<<<
Monday, February 28, 2005
>>>
 
Case Send-Safe Posted by Mikko @ 16:25 GMT

There are some interesting developments going on with the Send-Safe spamming tool. Together with tools like "Mailerboy" and "Darkmailer", Send-Safe is one of the most popular tools used by spammers to send spam. Send-Safe even includes a built-in support for sending the spam via home machines infected with viruses like Mydoom, Bagle and Sobig.Whois info of send-safe.com

Various antispam organizations and authorities have tried to fight the company behind Send-Safe with little results. The company is run by Mr. Ruslan Ibragimov, operating just outside downtown Moscow.

Especially our friends at Spamhaus have aggressively tried getting the website www.send-safe.com shut down. Suprisingly, the site has apparently been hosted by MCI Worldcom - one of the largest service providers in the world.

But now something is finally happening, as the website has disappeared.

Previously, www.send-safe.com used to look like this:

What www.send-safe.com used to look like.

This morning it looked like this:

What www.send-safe.com looks like now.

And in fact, after that Tripod has taken the redirect site offline totally (kudos for them).

We've run into Send-Safe various times before - for example, in last October in our weblog posting about who wrote Sobig.

To illustrate how professional these tools really are, here's a screenshot of Send-Safe in action. Especially notice the text in the bottom about using "527 proxies" to send spam. These are the infected zombie home computers being used without the owner of the computer having the slightest clue his machine is sending out viagra spam.

Screenshot of Send-Safe
One last thing: Send-Safe has a feature to "call home" with an encrypted SSL connection every time it starts up; this checks that the user has a valid (and expensive!) license before allowing spamming. When we heard the website was down, we were hopeful it would also break this function, effectively shutting down all copies of the tool.

Unfortunately, this is not the case. The program calls home by making a https connection to 213.24.113.222, which belongs to a netblock owned by Race Telecom Ltd near Ural, and which is still fully operational.
Fake SSL certificate used for the SSL connection of Send-Safe






<<< W32/Mytob.A - a mix of Mydoom and a Bot
|
Bagle / Mitglieder case >>>