
How to deal with cybercrime while extracting good profits

Evil "fights" evil, or how some criminals pretend to fight others

Those who remember the early 2000s will recall the saying "Money triumphs over evil", which later turned into "Good triumphs over money". In our own story it is "Evil triumphs over good while fighting evil".



Once upon a time we decided to create the next great hosting company, providing VPS and dedicated servers for rent. The investors were cautious about the project. They said:
"The idea is, of course, cool and fresh, there's nothing like it on the market (if Sheldon Cooper is reading this: that was sarcasm)... But since it's a new topic, we'll give you big money only after we see that the project is working."
And you can understand them, of course. There have been so many startups that, after receiving investment and buying cool offices with secretaries, coffee machines and powerful gaming computers, suddenly realized that for some reason nobody wanted their product and the stupid customers were not lining up for their ingenious application. We signed an agreement with a data center (working with that data center is a separate novel on the topic of "how not to build a business in the telehouse field", and maybe I will write about it later). We bought servers, storage and Cisco gear, bought software licenses, signed contracts with upstream providers, rented a /22 network from friends and started working, showing the investors how cool the business of "clouds" and other marketing tales is. The servers were new, the storage was fast, the prices were affordable, and customers came. Everything seemed fine. Now just buy new blade chassis and grow your market share.

But then came the first call (in both the literal and the figurative sense). The head of our upstream, the largest provider at that time, contacted me and said:
"You have problems there. Our NOC says you are sending bundles of spam. Sort it out."

I think:
"What spam? We monitor traffic, ban spammers and generally keep an eye on our network; nothing like this should be happening."

I contact the NOC, and they inform me:
"There is an abuse report about you from Spamhaus. If you don't settle it within two days, we will tear down the BGP session with you."

And here I understood our first mistake: we took the /22 from friends and forgot to change the contact entry in the RIPE database. Since they were not using the network, and the friends were not in the telecom business at all, everyone safely forgot about it. We look at what claims Spamhaus has against us and see the complete set there: dirty network, cybercrime, hosting escalation and other delights, all because of a single client. The record looked like this:
"Cybercrime domains profitmax.org etc. @ [our network]"

We enter into correspondence with Spamhaus to find out what we have done. The network, by the way, had been freshly issued by RIPE and had never been used by anyone except us before. We try to contact the client who rents this IP address from us. Getting no response, we block the virtual machine. We write back to Spamhaus that all their claims have been resolved, we are good! And in response we get:
Hello

This network is rogue and operated by spammers. It should be returned to RIPE.

Thanks for your understanding.
- Best regards
Thomas Morrison

We write to our upstream that the claims have been resolved, but they do not clear the flag on us. We get a temporary respite. Then records from Spamhaus begin to arrive in batches:
"Downloader. Pony botnet controller. Spam domain hosting: ytk-garant.ru, etc." And the most important one: "Spam leading to: trafmarket.ru, memorhost.ru, etc." (the latter kept appearing with noticeable regularity).

We block immediately at their first sneeze in our direction. A certain Thomas Morrison sternly asks us:
"How did you end up in this life?"

We constantly apologize and say that we control our network and ban the villains. But Thomas answers us:
"We have information that you are in league with the cybercriminals and constantly provide them with new addresses" (yeah, as if we need to earn ourselves problems over 65 rubles).

In this way a couple of months pass, and we realize that we need additional channels in case of a block. We start negotiating with a Major Federal TIER1 Operator. When only a few days remain before the connection to the Major Federal Operator, our upstream, without declaring war, drops our BGP session. We had a backup channel, of course, and we had tested it. But, let's say, that was when we were still quite small. Since then our traffic volumes had grown significantly and announcements of IPv6 networks had appeared. In short, when our upstream dropped our BGP session, our backup channel nearly collapsed under the traffic we generated. No, we kept working, of course, but the degradation of the network was quite noticeable. We lost both connectivity and IPv6 announcements (it turned out that not everyone can handle them properly). We were saved by the fact that the connection of our network to the Major Federal TIER1 Operator was almost ready, and we were able to restore everything quickly enough. We lost some customers, of course, paid compensation and carried on. Our networks, however, were now firmly established in Spamhaus. What this threatened us with, I will describe below.

Who are the cybercriminals (real and imaginary)?




Since at first we got away with a slight fright, we did not sue our upstream but simply rolled up our sleeves and kept working. As practice showed, in vain. Did real cybercriminals use our hosting (what there is besides "real" ones, I will also write below)? Of course, yes. During our work we learned to spot them quickly enough, and fighting them does not cause any significant trouble. So what methods did we use?

First - analysis of all traffic


We analyzed all traffic, and with the help of certain triggers on the analyzer, which raised alerts about anomalies, we made a decision: either a warning or an immediate block (in the case of particularly abusive clients). How did it look in practice? Suppose the sniffer sees a large number of SMTP packets from a specific host. Most likely this is spam (although sometimes it is a completely legitimate mailing from a large online store). We block the port and ask the client to explain the activity. Most legitimate customers explain their actions without any problem, and from then on we simply make exceptions for them. There are also cases of a DDoS attack on our client, characterized by large incoming traffic flows (10 Gbit/s directed at a single virtual server is not uncommon). In that case we simply notify the client and send all traffic destined for him to a black hole. Today we are working on a DDoS protection service, which is now in beta testing.
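As an added illustration (not code from the original post) of the trigger logic just described: per-source outbound SMTP connection counting with an exception list for customers who have explained their mailings, and per-destination inbound volume checked against the 10 Gbit/s black-hole figure. The customer prefix, thresholds, allow-list and flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
OUR_NET = ipaddress.ip_network("203.0.113.0/24")  # constructed customer prefix
SMTP_PORTS = {25, 465, 587}
WINDOW_SECONDS = 60
SMTP_CONNS_PER_MIN = 50        # assumed trigger for "a lot of SMTP"
DDOS_BPS = 10 * 10**9          # 10 Gbit/s, the figure the text quotes
# customers whose bulk mailings were explained and accepted (hypothetical)
ALLOWLIST = {"203.0.113.10"}

def analyze(flows, window=WINDOW_SECONDS):
    """flows: iterable of dicts {src, dst, dport, bytes} from one window.
    Returns a list of (action, host, detail) decisions."""
    smtp_conns = defaultdict(int)     # outbound SMTP connections per source
    inbound_bytes = defaultdict(int)  # inbound bytes per customer host
    for f in flows:
        src_ours = ipaddress.ip_address(f["src"]) in OUR_NET
        dst_ours = ipaddress.ip_address(f["dst"]) in OUR_NET
        if src_ours and f["dport"] in SMTP_PORTS:
            smtp_conns[f["src"]] += 1
        if dst_ours and not src_ours:
            inbound_bytes[f["dst"]] += f["bytes"]
    decisions = []
    for host, n in smtp_conns.items():
        per_min = n * 60 / window
        if per_min >= SMTP_CONNS_PER_MIN and host not in ALLOWLIST:
            # block the mail ports and ask the customer to explain
            decisions.append(("block_smtp", host, f"{per_min:.0f} SMTP conns/min"))
    for host, b in inbound_bytes.items():
        bps = b * 8 / window
        if bps >= DDOS_BPS:
            # flood toward one VPS: notify the customer, blackhole its traffic
            decisions.append(("blackhole", host, f"{bps / 1e9:.1f} Gbit/s in"))
    return decisions

def sample_flows():
    """Constructed one-minute flow sample, not real traffic."""
    flows = []
    for i in range(120):  # spamming VPS: 120 connections to port 25
        flows.append({"src": "203.0.113.5", "dst": f"198.51.100.{i % 250 + 1}",
                      "dport": 25, "bytes": 4000})
    for i in range(120):  # allow-listed customer sending a legitimate mailing
        flows.append({"src": "203.0.113.10", "dst": f"198.51.100.{i % 250 + 1}",
                      "dport": 25, "bytes": 4000})
    for _ in range(3):    # ordinary host sending a few mails
        flows.append({"src": "203.0.113.20", "dst": "198.51.100.1",
                      "dport": 587, "bytes": 2000})
    for i in range(100):  # flood toward one customer: 100 flows of 1 GB each
        flows.append({"src": f"192.0.2.{i % 250 + 1}", "dst": "203.0.113.7",
                      "dport": 80, "bytes": 10**9})
    return flows
if __name__ == "__main__":
    for action, host, detail in analyze(sample_flows()):
        print(action, host, detail)
```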

Second - customer analysis


Practice has shown that if the client's name looks like Vera F. Talbott, Alice Grimes, Darinka Korten or Lena Miro and the word "blog" appears in the host name, then most likely the blog of this nice girl will be indistinguishable from the page of a well-known foreign bank or the login page of paypal.com. Apparently these are some new trends in modern blogging, but for some reason the banks and PayPal don't like them, and neither do we. We have nothing against bloggers (we actually do, but only against certain trends), but we believe one should work a bit harder on the uniqueness of a blog's design. Therefore we do not even activate such clients, and at the same time we do not refund the payment. Although, to be honest, no such client has yet applied for a refund.

Third - copyright complaints


We often receive complaints about hosting content that falls under copyright law. In this case we enter into correspondence and ask the client to remove the content that is illegal (in the opinion of the copyright fighters) from the site. But, most importantly, of this whole list of criminals, only a couple of times did the complaints come from Spamhaus, and often only after the client had already been blocked. Nevertheless, Spamhaus was in no hurry to delete these IPs from its database, and in reply to our requests wrote something like:
"We see that this IP address is still reachable; we demand that you block it and tell us what measures have been taken."
We, of course, wrote back:
"Yes, it was, but the site was deleted long ago and the client is blocked."
After a long correspondence Spamhaus deleted the individual entry. But all of our networks remained in their database with the terrible inscription "this network is listed on the Spamhaus Block List".

Fourth - alleged criminals


The largest category. We regularly landed in the lists with the wording "Neurevt Cybercrime domains de-conflict.ru, profitmax.org etc.". It was simply impossible to track such clients. It looks like an ordinary customer orders a VPS, and almost immediately after the order, or at most a day later, we receive an abuse report from Spamhaus. We block and enter into a long correspondence. By the way, Spamhaus removes this type of record quite reluctantly. They simply ignore our messages that the client has been blocked. Nevertheless, such records appear at least 2-3 times a month. I can hardly imagine a person who, 2-3 times a month, buys a virtual machine on the same hosting, knowing in advance that it will be removed within an hour or, at most, a day, without any compensation.

After thinking it over and applying the old Roman principle "Cui prodest?", we realized that this could be profitable for only one organization, namely this very Spamhaus. What is their profit? I will write about it below.

Major Federal Operator


We continued to work with the Major Federal Operator, occasionally receiving letters from their security service asking us to respond to Spamhaus's complaints, which we already answered lightning-fast at any time of the day or night. Spamhaus put this operator on its blacklist because of imaginary complaints. Moreover, the complaints that had been removed for us hung on the operator for months (and still hang). We talked a lot with the operator's support, forwarded our correspondence with Spamhaus and argued that we are good and do not engage in any "such" activity. In the end we received an official letter from them asking us to respond officially as well. We officially replied that we had never engaged in any illegal activity and did not plan to in the future, that Spamhaus is an organization of international cyber fraudsters with no authority on the territory of the Russian Federation, that there is a corresponding letter from Roskomnadzor, and that their actions are illegal. We received assurances that everything was fine, the operator's employees already knew this, and they did not plan to block us on this contrived pretext. Taught by bitter experience, we of course began negotiating with another Major Federal TIER1 Operator, but we were just a bit too late...

Karma


In our company we use Slack (not an advertisement) for communication between employees, since many of them are remote and it is impossible to gather them all in one place. One evening in chat we discussed whether to block a small client whose problems were making other clients, ones bringing the company much greater profit, suffer. The engineers were clearly in favor of blocking, with the wording:
"Yes, he is nothing but trouble, he just doesn't know how to use Linux; let the lamer learn to fight botnets."

My position as head of the company was unambiguous: it does not matter what kind of client it is, large or small. The client trusts us because he brought us his money, and that, I believe, is the basis of any business. The most important person in any company is not a technical genius or a director but the person who believed in the company and brought it his hard-earned rubles, dollars or yuan. The whole business is built on customers; they are the most important people, and solving customer problems is the most important thing, thanks to which the company lives and develops. If there are no people who bring their money into the organization, there will be no programmers, system administrators, directors or secretaries.

However, I digress. My position was to help the client, even for free, and teach him the basics of security. So where is the karma? Well, the Major Federal Operator did not think so. Literally the next day, sitting in traffic on the Garden Ring, I saw a pile of messages from the bot in Slack saying that our entire infrastructure was down (we use Zabbix to monitor the infrastructure, and in case of problems it immediately posts to the general Slack channel what exactly went down and where). I immediately dialed our manager at the operator with the question:
"Didn't you block us?"
To which I received the answer:
"No, everything is fine, I'm looking: your order is active."
I called the provider's support; they also assured me that everything was fine, but created a ticket and promised to call back. Of course, as in the first case, we had a backup. And we saw that our announcements were going out through the backup channel and everything seemed as good as it should be. But we could not see half of the Internet. The manager called back and said that we were nonetheless blocked on the personal instruction of their vice-president, and he could do nothing about it. I asked for at least a few days to connect another uplink, and he promised to try to help. But the question remained: why was the backup channel working so crookedly?

It turned out that besides dropping our BGP session, the Operator had also completely blocked all transit between our AS and other networks. That is, all the traffic exchange points in which the operator participated simply did not accept traffic from our networks. And since half of the traffic in the country goes through this operator, we simply could not see half of the country and almost half of the world. After long negotiations the operator restored transit to us on the condition that we provide a new AS within three days. But I think that as soon as this new AS starts announcing our networks, we will immediately receive a pile of escalations from Spamhaus against this AS. So now we are working on connecting to Federal TIER1 Operator #2 in accelerated mode.

Who is Spamhaus?


I will now return to the title: how can one still make millions fighting cybercrime? I studied a lot of information on the question of who the "non-profit organization" Spamhaus really is and what its profit and pressure methods are. The most competent article I came across is here.

Briefly retold: Spamhaus is a crook (you could stop reading here). Of course, under the guise of combating spam, they are engaged in extortion and racketeering, shaking down small and medium-sized hosting companies as well as Internet service providers. What is their "business model"? Everything is very simple: you are blacklisted, getting out of the blacklist is almost impossible, and they begin to pressure you through your upstream providers, forcing you to buy a package of services from a company affiliated with Spamhaus.

It would seem, well, what's the problem if some Thomas has blacklisted you? The problem is that many large mail services and companies (as the author of that article writes, often for kickbacks) use the blacklists from Spamhaus, and mail from your clients will not reach recipients at those who use Spamhaus lists.
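The mechanism behind that last sentence, as an added example rather than anything from the original post: a receiving mail server reverses the octets of the connecting IP, prepends them to the DNSBL zone name, and treats an A record inside 127.0.0.0/8 as "listed". The zone name and return-code meanings reflect Spamhaus's public documentation as this example understands it (an assumption to verify against their current docs); the resolver is injected so the check runs offline, and all IPs and answers are constructed.

```python
import ipaddress

ZONE = "zen.spamhaus.org"
# last-octet meanings for the zen zone (assumed from Spamhaus documentation)
ZEN_CODES = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone=ZONE):
    """Build the query name: 192.0.2.1 -> 1.2.0.192.<zone>"""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_check(ip, resolve, zone=ZONE, codes=ZEN_CODES):
    """resolve(name) returns the A records for name as strings, [] on NXDOMAIN.
    Returns (listed, reasons). Answers outside 127.0.0.0/8 are ignored:
    a wildcarding or captive resolver must not turn into a false listing."""
    reasons = []
    for a in resolve(dnsbl_name(ip, zone)):
        a_ip = ipaddress.IPv4Address(a)
        if a_ip not in LISTED_RANGE:
            continue
        reasons.append(codes.get(int(a_ip) & 0xFF, f"unknown code {a}"))
    return bool(reasons), reasons

# constructed resolver data standing in for live DNS (not real listings)
FAKE_ZONE_DATA = {
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.2"],               # SBL only
    "7.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.11"], # XBL + PBL
    "9.113.0.203.zen.spamhaus.org": ["198.51.100.1"],            # bogus wildcard
}

def fake_resolve(name):
    return FAKE_ZONE_DATA.get(name, [])

def mta_decision(ip, resolve=fake_resolve):
    """What a reject-on-listing MTA policy would do with this sender IP."""
    listed, reasons = dnsbl_check(ip, resolve)
    return "REJECT " + ",".join(reasons) if listed else "DUNNO"

if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.7", "203.0.113.9", "203.0.113.42"):
        print(ip, mta_decision(ip))
```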

Many large operators have long since stopped responding to Spamhaus. For example, in China an arrest warrant has been issued for Stephen John Linford, the leader of Spamhaus. Spamhaus once blocked entire countries such as Latvia and Turkey, completely blocked the Google network, and still blocks the entire Chinese network; beeline.ru was listed as nothing less than "spammer webhosting", as were many Rostelecom networks; their lists also include major foreign hosting companies such as OVH.

What do we intend to do next?


Well, by and large we have no choice. Either, as they write, we return our networks to RIPE, or we pay them money (and we'll have to pay them all the time), or we sue them. Going to court against them works poorly. In the US they have already lost a number of cases, but announced that the courts were captured by cybercrime and that they do not submit to US jurisdiction. One could, of course, try to appeal to the magistrate's court of the Zyuzino district (I have nothing against this beautiful area or its magistrate's court) and try to win a case demanding that spamhaus.org be blocked on the territory of the Russian Federation and Pornhub unblocked, though I don't really see how that could affect their lists. In general, the question remains open today. But the most important thing I want to say with this article is that scammers will keep using hosting companies and operators for as long as someone uses their so-called blacklist. As the Major Federal TIER1 Operator told us, their main problem is mail from their networks, and a lot of system administrators still use Spamhaus lists to filter mail! I would like to ask the community: what is the point of blacklists for e-mail in 2016?

Source: https://habr.com/ru/post/313316/

