Wednesday, June 6, 2007

Yambo And Badcow: Even Other Spammers Hate Them

It appears that there are some spammers who even supposed "fellow spammers" despise.

I'm basing this on anecdotal evidence from publicly-posting members of several pro-spam forums, but it seems like both the Yambo Financials and Badcow spammers are pretty much lambasted by many in the bulk email community. This is an interesting development from my point of view. (Yambo and Badcow are the names tossed around in most anti-spam literature regarding the message types, the manner of sending and the types of sites being promoted via spam.)

Most of the people who want to join and communicate on these forums do so because they either want to learn something, or because they want to make deals with other people in the community. Several of them actually ARE what could be considered "good" spammers: they de-dupe their lists, they don't mess with headers, they are what they term to be "compliant" senders, meaning that since CAN-SPAM was passed in the US, they attempt to follow that law's guidelines. I don't doubt that this is true for many users of these forums. There are others who definitely seem to have a weird interpretation of "compliant": they'll still use botnets (which is illegal), or they'll still harvest email addresses and ask around for better ways to do that (not kosher, but unfortunately not illegal). That is not "compliant". But that's nitpicking.

Yambo and Badcow: they don't care who gets their messages. They don't strip anyone from their lists, ever. They don't de-dupe, and they send to the same lists several times a day. They are relentless and they are a total scourge on the Internet at large. Most interestingly: Many other spammers, even rampant ones with their own list issues, hate these guys.

They also seem to add new email addresses to their lists every single day, apparently by doing some form of MX record scans. As an experiment, I set up threee test gmail accounts a while ago to see how long it would take before they all started getting spam. I sent no mail to anyone from them, and I told absolutely nobody about their existence. Then I waited.

Approximately three weeks after signing up, one of the accounts (which started with the letters "aa") began receiving stock spam, and spam for My Canadian Pharmacy. Six weeks from signup date, an account starting with "cd" began receiving spam for Pharmacy Express and different stock spam. The third one, which started with the characters "zd", has yet to receive anything.

This led me to believe that the spammers behind these organizations tend to focus on alphabetically-, or possibly alphanumerically-sorted addresses once they verify that an MX record exists. It's a hunch on my part, but it's not impossible. MX records signify that an address exists and can receive mail. This saves them the trouble of sending to lists containing:

Instead, they just run some form of brute force email address checker against Gmail, or Yahoo, or Hotmail, and then add the "verified" ones to their lists.

I've done similar tests on each of those services, with very similar results.

I'm pretty sure that there must be some kind of custom-written code out there to do verification of valid free-web-mail service addresses, using either a straight brute-force approach or some other method. It wouldn't surprise me.

It's hard to fathom what their return on investment is in continuing to knowingly send so much spam to addresses who absolutely will never respond. It can't be that great. However: both of those groups are known to be run by Russian crime gangs, and I'm sure they honestly don't care. Their numbers must be ridiculously large, not just in terms of the people behind them, but also the sheer volume of data, and the technical infrastructure.

Yambo (responsible for My Canadian Pharmacy, International Legal RX and dozens more) is a group I've been investigating for some time now. They have custom-written unix infections to do their web hosting and DNS serving for thousands of web and DNS domains. They likely have others for consumer-level bot infections.

Badcow (responsible for Pharmacy Express among many others) is most definitely responsible for a wide array of consumer-side windows infections which turn a user's pc into a spam-sending, DDOS-ready zombie. They appear to have some automated method of registering tens of thousands of new domains per day, all with unpronounceable names. Those domains in turn get used to either host new windows infections (for download by one or more bots) or to host the Pharmacy Express (etc.) websites themselves, or be used as supporting DNS domains.

In both cases, they definitely appear to have lots of minions doing their mailing for them. That last part is the hard one to track down obviously.

If I spoke or read Russian, or possibly Romanian, I'd probably be able to get somewhat closer to finding out what possible reasons these goons have for emailing anyone on the planet with their stupid rogue pharmacy scams. Til then I just go after the website domains and their ordering process, which I know has definitely upset some of them.

It was estimated some time ago that since most illegal spammers are using botnets which run without a PC user's consent, their sending is "free", so even seeing a single sale means that "enough" profit is made by the spammer. In the case of both of these groups, their DNS, web hosting and domain name registration processes are also "free" (since they all take place without any of these PC user's consent or knowledge.) They therefore spam everyone twice or three times as hard. How much profit could they possibly be making?! It just doesn't make any sense to me.

If you are one of the many hapless individuals who has purchased "drugs" from any of these sites, you should be aware (as mentioned previously) that this activity can not only hurt people, it can kill them. It already has. We as a society should consider standing up and saying that we don't want these criminal gangs to continue to do this to us.

Recently, Russia has been making louder-than-usual noises about wishing to join the World Trade Organization. One of the first things that international industry focused on was that the popular music website was not operating above-board in terms of repayment of profits to the appropriate partner companies around the world, and that failure to do something about that website could have a direct impact on their eligibility for WTO membership.

While that's possibly as good a place to start as any, with this much continual spamming of what are known to be illegal fake pharmacy operations right out there in the open, I personally believe that at least one of the member countries (oh, say, the US?) should make some kind of statement along the lines of "when will your country shut down this internationally illegal activity?" and have THAT apply directly to their eligibility to joing the WTO. It's much more tangible, it's much more blatant activity, and there is a lot of documentation out there showing clear connections between these spammers and Russian criminal gangs.

I'm not sure what the straw will be that will break this particular camel's back but I would hope that that kind of action would be a good start. I could be wrong.

SiL / IKS / concerned citizen

1 comment:

Anonymous said...

I'm pretty sure that there must be some kind of custom-written code out there to do verification of valid free-web-mail service addresses, using either a straight brute-force approach or some other method. It wouldn't surprise me.

I have used the non intrusive non E-Mail sending tool at , I am sure it can be automated and sped up.