Thursday, November 19, 2009

The DDoS is still going on at a low level, so members with dynamic IP addresses may have difficulty getting access. Contact an admin through the forum email address (see below), or submit as a comment here if you don't get email notifications for forum posts.

For those of you who aren't members and are wondering what got the spammers so pissed off at us, the public areas of the site are still available via Google cache. Just do a search on

site:inboxrevenge.com

with or without additional search terms.

Areas of the forum only visible to registered members won't be available that way, but apparently even the public areas were good enough to earn the spammer seal of disapproval.

Tuesday, November 17, 2009

InboxRevenge.com currently up with limited access

The attack on IBR has slackened, so the forum is available on a limited basis. Still, there is a high likelihood members will find themselves blocked or that the attack will ramp up again.

You can contact an administrator about problems with access by replying to the same email address your forum notifications come from. Otherwise, you can post a private comment to this blog to request assistance. (Comments are moderated and won't appear if you ask us not to post them.)

DDoS against InboxRevenge.com continuing

We obviously weren't surprised the DDoS would start up again. We've had plenty of experience with attacks, both against our forum and Castlecops.com. In those instances, they kept coming back, week after week, each time the forums reappeared.

But the intensity of this attack is a bit of a puzzle. They're conducting a much heavier attack this time. IBR just went off line the last time when hit with the smaller attack. So regardless of how much traffic they send, they're still not striking any target. They do allow us to collect more IP addresses during brief periods of data collection. But there's not much point going nuclear when we were perfectly happy to go off line and wait during the less intense attack.

On the other hand, I do hope law enforcement is noting that these attackers are a serious threat and should be addressed aggressively. Not all websites have the luxury of conducting their operations offline whenever needed. What would a bunch of criminals like these guys be doing with that botnet when they aren't attacking us? I'm sure they're not using it to sell Girl Scout Cookies.

Monday, November 16, 2009

InboxRevenge.com again under DDoS

InboxRevenge.com members who are trying to log in are getting time outs. Another DDoS has been going on for several hours now. Our server is off line for now, so they are attacking nothing.

As before, our strategy has not been to try to weather the attack head on. The reason we have accomplished so much in fighting internet crime is that we are patient and take the long view. We can go off line and come back as often as necessary. Meanwhile this blatantly criminal attack exposes the attackers to greater scrutiny from law enforcement.

The best strategy for our members is to continue submitting reports on illegal websites to registrars, and to continue to get the word out about the fraudulent nature of spamvertised websites. As long as there is a person on the planet who thinks "Canadian Pharmacy" and "My Canadian Pharmacy" are in Canada, our work is not done.

Tell some friends about the following sources of information, put some links on your own websites, consider becoming a reviewer for SiteAdvisor or WebOfTrust to make sure anyone who tries to research a domain mentioned in a spam will find accurate information in the top search engine results:

The Spamwiki -- If possible, mention specific spamvertised brands and link to their spamwiki pages. This is an opportunity to educate people that buying from spammers means sharing your personal and credit card information with criminals:
http://www.spamtrackers.eu/wiki/index.php/Main_Page

Blogs and information sites including this blog. They can't shut them all down:
http://spamitmustfall.blogspot.com/
http://ikillspammers.blogspot.com/
http://garwarner.blogspot.com/
http://twitter.com/inboxrevenge
http://inboxrevenge.blogspot.com/
http://inboxrevenge.spaces.live.com/
http://inboxrevenge.wordpress.com/
http://spamtrackers.org/

SiteAdvisor and WebOfTrust -- many IBR members are highly rated reviewers for these:
http://www.siteadvisor.com/analysis/reviewercentral/
http://www.mywot.com/

Other antispam and security forums that many of our members participate in:
http://spywarehammer.com/simplemachinesforum/index.php
http://www.cybercrimeops.com/forums/index.php

Sites that accept forwarded spam/phish:
http://knujon.com/
http://www.spamcop.net/

Information on reporting active phishing sites, from IBR on Google cache:
http://bit.ly/238Ges

Wednesday, November 4, 2009

Here are some more fresh spammer URLs to report:

Still getting lots of spam for
awakehim.com and now danceraise.com
-- high value targets

domains already down:
hqasqwe1.me.uk
cegixbj.cn
ersd12wh.eu
doneswim.com

hanging by a thread:
pharmsstockmeant.com -- look at these nameservers:
ns3.whichdaring.com [59.63.157.207] 211.20.210.74 237ms
ns1.coolexcite.com [61.61.61.61] (Blackhole)
ns2.coolexcite.com [61.61.61.61] (Blackhole)
ns4.whichdaring.com [211.20.210.74] Timeout

