A short cynical Become a Spammer Tutorial
Submitted by eazrael on Sun, 28. Apr 2019 01:22:50
Developing my own spam filter is one of my hobbies so I do a lot of spam analyses and I always see the same names, techniques and schemes. This tutorial is written from the view of spam recipient and reporter.
Starting a successful spamming business is quite easy. So what do you need?
1. Some way to generate revenue
In the end you want to make money, so what options do you have?
-
Start your own business like selling fake gucci handbags, cheap potency-enhancing drugs (or just some dextrose bonbons), logos for your victims' websites or whatever you can imagine. You just need some web space. Recommended are hosting companies in Ukraine, Russia or other 2nd or 3rd world shithole countries who do have anti spam laws or do not enforce them. If you need first class hosting, go for western lage hosting companies like Amazon Web Services, 1&1, OVH, Hetzner, Softlayer an so on. You can create a Virtual Machine almost instantaneous, quite anonymously and very cheap. What about abuse reports? If the companies react at all, you have plenty of time before they do so. And if you want some extra time, use the free services of Cloudflare. Cloudflare is for incoming traffic almost the same as anonymous VPN is for outgoing traffic.
And no need to buy commodities. Your "customers" do not expect to receive anything -
The easier way is something called "Referral marketing" where you promote goods and services from 3rd parties. Your customer (not the spam recipient) will give you a special link which you can send to your "subscribers" (US legal term for "UCE recipient") and when your happy subscriber click on the link and buy or order from your partner you will get a commission. Becoming a partner is easy, mostly automated without any need of authentication and as a bonus, these partners do not care much for spam as in the end you will drive new customers to them. It also helps to have some intermediaries, as the grade of responsibilty diminishes with each level of indirection. If necessary you can also create intermediaries yourself, just in case you get into trouble you can proclaim that your intermediary already terminated the partnership with bad evil spammer. Just invent a new name and start again. From my personal experience, Indiegogo and Kickstarter are good intermediaries, not taking responsibility for anything.
More dubious partners like illegal gambling sites operating from Panama or Belize or binary options trading sites are even more problem-free. - Feeling creative? Pretend to be a nigerian prince and offer a huge reward for a small up-front fee.
2. Recipients for your advertisements
How do you find happy "subcribers" and future customers?
- Harvest the internet for public email addresses. You need a crawler and harvester which will search for email addresses on web sites. There are ready to use solutions which can be bought for a few bucks. Or ask your neighbors' kid. He will develop one for 20€.
- Buy a list. Usually you will get emailed an offer of 1 million verified company contact information for 100$ every 2 days or so. Of course all the recipients on these lists consented to receive junk mails, like you, or did you expect to be exempted from this list?
- Download a list generously made public domain by some benevolent hacker. Sometimes ideals publish personal data they liberated from evil corporations. These lists are usually named after the evil corporations, so fire up google, search for the corporate name, add the terms "hack" "leak", "download" or "torrent" to the search and download the list you want. A catalog of known public lists is avalaible from HaveIBeenPwned.com. Choosing the best list for your business is important. If you want to "promote" a indiegogo or Kickstarter project, the "Kickstarter 2014" list may be wisest choice as people who backed crowdfunding projects before are more likely to invest in future projects.
3. Send out millions of newsletters
Sending out millions of mails needs a lot of bandwidth, usually more than your DSL line and your VPN can provide. Possible solutions:
- Rent your own world wide mail cluster. Your neighbors' kid can help you by installing mail relay agents on computers around the world to make use the unused bandwidth of their internet uplinks. This works without manual interaction of the owners. These large mail grids can also be rented for a small fee. The darknet has many offers. One downside is that dial-up connections may be either firewalled by the internet provider or listed as untrusted mail sender on public blacklists.
- Rent a small cheap VPS. VPS are virtual server can be rented for a s little as 3€/month from the same hosting companies mentioned in the first step. The registration is automated without any authentication, the setup is automatized and after paying the first monthly it takes only a few minutes until you can start sending out your mails. Of course you need some Linux or Windows administration skills.
- For your first time I recommend to use professional services. Sendgrid and Mailchimp offer mail services, even for free and seemingly without any serious authentication or verification. Send out a lot of mails and benefit from their "good reputation". Not sure how they handle spam complaints internally, but my observation is "> /dev/null". It took me a lot of mails to get one of my email addresses blacklisted a mailchimp. Unfortunately shortly after that one legit sender tried to mail via mailchimp. Bad luck. AFAIR sendgrid was blacklisted for spam reporting on SpamCop.
This should be all you need to start a successful spam company. Of course every can be optimized. You may want to use anonymizing VPNs (google..), Anonymous Prepaid Credit Cards (Wirecard in Germany), anonymous Mail addresses for registrations, anonymous mobile phones (still available in europe), bitcoin wallets and so on.
The Internet is for porn spam
Why I am writing this? I am really pissed. Why I am pissed is described above. This works really great and too often. All the participants are named. I get spam mails for projects on Kickstarter or Indiegogo, usually sent via the named mail services in 3) or via the hosters in 1). The links in the mails are usually tracking links hosted by the companies listed in 1) optionally protected by cloudflare. These are only redirects to some intermediaries as listed in 1), after one or two redirects you end up with a referral link to Indiegogo or Kickstarter. And the target mail address was the address used on kickstarter in 2014.
I report this backwards to all participants.
- support@ or abuse@ kickstarter/indiegogo is like a black hole. No answer, no reaction. Even kickstarter seems to not care that the address was leaked from their own site.
- These intermediaries deny any responsibily for the actions of their partners or "boosters" as one called his partners. Some take some "actions" with the only result that the next mail comes from a company with a sligthly changed name. Maybe the people behind this operations are the same.
- Cloudflare never reacts on any mail sent through spamcop. Even malware gets protected by them
- Mailchimp and Sendgrid are annoyances at best. On the one hand, what can they do if creating a new account is almost effortless? And on the other hand how serious are their actions when after forwarding the spam mail in full to their abuse addresses you get the request to upload the headers via a web form. Or you get a ticket link for your report, but you can read the ticket as you do not have an account there??
Time taken for this text: 3h. No proof reading. Sorry.
Rubrik:
Add new comment