There are some interesting developments going on with the Send-Safe spamming tool. Together with tools like "Mailerboy" and "Darkmailer", Send-Safe is one of the most popular tools used by spammers to send spam. Send-Safe even includes built-in support for sending the spam via home machines infected with viruses like Mydoom, Bagle and Sobig.
Various antispam organizations and authorities have tried to fight the company behind Send-Safe with little result. The company is run by Mr. Ruslan Ibragimov, operating just outside downtown Moscow.
Our friends at Spamhaus in particular have tried aggressively to get the website www.send-safe.com shut down. Surprisingly, the site has apparently been hosted by MCI Worldcom - one of the largest service providers in the world.
But now something is finally happening, as the website has disappeared.
Previously, www.send-safe.com used to look like this:
This morning it looked like this:
In fact, Tripod has since taken the redirect site offline entirely (kudos to them).
We've run into Send-Safe various times before - for example, last October in our weblog posting about who wrote Sobig.
To illustrate how professional these tools really are, here's a screenshot of Send-Safe in action. Note especially the text at the bottom about using "527 proxies" to send spam. These are the infected zombie home computers, used without their owners having the slightest clue that their machines are sending out Viagra spam.
One last thing: Send-Safe has a feature to "call home" over an encrypted SSL connection every time it starts up; this checks that the user has a valid (and expensive!) license before allowing spamming. When we heard the website was down, we were hopeful it would also break this function, effectively shutting down all copies of the tool.
Unfortunately, this is not the case. The program calls home by making an HTTPS connection to 18.104.22.168, which belongs to a netblock owned by Race Telecom Ltd near Ural, and which is still fully operational.