Slashdot Mirror


Spammer DDoS-By-Virus On spamhaus.org

McDutchie writes "Steve Linford of Spamhaus announced in a press release that the latest Wintel virus, W32/Mimail-E, was created by spammers for the specific purpose of DDoS'ing Spamhaus, Spamcop, and SPEWS. It's becoming more and more clear that the spambags are the ones behind the recent mess with the Windows viruses. They must really be getting desperate."

38 of 568 comments

  1. I like this one better... by jollis · · Score: 5, Interesting

    I like this NANAE post by Steve Linford much better. Especially the last paragraph.

  2. How to make the services more spamproof by Ed+Avis · · Score: 3, Interesting

    So how about using Bitkeeper or Freenet or Gnutella to distribute spam blacklists and other information?

    --
    -- Ed Avis ed@membled.com
  3. Spammers and the future of E-Mail by jlemmerer · · Score: 4, Interesting

    First they spam us and now they even infect us with viruses... when will it ever stop?
    I don't really get it: while spam is increasingly annoying (although I use a highly customized spam assassin filter I still get about 10 unwanted mails), writing viruses is plainly illegal. But what's the reason for DDoS'ing these sites? The only way to fight the spam is to use mail filters. If people want one they have to customize it themselves to make it actually work.

    If the spam keeps increasing as fast as it has in the past few years, the future of mail will be dark... here is my vision: (behold!) you will have a "buddy" list of friends or coworkers similar to instant messaging services such as ICQ and MSN Messenger and only mails from "trustworthy" origin get actually forwarded to your mailbox. not so cool, is it? but imho it's the only way not to have to delete several dozens of spam a day. (and what annoys me most -> i sometimes accidentally delete mails from friends because they are hidden underneath masses of spam.)

    yours
    johannes

    --
    ".Sig Stealer" was here
    1. Re:Spammers and the future of E-Mail by SenseiLeNoir · · Score: 4, Interesting

      BLATANT Conspiracy theory, I know, but with the current situation (SCO, MS, etc) who knows.

      - Current Virii spread most effectively via MS email products.

      - Said products COULD have been "fixed" a long time ago.

      - Features that SHOULD have been incorporated into Outlook (prevent external IMG in HTML email, selective Scripting disable, etc) are implemented by other vendors = profit for said vendors.

      - MSN hotmail = spam magnet. Solution = MSN 8 = profit.

      - more Virii & Spam = more attraction towards centralised email & buddy listing; Largest of which = MSN.

      - moving towards a Microsoft "internet"??????

      hmmmmmmmm

      --
      Have a nice day!
  4. unfortunately untouchable by grosa · · Score: 3, Interesting

    it goes without saying that this is pretty sleazy, but unless they are idiots, whoever wrote this is probably sitting somewhere overseas. so, unfortunately we can bitch all we want about it being illegal, because no one is going to do anything about it.

    time to continue using spamassassin. it works pretty much 100% for me. it's not really the most ideal solution (the ideal solution being saving the bandwidth used by spam by not allowing delivery), but it does save the man-time in trashing spam.

  5. Here's the article by l0wland · · Score: 5, Interesting
    Looks like the site is getting /.-ed. So in case it's down, here's the article:

    Spammers Release Virus to Attack Spamhaus.org

    A new virus released by spammers on Saturday 1st November is infecting computers worldwide, and this time the purpose of the virus is to attack www.Spamhaus.org. The W32.Mimail.D virus is the latest in a string of viruses, each one released by spammers for the purpose of creating a vast worldwide zombie network of spam-sending machines and building an attack network consisting of hundreds of thousands of virus-infected zombie machines with which the spammers then attack anti-spam organizations.

    W32.Mimail.D is designed to infect computers worldwide causing them to each begin making overwhelming amounts of bogus requests to Spamhaus.org's web server, www.spamhaus.org, and also attacks the web servers of www.spamcop.net and www.spews.org.

    Spamhaus began coming under massive distributed Denial of Service (dDoS) attacks in July 2003, soon after the release of the SoBig.E virus and the Fizzer virus (W32.HLLW.Fizzer). In June Spamhaus stated that spammers had now moved from simple spamming through open proxies to actually manufacturing and sending out viruses to create a network of spam proxies, infecting hundreds of thousands of mainly home-user machines on broadband (ADSL) lines.

    Fizzer (W32.Fizzer-A) in particular is a very wide-spread worm which spreads by emailing itself to contacts in Microsoft Outlook and Windows address books. The purpose of Fizzer is to install a miniature web server and a DoS attack tool, specifically for attacking anti-spam organizations. In August and September 4 anti-spam systems were forced into closure under overwhelming dDoS attacks that hit them for weeks at a time.

