Slashdot Mirror


P2P Spam?

Sgt York writes "In a NYT article (republished in the Houston Chronicle, no subscription required) experts at CERT, F-secure, Trusecure, and the Hall of Justice (see article) think that SoBig.F is a spam scheme in the making. They say that SoBig.F is the 6th variant in an ongoing experiment with the possible goal of setting up a distributed spam network, to be rented out to the highest bidder. If that is their goal, they are well on their way. Another disturbing note in the article is that "In the case of four of the six programs, a new version was launched immediately after the self-timed expiration date of the preceding one". SoBig.F expires in two weeks. "

30 of 340 comments

  1. Truly P2P if SOBIG.G contains the spam message by JohnGrahamCumming · · Score: 4, Insightful

    I think the superheroes involved in the SOBIG fight miss the entire point.
    The authors are probably testing the feasibility of sending out a virus (which,
    given the number of copies I receive, will happily be opened by people) and
    then simultaneously sending out spam messages to the same group of people.

    There's no need for the SOBIG authors to control the machines after SOBIG has
    been executed. They just need to include the spam message in the virus
    itself.

    That would make it truly P2P spam. Unsuspecting user X who opens SOBIG would
    transmit the mechanism for sending more spam and his portion of the spam
    deluge. Of course there could be a downside to all this: once the blacklist
    people start cutting off EVERY ISP in the world because of spam messages, SOBIG
    would defeat itself because no one would be getting mail.

    John.

    1. Re:Truly P2P if SOBIG.G contains the spam message by Brad+Mace · · Score: 5, Insightful

      They'd need some big balls to associate their company name with a virus. Once the identity of the people unleashing viruses AND sending tons of spam is known, they won't exist for long. For that reason alone I'd say it's much more likely they'd be setting up a distributed spamming network.

    2. Re:Truly P2P if SOBIG.G contains the spam message by RatBastard · · Score: 4, Insightful

      But the spam message is not for the person whose computer is infected. It's for every email recipient that that computer user knows. The P2P spam network created in this way would be HUGE and unblockable. Who is going to block every subnet on earth? Not gonna happen. The best we can hope for is that ISPs get smart and start blocking SMTP ports on all IP addresses not registered as SMTP servers.

      This could turn into a VERY ugly mess.

      --
      Boobies never hurt anyone. - Sherry Glaser.
    3. Re:Truly P2P if SOBIG.G contains the spam message by IM6100 · · Score: 5, Insightful

      That's interesting. A formal registry of SMTP servers.

      Will we soon be formally registering all people running an HTTPD in the same fashion?

      --
      A Good Intro to NetBS
    4. Re:Truly P2P if SOBIG.G contains the spam message by frankthechicken · · Score: 3, Insightful

      I thought this as well, until I realised that regular spam services are still profitable enterprises for their clients. If these companies can stand to be associated with spam, I'm fairly sure they can stand to be associated with a virus.

    5. Re:Truly P2P if SOBIG.G contains the spam message by _krimson_ · · Score: 1, Insightful

      SoBig doesn't use a hole in Outlook. It uses the hole in people's brains where the information that says "don't open attachments you don't know the origin of" is supposed to be.

  2. So the highest bidder gets to spam? by iplayfast · · Score: 5, Insightful

    OK, so some company decides to buy. Wouldn't they now be liable for unauthorized use of the computers? Why would a company take the risk? I think this is a red herring, and that it's just another way for worm/virus writers to justify themselves to the world (and themselves).

  3. This can't be right by corebreech · · Score: 2, Insightful

    Couldn't we then find out who wrote the virus just by interrogating the companies who benefit from the advertising?

    1. Re:This can't be right by 87C751 · · Score: 3, Insightful
      Couldn't we then find out who wrote the virus just by interrogating the companies who benefit from the advertising?
      Others have done this, but what they typically discover is a chain of fronts and cutouts that provide an insulating layer of plausible deniability. As soon as an investigation starts to traverse the chain, key links dissolve and the trail goes cold. Besides, Mr. SoBig could easily market his zombie army's services without so much as a single customer even hearing his voice on the phone.
      --
      Mail? Put "slashdot" in the subject to pass the spam filters.
  4. Re:huh? by wmaker · · Score: 4, Insightful

    No one actually knows how he/she got the list though. The person wrote the virus, gains the list, and sells it. No questions asked about HOW he got the e-mail addresses.

  5. A Bad Thing? by sethadam1 · · Score: 4, Insightful

    If the entire internet were absolutely smashed with spam, at least one good thing might emerge - the will to actually combat it realistically!

    With all the techno-dweebs on this site and all the fantastic opinions about whitelists and blacklists and graylists and modifying SMTP and replacing SMTP and handshakes and authentication and a million other solutions, perhaps someone, somewhere, will finally begin to make a dent in actually dealing with the spam problem.

  6. Re:huh? by Anonymous Coward · · Score: 1, Insightful

    Yeah, you are missing something. Like the fact that not all business is conducted over the counter, service-with-a-smile-style.

    As an example, most convenience store owners don't sell heroin..and if they do, you probably don't know about it. Same sort of deal.

  7. Re:Bad plan by Wiseazz · · Score: 2, Insightful

    Most companies that spam me on a regular basis probably aren't interested in PR.

    Unless herbal penis enlargers are now a legit business. Last I checked, no such luck. Maybe if it worked... well, so I'm told.

    --
    My sig sucks.
  8. Hence, GPG. by sethadam1 · · Score: 2, Insightful
    That's when encryption will be publically adopted.

    1. Re:Hence, GPG. by RollingThunder · · Score: 3, Insightful

      Not necessarily encryption, but more likely signing.

    2. Re:Hence, GPG. by Inode+Jones · · Score: 2, Insightful

      Which will be useless unless you can prove that signing cannot happen without human intervention.

      If the GPG secret key is on a Windoze user's hard drive, then what stops the virus from waiting in the background, sniffing the passphrase, then invoking GPG itself?

      My prediction: viruses will be used for industrial espionage:

      1. Infect home PC of target, and do nothing noticeable.
      2. Wait until VPN into employer comes up.
      3. Fetch secret info and store on hard drive.
      4. Wait until VPN link is dropped and regular Internet access is once again possible.
      5. Send secret info to instigator.

    3. Re:Hence, GPG. by IM6100 · · Score: 2, Insightful

      Not hardly. If and when 'encryption' is publically adopted, it will be with a wobbly plug-in to Outlook Express or something similar. It'll become the new security nightmare.

      --
      A Good Intro to NetBS
  9. Fixed hosts don't work, but... by RobertB-DC · · Score: 5, Insightful

    I suspect that the 20 hardcoded download sites in the current variant are a proof-of-concept, not a future strategy. Every time a virus is exposed that tries to download from some fixed location, I've wondered why virus writers would even try such a thing, when it's obvious that white hats will reverse-engineer their code?

    What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.

    For even better effect, use a moderately common word or phrase that Google couldn't remove from its index without causing big problems.

    On the non-technical side... I was struck by the post in a previous SoBig discussion that noted that this variant expires on 9/10, and if the F-Secure expert is right, that's not a good sign:

    "I think the motivation is clear. It's money," said Mikko Hypponen, director of anti-virus research at F-Secure, an antivirus firm based in Finland that is decoding the illicit program. "Behind Sobig we have a group of hackers who have a budget and money."

    If there's a budget and money, then there's organization, and I'm concerned about the organizations that might see 9/11 as a good day to launch a distributed attack.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    1. Re:Fixed hosts don't work, but... by Simon+Brooke · · Score: 5, Insightful
      What if the next version uses something more flexible... like a Google search on some particular string? Spend a few months sprinkling links to the download on servers around the world, with pages containing some unique string (call it "foo123"). When the next virus activates, it does a Google search for "foo123", and downloads its replacement. As fast as hosts are removed, more can be created and indexed.

      OK, let's see how you would do it...

      The payload of the original virus would be an encrypted peer-to-peer daemon somewhat like Freenet, except that it would only allow uploads signed with a particular digital signature. The client would of course have to include the public key of that signature, but not the private key.

      Once infected a machine would open a listening port and attempt to connect to machines chosen randomly but with a bias to its local class C (as with CodeRed). Once contact has been established the machines would exchange IPs so that each could recontact the other. Each machine would continue to probe for peers until it had found a certain number - say twenty - and then it would remain quiescent, just listening. Periodically (say weekly) it would handshake again with its known peers, and if any failed to handshake twice successively it would seek others until it had again reached quota.

      Once the virus was widespread the author would send a signed file to one infected machine. The name of the file would be a unique string (for simplicity of exposition say a serial number, although any systematically unique string would do) so the first file the virus author injected might be 0001, the next 0002 and so on. The machine would accept the file as genuine because it could decrypt it with its local copy of the public key, and would pass it on unchanged to all the other infected nodes it knew about. If a machine had already received 0001 and was offered 0001 by a peer it would refuse it to save time and network congestion - not to be nice to other users, but because if the thing blocked up network bandwidth completely, it wouldn't be able to do its own dirty work.

      The signed files could contain

      1. a list of targets and a date/time. When the action date/time in the file was reached, the virus would mount a DDoS attack on the hosts listed in that file for twenty four hours and then delete the file.
      2. the URL of a file to load and then spam out in the same way the virus itself originally spread. Because this file doesn't have to be put up before the virus is launched it could be put up on any defaced site anywhere and need not be traceable back to the author.
      3. a hotfix patch to the virus itself, which would immediately be installed and run.

      This would be incredibly difficult to defend against because

      • in DDoS mode the hosts to be attacked wouldn't be known until the attack file began to propagate - and it could propagate very, very fast indeed, since the peer-to-peer network has connected itself in advance.
      • It would be impossible to introduce 'white' payloads into the network because only the author would have the necessary private key.
      • Because of the upgrade facility, as defences against the virus became available the author could inject into the network 'hot fixes' which would work around these defences.
      • Because the author could inject new signed files into any infected node, it would be very difficult to track down where they were being injected.

      Furthermore, the network could be used to launch several sequential attacks, which would not even need to have been planned at the time the virus was written. The author could, in effect, sell use of a flexible, massively distributed mass-UCE/DDoS attack engine to the highest bidder...

      Hang on, hang on... just wait until I get a patent on that idea!

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
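The signed-command flooding that Simon Brooke sketches above (and that answers RobertB-DC's objection to hardcoded download sites) can be simulated in a few dozen lines. What follows is an added example written for this page; it is not code from either poster and not anything recovered from SoBig. It assumes Ed25519 as the signature scheme, a fixed ring-with-chords topology in place of the random peer discovery the post describes, and constructed field names (`Serial`, `Kind`, `Payload`). It shows the two properties the post relies on: a node refuses a serial it has already accepted, so a command is flooded once and then dies out, and a node refuses anything not signed by the embedded author key, so a defender who captures a node gets the public key (enough to recognise command traffic) but cannot inject a "white" hotfix.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Command is one control file in the post's scheme: a unique serial, an
// action type and an opaque payload. Field names are this example's own.
type Command struct {
	Serial  uint64 `json:"serial"`
	Kind    string `json:"kind"` // "ddos", "spam" or "hotfix"
	Payload string `json:"payload"`
}

// Envelope is the command bytes plus the author's signature over them.
type Envelope struct {
	Body []byte
	Sig  []byte
}

// Node is one infected host: it holds only the author's PUBLIC key, a peer
// list, and the serials it has already accepted.
type Node struct {
	ID       string
	authorPK ed25519.PublicKey
	peers    []*Node
	seen     map[uint64]bool
	Accepted []Command
	Offers   int // envelopes handed to this node by peers (incl. duplicates)
	Rejected int // envelopes that failed parsing or signature check
}

func NewNode(id string, pk ed25519.PublicKey) *Node {
	return &Node{ID: id, authorPK: pk, seen: map[uint64]bool{}}
}

// Sign is the author's side: only the holder of sk can produce a valid envelope.
func Sign(sk ed25519.PrivateKey, cmd Command) Envelope {
	body, _ := json.Marshal(cmd)
	return Envelope{Body: body, Sig: ed25519.Sign(sk, body)}
}

// Offer is the peer-to-peer handoff. Duplicates are refused before the
// signature check (seen only ever holds verified serials, so an unsigned
// offer cannot poison it), forgeries are refused and not relayed, and a
// fresh genuine command is stored and flooded unchanged to every peer.
func (n *Node) Offer(env Envelope) error {
	n.Offers++
	var cmd Command
	if err := json.Unmarshal(env.Body, &cmd); err != nil {
		n.Rejected++
		return err
	}
	if n.seen[cmd.Serial] {
		return nil
	}
	if !ed25519.Verify(n.authorPK, env.Body, env.Sig) {
		n.Rejected++
		return errors.New("signature does not match embedded author key")
	}
	n.seen[cmd.Serial] = true
	n.Accepted = append(n.Accepted, cmd)
	for _, p := range n.peers {
		p.Offer(env)
	}
	return nil
}

// BuildMesh stands in for the post's random peer discovery: node i gets
// out-peers i+1 .. i+degree on a ring, which is strongly connected.
func BuildMesh(count, degree int, pk ed25519.PublicKey) []*Node {
	nodes := make([]*Node, count)
	for i := range nodes {
		nodes[i] = NewNode(fmt.Sprintf("host%02d", i), pk)
	}
	for i, n := range nodes {
		for k := 1; k <= degree; k++ {
			n.peers = append(n.peers, nodes[(i+k)%count])
		}
	}
	return nodes
}

type Result struct{ GenuineAccepted, ForgedAccepted, TotalOffers, Rejected int }

// Simulate injects one genuine command at a single node, then has a defender
// who captured a node (public key only) try to inject an "uninstall" hotfix
// signed with a key of their own.
func Simulate() (Result, error) {
	var r Result
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	nodes := BuildMesh(50, 3, pk)
	nodes[17].Offer(Sign(sk, Command{Serial: 1, Kind: "ddos", Payload: "constructed target list"}))
	_, defenderSK, _ := ed25519.GenerateKey(rand.Reader)
	nodes[3].Offer(Sign(defenderSK, Command{Serial: 2, Kind: "hotfix", Payload: "uninstall"}))
	for _, n := range nodes {
		r.TotalOffers += n.Offers
		r.Rejected += n.Rejected
		for _, c := range n.Accepted {
			if c.Serial == 1 {
				r.GenuineAccepted++
			} else if c.Serial == 2 {
				r.ForgedAccepted++
			}
		}
	}
	return r, nil
}

func main() {
	r, err := Simulate()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // all 50 accept serial 1, none accept serial 2
}
```

With 50 nodes of out-degree 3 the genuine command costs exactly one initial offer plus three relays per acceptance (151 offers for 50 acceptances), which is the "refuse what you already have" economy the post is after; the forged hotfix is rejected at the first node and never travels. The practical consequence for defenders is the one the post draws: you cannot talk the network down, you can only cut off its hosts or detect the command traffic.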
  10. sobig.M kills blacklists? by glsunder · · Score: 4, Insightful

    What if the goal (or effect, either way) was to get things to the point where nearly everything was blacklisted for spam? The virus wouldn't have to send real spam, just fake spam in a way that would cause the person's ISP to be put on the blacklists. Once that happened, people would shut off the spam blocking software, and spam would reign supreme.

  11. Holy Crap by stratjakt · · Score: 4, Insightful

    They could be hunting spam relays. They could be looking to anonymously bounce kiddy porn. They could be looking for thousands of boxes to keep their warez .torrent files alive and kicking.

    Hey, I just thought of that. That'd rock, be much easier and more effective than hunting for pubs. You even have one of your drones host the tracker in the first place.

    Anyways, who cares. Patch your machines and shut up. We're seeing as many sobig stories as we are SCO, and it really isn't that big of a deal.

    --
    I don't need no instructions to know how to rock!!!!
  12. Eventually by zantolak · · Score: 2, Insightful

    I'd rather not be a doomsayer, but seriously: If all the spam and viruses continue, people will get so sick of it that they'll take serious action. Since the anti-spam laws are both ineffective and draconian, and very few spammers have been successfully shut down, and worms, trojans, and viruses run rampant despite the availability of patches and better OSes: Everyone will be using a strict whitelist, ISPs will remove the ability to send and receive attachments, and HTML email will be disabled because of the scripting risk. The spammers and malware writers will have forced us to cripple our own communications. Just my 2c.
    End wild prognostications.

    1. Re:Eventually by forkboy · · Score: 4, Insightful

      The other possible scenario is that prosecutors will start going after the company that advertised via the spam. I'd like that solution, I've been saying that should be going on for years...spammers will go away if people are now afraid to use that method of marketing for fear of hefty fines.

      --
      This message brought to you by the Council of People Who Are Sick of Seeing More People.
  13. Re:Unbelievable by Nurseman · · Score: 2, Insightful

    Yeah, right. You do know that more jails and more jail time doesn't lead to less crime?

    I don't know if that's the point, jail should be punishment for breaking the rules, and not worry about being a deterrent.

    --
    Save a Life. Donate Blood. Please.
  14. Re:SMTP IS DYING/DEAD by symbolset · · Score: 3, Insightful
    Erm, my sendmail install seems to still be working, and (checking) yes, it still delivers mail. SMTP seems to still be working.

    It's Exchange that seems to be dead. Given the sudden dearth of enlargement offers in my inbox, I have to say "it's a good thing."

    --
    Help stamp out iliturcy.
  15. Re:This is why ISPs are changing their SMTP rules? by 87C751 · · Score: 2, Insightful
    My ISP is not blocking port 25, and I have a colocated server -- but I send my mail through the ISP's relay.
    Ah, but does your ISP's relay allow you to use your own domain? I could do that too, but I'd have to use frobnitz@fuse.net or some such abomination as my return address. That's not why I own a domain.

    S'ok, though... DaemonPortOptions and a quick 'killall -HUP sendmail' took care of everything.

    --
    Mail? Put "slashdot" in the subject to pass the spam filters.
  16. Theory doesn't make sense by KeithH · · Score: 2, Insightful

    If this theory were true, then the "test" virii would be much more benign. Since they have been quite noticeable, people have been compelled to take steps to close the holes. I would suspect that the next variant will be much less of a nuisance than its predecessors simply because the target market has been substantially reduced.

    No, if I was looking for a fun conspiracy theory, I would enjoy suspecting that Microsoft has decided that this is a good time to have all their customers tighten up their security.

  17. Re:I hope this is true ! (no troll!) by Anonymous Coward · · Score: 1, Insightful

    something secure & authenticated (a la whitelists)

    What, exactly, is going to replace it?

    I keep hearing this, and nobody who's pushing it has any idea how to actually make it work, without A) destroying email completely, or B) being stuck with the same issues.

    I don't want to have to pay $125 per year (for a personal cert) just to be able to send email - but that's pretty much the only thing that will stop spammers (and it won't do that, either - I won't pay it, but I'm sure that spammers will, they'll just tack it onto the cost of doing business, just like their current $20 throwaway dialup accounts.)

    Spamming is a social problem, not a technical one - any system that allows free communication is vulnerable to abuse by sociopaths. The only technical way to stop spam is to make it stop being free - which will destroy its value to everyone else, too.

  18. The solution is fairly simple by Anonymous Coward · · Score: 1, Insightful

    Controlling e-mail better does not necessarily have to kill it: Firstly, you would have one protocol for server-to-server communications and another for client-to-server.

    Since the server-to-server protocol would require registering with some kind of mail-server authority, you can use Kerberos, for instance, without requiring a third-party certificate vendor.

    Your own ISP could manage their mail server in a similar manner, but even if the new protocol for mail clients required a cert, that cert could be issued by the mail server software itself. After all, you already have a relationship with your ISP and there is nothing more a third-party certification provider could do to verify your existence than your ISP does to insure they will get paid.

    If these new protocols include spam-reporting tools built into clients and servers, it would be simple for an ISP's mail server software to identify potential spammers by the incoming complaints and alert the mail administrator who could examine the evidence and dump you if you are spamming. As long as they know who you are, third-party certification is unnecessary.

    Incidentally, automated spam complaint tools would be the basis for a server-registering authority to enforce spam policies on registered servers. They wouldn't need to review every complaint, just mail originators that generate a certain critical mass of complaints. If you are legitimately managing an opt-in list ("sign up here for our newsletter"), any complainer would get removed automatically by your ISP's list software and the spam tools the registering authorities use could highlight repeat complaints or remove requests to uncover non-legitimate lists (without requiring list managers to register with anybody).

    As far as server managers paying fees to be registered, I would oppose that and it's really unnecessary. All of this could be paid for and managed by bandwidth providers, for instance. After all, reducing spam is in their own best interest. Or legislated fines for abuse could fund it. There are a lot of ways to do this without requiring server fees. Yes, fees for registering servers would severely stymie a lot of legitimate uses of e-mail: e-mail serving should be free, even if it is more managed.

    The problem of cutover could be managed by getting the updated clients out first and include the option to treat the two e-mail streams as entirely separate inboxes. Eventually users would be able to turn off non-secure e-mail reception at their server. Though standard SMTP should always be supported as a kind of semi-anonymous e-mail option. In fact, it could be turned into a deliberate anonymous e-mail service through regulated restriction of header attachment.

    Governments, also interested in reducing spam, could offer grants to support development of new protocol updates for "orphaned" server software or mail server versions that are running on outdated OSes or hardware-limited machines or grants that allow small-volume or low-income server owners to upgrade cost-effectively.

    There are other interesting things you could add while designing a new protocol. How about transparent client-to-server, server-to-server encryption? With accompanying legislation, you could build in a system that allows ISPs to comply with wire-tap warrants for specific individual mailboxes without giving authorities (or anybody with a packet-sniffer) the ability to read all the e-mail they want Carnivore-style. Ideally, the legislation would compel mail server vendors to include the ability to provide legitimate warranted e-mail monitoring while making illegal non-warranted "cooperation" by ISPs. Nothing about this would (or should) interfere with your right (or ability) to encrypt your private communications, it just means that if you do that, your e-mail would be encrypted twice.

    Anyway, fixing an old insecure protocol does not have to increase anyone's costs for using e-mail and ultimately will greatly reduce the cost of e-mail.

    -Robert

  19. Occam's Razor by janolder · · Score: 2, Insightful
    Come on boys and girls - I know it's fun to chat about conspiracies, but how likely do you think it is that some spammer creates a reasonably sophisticated worm like SoBig.[A-F] with the intent to create open relays when he can just as well use all the open relays out there instead?

    Keep in mind that writing and releasing a virus/worm/trojan requires a bit of skill and time and has the nasty side-effect of carrying significant jail time. Spammers don't have skill (or they'd be engineers), spammers don't have time (they have to work around filters all the time) and several years of jail time might not be too appealing to spammers either. Piggybacking on SoBig's backdoor for the purpose of spamming is guaranteed to have some nice FBI folks knocking on your door, confiscating all your equipment and looking for evidence of virus creation. Just a matter of time until you're read your rights from there on.

    I know people make a lot out of the fact that SoBig carries its own SMTP client engine. So what though? That feature enables SoBig to also use non-Outlook machines as staging areas. Simple.

    Use Occam's Razor and some common sense and see SoBig as what it is: a plain old worm somebody wrote to show off to his friends that has nothing to do with spam. Somebody as skilled as the worm writer probably hates spam as much as the rest of us. Not that I'm justifying SoBig in any way, I just removed 570 copies of SoBig.F from my inbox. :-(