Peter Bennett first suspected his own Web site might have been turned into a spam-spewing zombie on the night of Nov. 11, when he discovered that a tiny program secretly uploaded to his site was forcing it to belch out ads for rogue Internet pharmacies.
Bennett’s site had been silently “infected” via an unknown (at the time) vulnerability in a popular e-commerce software package. While most site owners probably would have just cleaned up the mess and moved on, Bennett — a longtime anti-spam vigilante — took the attack as a personal challenge.
“Spammers always know it is me attacking their resources in whatever form that takes,” Bennett said. “In other words, I make myself a target because I have a clue or two about server security and defense and just love taunting them to crank them up.”
And taunt them he has. For years, the New Zealand resident was part of a ragtag band of anti-spam activists, or “antis,” that helped to bring down infamous pill spammer Shane Atkinson and other junk e-mail purveyors. After taking a break from anti activity in 2007 to pursue other professional goals, Bennett – now 50 – seems eager to jump back into the fray.
In the interim, however, spammers have been refining their techniques. Like reluctant conscripts in a global guerilla army, hundreds — sometimes thousands — of legitimate Web sites are now enslaved each month and sold to criminals who use them to blast out spam and host spam sites. The attackers Bennett is tracking mainly pick on orphaned Web sites running Linux with insecure, unpatched software packages (Bennett says his site was hacked thanks to a zero-day bug in OScommerce, a popular e-commerce software program).
Bennett found that his Web site was part of a larger botnet of at least 1,200 compromised sites that was being used to send roughly 25 million junk e-mail messages each day, although he said it appears the botnet is used for spam runs only intermittently.
“They only run the botnet once a week or so at a time, and then shut it off,” Bennett said.
An ad soliciting EvaPharmacy affiliates.
The hacked sites in the botnet Bennett identified mainly advertise one of three types of rogue pill sites: MyCanadianPharmacy, Canadian Family Pharmacy, and Canadian Health&Care Mall. The latter has been tied to a pharmacy affiliate program called EvaPharmacy, one of the few remaining pharmacy affiliate programs that pays members to promote fly-by-night pill sites via spam.
Continue reading →