    Spamhaus itself was subjected to the same intense dDoS attacks for 3 months but survived thanks to its large distributed network capable of absorbing the attacks. Still, expecting more attacks, and with still no intervention by Law Enforcement, in mid September we moved the Spamhaus web site behind an anti-dDoS device known as iSecure supplied by Melior CyberWarefare Defence (www.ddos.com) and can therefore now withstand the waves of dDoS attacks.

    --

    "Honey, I feel a certain distance between us..." "Really? A 31ms ping ain't that bad..."
  6. Re:They're annoying by phaze3000 · · Score: 5, Interesting

    Except, of course, that part of SpamAssassin's checks are to use the 'antispam registries' you are complaining about.

    Quite frankly, with the current volumes of spam it is impractical to try and run a mailserver for more than a few thousand users without some form of blocklist or having extremely deep pockets. The problem with SpamAssassin is that it actually increases the load on one's mail servers - a variety of checks have to be run on every single mail. By contrast, using a blocklist means that spam can be rejected before the DATA stage, reducing the load on the server, and the bandwidth consumed by spam.

    --
    Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
  7. Spammers getting framed? by Wrathie · · Score: 2, Interesting

    I don't think anyone can be that stupid... Uhh.... hmm. Nevermind.

  8. Poor grandpa by aardwolf204 · · Score: 5, Interesting

    Recently my cable internet service was suspended. Upon calling tech support I was transferred to the fraud and abuse department, you can imagine the look on my face. The techie told me that my access had been suspended because a computer on my network was infected with the welchia worm. The techie was kind enough to even provide me with the MAC address of the offending machine. I was surprised because my mixed network of 10, linux and windows machines, is kept up to date with the latest security patches. After checking all 10 machines I found that none of them had the mac address supplied by the techie. Upon further investigation of my DHCP logs I found that my WiFi network, SSID free_as_in_beer had its first visitor. I left it open because I believe in free access and wanted to see if anyone interesting would enter the network. Unfortunately the mysterious computer was not logged in so I could not send a net send message to it, and it seems that the person would connect infrequently. I asked my neighbors and couldn't find the individual so I was forced to employ WEP encryption. Now I've got chalkings outside my apartment just in case someone with any bit of knowledge wants a free ride, but my point, yes I actually had one, thanks for reading was that I feel bad for grandpa and grandma with their 2000 model compaq connected directly to the cable modem for emailing the grandkids. I was fortunate enough to convince the ISP that my network had been secured and I was granted access again, they on the other hand have few options. Then again this is a good thing for repair guys that make house calls, but between gator (or whatever its called now) and all the other crap out there I think they're busy enough.

    I only wish that I could keep my WiFi up without WEP for my neighbors or anyone walking by without exposing myself to risk of internet connection termination.

    Have any other slashdotters had similar experiences, or suggestions. Thanks.

    --
    Im dreaming ofa big bndwdth, That can resist the /.crowd.May ur days b merry & bright & may al
    1. Re:Poor grandpa by gad_zuki! · · Score: 5, Interesting

      >I only wish that I could keep my WiFi up without WEP for my neighbors or anyone walking by without exposing myself to risk of internet connection termination.

      Print up some business cards with the WEP key. Hand them out to people you trust.

      Control outbound port 25 connections via your firewall. Allow only port 80 from untrusted clients. etc. It's not *that* hard. There are linux distros set to do this using an old 286 if need be. If you want to give it away you will need a robust firewall. Think of it as a digital condom.

  9. Two part plan by glassesmonkey · · Score: 4, Interesting

    Maybe it's a 1-2 punch type approach.
    Step A - release virus to DDoS on blacklist maintainers ...(DNS/blacklist/etc has to be re-routed until virus passes)
    Step B - while blacklists are down, send out massive spam campaign or more virus-type spam

  10. I'm glad that the spammers did that... by rediguana · · Score: 4, Interesting

    I'm being serious here...

    Haven't the authorities shown a propensity for going after malicious software writers, particularly viruses and worms, whilst completely ignoring spam? By writing malicious software, haven't they just attracted a whole lot more attention from law enforcement than they would otherwise have got?

    Good on them I say - I think we could do with more law enforcement attention on these sort of people!

    Of course it doesn't deny the impacts on those being attacked, nor covers the international aspects of spam. But with more countries creating explicit laws to deal with hacking and misuse of computers, the more dodgy spammers might start getting what they deserve - a good ass-pounding in prison!

