the eventual shut down (or cleanup) of several hundred hijacked servers and a great deal more data on the hijacking process for Windows servers on behalf of Vincent Chan. We eventually see a complete stop in any spam runs for this spamvertised product line around August of 2007.

  • Darrel and Jack Uselton are arrested for "hijacking personal computers across the country to send mass e-mails and inflate prices on at least 13 stocks."



July 2007:


  • SiL is interviewed in Forbes Magazine for an article about Patrick Peterson from Ironport Systems. The article covers Peterson's investigation of the My Canadian Pharmacy operation, run by Yambo Financials.

  • E360 files numerous motions against Spamhaus for labelling them as spammers. All of these charges would later be either withdrawn or dismissed.

  • The FBI's Operation Bot Roast identifies over one million computers as being under the control of illegal botnets. This is the first of two such investigations, which later result in several arrests directly related to illegal hacking and to owning or operating botnets generally.



August 2007:


  • Several anti-spam and anti-fraud websites come under a huge, unrelenting DDOS attack. Sites attacked include the Kill Spammers forum (whose domain has remained down since then), CastleCops, 419eater, thescambaiter, and countless others. Kill Spammers operator KyferEz mitigates the attack on the KS forum to the best of his abilities, but the domain eventually folds. Several of us take up temporary residence in CastleCops (many of us stay active there also). The criminals behind these attacks idiotically think this will slow us down.

  • In what is arguably one of the bigger blows against spammers everywhere, Red Dwarf introduces his diabolical Complainterator™ application for the automated reporting of illegally hosted domains. Over the next several months, several people start using it and it undergoes numerous upgrades and improvements. Use of this tool leads to even some of the more highly unresponsive domain registrars taking notice and removing several thousand offensive domains from their registries.

  • Members of the CastleCops Phishing Incident Reporting and Termination Squad (PIRT) as well as their other Termination Squads for spam (SIRT) and malware (MIRT) begin joining the KillSpammers forum.

  • Red Dwarf releases the AutoSA application for automated reporting of malware, phishing and spamming sites to Site Advisor. He inevitably gets several other sites to provide extended services for users of this tool, notably dnsstuff.



September 2007:


  • Red Dwarf begins automating a method of monitoring, researching, collating and ultimately reporting the existence of hijacked PCs, using what would eventually become the Botnet scanner. Over a few months he single-handedly reports several tens of thousands of infected IPs, resulting in a more significant response from ISPs than most of us probably expected.



October 2007:


  • Several news stories from October to November 2007 track the Russian Business Network (RBN), exposing its ties to Russian politicians, their multiple shifts in locations from Russia to China to disappearing completely, and interviewing its so-called representative.

  • Porn spammers Jeffrey Kilbride and James Schaffer are sentenced to five years in prison, convicted of "conspiracy, money laundering, fraud, and transportation of obscene materials".

  • Greg King, 21, of Fairfield, California is arrested for performing a DDOS attack on CastleCops in February of 2006. He faces a maximum sentence of ten years in prison and a $250,000 (USD) fine.



November 2007:


  • Spaminator creates numerous international domains for the spam wiki and attempts (where possible) to get several large-scale sections of it translated and duplicated into these mirror sites. This proves to be very helpful in its use as evidence against illegal spam operations, and leads to big changes at several previously spammer-friendly domain registrars.

  • Marion Lynn creates a blog (spamgossip.blogspot.com) which exposes the identity of several known, high-level spammers who were members of bulkerforum.biz, including Phantom (Norman Holmes), Lizza (Steve Joseph), Dollar (Christopher Brown), Dave (David Oleg Barsky), bigjohnson (Igor Shaposhnikov) and others. Notable omissions are Crypto and moneyminters. It's unclear what prompted this sudden need to tell the world about the identity of these spammers, but he did it. SiL works with members of Spamhaus in collecting whatever is posted on spamgossip, sending it back to them (and law enforcement), and correlating it with the already massive amount of collected information on the members of bulkerforum.biz.

  • While we're at it: several other members of bulkerforum.biz begin exposing each other in a spate of scammer outcries on the forum. We didn't even have to do anything.

  • SiL transcribes a lot of the content from the spamgossip blog into his own blog (which you are now reading) which has the curious effect of reaching higher page ranks than Marion's blog. Marion later takes down quite a bit of personal data without any explanation.

  • Jason Michael Downey is arrested for running a botnet consisting of 6,000 compromised PCs.

