2013-11-19

Cynical security experts often dismiss anti-spam activists as grumpy idealists with a singular, Sisyphean obsession. The cynics question whether it’s really worth all that time and effort to complain to ISPs and hosting providers about customers that are sending junk email. Well, according to at least one underground service designed for spammers seeking to avoid anti-spam activists, the answer is a resounding “yes!”



Until recently, this reporter was injected into one of the most active and private underground spam forums (the forum no longer exists; for better or worse, the administrator shuttered it in response to this story). Members of this spam forum sold and traded each other many types of services catering to the junk email industry, including comment spam tools, spam bots, malware, and “installs” — the practice of paying for the privilege of uploading your malware to machines that someone else has already infected.

But among the most consistently popular services on spammer forums are those that help junk emailers manage gigantic email address lists. More specifically, these services specialize in keeping huge distribution lists “scrubbed” of inactive addresses as well as those belonging to known security firms and anti-spam activists.

Just as credit card companies have a derisive nickname for customers who pay off their balances in full each month — these undesirables are called “deadbeats” — spammers often label anti-spam activists as “abusers,” even though the spammers themselves are the true abusers. The screen shot below shows one such email list management service, which includes several large lists of email addresses for people who have explicitly opted out of receiving junk messages (people who once purchased from spam but later asked to be removed or reported the messages as spam). Note the copyright symbol next to the “Dark Side 2012” notation, which is a nice touch:



This service made for spammers helps them scrub email distribution lists of addresses for anti-spam activists and security firms.

The bottom line shows that this service also includes a list of more than 580,000 email addresses thought to be associated with anti-spam activists, security firms and other “abusers.” This list included a number of “spamtrap” addresses created specifically for collecting and reporting spam. The note in the above entry — “abusers_from_severa” — indicates that this particular list was provided by an infamous Russian spammer known as Peter Severa. This blog has featured several stories about Severa, including one that examines his possible identity and role in the development and dissemination of the Waledac and Storm worms.



These lists include known antivirus industry honeypots and IP addresses of malware scanners to avoid.

The second list from the top in the image directly above reads “[TheCC_crew]_AV_IP_drop”. The administrator of the spammer-friendly forum thecc[dot]bz is the same miscreant who claimed responsibility for sending this reporter a gram of heroin ordered off the Silk Road earlier this year.

Chris Barton, senior director of security research and operations at anti-spam provider Cloudmark Inc., said established spammers are keen to avoid mailing anyone they suspect may try to disrupt their business or make it more expensive.

“Many of the list names indicate that the data is sourced from suppression lists,” Barton said. “We know these suppression lists are regularly traded about so it’s interesting to see that there is also an underground market for them.”

Want to make life more difficult for spammers? Avoid clicking unsubscribe links in the junk emails; for the really spammy stuff, this could get you in trouble (unless it’s an email list you signed up for previously, and then you really should unsubscribe). Rather, consider signing up to report abuse through entities like SpamCop. About.com has compiled a decent list of resources for those interested in reporting spam, either through SpamCop or by going it alone.