And as for whichdaring.com, does anyone think this is a valid whois?
Domain Name.......... whichdaring.com
Creation Date........ 2009-08-03 03:30:42
Registration Date.... 2009-08-03 03:30:42
Expiry Date.......... 2010-08-03 03:30:42
Organisation Name.... Cheng sixixa
Organisation Address. Nan guang qu chong qing lu bai huo da lou B1 lou
Organisation Address.
Organisation Address. Nanguanqu
Organisation Address. 130025
Organisation Address. BJ
Organisation Address. CN

Admin Name........... Chengsixixa
Admin Address........ Nan guang qu chong qing lu bai huo da lou B1 lou
Admin Address........
Admin Address........ Nanguanqu
Admin Address........ 130025
Admin Address........ BJ
Admin Address........ CN
Admin Email.......... chengyudanyuaner@163.com
Admin Phone.......... +86.4315685301-0
Admin Fax............ +86.4315685301

Tech Name............ zeng xiwu
Tech Address......... wanbaodadao
Tech Address.........
Tech Address......... Changsha
Tech Address......... 410000
Tech Address......... HN
Tech Address......... CN
Tech Email........... agent19535@agent.dns.com.cn
Tech Phone........... +86.7312259236
Tech Fax............. +86.7312259236

Bill Name............ zeng xiwu
Bill Address......... wanbaodadao
Bill Address.........
Bill Address......... Changsha
Bill Address......... 410000
Bill Address......... HN
Bill Address......... CN
Bill Email........... agent19535@agent.dns.com.cn
Bill Phone........... +86.7312259236
Bill Fax............. +86.7312259236
Name Server.......... ns4.whichdaring.com
Name Server.......... ns3.whichdaring.com

Continued recognition of our anti-spam efforts

As of the current time we're back off line due to continued DDoS. We're definitely getting lots of attention from spammers. You rock, folks! We're small but get the job done.

Here are some domains to report while you're waiting. There are phishing sites, scam pharmacies, "replica" sites, etc. You know what to do :)


Post a comment and let us know how you've made out with these.

Tuesday, November 3, 2009

Difficulty accessing the forum?

The forum is up and running normally. There has been continued attack activity, but most has been blocked. Our hosting service, Servint, has done an outstanding job blocking a lot of the traffic before it even hits our server. The remainder has not been enough of an issue to slow anything down.

If you are still unable to access the forum, your IP address may have been included in a block of troublesome addresses. Let us know, so we can try to troubleshoot the problem. You can reply to the administrative email address for the forum (the one where your forum notifications come from). Or you can post it as a comment to this blog.

Sunday, November 1, 2009

Continued DDoS attacks on InboxRevenge.com

The DDoS attack from yesterday continues. Blocking a few troublesome IPs brought the traffic down to a level that was not a serious inconvenience, so the site came back on line this morning. You can expect it to go up and down or be slow intermittently for now. The server will be up at times even during a heavy attack to collect IP addresses of attacking bots for evidence.

If you're a regular member and not able to get on at all, please email us to make sure your IP isn't blocked. The easiest way is to reply to one of the emails you have received notifying you of forum post replies.

Good news -- DDoS attacks not over

Members may have noticed another recent outage for several hours. It was another confirmed DDoS, via a method called "SYN flood." In the past, these sorts of attacks have gone on for weeks. We just roll with it.

Why is it good news? It lets us know our efforts are worthwhile, because making internet crime less profitable is exactly what we're trying to accomplish. If we weren't making criminals want to attack us, we'd have to wonder what we were doing wrong. We never expect to achieve the amazing level of spammer ire that Blue Security suffered in its famous 2006 attack, but then we aren't planning to try to keep the site on line during the attacks. We just fall back to the alternate methods of spreading information. If our attackers would like to try to simultaneously take down Google, Microsoft, Twitter, Wordpress, and all the other sites we've established a presence on, they'll get themselves a lot more law enforcement attention than they're currently planning on.

Comments are open for this blog, though they have to be approved by a moderator. And if you have a comment that seems to merit its own "thread," we can repaste it as a blog post that can get its own comments.

Remember that SiL also has his two blogs, which also accept moderated comments:
http://ikillspammers.blogspot.com/
http://spamitmustfall.blogspot.com/

And we have our other sites for announcements:
http://twitter.com/inboxrevenge
http://inboxrevenge.wordpress.com/
http://inboxrevenge.webs.com/
http://spamtrackers.org
http://inboxrevenge.spaces.live.com/

As always, the best response to retaliation is to continue to do the reporting you were doing before -- but to do more of it.