  • New Zealand law enforcement break up a major international botnet and arrest its ringleader.



December 2007:


  • The FBI's Operation Bot Roast II results in the arrests of 8 individuals who owned or operated large-scale criminal botnets.

  • Secureworks investigates spamming runs in relation to US presidential candidate Ron Paul and discovers a connection with known porn spammer and botnet operator "nenastnyj", aka Andrew Nenastnyj, known on bulkerforum as "Nena".

  • Justin Daniel Medlin is sentenced to 72 months in prison in connection with pump-and-dump stock spam runs he committed during 2004.

  • Akhil Bansal is sentenced to thirty years in prison for illegally distributing medications without any prescription. This followed a lengthy investigation dubbed "Operation Cyberchase", documented in a multi-part investigative series in the Philadelphia Inquirer.

  • BBC 4's "The Investigation" does some digging into the group behind the rampant spam for "Elite Herbals", leading to a very thorough investigation of GenBucks, Tulip Lab, and one of their spammers, Shane Atkinson. Burgeoning illegal-spam blog Spam In My Inbox is also consulted for this story, and much of its author's evidence matches that of the BBC. This eventually leads to a police raid in Christchurch, New Zealand, resulting in the seizure of "22 computers and boxes of documents from four Christchurch addresses", including that of Atkinson.



Definitely a very active year for people who fight online crime in all its facets, and absolutely a very bad year for illegal spammers.

This kind of activity will only continue. As long as people like myself continue to be on the receiving end of unwanted illegal spam from asshole criminals like the ones listed above, we'll continue to do everything we can to get to the bottom of it. There is a difference between general commercial email, and spam for products that are illicit, fake, counterfeit, or outright illegal - and in some cases lethal. We are not going to stand for this any longer, and this year's numerous arrests prove that.

SiL / IKS / concerned citizen

Monday, September 17, 2007

Nick Danger's Mouth Rides Again (by night)

So as I mentioned, Nick Danger (aka: Marion Sidney Lynn) has been blabbing away on NANAE regarding the alleged treasure trove he claims to have regarding the personal data of several high-ranking members of Bulkerforum.biz.

On Sept. 15th, he created what appears to be a very crude site outlining the personal data and recent malicious activity of bulkerforum member "lizza", who he claims is actually named Stephen Joseph. He posted a new entry to NANAE featuring a link to his glorious creation. I thought I'd take a gander and outline some of the details of the posting here in the event it all goes down (which these things have a nasty habit of doing.)

As I mentioned before: Nick Danger is both a gasbag and a small fry, and my subsequent research, tempered with his own blatherings, has borne out that he probably hasn't ever sent a single email for promotional purposes. This doesn't preclude him from acting illegally, of course. Aggravated identity theft and fraud, not to mention stock manipulation, are still very serious crimes -- at least, the last time I checked. He's still never disavowed performing any of those acts despite boasting loudly on bulkerforum about alllll the sordid instructions concerning how to do so and never get caught.

So. First off, here's a screenshot of the site as he created it (oh, and of course this is definitely NSFW, knowing Mr. Danger's prowess with profanity):

[Edit, June 2008: Due to changes at HideBehind, this screenshot is missing. It will be re-uploaded momentarily.]

Note: it's rather long. This is Marion Lynn we're talking about. The man needs to hire an editor. I have an entire copy of the page should anyone require its full contents. I have not altered a single line of it.

In the lengthy one-pager, he outlines where Lizza / Joseph lives, and that on a certain night between 1:13 AM and 1:21 AM, lizza boasted about DDOS'ing or otherwise attacking the bulkerforum website, at IP address 201.0.8.247. That IP address is in Brazil, and is one of five IP addresses which the forum has routinely bounced between since I started doing my own research on them (Sep. 2006).

He lists some very non-threatening personal details such as where he went to high school, and what his MySpace identity is. Not much anyone can dig up from that.

He alleges that Joseph lives in Chula Vista, California. How does he know this? Likely from a variety of lengthy conversations they may have had via a variety of means. It sounds like Marion and Steve had some kind of close contact in the past while. I'm not sure what that would be regarding but it certainly seems to point that way.

He also divulges one of lizza's email addresses (steve_joseph87@yahoo.com). I'm sure by now even lizza doesn't even use email for any legitimate communication, thanx to the damage done to that medium by scumbag spammers like him.

