Sobig Worm Attacking RBL Lists?
Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"
That's what TMDA is for. TMDA: 1 spammers: 0.5
Install p0f on your firewall and block all SMTP access from windows machines. How hard was that?
Except that selling prescription drugs without a prescription, including Viagra, unapproved drugs, and counterfeit drugs is illegal in the US and many other countries. Many of the other things you see advertised by spam are also illegal in many or most places. Not only is the spam annoying and often illegal, so too are the products being advertised, which are often hazardous. By selling these products openly you would be taken down very quickly. Doing business outside the US helps somewhat, but shipping these things to a US address is still illegal, and anyone who does it enough to be important will find himself in hot water quickly.
Blacklists are a cure far worse than the disease
I agree with you on that one. Not only do the traditional open-relay lists make it easy to find open relays to abuse, but the newer broadlisting of spam sources, which hurts unbelievably many besides the spammer, doesn't have any impact on the amount of spam I see in my mailbox every day. So you have something which doesn't work as it is expected to, which actually aids the spammers, and which is run by people too fanatically thick-skulled and narrow-minded to fix it when they make a mistake; we do have something that is far worse than the disease. If only the blacklists were run according to clear rules which include ways to appeal or review listings, they would be somewhat better than the vigilante lists we have today.
Yes, it's me with the unfair SPEWS and SpamHaus listing... We are still listed despite having done what we're supposed to: Discovering the spammer, warning the spammer, booting the spammer and informing SPEWS and SpamHaus. They goofed and made an error in their listings (to include a different customer that never has spammed) and now they can't see that the spammer is long gone. No spam involving our networks for over 9 months now which should be evidence enough but they still haven't delisted us.
Yes, I hope those blacklists are gone soon. We don't want fanatics with a God-complex and a grudge to have the power to drive people out of business without clear justification.
A secure network needs to be created whereby ISPs create a special network which only allows emails to be sent to and from each other. Any email coming from relays not on the list of "acceptable" senders is instantly deleted.
It is unfortunate, however, that the majority of the spam I am receiving is from lowlifes who run a virus, and now I get 143K attachments being rammed at me.
If they are going to do something, there has to be a concerted effort by ISPs to work together to kill off open relays and people who spam rather than getting a real job: 8 to 6, crappy holidays and unreasonable pay. If 95% of people out there can live their lives like normal adults, I think that these spammers can too.
"The difference between pornography and erotica is the lighting" - Woody Allen
I agree with you on that one. Not only do the traditional open-relay lists make it easy to find open relays to abuse, but the newer broadlisting of spam sources, which hurts unbelievably many besides the spammer, doesn't have any impact on the amount of spam I see in my mailbox every day.
I run several domains and use multiple blacklists. The blacklists are incredibly effective, especially those which are country-wide like taiwan.blackholes.us and china.blackholes.us. I, and the other users of my domain, don't communicate with people in China or Taiwan. If I disable the blacklists, the ONLY thing that comes to us from those countries is spam.
How do you know that the use of blacklists "doesn't have any impact on the amount of spam" you get? It has a tremendous impact on the amount that I get. Because of those punitive "broadlists", many ISPs like AT&T and PSI who used to write "pink contracts" and host spammers no longer will. The broadlisting makes harboring spammers unsafe. AT&T is not going to piss off their entire subscriber base just to get one big pink contract from some spam house. It's not worth it to them. Many ISPs, especially dial-up ISPs, have blocked outgoing port 25 so spammers can't use them for throwaway accounts from which to spam. No ISP wants to risk some spammer paying $9.99 for a month of service which will get the ISP blacklisted.
We are still listed despite having done what we're supposed to: Discovering the spammer, warning the spammer,
Any ISP which "warns" spammers deserves to be permanently blacklisted. What spammer doesn't know that spamming is against their ISP's terms of service and is an annoyance to the recipients? I hope that someone beats the sh*t out of you and gets a warning for it. Then maybe you'll understand why anti-spammers get so pissed off with ISPs who warn spammers.
Before the SoBig virus, each mail server receiving mail would, in the course of a day (about how long DNS black list records would be cached), get SMTP connections from a certain set of other mail servers. Most of those mail servers would be the ones from which email regularly comes in. Although people would have lots of email addresses in their address books, and even more in other files, most only regularly exchange mail with a small subset.
Enter the SoBig virus. It gathers up email addresses, not only from the address book, but also from email contents, web cache, documents, and just about everything else. Then it sends email to them in a probably uniform distribution of selection. The number of different domains being sent to from one computer in a day is now much larger than normal (in addition to the increased traffic). At the receiving mail servers, the number of different mail servers the SoBig spam is coming from is also much larger than normal. Now mail servers are getting mail from just about every mail server that has any user with any instance of a user email address that names that receiving server.
With the same mail servers sending mail over and over, the receiving server's DNS cache will have hits very frequently. With an increase in diversity of mail servers trying to deliver the SoBig spam, the number of cache misses goes up. Each cache miss means a query that recurses back to the DNS blacklist servers. Thus the query load on those servers goes up, effectively a DDoS.
Additionally, most DNS servers out there are "open recursive name servers". That means they let anyone, anywhere, do a recursive lookup. Spammers can drive even more load on the DNS blacklists by sending out DNS queries (with forged source addresses, of course, so they don't have to deal with the bandwidth of the answers) to those open recursive name servers, forcing more and more queries to focus in on the authoritative servers for the DNS blacklists.
This attack can be successful because spammers have far more network access from a wide variety of places than there are authoritative name servers for DNS blacklists (the ultimate target). And since recursive DNS lookup only has that server for a source address, all the DNS blacklists will see are queries from those open servers.
One way to address some of this problem is to close off recursive lookups. But given that millions of networks are run by incompetent or non-existent administrators, that isn't likely to happen on the scale needed to prevent the abuse. And it won't stop lookups by the receiving mail servers trying to check out all the different SMTP connections due to the spam from the viruses.
Blacklists will most likely end up having to be done by a means other than DNS, unless blacklist operators can manage to acquire sufficient bandwidth and server power to ride out the loads (which could very well be even greater than the GTLD servers that host "com" and "net" would see). Some form of distributing a static list file will probably happen. And, unfortunately, that means whoever gets listed will have a much harder time getting out of all those distributed lists, as many people won't be updating them as often as they should. The original reason to use DNS was to have a relatively quick means to remove a listing and have it take effect throughout the internet. By breaking the DNS mechanism, the ability to remove a listing is what suffers the most.
What I hope will end up happening is that spammer networks and generic (dialup, cable modem, DHCP, etc) addresses get listed in distributed files, and the more transient cases still get handled by DNS. The listings in DNS would be the ones that won't be so important to big time spammers, so they would be less attractive targets of attack, and if attacked anyway, would not open up the major points spammers find easy to use (e.g. their own networks and the generic networks where open proxies are found all over the place).
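The cache-miss argument above can be made concrete with a small simulation. This is an added example, not code from the original thread or from any blacklist operator: it models a receiving mail server's caching resolver, builds the reversed-octet query names a DNSBL lookup uses, and feeds it the same number of SMTP connections from a small pool of regular peer servers versus a large pool of infected hosts. The zone name dnsbl.example, the 10.0.0.0/8 sender addresses, the pool sizes and the one-day TTL are all constructed assumptions; the open-resolver amplification described in the comment is not modeled here.

```python
import random


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name a mail server sends for a DNS blacklist lookup:
    the IPv4 octets reversed, under the list's zone (e.g. 4.3.2.1.dnsbl.example)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


class CachingResolver:
    """Minimal model of the mail server's recursive resolver: answers from cache
    while the record's TTL has not expired, otherwise queries upstream."""

    def __init__(self, ttl: int):
        self.ttl = ttl
        self.expiry = {}           # query name -> time the cached answer expires
        self.upstream_queries = 0  # lookups that actually reach the DNSBL's servers

    def lookup(self, name: str, now: int) -> str:
        if self.expiry.get(name, -1) > now:
            return "hit"
        self.upstream_queries += 1
        self.expiry[name] = now + self.ttl
        return "miss"


def address_pool(size: int) -> list:
    """Constructed sender addresses in 10.0.0.0/8 (sample data, not real hosts)."""
    return [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(size)]


def simulate_day(sender_pool, connections, ttl=86400, zone="dnsbl.example", seed=1):
    """Feed one SMTP connection per second to the resolver, picking the sending
    host uniformly from the pool, and return how many lookups went upstream."""
    rng = random.Random(seed)
    resolver = CachingResolver(ttl)
    for now in range(connections):
        ip = rng.choice(sender_pool)
        resolver.lookup(dnsbl_name(ip, zone), now)
    return resolver.upstream_queries


def compare():
    """Same mail volume, two sender populations (both sizes are assumptions)."""
    connections = 20_000
    normal = simulate_day(address_pool(200), connections)     # the usual few hundred peer MXs
    sobig = simulate_day(address_pool(50_000), connections)   # same volume, from infected hosts
    return {"normal_upstream": normal, "sobig_upstream": sobig}


if __name__ == "__main__":
    r = compare()
    print(f"regular peers: {r['normal_upstream']:>6} upstream queries")
    print(f"SoBig senders: {r['sobig_upstream']:>6} upstream queries")
```

With a one-day TTL the regular-peer run never sends more than one query per distinct peer (a few hundred), while the infected-host run sends one upstream query for nearly every connection, since almost every sender is new to the cache. The ratio between the two numbers is the load multiplier the blacklist's authoritative servers see, and shortening the TTL only makes it worse.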