New Spam Retaliation Tool

Discussion in 'other security issues & news' started by Paranoid2000, Nov 8, 2006.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Proxomitron can certainly prevent this (the Disable Scripts filter being the specific one which kills Javascript except for exempted sites) as can any other filter tackling Javascript (Firefox's NoScript extension should be able to manage it as should any personal firewall offering web filtering).

    Really, anyone seeing these popups should take this as a wake-up call. Allowing Javascript by default is dangerous nowadays - block it except for sites you trust.

    BTW, I'm still running this though not as much as previously. I've been receiving so many "pre-approved finance offers" that I'm now busy filling in all the forms with the intention of collecting enough finance to buy out the Federal Reserve... :D
     
    Last edited: Dec 1, 2006
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Paranoid2000.

    So for this purpose (Spur-M-Enator), one would not even need Proxomitron?
    Just set Firefox NoScript extension to allow scripts from localhost (so Spur-M-Enator works) and block from everywhere else?
    It will still work?
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That should work - as should just disabling scripts for gborders.com only for those preferring convenience over security.
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Excellent, then we can all continue. Thank you.

    LOL, well hurry up, it's running out fast! :D
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Well, I'm now on GenBucks' 403 Forbidden - We're Not Sending You a Card This Christmas list. :) Their threshold is pretty high since I must have sent over 20,000 orders in total - but now I'm running Spur-M-Enator through Tor (had to slow it down to one order every 25-35 seconds though).
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Again Herb and Devinco et al:

    I am back from eye surgery; the cataract lens works very well! Now I must do the other eye, since looking through it alone shows me a world as if you are looking through a bucket of p..s, whoops I mean apple juice!

    Now to questions on this new exciting spam retaliation tool (sorry to be a Johnny-come-lately):

    1. Why do this at all? Aren't we becoming spammers ourselves?
    2. It seems a commercial opportunity for someone to do what you guys are doing individually?
    3. Aren't you putting your own PCs at risk by doing it?
    4. Why not just have strong spam filters and forget it?
    5. If I wanted to join your crusade, what do I need?
    6. I understand it would be best to use Firefox; I have 2.0?
    7. What add-ons and filters do I need to guard my PC?
    8. Can I run it all night, or do I have to sit and respond to messages?
    9. How do I know what I have achieved if I join in?
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    1. Spam = Unsolicited. Response to spam = Solicited. Aside from that, please read the beginning of this thread for a list of reasons.
    2. Only for a company prepared to withstand massive DDoS attacks - read up on Blue Security.
    3. Potentially yes - hence the need to use a non-IE browser and web filtering.
    4. Filters don't discourage spam - spammers just try to devise means to work around them (misspelling, using images instead of text, garbage text to poison Bayesian filters, etc). Since spam is ever increasing, at some point you will end up with 1,000 or more spam for every legitimate email and very few filters are then going to be able to cope satisfactorily with that.
    5. A browser, a mouse, some patience and determination to start with. Then the ability to change IP addresses (easily done with dialup but otherwise you should consider installing and using Tor - see above). Basic Javascript knowledge comes in handy if you wish to customise some of the retaliators (e.g. to specify different sites or change the submission rate).
    6. The version used isn't going to make a great deal of difference.
    7. Discussed above.
    8. Depends on the retaliator - the FormFillers can often be left on automatic as can this Spur-M-Enator. Most of the other order submission tools require some copy-paste work (though this can be automated with the right tools).
    9. Symptoms of success:
    • The spam site starts blocking your IP address (you either get a "Forbidden" or "Not Found" message as seems to be the case with this site - in other cases a fake error message like "Bank reports: Your card cannot be authorized." may be given);
    • The site changes to try to make things harder like the 1,000 popups this site tries to launch. Other examples have included the addition of CAPTCHA images to make orders harder (Pharmacy Express - this didn't last long presumably since their "real" customers were probably having more difficulties with them than the retaliators were);
    • The most important - a reduction in spam for the site concerned.
     
  8. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Does this tool work against these scum (who doubtless are not qualified to work as Pharmacists in the UK):

    [attached image: scum.png]
     
  9. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Hey there

    It is precisely this kind of attitude that I have become so sick of hearing.

    I for one am all for "stooping to their level" if it actually means they'll finally stop sending me this crap. Literally nothing else works. And I flatly reject any response to that statement that says either "Just delete it" or "spam filters are pretty good these days." Those are not stopping the spam.

    My first retaliation of this type began almost two years ago, and it worked. Not just for me, for several dozen people. At the time it was refi spammers with servers located in Brazil. I was receiving 200 per day to my main account. It was ridiculous. I retaliated using a custom javascript form posting tool and sent them several hundred thousand leads. The spam stopped immediately.

    This works. I am sick of people saying that we're "as bad as" the spammers. I'm nowhere near as bad as the spammers we're going after. I don't attempt to profit by this abuse. (which they do.) I don't deal in side gigs like child porn while building these tools (which they do). I also don't run this against servers I don't believe have asked me to come to them to place these orders (they spam anyone whether they want it or not.)

    I also care that these products are part of a rampant illegal operation and represent a genuine health risk to the public. They clearly do not.

    Most importantly: I never lie about any facet of my retaliation tools. I tell everyone up front precisely what it does, and I don't hide my code (though that last part will likely change.) I also describe in detail what the desired effect of these tools would be (costing spammers money.) I outline the risks involved and that the choice to run these tools is entirely up to the user.

    In stark contrast: spammers lie constantly!! They claim they're "supported by the BBB", or that they offer secure credit card processing, or even that the drugs they are selling you are legal even though no prescription is required. They lie with every word they put on their servers and they know it. Then when you complain to them, they lie and say that "we don't spam."

    I'm nowhere near the depths of these criminals. I'm merely fighting back in a few very simple ways in the hopes that spamming costs them money. It appears to be working.

    I completely disagree. Anytime anyone has attempted to monetize this kind of product, it ends up with massive bad publicity and a lot of naysaying from the press in general. ("We're stooping to their level, that is wrong, don't waste your money on this antisocial endeavour", etc....) Witness the make love not spam program from Lycos. And, sadly, Blue Security. Believe me if I could make this my fulltime job and actually make a living from it: I'd do it. Not one single company out there would ever support this. (I've asked, trust me.)

    Yes, and in my case: gladly. This is partly why I recommend TOR and the like. I've had my home pc DDOS'd in retaliation to these retaliations. Beyond that I have never suffered any kind of trojan, backdoor or infection. I think for that to remain the case, we all need to be educated about how to secure our systems.

    (There's that phrase again, "just use filters"... :) )

    I already do. And I don't buy that as a response to spammers. I read an article recently about different approaches to fighting spam and the author made the statement that using filters is a bit like trying to put your arm over your face when a bully is continually punching you there. It stops your face from getting hit occasionally, but it doesn't stop the punching. My servers get "punched in the face" some 2000 times per hour, every day, for months. It's not stopping. The only thing that slows the punching down is punching back. Why everyone is so afraid to face that reality is beyond me. I've noticed over the last few years that it doesn't even take very many people to launch an effective retaliation, but more certainly makes it effective more quickly.

    Also: everyone seems to blatantly ignore that the people behind these messages are outright criminals. In many cases they already have international summary judgements against them and have avoided capture and arrest for at least the past three years. I dunno about you but when it's a known, proven fact that 92% of the email coming to me every single day, filtered or otherwise, is from a gang of criminals, I tend to really dislike that.

    It's not merely my crusade. In the case of my retaliatory tools: you need FireFox, TOR, and a deep hatred of these spammers.

    2.0 is awesome. :) Any version will do. But again: that's only for my tools. There are dozens of others out there. It depends how nerdy you want to get about the fight against these miscreants.

    If you're not already running a decent firewall and antivirus: do so. And I mean something decent like AVG, not something that merely claims to be like McAfee or Symantec. I've seen both of those completely ignore well-known viruses, or better yet: identify them but claim they can't do anything about it. AVG and ClamAV are both much, much better products in my opinion.

    It's worth looking into some of the extensions available for FireFox also. Greasemonkey is awesome. So is Adblock. There are thousands. Worth digging into.

    In the case of the stuff I write, I attempt to automate it as much as possible. It's not always possible to automate every step (notice this in the Pharmacy Expressorator.) As to how long to run it: I leave that up to you. In fact I leave the *choice* of running these things up to you. I merely wrote them because I was fed up. Once I sent them out into the world it became clear that I was certainly not the only one. I'm certainly not demanding that anyone run them. It's an option. In my opinion it's a much better option than merely filtering these messages.

    The proof I tend to see that it's been effective has varied. Generally I tend to see:

    - Either a slowing or a complete stop of the spam in question. In the case of the Spur-M spam: since I launched this tool I haven't seen one single message promoting Spur-M in the past two or more weeks. That's definitely a sign.
    - Editing or manipulation of the forms in question. This indicates that they want things to go back to normal. I've seen everything from static renaming of fields, to the inclusion of new extra fields, to dynamic, randomized naming of first and last name fields (almost all of the refi spam websites use that one.) Sometimes they add a captcha, which is usually pathetically easy to get around. That's usually a sign that these are definitely costing them extra time and money.
    - Lastly, if you're as nerdy about this as I am, I investigate spammer forums. bulkerforum.biz is pretty stringent about signing up now because of infiltrations by people like me. They don't want anyone monitoring their conversations and they move that site around on an almost weekly basis. It's always hosted on a hijacked server, never on one they own. I've seen complaints about the mass ordering I participate in. They refer to us as "antis" like that's some kind of brand name. An annoyance. In all cases where I've written a specific, customized retaliation, its effects have been talked about on that and other forums. It definitely is hitting them where it hurts (their idiot wallets.)

    Sorry to babble. You raised questions I keep seeing over and over again. I think the time for sticking our head in the sand and relying on either filters or (pathetically) the delete key is past me. I'm sick of these assholes and I am not going to take it anymore. I don't think anybody else should either, but I can only take responsibility for my own actions.

    Thanx (and again apologies for length.)

    SiL:thumb:

    P.S. I hope your eyes are alright.
     
  10. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    No but I am working on one. That's the Discount Pharmacy outfit, another one believed to be related to Leo Kuvayev.

    You'll notice that they don't even want you to know the real location of that site. It presents framesets using heavily obfuscated javascript.

    I have a semi-working GreaseMonkey script which is not complete yet. Believe me I'll let you know when it's working.

    Interesting side note: you tend to see one of those for every 8-10 stock spams featuring attached gifs. Same group is sending both, without fail.

    Additionally: I've received several 419 or date scam emails with reply addresses based at their Discount Pharmacy or Pharma Shop domains. So they're diverse criminals. :)

    SiL
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Isn't Discount Pharmacy covered here?
     
  12. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    I would just like to report back that NoScript DOES indeed work with this utility.

    Also: I no longer see that mysql_free_result error, which means that the javascript they put in place may have inhibited posting.

    https://addons.mozilla.org/firefox/722/

    By default it is inhibited. But you will have to enable the local file to run javascript.

    Nice! :D

    Thanx Para

    SiL
     
  13. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Glad to help out a little - keep up the good work. :thumb:
     
  14. Redmind

    Redmind Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    1
    I very much appreciate what you are doing.

    The Pharmacy Express spammers are using my domain name as the From
    address in their spams. I get thousands of bounces a day. I run a business and cannot have these criminals filling my mailbox space, and making it look like my company is spamming.

    I and my company will support you in any way you need.

     
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The CastleCops thread So, how are we going to deal with these joe-jobs? has some useful tips for this. The best advice is to forward all such misdirected bounces to SpamCop - I include the following note:

    Spam (with forged sender address) bounced to third party (see http://spamlinks.net/prevent-secure-backscatter-fake.htm, http://www.spamcop.net/fom-serve/cache/329.html#bounces and http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#109 ) - actual source was xxx

    If you are receiving a lot of these, you obviously won't have time to identify the real source (it requires manual analysis), so just miss out the last part. However, by reporting to SpamCop, you increase the likelihood of the mail servers being added to their blocklist - and it seems that that is the only thing which gets many mail server administrators to actually fix the problem.
     
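The triage behind the advice above, as an added example that is not code from the thread or from any of its posters: given a bounce (DSN), it checks whether the "original" the bounce returns really left one of our own mail servers, and if not, drafts the SpamCop note quoted above with the earliest Received hop filled in as the actual source (or without that clause when no hop can be read). The domain example.com, the outbound server list and the sample bounce are constructed for illustration.

```python
"""Backscatter (joe-job bounce) triage. Added example, not from the thread;
the domain, the outbound host list and the sample DSN are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

OUR_DOMAIN = "example.com"          # constructed: the domain being joe-jobbed
OUR_OUTBOUND_IPS = {"192.0.2.10"}   # constructed: the only hosts we send mail from

# Constructed sample DSN: the returned original claims to be from our domain,
# but its earliest Received hop is an address we do not operate.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net
To: sales@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

Received: from mail.example.net (mail.example.net [198.51.100.5])
 by mx.example.net with ESMTP; Tue, 5 Dec 2006 10:00:00 +0000
Received: from unknown (HELO example.com) (203.0.113.77)
 by mail.example.net with SMTP; Tue, 5 Dec 2006 09:59:58 +0000
From: sales@example.com
To: victim@example.net
Subject: Cheap meds

buy now

--B1--
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hop_ip(received: str) -> Optional[str]:
    """First IPv4 literal in the 'from ...' part of one Received header."""
    text = " ".join(received.split())        # unfold continuation lines
    from_part = text.split(" by ", 1)[0]     # ignore the receiving host
    m = IPV4.search(from_part)
    return m.group(1) if m else None


def returned_original(bounce):
    """The message/rfc822 part a DSN carries, or None if there is none."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def spamcop_note(source_ip: Optional[str]) -> str:
    """The report note from the post above; the last clause is dropped when
    the real source could not be determined."""
    refs = ("http://spamlinks.net/prevent-secure-backscatter-fake.htm",
            "http://www.spamcop.net/fom-serve/cache/329.html#bounces",
            "http://www.spamhaus.org/faq/answers.lasso?section=ISP%20Spam%20Issues#109")
    note = ("Spam (with forged sender address) bounced to third party "
            f"(see {refs[0]}, {refs[1]} and {refs[2]})")
    if source_ip:
        note += f" - actual source was {source_ip}"
    return note


def analyse_bounce(raw: str, our_domain: str = OUR_DOMAIN,
                   our_ips: set = OUR_OUTBOUND_IPS) -> dict:
    """'backscatter' is True when the returned original uses our domain as
    sender but did not enter the mail system through one of our servers."""
    bounce = email.message_from_string(raw, policy=policy.default)
    original = returned_original(bounce)
    if original is None:
        return {"backscatter": False, "source_ip": None, "note": None}

    sender = parseaddr(str(original.get("From", "")))[1]
    sender_domain = sender.rpartition("@")[2].lower()

    # Each hop prepends its Received header, so the last one is the earliest
    # hop visible: where the message entered the mail system.
    hops = [str(h) for h in original.get_all("Received", [])]
    source_ip = hop_ip(hops[-1]) if hops else None

    forged = sender_domain == our_domain and source_ip not in our_ips
    return {"backscatter": forged,
            "source_ip": source_ip if forged else None,
            "note": spamcop_note(source_ip) if forged else None}


if __name__ == "__main__":
    result = analyse_bounce(SAMPLE_BOUNCE)
    print("backscatter:", result["backscatter"], "source:", result["source_ip"])
    print(result["note"])
```

The sender check reads the From header of the returned original; where the bouncing server preserves the Return-Path, comparing that envelope sender as well is more reliable, since spam often forges one and not the other. The earliest Received header is only as trustworthy as the hop that wrote it, which is why the note reports it as the apparent source rather than as proof.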
  16. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Spur-M-Enator(TM) - New Version!

    New Spur-M-Enator(TM)

    Newest version with several modifications. Before downloading and running I would recommend reading this first:

    1: They definitely don't want us running this despite spamming us on a daily basis for these products, so they continue to use a javascript retaliation on their page output.
    2: To get around this, I recommend running this ONLY in Firefox, and ONLY while also running the NoScript extension:

    https://addons.mozilla.org/firefox/722/

    Install that while in FireFox, restart FireFox, then load the kill.html file. You'll notice that it says it's prohibiting JavaScript. Click on the "Options..." button and select the "Allow file:\\" item. Then reload.

    The window that pops will also be prohibiting JavaScript. We want that. :)

    If you ever see anything but a blank screen on the popped / ordering window, that means they've modified something else. Please report that here if so.

    Here are all the mirror download links:

    http://www.mytempdir.com/1098424
    http://www.mytempdir.com/1098430
    http://www.mytempdir.com/1098432
    http://www.mytempdir.com/1098433
    http://www.mytempdir.com/1098438
    http://www.mytempdir.com/1098440
    http://www.mytempdir.com/1098443
    http://www.mytempdir.com/1098447
    http://www.mytempdir.com/1098448

    I also noticed something else that's interesting:

    Code:
    Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76
    
    Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76
    
    Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/database/public_html/onse/process.php on line 341
    That's what appears when we attempt to order a product while using an incorrect product name. That never used to happen before. This tells us two things. 1) They are definitely tied directly to GenBucks, because there are several forum postings all over the internet (many in Russian specifically) recommending the use of that "redalgo" script for session tracking. 2) They now are being very specific about order IDs, something they weren't doing previously.

    This current version is targeting the affiliate id "theman" which started being used immediately after the first Spur-M retaliation. Same spammer. New ID. Same products.

    Enjoy, and spread the word.

    SiL:thumb:
     
  17. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    spamislame,
    I like what you are doing, but I had stopped using your tool because I could not get it to work properly. However, since your most recent post outlining the proper instructions, I have started running it again. Keep up the good work!!!

    One word of caution that I'm sure you're well aware of: the "bad guys" usually tend to stay a step ahead of the "good guys." That is evident in the fact that you've entered the sort of cat-and-mouse game of defeating their countermeasures. It seems the usual war has begun.

    My concern is that they are going to find an effective way of filtering the bogus orders that your tool generates from the legitimate ones and do it in a way that keeps you from realizing that it is being done. For example, couldn’t they simply accept orders from clients that allow scripting? (Keep in mind that I’m not as educated on this stuff as you are, so my specific question should be interpreted more broadly to include other possible means of filtering)
     
  18. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    First: thanx for your kind words. :) I love this stuff.

    I am well aware that they attempt to counter this and, as if I needed proof, today I suddenly saw two email messages arrive in my Gmail spam folder with three URLs, one each for HerbalKing, Vigramax and Wonderspurm (formerly Wondercum.)

    Obviously they're seeing the new orders come in. Which is fine. That's the desired effect.

    The fact that I discovered this particular exploit of their db servers means that they will be very careful in their future site setups. The only reason I was even able to discover the gborders.com domain (etc.) was due to them abusing a hijacked public server (they don't own any of the servers these are hosted on) which had not yet had PHP configured. It exposed all their script code which showed me where the orders actually get posted. That is unlikely to happen again anytime soon.

    In the meantime I have built numerous other retaliators which I maintain over time. So has a guy named Karlston on thecarpcstore site. He's gone as far as creating actual firefox extensions which work like a hot-damn.

    Fact is: I fully expect them to attempt to stop accepting based on referring url (all the My Canadian Pharmacy sites do that now. They sure didn't used to. :) ) But the good news is that in the meantime: every order we send them is costing them money. So I say: send as many as possible. The whole reason spammers continue to do this is that it allegedly "costs them nothing." I want that part to change. They don't.

    Babbling again.

    Thanx

    SiL
     
  19. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Just wanted to let you know that since you've developed and released your tools here on Wilders, I've done around 50,000 orders (approximately). I am posting a screenshot of my count since last reboot (I'm going to update the image occasionally to reflect the current status). I want to see how many orders I can rack up if I let it run for a few days.
     
    Last edited: Dec 5, 2006
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Looks like your postman is going to be kept pretty busy with all those packages. :D

    However for security reasons, I would recommend that those using retaliators like this don't provide any personal details or any information that could link back to an email address (including personal domains or websites). It is quite possible for the spammers to view this thread and do research to find targets of their own.

    As long as retaliators remain "one in a crowd" though, there should be little to fear.
     
  21. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    Last edited: Dec 5, 2006
  22. herbalist

    herbalist Guest

    Want another target? How about one for Fifth Third Bank?
    "Fifth Third Bank reminder: account secure confirmation procedure"
    hxxp://www.53.com.bankingportal.id63783784580.aslosinsite.jp/sbcbconfirm
     
  23. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Hey: they wanted us to shop even more for the Xmas season. We're just giving them EXACTLY what they asked for. :)

    Nice work!

    SiL:thumb:
     
  24. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    I am also running through TOR now. I like TOR, but I do not think it is fast enough to use for everyday surfing. However, it is perfect for this application.
     
  25. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Newest Version

    Latest edition, mirrored:

    http://www.mytempdir.com/1103967
    http://www.mytempdir.com/1103969
    http://www.mytempdir.com/1103971
    http://www.mytempdir.com/1103972
    http://www.mytempdir.com/1103973

    There ya go.

    New affiliate id "bb" is reflected on all products (not giving up on "theman" though.)
    New order id types for the manxl product type.

    I am noticing that gborders now disallows me from loading that page. I'm wondering if that is their most recent modification. :)

    If so this may be the end of the line for this specific retaliation. Lemme know.

    I hate this asshole so much! I'm sure all of you do too.

    Thanx again people.

    SiL
     