    1. Re:I'm glad that the spammers did that... by Steve+B · · Score: 2, Interesting
      And sorry to say this, but it is IMPOSSIBLE to make "Spam" illegal because no two people can agree on what it is.

      Nonsense. No two people agree about the precise boundary between marketing and fraud, and yet the latter is illegal. No two people agree about the maximum safe speed on a given stretch of road, and yet there are speed limits.

      The law often boils down to picking some arbitrary boundary in the middle of the gray area and then treating it as the black-and-white frontier.

      --
      /. If the government wants us to respect the law, it should set a better example.
  11. No good news here by heironymouscoward · · Score: 4, Interesting

    Anyone who believes that this is the desperate act of a dying species is woefully wrong. Spammers used to be somewhat naive technologically, but the last year or two has seen a consolidation of spammers with virus writers and in essence the battlelines between the "good" and the "bad" users of the Internet have never been so well drawn as now.

    A symptom of all evolving systems, natural or artificial, is that parasites will take advantage of easy opportunities. In nature, this battle has been a fundamental force for evolution and change. I don't see why it should be different in the Internet, which largely behaves like a natural system.

    Here is an analysis of the subject by an expert on the matter (oh, it's ME?!). Bottom line: as long as the Internet is built on predictable defined structures (protocols and gateways), it will be heavily parasitized. What we see today is only a warmup. The solution is to find ways of evolving the structures of the Internet faster than the parasites can evolve.

    This problem won't go away through wishful thinking - we need to understand what is actually going on. Heck, this discussion is moot: if my theory is correct, self-modifying defensive systems will happen exactly as the parasites have evolved: because this is what happens in natural systems.

    I just trolled myself. Damn.

    --
    Ceci n'est pas une signature
    1. Re:No good news here by Reziac · · Score: 2, Interesting

      [goes off, reads Expert Journal] ;)

      Okay, since parasites also get parasites... how about a parasite that attaches itself to and debilitates spam?

      Seriously, might that be doable/practical?? Obviously there are "vaccination" issues (you can't go invading every user's PC "for their own good") but how would one make such a parasite species-specific, so it would only feed off spammers?

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  12. An eye for an eye, a minute for a minute by matfa · · Score: 5, Interesting

    An eye for an eye, a minute for a minute;

    Well, say spammers send their messages to 2 million recipients, and each spend, on average, 10 seconds reading and deleting said spam. That comes out at 231 days of _completely wasted_ life. Life that can never be given back to whoever lost it.

    Even worse, since that's time spent awake, it's more like a year of real time. Say the spammer sends 100 such spams, he would then have _wasted_ an entire lifetime. We can thus, by the "An eye for an eye, a minute for a minute" rule, confiscate the rest of his life!

    There's the argument you requested!

    cheers,
    m

  13. Bayesian filtering by dido · · Score: 4, Interesting

    I've been using SpamAssassin's Bayesian filtering features to get rid of my spam for good. I've turned off SpamAssassin's use of any of the antispam sites like spamhaus, spews, and spamcop, mainly because some of them have been foolish enough to sweep such a wide net that turning on use of these sites causes SpamAssassin to filter legitimate mail that comes from my own domain! (that's what I get for living in a country whose ccTLD is run by a brain-damaged registrar...) I've been running almost totally on Bayesian filters after having trained them carefully for a month, and have thus far had zero false positives and false negatives. I mainly keep the spam around to further strengthen the training of my filters and for occasional entertainment value. Those Nigerian scams can be really funny sometimes, you know. :)

    These blacklists could go away tomorrow and my Bayesian filters will only keep getting better and better at weeding out the spam. In my experience, these antispam sites are actually more part of the problem than the solution, because they filter more mail than they should.

    --
    Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
  14. Re:They're annoying by Nogami_Saeko · · Score: 5, Interesting

    Spamassassin is great for ISPs and other companies that need rule-based spam checkers that are sort of "generic".

    For personal filtering, nothing beats a good bayesian filter. I use POPFile myself and it's approaching 99% accuracy and I _LOVE_ it.

    Spam very, very rarely makes it past, and if it does, it's the generic "check out this site" type message with no other information. Even spammers trying this technique aren't having much success as I'm seeing less and less of it (maybe 1 or 2 messages a month make it past the filters).

    The next step in anti-spam evolution will be spam-scanning software that automatically follows links back to webpages and looks for "spammy" content and tags the message as spam in the email system.

    For those out there that haven't tried a bayesian form of filtering yet, give POPFile a try: (http://popfile.sourceforge.net/). Just be sure to read the instructions.

