MCI is hosting illegal spam-sending software

MCI is allegedly hosting a site called send-safe dot com. A Russian is selling a program that can be used to turn computers infected by Sobig into spam-sending proxies, even using the ISP’s mail server to send the spam.

MCI has had them on their network for over a year, and now they’re even denying that they’re hosting the site.

I did some digging.

Turns out there are several sites selling spamware on that server, according to whois.sc. I didn’t check ALL the domains, because I don’t have the silver membership. But what I found was enough to let me know something’s wrong here… There was one seemingly innocent site there too, though. A sick joke repository.

The most interesting little item I found was this:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 22 Feb 2005 18:43:24 GMT
X-Powered-By: ASP.NET
Connection: close
Content-type: text/html
X-Powered-By: Electricity
X-Accelerated-By: GeForce4Ti

Those are the headers the server sends when accessing send-safe. I’ve NEVER seen headers like that, and neither had Google. Looks like a joke.

In fact, it seems specific to that site, as other sites hosted on the server have more normal headers. Though I was a bit perturbed by the obscenely long-lasting cookie (lasting until 2010) on all sites except send-safe. It’s actually a server-wide setting, since it also affects the IP number when accessed.
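The comparison described above, as an added example that is not part of the original post: it parses the send-safe headers quoted earlier and diffs them against another site on the same server. The neighbouring site's headers (including the cookie name and exact expiry date) are constructed for illustration, and the function names are hypothetical.

```python
from collections import Counter

# Headers for send-safe, copied from the capture quoted in the post.
SEND_SAFE = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 22 Feb 2005 18:43:24 GMT
X-Powered-By: ASP.NET
Connection: close
Content-type: text/html
X-Powered-By: Electricity
X-Accelerated-By: GeForce4Ti
"""

# Constructed stand-in for a neighbouring site; the post does not show these.
NEIGHBOUR = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 22 Feb 2005 18:44:02 GMT
X-Powered-By: ASP.NET
Connection: close
Content-type: text/html
Set-Cookie: EXAMPLEID=constructed; expires=Fri, 01-Jan-2010 00:00:00 GMT; path=/
"""

def parse_headers(raw):
    """Return (name, value) pairs, names lower-cased, duplicates preserved."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break                      # a blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def compare(site_raw, baseline_raw):
    """Report how one virtual host's headers differ from a neighbour's."""
    site, base = parse_headers(site_raw), parse_headers(baseline_raw)
    counts = Counter(name for name, _ in site)
    base_names = {name for name, _ in base}
    return {
        "repeated": sorted(n for n, c in counts.items() if c > 1),
        "only_on_site": sorted(set(counts) - base_names),
        "only_on_baseline": sorted(base_names - set(counts)),
        "changed_values": sorted(p for p in site if p[0] in base_names
                                 and p[0] != "date" and p not in base),
    }

if __name__ == "__main__":
    print(compare(SEND_SAFE, NEIGHBOUR))
```

A header name repeated within one response, or present on only one virtual host of a shared server, points to a per-site override rather than the server-wide default.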

I noticed that MCI also offers colocation. Reading between the lines here, I wonder if that’s what’s going on? A spam-friendly outfit has a server there, and MCI are covering for them?

Check out what Spamhaus has to say about this case.
