Major spam operation suffers data leak containing 1.4 billion records
Major spam operation suffers data leak containing 1.4 billion records

A spamming group called River City Media (RCM), led by well known spammers Alvin Slocombe and Matt Ferris, has had its database of 1.4 billion records leaked.

Revealed by MacKeeper Security Researcher, Chris Vickery in cooperation with CSO Online and Spamhaus, the researchers“stumbled upon a suspicious, yet publicly exposed, collection of files. Someone had forgotten to put a password on this repository and, as a result, one of the biggest spam empires is now falling.”

The files leaked contain 1.4 billion email accounts combined with real names, user IP addresses, and often physical address. RCM is believed to have amassed the information through “offers such as credit checks, education opportunities, and sweepstakes.”

The database is used by RCM, which masquerades as a legitimate marketing business, and as a result sends up to a billion emails a day.

Vickery said: “Think about that for a second. How can a group of about a dozen people be responsible for one billion emails sent in one day?” and goes on to accuse RCM of conducting years of research into automation and fair bit of illegal hacking techniques to facilitate the amount of emails being sent.

He adds: “I say illegal hacking due to the presence of scripts and logs enumerating the groups' many missions to probe and exploit vulnerable mail servers. The following chat log, found among the backups, is just one example of River City Media crew members admitting to exploitative behaviour.”

One of the main hacking methods which Vickery describes is the use of Slowloris attacks by RCM, where the “spammer seeks to open as many connections as possible between themselves and a Gmail server,” by “purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections.”

This means that when “the Gmail server is almost ready to give up and drop all connections, the spammer suddenly sends as many emails as possible through the pile of connection tunnels. The receiving side is then overwhelmed with data and will quickly block the sender, but not before processing a large load of emails.”

Vickery says, “The twist here is that the spammer is not trying to completely disable the receiving server, he is only temporarily stressing the resources in order to overwhelm and force the processing of bulk email.”

The researchers have sent the other more abusive scripts and techniques to Microsoft, Apple, and others affected. Law enforcement have been notified and are reported to have “expressed interest in the matter.”

Vickery told SC Media UK that the privacy implications here are serious: "Normally it takes a legal process for law enforcement to get the identity behind an IP address or email account. Now we know that lists as large as 1.4 billion exist that make it possible to bypass legal protections. Anyone looking to harass, harm, or even locate an individual would find such a list invaluable."

As of this morning, Spamhaus will be blacklisting RCM's entire infrastructure. Slocombe and Ferris have been contacted for comment and this article will be updated with their responses.