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  15. Legislation and TLD's by Anonymous Coward · · Score: 1, Interesting

    I see this becoming more and more prevalent as the restrictions against spam increase and the filtering methods become more advanced.

    A while back (could be 12 months+) we were discussing the new TLD's coming through. It seems obvious to me that we could fix the spam issue with TLD's. So it's illegal to spam with the new laws, but there is a legitimate business case to spam as some people will buy stuff from the spammers (see dating thread a few days ago).
    With a TLD of *.spm (or something unique to mass mailing) we could allow spammers to legitimately send out their campaigns, while allowing easy filtering. If you send mass mail from a non-spm domain then that's where the new laws come in.

    There is a similar argument for p0rn sites. Stick them all on an *.xxx domain; as they all say their "clients" knowingly want access and are not out to catch the unsuspecting child.

    Either that, or someone writes a virus that gets the spammers IP's from these lists and DOS's them back.

  16. Re:Quick to judge by melonman · · Score: 4, Interesting

    I don't like spam, but I have to admit that the thought of someone seriously inconveniencing SPEWS doesn't upset me too much.

    Our server ended up on their blacklist despite never having sent a spam, because someone else in the 16-bit IP range had. 16 bits, that's up to 65K machines with maybe half a million users...

    Our machine is in a server park. Of course spammers operate from such places. The SPEWS argument that you block thousands of innocent users to get at one guilty one is just plain immoral, and, at least in my case, has the effect of making me opposed to any centralised anti-spam measures, whereas previously I would have been favourable.

    If it ever happens again, I'll buy myself a clean SMTP server, or find another solution, but the one thing I'm never going to do is contact my ISP (who, incidentally, enforces a strict anti-spam policy), because I object on principle to being dictated to by people who treat my company's reputation as 'collateral damage' as part of their quixotic campaign.

    As for the 'change ISP every three weeks' advice, that just isn't a viable option when you have a few dozen domains, many of them interacting with third party mail filtering, Exchange servers etc.

    If SPEWS dropped that one policy of punishing the innocent in an attempt to get at the guilty, it would have my support. Until then, I expect SPEWS to continue to alienate the people who should be on the anti-spam campaign's side.

    --
    Virtually serving coffee
  17. Re:Not really... by Illbay · · Score: 2, Interesting
    I, for one, am sick of admins--wherever they might be--with overly lenient spam-hosting accommodations.

    So there.

    --
    Any technology distinguishable from magic is insufficiently advanced.
  18. Re:Quick to judge by Indy1 · · Score: 4, Interesting

    more than likely, your hosting service refused to act on spam complaints, and spews kept escalating the listing until the whole /16 got nuked (would you indulge my curiosity and tell me what /16 you're on? I'm willing to bet it's a major spam haus). Spews wasn't trying to get that one spammer only, it's trying to beat some sense into your hosting service by bitch slapping them. You are collateral damage.

    Changing isps every 3 weeks isn't viable, but when you pick isps in the first place, do your homework.
    Pick a good one once, and you're very unlikely to ever have to worry about Spews. The reason why Spews is a problem for you is because a LOT of mail admins including me use it. Spews itself IS NOT your problem, it's your isp that's the problem for refusing to deal with spammers on their network. We collectively have decided that when a major isp refuses to deal with their spam problem, that we'll refuse to deal with them. And you're caught in the middle.

    Hypothetically, if Spews ever died, you'd have far worse problems. Why? For example, I HEAVILY firewall off large isps that have major spam problems, you should see my ruleset for blocking. Not counting the geographic bans, it's at 944 entries, and each entry drops a /24 at a minimum, with most entries taking out a /16 to /20. And I know I am not the only one doing this.

    Now imagine your isp starts harboring a spam gang (ala Verio or C&W) and blatantly lies and refuses to get rid of the spammers despite all complaints. This quickly gets noticed in NANAE, and mail admins will start dropping that entire hosting service into their deny lists and firewalls. Good luck EVER getting out of 1000's of firewalls and deny lists. At least you can get off Spews if your isp cleans up.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  19. Re:Great News! by pchown · · Score: 5, Interesting

    Have a look at the Terrorism Act 2000 (the latest UK anti-terrorist legislation). It's getting close... If the DoS attack can be said to be for the purposes of intimidating supporters of anti-spam legislation, they are probably caught.

    By section 56, someone directing an organisation carrying out such a DoS attack is liable to life imprisonment.

