Slashdot Mirror


Sobig Worm Attacking RBL Lists?

Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"

18 of 260 comments

  1. Useless links by Karamchand · · Score: 1, Insightful

    Why do you have to put a link to spamhaus into this story? Readers might expect something new, special on their page, click on it and help use up spamhaus' valuable bandwidth.

    No point in providing useless links.

  2. And how could they win? by Alien+Conspiracy · · Score: 3, Insightful

    If they 'win', people will stop using SMTP email as it would be useless. So even if they 'win', they 'lose' in the end anyway.

    1. Re:And how could they win? by Drakon · · Score: 4, Insightful

      When?
      Do you actually think SMTP would get supplanted in the near term (>5 years) with an incompatible solution?
      Do you think there won't be new and better anti-spam solutions before SMTP is supplanted?
      (if you answered yes to either of the above, your world view is distorted and you need to stop drinking so much ;-)

    2. Re:And how could they win? by squiggleslash · · Score: 2, Insightful
      I think most people are moving away from using third party detection spam filters and moving towards more destination-classification systems, such as Bayesian filtering. This, in my view, is probably a good thing, as many of the third party "methods" were, to say the least, fairly scattergun, and some of their louder advocates actively hostile to criticism.

      What would be really nice would be for ISPs to give users domains, like Demon Internet does in the UK, which means solutions like mine (I believe there's an open source project to do something similar) would be available to everyone, not just geeks who can run their own SMTP servers who have access to DSL/Cable ISPs that do not block incoming port 25. That system is 99% spam proof - the 1% being the very first spam to hit an address allocated to clueless company that thinks it can get away with spamming or selling email addresses to spammers.

      Either way, the spammers can DDoS the anti-spammers without it really destroying SMTP email.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:And how could they win? by Drakon · · Score: 2, Insightful

      This is a very valid point. To many users, the absence of spamfilters would pretty much render the email system unusable.

      We're not talking about spamfilters, we're talking about RBLs, which are usually more of a problem than a solution.
      Granted that spamhaus provides more services than an RBL does (like providing names of those who should be crucified), but both the original parent of this thread and the article summary are referring to RBLs.

      If the spammers are able to shut down spamfiltering services in this way, there will be a significant demand towards getting SMTP replaced by a smarter protocol, that will not allow spamming in the form we see it today = spammers lose.

      Granted, that if there was no way to filter spam there would be a strong demand for the replacement of SMTP. Ignoring Bayesian filtering for the moment (which generally has fewer false positives, fewer false negatives, and does not usually trash anything outright), it would be MUCH simpler, and easier to implement spam filtering on top of SMTP, or to merely require that all mail be signed, (etc, ad nauseam) than it would be to write a new protocol, and have it implemented, especially if it is incompatible with the existing protocol (which has 100% market penetration)
      To install new software on all mailservers is quite a task. This is likely to take time, and be quite an interruption = everyone lose.

      Very good! you've covered one of the reasons that this ISN'T GOING TO HAPPEN.

      There's also a great danger that Microsoft would take advantage of the situation, and try to create a new proprietary mail protocol based on Palladium, for Windows users only = everyone not using Windows lose.

      This wouldn't happen because Microsoft is not entirely stupid. This would be akin to Windows Media Player only playing WMA, or Internet Explorer only working with IIS sites.
    4. Re:And how could they win? by Analysis+Paralysis · · Score: 2, Insightful
      You do not need a domain from your ISP - just use throwaway email addresses from sites like SpamGourmet or SneakEmail.

      However, these will only address the issue of a website or online store passing your email address around when they shouldn't (or idiots like Lycos and Yahoo who think sending emails to registered users is cool even when they have not opted in for any). It will not cope with the hardcore spammer who uses spiders to pull addresses from webpages/usenet postings or those that use random-garbage@yourdomain.com (I have been seeing a couple of these). It also does not address the waste of bandwidth/mailserver storage space imposed by delivering unwanted spam (which means higher access fees for everyone). For these, blacklisting is the only palliative - and the fact that spammers are now resorting to DDoSing the blacklist servers should be the best testament to how effective they have been (not to mention some of the pro-spammer AC postings here).

      Ultimately, the only long-term solution is to make spam unprofitable - and given that most of it is generated by US businesses (as covered in this MSN article), this would be best done by imposing heavy fines on companies using, or profiting from, spam.
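    The per-correspondent address scheme squiggleslash describes above (one address per party you give it to, so the first spam to an address identifies who leaked it), together with Analysis+Paralysis' objection that random-garbage@yourdomain.com addresses defeat a plain list of issued addresses, can be handled at the receiving server with a keyed tag in the local part. The following is an added example, not code from either poster; the domain, the secret, the tag length and the inbound sample addresses are all constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

# Constructed values: the secret would be generated once per domain and kept
# on the receiving mail server; the domain stands in for the one the ISP issues.
SECRET = b"constructed-secret-replace-me"
DOMAIN = "example.net"
TAG_LEN = 8  # hex digits of the HMAC kept in the local part


def _tag(label: str, secret: bytes) -> str:
    """Short keyed hash binding a label (who the address was given to) to this domain."""
    return hmac.new(secret, label.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def issue_address(label: str, secret: bytes = SECRET) -> str:
    """Mint a disposable address for one correspondent, e.g. 'acme-shop'.

    The label is visible; the tag proves the address was issued here, so the
    server can tell a minted address from a guessed one without a database.
    """
    label = label.lower()
    return "{}.{}@{}".format(label, _tag(label, secret), DOMAIN)


def classify_recipient(address: str, revoked: Set[str],
                       secret: bytes = SECRET) -> Tuple[str, Optional[str]]:
    """Decide at RCPT TO time what to do with an inbound recipient address.

    Returns (verdict, label). Verdicts: accept; reject-forged (local part was
    never issued, e.g. a dictionary attack or a copied address with a bad tag);
    reject-revoked (address leaked by the party it was given to and turned off);
    reject-domain (not ours at all).
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain != DOMAIN:
        return ("reject-domain", None)
    label, sep, tag = local.rpartition(".")
    if not sep or not label:
        return ("reject-forged", None)
    if not hmac.compare_digest(tag, _tag(label, secret)):
        return ("reject-forged", None)
    if label in revoked:
        return ("reject-revoked", label)
    return ("accept", label)


def triage_inbound(recipients: List[str], revoked: Set[str]) -> Dict[str, int]:
    """Count verdicts over a batch of recipient addresses (one per envelope)."""
    counts: Dict[str, int] = {}
    for rcpt in recipients:
        verdict, _ = classify_recipient(rcpt, revoked)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    shop = issue_address("acme-shop")   # given to a web shop
    friend = issue_address("bob")       # given to a friend
    # Constructed inbound traffic: the shop leaked its address and was revoked;
    # a spammer also tries a guessed local part and a copied label with a bad tag.
    inbound = [friend, shop, shop, "random-garbage@example.net",
               "bob.00000000@example.net", "bob.00000000@other.org"]
    for verdict, n in sorted(triage_inbound(inbound, {"acme-shop"}).items()):
        print(verdict, n)
```

    Because the tag is a keyed hash, the server needs no table of issued addresses to reject guessed local parts; it only needs the short revocation set for labels whose holders leaked them.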

  3. I hope so! by Anonymous Coward · · Score: 1, Insightful

    are the spammers actually winning the battle by using viruses?"

    I most certainly hope so! Blacklists are a cure far worse than the disease, and I'm completely rooting for the spammers here. What with bayesian junk filtering and using uniquely generated email addresses whenever I give them, I never see any spam, and the bandwidth it's costing me is minimal. Blacklists however make it nearly impossible for me to communicate with quite a few people (my ISP has found itself on one blacklist, and no matter what they're doing, they can't get off).

    And of course, if the spammers are indeed using viruses, afterwards when the blacklists are gone, we can nail them for having used those viruses, and we'll be rid of two pests, with an internet that's once more in nearly pristine condition.

  4. Attempted slander against anti-spam services also by Ricin · · Score: 5, Insightful

    Look what I got yesterday (with forged headers):

    ---- quote --------------
    Dear Internet user.

    We are an organization dedicated to stopping spam. Please help us as we are
    funded solely by private donations.

    visit www.spamcop.net for full details. Or you can send your donations to:

    Julian Haight
    PO Box 25732
    Seattle, WA
    98125-1232

    As you can see by this message unsolicited e-mail is an invasion of your
    privacy. As you can also see it can be sent anonymously

    We will continue our efforts until all spam is eliminated.

    To join please visit www.spamcop.net or contact
    jkdom@mail.julianhaight.com

    We will continue to send out this message until we convince all ISP's to
    stop all spammers.

    !!!Stop low-lifes from invading your inbox with their junk!!!
    ---- end quote ------------

    If they spew out fake spam which can only be meant for slanderous purposes, would you really expect them to *not* be in the virus game? Almost all these Windows viruses, if you hexdump them, have smtp capability. It's quite thinkable that a fair amount of them are really experiments rather than 'bad things done to innocent users because the virus writer likes doing that'.

    There must be a lot of money involved in the art of spamming still. I wouldn't be surprised if spamhauses are partially means of laundering money as well (think about it). Either way, these people *are* criminals and one should consider them as such.

  5. What about netstat? by DWormed · · Score: 2, Insightful

    If the sobig worm were attacking RBLs, wouldn't someone have done a "netstat" on an infected machine and found it? I've netstatted a couple of infected machines; seen nothing even close. Maybe it's just the mail _servers_ killing the RBLs, checking all those thousands of spam mails (sometimes 4 or 5 per server PER SECOND).

  6. Re:PARENT MODERATED DOWN UNFAIRLY by Anonymous Coward · · Score: 0, Insightful

    "the blacklist owners claim that spam costs people money, but what about the money people lose due to inaccurate or overzealous blacklisting?"

    This from the country which bombed three whole countries because of the actions of a handful of people?

  7. Two can play that game! by Anonymous Coward · · Score: 1, Insightful

    I don't know if spammers are responsible for the SoBig virus, I would guess that they aren't but I can seriously believe that they are in control of a number of zombies and are capable of "defending" themselves using DoS attacks.

    But this can be fixed through cooperation. All we need is a few hundred, or perhaps a couple of thousand blocklist hosts and a method of coordinating them.

    This is easier than it seems. The method already exists. It is called Newsgroups. The only problem that needs to be solved is a method of proving authenticity. Those solutions are also already available.

    List updates could be delivered quickly via IRC too. May as well use the enemy's weapons against him.

  8. Spammers as cyber-terrorists by Anonymous Coward · · Score: 3, Insightful

    Finally this is our chance to make Congress liken spammers to cyber-terrorists, and for a reason politicians fear and know well enough to do something about it: "Now some of the spammers are even building a network of worm-ridden computers, possibly at the fingertips of a madman who is willing to do anything for money, and may only be waiting to turn them into Weapons of Mass Disruption, wreaking havoc to the Nation, the Internet, and e-mail as we know it..." (spooky, huh? ;-))
    Outlaw spammers, put an end to spam. Sometimes it's as simple as that. (And it works: Haven't seen much fax spam for years...)
    Just be "Mr. Concerned Citizen" for once and send articles like this to your congresscritter now. Let them know what spammers have already done "to your kids" (rather omit the "to your p...s" part even if you've ordered their pills and pumps) "and to your computers".

  9. Spam ostrich by fmaxwell · · Score: 5, Insightful

    I most certainly hope so! Blacklists are a cure far worse than the disease, and I'm completely rooting for the spammers here.

    Publishing spam blacklists is a form of free speech and what you're advocating is the use of illegal means (DDoS) to suppress free speech. You suck.

    What with bayesian junk filtering and using uniquely generated email addresses whenever I give them, I never see any spam, and the bandwidth it's costing me is minimal.

    Grandma isn't going to be able to install and use bayesian filtering or generate unique e-mail addresses, so your solution sucks. Any "solution" which doesn't keep the spammers from getting their messages to the vast majority of people is just some geek doing mental masturbation. The spammers will continue to spam, using up bandwidth and storage, while costing ISPs, their subscribers, and businesses huge sums of money. And you'll sit there at home patting yourself on the back (or elsewhere) even though the spammers used your bandwidth, your ISP's bandwidth, your ISP's storage, and your storage. Not seeing the spam means that you can't complain about it, so that means that the spammer has less chance of being shut down.

    You're just a spam ostrich. You have your head buried in the sand so that you don't see the spam -- even though it's still there.

  10. Huh ? by phoxix · · Score: 2, Insightful
    and spamhaus.org is taking have blows

    English ?

    And if such a site is under attack, why on earth are you linking it on slashdot's front page ?

    Sunny Dubey

  11. I've said it before... by terrencefw · · Score: 4, Insightful
    ...and I'll say it again.

    The main problem here is that we have millions of hosts connected to the Internet that just aren't robust or secure enough to be connected to a public network (I'm mostly talking about Windows machines here, if you hadn't guessed).

    There was a discussion last week on slashdot about ISPs doing egress filtering on home users' connections and I'm all in favour of that.

    Unless you're hell-bent on running a mailserver on your DSL line, there's no reason for you to go out on port 25. Even if you do run a mailserver, you should have your box forward all outbound mail to your ISP's mail relay. AOL and some other large ISPs won't accept mail from you if you don't anyway.

    IMHO ISPs have a responsibility to protect the backbones from their lame-ass customers with compromised machines.

    Reply rather than mod if you think I'm talking out of my outbound relay.

    --
    Like tinyurl, but one letter less! http://qurl.co.uk/
    1. Re:I've said it before... by Detritus · · Score: 2, Insightful

      Mail service should be decoupled from Internet access service. There are a number of valid reasons why a customer may not want to use his ISP's mail server, such as security, reliability and performance. Many ISPs have shown that they are incompetent in running their own mail servers.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:I've said it before... by Zocalo · · Score: 2, Insightful
      Seconded (with a caveat). A huge proportion of home users do not even know what an SMTP server is, let alone what it does and why they would want one. As long as the ISP makes provision for SOHO offices and "advanced" users to get such blocks removed on request I have zero problem with this. In fact, the ISP I currently use for my home connection does this, and while I had to chase the issue up (overworked support team I guess), they had no issues with removing the block. Frankly I think it's just a matter of time before this becomes the default anyway. With DCOM/NetBIOS/spam attacks choking ISPs' core infrastructure and numerous abuse complaints coming in as well, who could blame them?

      Well, the above mentioned switched on users and small businesses with satellite offices using consumer DSL circuits to save money, that's who. I'd also be unhappy about the prospect of this being a slippery slope. Let's say we start by forcing SMTP through the ISP's server (which kills SoBig) and also block DCOM and NetBIOS (which probably shouldn't be on the Internet outside a VPN anyway). Fine, but what happens when we get a major exploit on another non-core protocol? Do we block that too? Who decides?

      Are you sure you will feel that way when one of the protocols *you* rely on gets firewalled by your ISP to "protect the Internet"?

      --
      UNIX? They're not even circumcised! Savages!
  12. Re:How the attack works by seanadams.com · · Score: 2, Insightful

    You make it sound like the spammers were so shrewd as to design this ingenious "attack" scheme into the virus from the start. I highly doubt that.

    There is no evidence that the SoBig virus was written by spammers, or even that the RBL DDOS is intentional. To me it looks like the RBLs simply can't handle the load from trying to filter out this virus, plain and simple.

    Perhaps an improvement to filtering tools would be to rely as much as possible on bayesian and rule-based filters, and only contact an external RBL (or other rule) if the score is borderline. Right now they're hitting the RBLs for every single message even if it would fail the most simple filter. I imagine the problem is just that everyone's mail server can easily handle 1000x the current level of crap, but the RBLs can't.
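    The staged design seanadams.com suggests above (local rules first, an RBL query only when the score lands in a borderline band) can be shown end to end in a few dozen lines. This is an added example, not code from the poster or from any filtering product; the score thresholds, the three local rules, the DNSBL zone name, the in-memory resolver standing in for DNS, and the four sample messages are all constructed. It also adds a per-IP cache, so a busy sender costs the list one query rather than one per message, which is the load problem the comment describes.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed thresholds: at or above REJECT_AT the local rules alone decide;
# below ACCEPT_BELOW the message is clean enough to skip the RBL entirely;
# only the band in between costs a DNSBL query.
REJECT_AT = 8.0
ACCEPT_BELOW = 3.0
RBL_HIT_SCORE = 5.0

# Constructed local rules: (name, pattern over the raw message, points).
LOCAL_RULES = [
    ("exe_attachment", re.compile(r'name="[^"]+\.(?:exe|pif|scr)"', re.I), 6.0),
    ("worm_subject", re.compile(r"^Subject: (?:Re: )?(?:Your details|Thank you!)$", re.I | re.M), 4.0),
    ("pharma_word", re.compile(r"\bviagra\b", re.I), 3.0),
]

# IP in square brackets on the topmost Received header (the host that handed us the mail).
RECEIVED_IP = re.compile(r"^Received: from .*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.M)


def local_score(message: str) -> Tuple[float, List[str]]:
    """Cheap, in-process checks that never touch the network."""
    score, hits = 0.0, []
    for name, pattern, points in LOCAL_RULES:
        if pattern.search(message):
            score += points
            hits.append(name)
    return score, hits


def connecting_ip(message: str) -> Optional[str]:
    """Connecting host's IPv4 address, or None if the header is missing or malformed."""
    m = RECEIVED_IP.search(message)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reversed octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


class RblClient:
    """DNSBL lookup with a per-IP cache so one busy sender costs one query."""

    def __init__(self, resolver: Callable[[str], Optional[str]], zone: str):
        self.resolver = resolver  # name -> A record text, or None for NXDOMAIN
        self.zone = zone
        self.cache: Dict[str, bool] = {}
        self.queries = 0          # how many times the list was actually asked

    def is_listed(self, ip: str) -> bool:
        if ip not in self.cache:
            self.queries += 1
            self.cache[ip] = self.resolver(dnsbl_query_name(ip, self.zone)) is not None
        return self.cache[ip]


def classify(message: str, rbl: RblClient) -> Tuple[str, float, List[str]]:
    """Verdict, final score and rule hits; the RBL is consulted only in the borderline band."""
    score, hits = local_score(message)
    if score >= REJECT_AT:
        return ("reject", score, hits)   # obvious junk: no RBL traffic
    if score < ACCEPT_BELOW:
        return ("accept", score, hits)   # obviously fine: no RBL traffic
    ip = connecting_ip(message)          # borderline: ask the list
    if ip is not None and rbl.is_listed(ip):
        score += RBL_HIT_SCORE
        hits.append("rbl_listed")
    return ("reject" if score >= REJECT_AT else "accept", score, hits)


# Constructed resolver standing in for DNS: one listed address, everything else NXDOMAIN.
FAKE_ZONE = "dnsbl.example"
FAKE_RBL = {dnsbl_query_name("192.0.2.10", FAKE_ZONE): "127.0.0.2"}

# Constructed sample messages (documentation-range IPs, invented hostnames).
WORM = ("Received: from pc123.example ([192.0.2.55]) by mx.example.net\n"
        "Subject: Re: Your details\n"
        'Content-Type: application/octet-stream; name="document_all.pif"\n')
CLEAN = ("Received: from mail.example.org ([198.51.100.7]) by mx.example.net\n"
         "Subject: Lunch tomorrow?\n\nSee you at noon.\n")
BORDER_LISTED = ("Received: from dsl-1.example ([192.0.2.10]) by mx.example.net\n"
                 "Subject: hello\n\nCheap viagra here\n")
BORDER_CLEAN = ("Received: from dsl-2.example ([203.0.113.9]) by mx.example.net\n"
                "Subject: hello\n\nMy doctor mentioned viagra, funny story\n")


def demo() -> Tuple[List[str], int]:
    """Run the constructed batch; return verdicts and how many RBL queries it cost."""
    rbl = RblClient(FAKE_RBL.get, FAKE_ZONE)
    batch = (WORM, CLEAN, BORDER_LISTED, BORDER_CLEAN, BORDER_LISTED)
    return [classify(m, rbl)[0] for m in batch], rbl.queries


if __name__ == "__main__":
    verdicts, queries = demo()
    print(verdicts, "RBL queries:", queries)
```

    Five messages produce two RBL queries: the worm and the clean mail are settled locally, and the repeated borderline sender is answered from the cache. To use a real list, replace the resolver with a DNS A lookup of the query name and treat NXDOMAIN as "not listed".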