One of the least endearing habits that spammers have is forging other people's email addresses on the messages that they send out. For the spammer, having a reputable existing domain in the 'From:' line allows them to pass certain classes of spam tests. For the unfortunate owner of the address or domain in question, the result is a mailbox clogged with non-delivery messages and other chaff.
Address forgery — sometimes called sporgery — is a hallmark of those spammers who don't even make a pretence at legality. These are the same spammers who use botnets — networks composed of other people's computers, turned into spam relays by custom-written malware — to send their spam. Stock spammers are fond of both tactics. So too are pharmacy spammers, whether they're pushing pills to make your penis larger, your waist smaller, or just offering the usual smorgasbord of prescription medicines.
As the administrator of a number of domains, I deal with a fairly constant stream of bounces generated by one major stock spammer who has a fondness for forging other people's domains. However, this morning I received an abrupt reminder that when it comes to fouling other people's nests, the stock spammers are rank amateurs compared to the pill spammers. In a single day, I've received just less than 2,500 bounces resulting from a single spammer's abuse of an address at a domain that I manage.
The messages that this spammer is sending today are promoting a pretended weight-loss pill called Anatrim. According to the informative anatrim.org, this pill is supposed to contain extracts from an imaginary plant called anatrim gordonii (which is, of course, the spammer's old favorite hoodia gordonii after judicious application of global search-and-replace). The websites being pushed by this spammer refer to the 'Anatrim Cactus', which was presumably named by the same botanist who gave the world the Phentermine Tree and the Viagra Bush. It's clear that 'anatrim' is pure snake-oil: a hasty rename of the already-suspect Hoodia intended to dodge spam filters and convince suckers that it's something new, rather than the same old tired sugar pills.
So who's the spammer? The domains advertised are iangorol.net, shloudey.net, vioney.hk, berit.hk, weruntey.net, zearget.com and besud.hk. These confidence-inspiring names all resolve to a single host — 219.232.117.233, in netblock BTDC, owned by the Beijing Telecom Development Co.
The registration details for the domains are all different and all obviously false. However, they all share the same nameservers — ns1.akmusa.com and ns2.akmusa.com. The akmusa.com domain hosts adverts for penis enlargement pills. The registration information for the domain points to a Chinese registrant in Guilin. It's unlikely that the contact details shown are in any way valid, but the rather fractured English text on the Anatrim sites does suggest that the authors aren't native English speakers.
There's depressingly little that can be done about this spammer. There's no reason to imagine that the Beijing Telecom Development Co. would inconvenience their valued customer by terminating their hosting for anything so minor as massive network abuse (TrustedSource records another Beijing Telecom Development Co. netblock as being solidly spammy, so spamhosting looks to be something of a lifestyle choice for them). Experience has shown that few registrars are willing to disable registrations of spamvertised domains and in any case spammers can register new domains faster than registrars can terminate them.
The one bright spot is that — to judge by the number of bounces I'm receiving — spam filtering is working. The advertised domains in their spam-tainted netblock constitute a giant scarlet (or pink) letter pinned to the lapel of any message that mentions them, and blacklist-based filters must be rejecting or trashing the messages by the thousand. I'd doubt that many of the spammer's messages ever reach their target audience of gullible fatties. We haven't yet reached the point where spam filters can stop the spammer getting the fraction-of-a-percent return they need to cover their costs, but is it naive to hope that we might be getting closer?
Perhaps. Whatever the actual success rate of filtering (and realistically, these messages should be low-hanging fruit, so obviously spammy that they can be deleted without a second thought), I can't help feeling that the Great Firewall of China is pointing the wrong way. In a well-run Internet, there would be no need for this spammer's sites to see as much as a single incoming packet from the West.
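The two checks this post leans on, grouping advertised domains by the host they resolve to and rejecting mail whose advertised hosts sit in a spam-tainted netblock, as an added Python example that is not code from the post. The DNS table and sample messages are constructed so it runs offline, and the /24 netblock is a placeholder, since the post names the BTDC netblock but not its prefix.

```python
import ipaddress
import re

# Constructed DNS table so the example runs offline. The seven domains and the
# address are those quoted in the post; example.org is a reserved name mapped
# to a documentation address (RFC 5737).
BTDC_HOST = ipaddress.ip_address("219.232.117.233")
CONSTRUCTED_DNS = {d: BTDC_HOST for d in (
    "iangorol.net", "shloudey.net", "vioney.hk", "berit.hk",
    "weruntey.net", "zearget.com", "besud.hk")}
CONSTRUCTED_DNS["example.org"] = ipaddress.ip_address("192.0.2.10")

# Netblocks the operator treats as spam-tainted. The post names the BTDC
# netblock but not its prefix, so this /24 is a placeholder, not a real listing.
TAINTED_NETBLOCKS = [ipaddress.ip_network("219.232.117.0/24")]

URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)|\bwww\.([a-z0-9.-]+)", re.I)

def extract_hosts(body: str) -> set[str]:
    """Hostnames from http(s) URLs and bare www. names in a message body."""
    hosts = set()
    for m in URL_HOST_RE.finditer(body):
        host = m.group(1) if m.group(1) else "www." + m.group(2)
        hosts.add(host.lower().rstrip("."))
    return hosts

def registrable(host: str) -> str:
    """Last two labels (enough for .net/.com/.hk here; real filters use the PSL)."""
    return ".".join(host.split(".")[-2:])

def colocated(hosts, dns=CONSTRUCTED_DNS) -> dict[str, list[str]]:
    """Group domains by resolved address: 'these names all resolve to one host'."""
    groups: dict[str, list[str]] = {}
    for host in hosts:
        ip = dns.get(registrable(host))
        if ip is not None:
            groups.setdefault(str(ip), []).append(host)
    return {ip: sorted(names) for ip, names in groups.items()}

def tainted_hosts(body: str, dns=CONSTRUCTED_DNS, netblocks=TAINTED_NETBLOCKS) -> dict[str, str]:
    """Advertised hostnames whose address falls in a tainted netblock (URI hit)."""
    hits = {}
    for host in extract_hosts(body):
        ip = dns.get(registrable(host))
        if ip is not None and any(ip in net for net in netblocks):
            hits[host] = str(ip)
    return hits

def classify(body: str) -> str:
    """'reject' when the message advertises a host in a tainted netblock."""
    return "reject" if tainted_hosts(body) else "accept"

# Constructed sample messages, not mail quoted in the post.
SPAM_BODY = ("Lose weight fast with the Anatrim cactus! Order at "
             "http://iangorol.net/ or www.berit.hk today.")
HAM_BODY = "Agenda for Thursday is at https://example.org/agenda.html"
```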