Biggles (Chocks Away Ginger) Premium join:2003-04-16 sweden
IF you are generating such a high number of fake addresses from a DB of real streets and zips, I would be worried about the number of real name/address combinations that can turn up -- Tarquin Fintimlimbimlimbimwhinbimlin Bus Stop Ftang Ftang Olay Biscuit Barrel
Sleeve1 join:2005-05-09 Saint Louis, MO
Re: The Fight - It's Payback Time! That is a valid concern but I have thought of that already. The names are all first names and the streets are fake but the cities, zips and area codes are real. If my math is correct, it would be less than 1 in a trillion for an exact match. I might as well be generating lottery numbers...
Ugly Fishy (Cool Bird) join:2001-12-12 The Meadow
Sleeve, not to run too far afield, and agreeing at the outset this idea has merit in principle despite not knowing the code author as trusted, please consider another code development.
Many use software, Mailwasher for example, to return as undeliverable undesired spam. In general this has become more of a problem than a solution, only because no one bothers, or more likely few even know, to check and verify there is some evidence the return path will not be to another poached address, thereby creating a new instance of unsolicited mail, i.e. more spam.
Folks selling software do not want to make things complicated for obvious business interest, so they are not helping things right now.
Yet folks who do take the time and make the additional effort to look and make an educated decision on [rare] bouncing might be helped with a refinement or tool which makes header interpretation easy. Something giving a simple result like "valid return path appears available" vs. "bouncing strongly NOT recommended. Consider reporting instead." This would reduce bad bounces and might do good, without doing bad. Let me explain.
The security folks have tools like HijackThis.
I know the comparison is a crude analogy, but rescuing a good idea like bouncing from overuse and abuse sounds worthwhile and does not lower one to doing ourselves what we deplore.
In other words, kindly and with respect, I ask if what is proposed here is not somewhat hypocritical in a small fashion as someone who is "fed up and not going to take it anymore"?
Perhaps such obvious talent might be willing to consider my sincere suggestion, either as an alternative or as an addition to an otherwise fine sounding concept.
I would prefer an incremental approach of returning a message first, only if it looks like a real return path, before launching an assault as massive as this repeat form submittal. Bravo Sleeve! Thanks for listening /rant off Ugly -- Oh, I love the smell of fish. Guts, rotten, it's all good.
NormanS Premium, MVM join:2001-02-14 San Jose, CA · Pacific Bell - SBC
It just sounds like a variation on "Spam Vampire". I will pass, thank you. What happens if you activate your script on some site which had the misfortune to be included in a spammer's links? Without consent, or knowledge of what was going on? -- Norman ~A dream, dream, no dream ~Voices of the night go across the forest ~A dream, dream, no dream ~Good night my good child
Steve (Consultant) join:2001-03-10 Yorba Linda, CA
This looks like an interesting and satisfying approach, but considering that I can't see the source, I'm not sure I could ever recommend that anybody run this software.
I'd be more inclined to build a perl program that could do this: then anybody can inspect for himself that it's doing what is claimed.
This is a general principle, not one directed at sleeve; one should be careful about running code from persons not known to be trusted (and I put myself in that "untrusted" category with respect to most members here).
But I certainly (but cautiously) like the idea.
Steve (with security hat on) -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site
Sleeve1 join:2005-05-09 Saint Louis, MO
Re: The Fight - It's Payback Time! Good thoughts Steve. I would be happy to post this code, but it does have a high potential for abuse if it got in the wrong hands. This is exactly why I chose NOT to code this in perl or PHP.
Flash does not access your hard drive or registry directly. Macromedia controls this with utmost care given to security. Virii can be coded in perl but not in Flash. It is impossible to get around this, thus the Flash alternative is as safe as you can get.
Have you run it yet Steve?
cacroll (Eventually, Prozac becomes normal) Premium join:2002-07-25 Martinez, CA
Re: The Fight - It's Payback Time! Steve has a point there - if the forms are being submitted to a database somewhere, I'd bet that the spammers will have some mechanism for logging IP address, and filtering out any entries coming from any address submitting repeated entries.
Did you have any research done in an open forum, say News.Admin.Net-Abuse.Email, to see if this spammer might be vulnerable to this sort of action?
Any thought to making your Flash app submit forms in an irregular pattern, to lessen the possibility of it being detected by the spammers?
You know what would really rule - if you could somehow hijack a botnet. Imagine the effect of submitting from thousands of different computers worldwide?
Anyway, it being Monday and I being too daring for my usual self, I downloaded your app. I ran it thru Avast and A2, then submitted to Jotti and Virustotal, and got back nothing interesting.
I ran it for a minute or so; it claims to have submitted 249 requests with 3 failed loads. Watching my router log, I only saw 6 outgoing packets, to www.xxxxxx.com, during that time.
I did a brief Google on www.xxxxxx.com (address munged), and got a bunch of hits in NANAS, so it's indeed a bad guy.
I may run this overnight after I go to bed, but I would like you to try and explain why I only logged 6 TCP port 80 packets during a period where the app claimed to have posted 246 forms? I want to know I'm not wasting my bandwidth. -- Cheers,
Chuck
»nitecruzr.blogspot.com/
Sleeve1 join:2005-05-09 Saint Louis, MO
Re: The Fight - It's Payback Time! cacroll-
thank you for the feedback. I will do my best to answer your questions.
quote: Any thought to making your Flash app submit forms in an irregular pattern, to lessen the possibility of it being detected by the spammers?
The current version uses a database of over 36,000 US cities and over 70,000 mixed ethnic names and creates random addresses based on 2 formats with real zip codes and real area codes matched to the city. This kind of realism is necessary to fool the address verification software some of these spammers use (it works quite well). The script selects random elements in each array to build the data and submits it. How irregular did you have in mind?
quote: I would like you to try and explain why I only logged 6 TCP port 80 packets during a period where the app claimed to have posted 246 forms? I want to know I'm not wasting my bandwidth.
Try opening up your CMD prompt and doing a 'netstat -n'. You will see that 2 threads are created per target and in this case all 3 targets lead to the same IP address, so you should see 6 threads going to the same IP on port 80. This version keeps the sockets open while submitting data because of increased CPU efficiency. Maybe your router log was showing 6 outbound connections and not 6 packets. You can actually see confirmation files in your "C:\Documents and Settings\%user%\Local Settings\Temporary Internet Files\Content.IE5" folder. These files are served by the webhost after receiving POST data from my Flash app, so you can confirm each submit is successful, thus being assured that you are not wasting bandwidth. It's actually a double whammy on the spammer because not only does this script submit bogus data which dilutes their database, it also leeches bandwidth from the webhost which can cost them big money if they exceed their limits!
If you are interested, download the trial version of DU Meter which allows you to monitor your bandwidth usage in real time. I am on a 5mbit/384k cable connection and I max out after reaching about 40 objects per second. That's 3456000 submits per day! No one can handle that rate for very long.
A known flaw lies in using Mozilla or Netscape. For some reason they are half as fast when submitting data, and if the app is left running for a period of 24 hours or longer, Mozilla will go into a 100% CPU usage situation and cease to work. IE 5.5 or higher will work for weeks and weeks without this problem.
Sleeve
cacroll (Eventually, Prozac becomes normal) Premium join:2002-07-25 Martinez, CA
Re: The Fight - It's Payback Time! said by sleeve: cacroll- thank you for the feedback. I will do my best to answer your questions. quote: Any thought to making your Flash app submit forms in an irregular pattern, to lessen the possibility of it being detected by the spammers?
How irregular did you have in mind? quote: I would like you to try and explain why I only logged 6 TCP port 80 packets during a period where the app claimed to have posted 246 forms? I want to know I'm not wasting my bandwidth.
Try opening up your CMD prompt and doing a 'netstat -n'. You will see that 2 threads are created per target and in this case all 3 targets lead to the same IP address, so you should see 6 threads going to the same IP on port 80. This version keeps the sockets open while submitting data because of increased CPU efficiency. Maybe your router log was showing 6 outbound connections and not 6 packets. You can actually see confirmation files in your "C:\Documents and Settings\%user%\Local Settings\Temporary Internet Files\Content.IE5" folder. These files are served by the webhost after receiving POST data from my Flash app, so you can confirm each submit is successful, thus being assured that you are not wasting bandwidth. It's actually a double whammy on the spammer because not only does this script submit bogus data which dilutes their database, it also leeches bandwidth from the webhost which can cost them big money if they exceed their limits! If you are interested, download the trial version of DU Meter which allows you to monitor your bandwidth usage in real time. I am on a 5mbit/384k cable connection and I max out after reaching about 40 objects per second. That's 3456000 submits per day! No one can handle that rate for very long.
I was thinking of the activity pattern, if their database detected a constant stream of requests from the same IP like they did yours. If you sent half a dozen, then waited a few minutes, then sent a couple more, I'd bet you could fly under their radar.
I'm not interested in doing any DoS, and with my bandwidth, that's not gonna happen. I'm just thinking of the database poisoning; that's only going to happen with a sustained attack over a long period of time. If they become aware of our activity, they'll start filtering it before much happens. If we vary the attack, and they don't filter it, we're more likely to get their database well poisoned. Of course, that will happen much easier with more action from here.
Remember Slammer in January 2003? Imagine how long Slammer might have run, if it had been coded to throttle itself. Of course, it wouldn't have infected any more computers, but it could have been out there for a very long time before being detected.
You're right, I'm looking at connections. Oddly, the 6 are all different connections at my end, all going against port 80 on the spammer end.
I have DU Meter, so I will watch it the next time I run it. Could be I didn't see anything because other stuff was happening here.
And I'm running this from Opera, my browser of least privilege. Gives me an ugly black and white set of boxes, but I'm not looking for pretty here.
Anyway, so far I'm at 9 Failed Loads / 298 Total Requests. Will let you know what else I get. Probably not going to be a lot (dang PacHell DSL).
-------
I let it run for 1/2 hour or so, now at 1798 / 82. I was watching the data fly by (not so quickly as for you) and noted a number of 4 and 6 character zip codes. Surely the spammer's server will catch those?
-------
And another full hour, and now at 6300 / 137.
Sleeve1 join:2005-05-09 Saint Louis, MO
Re: The Fight - It's Payback Time! Yes, the spammer will catch those. Thank you for the heads up on that one. I'll have to see why that is happening.
Did you notice that the websites are no longer available? I wonder if the server gave up?
I have some new targets if anyone is interested. This time it's several fake pharmacies trying to obtain CC info from victims in order to clean out their account and then steal their identity. E-mail me if you are interested. Shadowboxer156@hotmail.com
Steve (Consultant) join:2001-03-10 Yorba Linda, CA
said by sleeve: Have you run it yet Steve? No: I don't ever run code from random people on the internet. Ever. I don't know enough about Flash to trust it when I don't know what it does.
This is not any reflection on you, but a security paranoia that has served me well for a long time.
The potential for abuse is a fair concern, and I'm not sure how one could release a DoS tool but see that it be used only for good. So I guess I'll be left with waiting for some of the spam in question and rolling my own in perl. I did this some time ago for an unrelated web-form-submittal purpose, so modifying the code should be straightforward.
This whole approach is less useful when the webform saves the entry in a database along with IP - easy to DELETE FROM spamee WHERE IP = '10.1.1.3'.
But if it's a mailform that generates one email per submission, it sounds like a positively lovely idea.
Steve -- Stephen J. Friedl Unix Wizard Microsoft Security MVP Tustin, California USA my web site
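As an added example, not code from this thread or from Sleeve's tool: the two signals cacroll and Steve raise for spotting a bulk fake-submission flood on the receiving side (a sustained stream of POSTs from one IP, and ZIP values that are not 5-digit or ZIP+4 strings) applied to a constructed form-submission log, the way any web-form operator would check their own logs. The log format, paths, IP addresses and thresholds are all assumed.

```python
# Added example: detect a form-submission flood from a form operator's logs.
# Signals: many POSTs from one IP inside a short window, and malformed ZIPs.
import re
from collections import defaultdict
from datetime import datetime

ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")          # NNNNN or NNNNN-NNNN
LINE_RE = re.compile(r"^(\S+) (\S+) POST (\S+) zip=(\S*)$")

# Constructed sample log (assumed format): "<ip> <ISO time> POST <path> zip=<v>"
SAMPLE_LOG = """\
203.0.113.7 2005-08-15T10:00:00 POST /lead.php zip=63101
203.0.113.7 2005-08-15T10:00:01 POST /lead.php zip=6310
203.0.113.7 2005-08-15T10:00:01 POST /lead.php zip=631011
203.0.113.7 2005-08-15T10:00:02 POST /lead.php zip=94553
203.0.113.7 2005-08-15T10:00:02 POST /lead.php zip=92886
203.0.113.7 2005-08-15T10:00:03 POST /lead.php zip=95112-1234
198.51.100.2 2005-08-15T10:05:00 POST /lead.php zip=90210
"""

def parse_log(text):
    """Yield (ip, datetime, zip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), datetime.fromisoformat(m.group(2)), m.group(4)

def flood_sources(entries, window_s=60, max_posts=5):
    """Return the IPs that sent more than max_posts POSTs in any window_s span."""
    by_ip = defaultdict(list)
    for ip, ts, _ in entries:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0                                  # sliding-window left edge
        for end, ts in enumerate(times):
            while (ts - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_posts:
                flagged.add(ip)
                break
    return flagged

def malformed_zips(entries):
    """Return (ip, zip) pairs whose ZIP field is not NNNNN or NNNNN-NNNN."""
    return [(ip, z) for ip, _, z in entries if not ZIP_RE.match(z)]

def analyse(text=SAMPLE_LOG):
    entries = list(parse_log(text))
    return flood_sources(entries), malformed_zips(entries)
```

A real deployment would read the web server's access log and store the flagged IPs for rate limiting rather than returning them; the ZIP check alone catches the 4- and 6-character values cacroll observed.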
Sleeve1 join:2005-05-09 Saint Louis, MO
The Fight - It's Payback Time! Hello-
I have a proof of concept that I want people to know about...
I am a site op for a small company that absolutely gets bombarded by spam. 90% of it is from these fake mortgage websites that harvest personal info for the purpose of either ID theft, or list selling to direct mailers or lenders. I traced one back to a site that has over 700 subdomains used for spamming and/or a landing site for victims. They are based in China or Korea usually but say they are an American company. One of the domains is »www.fibvmt.com if you are interested in checking in to it. They must be on just about every blacklist in the U.S.
Upset at their nefarious intentions and the ungodly amount of spam we receive from them, I decided to fight back by giving them what they want...names and addresses...and a LOT of them!
I created the first ever FORM FILLER that generates FAKE names, addresses, phone numbers and email addresses and then SUBMITS the data directly to the data harvesting pages MILLIONS OF TIMES PER DAY! This will prevent them from distinguishing the fake names from the real names, thus preventing victims, and it will use HUGE amounts of process time and resources on their server. No real US companies are going to like buying fake names from the spammers, so if we destroy their lead system by pounding it with fake info, we also destroy their market, thus making it a far, far less profitable affair to spam people. It's time to FIGHT BACK!
I got up to 15 MILLION FORMS successfully submitted before they k-lined me. I need some help to beta test this app and to take down the world's biggest spammer. After they are gone, we will take down the second biggest spammer and so on.
The software is Flash based and is NOT an executable. If you know anything about Flash, it cannot directly access your registry, hard drive or memory. It is absolutely incapable of viral-like doings.
You can find it here: »bdonner.coconia.net/
HELP me test it and KILL THE SPAMMERS! Post your stats/comments/questions to this thread and spread the word. Let's FIGHT BACK and let the spammers know that we will not tolerate this anymore!
I am in the very early stages of development and if this works, I will be further developing it and accepting other spammers/scammers for consideration as targets, e.g. fake software sites, fake pharmacy sites, fake banks and any other evil entities. E-mail me at shadowboxer156@hotmail.com with any questions.
Regards,
Sleeve