Saturday, July 19, 2014

Spam

I noticed recently that Brian Krebs, well known (infamous among hackers) security blogger, is writing a book called Spam Nation which is available for pre-ordering on Amazon:

Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door

Then I ran across this interesting blog post about stock spam and the spam kings:

http://krebsonsecurity.com/2012/01/pharma-wars-google-the-cutwail-botmaster/

Spam is what started me down this whole security path. I wondered why the heck I was getting 900 spam messages per day. I started correlating the headers and I figured out that the same messages were coming out of servers of large companies like HP and Microsoft as well as smaller companies. I started reporting the spam but no one would do anything about it. I wasn't sure if anyone was really even paying attention to the emails, so eventually I stopped reporting and just blocked IPs sending spam from my servers and blogged about it.

I wonder if this stock spammer noted in the post above was responsible for the spam being generated on my server in 2006 which I wrote about in these blog posts:

http://randominternet.blogspot.com/2006/10/stock-spam.html

http://randominternet.blogspot.com/2006/07/port-25-check-it.html

When I reported to my hosting company (Rackspace) in 2006 that my server was hacked, because it was generating traffic on port 25 that wasn't from any of my systems, they didn't believe me. I was running an online hostel booking system for someone I met in Australia that was clearly hacked. I pinned down anomalous traffic and order patterns. Whenever I restarted my web server, it would get hit in quick succession by five random IP addresses - and it was a very low volume web server. I would then get one small order and no more. I was able to stop the malware initially by turning off my mail server. Miraculously, shutting down my mail server and blocking traffic on port 25 resulted in a huge increase in bookings. Then an odd thing happened. My "customer" in Australia, who had purchased the business from the original customer, complained they were getting too many bookings and weren't getting emails. My next step was to turn off the services one by one until I determined which one was sending the spam. Suddenly my "customer" called and cancelled the web site after the bookings increased once again. It was all very odd.

Now I'm pretty sure that the hack was somehow tunneling through SMTP or at least using SMTP to send messages related to the attack. I have never believed that spam is just spam. There is no way that many people are buying Viagra from a random email. Given that hackers used ICMP traffic to send data between systems in the Target breach, I have even more inclination to believe that spam is being used for covert communications, that it is not all spam, or that it is possibly used in some other way to infiltrate systems or remove data.

I had to fight to get my outbound firewall logs turned on to show me all the GOOD traffic back in 2006. I was told not to worry: I have a firewall. It's all just noise. The first sys admin wouldn't do it for me. I called back later in the evening when I knew a different person would pick up the phone, and by then I had a better idea what to ask for, so I sounded like I knew what I was talking about. (I was a bit clueless then, trying to figure things out with no help from anyone.)

When I was able to pinpoint the malicious activity and showed my hosting company the traffic on port 25 that wasn't mine, no one would believe me. They said they ran a virus checker and everything was fine. In fact, I got the boot from Rackspace. They paid me to go away.

Do you believe me now?

Not that I care anymore. 

I'm just really curious what the book will say and if it will give me any additional insight.