Spam's Empire - Chapter 4
Posted on Saturday, March 25 @ 16:04:43 PST by FatherTyme
EdisonRex submitted the following:
Chapter 4 – There is Another One, and Revenge and Counter-Revenge
This investigation has had more twists and turns than a Tron game. Although it must be stated that our understanding of contemporary Russian “hacker culture” could probably use more enlightenment, there is plenty of evidence available to paint a picture of the reflexive manner in which this subculture exacts revenge for perceived slights. In the course of researching the ever-widening cast of characters involved with what started as a simple set of spamshots, trying to attract new members to a text-based, on-line, multi-player role-playing game, we are getting quite a social and cultural education.
Pierre Ambroise Francois Choderlos de Laclos (1741-1803) famously wrote “Revenge is a dish best served cold” in his 1782 book Les Liaisons Dangereuses ("La vengeance est un plat qui se mange froid"). Clearly, de Laclos was a second order kind of thinker. In Perestroika-era Russia, chaos and absurdity were common. One can surmise that people who grew up as children in those times, from the 1980s through adolescence in the 1990s, might have learned to be more focused on the here and now. Perhaps the culture itself drives the thought of revenge in a heartbeat. Clearly, though, it is not simply a Russian problem, as the cycle of revenge and counter-revenge escalates mundane, petty issues into life changing moments. Youths, in general, regardless of culture, are less apt to think through all potential ramifications before committing acts which then cause subsequent, and potentially self-destructive, side effects. In Moscow's computer culture of the late 1990s, what appeared to be a hackers' war involving some Fidonet nodes devolved into a fairly devastating set of attacks and counterattacks on rival nodes. Evidence of what must have been a particularly nasty on-line street brawl exists as well. In summary, crimes of passion are not usually thought out very well.
It is notable to add that the investigations so far do not involve any assistance from law enforcement agencies. While it is conceivable that law enforcement could become involved, the set of parameters which must be satisfied in order to trigger law enforcement action is a rather high hurdle, despite the obvious mischief done. It is clear that several laws have been broken in a number of jurisdictions, and sorting it out is part of our mission. Each of the ISPs involved may be interested as AUPs have probably been violated for at least a few of them. Our server is in California, which has a very strong anti-spam law. The Star's Empire server is in Moscow, as is the bookstore server which was used in a number of the attacks (and at least one interrogatory run, it appears). Being a global community, we have preserved evidence across numerous jurisdictions, mirrored in multiple countries, and there are now over 15 members of LittleBlackDog working on separate activities related to this matter. With that said, we continue the story.
There is another one!
By the afternoon of Sunday, March 18th, London time, several members had spent their morning and afternoon on a wild chase throughout the underbelly of the Internet, trying to identify which spamshots EdisonRex was involved in, and which ones LonelyK was involved in. It quickly became clear that there was another nick involved. It was too coincidental, and one member found the original owner of the nick fairly quickly. EdisonRex, the doppelgänger, was a “member” at that spammed website, and the other spam-mule member's nick matched, but it was obvious from the post count that this was a real person's nick. A new account was registered and a message was posted explaining the situation along with a request for help locating the IP address for the spam posts of LonelyK and EdisonRex. As the timestamps matched what we already knew by then, we were certain that one was from chtivo.ru, but we didn't know where the other was from. To our satisfaction, we had a response within an hour, from both the doppelgänged member and one of the moderators of the spammed forum site. Within another few hours, the site administrator for their forum site had checked in, confirming one of the addresses and adding a new IP address for the second EdisonRex spamshot, which was a hijacked Austrian system from an architectural firm.
Revenge, and Counter-Revenge
The story of the other website, however, is notable because it echoes the Moscow Fidonet war, and possibly provides an explanation for the identity theft of EdisonRex as well. Incensed by the inappropriate, impersonal and rude spam message left by LonelyK in their forum, two members of that forum decided, on their own, to confront the Star's Empire management at the support forum of Star's Empire. A two week long “argument” ensued, during which the admin of Star's Empire's forum repeatedly attempted to ban the two from discussing the subject of why LonelyK was spamming the world on behalf of Star's Empire. The two would simply reregister and start again, and were finally halted when someone apparently clued the admin into how the user activation sequence on phpBB can be set to admin-only.
Shortly after this action was suppressed, on or about March 12th, the nick of one of the attacking forum members was used in a fairly wide spamshot. It was subsequently discovered from searching logs that my household's server, which hosts part of the family website, was visited by none other than chtivo.ru on March 14th, at about 10:02 pm. Very shortly after that visit, the first spamshot containing the EdisonRex nick went out, attracting our attention to the entire matter.
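The log search described above, and the timestamp matching in the previous section, come down to one technique: lining up a server's access-log entries against the times the spam posts appeared and seeing which visitor turned up shortly beforehand. The following is an added example, not code from the original post; the log lines, IP addresses and spam-post time are constructed placeholders, and the 30-minute window is an assumed default.

```python
# Added example (not from the original post): correlate access-log entries with
# spam-post timestamps to find which visitor showed up just before each spamshot.
# All hosts, log lines and times below are constructed; 192.0.2.0/24 and
# 198.51.100.0/24 are documentation address ranges.
import re
from datetime import datetime, timedelta, timezone

# Apache/NCSA combined format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

ACCESS_LOG = """\
192.0.2.10 - - [14/Mar/2006:21:15:02 +0000] "GET /index.html HTTP/1.1" 200 1042
192.0.2.77 - - [14/Mar/2006:22:02:11 +0000] "GET /family/ HTTP/1.0" 200 3410
192.0.2.77 - - [14/Mar/2006:22:02:13 +0000] "GET /family/contact.html HTTP/1.0" 200 880
198.51.100.5 - - [14/Mar/2006:23:40:59 +0000] "GET /robots.txt HTTP/1.1" 404 210
"""

# Constructed spam-post time, as read from the spammed forum's post header.
SPAM_POSTS = [datetime(2006, 3, 14, 22, 9, 0, tzinfo=timezone.utc)]


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({"host": m.group("host"),
                        "ts": datetime.strptime(m.group("ts"), TS_FMT),
                        "req": m.group("req"),
                        "status": int(m.group("status"))})
    return entries


def visits_preceding(entries, spam_times, window=timedelta(minutes=30)):
    """Return (host, visit_ts, spam_ts) for every visit inside `window` before a spam post."""
    hits = []
    for spam_ts in sorted(spam_times):
        for e in entries:
            if spam_ts - window <= e["ts"] <= spam_ts:
                hits.append((e["host"], e["ts"], spam_ts))
    return hits


def rank_hosts(hits):
    """Count how many distinct spam posts each host's visits preceded, most first."""
    counts = {}
    for host, _visit_ts, spam_ts in hits:
        counts.setdefault(host, set()).add(spam_ts)
    return sorted(((h, len(s)) for h, s in counts.items()), key=lambda x: (-x[1], x[0]))
```

Widening the window trades precision for recall: a host that only appears with a two-hour window is a weaker lead than one that appears minutes before every spamshot.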
It isn't clear what caused LonelyK to misappropriate my nick, but it is clear that the practice of ruining nicks for revenge is part of the Moscow subculture. It was claimed in the Star's Empire forums that the LonelyK doing the spamming is not Oleg Karabanov, the owner of Star's Empire. The defense seems weak given the substantial evidence, but in one of the more intriguing connections in this twisting investigation, the behaviours of a subculture connect another person to this set of events.
The Amazon of Russia?
Chtivo.ru is the website of what looks to be an impressive on-line Russian-language bookstore. On the front page it proclaims “Today 25.03.2006 in the united catalog 463 917 unique publications. Price-sheet contains 1 894 100 positions from 25 Internet stores and 144 to off-line distributors.” Hosted with a large hosting company, very well composed, and informative, chtivo.ru looks very much like a going concern. Certainly, it looks like an e-commerce site. It acts like an e-commerce site too. What reason would it have to be spreading spam, especially if it had once been blacklisted for doing so? And, certainly, why would a Russian on-line bookstore be looking at my local domain's website at well after midnight Moscow time?
The owner of record of the domain chtivo.ru is a gentleman named Andrey Radomanov. Andrey has quite a history working with php programming, and has owned chtivo.ru for quite a while (the domain was registered in 2001). Mr. Radomanov is exceptionally prolific and active on multiple programming forums. By all accounts, Mr. Radomanov has been working for a few years on php and does not appear to be happy with spammers at all. On February 1st, 2006, Mr. Radomanov posted to the SPEWS antispam blackhole warning system's mailing list, pleading with them to drop the listing number S409 (old indeed) against their host. The request was denied, as the ISP, mtu.ru, has accommodated no less than four current mail spammers operating from their address ranges. Mr. Radomanov once also operated the Crazy Rollers Fidonet node. The Crazy Rollers are a street hockey team, and were one of the participants (or victims) in the online defacing of sites mentioned in the earlier period. It would not appear that Mr. Radomanov would be happy to know that chtivo.ru has been sending out spam via port 80.
For the record, mail was sent to Mr. Radomanov on March 19th. It bounced from the address of record. Should Mr. Radomanov wish to comment on events, we would be most pleased to hear from him.
Next – Beware the Google Cache, and what are all these people doing?