Anti-spam campaigner Spamhaus has accused US-based Internet service provider MCI of hosting a Web site that distributes malware used by spammers.
In an article published on its Web site last Friday, Spamhaus alleged that the telecoms giant's servers are home to the Web site of a 'bulk-mailing' programme called Send-Safe.
Spamhaus said that Send-Safe takes remote control of broadband computers. This enables spammers to use these compromised computers, or zombies, as proxy servers to send masses of emails without the owners' knowledge. As reported last week, this can let a spammer evade spam blacklists.
"This for Spamhaus is the crux of the spam problem," the report said. "Because MCI WorldCom not only know they are hosting the Send-Safe spam operation, MCI's executives know send-safe.com uses the MCI network to sell and distribute the illegal Send-Safe proxy hijacking bulk mailer, yet MCI has been providing service to send-safe.com for more than a year."
Later in the report, Spamhaus wrote that MCI executives have refused to stop providing services to spam gangs.
"For over two years Spamhaus has repeatedly informed the same MCI executives that the distribution of 'stealth' anonymous spamware is also illegal in the State of Virginia where MCI UUNet is based," said Spamhaus.
"In other words, we do not simply see MCI's knowingly servicing known spam gangs as highly unethical activity for an ISP to be involved in, we also see it as being illegal in MCI UUNet's home state."
However, MCI has denied that it hosts the Send-Safe Web site, saying that it was hosted by another company that leased a line from it.
"I'm familiar with the allegations," Timothy Vogel, director of MCI's technology and network legal team, told ZDNet UK. "Every Internet provider has spammers on its network. If they send spam, that's a violation of policy and we would take action to take them down.
"At this moment we have no complaints of Send-Safe sending spam. Send-Safe certainly could be used for illegal purposes. But if someone used a crowbar to burgle a house, you don't arrest the hardware store. We take the allegations very seriously."
Spamhaus refuted Vogel's claims, insisting that it had found the Web site to be linked to the telecoms company's network.
Security experts at MessageLabs confirmed that the Send-Safe program was malicious. According to MessageLabs, Send-Safe was behind a recent spate of spam attacks on Internet service provider mail servers. It added that the program was able to manipulate any computer that was infected with versions of the SoBig, Sober and MyDoom viruses, using them to send spam via an ISP's mail server to avoid being blocked by a blacklist of domain names used by known spammers.
"There's a new version of Send-Safe affecting anything with blacklisting capability," said Mark Sunner, chief technology officer for MessageLabs. "Are we going to see more spam because of this? Yes. I don't want to be accused of scaremongering, but we are."
"Here we have a brilliant example of how spammers have found a way of getting around filtering. You can bet your life that service providers are seeing a big increase in traffic on their mail servers."
Spamhaus said that new versions of Send-Safe were being released on the same time frame as new SoBig virus variants, suggesting a link between the program and the virus.
Talkback
The server hosting the offending site has these headers:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 22 Feb 2005 18:43:24 GMT
X-Powered-By: ASP.NET
Connection: close
Content-type: text/html
X-Powered-By: Electricity
X-Accelerated-By: GeForce4Ti
Never seen headers quite like those before. Sort of looks like a joke.