The more interesting stuff is in the variety of postings which Marion has posted below that. It's a lengthy re-posting of what appear to be forum postings from a variety of members. I'm not sure if this is from bulkerforum or what, but there are conversations between a variety of members. It's possible that these are even private messages from bulkerforum, or another forum. I can't be sure. The members which are quoted include:


  • lizza

  • icanspam

  • Third Eye



How did he get this information? And who gave it to him?

He also divulges that lizza (on bulkerforum) also goes by the usernames "Flores9xxx" and "nugs". In the previous NANAE posting he also lists the usernames "proyboy", and the nick names "Stevie" or "shorty". He also claims (apparently erroneously) that lizza also went by the name "seven" at one point.

Then "Nick Danger" claims to be quoting a PM between lizza and himself, but using the username "Third Eye". He goes into a great deal of detail about lizza's connection to a company called Lead Point (leadpoint.com). lizza claims that's a red herring, but who knows? This is either good research or a massive, meandering wild goose chase.

Also: Does everyone on bulkerforum have this many usernames and aliases?! It's a bit ridiculous, even to me. You'd think this was the Lucchese crime family, for god's sake.

Finally: the geocities site makes it clear that bulkerforum appears to be a leaky boat at the very least, and that several higher-up members seem to be sharing private member information in a very loose fashion. Nick Danger wants to make it sound like a problem of some urgency ("IS PHANTOM GIVING OUT YOUR INFO?", etc.) but again: since phantom barely ever says anything on there lately, it's hard to be sure whether Nick is on the right track or not. But clearly: somebody got this info via some means unknown to members of that forum, and it somehow made its way to Marion Lynn. I guess only he will know who gave it to him, or when, or why. I don't personally care. As long as law enforcement are watching all of this it's just fine by me. :)

Since the chat transcript makes it at least semi-clear that lizza is willing to perform a cyber attack against a forum he's already a member of (!!), this makes him a pretty prime target for folks like me whose forum is currently under an anonymous sustained attack (week #5, and my threat still stands.) As I mentioned, this is only one of several attacks currently underway.

So I have handed all of this over to law enforcement in the event it turns out to be useful. :)

I personally feel that the sustained attacks against all of the spam and fraud research sites are being coordinated from Russian sources, and I am narrowing down a list of who that might be. I'll obviously post more as I get it. (Though not before notifying several legal channels first.)

I've also begun several investigations into the background of Steve Joseph / flores99x / nugs / lizza in the event anything can be turned up in that regard. He probably knows enough shady scumbags to pull off one or more of these types of events.

Lizza has always struck me as easily the most paranoid of the bulkerforum members (a close second would be phantom or Crypto, but they now post so seldom it's impossible to tell anymore.)

An aside: a representative of spamhaus named Susan responded to Nick Danger's NANAE posting (linked above), referring to bulkerforum member phantom as "the Australian megalomaniac". That's tantalizing. He rarely gives up any information whatsoever, so I'm digging into that also. (And handing whatever I find over to Spamhaus and Australian law enforcement, if that's where he truly is located.)

This is a bad year to be a spammer of any sort. By my count there have been 7 major arrests just since March of 2007, and three very large-scale court cases (two of which are still pending.) On a daily basis we see new news items of several investigations discovering new suspects and illegal operations, all fed by spam. It's a zero-sum game which just appears to be taking longer than usual to be taken down from the inside out. Why on earth would anyone knowingly become an email spammer in this climate? Why would anyone want to keep doing it? The profits are outweighed by the obvious risks. Apparently nobody in that community appears to be aware of any of this.

Which is a good thing, ultimately. I hope they lock up the whole lot of them and throw away the key. I've never in my entire life been bombarded on such a frequent basis by illegal advertisements from such a huge group of idiot scum.

Keep it up, spamming morons. You'll see exactly where it gets you.

SiL / IKS / concerned citizen.

Wednesday, September 12, 2007

DDOS Attackers = Whiny, Spoiled Little Children

One would have to assume that the recent arrests, convictions, charges, domain and DNS reporting, and general retaliation against several hundred spam operations have finally had the desired effect on these scumbags' bottom line.

As I write this, numerous websites are under sustained attack from a botnet numbering in the hundreds of thousands (very likely the Storm Worm botnet):


  • Castlecops

  • KillSpammers

  • Spamnation

  • aa419.org

  • 419eater.com

  • spamhaus.org



Several of them are mitigating the attacks, some with a great deal of success.

Whoever it is that's doing this, you sure are exposing yourself by attacking so many anti-spam websites in one go. But since you're an idiot, you probably didn't think about covering your tracks very well.

