How to deal with cybercrime, while making good profit

Evil “fights” evil or how some criminals pretend to fight others

If anyone remembers, in the early 2000s there was a saying: “Cash defeats evil”, which later turned into “Good defeats cash”. In our story it is “Evil defeats good by fighting evil.”



Once upon a time we decided to create yet another hosting company to lease VPS and dedicated servers. Investors reacted cautiously to the project. They said:
“The idea, of course, is cool and fresh, there is nothing like it on the market (sarcasm, in case a Sheldon Cooper is reading this) ... But since the topic is new, we will give big money only after we make sure the project works.”
And of course you can understand them. How many startups have there been which, after receiving investment and buying cool offices with secretaries, coffee machines and powerful gaming computers, suddenly realized that for some reason nobody needed their product, and the stupid customers were not lining up for a brilliant application. We signed an agreement with a data center (the data center story is a separate novel on the topic “How not to build a business in the telehouse area”, and maybe I'll write about it later). We bought servers, storage and Cisco gear, bought software licenses, signed agreements with an upstream, rented a /22 from friends of mine and started working, showing the investors how cool business is in the field of “clouds” and other marketing inventions. The servers were fresh, the storage was fast, the prices affordable, and the people came. Everything seemed to be good.

But then the first call arrived (in the literal and figurative sense). Our upstream, at that time the largest provider, contacted me and said:
“You have problems there, our NOC guys say that you are sending spam in batches. Sort it out.”

I think:
“What spam? We monitor traffic, we ban spammers, and in general we keep an eye on our network, there shouldn't be anything like that.”

I get in touch with the NOC, and they tell me:
“The abuse reports from Spamhaus are about you. If you don't resolve it within two days, we will drop the BGP session with you.”

And here I understand our first mistake: we took the /22 from friends, and they had forgotten to change the abuse contact in the RIPE record. Since they did not use the block themselves, and the friends were not in the telecom business at all, everyone had safely forgotten about it. We look at what claims Spamhaus has against us. We see that they have the complete set of charges against us: dirty network, cybercrime, hosting escalation and other delights, all because of a single client. The entry looked like this:
"Cybercrime domains profitmax.org etc. at @ naship. "

We enter into correspondence with Spamhaus to find out what we are guilty of. The network, by the way, had been freshly obtained from RIPE, and before us nobody had ever used it. We try to contact the client who rents this IP address from us. Having received no feedback, we block the VM. We write back to Spamhaus that all their complaints have been resolved, we are good! And in response we get:

Hello

This network is rogue and operated by spammers. We won't be able to remove it from DROP unless it has been returned to RIPE.

Thanks for your understanding.
- Best regards
Thomas Morrison

We write to the upstream that the claims have been resolved this way and that, but they do not delist us. We get a temporary respite. Entries from Spamhaus begin to arrive in batches:
“Downloader. Pony botnet controller. Spam domain hosting: ytk-garant.ru, etc.” And most importantly: “Spam leading to: trafmarket.ru, memorhost.ru, etc.” (the latter appeared later with noticeable regularity).

We block at the first sneeze in our direction. A certain Thomas Morrison asks us in a strict tone:
“How did you come to such a life?”

We constantly apologize and say that we control our network and ban the villains. But Thomas answers us:
“We have information that you are in league with cybercrime and constantly provide them with new addresses (yeah, as if we need to earn money that way, for 65 rubles).”

In this vein a couple of months pass, and we realize that we need additional channels in case we get blocked. We start negotiating with a Large Federal Operator (TIER1). When only a few days remain before the Large Federal Operator is connected, our upstream drops our BGP session without declaring war. We had a backup channel, of course, and we had tested it. But, let's say, we tested it when we were still very small. Since then our traffic volumes had grown significantly, and we had IPv6 announcements as well. In short, when the upstream dropped our BGP session, the backup channel almost collapsed under the volume of traffic we generated. We kept working, of course, but the network degradation was quite noticeable. We suffered both in connectivity and in our IPv6 announcements (it turned out that not everyone can handle those properly). What saved us was that the connection of our network to the Large Federal TIER1 operator was almost ready, and we were able to restore everything quickly. Of course, we lost some customers, paid compensation, and kept working. Our networks, meanwhile, became firmly settled in Spamhaus. What that threatened us with, I will describe below.

Who are the cybercriminals (real and imaginary)?




Since at first we got off with a slight fright, we did not sue our upstream, but simply rolled up our sleeves and continued to work. As practice has shown, that was in vain. Did real cybercriminals use our hosting (what the ones other than “real” are, I will also write below)? Yes, of course. During our work we learned to identify them quickly enough, and fighting them does not cause any significant trouble. So what methods did we use?

The first is the analysis of all traffic


We analyzed all traffic, and with the help of certain triggers on the analyzer that generated alerts about anomalies, we made a decision. It was either a warning or an immediate block (in the case of especially abusive clients). What did it look like in practice? Suppose the sniffer sees a large number of SMTP packets from a specific host; most likely this is spam (although sometimes it is a perfectly legal mailing by a large online store). We block the port and ask the client to explain this activity. Most legal clients explain their actions without any problems, and in the future we simply make exceptions for them. There are times when a DDoS attack is performed on our client, characterized by large flows of incoming traffic (there were often cases when 10 Gbit/s was pouring onto a virtual machine). In this case we simply inform the client and send all traffic going to him into a black hole. Today we are working on a DDoS protection service, and it is now in beta testing.
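As an added example (not the author's code, and not the analyzer the company actually ran), here is the shape such triggers take when written over flow records: one detector counts distinct outbound SMTP destinations per customer host, skipping customers who explained their mailings and got an exception; the other sums inbound bytes per customer host to flag blackhole candidates. The prefix 198.51.100.0/24, the allowlisted address, the thresholds and the flow records are all constructed for illustration.

```python
"""Added example: flow-level triggers for spam fan-out and inbound DDoS volume."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    nbytes: int   # bytes carried by the flow


# Hypothetical customer prefix of the hosting company (assumption).
OUR_PREFIX = ip_network("198.51.100.0/24")
# Customers who explained their bulk mailings and were granted an exception.
SMTP_ALLOWLIST = {"198.51.100.5"}


def build_sample_flows():
    """Constructed sample data, not real traffic."""
    flows = []
    # A VPS opening SMTP sessions to 120 distinct hosts: spam-like fan-out.
    for i in range(120):
        flows.append(Flow("198.51.100.20", f"203.0.113.{i + 1}", 25, 4000))
    # An allowlisted online store mailing 80 distinct hosts: legitimate.
    for i in range(80):
        flows.append(Flow("198.51.100.5", f"192.0.2.{i + 1}", 25, 6000))
    # A normal host sending three mails.
    for i in range(3):
        flows.append(Flow("198.51.100.30", f"203.0.113.{200 + i}", 25, 2500))
    # Ordinary inbound web traffic.
    flows.append(Flow("203.0.113.10", "198.51.100.20", 443, 1500))
    # 300 inbound flows of 40 MiB each to one VM: about 12 GB, a DDoS-sized volume.
    for i in range(300):
        flows.append(Flow(f"192.0.2.{i % 250 + 1}", "198.51.100.40", 80, 40 * 1024 ** 2))
    return flows


def smtp_fanout(flows, threshold=50):
    """Distinct SMTP destinations per non-allowlisted source inside our prefix."""
    dests = defaultdict(set)
    for f in flows:
        if f.dport != 25 or f.src in SMTP_ALLOWLIST:
            continue
        if ip_address(f.src) in OUR_PREFIX:
            dests[f.src].add(f.dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def inbound_volume(flows, threshold_bytes=10 * 1024 ** 3):
    """Total bytes entering each customer host from outside; above threshold = blackhole candidate."""
    total = defaultdict(int)
    for f in flows:
        if ip_address(f.dst) in OUR_PREFIX and ip_address(f.src) not in OUR_PREFIX:
            total[f.dst] += f.nbytes
    return {dst: b for dst, b in total.items() if b >= threshold_bytes}


def decide(flows):
    """Map host -> action, mirroring the warn / blackhole policy described in the text."""
    actions = {}
    for host in smtp_fanout(flows):
        actions[host] = "block port 25 and ask the customer to explain"
    for host in inbound_volume(flows):
        actions[host] = "notify customer and blackhole destination"
    return actions


if __name__ == "__main__":
    for host, action in decide(build_sample_flows()).items():
        print(host, "->", action)
```

The fan-out detector counts distinct destinations rather than packets so that one busy but legitimate connection does not trip it, and the allowlist is the "exception" mentioned above; in a production analyzer both thresholds would be tuned per customer plan and the window bounded in time.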

Second - customer analysis


Practice has shown that if the customer's name looks like Vera F. Talbott, Alice Grimes, Darinka Korten or Lena Miro and the word “blog” appears in the hostname, then most likely the blog of this cute girl will be indistinguishable from the page of a well-known foreign bank or the login page of paypal.com. Apparently these are new trends in modern blogging, but for some reason banks and PayPal don't like them, and neither do we. We have nothing against bloggers (actually we do, but only against particular trends), but we believe one should work harder on the uniqueness of a blog's design. Therefore we do not even activate such customers, and we do not refund the payment. Although, to be honest, no such client has ever asked for a refund.

Third - Copyright Complaints


Often we receive complaints about hosted content that falls under copyright law. In this case we enter into correspondence and ask the client to remove the illegal (according to the copyright fighters) content from the site. But, most importantly, out of the entire list of criminals there were only a couple of times that complaints came from Spamhaus, and often after the client had already been blocked. Nevertheless, Spamhaus was in no hurry to delete these IPs from its database, and in reply to our requests wrote something like:
"We see that this ip-address is available, we demand to block it and write to us what measures have been taken."
We, of course, wrote in response:
“Yes, it was like that, but the site was deleted long ago and the client is blocked.”
After a long correspondence, Spamhaus deleted the individual entry. But all of our networks continued to remain in their database with the formidable inscriptions “such-and-such network is listed on the Don't Route or Peer List” and “is listed on the Spamhaus Block List”.

Fourth - imaginary criminals


The biggest category. We regularly ended up on lists with the wording “Neurevt Cybercrime domains de-conflict.ru, profitmax.org etc.”. It was simply impossible to track such customers. To all appearances an ordinary client orders a VPS, and almost immediately after ordering, or after at most one day, we received an abuse report from Spamhaus. We blocked and entered into a long correspondence. By the way, Spamhaus removes this last type of entry quite reluctantly. They simply ignore our messages that the client is blocked. Nevertheless, such records appear at least 2-3 times a month. Somehow I can hardly imagine a person who will buy a virtual machine 2-3 times a month on the same hosting, knowing in advance that it will be deleted literally within an hour or, at most, a day, without any compensation.

After thinking about it and applying the old Roman principle “Cui prodest?”, we realized that it could be beneficial to only one organization. Namely, to this very Spamhaus. What is their profit? I will write about this below.

Large Federal Operator


We continued to work with the Large Federal Operator, from time to time receiving letters from their security service asking us to respond to Spamhaus complaints, to which we reacted with lightning speed at any time of the day or night. Spamhaus put this operator on its blacklist on the basis of alleged complaints. Moreover, complaints that had already been deleted for us hung on the operator for months (and still hang). We talked a lot with the operator's support, forwarded our correspondence with Spamhaus and proved that we are good and are not engaged in any such activity. In the end we received an official letter from them asking us to also respond formally. We officially replied that we had never been engaged in any illegal activity and did not plan to in the future, that Spamhaus is an organization of international cyber fraudsters with no authority on the territory of the Russian Federation, as there is a corresponding letter from Roskomnadzor, and that their actions are illegal. We received assurances that everything was fine, that the Operator's employees were already aware of this, and that they did not plan to block us on this far-fetched pretext. Taught by bitter experience, we of course began negotiating with another Large Federal Operator TIER1, but did not have time ...

Karma


In our company we use Slack (not an advertisement) for communication between employees, since there are many remote employees and it is not possible to gather them all in one place. And then one evening, chatting, we discussed whether it is worth blocking a small client because of whose problems other clients, bringing the company much more profit, suffer. That is, the experts were unambiguously for blocking, with the wording:
"Yes, there are only problems from him, he just does not know how to use Linux, let him learn to deal with botnets, lamer."

My position as the head of the company was unequivocal: it doesn't matter which client, large or small. The client trusts us, as he brought us his money. And this, I believe, is the foundation of any business. The most important person in any company is not the technical genius or the director, but the person who believed in the company and brought it his hard-earned rubles, dollars or yuan. The whole business is built on customers; they are the most important people, and solving customer problems is the most important thing, thanks to which the company lives and develops. If there are no people bringing their money to the organization, there will be no programmers, system administrators, directors or secretaries.

However, I was distracted. My position was to help the client, even if for free, and to teach him the basics of security. So where is the karma? The thing is that the Large Federal Operator did not think so. Literally the next day, standing in a traffic jam on the Sadovoye, I saw a bunch of messages from the bot in Slack that our entire infrastructure was down (to monitor the infrastructure we use Zabbix, which in case of problems immediately writes messages to the common Slack channel about what exactly has fallen and where). I immediately dialed our manager at the operator with the question:
“Have you blocked us?”
To which I received the answer:
"No, everything is fine, I see - your order is active."
I called the provider's support; they also assured me that everything was fine, but they created a ticket and promised to call back. Of course, as in the first case, we had a reserve. And we saw that our announcements were going out via the backup channel, and everything seemed to be fine, as it should be. BUT half of the Internet did not see us. The manager called back and said that they had blocked us after all, at the personal direction of their vice president, and he could do nothing about it. I asked him to give us at least a few days to connect another uplink, which he promised to try to help with. But the question remained: why does the backup channel work so crookedly?

It turned out that, in addition to dropping our BGP session, the Operator had also completely blocked all IP transit from other networks to our AS. That is, all the traffic exchange points in which the operator participated simply did not pass traffic to or from our networks. And since half of the traffic in the country goes through this operator, half of the country and almost half of the world simply did not see us. After long negotiations the operator nevertheless restored IP transit to us, on the condition that we provide a new AS within three days. But I think that as soon as this new AS starts announcing our networks, we will immediately receive a bunch of escalations from Spamhaus against this AS. So now we are working in intensive mode on connecting to Federal Operator TIER1 No. 2.

Who is Spamhaus?


Now I will return to the headline: how you can still make millions in the fight against cybercrime. I studied a lot of information on the question of who the non-profit organization Spamhaus really is, and what their profit and methods of pressure are. The most competent article that I came across is here.

I'll put it briefly: Spamhaus is a crook (one could stop there). Of course, under the guise of combating spam they are engaged in extortion and racketeering by squeezing small and medium hosting companies, as well as Internet service providers. What is their “business model”? It's very simple: you are blacklisted, it is almost impossible to get out of it, and they begin to press you through your upstream, forcing you to buy a package of services from a company affiliated with Spamhaus.

It would seem, well, what's the problem if some Thomas has blacklisted you? The problem is that many large mail services and companies (as the author of the article writes, often for kickbacks) use the blacklists from Spamhaus, and mail from your customers will not reach recipients who use Spamhaus lists.
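As an added example (not from the article), this is the mechanism behind that paragraph: a receiving mail server reverses the octets of the connecting IP, prefixes them to a DNSBL zone such as Spamhaus' zen zone, and treats an A record in 127.0.0.0/8 as "listed", with the last octet naming the sub-list (the SBL from the listing text above, the XBL for infected hosts, the PBL for dial-up space). The DROP list mentioned in the Spamhaus reply earlier is a different product, meant for routers rather than mail, so it is not queried here. The zone name and return codes are Spamhaus' publicly documented ones; the listed prefixes and the offline resolver are constructed, and the customer prefix 198.51.100.0/22 is an assumption.

```python
"""Added example: how a mail server consults a DNS-based blocklist (DNSBL)."""
from ipaddress import IPv4Address, ip_network
import socket

ZONE = "zen.spamhaus.org"

# Documented zen return codes: last octet of the A record identifies the sub-list.
RETURN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the reversed-octet query name, e.g. 10.2.0.192.zen.spamhaus.org."""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip: str, resolve, zone: str = ZONE):
    """resolve(name) returns the A records as strings, or [] on NXDOMAIN (not listed)."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return [RETURN_CODES.get(a, f"unknown code {a}")
            for a in answers if a.startswith("127.0.0.")]


def smtp_policy(ip: str, resolve) -> str:
    """What an MTA would do with a connecting client: accept, or reject with the hit names."""
    hits = lookup(ip, resolve)
    return "accept" if not hits else "reject: " + ", ".join(hits)


# --- Constructed offline resolver ---------------------------------------------
# A whole customer /22 listed on the SBL (the situation described in the article)
# and one infected host on the XBL.  Constructed data, not a real listing.
LISTED = {
    ip_network("198.51.100.0/22"): ["127.0.0.2"],
    ip_network("203.0.113.77/32"): ["127.0.0.4"],
}


def fake_resolve(name: str):
    """Answer the way the zone would: any IP inside a listed prefix gets the prefix's codes."""
    if not name.endswith("." + ZONE):
        return []
    reversed_octets = name[: -len(ZONE) - 1].split(".")
    ip = IPv4Address(".".join(reversed(reversed_octets)))
    answers = []
    for net, codes in LISTED.items():
        if ip in net:
            answers.extend(codes)
    return answers


def stdlib_resolve(name: str):
    """Live resolver using only the standard library; not used by the offline demo."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    for client in ("198.51.102.9", "203.0.113.77", "192.0.2.10"):
        print(client, "->", smtp_policy(client, fake_resolve))
```

The point the constructed `LISTED` table makes is the one the article complains about: once a prefix is on the SBL, every address inside it answers as listed, so a freshly provisioned, innocent customer VM in that range is rejected by any MTA that consults the zone. Note that zen is served for public use only to low-volume resolvers; a production MTA behind a large shared resolver needs Spamhaus' data feed, which is exactly the commercial arrangement the article discusses.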

Many large operators have long since stopped responding to Spamhaus. For example, in China an arrest warrant has been issued for Stephen John Linford, the head of Spamhaus. At one time Spamhaus completely blocked countries such as Latvia and Turkey, completely blocked Google's network, and still has the entire Chinese network blocked; beeline.ru is listed as none other than “spamer webhosting”, as are many Rostelecom networks and such large foreign hosting companies as, for example, OVH.

What do we intend to do next?


Well, by and large, we don't have much choice. Either, as they write, return our networks to RIPE, or pay them money (and you will have to pay all the time), or sue them. Court does not work well against them. In the USA they have already lost a number of cases, but announced that the courts were hijacked by cybercrime and that they are not subject to US jurisdiction. You can, of course, try to turn to the magistrate's court of the Zyuzino district (I have nothing against this beautiful district or its magistrate's court) and try to win a case demanding that spamhaus.org be blocked in the Russian Federation and pornhub unblocked. However, I can't even guess how that would affect their lists. In general, the question remains open today. But the most important thing I want to say with this article is that the scammers will keep using hosting companies and operators as long as someone uses their so-called blacklist. The Large Federal Operator TIER1 said that the main problem is mail from their networks, and quite a lot of system administrators still use Spamhaus lists to filter mail! I would like to ask the community: what is the point of blacklisting for e-mail in 2016?
