As MCI Boots Proxy Spammer, New Bagle Trojan Turns Up

Under mounting pressure from spam-fighting groups, MCI has booted a company known for software that sends spam through computers compromised by Trojan horses. Just days later, a Bagle variant whose payload attacks security software has been detected.

Send-Safe.com was notorious for selling software that let spammers send bulk mail through computers infected by mass-mailing worms and Trojans such as Sobig. A campaign led by the spam-fighting group Spamhaus finally compelled MCI to drop the company.

Send-Safe spent the weekend on a Russia-based host, then moved to a host on the Lycos Tripod network until Lycos booted it as well. But even though the company is now without a Web host, the software already in spammers' hands still works, Spamhaus said.

Meanwhile, on February 28 a new Bagle variant was detected. Unlike the earlier Bagle worms it does not self-propagate: the recipient has to open it directly. E-mails carrying the new variant, known as BagleD1-L, include zip-file attachments; opening the zip reveals a program named doc_01.exe or prs_03.exe, which has to be run manually before the computer is infected.
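The delivery chain described above (mail, then a zip attachment, then an executable inside it) is exactly what a mail gateway can check for before a user ever sees the attachment. The following is an added example written for this article, not code from the article, Sophos or any vendor: it builds a constructed sample message with a zip attachment, then scans the message for zip attachments that wrap executables. The extension list and the sample file contents are the example's own assumptions; the member name doc_01.exe is taken from the article.

```python
"""Flag e-mail attachments that are zip files wrapping executables.

Added example for this article, not code from the article or a vendor.
The sample message is constructed inline; the extension list is an
illustrative assumption, not an exhaustive one.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will run when double-clicked (assumption: illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def executables_in_zip(data: bytes) -> list[str]:
    """Return archive member names whose extension is executable.

    A truncated or non-zip payload yields an empty list instead of raising,
    so a malformed attachment never crashes the scanner.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if any(n.lower().endswith(e) for e in EXECUTABLE_EXTS)]


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (attachment filename, embedded executable) pairs for a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Decide by content (zip local-file-header magic) as well as by name;
        # the declared MIME type is under the sender's control.
        if payload.startswith(b"PK\x03\x04") or fname.lower().endswith(".zip"):
            for exe in executables_in_zip(payload):
                findings.append((fname, exe))
    return findings


def build_sample(zip_name: str, members: dict[str, bytes]) -> bytes:
    """Construct a test message with one zip attachment (constructed sample, not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Document"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed sample: a zip named like the ones in the article, holding a dummy .exe.
    sample = build_sample("doc_01.zip", {"doc_01.exe": b"MZ" + b"\x00" * 64})
    print(scan_message(sample))  # [('doc_01.zip', 'doc_01.exe')]
```

The check keys on the zip magic bytes as well as the filename because a sender can label the part with any MIME type; a clean archive (text files only) and a corrupt or non-zip payload both return no findings rather than an error.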

The new Bagle is believed to disable security software on the infected machine, but so far no further malicious payload has actually been found being delivered through the Trojan.

"Any Trojan horse which turns off your antivirus or firewall can open you up to further attack, even by very old viruses," said a statement from Sophos senior technology consultant Graham Cluley. "This Trojan horse is aiming to take advantage of people's reflex reaction when they receive an executable file via email. Users who want to install software on their computer should be receiving it from their IT department, not from friends at other companies or potentially dangerous spam mailings."

The timing of the new Bagle relative to the isolation of Send-Safe matters to security and anti-spam analysts because they believe over 70 percent of the world's spam is sent through computers infected with Trojans and other malicious programs. The most recent version of Send-Safe's software lets a spammer relay mail from such hijacked proxy computers through the upstream Internet service providers' main mail servers, rather than sending it directly from the infected machines, according to Spamhaus.

MCI isn’t exactly off the hook just because it dumped Send-Safe. Spamhaus and other anti-spam groups and workers say the telecom dropped the company not out of any change of heart but because it felt the heat. MCI has long been accused of giving safe haven to too many spammers, a charge the company has consistently denied.

“The amount of heat it was getting was too much to handle,” said Spamhaus director Steve Linford. “Nobody else in the West will host Send-Safe but we still expect to be fighting its developers for years.”

“We take all allegations of illegal or abusive conduct on our network seriously and do not comment on specific enforcement actions,” said MCI in a statement. “MCI vigorously enforces our Acceptable Use Policy (AUP) and violators are subject to corrective action up to and including termination of MCI services. MCI also works with the appropriate law enforcement agencies to enforce anti-spamming laws.”

Send-Safe, for its part, has no intention of going gently into that good gray cybernight. “Due to antis pressure our site is down,” said a message at its URL. “We are going to make Send-Safe for free, you will be able to download free unlimited Send-Safe Standalone version here at March 7 2005.”