Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sobig Worm Attacking RBL Lists?

Posted by CmdrTaco on from the show-me-the-proof dept.

Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"

8 of 260 comments (clear)

  1. Re:And how could they win? by Drakon · · Score: 4, Insightful

    When?
    do you actually think SMTP would get supplanted in the near term (>5 years) with an incompatible solution?
    Do you think there won't be new and better anti-spam solutions before SMTP is supplanted?
    (if you answered yes to either of the above, your world view is distorted and you need to stop drinking so much ;-)

    --
    Buttsex.
  2. Not really surprising, is it? by borius · · Score: 5, Funny

    With the efficiency of spam filters and widespread use of blacklists and such, how can the spammers actually make any money? It's logical that they (the spammers) should try to bring attrition to the defenses of mail servers.

    Btw, I have a novel idea for bringing spammers out of business. OK, here goes: spammers want to sell you penis enlargement programs, viagra, and pr0n right? Well, what if someone sets up a company solely dedicated to selling these things at the lowest price possible? People could just go to AllMyPerverseNeeds.com and get their fix cheaply and securely. Obviously we can't compete with Nigeria type spams, but it would bring down a lot of spam I think. So, anyone in favor of starting a non-profit Viagra depot?

  3. Attempted slander against anti-spam services also by Ricin · · Score: 5, Insightful

    Look what I got yesterday (with forged headers):

    ---- quote --------------
    Dear Internet user.

    We are an organization dedicated to stopping spam. Please help us as we are
    funded solely by private donations.

    visit www.spamcop.net for full details. Or you can send your donations to:

    Julian Haight
    PO Box 25732
    Seattle, WA
    98125-1232

    As you can see by this message unsolicited e-mail is an invasion of your
    privacy. As you can also see it can be sent anonymously

    We will continue our efforts until all spam is eliminated.

    To join please visit www.spamcop.net or contact
    jkdom@mail.julianhaight.com

    We will continue to send out this message until we convince all ISP's to
    stop all spammers.

    !!!Stop low-lifes from invading your inbox with their junk!!!
    ---- end quote ------------

    If they spew out fake spam which can only be meant for slanderous purposes, would you really expect them to *not* be in the virus game. Almost all these Windows viruses, if you hexdump them, have smtp capability. It's quite thinkable that a fair amount of them are really experiments rather than 'bad things done to innocent users because the virus writer likes doing that'.

    There must be a lot of money involved in the art of spamming still. I wouldn't be surprised if spamhauses are partially means of laundering money as well (think about it). Either way, these people *are* criminals and one should consider them as such.

  4. Re:Where's the hard evidence? by GoneGaryT · · Score: 5, Interesting
    There have been a number of comments on this topic on a closed list for academic sites here in the UK and the analyses point to Sobig DDoS attacks, specifically against spamhaus.org in these cases. Sobig-F was a very well written piece of binary code, encrypted and compressed to 76k AFAIR, and a description of its functionality shows this. In particular, the possibility that it could act as a portal for Trojan downloads reinforces the claim.

    I was trapping infected workstations by monitoring perimeter firewall logs for DNS calls to the root servers, as this is a feature of its activity. Pity I didn't have time to find out what it wanted to resolve, because that could have been interesting.

  5. Spam ostrich by fmaxwell · · Score: 5, Insightful

    I most certainly hope so! Blacklists are a cure far worse than the disease, and I'm completely rooting for the spammers here.

    Publishing spam blacklists is a form of free speech and what you're advocating is the use of illegal means (DDoS) to suppress free speech. You suck.

    What with bayesian junk filtering and using uniquely generated email addresses whenever I give them, I never see any spam, and the bandwidth it's costing me is minimal.

    Grandma isn't going to be able to install and use bayesian filtering or generate unique e-mail addresses, so your solution sucks. Any "solution" which doesn't keep the spammers from getting their messages to the vast majority of people is just some geek doing mental masturbation. The spammers will continue to spam, using up bandwidth and storage, while costing ISPs, their subscribers, and businesses huge sums of money. And you'll sit there at home patting yourself on the back (or elsewhere) even though the spammers used your bandwidth, your ISP's bandwidth, your ISP's storage, and your storage. Not seeing the spam means that you can't complain about it, so that means that the spammer has less chance of being shut down.

    You're just a spam ostrich. You have your head buried in the sand so that you don't see the spam -- even though it's still there.

  6. How the attack works by Skapare · · Score: 4, Informative

    Before the SoBig virus, each mail server receiving mail would, in the course of a day (about how long DNS black list records would be cached), get SMTP connections from a certain set of other mail servers. Most of those mail servers would be the ones from which email regularly comes in. Although people would have lots of email addresses in their address books, and even more in other files, most only regularly exchange mail with a small subset.

