Innocent Bystander webary.com Damaged by Spammers

(Millions of internet users upset to receive streams of spam apparently from webary.com)

(Hundreds or Thousands of Internet Users' Machines are infected, churning out spam the users are unaware of)

(ISPs and Network Administrators all over the planet forced to waste time and resources due to spammers)

Overview - Innocent Bystander webary.com Damaged by Spammers

Webary.com has been and continues to be seriously damaged from being an innocent bystander to criminally fraudulent spammers' activities.

Since early September 2003, a group of these despicable spammers have been sending out their spamvertizing with the mail headers forged so that a novice user would think the spam came from our other domain, terrific.com.  We've been trying to get them to stop with little success, and a set of pages similar to this one documents the problems terrific.com has been having.

Apparently we did get their attention though, as on October 27 they started giving this domain, webary.com, the same destructive treatment.

We are talking about millions of spam messages.  Millions of users who might think webary.com is the domain that sent them the crap, and who we can't begin to contact in order to try and restore our ruined reputation with.  The spammers behind this charge other companies money to send spamvertizing out for those companies, as well as sending their own spams out. 

We can only try to respond to the few hundred who complain to us about getting the various spam messages which they received.  Dealing with just those complaints is a big, expensive, resource-consuming undertaking for a small business like ours, and at best we might restore our reputation with perhaps one person out of each ten thousand or so that have been spammed and complained to us.

The spammers who sent this crap out are going for volume, so their lists have all sorts of email addresses that don't exist, reject spam, have full mailboxes, have users on vacation who reply with away messages, etc.  Since the mail headers were forged to show webary.com as the sending domain name, we have been the ones to receive all those bounced mail messages for the spam that couldn't be delivered.  How many messages regarding undeliverable messages are we talking about?  "Fortunately" these spammers' mailing lists are fairly accurate, so the flow of bounced mail messages has peaked here at about seven per minute, or 420 new mails in an hour.  It varies by time of day; at the peak we have gotten just over 5000 bounced mail notifications in a day.

What are we doing about it?  Everything we can.  The spams are really coming from hundreds or thousands of infected users' machines all over the internet that are being used as slaves to the spammers themselves.  Most of those machines are owned by users that don't even know their machines have been hijacked.  A user who doesn't have adequate security defenses on their machine might have clicked on a link in a spam they received out of curiosity - and next thing you know that user's machine has a virus, a worm, a trojan program or an open mail proxy installed on it.  Users typically get tempted by offers of free pornography site passwords, being paid money to fill in surveys, etc.  Even though sensible people know there is no tooth fairy and that nothing is really "free", somehow their human greed gets them to accept one of these loaded free offers.  From that point on, the user's machine starts spewing spam in the background under the spammer's control without the user even knowing it.

It falls on us to analyze the headers of all of those thousands of bounced mail notifications and build a database of the user machines that are doing the spamming.  Then we have to write individual complaints to each of those users' ISPs or Network Administrators and attach proof that the user's machine is a spam spewing nuisance on the internet.  The ISPs or Network Administrators then have to terminate the user's account or access, notify the user, and get the user to disinfect their machine of the problem before connecting back up to the internet.  A high percentage of these users are naive or new users barely capable of booting their computer on a good day; many need to pay someone else to disinfect their machine.  The whole process wastes the time and resources of hundreds of talented people.  All this effort and countless unpaid hours just trying to stop the various offers to lengthen penises and con people out of their money could otherwise be spent actually doing the planet some good; it's a terrible waste and a moral crime against society that these spammers commit.  (A recent study estimates that 90% of all the spam on the internet is sent by less than 200 people who are a plague on society.  Whether they are criminals gone geeky or geeks gone criminal they need to be stopped for all of our sakes.)

Unless the spammers decide to change and use someone else's domain instead of webary.com in their mail headers, we will continue to suffer as innocent bystanders to their spamming.  (Of course, someone else will be having their domain ruined then instead of us, so the overall problem isn't solved, just the victims changed.)  This problem has happened to us in the past, but on those occasions we were only subjected to the problem for about a week before the spammers moved on and started using somebody else's domain name.  This time, it has gone on steadily and shows no sign of abating any time soon.

The only way to stop being affected is by getting those users' machines disinfected and eliminating them from the spammer's network of spam sending nodes.  If we can get infected machines removed from the internet faster than the spammers can trick more users into letting their machines be hijacked, then the spammers' networks could be disassembled and closed down.  Frankly, there are so many of them that we aren't making much of a dent in their network so far.  There seems to be a new user sucker born every minute, and it takes us longer than a minute to eliminate one.

Eventually the spammers might change and use some other domain, if they have a reason to.  The only reason we might give them is that maybe they will someday notice that their network is growing slowly as a result of our activity getting the users' machines it consists of disinfected.  Maybe then they will move on to harass some other domain owner that is even less able to defend themselves from the abuse.  Maybe they will change soon just to keep on the move and make it harder for people to filter out their spam.  Of course, by then, we will find that we cannot email to all sorts of places that are filtering based on mail appearing to come from webary.com.  So we can't just sit here and wait for the spammers to make webary.com into an unusable domain name before they move on.

Why have the spammers chosen to do this to webary.com?  We have been writing hundreds of emails to ISPs notifying them of their users' infected machines that were spewing spam in the name of terrific.com, and we have been writing to upstream providers to get some of the spamvertized web sites shut down.  Some of the ISPs are making money from the spammers, and are known to be "spam-friendly".  We think they passed our complaints directly back to the spammers themselves.  Those spammers then discovered webary.com by visiting terrific.com and decided to put webary.com on the list of domains they will destroy while selling their penis enlargement scams.  It's a message from them that they feel completely safe and immune from anything we can do about it, and that they will make our lives miserable if we try to defend ourselves from their crap.

The spammers themselves are pretty well untouchable by an organization our size.  Very large companies such as Verizon and AOL with deep pockets and big legal departments have tried in the past to remove particularly despicable spammers from the internet.  They have eventually gotten large judgments in their favor, but the spammers still go on spamming and even such moderate "justice" is only available to those who can afford the expensive pursuit of it.

Governments can pass laws of course, and at least if ours would do so then it would trim back on the spammers operating from the USA.  We are sad to see Congress spending so much time worrying about which bill goes through and who will get the credit for proposing it.  They have over time had many chances to solve the problem or at least solve part of it, but rather than passing a bill they continue to argue over whose bill they will pass instead.

We have started to analyze samples of the spam messages that have been going out with webary.com forged in the headers.  This is in part to help users that think we are responsible for the spams see how to analyze the headers themselves and how to find out where the spams actually come from.  Now and then we manage to track a spammer's site down and get it removed from the internet.  Like a whack-a-mole game, another spam site immediately springs up elsewhere, but at least it feels good to whack one now and then.  This is time consuming work and we must be sure to get it right and not point our fingers at the wrong people.  The links on the left of this page will take you to each of the sample analyses, and we plan to post these in some of the newsgroups or spew lists so that other spam fighters and spam victims can benefit from the information too.
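The header analysis described above, both for the bounced mail notifications and for the spam samples, can be sketched as follows. This is an added example, not webary.com's own tooling; the sample bounce, the host names under recipient.example and the function names are constructed for illustration, and it assumes the bounce returns the original message or its headers.

```python
import email
import re
from collections import Counter

# Constructed, abbreviated sample bounce (not real traffic); IPs are documentation ranges.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Status: 5.2.2

--B
Content-Type: message/rfc822

Received: from webary.com (unknown [203.0.113.45])
    by mx.recipient.example with SMTP; Mon, 27 Oct 2003 10:00:00 -0600
Received: from mail.webary.com ([192.0.2.1]) by webary.com
From: forged123@webary.com

body
--B--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def returned_message(bounce):
    # The spam itself comes back as a message/rfc822 or text/rfc822-headers part.
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None

def injecting_ip(raw_bounce):
    original = returned_message(email.message_from_string(raw_bounce))
    received = original.get_all("Received", []) if original is not None else []
    # Only the top-most Received line was written by the server that bounced
    # the mail; every line below it came from the sender and may be forged.
    match = IP_RE.search(received[0]) if received else None
    return match.group(1) if match else None

def tally(raw_bounces):
    return Counter(ip for ip in map(injecting_ip, raw_bounces) if ip)
```

The per-address counts from tally() are what a complaint to the responsible ISP or network administrator would be built on, with the returned headers attached as proof.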

This page last updated 10/31/2003 08:19:47 PM -0600