New Spam Retaliation Tool

Discussion in 'other security issues & news' started by Paranoid2000, Nov 8, 2006.

Thread Status:
Not open for further replies.
  1. herbalist

    herbalist Guest

    Re: Newest Version

    Your newest ones run fine on Sea Monkey with Proxomitron. Most of them reply with the download hard drive popup now.

    Using version D:
    At hxxp://4yz.com/

    Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76

    Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76

    Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/database/public_html/onse/process.php on line 341

    At hxxp://database3.com/
    Half the time, window is empty. Half the time contains:

    Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76

    Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home/database/public_html/onse/process.php:4) in /home/database/public_html/onse/redalgo/redalgo.php on line 76

    Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/database/public_html/onse/process.php on line 341

    At hxxp://gborders.com/
    Windows usually empty. Occasionally:

    Warning: mysql_free_result(): supplied argument is not a valid MySQL result resource in /home/gborders/public_html/onse/process.php on line 345

    Rick
     
  2. herbalist

    herbalist Guest

    Re: Newest Version

    Using Version B and C, the opened window is usually empty. Occasionally it contains the same text as above but far less often. Version A contains the same messages, more often than with B or C.

    To anyone using these scripts and running SSM. The window filter module of SSM can be used to close those "we've downloaded your hard drive" popups. Just open to modules, then window filters. When the popup is visible on your desk, select it from the window list and add it to the filter list. At present, there are 2 different ones, only the site name on the title bar changes.
    Rick
     
  3. EASTER.2010

    EASTER.2010 Guest

    I'm another one of those. Glad for the Window Filter. I usually don't bother to enable that feature but in this case comes in handy. Thanks.
     
  4. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Re: Newest Version

    I guess I was not clear: all versions listed are identical. There is no difference between them. I only named them differently so I could have multiple downloads from mytempdir (since they are suddenly a lot more flaky lately.)

    It won't matter which one you download: they're identical. Any randomly different results probably have to do with which server you're hitting, which is randomly selected.

    Thought that was certainly worth mentioning.

    They've begun banning ip's :) If you use TOR, you'll notice that once in a while you get a permission denied page. Just switch identities. It should alleviate this issue.

    I'm seeing a few new sites being spamvertised but they last so short a time I haven't been able to investigate so I could add them to this tool. Life must be getting more difficult for these idiot spammers. One can only hope.

    Thanx

    SiL
     
  5. herbalist

    herbalist Guest

    Re: Newest Version

    All the same? Interesting that when running "D", I got those messages far more often than with the others, on several runs with each.
    So far, my regular unit is not blocked, and the dialup unit definitely isn't. Packaged the way they are, your scripts work well in my task scheduler.
    I haven't had any success with TOR. Not sure if the problem is TOR or Vidalia, but when I use Vidalia to start TOR, my system resources get depleted to nothing in a matter of seconds, even with everything but the essentials shut off.
    Rick
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Re: Newest Version

    I see very high CPU utilisation by Tor when started with Vidalia - possibly due to Vidalia collecting the router information it needs for its network map.

    However there is a new FormFiller retaliator available now for one of the longest-running spammers, MyCanadianPharmacy/InternationalLegalRX, which runs as a FormFiller extension in Firefox (GreaseMonkey required, NoScript and User Agent Switcher extensions strongly recommended along with Tor - this won't work with Proxomitron's filters). See the Pharma KS FormFiller thread for more details and instructions. It does require more attention (you may need to reload a page if you receive a 404/503 error) but otherwise provides an easy method for dealing with one of the worst spammers.
     
  7. herbalist

    herbalist Guest

    Re: Newest Version

    I get a high CPU usage initially, but it levels off after a bit. Ends up at 75% unused after a while. It's the available system resources that get pounded on mine. I just tried it again, shutting down everything else except SSM and the firewall. Started at 80% free resources. After about 90 seconds, I was down to 12% and had to shut TOR down. I didn't try to actually use TOR. Just started it up Vidalia. My 98 box doesn't make it easy to see which one is using it up. I'm pretty much resigned to not being able to use TOR.
    Rick
     
  8. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
    I just realized that I made a mistake in post #96 of this thread. Since I started hosting the images with Image Shack, I just realized that I do not have the same control over the file name that I'm used to. If a moderator would be so kind as to remove that post of mine that would help clean up my mistake.

    At any rate, this is what I wanted to show:

    http://img482.imageshack.us/img482/2985/countsk6.jpg
     
  9. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    825
    Location:
    United States
  10. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Newest version, again...

    Well they certainly aren't stopping anytime soon are they? They just switch affiliate id's. Today's is "xproject" (oooo... mysteeeeeerious. Bunch of idiots.)

    So here ya go:

    http://www.mytempdir.com/1113475
    http://www.mytempdir.com/1113477
    http://www.mytempdir.com/1113480
    http://www.mytempdir.com/1113481
    http://www.mytempdir.com/1113484
    http://www.mytempdir.com/1113487
    http://www.mytempdir.com/1113488
    http://www.mytempdir.com/1113489
    http://www.mytempdir.com/1113492

    All are identical, I just post it several times due to the on again / off again nature of mytempdir.

    Again: use FireFox, and make sure you have the NoScript extension. (Read the "whatitdoes.html" file.)

    Thanx

    SiL:thumb:
     
  11. herbalist

    herbalist Guest

    Re: Newest version, again...

    Works good on Sea Monkey with Proxomitron again. Haven't seen any of the previous error messages with this version. Does that "we've downloaded your hard drive" message pop up for real customers too? SSM still closes that popup nicely.
    What is the justincaserator.html file for?
    Rick
     
    Last edited by a moderator: Dec 13, 2006
  12. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Re: Newest version, again...

    It's a verification piece I wrote. One affiliate = one product = one site. Had to verify because they change affiliates every so often and I wanted to make sure I had the right number of each item.

    Thanx

    SiL
     
  13. Andysan73

    Andysan73 Registered Member

    Joined:
    Dec 26, 2006
    Posts:
    1
    Hello guys, a great site and topic. I am totally fed up over 100+ spam email now for Viagra, fake watches and Africans asking for their head kicking in.

    I have tried and used your spurminator, but my question is this: I use osk and mail. When I get a spam email, ~Unnecessary comment removed - Ron~ how do I can the spurminator to attack them back?

    How do I find out the information I need?
    And how do I alter the sperminator to get back at these bastards?

    cheers.

    Andy "balls as big as buckets" san.
     
    Last edited by a moderator: Dec 26, 2006
  14. Red Dwarf

    Red Dwarf Registered Member

    Joined:
    Jan 1, 2007
    Posts:
    9
    3 Pharmacy Retaliators: My Canadian, International RX, US Drugs

    Newest versions of the hands-off fully automated retaliators for 2007

    US Drugs or American Pharmacy
    AutoAP . . . . . http://www.mytempdir.com/1144741

    My Canadian Pharmacy
    AutoCAN . . . . http://www.mytempdir.com/1144745

    International Legal RX
    AutoIRX . . . . http://www.mytempdir.com/1144751


    If you have KS retaliator installed as well, ( http://thecarpcstore.com/phpbb2/viewtopic.php?t=459 ) deactivate it by clicking on the smiling grease-monkey icon. Only one automated form-filler at once should be active, or else they will conflict.

    Be sure to read the documentation file before use.

    Download, unzip, browse the unzipped directory, and launch the application. It will have a grey circular icon with a triangle within it.

    Treat these like screen-savers, you can run any one of them overnight.

    Environment - Windows and Mozilla Firefox browser
     
    Last edited: Jan 1, 2007
  15. herbalist

    herbalist Guest

    Re: 3 Pharmacy Retaliators: My Canadian, International RX, US Drugs

    Anyone want to work this site over a little before it's taken down? Bank phish. Already reported it to Bank of America and Pirt.
    hxxp://www.bankofamerica.com.onlinebankingid59489489.sanshi.biz/session.cgi/
    I've given them accounts for Elmer Fudd, Bugs Bunny, and a few other "customers".

    Rick
     
  16. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Re: 3 Pharmacy Retaliators: My Canadian, International RX, US Drugs

    I don't understand this answer :doubt:

    Gerard
     
  17. spamislame

    spamislame Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    52
    Re: 3 Pharmacy Retaliators: My Canadian, International RX, US Drugs

    It's a phishing site. So that user sent them fake information. :)

    I've written retaliation scripts for phishing sites which automate that process. The idea is: get lots of people to send as many fakes as possible so that the criminals behind the site have to weed through (literally) hundreds of thousands of fake entries before finding anything that's actually real. It's quite effective and I know for a fact that it pisses these spammers off. They make drastic but very rough modifications to their forms in an attempt to stop this from occurring.

    This site is already down, btw.

    SiL
     
  18. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    EU
    Re: 3 Pharmacy Retaliators: My Canadian, International RX, US Drugs

    Hi SiL,

    I know what's up, I ordered a lot so far ;), I just didn't understand the post made by Herbalist regarding this.

    Gerard
     
  19. herbalist

    herbalist Guest

    Re: 3 Pharmacy Retaliators: My Canadian, International RX, US Drugs

    That one came down quick. Just got the e-mail late last nite.
    Gerard,
    I get these phish e-mails quite regularly. Sil put together a nice script earlier that made a Sears phish I received easier to attack. I realize that this isn't related to the pharmacy spam many of us get in abundance, but these phishers are as criminal as any spammer and deserve the same treatment. Besides, this phish came as spam e-mail too. Sure, we can report them to all the usual places and wait for them to get taken down, but these scum know that's going to happen. By the time they're taken down, they've already made money deceiving the unwary. But if it's targeted by enough people, it takes some of the profit out of it for them. I just post targets when I get them for anyone else who enjoys hitting them. Judging by this thread, several of us enjoy it.
    Rick
     
  20. EASTER.2010

    EASTER.2010 Guest

    I'm always busy doing something screen-front so I definitely enjoy crowding out those ridiculous and annoying spammer-brains. Sort of like performing multi-tasking duties and checking every so often during the day/night how many fammy whammers went into their orders forms.
     
  21. Red Dwarf

    Red Dwarf Registered Member

    Joined:
    Jan 1, 2007
    Posts:
    9
    Re: 3 Pharmacy Retaliators: My Canadian, International RX, US Drugs

    Updated Jan 8th version has fixed a small bug that caused the automater to stop running occasionally. We can't have that :eek:
     
    Last edited: Jan 9, 2007
  22. latot

    latot Registered Member

    Joined:
    Feb 1, 2007
    Posts:
    1
    Hello to everyone and thanks for the info that I have gotten here. I was getting a lot of spam so I searched for a place for help. This is where I wound up. I downloaded the Spur M Enator and sent over 5000 orders. I hoped this choked them a little bit; I know it cut back on my mail. Now it is coming in where you have to click on an address and I don't think I am hurting these people. I will keep searching ways to kick these guys in the pants, so thanks for all the help. I have a question about Firefox and Tor: I go to a site that you have to sign in but they always say (welcome back your last visit was). How do they know that it is my computer signing in if the IP is changing when I use Firefox and Tor? Just curious because if the spammers know my IP every time also then they are probably banning my orders. Thanks again.
     
  23. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,181
    tried to download it but no links work

    but thanks
     
  24. Red Dwarf

    Red Dwarf Registered Member

    Joined:
    Jan 1, 2007
    Posts:
    9
  25. Red Dwarf

    Red Dwarf Registered Member

    Joined:
    Jan 1, 2007
    Posts:
    9
    Complainterator V8

    Complainterator Version 8

    Version 8 of the automated complaint generator is now available

    When you get a spamvertized site name, like c987fhj4rf8r.example.com/?oijoiufq
    you can use the Complainterator to request the registrar who provides the name servers to remove them.
    That takes down the spamvertized site, as well as any others registered under the same name servers.
    Just fire up the Complainterator, key in the example.com and watch it do its thing. *puppy*

    You can find it at this location
    and also at the download section of the European Spam Wiki

    This tool and its method have been in use since August 2006 and have resulted in the removal of 250 name servers from 12 different registrars, shutting down over 3,000 spammed sites.
     
    Last edited: Mar 1, 2007
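
The reporting flow described in the post above (spamvertized host, then its domain, then the shared name servers and the registrar to contact), as an added example that is not part of the thread and not the Complainterator's own code. The WHOIS-style records are constructed, the function names are hypothetical, and the last-two-labels domain guess is a simplifying assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed WHOIS-style records (not real registry data).
_REG = "Registrar: Example Registrar, Inc.\nRegistrar Abuse Contact Email: abuse@registrar.example\n"
SAMPLE_WHOIS = {
    "example.com": _REG + "Name Server: NS1.DNSHOST.EXAMPLE\nName Server: NS2.DNSHOST.EXAMPLE\n",
    "example.net": _REG + "Name Server: ns2.dnshost.example\nName Server: ns1.dnshost.example\n",
    "example.org": "Registrar: Other Registrar Ltd.\nName Server: ns1.unrelated.example\n",
}

def registered_domain(spam_url):
    """Naive last-two-labels guess (assumption); real code needs the Public Suffix List."""
    host = urlsplit(spam_url if "//" in spam_url else "//" + spam_url).hostname
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_whois(text):
    """Pull registrar, abuse contact and name servers from 'Key: value' lines."""
    fields = defaultdict(list)
    for key, value in re.findall(r"^\s*([^:\n]+):[ \t]*(.+?)\s*$", text, re.M):
        fields[key.strip().lower()].append(value)
    return {
        "registrar": (fields["registrar"] or [None])[0],
        "abuse": (fields["registrar abuse contact email"] or [None])[0],
        # Case and trailing dots vary between records, so normalise before comparing.
        "nameservers": frozenset(ns.lower().rstrip(".") for ns in fields["name server"]),
    }

def group_by_nameservers(whois_by_domain):
    """Map each name-server set to the sorted domains that delegate to it."""
    groups = defaultdict(list)
    for domain, text in whois_by_domain.items():
        groups[parse_whois(text)["nameservers"]].append(domain)
    return {ns: sorted(doms) for ns, doms in groups.items()}

def draft_report(spam_url, whois_by_domain):
    """Summarise who to report to and which other domains share the name servers."""
    domain = registered_domain(spam_url)
    rec = parse_whois(whois_by_domain[domain])
    siblings = group_by_nameservers(whois_by_domain)[rec["nameservers"]]
    return {"domain": domain, "to": rec["abuse"], "registrar": rec["registrar"],
            "nameservers": sorted(rec["nameservers"]), "same_nameservers": siblings}
```
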