A spamming vendor known as the SET-X Corporation has recently launched the distributed SET-X Mail System, a sophisticated managed spamming service available for rent on a monthly basis starting from $2000, promising to achieve "spamming speed" of 5000 to 7000 emails per minute and over 1 million spam messages per day, courtesy of the 5000 bots it comes preloaded with.
Let's analyze the spamming service, what makes it tick, and discuss some of the emerging trends related to the overall outsourcing of each and every segment of cybercrime.
The market segment for managed spamming services is still in its introduction stage, with several unique providers of such managed services whose do-it-yourself systems and zero-complexity mentality are poised to empower many new entrants into the spamming business. The SET-X Mail System in particular is a typical example of a "one stop spamming shop". Whereas legitimate companies are able to occupy and serve all the market segments related to their particular product or service through M&A (mergers and acquisitions) with different companies, SET-X has managed to vertically integrate on its own and provide anything a spammer could possibly need from a spamming service, such as:
- dedicated staff of four people updating the malware binaries and reachable 24/7
- daily introduction of new malware infected hosts
- the ability to purchase recently harvested email databases for a particular country in order to use them in localized spam campaigns, with the translation service for the messages provided by the same vendor
- the option to purchase an unlimited number of automatically registered email accounts at popular web based email providers in order to integrate them within the "unique legitimate senders" spamming method
- unlimited support of spam templates also known as macroses
- unlimited number of email databases to integrate and use simultaneously
- low total cost of ownership (TCO) and 99% uptime of the command and control server due to the fact that the malware infected hosts obtain commands dynamically from secondary servers in order to ensure that they never expose the central one
Speaking of vertical integration, SET-X Corporation's current inventory of harvested email addresses available for sale to customers of its spamming service seems to have been anticipated as a possible revenue source, aiming to further develop the business relationship with the current customers. Their current inventory:
"- Russia (private citizens) - 16 000 000 emails
- Ukraine (commercial) - 3 300 000 emails
- U.S.A (private citizens) - 118 000 000 emails
- Western Europe (private citizens) - 13 000 000 emails
- Europe (private citizens) - 46 000 000 emails"
How sophisticated is the service in fact? SET-X Corporation has extensively described the spamming service in their marketing pitch, translated from Russian to English as follows:
"- Flexible and convenient Web based interface, detailed statistics while sending, changing any settings (mail databases, texts, macros)
- User-friendly web based interface - start spamming from day one
- Automatic "spamming capabilities" assessments of the bot allowing you to think about your business and not about the technical details behind it
- Daily malware updates, four programmers allocated for every server, sending automatic ICQ notifications whenever the malware gets updated
- Automatic optimization of the spam campaign by first allocating the bots with clean IP reputation
- Optional is the option to choose whether or not a dedicated "spamming engineer" should be allocated to your server
- His responsibilities include introducing a higher number of bots if requested, ensuring that dead bots get disconnected from your server, and providing personal advice on optimizing your campaigns and bypassing anti-spam filtering through the built-in multi RBL checking feature
A brief description of the system:
1. The system is automatically harvesting the outgoing and incoming email addresses on the infected hosts and the associated accounting data, supporting the following clients: Mozilla Thunderbird, Outlook Express, MS Outlook, The Bat, Opera
2. The bot automatically defines its MX and PTR records, if they are present it switches to Direct SMTP mailing which means that it can send the spam directly to the recipients using the MX and PTR DNS records of the bot, enforcing direct sending even without MX and PTR records is also possible
3. The bot automatically defines its MX and PTR records, if they are present it switches to Direct SMTP mailing which means that it can send the spam directly to the recipients using the MX and PTR DNS records of the bot, enforcing direct sending even without MX and PTR records is also possible
4. The central control server automatically assigns different regional servers to the bots, and rotates them periodically for security purposes
5. All the information about the spam campaigns and the bots can be exported and syndicated with another regional server as requested, with the regional server dynamically establishing links with other regional servers so that it never really knows the address of the central command server
6. There are several different ways of sending spam using this service :
1) Direct spamming from the legitimate email accounts of the infected computers, with the system automatically syndicating all the available legitimate emails, whose accounting data, naturally stolen due to the malware infection, is again automatically integrated in a "unique legitimate senders" database. Full support for web based email accounts in the form of domain:username:password
2) Sending via Direct SMTP: send messages directly using the MX and PTR records of the infected host's gateway
3) Sending to direct recipient
4) Sending through open relays and socks servers, both of which can be provided at an additional cost
7. SET-X Mail System is highly modular, with unique features easily coded and implemented as requested by the customer
The average speed from one server is 5000/7000 emails per minute, over 1 million emails per day, and if requested you can purchase as many servers as you would like. The price of rent per month is $2000 with additional $1000 for each additional server if the servers are ordered at the same time."
An inside look at the system obtained on 2008-08-12 indicates that they are indeed capable of delivering what they promise: speed, simplicity and 5000 malware infected hosts. Moreover, the attached screenshot demonstrates that 20 different email databases can be used simultaneously, resulting in 16,523,247 emails about to get spammed using 52 different macroses. Furthermore, what they refer to as a dynamic set of regional servers, aiming to ensure that the central server never gets exposed, is in fact fast-flux, and the number of bots they are willing to put into "regional server mode" shapes the size of the fast-flux network at a later stage.
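From the defender's side, the fast-flux behaviour described above shows up in DNS data as many short-lived answers spread across unrelated networks. The following is an added example, not part of the original article or of the vendor's system; the thresholds are illustrative assumptions and the passive-DNS rows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_network

# Thresholds are illustrative assumptions, to be tuned against local DNS data.
MIN_IPS, MIN_NETS, MAX_TTL = 5, 3, 300

# Constructed passive-DNS rows: (domain, A-record answer, TTL in seconds).
SAMPLE = [
    ("flux.example", "10.1.4.7", 180), ("flux.example", "10.22.9.3", 180),
    ("flux.example", "10.37.0.91", 120), ("flux.example", "10.37.5.12", 180),
    ("flux.example", "10.80.2.44", 180), ("flux.example", "10.99.7.5", 60),
    # Several addresses, but all in one network: load balancing, not flux.
    ("cdn.example", "192.0.2.10", 60), ("cdn.example", "192.0.2.11", 60),
    ("cdn.example", "192.0.2.12", 60), ("cdn.example", "192.0.2.13", 60),
    ("cdn.example", "192.0.2.14", 60),
    ("static.example", "198.51.100.5", 86400),
]

def summarize(rows):
    """Group answers per domain: distinct IPs, distinct /16 networks, highest TTL."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "max_ttl": 0})
    for domain, ip, ttl in rows:
        s = stats[domain.lower().rstrip(".")]
        s["ips"].add(ip)
        s["nets"].add(ip_network(f"{ip}/16", strict=False))
        s["max_ttl"] = max(s["max_ttl"], ttl)
    return stats

def flux_candidates(rows):
    """Return domains whose answers are many, short-lived and spread over networks."""
    flagged = []
    for domain, s in sorted(summarize(rows).items()):
        if (len(s["ips"]) >= MIN_IPS and len(s["nets"]) >= MIN_NETS
                and s["max_ttl"] <= MAX_TTL):
            flagged.append((domain, len(s["ips"]), len(s["nets"])))
    return flagged

if __name__ == "__main__":
    for domain, n_ips, n_nets in flux_candidates(SAMPLE):
        print(f"{domain}: {n_ips} IPs across {n_nets} /16 networks")
```

Requiring network diversity as well as a low TTL keeps ordinary load-balanced services, which also return several short-lived addresses, out of the result.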
Spam is definitely not going away, especially nowadays when the whole process, which used to require a decent investment of time and resources, has matured into an emerging market for managed service providers of spamming services whose web based interfaces successfully mimic the look and feel of anti-spam appliances. And whereas for the time being each of the managed spamming services outperforms the others on different fronts, in the long term natural market competition will result in more extensive development of these systems, next to the plain and simple theft of intellectual property in the form of integrating a competing system's unique features within another service.