    Enter the SoBig virus. It gathers up email addresses, not only from the address book, but also from email contents, web cache, documents, and just about everything else. Then it sends email to them in a probably uniform distribution of selection. The number of different domains being sent to from one computer in a day is now much larger than normal (in addition to the increased traffic). At the receiving mail servers, the number of different mail servers the SoBig spam is coming from is also much larger than normal. Now mail servers are getting mail from just about every mail server that has any user with any instance of a user email address that names that receiving server.

    With the same mail servers sending mail over and over, the receiving server's DNS cache will have hits very frequently. With an increase in diversity of mail servers trying to deliver the SoBig spam, the number of cache misses goes up. Each cache miss means a query that recurses back to the DNS blacklist servers. Thus the query load on those servers goes up, effectively a DDoS.

    Additionally, most DNS servers out there are "open recursive name servers". That means they let anyone, anywhere, do a recursive lookup. Spammers can drive even more load on the DNS blacklists by sending out DNS queries (with forged source addresses, of course, so they don't have to deal with the bandwidth of the answers) to those open recursive name servers, forcing more and more queries to focus in on the authoritative servers for the DNS blacklists.

    This attack can be successful because spammers have far more network access from a wide variety of places than there are authoritative name servers for DNS blacklists (the ultimate target). And since recursive DNS lookup only has that server for a source address, all the DNS blacklists will see are queries from those open servers.

    One way to address some of this problem is to close off recursive lookups. But given that millions of networks are run by incompetent or non-existant administrators, that isn't likely to happen on the scale needed to prevent the abuse. And it won't stop lookups by the receiving mail servers trying to check out all the different SMTP connections due to the spam from the viruses.

    Blacklists will most likely end up having to be done by a means other than DNS, unless blacklist operators can manage to acquire sufficient bandwidth and server power to ride out the loads (which could very well be even greater than the GTLD servers that host "com" and "net" would see). Some form of distributing a static list file will probably happen. And, unfortunately, that means whoever gets listed will have a much harder time getting out of all those distributed lists, as many people won't be updating them as often as they should. The original reason to use DNS was to have a relatively quick means to remove a listing and have it take effect throughout the internet. By breaking the DNS mechanism, the ability to remove a listing is what suffers the most.

    What I hope will end up happening is that spammer networks and generic (dialup, cable modem, DHCP, etc) addresses get listed in distributed files, and the more transient cases still get handled by DNS. The listings in DNS would be the ones that won't be so important to big time spammers, so they would be less attractive targets of attack, and if attacked anyway, would not open up the major points spammers find easy to use (e.g. their own networks and the generic networks where open proxies are found all over the place).

    --
    now we need to go OSS in diesel cars
  7. I've said it before... by terrencefw · · Score: 4, Insightful
    ...and I'll say it again.

    The main problem here is that we have millions of hosts connected to the Internet that just aren't robust or secure enough to be connected to a public network (I'm mostly talking about Windows machines here, if you hadn't guessed).

    There was a discussion last week on slashdot about ISP's doing egress filtering home users's connections and I'm all in favour of that.

    Unless you're hell-bent on running a mailserver on your DSL line, there's no reason for you to go out on port 25. Even if you do run a mailserver, you should have your box forward all outbound mail to your ISP's mail relay. AOL and some other large ISPs won't accept mail from you if you don't anyway.

    IMHO ISPs have a responsibility to protect the backbones from their lame-ass customers with compromised machines.

    Reply rather than mod if you think I'm talking out of my outbound relay.

    --
    Like tinyurl, but one letter less! http://qurl.co.uk/
  8. We figured it out this summer by bigberk · · Score: 5, Interesting

    Anti-spammers figured out what's going on this summer (see news.admin.net-abuse.email). These numerous Windows worms we're seeing are in fact trial software deployments (funded by major spammers) that are in the process of setting up an anonymous, distributed worldwide spam injection network.

    You may mistakenly believe, as I did in the past, that spammers are just a bunch of unemployed losers that sit around late night bulk mailing ads for scams. It turns out that in fact they're well funded losers engaged in such a lucrative industry that they can afford to hire good programmers.

    The series of windows worms we've seen this year had preset expiry dates -- ending each of the carefully released wild tests. The most recent versions (swen) have very efficient SMTP engines built-in; these are not amateur projects.

    Thanks to Microsoft's monopoly of operating systems, spammers can easily deploy software around the world that relays spam. swen demonstrated the power of this software; many people were DDoS'd off the net. I alone received over 40,000 emails carrying the worm.

    Except an all-out-spamwar to break out in 2004.