Slashdot Mirror


Sobig Worm Attacking RBL Lists?

Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"

42 of 260 comments

  1. taking have blows by eadz · · Score: 2, Funny

    We don't come here for have grammar

  2. DDoS by lbruno · · Score: 2, Interesting

    Everyone on the various anti-spam mailing lists and newsgroups was thinking that these worms were creating a network of spam proxies.

    Maybe they were creating a network of DDoS zombies.

  3. And how could they win? by Alien+Conspiracy · · Score: 3, Insightful

    If they 'win', people will stop using SMTP email as it would be useless. So even if they 'win', they 'lose' in the end anyway.

    1. Re:And how could they win? by Drakon · · Score: 4, Insightful

      When?
      Do you actually think SMTP would get supplanted in the near term (>5 years) with an incompatible solution?
      Do you think there won't be new and better anti-spam solutions before SMTP is supplanted?
      (If you answered yes to either of the above, your world view is distorted and you need to stop drinking so much ;-)

    2. Re:And how could they win? by The_DOD_player · · Score: 3, Interesting

      This is a very valid point. To many users, the absence of spamfilters would pretty much render the email system unusable.

      If the spammers are able to shut down spamfiltering services in this way, there will be a significant demand towards getting SMTP replaced by a smarter protocol, that will not allow spamming in the form we see it today = spammers lose.

      To install new software on all mailservers is quite a task. This is likely to take time, and be quite an interruption = everyone lose.

      There's also a great danger that Microsoft would take advantage of the situation, and try to create a new proprietary mail protocol based on Palladium, for Windows users only = everyone not using Windows lose.

    3. Re:And how could they win? by squiggleslash · · Score: 2, Insightful
      I think most people are moving away from using third party detection spam filters and moving towards more destination-classification systems, such as Bayesian filtering. This, in my view, is probably a good thing, as many of the third party "methods" were, to say the least, fairly scattergun, and some of their louder advocates actively hostile to criticism.

      What would be really nice would be for ISPs to give users domains, like Demon Internet does in the UK, which means solutions like mine (I believe there's an open source project to do something similar) would be available to everyone, not just geeks who can run their own SMTP servers who have access to DSL/Cable ISPs that do not block incoming port 25. That system is 99% spam proof - the 1% being the very first spam to hit an address allocated to clueless company that thinks it can get away with spamming or selling email addresses to spammers.

      Either way, the spammers can DDoS the anti-spammers without it really destroying SMTP email.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:And how could they win? by Drakon · · Score: 2, Insightful

      > This is a very valid point. To many users, the absence of spamfilters would pretty much render the email system unusable.

      We're not talking about spamfilters, we're talking about RBLs, which are usually more of a problem than a solution.
      Granted that spamhaus provides more services than an RBL does (like providing names of those who should be crucified), but both the original parent of this thread and the article summary are referring to RBLs.

      > If the spammers are able to shut down spamfiltering services in this way, there will be a significant demand towards getting SMTP replaced by a smarter protocol, that will not allow spamming in the form we see it today = spammers lose.

      Granted, that if there was no way to filter spam there would be a strong demand for the replacement of SMTP. Ignoring Bayesian filtering for the moment (which generally has fewer false positives, fewer false negatives, and does not usually trash anything outright), it would be MUCH simpler, and easier to implement spam filtering on top of SMTP, or to merely require that all mail be signed, (etc., ad nauseam) than it would be to write a new protocol, and have it implemented, especially if it is incompatible with the existing protocol (which has 100% market penetration).

      > To install new software on all mailservers is quite a task. This is likely to take time, and be quite an interruption = everyone lose.

      Very good! You've covered one of the reasons that this ISN'T GOING TO HAPPEN.

      > There's also a great danger that Microsoft would take advantage of the situation, and try to create a new proprietary mail protocol based on Palladium, for Windows users only = everyone not using Windows lose.

      This wouldn't happen because Microsoft is not entirely stupid. This would be akin to Windows Media Player only playing WMA, or Internet Explorer only working with IIS sites.
    5. Re:And how could they win? by Analysis+Paralysis · · Score: 2, Insightful
      You do not need a domain from your ISP - just use throwaway email addresses from sites like SpamGourmet or SneakEmail.

      However, these will only address the issue of a website or online store passing your email address around when they shouldn't (or idiots like Lycos and Yahoo who think sending emails to registered users is cool even when they have not opted in for any). It will not cope with the hardcore spammer who uses spiders to pull addresses from webpages/usenet postings or those that use random-garbage@yourdomain.com (I have been seeing a couple of these). It also does not address the waste of bandwidth/mailserver storage space imposed by delivering unwanted spam (which means higher access fees for everyone). For these, blacklisting is the only palliative - and the fact that spammers are now resorting to DDoSing the blacklist servers should be the best testament to how effective they have been (not to mention some of the pro-spammer AC postings here).

      Ultimately, the only long-term solution is to make spam unprofitable - and given that most of it is generated by US businesses (as covered in this MSN article), this would be best done by imposing heavy fines on companies using, or profiting from, spam.

  4. Where's the hard evidence? by bersl2 · · Score: 3, Interesting

    Has anybody done a disassembly of Sobig? How is it even distributed, as a binary or as a script? I don't think we should attribute Sobig to the spammers just yet.

    OTOH, I have no friggin' idea what I'm talking about...

    1. Re:Where's the hard evidence? by GoneGaryT · · Score: 5, Interesting
      There have been a number of comments on this topic on a closed list for academic sites here in the UK and the analyses point to Sobig DDoS attacks, specifically against spamhaus.org in these cases. Sobig-F was a very well written piece of binary code, encrypted and compressed to 76k AFAIR, and a description of its functionality shows this. In particular, the possibility that it could act as a portal for Trojan downloads reinforces the claim.

      I was trapping infected workstations by monitoring perimeter firewall logs for DNS calls to the root servers, as this is a feature of its activity. Pity I didn't have time to find out what it wanted to resolve, because that could have been interesting.

  5. Not really surprising, is it? by borius · · Score: 5, Funny

    With the efficiency of spam filters and widespread use of blacklists and such, how can the spammers actually make any money? It's logical that they (the spammers) should try to bring attrition to the defenses of mail servers.

    Btw, I have a novel idea for bringing spammers out of business. OK, here goes: spammers want to sell you penis enlargement programs, viagra, and pr0n right? Well, what if someone sets up a company solely dedicated to selling these things at the lowest price possible? People could just go to AllMyPerverseNeeds.com and get their fix cheaply and securely. Obviously we can't compete with Nigeria type spams, but it would bring down a lot of spam I think. So, anyone in favor of starting a non-profit Viagra depot?

    1. Re:Not really surprising, is it? by Anonymous Coward · · Score: 2, Informative

      Except that selling prescription drugs without a prescription, including viagra, unapproved drugs, and counterfeit drugs is illegal in the US and many other countries. Many of the other things you see advertised by spam are also illegal many or most places. Not only is the spam annoying and often illegal, so too are the products being advertised, which are often hazardous. By selling these products openly you would be taken down very quickly. Doing business outside the US helps somewhat but shipping these things to a US address is still illegal, and anyone who does it enough to be important will find himself in hot water quickly.

    2. Re:Not really surprising, is it? by Trigun · · Score: 3, Funny

      Timing is the issue. It needs to get around fast. And Google is something you can say in an office setting. Penis Pump is a frowned upon phrase (especially when describing co-workers, but that's another story). Also Google is free, and most people don't like to talk about their perversions and similar topics with their friends, it's uncomfortable, to say the least.

      As an example, I would never say to one of my co-workers "Y'know Bob, my penis is kind of small. The wife is really having problems with it lately. And it's just too difficult to get hard. I'm under too much stress, what should I do? I don't want to buy pills that won't work, and I'm afraid of getting ripped off."

      "Well, why don't you try www.penispillsattheabsolutelowestpriceeverywhere.com? It is completely anonymous, safe, and hassle free.
      And it works! My wife has never been happier, if you know what I mean..."

      That conversation would freak the hell out of me. Spam preys on people because they are scared of their problems going public. They won't even ask their doctor. I doubt that this will ever become water cooler conversation.

    3. Re:Not really surprising, is it? by Trigun · · Score: 2, Funny

      I think the entire answer is to put a Slashdot article saying that 3 inches is the average penis size, anything larger considered "monstrous". That'll take care of the crowd here.
      Maybe we could pool our money and "sponsor" couple of articles in Cosmo entitled Geeks: They know which buttons to push and Computer Scientists: Should you upgrade your current RAM (wink wink, nudge, nudge)

    4. Re:Not really surprising, is it? by bogado · · Score: 2, Funny

      > "Well, why don't you try www.penispillsattheabsolutelowestpriceeverywhere.com? It is completely anonymous, safe, and hassle free.
      > And it works! My wife has never been happier, if you know what I mean..."

      "Well, I tried that, but I just got some kind of search engine."

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq

  6. Re:Viruses - not necessarily. by DWormed · · Score: 2, Informative

    That's what TMDA is for. TMDA: 1 spammers: 0.5

  7. Attempted slander against anti-spam services also by Ricin · · Score: 5, Insightful

    Look what I got yesterday (with forged headers):

    ---- quote --------------
    Dear Internet user.

    We are an organization dedicated to stopping spam. Please help us as we are
    funded solely by private donations.

    visit www.spamcop.net for full details. Or you can send your donations to:

    Julian Haight
    PO Box 25732
    Seattle, WA
    98125-1232

    As you can see by this message unsolicited e-mail is an invasion of your
    privacy. As you can also see it can be sent anonymously

    We will continue our efforts until all spam is eliminated.

    To join please visit www.spamcop.net or contact
    jkdom@mail.julianhaight.com

    We will continue to send out this message until we convince all ISP's to
    stop all spammers.

    !!!Stop low-lifes from invading your inbox with their junk!!!
    ---- end quote ------------

    If they spew out fake spam which can only be meant for slanderous purposes, would you really expect them to *not* be in the virus game. Almost all these Windows viruses, if you hexdump them, have smtp capability. It's quite thinkable that a fair amount of them are really experiments rather than 'bad things done to innocent users because the virus writer likes doing that'.

    There must be a lot of money involved in the art of spamming still. I wouldn't be surprised if spamhauses are partially means of laundering money as well (think about it). Either way, these people *are* criminals and one should consider them as such.

  8. What about netstat? by DWormed · · Score: 2, Insightful

    If the sobig worm were attacking RBLs, wouldn't someone have done a "netstat" on an infected machine and found it? I've netstatted a couple of infected machines; seen nothing even close. Maybe it's just the mail _servers_ killing the RBLs, checking all those thousands of spam mails (sometimes 4 or 5 per server PER SECOND).

    1. Re:What about netstat? by DWormed · · Score: 2

      DNSBL queries are cached, which is a big part of the reason for using DNS. Secondly, I would think the DNSBL administrators would know the difference between usage of their own service and a DDOS attack.

      Just trying to look at every possibility. I'll concede it's (rather) unlikely, but I suspect that the sobig doing the ddos is probably equally unlikely.

  9. Simple solution by Anonymous Coward · · Score: 2, Informative

    Install p0f on your firewall and block all SMTP access from windows machines. How hard was that?

  10. This would mean that Spammers are Terrorists: by burgburgburg · · Score: 3, Funny

    Thus, the US would feel free to invade Spamodia to free the oppressed Spamodians from the evil Spammer overlords. During the invasion, though, the major Spammers would escape, allowing them to continue their spam attacks against the anti-spam coalition forces. And other pro-spam zealots would flock to Spamodia to aid the effort.

  11. Do they go after the companies that use spammers by ziaz · · Score: 3, Interesting

    I'm guessing this has already been said, but... Instead of focusing on just the spammers themselves, why not target the companies or individuals that from time to time benefit from the spam. I'm assuming there must be some way to track those people receiving money for viagra, enlargements, etc.

  12. Spammers as cyber-terrorists by Anonymous Coward · · Score: 3, Insightful

    Finally this is our chance to make Congress liken spammers to cyber-terrorists, and for a reason politicians fear and know well enough to do something about it: "Now some of the spammers are even building a network of worm-ridden computers, possibly at the fingertips of a madman who is willing to do anything for money, and may only be waiting to turn them into Weapons of Mass Disruption, wreaking havoc to the Nation, the Internet, and e-mail as we know it..." (spooky, huh? ;-))
    Outlaw spammers, put an end to spam. Sometimes it's as simple as that. (And it works: Haven't seen much fax spam for years...)
    Just be "Mr. Concerned Citizen" for once and send articles like this to your congresscritter now. Let them know what spammers have already done "to your kids" (rather omit the "to your p...s" part even if you've ordered their pills and pumps) "and to your computers".

  13. Spam ostrich by fmaxwell · · Score: 5, Insightful

    > I most certainly hope so! Blacklists are a cure far worse than the disease, and I'm completely rooting for the spammers here.

    Publishing spam blacklists is a form of free speech and what you're advocating is the use of illegal means (DDoS) to suppress free speech. You suck.

    > What with bayesian junk filtering and using uniquely generated email addresses whenever I give them, I never see any spam, and the bandwidth it's costing me is minimal.

    Grandma isn't going to be able to install and use bayesian filtering or generate unique e-mail addresses, so your solution sucks. Any "solution" which doesn't keep the spammers from getting their messages to the vast majority of people is just some geek doing mental masturbation. The spammers will continue to spam, using up bandwidth and storage, while costing ISPs, their subscribers, and businesses huge sums of money. And you'll sit there at home patting yourself on the back (or elsewhere) even though the spammers used your bandwidth, your ISP's bandwidth, your ISP's storage, and your storage. Not seeing the spam means that you can't complain about it, so that means that the spammer has less chance of being shut down.

    You're just a spam ostrich. You have your head buried in the sand so that you don't see the spam -- even though it's still there.

  14. "Secure" network.. by CooCooCaChoo · · Score: 2, Informative

    A secure network needs to be created whereby ISPs create a special network which only allows emails to be sent to and from each other. Any email coming from relays not from the list of "acceptable" senders, the message is instantly deleted.

    It is unfortunate, however, that the majority of the spam I am receiving is from lowlifes who run a virus and now I get 143K size attachments being rammed to me.

    If they are going to do something there has to be a concerted effort by ISPs to work together to kill off open relays and people who spam rather than getting a real job; 8 to 6, crappy holidays and unreasonable pay. If 95% of people out there can live their lives like normal adults, I think that these spammers can too.

    --

    "The difference between pornography and erotica is the lighting" - Woody Allen

  15. What about Aattacking by HidingMyName · · Score: 2, Funny

    While grammar may be an issue, the title has a misspelled Attacking as Aattacking (or perhaps it is a Dutch spelling, since they are generous with vowels, at least we know it isn't Welsh, since if it were Welsh there wouldn't be any vowels :-)).

  16. Re:I hope so! by fmaxwell · · Score: 3, Informative

    > I agree with you on that one. Not only does the traditional open-relay lists make it easy to find open relays to abuse, but the newer broadlisting of spam-sources, which hurts unbelievably many besides the spammer, doesn't have any impact on the amount of spam I see in my mailbox every day.

    I run several domains and use multiple blacklists. The blacklists are incredibly effective, especially those which are country-wide like taiwan.blackholes.us and china.blackholes.us. I, and the other users of my domain, don't communicate with people in China or Taiwan. If I disable the blacklists, the ONLY thing that comes to us from those countries is spam.

    How do you know that the use of blacklists "doesn't have any impact on the amount of spam" you get? It has a tremendous impact on the amount that I get. Because of those punitive "broadlists", many ISPs like AT&T and PSI who used to write "pink contracts" and host spammers no longer will. The broadlisting makes harboring spammers unsafe. AT&T is not going to piss off their entire subscriber base just to get one big pink contract from some spam house. It's not worth it to them. Many ISPs, especially dial-up ISPs, have blocked outgoing port 25 so spammers can't use them for throwaway accounts from which to spam. No ISP wants to risk some spammer paying $9.99 for a month of service which will get the ISP blacklisted.

    > We are still listed despite having done what we're supposed to: Discovering the spammer, warning the spammer,

    Any ISP which "warns" spammers deserves to be permanently blacklisted. What spammer doesn't know that spamming is against their ISP's terms of service and is an annoyance to the recipients? I hope that someone beats the sh*t out of you and gets a warning for it. Then maybe you'll understand why anti-spammers get so pissed off with ISPs who warn spammers.

  17. Huh ? by phoxix · · Score: 2, Insightful
    > and spamhaus.org is taking have blows

    English?

    And if such a site is under attack, why on earth are you linking it on slashdot's front page ?

    Sunny Dubey

  18. How cool?! by scovetta · · Score: 3, Funny

    How cool would it be if there was evidence that the Direct Marketing Association was behind the SoBig worm? We could sic the RIAA on them, and maybe tell SCO that the DMA was using Linux to develop it. With any luck, they could all come together and ignite like a small star, ridding the world of the lot of them!

    Only in my dreams...

    --
    Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
  19. How the attack works by Skapare · · Score: 4, Informative

    Before the SoBig virus, each mail server receiving mail would, in the course of a day (about how long DNS black list records would be cached), get SMTP connections from a certain set of other mail servers. Most of those mail servers would be the ones from which email regularly comes in. Although people would have lots of email addresses in their address books, and even more in other files, most only regularly exchange mail with a small subset.

    Enter the SoBig virus. It gathers up email addresses, not only from the address book, but also from email contents, web cache, documents, and just about everything else. Then it sends email to them in a probably uniform distribution of selection. The number of different domains being sent to from one computer in a day is now much larger than normal (in addition to the increased traffic). At the receiving mail servers, the number of different mail servers the SoBig spam is coming from is also much larger than normal. Now mail servers are getting mail from just about every mail server that has any user with any instance of a user email address that names that receiving server.

    With the same mail servers sending mail over and over, the receiving server's DNS cache will have hits very frequently. With an increase in diversity of mail servers trying to deliver the SoBig spam, the number of cache misses goes up. Each cache miss means a query that recurses back to the DNS blacklist servers. Thus the query load on those servers goes up, effectively a DDoS.

    Additionally, most DNS servers out there are "open recursive name servers". That means they let anyone, anywhere, do a recursive lookup. Spammers can drive even more load on the DNS blacklists by sending out DNS queries (with forged source addresses, of course, so they don't have to deal with the bandwidth of the answers) to those open recursive name servers, forcing more and more queries to focus in on the authoritative servers for the DNS blacklists.

    This attack can be successful because spammers have far more network access from a wide variety of places than there are authoritative name servers for DNS blacklists (the ultimate target). And since recursive DNS lookup only has that server for a source address, all the DNS blacklists will see are queries from those open servers.

    One way to address some of this problem is to close off recursive lookups. But given that millions of networks are run by incompetent or non-existent administrators, that isn't likely to happen on the scale needed to prevent the abuse. And it won't stop lookups by the receiving mail servers trying to check out all the different SMTP connections due to the spam from the viruses.

    Blacklists will most likely end up having to be done by a means other than DNS, unless blacklist operators can manage to acquire sufficient bandwidth and server power to ride out the loads (which could very well be even greater than the GTLD servers that host "com" and "net" would see). Some form of distributing a static list file will probably happen. And, unfortunately, that means whoever gets listed will have a much harder time getting out of all those distributed lists, as many people won't be updating them as often as they should. The original reason to use DNS was to have a relatively quick means to remove a listing and have it take effect throughout the internet. By breaking the DNS mechanism, the ability to remove a listing is what suffers the most.

    What I hope will end up happening is that spammer networks and generic (dialup, cable modem, DHCP, etc) addresses get listed in distributed files, and the more transient cases still get handled by DNS. The listings in DNS would be the ones that won't be so important to big time spammers, so they would be less attractive targets of attack, and if attacked anyway, would not open up the major points spammers find easy to use (e.g. their own networks and the generic networks where open proxies are found all over the place).

    --
    now we need to go OSS in diesel cars
    1. Re:How the attack works by seanadams.com · · Score: 2, Insightful

      You make it sound like the spammers were so shrewd as to design this ingenious "attack" scheme into the virus from the start. I highly doubt that.

      There is no evidence that the SoBig virus was written by spammers, or even that the RBL DDOS is intentional. To me it looks like the RBLs simply can't handle the load from trying to filter out this virus, plain and simple.

      Perhaps an improvement to filtering tools would be to rely as much as possible on bayesian and rule-based filters, and only contact an external RBL (or other rule) if the score is borderline. Right now they're hitting the RBLs for every single message even if it would fail the most simple filter. I imagine the problem is just that everyone's mail server can easily handle 1000x the current level of crap, but the RBLs can't.
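The cache-miss mechanism Skapare describes, and the "only query the list for borderline mail" gate from the reply, as an added example. This is not code from either poster or from any DNSBL operator; the zone name is a placeholder, the resolver is a minimal TTL-cache model, and the two traffic patterns are constructed, not measured.

```python
"""Added example: why mail from many distinct hosts multiplies DNSBL lookups,
and how gating lookups on a local score reduces them.
Not code from the original thread; the DNSBL zone name is a placeholder."""
import ipaddress

DNSBL_ZONE = "bl.example.invalid"  # assumed placeholder zone, not a real list


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Standard DNSBL convention: reverse the IPv4 octets under the list zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class CachingResolver:
    """Minimal model of a site recursive resolver in front of a DNSBL.

    A query is served from cache while its TTL (seconds) has not expired;
    every miss is forwarded to the list's authoritative servers."""

    def __init__(self, ttl: int):
        self.ttl = ttl
        self.cache: dict[str, float] = {}  # query name -> expiry time
        self.upstream_queries = 0

    def lookup(self, name: str, now: float) -> None:
        expiry = self.cache.get(name)
        if expiry is not None and expiry > now:
            return  # cache hit: no load reaches the DNSBL
        self.upstream_queries += 1
        self.cache[name] = now + self.ttl


def upstream_load(sender_ips, ttl: int = 3600, interval: float = 1.0) -> int:
    """Count queries that reach the authoritative DNSBL servers when a mail
    server checks one SMTP connection every `interval` seconds."""
    resolver = CachingResolver(ttl)
    for i, ip in enumerate(sender_ips):
        resolver.lookup(dnsbl_query_name(ip), now=i * interval)
    return resolver.upstream_queries


def should_query_dnsbl(local_score: float, reject_at: float, accept_below: float) -> bool:
    """Gate from the follow-up: consult the list only when the local
    (Bayesian/rule) score is neither a clear accept nor a clear reject."""
    return accept_below <= local_score < reject_at


# Constructed traffic, not measured data: 1000 connections either from the
# same 20 peers (normal day) or from 1000 distinct infected hosts (worm day).
NORMAL_DAY = [f"192.0.2.{n % 20 + 1}" for n in range(1000)]
WORM_DAY = [f"198.51.{n // 256}.{n % 256}" for n in range(1000)]

if __name__ == "__main__":
    print("normal day upstream queries:", upstream_load(NORMAL_DAY))
    print("worm day upstream queries:", upstream_load(WORM_DAY))
```

With a one-hour TTL the normal day costs the list 20 authoritative queries for 1000 connections, the worm day costs 1000: the cache is defeated not by volume but by sender diversity, which is exactly what a worm spraying from every infected desktop produces. Shortening the TTL (so delistings propagate quickly) makes the gap worse, which is the tension Skapare's last two paragraphs are about.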

  20. I've said it before... by terrencefw · · Score: 4, Insightful
    ...and I'll say it again.

    The main problem here is that we have millions of hosts connected to the Internet that just aren't robust or secure enough to be connected to a public network (I'm mostly talking about Windows machines here, if you hadn't guessed).

    There was a discussion last week on slashdot about ISPs doing egress filtering on home users' connections and I'm all in favour of that.

    Unless you're hell-bent on running a mailserver on your DSL line, there's no reason for you to go out on port 25. Even if you do run a mailserver, you should have your box forward all outbound mail to your ISP's mail relay. AOL and some other large ISPs won't accept mail from you if you don't anyway.

    IMHO ISPs have a responsibility to protect the backbones from their lame-ass customers with compromised machines.

    Reply rather than mod if you think I'm talking out of my outbound relay.

    --
    Like tinyurl, but one letter less! http://qurl.co.uk/
    1. Re:I've said it before... by Detritus · · Score: 2, Insightful

      Mail service should be decoupled from Internet access service. There are a number of valid reasons why a customer may not want to use his ISP's mail server, such as security, reliability and performance. Many ISPs have shown that they are incompetent in running their own mail servers.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:I've said it before... by Zocalo · · Score: 2, Insightful
      Seconded (with a caveat). A huge proportion of home users do not even know what an SMTP server is, let alone what it does and why they would want one. As long as the ISP makes provision for SOHO offices and "advanced" users to get such blocks removed on request I have zero problem with this. In fact, the ISP I currently use for my home connection does this, and while I had to chase the issue up (overworked support team I guess), they had no issues with removing the block. Frankly I think it's just a matter of time before this becomes the default anyway. With DCOM/NetBIOS/spam attacks choking ISPs' core infrastructure and numerous abuse complaints coming in as well, who could blame them?

      Well, the above mentioned switched on users and small businesses with satellite offices using consumer DSL circuits to save money, that's who. I'd also be unhappy about the prospect of this being a slippery slope. Let's say we start by forcing SMTP through the ISP's server (which kills SoBig) and also block DCOM and NetBIOS (which probably shouldn't be on the Internet outside a VPN anyway). Fine, but what happens when we get a major exploit on another non-core protocol? Do we block that too? Who decides?

      Are you sure you will feel that way when one of the protocols *you* rely on gets firewalled by your ISP to "protect the Internet"?

      --
      UNIX? They're not even circumcised! Savages!
  21. Wrong! by fmaxwell · · Score: 3, Interesting

    > There is at least one gaping hole in your argument, namely that blacklists are also suppressing free speech. You Suck.

    That's an idiotic statement. Blacklists don't suppress speech. No one forces you or your ISP to use the blacklists or to refuse e-mail from IP addresses listed on them. I use blacklists and my server may reject messages from you. So what? You have no Constitutionally guaranteed right to use my server to deliver your message. It's my private property, just as your ISP's server is their property.

    Suppose your ISP started blocking all e-mail from ISP X after reading a New York Times article that ISP X hosts spammers. Would you accuse the New York Times of suppressing free speech? If not, then why would you accuse a blacklist provider of suppressing free speech? Because it's easier to search their database than to search the NY Times archives?

    You need to take a class in Constitutional law.

  22. Re:More Harm Than Help by Skapare · · Score: 2, Interesting

    Oh it's you again. You're still pissed off because your ISP harbors spammers and you think that you're not somehow supporting that by helping your ISP stay in business.

    As to your statement about Bayesian filtering ... there are many negative effects. First, it works on the basis of content. What makes mail be spam is not what the content is; it's that the senders are using bulk methods to send to people who didn't want it. I do get some mailings that I have opted in to, which if they were sent to people that don't want them, would be spam to them. Bayesian filtering doesn't work on the basis of what spam really is. Secondly, to even use Bayesian filtering, it becomes necessary to let the spam arrive, using up network and server resources as it comes in. Then the Bayesian filtering has to be run which uses up even more server resources. And finally, if it is considered spam and rejected, then a bounce message has to be queued (taking up disk space), and delivery of it has to be attempted (which for most because it is from real spammers, cannot be delivered, and takes space and delivery attempts for several days). So I will never use Bayesian filtering because it is simply all wrong.

    --
    now we need to go OSS in diesel cars
  23. We figured it out this summer by bigberk · · Score: 5, Interesting

    Anti-spammers figured out what's going on this summer (see news.admin.net-abuse.email). These numerous Windows worms we're seeing are in fact trial software deployments (funded by major spammers) that are in the process of setting up an anonymous, distributed worldwide spam injection network.

    You may mistakenly believe, as I did in the past, that spammers are just a bunch of unemployed losers that sit around late night bulk mailing ads for scams. It turns out that in fact they're well funded losers engaged in such a lucrative industry that they can afford to hire good programmers.

    The series of Windows worms we've seen this year had preset expiry dates -- ending each of the carefully released wild tests. The most recent versions (Swen) have very efficient SMTP engines built-in; these are not amateur projects.

    Thanks to Microsoft's monopoly of operating systems, spammers can easily deploy software around the world that relays spam. Swen demonstrated the power of this software; many people were DDoS'd off the net. I alone received over 40,000 emails carrying the worm.

    Expect an all-out spam war to break out in 2004.

    1. Re:We figured it out this summer by gad_zuki! · · Score: 2, Funny

      >Expect an all-out spam war to break out in 2004.

      How about an all out virus war? Write a virus that stealth installs AVG and let it run loose. I can't wait to see the Symantec advisory on that:

      "This trojan installs a competitor's product. Here is the remove tool and a link to buy our product."

  24. Proposal for a DDOS-immune RBL by Pig+Hogger · · Score: 3, Interesting

    The idea is to provide a distributed RBL, using only proven recipes and technology.

    The list is a re-implementation of a DNS-based RBL, so as to allow current MTAs to access it without modification.

    The RBL servers are distributed, PRIVATE AND SECRET, in order to avoid being DDOSed. The servers are ordinary BIND, whose zone file is updated by a process to be implemented.

    Those willing to use the RBL service have to run their own DNS server - they are free, however, to allow other trusted people to use their services; only they are going to be affected by an eventual DDOS, but not other users of the DRBL.

    The RBL information is distributed via USENET. USENET has proven its ability to survive all sorts of attacks in the past. It has survived the Church of Scientology, therefore it will survive chickenboners. Its distributed nature makes it quite invulnerable to the kind of DDOS attacks that currently affect centralized DNS RBLs.

    The list maintainer posts PGP-signed updates to USENET via a network of trusted volunteers who do it from dynamic IP addresses of disposable dialup accounts. For safety, the IP addresses are changed immediately following the posting of updates, in order to avoid being DDOSed.

    Authentication against spoofing and flood attempts is provided by the PGP signature.

    The RBL users then scan USENET for the updates, which, once authenticated, are used to update the zone files on their private and secret DNS servers.
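    A sketch of the authenticate-then-apply step the proposal describes, added here as an illustration; it is not code from the post or from any existing DRBL project. It assumes a line-oriented update format (a "serial:" header followed by "+ip" / "-ip" lines), a hypothetical zone name drbl.example, and, because the Python standard library has no OpenPGP support, uses an HMAC over the update body with a shared key as a stand-in for the maintainer's PGP signature; a real deployment would verify the PGP signature instead. The serial check is the one piece the signature alone does not give you: it rejects replayed copies of old, validly signed updates, which is how a flood of stale postings would otherwise get through.

```python
import hmac
import hashlib
import ipaddress
from typing import List, Set, Tuple

# Hypothetical verification key: stands in for the maintainer's PGP public
# key (constructed for this example, not part of the proposal).
VERIFY_KEY = b"constructed-demo-key-do-not-reuse"
ZONE_NAME = "drbl.example"  # hypothetical zone name


def sign_update(body: str, key: bytes = VERIFY_KEY) -> str:
    """Stand-in for the maintainer's PGP signature over the update body."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_update(body: str, signature: str, key: bytes = VERIFY_KEY) -> bool:
    """Constant-time comparison so a forged signature leaks nothing by timing."""
    return hmac.compare_digest(sign_update(body, key), signature)


def parse_update(body: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Parse a 'serial: N' header followed by '+ip' / '-ip' lines.

    Every address is validated as IPv4 before it can reach a zone file, so a
    malformed but correctly signed update cannot break the DNS server."""
    lines = [ln.strip() for ln in body.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or not lines[0].startswith("serial:"):
        raise ValueError("missing serial header")
    serial = int(lines[0].split(":", 1)[1])
    ops = []
    for line in lines[1:]:
        action, addr = line[0], line[1:].strip()
        if action not in "+-":
            raise ValueError(f"bad action in {line!r}")
        ipaddress.IPv4Address(addr)  # raises on garbage
        ops.append((action, addr))
    return serial, ops


def apply_update(listed: Set[str], last_serial: int,
                 body: str, signature: str) -> Tuple[Set[str], int]:
    """Authenticate, replay-check, then apply. Returns (new listing, serial)."""
    if not verify_update(body, signature):
        raise ValueError("signature check failed: update ignored")
    serial, ops = parse_update(body)
    if serial <= last_serial:
        raise ValueError(f"stale or replayed serial {serial} (have {last_serial})")
    listed = set(listed)
    for action, addr in ops:
        if action == "+":
            listed.add(addr)
        else:
            listed.discard(addr)
    return listed, serial


def reverse_ip(addr: str) -> str:
    """DNSBL convention: 192.0.2.10 is looked up as 10.2.0.192.<zone>."""
    return ".".join(reversed(addr.split(".")))


def build_zone(listed: Set[str], serial: int, zone: str = ZONE_NAME) -> str:
    """Render a BIND zone file; listed addresses answer 127.0.0.2."""
    out = [
        f"$ORIGIN {zone}.",
        "$TTL 300",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{zone}.",
    ]
    for addr in sorted(listed, key=lambda a: int(ipaddress.IPv4Address(a))):
        out.append(f"{reverse_ip(addr)} IN A 127.0.0.2")
        out.append(f'{reverse_ip(addr)} IN TXT "listed by {zone} serial {serial}"')
    return "\n".join(out) + "\n"


# Constructed sample update, in the shape a maintainer would post it.
# Addresses are from RFC 5737 documentation space.
SAMPLE_UPDATE = """serial: 42
# constructed example
+192.0.2.10
+198.51.100.7
-203.0.113.9
"""
SAMPLE_SIG = sign_update(SAMPLE_UPDATE)

if __name__ == "__main__":
    listed, serial = apply_update({"203.0.113.9"}, 41, SAMPLE_UPDATE, SAMPLE_SIG)
    print(build_zone(listed, serial))
```

    The zone the block prints is what an unmodified MTA would query: a listed sender's reversed octets resolve to 127.0.0.2 under the zone, an unlisted one gets NXDOMAIN. Keeping the serial in the SOA ties each reload to the update that produced it, which helps when two private servers disagree about what the current list is.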

  25. Who owns the First Amendment? by fm6 · · Score: 2, Interesting

    Blacklists don't suppress speech. No one forces you or your ISP to use the blacklists or to refuse e-mail from IP addresses listed on them. I use blacklists and my server may reject messages from you. So what? You have no Constitutionally guaranteed right to use my server to deliver your message. It's my private property, just as your ISP's server is their property.

    It's not quite that simple. It's true that the first amendment mainly serves to keep the government from suppressing speech. But private entities have a certain responsibility to tolerate free speech as well, and the courts have always recognized this. If you own a large shopping mall, you can't arbitrarily restrict what people say and do there. If it's large and diverse enough to be considered a "public forum" you may just have to put up with people collecting signatures or passing out leaflets, as long as they don't interfere with the operation of the mall. Or not, depending on how broadly your state courts interpret the first amendment. But in any case, you're wrong to assume that private property rights always trump free speech rights.

    But never mind all that, just suppose that we do allow owners of networks and servers absolute control of what passes over their wires. Is that something you really want? Sure, it gives them the power to shut down spam. But it also gives them the power to control what web sites their users can access. Or what their users can put on their own web sites. Now, if hardware is owned by a private company and all its users are employees who are supposed to be using the internet to do their jobs, I suppose you have to grant that company a large measure of control. But if we're talking about public ISPs, then we're talking about something very scary. These ISPs, if they coordinated their efforts, and were allowed to totally control whatever passes over their wires, could do something that governments have repeatedly tried and failed to do: censor the internet.

    A few years ago, there was a site called blackdeath.org that offended certain parties with its anti-Christian rants. Who demanded that their ISP pull the plug. When the ISP declined, they went to the ISP's backbone provider. Which happened to be owned by a major media company. Now, media companies are not fans of censorship, but they like offending people even less -- they might complain to the FCC, or worse, stop watching TV. So the backbone provider told the ISP to pull the plug on blackdeath.org, or else they'd lose their own internet service, and be forced out of business. Naturally they complied. Blackdeath.org went dark, briefly came back with a low-bandwidth provider, then finally disappeared forever.

    This really scared me at the time, since the internet backbone had been consolidated into just a few big companies, most of them with the same censorship-prone connections as the Time Warner backbone. Since then, the backbone situation has gotten a little more competitive. But with the trend to consolidate more and more communications into fewer and fewer companies, I wouldn't get too sanguine. And I'd look for solutions to the spam problem that emphasize individual, not central, control over network traffic.

    1. Re:Who owns the First Amendment? by fmaxwell · · Score: 2, Interesting

      Thank you for your very reasoned and intelligent reply.

      I believe that the shopping mall analogy falls down in one key respect: There is no direct cost to the shopping mall if I hand out leaflets. To make it a truly analogous situation, I would have to distribute the leaflets at some cost to the mall. For example, I would need to occupy enough space that they would need to expand the mall (analogy to additional servers needed for spam processing), I would have to draw enough traffic that they would need to increase the size of their entrances and exits (analogy to bandwidth), and I would need to cause them to need to increase the size of their parking lot (analogy to disk storage). Then the analogy works. The key to this is that I have a right to express myself, but I don't have a right to make you pay for it.

      But never mind all that, just suppose that we do allow owners of networks and servers absolute control of what passes over their wires. Is that something you really want?

      In one sense, yes. A network owner has a right to limit unwanted, unrequested, and harmful traffic. An ISP has a right to block port 135 to stop the spread of a worm. They have the right to refuse e-mail from a spammer who wishes to flood their network with messages. They have a right to block port 80 incoming to keep their residential users from running web servers. What I don't think that they have a right to do is purposely block requested content -- and I don't think that they want to do that, either.

      These ISPs, if they coordinated their efforts, and were allowed to totally control whatever passes over their wires, could do something that governments have repeatedly tried and failed to do: censor the internet.

      But the free market will stop them from doing that. If AOL, Earthlink, and MSN all entered into a censorship pact, then other ISPs would capitalize on offering the "Internet uncensored." There is also the ever-present threat of being considered publishers rather than common carriers. If an ISP were to exercise editorial control over the content that traversed their network, they would quickly find themselves in the legal role of publisher, complete with all of the pitfalls and dangers that entails.

      This really scared me at the time, since the internet backbone had been consolidated into just a few big companies, most of them with the same censorship-prone connections as the Time Warner backbone. Since then, the backbone situation has gotten a little more competitive. But with the trend to consolidate more and more communications into fewer and fewer companies, I wouldn't get too sanguine.

      I agree with your concerns and what they point out is how important it is for the federal government to actively assure that the marketplace remains competitive, that we don't get a "Clear Channel" or "AOL Time Warner" controlling vast swaths of the marketplace.

    2. Re:Who owns the First Amendment? by fm6 · · Score: 2, Interesting

      I believe that the shopping mall analogy falls down in one key respect: There is no direct cost to the shopping mall if I hand out leaflets.

      Few shopping mall owners would agree with you. But that's neither here nor there. If property rights trump leafletting rights, then mall owners don't have to have a good reason for forbidding leafletting. Or any reason.

      But the free market will stop them from doing that. If AOL, Earthlink, and MSN all entered into a censorship pact, then other ISPs would capitalize on offering the "Internet uncensored."

      Yes, that's a reasonable safeguard as long as there's lots of competition. And I don't mean ISP competition, because ISPs just retail bandwidth that they buy from backbone wholesalers. If you're reduced to 3 or 4 backbone providers (which was the situation 5 years ago), that's a real threat. Nowadays less so.

      Which I suppose supports your basic argument: that the free market has a healthy ability to create alternate avenues of communication. Which would seem to make serious internet censorship more and more difficult. But by the same token, it also makes spam harder and harder to control. In the end "free speech", whether it's "we hold these truths to be self-evident" or "I'm a Nigerian banker with money to give away", seems not so much a right as a law of nature.