Back in June I wrote about a ruling against Sanford Wallace, who is one of the most well known spammers. As of today, the case as been settled and “California awarded Facebook $711 million in damages against Sanford Wallace”. Additionally, Wallace now faces possible jail time. Despite the massive settlement, it’s unlikely Wallace will ever show up in California again, or pay the settlement.

Instead, Sanford Wallace is probably moving from country to country, trying to avoid the authorities and living off money stashed in offshore accounts. Despite Sanford’s decision to hop around the world avoiding authorities, Facebook is hailing this judgment as a big win:

    The ruling is the result of tireless effort by our Security and Legal teams, which work to find, expose, and prosecute the sources of spam attacks. As Sam O’Rourke, Associate General Counsel for Facebook, has stated, “We’ll go to the ends of the Earth to protect our users from spam and make sure those who send it are held accountable.” These efforts complement the sophisticated technical systems we continue to develop to limit the impact of these attacks, and where possible, block them altogether.

Facebook is currently dedicated to building advanced spam fighting systems and pursuing those individuals who attempt to scam users on the site. One of the early issues with MySpace was an overload of spam which caused people to go running from the site. Facebook in contrast has aggressively pursued spammers, and while many have slipped through the cracks, most issues are resolved quickly.

This is just one more settlement against Sanford Wallace who has already filed for bankruptcy, however it’s a big win for Facebook who has been working on this case for months now.

Today Facebook obtained a ruling against noted spammer, Sanford Wallace. While a formal ruling has not been posted yet, Facebook has told us that “Judge Fogel agreed that there were grounds for criminal contempt and that the US Attorneys office should investigate Wallace. Wallace filed for bankruptcy, which is not unexpected and only delays our judgment temporarily.” It’s not surprising to see one of the more well known spammers bankrupt.
Then again, Sanford Wallace probably has a lot of money sitting in off shore accounts distributed around the world. Facebook has aggressively pursued spammers since early on. Whether it’s spammers that are trying to dupe users out of their email addresses and Facebook passwords or attempts to get users to download spyware, it all damages the overall user experience. Facebook has also provided the following statement:

“We see Fogel’s ruling as a strong deterrent against spammers. Spammers feel that they are immune from criminal prosecution. Fogel’s ruling demonstrates that judges will enforce restraining orders and spammers who violate them face criminal prosecution. This appears to have had an impact on Wallace who was in court today. To our knowledge, he has not appeared in any of the many previous cases against him.”

While Sanford Wallace has never appeared for a court appearance in his life, at least Facebook is aggressively pursuing the spammers. This ruling appears to be more of a statement than anything else: Facebook will not put up with any spammers anywhere on the site. Have you continued to see spam across the site or has the volume been decreasing for you?

Spammers knocked offline two weeks ago when their hosting company, McColo Corp., are finally coming back online, security researchers said on Wednesday.

San Jose, Calif.-based McColo was believed to be responsible for up to 75 percent of all spam, according to Brian Krebs of The Washington Post, who broke the initial story.

Spam volumes, which dropped about 80 percent when McColo was shut down on November 11, remained relatively flat since then until a few days ago when they started climbing up, said Matt Sergeant, senior antispam technologist at MessageLabs, now owned by Symantec.

Since Sunday, the spam volume has risen to about 37 percent of what they were before McColo was unplugged, MessageLabs said.

McColo was hosting command and control servers that were being used to send instructions–like send spam or Trojans–to bot software that has been planted on PCs, mostly in the U.S., according to Sergeant. “With no work orders to process, the machines simply stopped spamming,” he said.

Some of the botnets, with names like “Srizbi,” “Asprox,” “Rustock,” and “Mega-D,” are back up after connecting to different domains, Sergeant said. Some are connecting to ISPs outside the U.S., which will make it very difficult to shut them down again, he said.

“The problem now is that it was a lot easier to get a U.S.-based ISP shut down than it will be to get, for example, this Estonian ISP shut down,” Sergeant said.

“We’ve stunted the spammers for a couple of weeks, which is a good thing for the Internet,” he said. “We’ve increased their costs and, hopefully, that might put some spammers out of business.”

Researchers are collaborating on the matter and providing information to U.S. law enforcement agencies, said Paul Ferguson, an advanced threat researcher at Trend Micro.

Some of the bots are programmed to connect to a new domain after a certain amount of time of inactivity, he said.

Researchers have been able to get some registrars to suspend some domains being used and have filed abuse complaints with some ISPs that appear to be unwitting hosts, Ferguson added.

Internet hosting site McColo disappeared on Tuesday. Along with it went thousands of pieces of spam, thanks, in part, to investigative work by Washington Post reporter Brian Krebs.

For about four months, security experts have been collecting data about McColo Corp., a San Jose, Calif.-based Web hosting service that may have been used by by the cyber underground, according to the The Washington Post. Krebs said that the McColo hosting company had been responsible for up to 75 percent of all spam spent.

