Spammers Using Hacked Machines as Decoys
avi33 writes "This Wired story shows a disturbing alliance between hackers [sic] and spammers. Interestingly, they blame part of the alliance on market forces, leading some skilled engineers to the dark side for profit's sake. A Polish firm claims to have control of 450,000 Trojaned systems that it uses to mask the IP addresses of its hosted sites. In other words, you could host your Viagra-peddling site with a company that has a stringent no-spam policy, but a DNS lookup will point to a home user's compromised machine. Not quite bulletproof, but certainly ups the ante in the spam war."
Of course if broadband ISPs were to implement a simple inbound firewall for every user then they'd eliminate most of these problems overnight: trojaned machines would be unreachable, worms like CodeRed that scan for vulnerabilities would be halted.
The few users of broadband who actually need to run an Internet-visible server would then have to contact their ISP for a port to be opened, but that seems like a small price to pay for cutting off 1000s of machines that have been hacked.
Naturally, this would cause file steal^H^H^H^Hharing applications to stop working.
John.
This is more than just sending off a single email to a scantily watched abuse address. This means getting hold of a real person and explaining, realistically, what sort of legal liabilities they might be open to if they continue to support the spammer's actions. (Hacking laws, aiding and abetting, trademark infringement and vicarious liability) often fit in there.
If more people would do this, life would get a lot harder for spammers.
Just sue the owner of the company that they're advertising.
Make some $$$.
If we broke more thumbs and kneecaps
"Not It!"
That is all.
Thank you.
Done.
-- Liberalism is a mental disorder.
It sounds like they run DNS which "load-balances" requests to the spamvertised sites through zombies set up as open proxies. Since the zombies are scattered throughout all IPs, it makes blocking them hard.
Of course the scumbags know their weak spot is the DNS. Blocking particular domains is easy, and changing the authoritative DNS for a zone takes a while (done that too often). It steps up the spam blacklisting to now require not just refusing mail, but also refusing to talk to certain DNS servers that are known to operate this way. They can move around, but it's harder; I'm not sure if this is better or worse than the current situation.
Damn spammers.
People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.
Link this to Al-Qaeda somehow. The US will get Poland to deport these guys. Problem solved...
antics/foibles of payper liesense corepirate nazi softwar gangster stock markup FraUD execrable.
it's not that hard to do. there's so much of it to choose from.
from the grasping_for_something_to_say_besides_i'm_afraud dept.
Viruses are becoming increasingly more sophisticated and the time between the delivery of a patch from Microsoft until hackers figure out workarounds is becoming dangerously short. In the case of the Blaster virus it was 25 days, Ballmer said.
"When it gets down to five or 10 days a lot of our users will be in a tough position. Their [hackers'] exploits are getting more sophisticated," Ballmer said.
you wonder how these fauxking corepirate nazi payper liesense stock markup FraUD ediots can stay out of jail for yet another daze? defense lawyers. that's how. you're paying for it, as well as everything else.
most of them home computers running Windows with high-speed connections.
WHY wasn't ICF turned on by default in XP Home? WHY aren't there pamphlets included with new computers about keeping AV up to date and not opening unknown e-mail attachments? WHY are so many ports in Windows open by default on Home installations? WHY is Microsoft still clinging to the broken "identify executables by extension" mechanism?
We include pamphlets about how not to hurt yourself while you're using your pretty new Gateway PC, but we can't even drop in a fucking 2 page paper about keeping A/V up to date and the danger of executable attachments? Not only that, Microsoft runs on almost all of the Home PCs out there but almost nobody (sorry geeks, we're all still nobodies when we're not on Slashdot) demands any accountability or quality or security from Microsoft?
Fuck it... I'm going to become a goddamn mime.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
s/hackers/crackers
Did anyone here try the sites mentioned in the article:
rackshack.net seems to be a static address hosted at ev1.net
removeform.com does not even work, since it seems to always point to
bestportal.biz which has an IP address of 1.1.1.1 which is not even valid.
HuH? What are they talking about?
Even if they did somehow create cloaked IP addresses, you can still go after the domain name.
The article does not seem to make a lot of sense to me. Someone explain if they found anything real.
DO NOT PANIC
On our CanIt (anti-spam) box, I have seen an increase in messages in the pending bin. They are all the same spam, but from a multitude of different IPs, all within a very short timeframe of one another. Anyone seeing this too? What sucks is when a spammer decides to spoof your domain and you get 100,000 bounce messages a day. *sigh*
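The pattern this comment describes, one identical message arriving from many unrelated IPs inside a few minutes, is the fingerprint of a zombie network rather than a single open relay, and it is easy to pick out of a gateway's pending bin automatically. The following is an added example, not code from the original post or from the CanIt product: it runs a simple burst detector over constructed log records (every address, timestamp and threshold below is an assumption) and then groups the flagged source IPs by /24 so each upstream network can be sent one report.

```python
"""Flag 'same message, many sources' bursts in a mail gateway log.

Added example; the record layout, thresholds and every address below are
constructed for illustration and are not real data.
"""
import hashlib
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source IP, subject, body).
# One burst (5 sources in 4 networks within 7 minutes), one legitimate
# newsletter from two hosts, and one slow drip of the same spam over hours.
SAMPLE_LOG = [
    ("2003-10-09 10:00:01", "203.0.113.7",   "Cheap meds", "Buy now!! order id 8812 visit example.invalid"),
    ("2003-10-09 10:01:40", "203.0.113.99",  "Cheap meds", "Buy now!!  order id 9031 visit example.invalid"),
    ("2003-10-09 10:03:12", "198.51.100.3",  "CHEAP MEDS", "Buy now!! order id 0017 visit example.invalid"),
    ("2003-10-09 10:05:55", "192.0.2.44",    "Cheap meds", "Buy now!! order id 4411 visit example.invalid"),
    ("2003-10-09 10:06:30", "100.64.12.9",   "Cheap meds", "buy now!! order id 7777 visit example.invalid"),
    ("2003-10-09 10:02:00", "192.0.2.10",    "Weekly digest", "Issue 42 of the weekly digest"),
    ("2003-10-09 10:02:05", "192.0.2.11",    "Weekly digest", "Issue 42 of the weekly digest"),
    ("2003-10-09 09:00:00", "203.0.113.200", "Refinance", "Lowest rates, reply within 24 hours"),
    ("2003-10-09 10:00:00", "198.51.100.77", "Refinance", "Lowest rates, reply within 24 hours"),
    ("2003-10-09 11:00:00", "192.0.2.150",   "Refinance", "Lowest rates, reply within 24 hours"),
    ("2003-10-09 12:00:00", "100.64.3.3",    "Refinance", "Lowest rates, reply within 24 hours"),
]

WINDOW = timedelta(minutes=10)   # assumed: how tight a burst has to be
MIN_SOURCES = 4                  # assumed: distinct IPs before we call it a burst
MIN_NETWORKS = 3                 # assumed: spread over at least this many /24s


def fingerprint(subject, body):
    """Hash the message with case, digits and whitespace collapsed, so the
    per-copy 'order id' and padding tricks do not defeat the grouping."""
    text = f"{subject}\n{body}".lower()
    text = re.sub(r"\d+", "#", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha1(text.encode()).hexdigest()[:12]


def network_of(ip):
    """Coarse grouping key: the /24 the source address sits in."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def find_bursts(records, window=WINDOW, min_sources=MIN_SOURCES, min_networks=MIN_NETWORKS):
    """Return one entry per fingerprint whose busiest `window` holds at
    least `min_sources` distinct IPs spread across `min_networks` /24s."""
    by_fp = defaultdict(list)
    for ts, ip, subject, body in records:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_fp[fingerprint(subject, body)].append((stamp, ip))

    bursts = []
    for fp, hits in by_fp.items():
        hits.sort()
        best = None
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            nets = {network_of(ip) for ip in ips}
            if len(ips) >= min_sources and len(nets) >= min_networks:
                if best is None or len(ips) > len(best["sources"]):
                    best = {"fingerprint": fp, "sources": sorted(ips),
                            "networks": sorted(nets),
                            "first_seen": hits[start][0], "last_seen": hits[end][0]}
        if best:
            bursts.append(best)
    return bursts


def sources_by_network(bursts):
    """Group offending source IPs by /24, one list per upstream to notify."""
    grouped = defaultdict(set)
    for burst in bursts:
        for ip in burst["sources"]:
            grouped[network_of(ip)].add(ip)
    return {net: sorted(ips) for net, ips in grouped.items()}


if __name__ == "__main__":
    for burst in find_bursts(SAMPLE_LOG):
        print(burst["fingerprint"], len(burst["sources"]), "sources in", burst["networks"])
    print(sources_by_network(find_bursts(SAMPLE_LOG)))
```

The slow "Refinance" drip is deliberately left unflagged: one copy an hour from four networks is what a human-driven campaign looks like, and a window this tight is meant to catch the synchronised zombie pattern, not every spam that ever repeats. Tune the three thresholds to your own traffic before trusting the output.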
Spammers are winning.
I hate to say it, but they are. They're winning because they play dirty, and we can't stoop down to their level. After two weeks of battling an unusual torrent of spam, I'm ready to torture one of the bastards in a week-long live-webcast to serve as a warning to everyone else. It's time to sink below their level, so we can punch them in the nuts without throwing out our backs!
or the problem will never go away.
Quit buying those penis enlargement pills already...
ELOI, ELOI, LAMA SABACHTHANI!?
It seems that the general computing public has yet to learn that a firewall is every bit as important (if not more important?) as good virus software. With excellent free firewalls available, it seems that the word must be slow to get out to the masses. I get probed about once every ten minutes or so when I'm online at home. Examination of the logs reveals that (judging from the ports) most of them are malicious probes looking for zombie bait.
How can we educate the public about this so we don't keep suffering these casualties of war (now spammers have divisions of zombies too!).
StyleChief
Strange women lying in ponds distributing swords is no basis for a system of government! -M. Python
Actually, the viagra just makes you feel bulletproof.
Of course this is just the supply attempting to meet the demand for people who are in desperate need of thicker penises, more Vicodin, and larger breasts. Why else would they continue to notify us of these offers? They are just doing the world a needed service I tell you!
[/RANT OFF]genius.
hostages of ?pr? ?firm? hypenosys.
fauxking ediots should be in jail. instead:
The only way to fight the spam is white lists supported by keys which should be certified either by the user (friends and partners) or by the government (white book).
Everything else is an illusion of a fight and like the Cold War with the Soviet Union. But guess what? "Good" users are playing the role of the Soviet Union dreaming about the perfect cyber society, while spammers are capitalistically motivated sharks (meaning the Western world in the Cold War). And the history of the Cold War teaches that capitalism is winning, while dreamers are losing. Do you wanna win? Change the game rules. IMHO whitelisting is the way to do that.
Less is more !
Forgive my ignorance of the relevant RFCs, but if a service provider doesn't let all valid (according to the RFCs) packets get to your box, are they actually providing "Internet" access?
I.e., isn't it a different protocol at that point?
Is Poland honestly lawless enough for this not to be illegal there? Can no one sic Interpol on these jokers?
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
this has been going on for years. you think these guys are geniuses and just came up with this a week ago and already own 500,000 boxes?
Somebody wrote about this here six months ago:
http://ralphmag.org/CC/letters.html
A quote from the 2nd page of the article:
/. article
"In a further effort to compromise new systems and add them to their arsenal, Tubul's group appears to be using its "spamvertised" sites to infect visitors with a malicious program. Recent reports in online antispam discussion groups indicate that an invisibly hosted site called miracleformen.com was attempting to install a suspicious executable file on visitors' computers using a vulnerability in Microsoft's Internet Explorer browser."
Re: very recent
What the hell is that link?
My home webserver has problems with "referrer spammers" (guys who keep wasting your bandwidth with false referrer info to get higher scores at Google). Currently I just keep a list of spammers' IPs and block them away.
Some of the "referrers" are spammed from many different IPs, usually from some DSL provider. I wonder if they're cracked machines doing the spammer's job.
Prescriptive grammar:linguistics
My blacklist runneth over....
A clever person solves a problem. A wise person avoids it. -- Einstein
We'd have a cure for AIDS and the common cold by now.
From the article:
My experience with rackshack.net (e.g. ev1.net) is quite the opposite. While one of their hosted spammers was making a 3 week long run of thousands of spam to my mail server, this was repeatedly reported to them, including by telephone call, and they did nothing about it ... at least not for 3 weeks. That is why rackshack.net and ev1.net have earned a special place in my private blacklists to block their entire network. Only their CEO can make arrangements to get it unlisted now.
now we need to go OSS in diesel cars
it started as a network of hi-jacked zombie machines...
And its original purpose was more nefarious than destroying the human race: shoving SPAM down people's throats!
The way to go after spammers, as I keep pointing out, is to follow the money. Find out where the credit card transaction goes. If a criminal offense is involved, any financial intermediary has to either reveal who's behind it or be charged with being an accessory to a felony.
Personally, I'm glad this sort of thing is happening. If it didn't, it would mean Microsoft was highly secure and it would not be possible for one to hijack their operating system so easily. Because of security issues such as this, Microsoft is making the inevitable exodus from their platform that much easier. I pray for more issues such as this. The more we have, the sooner Microsoft will fade from the scene.
End of Line.
Money?? You mean there is money to be made in spamming?! SIGN ME UP. Heck, I'll kick in my mother's family-only email address. I didn't know there was still a way to make money with computer skills.
Well, maybe from 2001...
This is why SPEWS is great. They don't just block the machine that got spammed, but the ISP hosting the site advertised in the URL, forcing the ISP to remove the spammer completely.
I guess you could use this to take out your competition by sending fake spam though. Oh well.
That's the most incoherent /. post I've read in months. Truly a remarkable achievement in the face of such stiff competition.
> control of 450,000 Trojaned systems
This is all Microsoft's fault.
We need to fire up a few more lawsuits in other countries against the buggers for excreting such holy software...
Whatever, you're a few YEARS late on this one, Wired.
The only reason to Spam is to sell a product. But surely if some seller advertises this way, utilizing hacked systems, they are in serious violation of law. Why don't the feds simply go after the clients of spammers. If that happened enough you'd think that the spammers wouldn't be able to make money and would simply stop spamming!
It's ignorant statements like that that make ISPs think it's acceptable to filter ports and protocols. This is NOT acceptable.
Interesting ports on 200.138.238.253:
(The 1642 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp filtered ftp
23/tcp filtered telnet
25/tcp filtered smtp
80/tcp filtered http
110/tcp open pop-3
119/tcp open nntp
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
1080/tcp open socks
6667/tcp open irc
7000/tcp open afs3-fileserver
12345/tcp filtered NetBus
12346/tcp filtered NetBus
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP
TCP Sequence Prediction: Class=random positive increments
Difficulty=10401 (Worthy challenge)
The real problem is that services are becoming centralized which allows for easier spamming. In addition, there is a very easy system to crack and install a home-built forwarder.
The real answer should be distributed services. That is, companies should offer a nice set-up for doing e-mail, web services, etc. from the home. It should likewise be a service that the system is updated.
I prefer the "u" in honour as it seems to be missing these days.
Hallowed be thy compiler.
I was wondering how it would be possible to automatically combat this. It would need some form of traceroute combined with a DNS lookup that logs the DNS server when the end point in the trace is a cable or DSL user. The cable or DSL user should be fairly easy to identify as such in that their names usually include something that refers to their ISP.
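The heuristic proposed in this comment, and the earlier one about DNS that "load-balances" a spamvertised site across zombies scattered over many IPs, can be combined into one offline check: watch what a domain resolves to over repeated lookups, see whether the endpoints' reverse names look like consumer cable/DSL pools, and if so record the domain's authoritative servers. The script below is an added example, not code from either commenter or from any real tool; in place of a live traceroute and resolver it uses constructed lookup results, PTR names and NS data, and the residential name patterns are an assumption rather than an authoritative list.

```python
"""Score a domain for 'hosted on residential zombies' from its DNS answers.

Added example; the lookups, reverse names and NS data below are constructed
stand-ins for what a resolver and a traceroute endpoint would return, so the
script runs offline and sends no queries.
"""
import ipaddress
import re

# Reverse-name tokens ISPs commonly give consumer cable/DSL pools.
# Heuristic assumption, not an authoritative classification.
RESIDENTIAL_TOKENS = re.compile(
    r"(?:^|[.-])(?:a?dsl|cable|cpe|dhcp|dyn(?:amic)?|ppp|pool|dial(?:up)?|broadband|hsd\d*)(?:$|[.-])",
    re.IGNORECASE)
# Four dotted or dashed octets embedded in the name, e.g. 203-0-113-7.
OCTETS_IN_NAME = re.compile(r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}")


def looks_residential(hostname):
    """True when a reverse name matches the consumer-pool naming patterns."""
    return bool(RESIDENTIAL_TOKENS.search(hostname) or OCTETS_IN_NAME.search(hostname))


# Constructed PTR answers for the addresses used below.
PTR_MAP = {
    "203.0.113.7": "203-0-113-7.dsl.example-isp.net",
    "198.51.100.3": "cpe-198-51-100-3.cable.example-cable.com",
    "192.0.2.44": "dhcp-44.pool.example-telecom.pl",
    "100.64.12.9": "adsl-12-9.example-broadband.net",
    "192.0.2.200": "www.example-hosting.com",
}

# Constructed resolver observations: (minutes since start, TTL, A records).
FLUX_LOOKUPS = [
    (0, 300, ["203.0.113.7", "198.51.100.3"]),
    (5, 300, ["192.0.2.44", "203.0.113.7"]),
    (10, 300, ["100.64.12.9", "198.51.100.3"]),
    (15, 300, ["192.0.2.44", "100.64.12.9"]),
]
STATIC_LOOKUPS = [
    (0, 86400, ["192.0.2.200"]),
    (60, 86400, ["192.0.2.200"]),
    (120, 86400, ["192.0.2.200"]),
]
# Constructed NS records for two hypothetical domains.
NS_RECORDS = {
    "spamvertised.example": ["ns2.cheapdns.example", "ns1.cheapdns.example"],
    "legit-shop.example": ["ns1.example-hosting.com"],
}


def network_of(ip):
    """Coarse grouping key: the /24 the address sits in."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def analyze(lookups, ptr_map, min_ips=4, residential_share=0.5):
    """Summarise address churn and residential share across repeated lookups.

    A domain is flagged when it has rotated through at least `min_ips`
    addresses and at least `residential_share` of them reverse-resolve to
    consumer-looking names. Thresholds are assumptions for the example."""
    if not lookups:
        return {"distinct_ips": 0, "distinct_networks": 0, "min_ttl": None,
                "residential_share": 0.0, "flagged": False}
    ips = {ip for _, _, answers in lookups for ip in answers}
    nets = {network_of(ip) for ip in ips}
    residential = [ip for ip in ips if looks_residential(ptr_map.get(ip, ""))]
    share = len(residential) / len(ips)
    return {
        "distinct_ips": len(ips),
        "distinct_networks": len(nets),
        "min_ttl": min(ttl for _, ttl, _ in lookups),
        "residential_share": share,
        "flagged": len(ips) >= min_ips and share >= residential_share,
    }


def servers_to_record(domain, lookups, ptr_map, ns_records):
    """The logging step the comment proposes: when a domain's endpoints are
    residential, note its authoritative servers as a blocking candidate."""
    if analyze(lookups, ptr_map)["flagged"]:
        return sorted(ns_records.get(domain, []))
    return []


if __name__ == "__main__":
    print("flux:", analyze(FLUX_LOOKUPS, PTR_MAP))
    print("static:", analyze(STATIC_LOOKUPS, PTR_MAP))
    print(servers_to_record("spamvertised.example", FLUX_LOOKUPS, PTR_MAP, NS_RECORDS))
```

The low TTL is reported but not used in the verdict, on purpose: plenty of legitimate CDN-fronted sites also use short TTLs, so it is the combination of churn and residential endpoints that distinguishes a zombie-hosted domain, and the minimum TTL is there for a human reviewer. Reverse names are also under the ISP's control, not the zombie's, which is why this check is more robust than anything based on the spam itself.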
You already posted this and it is as incoherent this time as that.
[sic] is only meant to be used when a typo is reprinted verbatim, and it appears after the incorrect word. "hackers" appears to be spelled correctly.
I've seen several articles and profiles on spammers, and those that fight them, but I've never seen an honest and critical look at those who are encouraging more spam by making it profitable for them. Who buys the penis pills? Who can't find porn on their own? Ok, the answers are obviously morons with small penises, but what makes them respond to spam, when it is such a widespread problem? It worries me that as the battle continues between spammers and anti-spammers, a kind of symbiosis will thrive that'll prevent any real attempt on how to stop the problem. Look at telemarketing. The main argument for telemarketing has been jobs. Millions of jobs! How did it get to be so many? Morons with small penises? And soon enough spam and anti-spam camps alike will be screaming the same things. Let's focus on the consumer and make it clear that they are the real problem here.
...Before computer use (at least on the Internet) requires a license. I realize that has some very large drawbacks, but at the rate we're going one day the benefits really will outweigh the drawbacks. Do we have to wait until network traffic is 90% spam and viruses? 99%? 100%? A computer can do more damage to the network than a car can do to a highway, and we license driving. Maybe we'll wait until poor network performance starts to kill people by interfering with hospitals and emergency services.
don't tempt them - I mean, do you really think the "all natural penis enlargement tablets", or the "hair regrowth lotions" work?
What's to stop a spammer trying to sell AIDs-stabilising drugs? "all natural, developed by Dr Chien using ancient herbal remedies the big corporations don't want you to know about".
Immoral bastards, all of them.
and I caught this past Sunday. I wouldn't have noticed it if it hadn't been that my user account lost privileges to "ls". I'm in the process of trying to sort out the problem and secure my machine. For the moment, I've stopped almost all services on the machine except the ones I need for internet connection sharing and only have the DSL modem on when I'm surfing and checking my email.
Since I'm not a system administrator, anybody have some good pointers for me? Since I haven't read the article yet, does it give home users (particularly Linux users) some good info on securing your computer/home network?
The most ironic thing about this, was that I was planning on taking my computer down in about a week to do most of the work I'm trying to get done now.
In the US, but what about other countries???
© 2004 The SCO Group, Inc. All Rights Reserved.
Uh ... Poland is a country of the former Soviet Union? I don't think so.
Maybe an Eastern Bloc country. Maybe a Soviet satellite state. But hardly on the same level as Belarus or the *-stan countries (Turkmenistan, Kazakhstan, Uzbekistan, etc.).
Tuus crepidae innexilis sunt.
This is totally evil, that spammers are stooping so low to... wait a minute. Never mind.
/. article. (I'm guessing the easiest way to patch would be to switch to Mac, or perhaps Linux (tee hee!))
Can you say class action suit? The fear of my system being hacked by spammers has left me depressed. Give me a million dollars. Now.
Maybe if we geeks find out how to patch systems affected, that would make a good followup
I read this and this and thought:
If you want Linux to dominate and destroy Microsoft, start writing Windows worms and viruses, start using Windows web servers to spam spam spam. Make Windows so intolerable that people will have to switch, even if they don't want to.
Be a black hat for white hat reasons?
So if I have an off-the-shelf router this side of my cable modem, what can be done to prevent my cable connection from being used for this?
And the why is the link to the story about the guy who was seemingly the origin of lots of spam.
I'll go re-rtfa, but such a fix didn't pop out so far...
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
If that's the way spammers operate, there's no need for new spam laws, no? What they're doing (unauthorized access to a machine) is already a criminal offense. Why not prosecute on that?
Opus: the Swiss army knife of audio codec
I pray for more issues such as this. The more we have, the sooner Microsoft will fade from the scene.
True, and I believe that most laws today are ineffective so I think we should promote more lawlessness so the current way of doing things will fade from the scene and something better will arise from it. In the meantime, you shouldn't mind then if I steal your computer, beat your family members, and use your credit card right? Bully idea.
In Soviet Russia, trojans control 450,000 firms!
sometimes the pateNTdead eyecon0meter just goes off on it's own, sensing a mistitlement or something. we'll make the appropriate adjustments directory.
When I lived in the dorms, it was a different story. There were an average of 4000 attempted portscans on my machine a day.
It's almost gotten to the point of, without turning to vigilantism on the internet and launching counter-DDoS attacks on the spammers themselves, especially those outside of countries that don't enforce or don't attempt to enforce any type of spam laws... Most spammers now operate outside of western countries, so what's the cure?
Filtering helps; tools like SpamAssassin have brought my total spams from like 80 a day to less than 10.
I for one, as much as I hate them, wouldn't mind seeing a few class action lawsuits against spammers. How much longer until the pipes bust with junk and turn the Internet into a near useless medium?
I know several of my clients now call me instead of email as they say that they "have to wade through 30 junk messages for one valid message". I have rules set up so that my customers' and family email go to separate folders, and that helps even more, but something needs to be done.
As much as I hate to bitch and not offer any answers, I am afraid that I am stumped. I fear that any attempts to write new protocols, especially by the likes of M$, Yahoo, HP, and other major players, will result in the closing of networks (i.e. "this message was not authenticated by a Palladium-enabled server, therefore it will be rejected. Please trade your Mac in for a PC with Win XP^2 for $1000") and cause a leap backwards. At the same time, while people here can say the OSS community will develop an "open" solution, the very fact that it's open means that the very people we try to stop will be able to circumvent anything the community develops. Not to say this won't happen with closed-source technology, but then companies like M$ can possibly use the DMCA against the spammers that reverse engineer such technology.
In any case, spammers are winning and we all are losing.
"The problem with socialism is eventually you run out of other people's money" - Thatcher.
Yes, but it's only a felony in the US. None of those doing the work are in the US.
Even a US-based spammer can claim ignorance of the hired hackers' methods.
And what if the credit card is charged in Kazakhstan?
Who are the ISPs/registrars for these fuckers and why aren't burly men in blue suits and submachine guns breaking down the doors of their registered addresses? Isn't DNS tiered? Isn't there an upstream DNS terminating at a registrar? Why can't this be tracked?
It's 10 PM. Do you know if you're un-American?
But how in the world do we prosecute them if all their spam is zinging off trojaned machines, their "legal" address is an abandoned oil platform in the Caribbean, their credit card processing is done in Russia, their legal department is a nonexistent address in Bangalore & they're drop shipping from East Bumfsck, Kansas?
At that point, what district attorney in the US has enough money to investigate?
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
I installed ZoneAlarm on several WinME and Win98 PCs. However it crashed and otherwise hosed about half of them over time. Hopefully it is better now...but there is a reason why some people are wary of it. Early consumer HW firewalls needed regular power cycling to keep them alive. Really, a very large segment of the population has no idea about how to maintain their computers. The broadband ISPs might need to provide this service. Fortunately HW NATs are making inroads. Though not perfect, they certainly help.
there's plenty of coherence. the remarkability is noted.
Here is yet another example of how spammers have no regard for laws and where their activity is blatantly criminal. It also illustrates why spam laws will be ineffective.
.sig?
It is about time for Law enforcement to find them (follow the money, duh!) and prosecute them. If they are hiding someplace that has no effective rule of law, find them and then knee-cap them. Maybe then they will appreciate law-and-order a bit more.
Psst. Hey buddy, can you spare a
I've read that one of the suspected purposes of Sobig was to create this zombie network with which to propagate spam. Now this article pretty much points us in that direction. Really disturbing.
I would think that the old days created industrial spy-caliber "hackers" but now it seems that a local script kiddie with a few ways to plant trojans can now have a decent going rate in the black market.
I wonder if there will now be flourishing closed-source underground 1337 groups who don't share 0'day exploitz (and thus stopping the "information wants to be free" mantra) because it has more value sold to marketeers who want to create their zombie army of spam.
More pressure on the powers-that-be to stop viruses, trojans, and the like from getting control of a PC...or at least educate users in the possible consequences they may have.
all these comments and this is the *only* one that really exposes the naivete of the original post. blocking inbound is useless if a machine is trojaned because the trojans can initiate the connections outbound *on or to any port*. and trojans can arrive in email so an inbound block won't prevent the infiltration of trojans.
Seems to me that one of the biggest problems is that there's no way to contact the end user of an IP.
.sig
(there's a secondary problem - who should be allowed to contact them)
Most of these trojaned machines wouldn't be if the owner of the machine was aware that they were trojaned.
Perhaps the standard response to an abuse complaint should be:
redirect all outbound connection attempts to an explanation of the complaint,
and an explanation of how to fix a trojaned machine.
-- this is not a
They are only winning to those that don't do anything to help themselves.
The Verisign SiteFinder was a bad thing, obviously, but I laughed at the reaction "It's breaking my spam filter." What kind of archaic, obsolete spam filter were these people using?
Likewise, that spammers are using trojaned systems is bad, of course. Any system compromise is bad. But this is just normal virus and hacking. It doesn't make it any harder to get rid of your spam.
I've said it once and I'll say it again, Bayesian filters are the solution. It works today and it depends on no-one but yourself to start using it. Since I started using it in May, I've received 20,596 spams--of those I've seen 89 of them. I.e., only 0.43%. It comes out to one spam every other day, though that's deceptive since probably half of those that got by were cases of a single spam sent 5 times in rapid-fire mode and they all happened to get through at once--the same spam 6 hours later would've been filtered. In reality, I'd guess I see one spam per week. In a perfect world I wouldn't see any, but that's good enough for me in this imperfect world.
Now, some will say "But that doesn't solve the bandwidth problem." In the short-term, no, it doesn't. But in the short-term it doesn't waste my time which is my single largest expense when it comes to spam. And, in the long-term, if more people started using Bayesian the response rate on spam would continue to plummet making it less and less useful to spam in the first place.
But those that are being bothered by spam on a daily basis simply aren't using the tools and technology that are available to them, and have been for over a year.
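What a "Bayesian filter" actually does is easy to show in a few dozen lines, and seeing it makes the comment's two claims concrete: nothing outside your own mailbox is needed, and the filter's behaviour is set by what you feed it. The class below is an added example, not the commenter's filter or any particular product; it is a multinomial naive Bayes classifier with Laplace smoothing, trained on a constructed eight-message corpus that stands in for a real mailbox, and the 0.9 decision threshold is an assumption.

```python
"""A minimal Bayesian (naive Bayes) spam filter.

Added example, not the commenter's own filter; the training corpus is
constructed and far smaller than any real one, and the threshold is an
assumption chosen so that unknown text is not called spam by default.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Lowercase word tokens; real filters also look at headers and HTML."""
    return TOKEN.findall(text.lower())


class NaiveBayesFilter:
    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}  # token counts per class
        self.docs = {"spam": 0, "ham": 0}                    # messages per class

    def train(self, text, label):
        self.counts[label].update(tokenize(text))
        self.docs[label] += 1

    def _log_score(self, tokens, label):
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        total = sum(self.counts[label].values())
        # log prior: how much of the training mail was in this class
        score = math.log(self.docs[label] / sum(self.docs.values()))
        for tok in tokens:
            # Laplace smoothing: a token never seen in this class gets
            # probability 1/(total+vocab) instead of zero, so one unfamiliar
            # word cannot veto the whole message.
            score += math.log((self.counts[label][tok] + 1) / (total + vocab))
        return score

    def spam_probability(self, text):
        """P(spam | text) from the two class scores, via the log-odds."""
        tokens = tokenize(text)
        spam, ham = self._log_score(tokens, "spam"), self._log_score(tokens, "ham")
        return 1.0 / (1.0 + math.exp(ham - spam))

    def classify(self, text, threshold=0.9):
        """Only call it spam when the evidence is strong; an all-unknown
        message lands near 0.5 and therefore stays in the inbox."""
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus: the kind of mail a user would have marked.
SPAM_SAMPLES = [
    "cheap viagra pills order now",
    "enlarge your size order pills today",
    "lowest mortgage rates refinance now",
    "free pills cheap prices click now",
]
HAM_SAMPLES = [
    "meeting moved to thursday please confirm",
    "can you review the patch before the release",
    "lunch tomorrow with the team",
    "please send the quarterly report by friday",
]


def train_demo():
    """Build and return a filter trained on the constructed corpus."""
    f = NaiveBayesFilter()
    for text in SPAM_SAMPLES:
        f.train(text, "spam")
    for text in HAM_SAMPLES:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = train_demo()
    for msg in ["cheap pills order now", "please confirm the meeting tomorrow", "hello there"]:
        print(f"{f.spam_probability(msg):.3f}  {f.classify(msg):4}  {msg}")
```

The smoothing and the high threshold together are what keep a personal filter usable: the comment's "5 copies in rapid fire got through, the same spam 6 hours later would've been filtered" is exactly the training loop, where the copies that leaked are marked and the next instance scores higher. The tiny corpus here separates easily; on real mail the counts run into the thousands and the same code still works, just with better-calibrated probabilities.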
Sorry, but I only speak English, could you please try again. On second thoughts, please don't try again. Ever.
Dude! That's what the toe of your steel-toed work boot is for.
I've always wondered why we don't place more responsibility on the owners of the systems that are being hacked to create spam or DDOS attacks. For an analogy, imagine that the owner of a sporting goods store refused to lock the door. Every night, someone would enter the store, steal a baseball bat, and hurt someone else with it. Sure, the thug doing the stealing and batting is wrong but so is the store owner. He would be held legally accountable (in the USA, anyway). Likewise, owners of insecure computers should also be held responsible for the harm caused by their negligence.
People have been spoofing internet addresses since man invented fire.
What's more fun is DOS attacks like this. Trojan that pings some dot com.
Make your application really cool and useful, and some dot com is fucked.
God spoke to me
Just admit defeat and shut your mail server down. You can't win, so you may as well just save yourself some frustration and withdraw from the fray completely. Let people get in touch with you some other way.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
If the spammer's father had used a Trojan, we wouldn't be having these problems now...
"Freedom means freedom for everybody" -- Dick Cheney
I've said it before, I'll say it again. I'll keep saying it until it becomes law.
Give him some webmail account that he can access over dialup from prison. Publish that email far and wide so it'll end up on every spam list in the world.
Then, tell him that once a year he'll get an email with a password that if he gives the prison guard, he can leave at any time.
This email can come in any form, with any subject heading, very likely disguised as spam. His webmail account will also have a 5Mb limit, and if the email bounces because it just happens to come when the mailbox is full, he'll have to wait for the next year.
Looking for a computer support specialist for your small business? Check out
A while ago, Microsoft said it had closed an exploit in Hotmail allowing spammers to bypass the spam checker of Hotmail. It looks like they've found another exploit, because spam is back in the inbox again.
And the funny thing is - it is so obvious that this spam could be easily deleted, either before reaching the inbox, or after. So much spam follows the same pattern, if there was a button to declare it spam, a sufficient number of claims of any specific email being spam could be cause enough for a script to then delete every instance of that message in the system.
Do these companies get money from spammers to turn a blind eye to the crap they send me?
If the internet (or email) in its present form gets to be more bothersome than useful, I have no doubt that an "improved" internet-type system will appear. Like most new computer technologies, it starts with nerds (/.), but if it is actually useful and useable enough, others will eventually get into it. Think of how fast file sharing took off - Napster (a new concept to most) was so easy and had so much to offer that even technophobic middle-agers used it. When Kazaa came around, it took no time at all to become huge, since the concept was familiar and interface simple.
GL
If what they're doing is redirecting to random compromised machines which in turn go to the real site, one method for combating them is to set up a honeypot of easily-compromised machines and wait for one or more of them to get infected by these losers' trojans. Then firewall logs (or analysis of the trojan) will reveal the real addresses being relayed.
Shouldn't we be monitoring spam anyway, building a list of source IPs, and notifying the ISPs responsible for those IPs to pass along a message to their customers to either a) stop sending spam or b) fix the holes in their machines, or c) they will be cut off from the 'net...
"Freedom means freedom for everybody" -- Dick Cheney
Just make it legal to kill spammers and loot their bank accounts and hardware afterwards. Would solve the spam problem in about a week and a half. -Mike
Immoral bastards, all of them.
;-)
At first I read that as "Imortal bastards, all of them."
Now THAT would be scary!
www.eFax.com are spammers
Why is a Polish firm releasing studies about the internet? I'm not likely to believe anything that Kiwi says about the internet.
"Anyway, long story short... is a phrase whose origins are complicated and rambling...." - Abraham Simpson
Can be found here.
About a year ago, my brother-in-law and I were working for a major drug company (drug distribution, not manufacturing). We had a strict anti-spam policy. Well, one day our network went down because a spamming company (we eventually traced it back to "hanmail", a Korean equivalent to Hotmail) was hammering us trying to get into our mail servers to send out porn. About 50,000 queued messages in the course of an hour. We couldn't understand how they could be sending so much data, but we eventually found out... They had almost an entire subnet's worth of computers hammering us! We eventually got our people back online by letting the spammer's traffic through the firewalls, and letting the mail servers do the domain blocking so it was more distributed. Also the mail servers just dropped the incoming packets, instead of denying them like the firewalls, so we didn't have nearly any outgoing... That bought us enough time to contact the ISP, get them blocked at that level, and then set up some honey-pots just to be on the safe side. It's all better now, and usually about once a week the honey-pots get hammered by a new set of spamming SOBs... C'est la vie.
Anyway, this has been going on for a while. I'm surprised there hasn't been a story earlier.
That's it. I give up.
I'm going to plow under my 1/4 acre back yard and plant a bunch of ohhhh... potatoes, corn, beans, etc.
I'll be back in a few years.
I hope this whole mess is cleared up by then.
They aren't really bothered by the mortgage-type garbage, but they are getting tons of the herbal penis and breast growth pills, porn of every kind, etc...
I volunteered to help, but I'm frightened of what I'll find. I just have visions of walking into a room full of unpatched NT4 servers...
Aaaaaaaaaaagggghggghhhgggghhh.....
*breath* *breath*
Aaaaaaaaaaaggggghhh.....
Computer Science is Applied Philosophy
That's just 450,000 M.O.s, if you ask me.
A programmer is a machine for converting coffee into code.
I've mentioned this before, but just in case you & others didn't read it, I'd like to repeat it.
I honestly think that capital punishment should be dealt out to spammers. Think about that for a second. People are used to debating about it in the context of rape, murder or other serious crimes. What makes this so different? They are literally breaking into our computers just to deliver junk that we don't want.
I would be offended if I had to unsubscribe from every spammer's list, but @ least it would be tolerable & easy enough to stay on top of things. However they aren't even allowing us to do that.
The way I see it, they are nickel & diming us every day. If we aren't allowed to defend ourselves @ their expense, then there is no real freedom. We are just slaves who are allowed to carry on a relatively normal existence.
testing out my trending skills
I won't mind as long as you don't mind when I start firing when you try to steal my computer, beat my family members or attempt to pick my pockets =]
End of Line.
I know it's been said before, but none of this would exist if everybody followed the simple idea that if you're not actively searching for a product, don't go to a given site. I have never clicked on the "punch the monkey and you can win a prize" banners or any links for any life insurance, viagra, penis enlargement, young hawt teens with farm animals, etc. links because I am not the one initiating the dialogue with the suppliers/service providers.
Death penalty for spammers? You are an idiot. What, are you 12 years old, or something?
Spamming is an increasingly aggressive business and needs to be dealt with increasing aggressiveness. It's a sad state when we can't even implement effective solutions without being strong-armed by parasites. And we all stand around with our thumbs up our butts.
Quack, quack.
I'm ready to torture one of the bastards in a week-long live-webcast
:o)
Where can I sign up to view, and how much will it cost?
Does this mean that people here are advocating for tougher penalties against *hackers*?
After all, how am I supposed to know the difference between some kid runnin Nmap and some eastern european 'spacker' (their term, not mine).
If we turn loose an internet equivalent of the Patriot act how many of us will be caught up in the witch hunt that would follow?
Instead I read how spammers easily DoS whoever ticks them off, and now the crackers are aligned with them for fun and profit. I hardly find that to be the rebellious attitude I thought made up the cracker personality.
The cracker mentality would make an interesting psych. study.
I pulled a jack move to cop this sig
How do you really *know* your computer has been compromised? I keep my A/V up-to-date. I repeatedly run it, adaware, and spybot. I use both hardware and software firewalls. I run windows xp and have turned off most everything such as messenger (both the chat tool and the net send service). I am paranoid as hell about getting cracked and someone sending crap like this through my cable. But unless one of the above programs screams at me, I really wouldn't know if I've been compromised. Zone Alarm used to catch a lot of funky crap (incoming probes) until I started using a Linksys firewall router. How do I know if I am really safe? I'm a software guy, but never really been a network guy (other than writing socket code for embedded systems). Scary stuff.
Anonymous Cowards suck.
Not just windows users, but us Linux, Mac, BSD etc. users who have to put up with spam infesting our boxes, and the ISPs transporting it all.
So, what will it take? The above article is obviously talking about a serious crime. Websites that try and infect PCs with a virus that turns them into a spam proxy. Spammers paying money to use such a system. People, this has RICO all over it. Not only does it involve hacking, but spammers are paying money to use compromised systems to spread their spam. This is a federal case. If any bigname spammer is doing this, well, we could shut them down!
Imagine the FBI busting in, confiscating their PCs, and forbidding them from using them till the case goes to trial. We hear all the time about the FBI throwing the book at people who commit small computer 'crimes'. Let's set this frothing dog loose on those who deserve it.
1) Spread this story to your ISP. Explain it to them. Crackers and spammers are in collusion. Ask for them to talk to their local FBI office.
2) If you get spam, contact the FBI yourself. Explain the above story to them. Make sure they understand. Have your friends call them about it.
3) Call your senator, tell them there are people out there who really do deserve to be locked up in jail for YEARS.
4) This is a National infrastructure issue. They're infecting computers to spread spam. I wonder what truly malicious foreign govts could do. Be sure that the FBI and your senator understand this.
http://www.nipc.gov/incident/incident.htm
If they're going to use a distributed method to spread spam and infect computers, we need to raise a stink.
Scripts such as FormMail (a script to take the input from a post, format it and send the data as an email) often do not check for proper input or malformed data. This is not a criticism of Matt's Script Archive; there's a wealth of information there and I've done good work with the examples presented therein. However, it's important to know that these are examples, freebies, and as such they may have security problems.
I bring up FormMail because there are spammers who search for old versions of this script and use it to forward spam messages out of our own server via your website. While this isn't as bad as having a compromised computer, it can still look bad to upper management who may not know the difference between spam and a virus.
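The two weaknesses old FormMail-style scripts were abused for are a form-supplied recipient field (which turns the script into a mail relay for anyone who can POST to it) and form fields copied unfiltered into mail headers (which lets a line break smuggle in extra headers such as Bcc). The handler below is an added example of the checks a hardened version makes; it is not code from the page or from Matt's Script Archive, and the allowlist, sender address and sample submissions are constructed.

```python
"""Hardened form-to-mail handler: validate a POST before it becomes a message.

Added example, not code from the page or from Matt's Script Archive. It
closes the two holes old FormMail-style scripts were abused for:
  * a form-supplied "recipient" field  -> open relay for spammers
  * unfiltered fields in mail headers  -> CRLF header injection
ALLOWED_RECIPIENTS, the From address and the sample forms are constructed.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the site owner configures the only addresses mail may go to.
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}

_CRLF = re.compile(r"[\r\n]")
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class FormRejected(ValueError):
    """Raised when a submission must not be turned into mail."""


def _header_safe(value: str, field: str, max_len: int = 200) -> str:
    """Reject any header value that could inject extra header lines."""
    if _CRLF.search(value):
        raise FormRejected(f"{field}: line break in header field")
    if len(value) > max_len:
        raise FormRejected(f"{field}: too long")
    return value.strip()


def build_message(form: dict) -> EmailMessage:
    """Build the outbound message from a form POST, or raise FormRejected."""
    # The recipient is chosen from the owner's allowlist, never by the form.
    recipient = form.get("recipient", "")
    if recipient not in ALLOWED_RECIPIENTS:
        raise FormRejected("recipient not in allowlist")

    sender = _header_safe(form.get("email", ""), "email")
    _, addr = parseaddr(sender)
    if addr != sender or not _EMAIL.match(sender):
        raise FormRejected("email: not a plain address")

    subject = _header_safe(form.get("subject", "(no subject)"), "subject")
    body = form.get("message", "")
    if len(body) > 10_000:
        raise FormRejected("message: too long")

    msg = EmailMessage()
    msg["From"] = "form-handler@example.com"   # fixed sender, not form-controlled
    msg["Reply-To"] = sender                   # visitor goes in Reply-To only
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def handle(form: dict) -> str:
    """Return the decision ('sent' or 'rejected: <reason>'); delivery is out of scope."""
    try:
        build_message(form)
        return "sent"
    except FormRejected as exc:
        return f"rejected: {exc}"


# Constructed sample submissions
LEGIT = {"recipient": "webmaster@example.com", "email": "alice@example.org",
         "subject": "Question", "message": "Hello"}
RELAY_ABUSE = dict(LEGIT, recipient="victim@example.net")          # relay attempt
HEADER_INJECTION = dict(LEGIT, subject="Hi\r\nBcc: victim@example.net")  # injected Bcc
```

The order of the checks matters: the recipient allowlist is tested first because it is the cheapest check and the one that turns the script into a relay when missing; the header checks then make sure no field a visitor controls can terminate a header line.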
You're clueless about how spam negatively impacts quality of life. What are you, a spammer or something?
In the past week or two I have "noticed" a dramatic increase in the amount of spam in my inboxes (even the accounts that I never use except for between family and friends). This tells me that there is another relationship between virus/worm writers and spammers. When a worm sends emails from tens of thousands of address books, a savvy spammer can harvest hundreds of thousands of previously unknown email addresses! I'm thinking that some of the worms that have made it around recently may have been written with that idea in mind.
I have not protected myself with anything special but I have created a couple of pretty basic filters that have done an adequate job of filtering much of the spam (whoever besides a spammer sends email with the words viagra or penis for instance). But still a lot of spam makes it past the filters and it is an amazing annoyance. But everyone knows that right?
I agree with you; Bayesian filtering is a solution whose time came long ago. It works outstandingly for me, and I've heard similar success stories from others---you, for example. However, the people most likely to let Bayes guard their inbox are the least likely to respond to spam. In other words, if more people start using Bayesian filtering, fewer people will be annoyed but you won't have much spam reduction, since you'll still have large numbers of stupid, clueless, or stupid and clueless people (and I refer to clueless people knowing that I'm clueless in many things) going unprotected.
However, that's why email programs and ISPs should have Bayesian spam filtering. In email programs, it should be enabled by default, preferably with some decent default training and prominent buttons for training the filter. The ISPs should use something like TarProxy to slow any spammers who try to spam them. The clueless and/or stupid people get protected because they don't do anything about the protection, and everybody is happy who deserves to be.
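What "Bayesian filtering" means in practice is small enough to show in full. The filter below is an added example, not code from the page or from any of the filters named in the thread: a naive Bayes classifier over word presence, with add-one smoothing so a word the filter has never seen counts neither for nor against a message. The training corpus is constructed and stands in for the "decent default training" the comment asks for; `train()` is what a "train the filter" button would call.

```python
"""A small Bayesian spam filter (naive Bayes over word presence).

Added example, not code from the page. Training messages are constructed.
"""
import math
import re
from collections import Counter

_TOKEN = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Distinct lowercase tokens; we score presence, not frequency."""
    return set(_TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = Counter()   # word -> number of spam messages containing it
        self.ham_docs = Counter()    # word -> number of legitimate messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        words = tokenize(text)
        if is_spam:
            self.spam_docs.update(words)
            self.n_spam += 1
        else:
            self.ham_docs.update(words)
            self.n_ham += 1

    def spam_probability(self, text):
        """P(spam | words), accumulated in log space so long messages don't underflow."""
        if not self.n_spam or not self.n_ham:
            raise ValueError("train on both spam and ham first")
        total = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / total)
        log_ham = math.log(self.n_ham / total)
        for w in tokenize(text):
            # add-one smoothing: an unseen word gives the same factor to both sides
            log_spam += math.log((self.spam_docs[w] + 1) / (self.n_spam + 2))
            log_ham += math.log((self.ham_docs[w] + 1) / (self.n_ham + 2))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) >= threshold


# Constructed training corpus (four spam, four legitimate messages)
SPAM = [
    "buy cheap viagra online now",
    "enlarge your penis with herbal pills",
    "cheap mortgage rates act now",
    "hot teens want to meet you",
]
HAM = [
    "meeting moved to thursday afternoon",
    "can you review my patch for the kernel driver",
    "lunch with the family on sunday",
    "the build is broken on the thursday branch",
]


def default_filter():
    """A filter pre-trained on the constructed corpus."""
    f = BayesFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    return f
```

With equal numbers of spam and ham the prior cancels, and the score is driven entirely by how many training messages of each class contained each word: "cheap herbal pills now" scores 36/37, "can we move the meeting to sunday" scores 1/33. Every message the user corrects feeds back through `train()`, which is why the filter keeps up with new vocabulary without anyone writing rules.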
From: hotstacey@yo_baby8765.com
Subject: Watch spammer die 1234xvcgt
Computer Science is Applied Philosophy
Right now I am installing and configuring bogofilter, spamassassin, and antivirus at the gateway. It's going pretty well, but it's a lot of work. At least with bogofilter, you can set up a dummy account to collect forwarded e-mail and automatically add it to the filters. The minus side is that it's a bit of work to get set up properly and catching only spam.
If you need advice, I can at least point you in the right direction (and cheap, all open source software)
All we need to do is get rid of money and the materiality and we'll mostly solve about half the world's problems, including spam/marketing/greed/corruption. Of course, it will create a few new ones, but I think things would generally be better.
Ok, now bring on all the slashdotters who think that they are all wise and shit.
Without the registrar, you can't update your DNS tables to point to the hacked machines. Domain registrars who allow such criminal activity to continue after being notified of it are directly complicit in this illegal activity and their management should be prosecuted to the fullest extent of the law.
One good example of a registrar knowingly and openly aiding and abetting in criminal activity is DomainDiscover, aka BuyDomains, for their continued support of documented criminal outfit vano-soft.biz/soft4all.biz -- not only do they host on hijacked web proxies, but the DNS servers that they use to point to these hijacked machines are ALSO themselves hijacked machines. DomainDiscover could put an end to this criminal behaviour by dropping their criminal client, but they are content instead to assist in this illegal activity. People think that I'm going overboard when I suggest that spammers be shot -- I'm not, I'm being realistic. It's the only way to get rid of them.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
This technique could also cause loops on transparent proxies, where a proxy captures the request, does a DNS lookup, and sends the request to another location with a proxy, that does the same thing, until either something kills the connection or it gets through to an unproxied address. It is common for proxies to make use of DNS lookups instead of the target IP, as they can determine if there is more than one IP available using DNS, and use the best one to make the request to.
Erik
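The loop the comment describes only happens when every proxy in the chain forwards blindly. The simulation below is an added example, not code from the page: each host the name resolves to is itself a forwarding proxy, and the defence shown is the Via-header loop check a conforming HTTP proxy makes (RFC 7230 section 5.7.1), backed by a hop limit. The proxy names and the toy DNS table are constructed.

```python
"""Loop protection for a proxy that forwards by re-resolving the request's name.

Added example, not code from the page. Simulates a chain of transparent
proxies; the host names and the name->address table are constructed.
"""


def make_resolver(table):
    """Round-robin resolver over a constructed name -> [addresses] table."""
    def resolve(name, attempt):
        answers = table[name]
        return answers[attempt % len(answers)]
    return resolve


def forward(request, proxies, resolve, via_check=True, max_hops=32):
    """Carry request from its first hop until a non-proxy host answers.

    Each proxy re-resolves request["host"] and forwards. With via_check, a
    proxy that finds its own name in the Via list refuses to forward again
    (the loop the comment describes); max_hops is the backstop for chains
    that never repeat a hop. Returns (status, hops).
    """
    hops = 0
    host = resolve(request["host"], hops)
    while host in proxies:
        if via_check and host in request["via"]:
            return (f"508 loop detected at {host}", hops)
        if hops >= max_hops:
            return (f"504 hop limit reached at {host}", hops)
        request["via"].append(host)      # the proxy adds itself before forwarding
        hops += 1
        host = resolve(request["host"], hops)
    return (f"200 delivered to {host}", hops)


# Constructed: every address the name resolves to is a proxy, so forwarding loops
ALL_PROXIES = {"spamvertised.example": ["proxy-a", "proxy-b", "proxy-c"]}
# Constructed: one real origin in the rotation, reached after a single hop
WITH_ORIGIN = {"spamvertised.example": ["proxy-a", "origin"]}
PROXIES = {"proxy-a", "proxy-b", "proxy-c"}


def send(table, via_check=True):
    """Issue one request for the constructed name through the given table."""
    request = {"host": "spamvertised.example", "via": []}
    return forward(request, PROXIES, make_resolver(table), via_check)
```

Without the Via check the request bounces until the hop limit cuts it off; with it, the third proxy sees the first one's name already in `Via` and stops after three hops. A proxy that strips or ignores `Via` loses this protection and is left with only the hop limit.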
Well now there's a thought...! Let's remove the customer's right to choose by forcing their hand because, quite honestly, we know better than the user what they need to run on THEIR computer - the one that THEY paid for with THEIR money. When we get the market sequestered we can embrace standards that are "OK" and extend them to make them better. After all - we know better what those standards need to be than the common user - and we'll rule the computer world so people will have to use our stuff.
What a great idea - what should we call our empire..? How about SoftMicro...? or LinuxSoft...?
How about we win customer support by earning it with a superior product that the customer chooses because it is simply better - and we work hard to continue to make it better and more worthy of customer migration by its very merit. A harder method but it has been done in the face of an 800lb gorilla - to wit: AMD...
A saying my father taught me: "Winners compare their accomplishments to their goals, losers compare their accomplishments to the accomplishments of others." We need to stop worrying about Microsoft and start worrying about Linux. I would rather gain customer acceptance because Linux was a great product than because Microsoft sucked. That means we only have to suck less to win - how about we just don't suck at all... Now there's a worthy goal...
To mods - yeah, yeah, Offtopic, I know
Computer Science is Applied Philosophy
As I read it, a spammer will sit at foo.com, sending messages out through one of half a million compromised machines. Doing a DNS lookup on foo.com will, in turn, yield one of half a million IP addresses.
This makes me wonder if it would be possible to look up all half a million addresses by brute force... do a reverse DNS lookup on foo.com 5 billion times, and you should have a fairly comprehensive list of everyone who's got a compromised Windows box out there... these could in turn be blacklisted.
Slashdot: where spammers sending you unwanted email are the scum of the earth, but media pirates are fighting the system of unfair prices.
It's like a dorky version of the middle east.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
Although I agree with the fact that this is not a very nice thing, trojanized computers, spam relays etc. The DNS itself is not doing anything illegal, a dynamic DNS with a round-robin which updates every 5 minutes is not illegal in itself. You can't block a DNS because it does something inventive within the boundaries set by the
Although I know that dynamic IPs for primary and secondary nameservers are not allowed in a number of countries, they are required to be static in the Netherlands and afaik Belgium. And afaik they are absolutely not allowed to be CNAME'd.
I think this is more a case of bad practice on the part of the root domain provider; if they allow people to do things like this, then this is the result.
I could rant, but won't.
'I am become Shiva, destroyer of worlds'
What happens when someone makes a legal trojan? Something like Gator but with a EULA that says "by installing this you are giving us the right to use your computer to send email". While most of us run adaware or Linux or BSD the vast sea of "end users" out there do not. What is worse is that it would be totally legal!
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
IT'S CRACKERS! Hackers are just normal computer enthusiasts like me and you. Crackers are the malicious ones. http://www.catb.org/~esr/writings/hacker-history/hacker-history-3.html
Tragek
Filtering and firewalling are fine, but users should pay *more* for these services, since they take staff time and resources to implement and maintain.
Open connections require ISPs to do nothing, therefore those connections should cost nothing.
It's kind of a no-brainer idea for ISPs to charge extra for some kind of filtering/firewalling anyway, since shedloads of lusers will wet their pants with excitement to get better "protection" and will see it as extra cost for extra value.
The FBI, Treasury and the IRS have proven track records for following the most convoluted money trails. There's really no reason why they can't trace credit card transactions and find these people.
A RICO case against them would be great; huge fines, long-ass jail sentences, and virtually anybody that as much as shared the same ashtray as these people gets to spend the next 25 years in the Federal pen.
"Colin, Donald, Karl, Paul, Condoleeza, I think the CIA's finally figured out who keeps signing up president@whitehouse.gov for all them thar porner-graphic websites."
5 minutes later, somewhere in central Poland air defense command
"Comrade Igor, I am spottink multiple very fast movink radar signatures going at mach 10, comink right at us!"
Blam-ski
Cole's Law: Thinly sliced cabbage
Well, while spamming is irritating and irresponsible but not necessarily illegal, selling "generic" equivalents of patented pharmaceuticals (whether bogus or not) and hacking people's computers are definitely illegal. Methinks it's time the law started getting serious about these people.
It Is the Nature of Information to Transgress Artificial Boundaries
Every domain listed in that Wired article resolves to 1.1.1.1 on my Verizon DSL account. Are they that clueful?
"This Wired story shows a disturbing alliance between hackers [sic] and spammers. "
If I can trouble the readers and posters of Slashdot, what does the "sic" in "[sic]" mean?
Ok, here's a question that might be totally obvious but doesn't seem to have been really asked before: isn't the fact that almost HALF A MILLION machines got broken into a punishable offence in itself? If people like Kevin Mitnick go to jail for cracking "just a few" machines, then certainly it would count as a MAJOR offence to have obtained illegal access to a number of computers that is at least several orders of magnitude higher??
;-) This is a trend that must be dealt with quickly and firmly.
If there really aren't any laws in Poland against such MAJOR abuse, then just trick them into going to the US for some "lucrative deal" and deal with them there
Ironically, I see this as a major opportunity though - basically, they have made it trivially easy to detect massive amounts of compromised machines. Just keep resolving the spamvertised domains and you should be able to find at least a few thousand machines per day. What to do with this information? You could try the legal (good) route in contacting the ISPs and/or using such machines to trace origins of the crackers. On the other hand, it might be possible to somehow 'nuke' those machines if they are still exploitable.
I've seen the idea mentioned elsewhere... basically, what MIGHT be nice is government supported blacklisting facilities. I would gladly pay e.g. $10/year if it helped stamp out most of the spamming and DDoS activities. That way, it could be made certain that the blacklisting is fair (ok, assumption) and won't be easily DDoS'ed out of existence.
I plan to plan / Dutch course in The Hague
Forgot to put plain text. However I cannot repost the same :(
:)
in plain text since slashdot has some kind of semi-intelligent filter
Anyway, my previous post contained the Whois query for bestportal.biz and the DNS query for the same domain as of today. But I think the DNS query from my linux box consistently gives me 1.1.1.1 whereas the other poster got a valid IP address when they tried accessing www.removeform.com
Needs more investigation
DO NOT PANIC
Nah. Unconstitutional, and the case would take way too long to try. What we need is a few unstable whacked-out gun nuts to get so ticked off that they go hunting for spammers. How would you like to be on the jury of those murder trials instead?
Dude, Bill Gates is paying you good money to write drivel like that, can't you use his grammar checker?
The problem is windows, its design, distribution and operation. It was never ready for the desktop and it will never be ready for the internet. It's supposed to be an "easy to use" "consumer level" OS, but keeping it up is harder than others. The machines are broken because the software they run was designed to be pushed on by third parties. The end user has no control of it and can not keep others from running code on it.
MS released a patch and it never got populated as much as it should.
This is a cop out, blaming the user for Microsoft's sucky distribution method. Microsoft only distributes its crap on CDs and CDs are dead. There's no such thing as a nice up to date network install in the M$ world, so there's no way the end user can do anything but install from a months or years old, turn everything on and rape me CD. The only way an end user could possibly get all of M$'s huge "patches" is to use ANOTHER OS, but what end user can figure out how? Computer shops can't even figure it out and Microsoft can't really keep up anyway. The diligent are getting just as burnt as everyone else, perhaps more so because Microsoft "updates" include nasty EULAs as well as break critical applications.
For every reason these things should be turned off, it's turned on.
Right, tell me why Outlook auto-executes porn spammer email again? Is it because Bill Gates wants my 2 year old girl to look at popups while my system is trojaned?
does finger pointing solve anything?
Yes it does. People are sick of the problems they have with M$. Just not being able to turn off pop-ups is bad enough. Having the senders of such garbage own your machine is much worse.
Did pointing fingers get most everyone to stop using telnet vs ssh? Did it stop people from sending sensitive data over non-ssl connections? No. Did it stop people from running daemons as root? No.
If you know someone who does these things on a non-Microsoft platform, kindly tell them why they should not. It does help and I don't know anyone who does these things anymore.
propose a solution
Dump M$. I've been M$ free for years and I'm better educated, less troubled and much happier. You don't need their shit, you are better off without it and so are the rest of us. Microsoft has proved itself unwilling or unable to fix their problems; they need to be shunned.
Friends don't help friends install M$ junk.
I think this is an opportunity to be the first virus writer to be loved by everyone with an e-mail address. A worm that eats those trojans for breakfast could reduce spam dramatically within hours. Not that I want to encourage people to do something illegal, but if you're writing it anyway, instead of deleting files this could actually be more fun.. Good luck ;)
"It's too bad that stupidity isn't painful." - Anton LaVey
How many current desktop OSs can run .exe files?
ha ha ha ha ha ha
It doesn't matter if you run as administrator since the machine can install the file without your permission.
Any preoccupation with ideas of what is right or wrong in conduct shows an arrested intellectual development. (Wilde)
Traceroute and Ping work on IP addresses. The DNS lookup happens before the traceroute or ping packets are initiated. Can you check if you consistently get different result for traceroute and for ping?
DO NOT PANIC
With enough machines compromised, the whole operation can be automated. From capturing new machines to distributing content from the captured boxes. The loser can go through an anonymizer from time to time as he starts new campaigns. You will never see him because his worms do all the dirty work.
Then again, you might catch someone. It's impossible to hook up a M$ box to the internet without it being owned. The problem will then be chasing down the thousands of people you will dig up. Go for it and tell us what you find.
Friends don't help friends install M$ junk.
Another site, hosted by the Polish group, offers free credit consultations. Traceroutes to the site, removeform.com, also provided ever-changing results, ranging from a computer connected to a DSL line in Israel to another provided by EarthLink. However, the title of the site's home page consistently read "Yahoo Web Hosting," suggesting it was actually located on a server run by the Internet giant.
Ok, so I tried:
$ dig removeform.com
[...]
ANSWER SECTION:
removeform.com. 25m5s IN CNAME bestportal.biz.
bestportal.biz. 25m6s IN A 1.1.1.1
AUTHORITY SECTION:
bestportal.biz. 55m6s IN NS dns1.name-services.com.
bestportal.biz. 55m6s IN NS dns2.name-services.com.
bestportal.biz. 55m6s IN NS dns3.name-services.com.
bestportal.biz. 55m6s IN NS dns4.name-services.com.
bestportal.biz. 55m6s IN NS dns5.name-services.com.
ADDITIONAL SECTION:
dns1.name-services.com. 1d9h11m38s IN A 63.251.163.102
dns2.name-services.com. 1d9h11m38s IN A 216.52.184.230
dns3.name-services.com. 1d9h11m38s IN A 63.251.83.36
dns3.name-services.com. 1d9h11m38s IN A 63.251.83.37
dns4.name-services.com. 1d9h11m38s IN A 64.74.96.225
dns4.name-services.com. 1d9h11m38s IN A 64.74.96.226
dns5.name-services.com. 1d9h11m38s IN A 212.118.244.163
dns5.name-services.com. 1d9h11m38s IN A 212.118.244.164
Surely looks fishy. Trying to go to that site fails, naturally. However, since I run my own DNS cache:
Oct 10 00:41:00 charon named[310]: unrelated additional info 'dns1.name-services.com' type A from [63.251.83.36].53
Oct 10 00:41:00 charon named[310]: unrelated additional info 'dns1.name-services.com' type A from [63.251.83.36].53
Oct 10 00:41:00 charon named[310]: unrelated additional info 'dns2.name-services.com' type A from [63.251.83.36].53
Oct 10 00:41:00 charon named[310]: unrelated additional info 'dns2.name-services.com' type A from [63.251.83.36].53
Oct 10 00:41:00 charon named[310]: unrelated additional info 'dns3.name-services.com' type A from [63.251.83.36].53
Oct 10 00:41:00 charon last message repeated 3 times
Oct 10 00:41:00 charon named[310]: unrelated additional info 'dns4.name-services.com' type A from [63.251.83.36].53
Oct 10 00:41:00 charon last message repeated 3 times
Oct 10 00:41:00 charon named[310]: unrelated additional info 'dns5.name-services.com' type A from [63.251.83.36].53
Oct 10 00:41:00 charon last message repeated 3 times
What they actually do seems to be poisoning people's DNS caches with the constantly changing info, since the real answer to the query is the CNAME which in turn points to 1.1.1.1. I cannot go to that site. My BIND thus protects me?
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
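The "unrelated additional info" lines are a resolver refusing to cache additional-section records that the responding server is not authoritative for: the server was asked about bestportal.biz, and address records for names under name-services.com are outside that zone (out of bailiwick), so they are discarded rather than trusted. The code below is an added example of that check, not code from the page or from BIND. The first record set is taken from the dig output quoted above (TTLs converted to seconds); the example.com control case is constructed.

```python
"""Out-of-bailiwick filtering of DNS additional records.

Added example, not code from the page or from BIND. A resolver that asked a
server about one zone should not cache address records that server volunteers
for names outside that zone; otherwise any server it queries could plant
addresses for unrelated nameservers in its cache.
"""
from collections import namedtuple

RR = namedtuple("RR", "name rtype ttl rdata")   # one resource record


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies beneath it (case-insensitive)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def filter_additional(zone: str, authority: list, additional: list):
    """Split additional records into (accepted, rejected).

    A record is kept only if it is glue for a nameserver named in the
    authority section AND its owner name lies inside the zone the responding
    server was asked about. Everything else is treated as unrelated.
    """
    ns_names = {rr.rdata.rstrip(".").lower() for rr in authority if rr.rtype == "NS"}
    accepted, rejected = [], []
    for rr in additional:
        owner = rr.name.rstrip(".").lower()
        if rr.rtype in ("A", "AAAA") and owner in ns_names and in_bailiwick(owner, zone):
            accepted.append(rr)
        else:
            rejected.append(rr)
    return accepted, rejected


def log_lines(server_ip: str, rejected: list) -> list:
    """Render refusals in the shape of the resolver messages quoted above."""
    return [f"unrelated additional info '{rr.name.rstrip('.')}' type {rr.rtype} "
            f"from [{server_ip}].53" for rr in rejected]


# Records from the dig output on the page; the answering server was 63.251.83.36
AUTHORITY = [RR("bestportal.biz.", "NS", 3306, f"dns{i}.name-services.com.")
             for i in range(1, 6)]
ADDITIONAL = [
    RR("dns1.name-services.com.", "A", 119498, "63.251.163.102"),
    RR("dns2.name-services.com.", "A", 119498, "216.52.184.230"),
    RR("dns3.name-services.com.", "A", 119498, "63.251.83.36"),
    RR("dns3.name-services.com.", "A", 119498, "63.251.83.37"),
    RR("dns4.name-services.com.", "A", 119498, "64.74.96.225"),
    RR("dns4.name-services.com.", "A", 119498, "64.74.96.226"),
    RR("dns5.name-services.com.", "A", 119498, "212.118.244.163"),
    RR("dns5.name-services.com.", "A", 119498, "212.118.244.164"),
]

# Constructed control case: in-zone glue that a resolver needs and should keep
AUTH_OK = [RR("example.com.", "NS", 3600, "ns1.example.com.")]
ADD_OK = [RR("ns1.example.com.", "A", 3600, "192.0.2.53")]
```

Run against the page's records every one of the eight A records is rejected and the resolver goes on to look up the name-services.com addresses through the proper delegation; in the control case the glue is inside example.com and is kept, because without it the delegation could not be followed at all.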
The great majority of users treat a computer as an appliance. Passive consumers of content. Meat.
Any preoccupation with ideas of what is right or wrong in conduct shows an arrested intellectual development. (Wilde)
It seems like the RIAA has figured it out, yet our public servants have yet to. If I had the authority I could waste most of the companies doing this blatantly illegal activity in a heart beat.
It's simple - follow the trail, and we're not talking needing some ancient American Indian tracker skills.
FOLLOW THE MONEY.
Step 1. Ask (demand) the five major credit card companies to set up multiple credit card numbers that have been marked as illegal tracking cards. In other words, purchases made on these cards indicate that the merchant account is for illegal activity.
Step 2. Filter through the spam (I can donate my spam right now - I get hundreds daily) and attempt to purchase anything using credit cards in Step 1.
Step 3. Demand the banks freeze funds in the merchant accounts that the credit cards have been charged to. (discontinue the use of these credit cards to avoid DOS retaliation activity).
Step 4. Profit. All frozen funds are collected for prosecution under appropriate government statutes.
Step 5 (optional). Subpoena all merchant account credit card activity and notify the credit card holders that the merchant they purchased their Viagra from is really an Al Qaida front....
The above technique is used for credit card purchases; however, I have tracked down a number of companies offering "financial" services by submitting false identities and when they call for "Harrison Fjord" I take over the conversation with some sticky questions about their SPAM policy. It takes just a few of these and you can easily track down some very dubious commercial activity.
I am perplexed. The law enforcement activity goes after Sklyarov who has quite possibly never done any harm to anyone yet they can't seem to follow the easy steps above. I could argue that the money spent going after Lamo, Mitnick and even theoretically various alleged al-Qaida could be better spent on the public good by some simple detective work.
<Ding!> Headline for the next NYT article. IT HAS BEEN ALLEGED that terrorist funding is being acquired through the illegal activity of selling organ enlargement food supplements ... All I need now is some way of delivering the message ... I know SPAM !
The theory here is quite simple. Make it difficult to make money with SPAM and the reason for SPAM will cease.
Am I missing something? Why is this such a difficult thing to do that the FBI or state law enforcement have not figured this out? Is this a violation of some constitutional right, surely they nuked most of these in the last round with the "Patriot Act"?
This is why I have huge chunks of Europe and Asia in my block lists. If ISPs don't act immediately on spam complaints, then they keep getting more and more open SMTP relays and trojaned machines in their net space. Soon, the only thing to do to stem the flood is to drop entire Class Bs into the local blocklists. I don't know if our server or any of our users can even receive email from anywhere in Poland anymore.
Great! I'll tell you, it almost makes spam fun for me. I look at my statistics and just grin at all the garbage my filter kept out of my life. "Let's see, how many spams did my filter block THIS month?" :)
However, that's why email programs and ISPs should have Bayesian spam filtering. In email programs, it should be enabled by default,
I agree 100%. I personally think they should be enabled by default both in email programs and by ISPs--of course with the option of disabling them. But the idiots won't bother to disable them so they'll be protected, and those that don't want the ISP meddling with filtering can disable it.
I agree, the spam volume won't go down until everyone--especially the idiots--starts using Bayesian, whether they make the effort to do so (doubtful) or whether they simply don't make the effort to disable it (probable).
But still, I must say... as much as I'd like to see spam stop wasting bandwidth, the most expensive aspect of spam is the time it wastes for the receiver. And Bayesian fixes that for us whether the spam is still being sent or not.
If cases like these were documented and escalated to Abuse helpdesks, that could help. Particularly if it was supplied with evidence of spam, DNS query/responses, etc. etc.
Even large ISPs would be quickly swamped by such queries. Most ISPs would still choke under the load (if they're not already).
From a technical viewpoint, ISPs are nearing their limits to deal with spam. It will take a significant change in either ISP policy (and the enforcement of it) and/or legislation to combat this situation.
Linford is on the ball. These people need jail time. Too bad ISPs don't have unaccountable black ops budgets....
We don't have to sink to the spammers' level in order to fend them off: we can fight them successfully without stooping at all.
Fighting spam is easier than it seems, and a lot more satisfying than bitching about it. I get about one piece of spam a week: I'm on so many "don't email this guy!" lists that I have to use sock-puppet addresses to get spam to fight!
Why not join the war?
Bellhead
These guys are using one of my addresses as a faked From:, so I'm getting all the bounces and it gave me a chance to look at their approach.
They seem to be using many trojaned Windows machines on DSL and cable modems, and rotate through them reasonably quickly. The email headers show that they typically announce themselves as compuserve.com or microsoft.com, but the reverse lookup of the IP addresses gives them away. I couldn't easily tell from nmap what trojan they are using.
The mail itself refers to a website that has a pretty bogus whois registration (vano-soft.biz) (phone number is +000000000 etc). The DNS trick is cute. Their nameservers (ns1.uzc12.biz..ns5) (uzc12.biz seems to be registered in the same crappy way as the other domain). All nameservers resolve to about 4 different IPs which in turn resolve the webserver name to different sets of 5 hacked servers. The DNS timeout on the nameservers is about 2 hours, the webservers are set to 120 seconds. Probably to make sure things shuffle around nicely. The nameservers are spread out enough that I have a suspicion that they are hacked as well. There might be hidden primaries to update these.
The final webservers are again most likely hacked machines and the pages do not seem to have embedded tags or trackers and rely on forms and scripts in /cgi-bin/ that probably forward the entered data a step further down the line.
All in all plenty of information to send to various abuse departments, and I'm getting an annoying but strangely intriguing view on what hoops these spammers are going through.
I've said it once and I'll say it again, Bayesian filters are the solution.
No, it's not. Filtering is merely automating "just hit delete." It still gets sent, it still travels the wires to your box, it still hits your spool.
The core argument against spam is that it shoves the costs of advertising onto the recipients. That's why we said that "just hitting delete" wasn't an acceptable answer.
Now, you're singing "Just use Bayesian to delete for you." Same spam on the wire, same hit on the spool, same copy to /dev/null -- and worse, now you're spinning extra cycles to scan the mail.
Just hit delete means you kill 1000 this month -- and 10000 a year later. I'm tired of paying for bandwidth that spammers use. I'm tired of throwing cycles at SpamAssassin to trap the spam.
Filtering is not an answer. Filtering is a bandage -- and it's one that's soaking through.
Ceci n'est pas une sig.
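The Bayesian filtering the two posts above argue over, shown as an added example rather than anything posted in the thread: a naive Bayes classifier that counts, per class, how many training messages contain each token, smooths the counts so an unseen token never produces a zero probability, and sums log-ratios so long messages do not underflow. The training corpus is constructed and tiny; the message texts, thresholds and class names are assumptions of this example.

```python
"""Naive Bayes ("Bayesian") spam filter on a constructed corpus.

Added example, not code from the thread. Messages are made up; the point is
the mechanics: per-class token presence counts, Laplace smoothing, and a
log-odds decision.
"""
import math
import re
from collections import Counter
from typing import List

TOKEN = re.compile(r"[a-z0-9$]+")


def tokenize(text: str) -> List[str]:
    """Lower-case word tokens; punctuation is dropped."""
    return TOKEN.findall(text.lower())


class NaiveBayesFilter:
    def __init__(self, alpha: float = 1.0) -> None:
        self.alpha = alpha                      # Laplace pseudo-count
        self.spam_tokens: Counter = Counter()   # token -> spam messages containing it
        self.ham_tokens: Counter = Counter()    # token -> ham messages containing it
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text: str, is_spam: bool) -> None:
        tokens = set(tokenize(text))            # presence per message, not frequency
        if is_spam:
            self.spam_tokens.update(tokens)
            self.spam_msgs += 1
        else:
            self.ham_tokens.update(tokens)
            self.ham_msgs += 1

    def _log_ratio(self, token: str) -> float:
        """log P(token|spam) - log P(token|ham), both Laplace-smoothed."""
        p_spam = (self.spam_tokens[token] + self.alpha) / (self.spam_msgs + 2 * self.alpha)
        p_ham = (self.ham_tokens[token] + self.alpha) / (self.ham_msgs + 2 * self.alpha)
        return math.log(p_spam) - math.log(p_ham)

    def score(self, text: str) -> float:
        """Log-odds that the message is spam; positive means spam."""
        if self.spam_msgs == 0 or self.ham_msgs == 0:
            raise ValueError("train on at least one spam and one ham message first")
        log_odds = math.log(self.spam_msgs / self.ham_msgs)   # class prior
        known = set(self.spam_tokens) | set(self.ham_tokens)
        for token in set(tokenize(text)):
            if token in known:                  # never-seen tokens carry no evidence
                log_odds += self._log_ratio(token)
        return log_odds

    def is_spam(self, text: str) -> bool:
        return self.score(text) > 0.0


def build_demo_filter() -> NaiveBayesFilter:
    """Constructed training corpus (four spam, four ham messages)."""
    f = NaiveBayesFilter()
    for text in ("buy cheap viagra now", "cheap pills online order now",
                 "free viagra offer click now", "order cheap meds online"):
        f.train(text, is_spam=True)
    for text in ("meeting tomorrow about the dns migration",
                 "can you review the firewall change", "lunch tomorrow?",
                 "the nameserver migration is done"):
        f.train(text, is_spam=False)
    return f


if __name__ == "__main__":
    flt = build_demo_filter()
    for msg in ("cheap viagra order now", "dns migration review tomorrow"):
        print(f"{flt.score(msg):+.2f}  {'SPAM' if flt.is_spam(msg) else 'ham '}  {msg}")
```

Presence counts rather than raw frequencies are used deliberately: with a handful of messages, one repeated word would otherwise dominate the estimate, and real deployments of this scheme retrain continuously on the user's own mail, which is what drives the "fewer recipients, less lucrative" argument in the reply below.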
That's because those same record executives give them huge stacks of money. We don't, so we don't count.
The politicians will never lean on Microsoft to secure their product for the same reason.
The best that we can hope for is a few ineffective laws that make it look like they care.
ICANN requires that domain registrants maintain accurate WHOIS information for their domain names. In the Wired article example, the domain name "removeform.com" is registered via Enom.com and the WHOIS information lists the registrant as:
Organization Name: Tablent
First Name: Karol
Last Name: Nowak
Address 1: Jasna 4
Address 2:
City: Kitrit
StateProvince: AS
PostalCode: 33-526
Country: US
Phone: +1.225322432
Fax: +1.243252224
EmailAddress: blah5@o2.pl
If this information is inaccurate (and I'm not saying it is), you may complain to the registrar. The registrar is required to enforce this accuracy and delete the domain name if the information is not corrected by the registrant.
Here is the wording from the ICANN registrar accreditation agreement (http://www.icann.org/registrars/ra-agreement-17may01.htm):
3.7.7.2 A Registered Name Holder's willful provision of inaccurate or unreliable information, its willful failure promptly to update information provided to Registrar, or its failure to respond for over fifteen calendar days to inquiries by Registrar concerning the accuracy of contact details associated with the Registered Name Holder's registration shall constitute a material breach of the Registered Name Holder-registrar contract and be a basis for cancellation of the Registered Name registration.
Unless you earn only pennies per hour, "just hitting the delete key" is the most expensive part of spam. Like I said in my original message, I agree that it would be better if it weren't sent at all. But the largest cost to me--and to SOCIETY--is the time it takes to DEAL with spam, not the bandwidth--although I don't deny the bandwidth is a cost... just not as significant as my time.
and worse, now you're spinning extra cycles to scan the mail.
Better my CPU consume some cycles than spam consume my time. My CPU is cheaper than my time.
Just hit delete means you kill 1000 this month -- and 10000 a year later.
Again, re-read my above message. In the short-term, yes. But as more and more people use filters fewer people will receive spam and even fewer will respond to it. Over time spam becomes less lucrative so there is less reason to send it.
It seems to me like you are looking for an overnight fix. There isn't one. But effective and pervasive spam filtering is a solution that keeps me from having to deal with spam on a daily basis in the short-term, and will lead to a reduction of spam when it no longer becomes profitable to send spam since everyone filters it.
It could be stopped COLD.
For months the nameservers listed in the root servers (which are also running on trojaned machines) and the websites running on trojaned machines (likely proxies) have been reported to the registrars, the operator of the *.biz root server machines and ICANN.
The article gave the example of www.removeform.com.
That resolved as an alias for the Canonical NAME bestportal.biz with nameservers ns[1-5].bubra.biz.
That has been reported to the registrars for bestportal.biz and bubra.biz (enom and domaindiscover) and the operator of the *.biz root servers (neulevel.biz) and ICANN over and over and over.
For months this has been reported to the registrars and neulevel.biz and ICANN.
Nothing was done.
Within hours of the article appearing, it seems to have been fixed - for this ONE case.
Find the nameservers for soft4all.biz in the root servers - ns[1-5].UZC12.biz. See that those are running on (lots of things ... attbi.com customers, charter in Saint Louis, RoadRunner machines, ...). See what they resolve soft4all.biz to. See what those are running on. Those haven't been outed in the media yet. For those, it is business as usual. (NOTE: for the past week or so, it seems some "activists" may be "doing something" and sometimes very few of the listed nameservers work - have they started securing some and leaving them as honeypots?).
It seems that the registrars and ICANN have one acceptable policy in the dark and another in the light of day.
changing the authoritative DNS for a zone takes a while
The first time I saw this done was using hosted nameservers. When informed, those went down.
The next time it was in the *.com domain with nameservers running on trojaned machines as well. Five or more listed. The spammer relied on at least one remaining up for a day for his spam run, for he had a new set of trojaned IP addresses entered in the *.com root servers each day.
They have switched to the *.biz domain. They run the nameservers on trojaned machines. One of the advantages the *.biz domain advertises is that the root servers can be updated in real time. I have seen the nameservers listed in the *.biz root servers change every five minutes for this operation.
In the *.biz domain, running the nameservers on trojaned machines as well, it is easy to move them at a moment's notice - well, that is if you have a registrar who, having been informed and shown the evidence that the nameservers are on hacked machines, will knowingly aid in the exploitation of those hacked machines.
For months this has been reported to the registrars and the operator of the *.biz root servers (neulevel.biz) and nothing was done.
Within hours of the WIRED article appearing, the particular case of bestportal.biz (the canonical name for www.formremove.com which was mentioned in the article) and its nameserver listing (ns[1-5].bubra.biz) was fixed.
Of course, the other reported cases (soft4all.biz with nameservers ns[1-5].UZC12.biz) about which they have been informed ... well, it is business as usual.
It appears that as long as they can get away with it, the registrars, the operator of the root nameservers and ICANN (to whom it has also been reported) are quite willing to support networks of trojaned machines.
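Both the bounce analysis earlier in the thread (web host records with a 120-second TTL rotating through sets of five compromised machines across many IP ranges) and the posts above (nameserver listings changing every five minutes) describe the same observable: DNS answers that churn far faster than any legitimate hosting needs. The script below is an added example, not the posters' code or any tool named in the thread. It takes a series of lookup results and computes the indicators a defender would watch for: how many distinct answers a name cycles through, how many distinct /24 networks they span, how often the answer set changes between consecutive lookups, and the minimum TTL. The observations are constructed (names under the .test TLD, addresses from the RFC 5737 documentation blocks), and the thresholds are assumptions of this example rather than any published standard.

```python
"""Fast-flux and nameserver-churn indicators from DNS observations.

Added example (not from the thread). Hostnames use .test and RFC 5737
documentation addresses, so nothing here names a real zone or host.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One lookup result: when it was made, what was asked, what came back."""
    ts: int                   # seconds since epoch (constructed values)
    qname: str
    rtype: str                # "A" or "NS"
    ttl: int                  # TTL in the authoritative answer
    answers: FrozenSet[str]   # IP addresses for A, hostnames for NS


@dataclass
class Indicators:
    distinct_answers: int
    distinct_prefixes: int    # distinct /24 networks (A records only)
    answer_set_changes: int   # consecutive observations whose answer set differed
    min_ttl: int
    span_seconds: int
    suspicious: bool


def _prefixes(ips: Iterable[str], bits: int = 24) -> Set:
    return {ip_network(f"{ip}/{bits}", strict=False) for ip in ips}


def analyse(observations: List[Observation], *, max_ttl: int = 300,
            min_answers: int = 5, min_prefixes: int = 3,
            min_changes: int = 3) -> Dict[Tuple[str, str], Indicators]:
    """Group lookups by (qname, rtype) and compute churn indicators.

    Heuristic (an assumption of this example): a name is suspicious when its
    TTL is short AND either the A answers rotate through many hosts spread
    over several /24s, or the NS delegation itself keeps changing.
    """
    by_key: Dict[Tuple[str, str], List[Observation]] = defaultdict(list)
    for ob in observations:
        by_key[(ob.qname, ob.rtype)].append(ob)

    result: Dict[Tuple[str, str], Indicators] = {}
    for key, obs in by_key.items():
        obs.sort(key=lambda o: o.ts)
        seen = set().union(*(o.answers for o in obs))
        changes = sum(1 for a, b in zip(obs, obs[1:]) if a.answers != b.answers)
        min_ttl = min(o.ttl for o in obs)
        span = obs[-1].ts - obs[0].ts
        prefixes = len(_prefixes(seen)) if key[1] == "A" else 0
        if key[1] == "A":
            suspicious = (min_ttl <= max_ttl and len(seen) >= min_answers
                          and prefixes >= min_prefixes)
        else:
            suspicious = min_ttl <= max_ttl and changes >= min_changes
        result[key] = Indicators(len(seen), prefixes, changes, min_ttl, span, suspicious)
    return result


def sample_observations() -> List[Observation]:
    """Constructed lookups: one fast-flux style host, one churning delegation,
    and one ordinary stable host as a control."""
    obs: List[Observation] = []
    # Web host: every 120 s a window of five addresses from a pool in three /24s.
    pool = ["192.0.2.10", "192.0.2.11", "198.51.100.20", "198.51.100.21",
            "203.0.113.30", "203.0.113.31", "192.0.2.12", "198.51.100.22"]
    for i in range(6):
        ips = frozenset(pool[(i + j) % len(pool)] for j in range(5))
        obs.append(Observation(1000 + 120 * i, "www.flux.test", "A", 120, ips))
    # Delegation: the set of five nameservers shifts every five minutes.
    for i in range(5):
        ns = frozenset(f"ns{(i + j) % 7}.flux.test" for j in range(5))
        obs.append(Observation(1000 + 300 * i, "flux.test", "NS", 300, ns))
    # Control: long TTL, same single answer every time.
    for i in range(6):
        obs.append(Observation(1000 + 600 * i, "www.stable.test", "A", 3600,
                               frozenset({"203.0.113.5"})))
    return obs


if __name__ == "__main__":
    for (name, rtype), ind in analyse(sample_observations()).items():
        flag = "SUSPICIOUS" if ind.suspicious else "ok"
        print(f"{name:18} {rtype:2} answers={ind.distinct_answers} /24s={ind.distinct_prefixes} "
              f"changes={ind.answer_set_changes} min_ttl={ind.min_ttl} {flag}")
```

In practice the observations come from repeated queries against the authoritative servers (or from passive DNS logs); the control entry matters because a legitimate CDN also returns several addresses, and what separates it from the behaviour described in the thread is the combination of short TTLs, many unrelated networks, and a delegation that moves.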
I hereby promise that if I serve on the jury when you are convicted of a crime that I will do everything in my power to find you innocent of all charges and blameless. I will convince the rest of the jury to do the same.
But only if your good work resulted in their complete and total termination.
A few hundred acts of public torture and execution of known and proven spammers will do wonders.
Being a known spammer should be known as a Darwin Award Winning category.
I doubt it. Just somebody who understands the concept of proportionality in jurisprudence.
If the police are entirely corrupt, and the army is fighting abducted kids on dope, don't expect any enforcement of internet licences!
However, the threat of declaring war on Poland if they don't get this guy and hang him by the balls in a public place, might get something done about the case in hand.
Spammers are winning.
:)
The battle, yes, but not the war.
By playing dirty like this they force us to play dirty as well.
I suggest that the always-eager-to-serve antispam vigilantes simply set up a network to do DDoS against all the trojan proxies. Remember, they run Windows and they will crash/die if you blast them with a few Gbit/s of evil traffic. Sure, it'll hurt the legitimate owners of those computers but after all it's their own fault by allowing the trojans onto their systems in the first place. Maybe they'll learn and fix their machines. If not, they are quickly taken off the net - for our safety.
With this we both remove these proxies, hurt the spamvertizers and prevent the proxies from being used for DDoS against RBLs and similar! - Not a bad outcome at all!
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
...attacking spammers on their home turf and playing "dirty" in order to impede or stop their work. I've recently met some people who do both telemarketing and spam, and it would be trivial to put them out of commission technically speaking. So start already! :P
No problem. As long as you're not trying to sell me something :)
This isn't really news, irc haxerz have been mass owning people's machines for years and using them for DDoS, proxies, and probably all other types of things .. I wonder when they will start using it to crack md5 passwords? Some kids claim to own thousands and thousands of machines, blackhat seti networks would rule .. with the proliferation of new users, it's a lot easier to plant backdoors .. that no virus scanner [should] catch ...
If you're interested in facts I'll tell you what they are and I'll give you sources - Chomsky on The Big Idea
Hiding known file extensions is not, in and of itself, a problem. Think about it: under such an environment, the very appearance of extensions such as .txt and .jpg - which are known extensions! - should raise a red flag with respect to the file in question.
- White Knight of the Order of Mihoshi Enthusiasts
A student of mine just e-mailed me: "I just read the article on invisible hosting, and must say, that in my opinion, it will open up a floodgate of new problems and ideas. I can't wait for somebody to take advantage of utilizing invisible hosting in combination with P2P programs. I'd like to see the RIAA control that one. Ed"
The right way to implement this is to have a carrier who has a clue and lets you use your Internet connection as a real full-scale internet connection, but has most kinds of world-to-user connections blocked by default and a friendly web menu for users to turn ports on and protocols if they want. Depending on hardware choices, this may be something you implement at the ISP's router, or may be something you implement at the customer premises equipment (cable modem or DSL box) -- the CPE approach scales better for performance, but sometimes you want to block things at the big end so that attackers don't flood your narrow DSL pipe or neighborhood cable segment.
That way you can get the best of both worlds - freedom to use your system to its fullest capacity, including applications that your ISP hadn't thought of in advance, but relative safety because most people don't turn things on that they don't understand, so broken applications and operating systems are kept protected behind firewalls unless there's a good reason to enable them.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks