When SaaS Meets Spam, Managed Services Go Too Far


Attention, jerks and bad guys of online marketing: you now have a much easier way to spam the hell out of the entire globe--and at speeds only possible through botnets. Thanks, Russian entrepreneurs and online criminals!

Security blogger Dancho Danchev over at ZDNet has the details of this fully loaded service from what appears to be a Russian company known as SET-X corporation (Danchev translates a good portion of the elevator pitch on its site from Russian to English). It is a great post that includes a few interesting diagrams and images straight from the company. Danchev has been covering spamming closely, especially its emergence as a managed service (read his post on a recent attack that used spear phishing techniques to send spam from the University of Otago).

Here's a bit of what SET-X is touting as its value proposition, according to Danchev:

The SET-X Mail System in particular is a typical example of a "one stop spamming shop", which, compared to legitimate companies that are able to occupy and serve all the market segments related to their particular product or service through M&A (mergers and acquisitions) with different companies, has managed to vertically integrate on its own and logically provide anything a spammer could possibly need from a spamming service, such as:

* dedicated staff of four people updating the malware binaries and reachable 24/7

* daily introduction of new malware infected hosts

* the ability to purchase recently harvested e-mail databases for a particular country in order to use them in localized spam campaigns, with the translation service for the messages provided by the same vendor

* the option to purchase an unlimited number of automatically registered e-mail accounts at popular Web-based e-mail providers in order to integrate them within the "unique legitimate senders" spamming method

* unlimited support of spam templates also known as macroses

* unlimited number of e-mail databases to integrate and use simultaneously

* low total cost of ownership (TCO) and 99% uptime of the command and control server due to the fact that the malware infected hosts obtain commands dynamically from secondary servers in order to ensure that they never expose the central one

Is it too much to say that this is absolutely frightening? I don't know how any government is going to stop this from taking off, let alone persuade the Russian government to cooperate. And what is a sys admin or e-mail manager to do about such insane levels of deception, even with spam filtering in place? Security technology cannot keep up with the level of sophistication we are seeing here.

This information reinforces something Baseline has been writing about for many years--the serious rise and growing sophistication of cyber-crime--and the well-organized criminal groups that are creating real havoc for the freedom to experience the Internet and all its collaborative convenience.

The scary thing here is that spam only scratches the surface of what botnets are doing with our personal information (keylogging that records what we type in order to steal login and password details, for instance) and with home systems that appear to be sitting idle but are actually being drained of their processing resources. I think that sooner rather than later the Internet will become less and less a democratic experience, and instead one filtered and controlled by which countries get blocked and by whether the governments on the permissive end of these botnets are brought to some kind of justice.

Here's some perspective on what our government is up against. In a 2006 Washingtonpost.com article by Brian Krebs, Nicholas Albright, one of the volunteer members of Shadowserver--an online Guardian Angel-type group that tracks and fights botnets and reports them to the ISPs hosting the infected machines and to law enforcement--had this to say about how the U.S. government is dealing with botnets.

Albright said that while federal law enforcement has recently made concerted efforts to reach out to groups like Shadowserver in hopes of building a more effective partnership, they don't have the bodies, the technology or the legal leeway to act directly on the information the groups provide.

"Our data can't be used to gather a warrant," Albright said. "Law enforcement has to view the traffic first hand, and they are limited on what and when they can view."

"It's going to get a lot worse in the next two years. We need a task force or law enforcement agency to handle these types of intrusions ... and that needs to be all they do," Albright said. "Sadly, without more law enforcement support this will remain a chase-your-tail type game, because we won't ever really shut these networks down until the bot master goes to jail, and his drones are cleaned."

It's been two years.