The Spamhaus Project

The Spammer Agora

by The Spamhaus Team, March 16, 2008 (3 minutes reading time)

There's been a lot of use of the term "ecosystem" in the e-mail industry lately. It's a good description of the complex environment that has grown up around Simple Mail Transfer Protocol; it's no longer simple. But, like any ecosystem, it has many subsystems and niches within it. Among spammers in general, the botnet and black market spammers have developed a marketplace all by themselves. Even spammers using static sending IP addresses turn to blackhat suppliers for lots of "snowshoe" domains, or for bulletproof hosting. That subsystem is what I'm calling "The Spammer Agora", a bazaar of sorts, and I'll describe it a bit more here.

The agora in ancient Greece was the place of general assembly, and it developed into a marketplace commons for the exchange of goods and services. That's exactly what goes on in spammer forums, both open and secret. From the old "Warriors" board of years past, progressing to "bulker boards" of varying degrees of secrecy, and on to completely criminal enterprises controlled by a Mafia-style organization like Carderplanet, those chatrooms are where spammers go to buy and sell various pieces of their product.

An entire marketplace has developed among spammers for the distribution of spam-production factors. Among the basic services are bulletproof hosting, botnet mailers and botnet rental, and some sort of product to mail for, such as pharmaceuticals, herbal remedies, mortgages and loans, pump and dump stocks, or adult services. Products are typically marketed as "affiliate programs", with the program paying the various affiliates for clicks or purchases. Affiliates in those programs are often simply "button pushers": the program arranges bulletproof hosting and domains, then pays the affiliates to send the spam blasts. But in the complexity of the spammer agora, either the program itself or the individual button pushers might arrange for the various services they need to send the spam, and there are nearly unlimited combinations of marketplace factors.

Beyond bulletproof hosting and botnets, spammers need a range of other services. All of those are offered in the spammer agora by various specialists. Some of the other services and products offered include domain registration and "aging", payment processors, drop shippers, botmasters, address lists, money mules and money launderers, spam engines and ratware servers, various "back end" hosting services, database management, suppliers of any product to the affiliate program (pills!), CAPTCHA cracker tools, and lists of accounts created just for spammer use (Geocities and Google, for example). That mix of products, bought and sold throughout various spammer-oriented fora, comprises the spammer agora.

Within that marketplace, various spammers do different things at different times. For example, Yambo might hire a particular botnet one week and HerbalKing might hire it the next. And Kuvayev might buy 10,000 domains from a black market reseller and turn around and sell 2,000 each to Polyakov, Yambo and HerbalKing. Meanwhile, any number of button pushers could be sending for all four of those affiliate programs while leasing botnet and bulletproof hosting time from yet other suppliers.

Marketplaces get very complicated! With black market Internet scams abounding, money is sure to drive even more complexity into The Spammer Agora.