If you think we won't find you: you're wrong.

If you think international law enforcement isn't watching this: you're wrong.

I will start releasing VERY personal data on known spammers very soon if this attack doesn't stop, one way or another. Damaging personal information which will make life very very difficult for several known spammers and their business interests. It might be here on this blog, or on any number of other blogs, or it might just be via clandestine messages to private individuals who you likely do not want this information getting to.

If you think I'm kidding around: you're wrong.

Keep it up. For all the stealth you're employing during this attack, you might as well walk into the middle of a public square, drop your pants and scream out: "Look at me! I'm a DDOS attacker! I am so dangerous!" What kind of childish idiots are you?

One day, very soon, your profits are going straight into the toilet. We all know this. You can cry about it via DDOS'ing all you like: it changes nothing.

Spammers are idiotic little brats.

SiL / IKS / concerned citizen

Friday, June 8, 2007

The Attack Begins...

Interesting that "suddenly" both Spamhaus and several of the spam blocklist sites are all under a large-scale and sustained DDOS attack. Probably the same one that Nick Danger was threatening to undertake (with help from others). Could this be "the treatment" he had in mind?

A reader posted in a comment on my previous posting that Nick Danger / Marion Lynn is now being lambasted by his fellow comment-posters on ljworld.com.

I'd just like to add that since I'm nowhere near that region, nor do I care to bother with it, I am not a member of that site, and I'm not doing any posting there at all. (It looks like I didn't have to anyway.)

Marion made the following posting:

5 June 2007 at 12:13 a.m.

Marion (Marion Lynn) says...

Oh yare not only getting ready to help with the sales of my book but to bring down Spamhaus and Spam-Court; both of which have maligned me without proof but with malice aforethought.


Note the date. June 5th. I'm not the only one who did.

On June 8th, a contributor named "Guntrainer" posted the following:

8 June 2007 at 6:25 a.m.

GunTrainer (Anonymous) says...

Compare that with the June 7 news item at http://thespamdiaries.blogspot.com/
"Thursday, June 07, 2007
Spamhaus, uribl, surbl under DDOS attack

This has been ongoing for a couple of days now. Spamhaus and two other major blocking list providers have been under a distributed denial-of-service (DDOS) attack."

I wonder if Nick's buddies realize just how much self incrimination is going on here? How did Nick Danger / Marion Lynn know about this attempt to "bring down Spamhaus" as he puts it, at the very moment it began?

This turkey is asking for an early Thanksgiving.

Indeed!

As a followup: Spam-court.com appears to be back so my previous (lengthy, so apologies) posting on its demise was premature.

DDOS attacks always remind me of a three year old having a tantrum. "Spammer doesn't get what he wants, spammer cries. Spammer want!!"

I would love it if someone would organize a "turn off your PC day", where everyone - no matter where they were - HAD to turn off their computer or disconnect it from the internet. Make it some kind of grassroots operation so it fed into the promotion of greenspaces or a music festival of some sort.

Even half of one day with all the infected zombies in the world off the network would sincerely damage these criminals' ability to perform these attacks.

I don't know what it would take to do it but I for one would donate to such a cause.

My thoughts go out to the diligent crews behind these blocklists. People around the world have no idea how much effort they put in to reduce the flood of unwanted crap email that we would all literally be buried under. The term "just delete it" doesn't even come close to solving this obvious problem. Spammers want every one of us to have 10,000 copies of their messages every single day. They get mad when it's "only" 20 or 30 copies a day. Then they throw a tantrum.

I hope this leads to several arrests, since a lot of eyes are watching this one. Nick Danger may not be actively participating in this attack (and in fact it's highly unlikely) but it's clear he and others have been in touch with several individuals, either on bulkerforum.biz or via other means, who could make sure it happened.

SiL

P.S. This has further exposed that Marion Lynn is also involved with a non-profit called "Computer Waste Solutions", who I'm sure would not be happy to learn of his unscrupulous beliefs regarding the treatment of homeless people or operating as a trader of stocks, not to mention the charming company he keeps over on bulkerforum.biz. (Whether he spammed or not, ever in his life, he definitely has a very skewed view of what constitutes fair trading in the stock market.)

It's also brought up that he appears to be a militant pro-lifer with a new book which is about to be published. I'll try researching that one as well, but as I say I'm kind of done with him. I could never have dreamed that the ljworld community would take this and run with it as they have. :)