Security vendor MXLogic said it was seeing about a 50 percent decline in spam volume as a result on Wednesday.

Jose Nazario of Arbor Networks, a company that monitors botnet activity, speculated that McColo vanished at around 9 a.m. Eastern time on November 10. Botnets are frequently used to relay spam, and McColo may have hosted some of the command and control servers necessary to coordinate spam campaigns.

Adam O’Donnell, writing on the ZDNet Zero Day blog, speculates that the spammers might regroup in Eastern Europe.

The Post credits Benny Ng, director of marketing for Hurricane Electric, an upstream provider for McColo, for pulling the plug on the company. Another provider, Global Crossing, declined to comment, telling Krebs the company “communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity.”

Something similar happened in September when another hosting site, Intercage/Ativo, was shut down by its upstream providers.

The Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit who oversees the management of domains names and IP addresses, has dropped the accreditation for EstDomains, essentially ending their ability to process new domain orders for any Top-Level Domain.

ICANN is the authority when it comes to domain names and IP addresses. Nothing happens on the Internet without their having some role in it. If a company allows registrations of new domain names, or transfers, then they must be accredited by ICANN to do so. If an ISP issues new IP addresses, ICANN will have a role to play in this as well.

EstDomains, with almost 300,000 domains, is the 49th largest domain registrar online. The bulk of their business is domain registrations, but the company also offers managed DNS, SSL Certificates, and E-Mail services. They have a reseller program as well, for customers to buy and sell bulk domain addresses.

Washington Post reporter Brian Krebs started an investigation that linked EstDomains to several websites, numbered in the thousands, that host malicious software, Spam, and in general named them as a haven for criminals online. The investigations into EstDomains started in September.

Around that time, Krebs discovered evidence that the President of EstDomains, 27-year-old Vladimir Tsastsin, was found “…guilty of entering illegal data into card payment systems of Internet stores for the purpose of material gain, creating forged documents, using forged documents, and money laundering.”

“I wondered why would a company like EstDomains keep a chief executive on who was sent to prison for cyber fraud…I asked that very question of Hillar Aarelaid, team director of the Estonian Computer Emergency Response Team (CERT Estonia). Aarelaid maintains that Tsastsin long ago ceded control of EstDomains to organized cyber criminals in Russia,” Krebs wrote in one of his articles on the subject.

“To understand EstDomains, one needs to understand the role of organized crime and the investments coming from that, their relations to hosting providers in Western nations and the criminals who ply their trade through these services,” Aarelaid said.

Indeed, according to both the investigations by Krebs and other security company’s, EstDomains has been a long bedfellow of the RBN (Russian Business Network), the premier collective of organized criminals online.

EstDomains called Krebs and his reports “Yellow Journalism” and one spokesperson for the company, Konstantin Poltev, told the Security Fix reporter, “I sincerely hope that you will [choose] Google for your further investigation and gather the information without using the sources you have indicated as reliable. I assume that the independent investigation shall definitely show you that the person, who granted us the ‘cybercrime registrar’ title, has made a mistake.”

However, the constant pressure from security experts and journalists like Krebs and the team from The Register caused EstDomains’ ISP Interchange (Atrivo) to be shut down; leading to, among other things, a severe drop in some types of Spam, and the reported death of the Storm network.

The investigations, the bad press, and the pressure from several sources have all led to the announcement Tuesday that ICANN de-accredited EstDomains.

“Dear Mr. Tsastsin,” the letter starts, “Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc. (Customer No. 919, IANA No. 832) is terminated. Consistent with subsection 5.3.3 of the RAA, this termination is based on your status as President of EstDomains and your credit card fraud, money laundering and document forgery conviction. This termination shall be effective within fifteen calendar days from the date of this letter, on 12 November 2008.”

The letter adds that ICANN is seeking, “Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains.”

“I never thought I’d see the day! ICANN found it’s dentures down the back of the sofa and [has] taken a bite out of the [criminal’s] domain registration empire. ESTDomains will no longer be a registrar as of Nov 12th,” wrote McAfee’s Chris Barton in an Avert Labs blog post. “So I’ve got a question… Who’s got the balls to take on ESTDomains problems customers?”

“This is almost 2 years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation meets the rotary oscillator” in August, but never the less, that (so I’m told) this is quick for ICANN…”

Another security pundit, Gadi Evron, said, “I believe this is a very positive step from ICANN, showing it is indeed an active part in shaping the Internet, as well as responsible to its constituents. While I am sure this can not be an easy move to make, it is warranted in this case and I believe it to be a brave one. While such decisions must not be made rashly, it is my deepest regret WHOIS information is the only way to reach such ends.”

This is good news for security companies who fight malicious domains, Spam and other crimes online. Yet, for a company that makes a bulk of its money from domain sales, the future is bleak at best. EstDomains made no comment on ICANN’s actions and has defended its business model when faced with negative press.

Incoming search terms: