Posted to users@spamassassin.apache.org by Matt Kettler <mk...@evi-inc.com> on 2006/05/02 21:13:49 UTC

Re: Tinurl being abused by spammers.. (leo/badcow)

Igor Chudov wrote:
> On Tue, May 02, 2006 at 02:29:09PM -0400, Matt Kettler wrote:
>> Igor Chudov wrote:
>>> On Tue, May 02, 2006 at 02:08:23PM -0400, Matt Kettler wrote:
>>>> It looks like tinyurl is now being abused by spammers the same way geocities
>>>> was. I just got a porn spam using it.
>>> Hm, is geocities no longer abused by spammers? 
>> I haven't seen as many, but it is still ongoing.
>>
>>> Have they done anything about it?
>> Geocities has done a LOT about this, however it is largely a game of
>> whack-a-mole for them. They've taken many proactive measures to try to block
>> these before they get posted, but each time they implement one, Leo mutates and
>> comes right back. There's only so much they can do short of manually moderating
>> every upload to their site.
> 
> Thanks. (I wonder who is Leo). 

Leo Kuvayev, apparent head of a spam gang currently attributed as the third
largest source of spam in the world.

http://www.spamhaus.org/statistics/spammers.lasso

> In any case, I think that they could do
> something very simple, which is to set up several secret spam traps,
> and watch for geocities addresses appearing in them, and they could
> then quickly remove those pages that are mentioned in the spams, if
> they meet some other criteria (such as having javascript or external
> links).

Yes.. and are you saying they haven't done this? Geocities is not so stupid as
to not have already done this.

I'm fairly certain geocities is using all of:

1) pre-emptive filters to attempt to flag suspicious registrations and uploads.

2) filters to auto-group abuse reports and auto-suspend accounts with high
complaint volume.

3) use of spamtraps to auto-suspend accounts.

However, the above is not 100% effective. Also, 2 and 3 do absolutely nothing to
inhibit spam from being sent with a registered redirector. They're both purely
reactive measures that only serve to shorten the useful life of the redirector.

Spammers all play the numbers game. Even if 99% of their emails arrive
after the redirectors have been pulled, they will continue. Just as they will
continue even if 99% of their mail is caught in spam filters. That 1% is enough
when you're sending millions of emails a day, every day, with dozens if not
hundreds of new redirectors created every day.

This abuse is NOT a small scale operation by a high-school kid out of his
basement. It is massively large-scale, organized and distributed. Badcow is
operated by a highly determined spam gang with sufficient people and stolen
resources (botnets, abused proxies, etc) to carry out this kind of abuse from
tens of thousands of sources that change constantly. There is evidence to
suggest that this spam gang's members collectively have a wide variety of
expertise in hacking, virus writing, trojan horses, browser exploits, backdoors
and spam generation. This wide expertise causes the collective organization to
present a relatively sophisticated threat, and their large-scale attacks are
quite prone to rapid mutation to avoid containment.
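As an added illustration of the spamtrap-driven auto-suspend measure discussed in this thread (item 3 above, and Igor's suggestion of watching trap addresses for hosted URLs), here is a small Python sketch. It is not code from Matt, Geocities, TinyURL or the SpamAssassin project; the trap messages are constructed, and the URL patterns, the hit threshold and the idea of treating a tinyurl alias like a suspendable "account" are all assumptions for the example. It also shows why the measure is reactive: every message that references a redirector before the threshold trips has already been delivered, and the tally of messages that keep arriving after the pull is the "wasted" portion the spammers are happy to absorb.

```python
import re
from collections import defaultdict

# Constructed spamtrap messages (not real spam). Timestamps are ISO strings,
# which sort lexically, so no datetime parsing is needed.
SPAMTRAP_MESSAGES = [
    {"received": "2006-05-02T14:05:00",
     "body": "Hot pics at http://www.geocities.com/lonely_girl2006/index.html"},
    {"received": "2006-05-02T14:06:10",
     "body": "Click http://tinyurl.com/8x2kq for free pills"},
    {"received": "2006-05-02T14:07:45",
     "body": "See http://geocities.com/lonely_girl2006/pics.htm and http://tinyurl.com/8x2kq"},
    {"received": "2006-05-02T14:09:02",
     "body": "Newsletter from http://www.geocities.com/knitting_club/ (one-off mention)"},
    {"received": "2006-05-02T14:12:30",
     "body": "http://tinyurl.com/8x2kq http://tinyurl.com/8x2kq once more"},
]

# Assumed URL shapes: a geocities account is the first path component,
# a tinyurl alias is the path. Identifiers are lowercased for grouping.
REDIRECTOR_PATTERNS = {
    "geocities": re.compile(r"https?://(?:www\.)?geocities\.com/([A-Za-z0-9_]+)", re.I),
    "tinyurl": re.compile(r"https?://(?:www\.)?tinyurl\.com/([A-Za-z0-9]+)", re.I),
}


def extract_redirectors(body):
    """Return the set of (service, identifier) pairs referenced in one message.
    A set, so a message that repeats the same URL counts as a single hit."""
    found = set()
    for service, pattern in REDIRECTOR_PATTERNS.items():
        for ident in pattern.findall(body):
            found.add((service, ident.lower()))
    return found


def tally_hits(messages):
    """Per redirector: number of distinct trap messages mentioning it and
    the time it was first seen."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None})
    for msg in sorted(messages, key=lambda m: m["received"]):
        for key in extract_redirectors(msg["body"]):
            entry = hits[key]
            entry["count"] += 1
            if entry["first_seen"] is None:
                entry["first_seen"] = msg["received"]
    return dict(hits)


def suspension_list(messages, threshold=2):
    """Redirectors whose trap hit count reaches the (assumed) threshold,
    i.e. what an auto-suspend rule would pull. A single mention stays below
    it so that one stray reference to a legitimate page is not enough."""
    return sorted(k for k, v in tally_hits(messages).items() if v["count"] >= threshold)


def suspension_timeline(messages, threshold=2):
    """Replay the trap in arrival order. 'live' is how many trap messages
    referenced the redirector up to and including the one that tripped the
    threshold (all of them already delivered); 'dead' counts messages that
    kept arriving after the pull, i.e. spam the gang sent for nothing."""
    counts = defaultdict(int)
    timeline = {}
    for msg in sorted(messages, key=lambda m: m["received"]):
        for key in extract_redirectors(msg["body"]):
            if key in timeline:
                timeline[key]["dead"] += 1
                continue
            counts[key] += 1
            if counts[key] >= threshold:
                timeline[key] = {"suspended_at": msg["received"],
                                 "live": counts[key], "dead": 0}
    return timeline


if __name__ == "__main__":
    for key in suspension_list(SPAMTRAP_MESSAGES):
        print("suspend", key, suspension_timeline(SPAMTRAP_MESSAGES)[key])
```

Running it suspends the geocities account and the tinyurl alias after their second trap hit and leaves the one-off knitting_club mention alone; the tinyurl alias still shows one message arriving after it was pulled, which is the reactive lag the post describes.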