Sobig Worm Attacking RBL Lists?
Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"
Everyone on the various anti-spam mailing lists and newsgroups was thinking that these worms were creating a network of spam proxies.
Maybe they were creating a network of DDoS zombies.
Has anybody done a disassembly of Sobig? How is it even distributed, as a binary or as a script? I don't think we should attribute Sobig to the spammers just yet.
OTOH, I have no friggin' idea what I'm talking about...
This is a very valid point. To many users, the absence of spamfilters would pretty much render the email system unusable.
If the spammers are able to shut down spamfiltering services in this way, there will be a significant demand towards getting SMTP replaced by a smarter protocol, that will not allow spamming in the form we see it today = spammers lose.
To install new software on all mailservers is quite a task. This is likely to take time, and be quite an interruption = everyone lose.
There's also a great danger that Microsoft would take advantage of the situation, and try to create a new proprietary mail protocol based on Palladium, for Windows users only = everyone not using Windows lose.
I'm guessing this has already been said, but... Instead of focusing on just the spammers themselves, why not target the companies or individuals that from time to time benefit from the spam. I'm assuming there must be some way to track those people receiving money for viagra, enlargements, etc.
There is at least one gaping hole in your argument, namely that blacklists are also suppressing free speech. You Suck.
That's an idiotic statement. Blacklists don't suppress speech. No one forces you or your ISP to use the blacklists or to refuse e-mail from IP addresses listed on them. I use blacklists and my server may reject messages from you. So what? You have no Constitutionally guaranteed right to use my server to deliver your message. It's my private property, just as your ISP's server is their property.
Suppose your ISP started blocking all e-mail from ISP X after reading a New York Times article that ISP X hosts spammers. Would you accuse the New York Times of suppressing free speech? If not, then why would you accuse a blacklist provider of suppressing free speech? Because it's easier to search their database than to search the NY Times archives?
You need to take a class in Constitutional law.
Oh it's you again. You're still pissed off because your ISP harbors spammers and you think that you're not somehow supporting that by helping your ISP stay in business.
As to your statement about Bayesian filtering ... there are many negative effects. First, it works on the basis of content. What makes mail be spam is not what the content is; it's that the senders are using bulk methods to send to people who didn't want it. I do get some mailings that I have opted in to, which if they were sent to people that don't want them, would be spam to them. Bayesian filtering doesn't work on the basis of what spam really is. Secondly, to even use Bayesian filtering, it becomes necessary to let the spam arrive, using up network and server resources as it comes in. Then the Bayesian filtering has to be run which uses up even more server resources. And finally, if it is considered spam and rejected, then a bounce message has to be queued (taking up disk space), and delivery of it has to be attempted (which for most because it is from real spammers, cannot be delivered, and takes space and delivery attempts for several days). So I will never use Bayesian filtering because it is simply all wrong.
now we need to go OSS in diesel cars
Anti-spammers figured out what's going on this summer (see news.admin.net-abuse.email). These numerous Windows worms we're seeing are in fact trial software deployments (funded by major spammers) that are in the process of setting up an anonymous, distributed worldwide spam injection network.
You may mistakenly believe, as I did in the past, that spammers are just a bunch of unemployed losers that sit around late night bulk mailing ads for scams. It turns out that in fact they're well funded losers engaged in such a lucrative industry that they can afford to hire good programmers.
The series of windows worms we've seen this year had preset expiry dates -- ending each of the carefully released wild tests. The most recent versions (swen) have very efficient SMTP engines built-in; these are not amateur projects.
Thanks to Microsoft's monopoly of operating systems, spammers can easily deploy software around the world that relays spam. swen demonstrated the power of this software; many people were DDoS'd off the net. I alone received over 40,000 emails carrying the worm.
Expect an all-out spam war to break out in 2004.
The spammers are actually doing everyone else a favor by taking these sites down.
Well, they're sure not doing themselves or their ISPs a favor. Because some of my favorite blacklists are no longer available, I'm aggressively adding entries to the local blocklists here, as are thousands of other small-ISP admins. The spammers will likely never get out of the local blocklists.
The list is a re-implementation of a DNS-based RBL, so as to allow current MTAs to access it without modification.
The RBL servers are distributed, PRIVATE AND SECRET, in order to avoid being DDOSed. The servers are ordinary BIND, whose zone file is updated by a process to be implemented.
Those willing to use the RBL service have to run their own DNS server - they are free, however, to allow other trusted people to use their services; only them are going to be affected by an eventual DDOS, but not other users of the DRBL.
The RBL information is distributed via USENET. USENET has proven its ability to survive all sorts of attacks in the past. It has survived the church of scientology, therefore it will survive chickenboners. Its distributed nature makes it quite invulnerable to the kind of DDOS attacks that currently affect centralized DNS RBLs.
The list maintainer posts PGP-signed updates to USENET via a network of trusted volunteers who do it from dynamic IP addresses of disposable dialup accounts. For safety, the IP addresses are changed immediately following the posting of updates, in order to avoid being DDOSed.
Authentication against spoofing and flood attempts is provided by the PGP signature.
The RBL users then scan USENET for the updates, which, once authenticated, are used to update the zone files on their private and secret DNS servers.
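The DRBL post above relies on two mechanics that existing MTAs already understand: a DNSBL query (the client reverses the octets of the sender's IP and looks up that name under the list's zone; any 127.0.0.x answer means "listed") and a BIND zone file that the private servers load. The following is an added example written for this thread, not the poster's DRBL software; the zone name `drbl.example`, the listed addresses and the reason strings are constructed, and the USENET/PGP update step is replaced by an in-memory table standing in for the resolver.

```python
# Added example for the DRBL discussion: DNSBL name construction, zone file
# generation for the private BIND servers, and the listed/not-listed check an
# MTA performs. Zone name and addresses are constructed for illustration.
import ipaddress

ZONE = "drbl.example"   # assumed zone name, not a real DNSBL

# Constructed sample listing: address -> reason text (published as a TXT record)
LISTED = {
    "192.0.2.10": "open relay (constructed sample)",
    "198.51.100.7": "spam source (constructed sample)",
}


def dnsbl_name(ip, zone=ZONE):
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)       # raises ValueError on malformed input
    rev = ".".join(reversed(str(addr).split(".")))
    return f"{rev}.{zone}"


def build_zone(listed, zone=ZONE, serial=1):
    """Render a minimal BIND zone with an A and a TXT record per listed address.
    127.0.0.2 is the conventional DNSBL 'listed' answer; a real deployment
    would bump the serial on every signed update it accepts."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. ( {serial} 3600 900 604800 300 )",
        f"@ IN NS ns.{zone}.",
    ]
    ordered = sorted(listed.items(), key=lambda kv: ipaddress.IPv4Address(kv[0]))
    for ip, reason in ordered:
        rev = ".".join(reversed(ip.split(".")))
        lines.append(f"{rev} IN A 127.0.0.2")
        lines.append(f'{rev} IN TXT "{reason}"')
    return "\n".join(lines) + "\n"


def load_zone(zone_text):
    """Parse the A records back into a name -> answer table. This stands in
    for the private BIND server so the example runs offline."""
    origin = None
    table = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "$ORIGIN":
            origin = parts[1].rstrip(".")
            continue
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] == "A":
            table[f"{parts[0]}.{origin}"] = parts[3]
    return table


def is_listed(ip, table, zone=ZONE):
    """What the MTA does at connection time: look up the reversed name and
    treat any 127.0.0.x answer as 'listed'. NXDOMAIN (no entry) means clean."""
    answer = table.get(dnsbl_name(ip, zone))
    return answer is not None and answer.startswith("127.0.0.")


if __name__ == "__main__":
    zone_text = build_zone(LISTED)
    print(zone_text)
    resolver = load_zone(zone_text)
    for candidate in ("192.0.2.10", "203.0.113.5"):
        print(candidate, "listed" if is_listed(candidate, resolver) else "clean")
```

The reversed-octet convention is why the poster can say current MTAs need no modification: a mail server configured to consult `drbl.example` issues exactly the same query it would issue to any other DNSBL, and only the people running the private servers need to know where the zone data comes from.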
The DDoS attacks began in earnest about the time there was a shouting match between NANAE, the Usenet Group used by SPEWS, and another web site a few months ago.
I don't believe that the SoBig and MSBlaster and subsequent DDoS attacks were orchestrated by spammers, but I'll hold final judgement. It may still be true; however, I think that a few misguided morons connected to another web site decided to DDoS the blacklists, and that is what we're seeing now. Logically, I can't see spammers bringing more heat down upon themselves than they already have. DDoSing is not going to solve anything, just make the situation worse by shutting down ISPs and sites not involved in the controversy. Just a few days ago in Slashdot there was a story about a spammer from South Florida, including his home address, etc.
As I stated in my report naming the administrator/owner of SPEWS, "Spews No Longer Anonymous", I firmly believe that there are people capable of doing real physical harm to persons on the opposite side, and it is time for this to cease. I'm sure that the authorities are actively seeking the authors of SoBig and MSBlaster; I see one has been apprehended the other day, and once apprehended, their systems would be confiscated for evidence. Should any of those systems hold any DDoS software, that leaves the authorities no alternative but to pursue charges for obstruction of communications, in addition to the charges of authoring a malicious program.
I'm not as much interested in the fate of the blacklists as I am the spillover into the general Internet, and the safety of all concerned, regardless of position. In the long run, I want to see those that are causing the DDoSing to be brought to justice, and that there will be some real dialogue between the factions, rather than the comments I've seen so far from both sides, which in some extreme cases border on terroristic threats.
From "Spews No Longer Anonymous"
The primary reason I devoted my time to tracking down the Administrator of SPEWS was that I saw that if left unchecked, SPEWS would go further out of control. In recent months, SPEWS has managed to anger a good number of persons with the ability to mount a DDoS attack against both SPEWS and Osirusoft, a provider of the SPEWS blacklist. I saw this as an escalation that had an impact beyond the simple email blocks, and believe that in my bringing SPEWS into the light, SPEWS will cease publication of their blacklist, or face what is sure to be a large number of lawsuits by affected companies and individuals. It is well known that SPEWS kept their identity secret in order to avoid lawsuits, and with this revelation, they have no choice but to either act responsibly, or cease operations.
In going through the Usenet NANAE archives, I found many instances of thinly veiled threats by SPEWS supporters against alleged spammers and the "collateral damage" casualties, including one remark that "you're lucky no one has firebombed your NOC". I could see that if left as-is, there would most likely be real physical harm done to either an alleged spammer or SPEWS supporter, and this also motivated me to act to track down the owner of SPEWS.
Pete Carr, Owner, Chatmag.com
But never mind all that, just suppose that we do allow owners of networks and servers absolute control of what passes over their wires. Is that something you really want? Sure, it gives them the power to shut down spam. But it also gives them the power to control what web sites their users can access. Or what their users can put on their own web sites. Now, if hardware is owned by a private company and all its users are employees who are supposed to be using the internet to do their jobs, I suppose you have to grant that company a large measure of control. But if we're talking about public ISPs, then we're talking about something very scary. These ISPs, if they coordinated their efforts, and were allowed to totally control whatever passes over their wires, could do something that governments have repeatedly tried and failed to do: censor the internet.
A few years ago, there was a site called blackdeath.org that offended certain parties with its anti-Christian rants. Who demanded that their ISP pull the plug. When the ISP declined, they went to the ISP's backbone provider. Which happened to be owned by a major media company. Now, media companies are not fans of censorship, but they like offending people even less -- they might complain to the FCC, or worse, stop watching TV. So the backbone provider told the ISP to pull the plug on blackdeath.org, or else they'd lose their own internet service, and be forced out of business. Naturally they complied. Blackdeath.org went dark, briefly came back with a low-bandwidth provider, then finally disappeared forever.
This really scared me at the time, since the internet backbone had been consolidated into just a few big companies, most of them with the same censorship-prone connections as the Time Warner backbone. Since then, the backbone situation has gotten a little more competitive. But with the trend to consolidate more and more communications into fewer and fewer companies, I wouldn't get too sanguine. And I'd look for solutions to the spam problem that emphasize individual, not central, control over network traffic.