MCI Knowingly Supports Sale of Illegal Proxy Hijack Software
The following text is the press release published by Steve Linford of
the Spamhaus spam email blocklisting service. This copy was published in
the Usenet newsgroup news.admin.net-abuse.email.
The Spamhaus Project
London, 04 Feb 2005
Should ISPs Be Knowingly Profiting From Selling Service To Known Spam
Gangs?
------------------------------------------------------------
Summary:
Since the release of Sobig, spammers have released countless virus
variants turning millions of private home computers into unwilling spam
servers. Crucial in this underground spam world is the stealth bulk
spamming software specially written to take control of private
computers. Crucial to the distribution are a handful of ISPs knowingly
aiding the spam gangs. In this article Spamhaus exposes the author and
distributors of the illegal Send Safe proxy hijacking spamware, and
exposes one major ISP knowingly hosting the proxy spam gang.
------------------------------------------------------------
Story:
Email users are under ever-increasing attack by spammers using
subversive illegal methods to get spam into mailboxes.
With current spam levels at 75% of all email, and the United Nations
estimating the current cost of dealing with the problem at $25 billion
a year, illegal proxy spammers have now once again upped the
ante, releasing improved versions of their stealth proxy spamming
software with new features to increase spam volumes still further. At
the current pace, if left unchecked, Spamhaus is warning spam could
reach 95% of all email traffic by mid-2006.
So where is it all coming from? Over 70% of current spam comes from
proxies (PCs infected with viruses/trojans). Since the release of Sobig,
the first commercial spam virus designed by spammers to infect PCs
turning them into networks of proxies through which spammers then send
millions of spams anonymously, spammers have released countless virus
variants, mostly variations of the original Sobig code, and have been
infecting an estimated 80,000-100,000 new PCs every week.
In spammer 'supermarkets', closed online forums hosted mainly in China,
Russia and Florida with names such as "Specialham.com", "Spamforum.biz",
etc., spam gangs sell lists of "fresh proxies" (newly infected PCs),
offer "Bullet-Proof Hosting" (spam service web sites normally based in
China), and advise each other on new spam techniques and which networks
are "spam-friendly" (which networks will host spammers and turn a blind
eye in exchange for the spammers paying for high-priced services they
don't need).
It is easy to see who some of these ISPs are; one needs look no further
than Spamhaus' "TOP 10" list of the world's worst 'spam-haven' ISPs
(TOP 10 Statistics).
Surprisingly, most are American.
Crucial in this underground spam world is the stealth bulk spamming
software ("spamware"), specially written to take control of private
computers, usually those on the world's broadband networks, and to use
them to send out spam for pornography or illegal drugs, without the PC
owner's knowledge or permission, by acting as an anonymous "proxy" for
the spammer.
This proxy spamware is mostly written by Russians, and in particular by
two Russians well known to Spamhaus and western law enforcement
agencies. By no coincidence, new versions of their proxy spamware appear
to be released just as new Sobig virus variants make their appearance,
and the proxy spamware coincidentally has features to command the new
viruses to operate in new ways.
The two Russians are Ruslan Ibragimov, author of the 'Send-Safe' proxy
spamware, and Alexey Panov, author of the equally illegal Direct Mail
Sender ("DMS") proxy spamware, both packages designed specifically for
hijacking of 3rd party computers and illegal anonymous spamming. Both
also sell lists of freshly-infected proxies to the spammer community.
Spamhaus believes Ibragimov and Panov have far too many connections to
the Sobig virus for these to be coincidences.
Ibragimov's Send-Safe, in particular, has a feature called "Use proxy's
MX" which is causing a large increase in spam for many ISPs. This
Send-Safe feature instructs its hijacked proxies to send the spam out
via the upstream ISP's main mail server (instead of the proxy sending
the spam out from the infected machine itself). This means that billions
of spam emails now flood the Internet coming from the main mail servers
of large ISPs.
AOL was one of the first to notice the trend and reports that some 90%
of AOL's incoming spam now comes from ISP smarthosts and major relays.
Email filter firm Messagelabs confirms this is also what they've been
seeing, as do Time Warner Cable and Earthlink.
So where is this stealth proxy spamware sold and distributed from? For
Send Safe the answer is www.send-safe.com, hosted by MCI Worldcom.
This for Spamhaus is the crux of the spam problem, because MCI Worldcom
not only know very well they are hosting the Send Safe spam operation,
MCI's executives know send-safe.com uses the MCI network to sell and
distribute the illegal Send Safe proxy hijacking bulk mailer, yet MCI
has been providing service to send-safe.com for more than a year.
MCI executives have refused to stop providing service to these gangs,
insisting that the sale and distribution of stealth spamming software is
"not against MCI's policy".
For more than a year MCI have flatly refused to stop send-safe.com and
other proxy spam gangs, which has allowed Send Safe to become one of the
most sold anonymous proxy hijacking bulk mailers on the spam scene, and
has had ever more spammers flocking to MCI.
It's no surprise therefore that MCI has consistently occupied first
place in Spamhaus "TOP 10 World Worst Spam Service ISPs" chart, with
over 200 spammers and spam gangs on the MCI network in full knowledge of
the security managers and the General Counsel.
For over two years Spamhaus has repeatedly informed the same MCI
executives that the distribution of 'stealth' anonymous spamware is also
illegal in the State of Virginia where MCI UUNet is based. In other
words, we do not simply see MCI's knowingly servicing known spam gangs
as highly unethical activity for an ISP to be involved in, we also see
it as being illegal in MCI UUNet's home state.
Spamhaus has for a long time campaigned for ISPs to cease knowingly
profiting from hosting known spam gangs and aiding the sale and
distribution of illegal spamware such as Send Safe and DMS. Spamhaus has
repeatedly uncovered deals between ISPs and spam gangs, in which the
spam gangs pay a premium for hosting in return for the host turning a
blind eye, and seen internal memos in which executives of one ISP
discuss how much revenue they are making from hosting known spam gangs.
We estimate that MCI earns upwards of US$5,000,000 a year from selling
service knowingly to known spam gangs, incentive enough for MCI Sales
executives to want to keep the income coming, no matter what havoc the
paying spam gangs are wreaking to the Internet.
As at the writing of this article, www.send-safe.com is still connected
to the Internet by MCI as it has been for over a year, still
distributing the Send Safe stealth proxy hijacking spamware.
MCI Worldcom's official position on the issue is that MCI can't stop
their spam gangs selling proxy hijacking spamware from MCI's network as
that would be 'censoring' the distribution and sale of illegal proxy
hijacking software.
MCI is the only American, and indeed only Western network, where this
spam support activity is "not against our policy". Spamhaus maintains
that MCI's 'protected speech' excuses for servicing known spam gangs and
proxy spamware distribution sites are dishonest and nonsensical in the
face of the Internet's spam epidemic.
The following are the many known serious spam issues on MCI Worldcom as
at the writing of this article, causing high economic damage to the
Internet and misery to millions of Internet users, and known about by
MCI executives and MCI's General Counsel:
Spamhaus MCI Listings
------
Virginia State Spam Laws
Spamhaus Statistics Page