SAN FRANCISCO, 8 MAY2009 - It's a great deal, if you're a spammer.
You pay US$700 to use a server in China that lets you send all the spam you like. It's called bulletproof hosting, and to the people who fight spam and cybercrime it's becoming a big problem.
Cybercriminals use these services not just to host servers, but also to register Internet domain names that they use for spam and online attacks. In a three-month period this year, researchers at the University of Alabama at Birmingham traced more than 22,300 domains, all used to send online pharmaceutical spam, to just six bulletproof computers hosted in China, said Gary Warner, director of research in computer forensics at the university.
The Waledac Trojan, which uses clever social-engineering techniques to spread itself, has been using bulletproof domain names to keep itself alive, Warner said. "We had over 70 domains that the entire community worked their butts off and tried for four months to try to shut," he said. "Because we can't shut down the domain names we can't shut down the spread of the virus."
Bulletproof domain-name registration is even cheaper than bulletproof servers. A criminal can anonymously register a bulletproof domain for $100.
Several dozen bulletproof hosting services operate worldwide, but the "vast majority" of them are in China, Warner said. Even scammers from countries considered soft on spam use the services because they are so reliable, he added. "Even the Russians use the Chinese bulletproof registrars."
The providers are upfront about what their services are used for.
Here's how one company, Tecom, promotes its service: "Usually, your web hosting provider will shut down your web site within days, or even sooner, if they find out you are sending bulk e-mails and directing people to your site on their server. Bullet-Proof Web Hosting helps you to direct customers to your web site, and you won't have to worry about being shut down because of spam complaints."
Tecom says its services, which are hosted in "major cities in China," cannot be used for online gambling or pornographic material, however. China's Ministry of Public Security has cracked down on Internet pornographers since the mid-1990s.
When a domain is being used for spam or to spread malicious software, security researchers usually use an established protocol to report the domain to its registrar, who can then remove it from the Internet.
That doesn't work with bulletproof domains, because the registrars simply ignore the take-down requests. "I think there's some confusion about how the Internet community needs to work together," Warner said. "There are just these grey spaces [for Chinese companies] ... 'Should I have to terminate a domain because an American company told me to?'"
China has recently toughened its cybercrime laws and arrested some alleged identity thieves. Warner hopes these moves will presage a crackdown on bulletproof hosting. "This is the next area for them to tackle," he said.
Sign up for CIO Asia eNewsletters.