Unsecured backup exposes global spam farm
Mon 6 Mar 2017
A notorious spamming organisation responsible for sending up to a billion unwanted messages a day has inadvertently revealed its entire operation by failing to secure a network-accessible backup of its files.
A cooperative effort between Mackeeper’s Security Research Centre, CSOonline and Spamhaus took place last month when Chris Vickery, one of Mackeeper’s researchers, discovered an unsecured and publicly exposed repository of company backup files containing damning information about the practices of River City Media (RCM), an initiative led by notorious spammers Matt Ferris and Alvin Slocombe.
According to Mackeeper, RCM positions itself as a legitimate marketing company, subject to the regulations around mailshots, while surreptitiously sending close to 1 billion illegitimate spam messages daily.
The researchers noted the presence of incriminating logs, including the following – one of many chat exchanges exposing the hacks and workarounds that kept RCM stuffing users’ inboxes with spam:
The method in the exchange describes how the spammers open the maximum possible number of connections while staggering their own response packets haphazardly, holding off conventional protections against such spamming operations for as long as possible. It is a twist on the Slowloris attack, which is designed to cripple a web server rather than subvert it in this way.
The researchers report that details about RCM’s operations have been sent to Apple, Microsoft, Salted Hash and other concerned parties, and that their approach to law enforcement agencies has been met with great interest.
The exposed database contains 1.4 billion user records, including (but not limited to) full names, IP addresses and, in many cases, real-world addresses. Many of the entries are ‘legacy’ in nature, deriving from information gathered over many years, and are often out of date. But Mackeeper’s cursory checks against social media suggest that a large proportion of the entries are still valid.
Following the discovery, Spamhaus (an open repository of information about spam-sending domains) will blacklist RCM. Since Spamhaus is one of the critical nodes in the internet’s anti-spam defences, this alone is likely to cripple RCM’s further operations.
The exposure of the information that RCM unintentionally made public has been ascribed to a faulty Remote Sync (rsync) backup.
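As an added illustration that is not part of the original article, the following Python script audits an rsyncd.conf for backup modules that lack the daemon's own access controls (`auth users`/`secrets file` and `hosts allow`), the gap that leaves a module readable by anyone who can reach the daemon; the sample configuration, module names and paths are constructed.

```python
import re

# Constructed sample rsyncd.conf (not from the article): the first module
# repeats the exposure pattern (no auth, no host filter); the second is locked down.
SAMPLE_RSYNCD_CONF = """
uid = nobody
use chroot = yes
[backup]
    path = /srv/backup
[secured-backup]
    path = /srv/backup2
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
    list = no
"""

def parse_rsyncd_conf(text: str) -> dict[str, dict[str, str]]:
    """Return {module: {option: value}}; options before any [module] go under ''."""
    modules: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            modules[current] = {}
        elif "=" in line:
            key, _, value = line.partition("=")
            modules[current][key.strip().lower()] = value.strip()
    return modules

def audit_modules(conf: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Per module, list the missing access controls; an empty list means no finding."""
    findings = {}
    for name, opts in conf.items():
        if name == "":
            continue
        eff = {**conf[""], **opts}  # module settings override global defaults
        issues = []
        if "auth users" not in eff or "secrets file" not in eff:
            issues.append("no 'auth users'/'secrets file': anonymous access")
        if "hosts allow" not in eff:
            issues.append("no 'hosts allow': reachable from any client address")
        findings[name] = issues
    return findings
```

Run `audit_modules(parse_rsyncd_conf(open("/etc/rsyncd.conf").read()))` on a real daemon config; any module with a non-empty list is one to fix before the next backup runs.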