Thursday, May 22, 2008

I love getting spam!!!

OK, not really, but I have been looking forward to getting it the last two weeks. Why?

At the Ohio HTCIA spring conference, Greg and I sat in on a talk entitled Illicit Distribution Networks: Spam Tactics of Online Criminals by Garth Bruen of Knujon (no-junk spelled backwards). Garth gave a fascinating presentation on spam networks and argued that we should be targeting the web sites and domains advertised in spam rather than the machines sending it.

The theory is that if the illicit domains selling the advertised products are shut down, the people hiring spammers make less money and go out of business, which in turn puts the spammers out of business. Sounds solid to me.

Garth's organization, Knujon, works by having people forward it all the spam they can. Unlike other anti-spam organizations, Knujon is interested only in the spam body, not the headers: the headers point at whichever compromised machine happened to send the message, while the body names the web site being advertised. They parse the body for those domains and use them to contact registrars and press for the shutdown of illicit spam domains.

Garth gave a lot of great statistics, such as that 90% of all spam domains are set up through just 20 registrars (out of 800+). Brian Krebs recently covered more of this on his blog.

Signing up for an account on their site is easy. There are also a lot of plugins for mail programs that speed up the reporting process. I've been using one for Thunderbird and have probably sent Knujon close to 300 spam messages a day. I have not received any reports back yet, but once I do I'll post the results.
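As an added example (not Knujon's code, and not the author's), the following Python script does what the post describes: it reads only the message bodies, pulls out the advertised hostnames, collapses them to registrable domains, and then measures what share of those domains sits with the top registrars, which is the 90%-through-20-registrars statistic in miniature. The six spam bodies and the domain-to-registrar table are constructed for illustration and the registrar names are hypothetical; the two-label domain cut is a simplification of what a real tool would do with the Public Suffix List.

```python
"""
Added example (not Knujon's code): parse spam message *bodies* only,
extract the advertised domains, and measure how few domains and
registrars sit behind a pile of messages.

The sample messages and the domain -> registrar table are constructed
for illustration; the registrar names are hypothetical.
"""
import re
from collections import Counter

# Constructed sample: six spam bodies that advertise only three sites.
SAMPLE_SPAM = [
    "Cheap meds!! Order now at http://pillz-example.test/buy?ref=17",
    "Best prices here -> hxxp://www.pillz-example.test/",        # defanged link
    "Click: https://shop.rolexreplica-example.test/sale\n"
    "Unsubscribe: http://pillz-example.test/u",                   # two hosts
    "visit pillz-example.test today",                             # bare hostname
    '<a href="http://ROLEXREPLICA-EXAMPLE.test/?x=1">click</a>',  # HTML, upper-case
    "Your d1ploma is ready: www.diploma-example.test/apply",
]

# Constructed stand-in for a WHOIS lookup: registrable domain -> registrar.
REGISTRAR_OF = {
    "pillz-example.test": "Registrar A (hypothetical)",
    "rolexreplica-example.test": "Registrar A (hypothetical)",
    "diploma-example.test": "Registrar B (hypothetical)",
}

# A dotted run of labels ending in an alphabetic TLD. Scheme-agnostic on
# purpose so that bare hostnames and defanged hxxp:// links both count.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def extract_hosts(body):
    """Return every hostname mentioned in one spam body, lower-cased.

    Headers are deliberately never consulted: the sender is a throwaway
    compromised machine, the advertised host is the asset worth reporting.
    (Domains inside e-mail addresses in the body are matched too; filter
    those out if they are not wanted.)
    """
    return {m.group(1).lower() for m in HOST_RE.finditer(body)}


def registrable_domain(host):
    """Collapse www./shop. subdomains to the domain actually registered.

    Simplification: keeps the last two labels. Real code should consult the
    Public Suffix List so that e.g. example.co.uk is not cut down to co.uk.
    """
    return ".".join(host.split(".")[-2:])


def advertised_domains(messages):
    """Count, per registrable domain, how many messages advertise it.

    Each message counts a domain at most once, even if it links to it
    several times (tracking link plus unsubscribe link, for instance).
    """
    counts = Counter()
    for body in messages:
        counts.update({registrable_domain(h) for h in extract_hosts(body)})
    return counts


def registrar_share(domains, registrar_of, top_n=1):
    """Fraction of the advertised domains held by the top_n registrars.

    Computed over unique domains, not message volume, which is how the
    "90% of spam domains through 20 registrars" figure is framed.
    """
    if not domains:
        return 0.0
    per_registrar = Counter(registrar_of.get(d, "unknown") for d in domains)
    top = sum(n for _, n in per_registrar.most_common(top_n))
    return top / len(domains)


def summarize(messages, registrar_of):
    """Messages in, the small 'real material' of the campaign out."""
    counts = advertised_domains(messages)
    return {
        "messages": len(messages),
        "unique_domains": len(counts),
        "top_domain": counts.most_common(1)[0][0] if counts else None,
        "top1_registrar_share": registrar_share(counts, registrar_of, 1),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_SPAM, REGISTRAR_OF).items():
        print(f"{k}: {v}")
```

Run stand-alone it reports six messages, three unique domains, pillz-example.test as the most-advertised domain, and two thirds of the domains sitting with a single registrar. Swapping the constructed table for real WHOIS results and feeding in a mailbox of reported spam is the part Knujon does at scale.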

1 comment:

gbruen said...

Thanks for the posting. It is important to understand the context of the 20 registrars where 90% of the nastiness is happening.

Consider the Spam Balloon.

Knowing that a minority of companies control most of the sites advertised in spam helps put the junk email problem into better perspective. To illustrate this, consider a typical spam campaign. The emails are generated by tens of thousands of malware-compromised machines and networks on the Internet. They send millions of spam messages to millions of victims. Sounds like a big problem, right? Not exactly. Because the number of actual websites advertised in those millions of messages is rather small in comparison, the derivative of a spam campaign is seriously reduced. Reducing the true size even further is the fact that these real websites are held by one or maybe two registrar companies per campaign.

Imagine that a spam campaign is a balloon. A balloon is actually made of a very small amount of real material; it only appears bigger because it's full of hot air. The huge volume of sent spam messages is the hot air that pushes the boundaries of the Internet's resources, making the problem look bigger than it is. However, the air only stays in the balloon because it is knotted at the bottom. The registrars are this knot.

Graphic here:

Thanks again and Cthulhu ftagn