  20. Re:I highly doubt a consparicy by swb · · Score: 4, Interesting

    Unfortunately, I think we have 10-20 more years before we start to see really efficient policing of the Internet. Laws and law enforcement agencies need to be changed and they need time to learn how to efficiently handle electronic crime.

    What I think we'll end up with is one of two things:

    (1) The internet largely hobbled by draconian rules, regulations and laws and left unusable except for EDI among large corporations. Think of "national security", "public morality" and "piracy" as the reasons here.

    (2) The "internet" still exists, but most people connect through "super ISPs" that filter, process and protect their users. Unlike AOL, they actually will be responsible for protecting PCs connected to their networks.

  21. Re:Spam is dying by Eggplant62 · · Score: 4, Interesting
    Seriously, I've been getting less spam lately thanks to filters. Sure, it's not gone entirely, but it's a lot less of a hassle than it used to be. I sure hope this is a sign of things to come... If they're this desperate to stop anti-spammers, they gotta be in their throes of death.


    No, I cannot concur here. In the last two weeks, I've noticed that the reject rate on my filters has gone up by a surprising amount. I use a custom access table, backed up by several RBL lookups done by postfix, with SpamAssassin on the backend to catch anything that does make it through the initial gauntlet.

    Looking back through my logs, I've only got three weeks saved, but here's the breakdown of rejects for each week:

    Week ending Oct 18 - 122
    Week ending Oct 25 - 250
    Week ending Nov 1 - 214
    0400 Yesterday through now - 37

    Note that I'm seeing hits on addresses that have never existed here, i.e. webaster@$mydomain (yes, the spelling mistake in webaster is theirs, not mine), spammers_lie@$mydomain (non-deliverable, harvested from my usenet posts), mers_lie@$mydomain (trying to remove the obfuscation I might have put in), and now I'm seeing the idiots try to get their crap through by using a non-existent address, john@$mydomain, as the "mail from:" value to attempt to get their crap through.

    Yes, they've become so desperate that criminal methods aren't below them. All the filtering that's being done has lowered their response rates to where it's no longer as profitable as it used to be. Of course, the mindset of these idiots is that they'll just crank out the spam all that much harder, in all that much more quantity, in order to get the rates back up to something manageable. Of course, it's beyond them to think that if people are no longer interested in their pitches, they might check employment opportunities at the local McDonald's, as that might be a more lucrative situation for them.
  22. Re:They're annoying by 0x0d0a · · Score: 2, Interesting

    Quite frankly, with the current volumes of spam it is impractical to try and run a mailserver for more than a few thousand users without some form of blocklist or having extremely deep pockets. The problem with SpamAssassin is that it actually increases the load on one's mail servers - a variety of checks have to be run on every single mail. By contrast, using a blocklist means that spam can be rejected before the DATA stage, reducing the load on the server, and the bandwidth consumed by spam.

    I'd rather just say "no CC/BCC lists above 30 people" and make it a part of the spec. A maximum bandwidth usage amplification of 30:1 means that if network usage *really is* that expensive, the spammer gets screwed an acceptable percentage of that amount (or ISP who is letting spammers send gigs and gigs of email).

    That takes care of bandwidth concerns on the server side.

    The question then is the cost of "human time" of skimming through it, which affects the *client*, not the mail server operator. I claim that client-side filtering is currently the best way (as opposed to server-side blocklists or filters) to handle this -- it lets people set their *own threshold* on what they want to see and use whatever filters they like best. I happen to be partial to SpamAssassin, but folks can use whatever is best for them.

    Also, *advisory* server-side filtering may be a useful service for ISPs to provide, where emails are tagged with "POTENTIALLY-SPAM" or similar, instead of just dropped. Then, if the client desires, he can filter in whatever manner he so prefers.

    Frankly, in the end, we're going to wind up with whitelisting anyway, though. Other approaches just leave things open to attack. My only concern is that the whitelisting return an appropriate "can't send" response, rather than something hacked up that just bounces the mail.

  23. Whitelists and Degrees of Separation by Presence1 · · Score: 2, Interesting

    Consider the consequences of universal use of whitelists.

    Spam initially becomes almost completely ineffective (good), and it becomes difficult to contact people initially without an introduction.

    So, how do we solve the problem of contacting someone who does not have my address on their whitelist, e.g., a researcher who just published something of interest?

    We'd need to start a way of traversing overlapping "buddy networks". This may spawn something like the 'Six Degrees of Separation' experiment/game, as in "I need to get this message to Mr. X, could you please forward it to someone who might be closer to him?".

    This could have interesting social consequences. Increasing bonds by increasing communications and traded favors? Increasing annoyance among friends? I don't think spam could penetrate such a filter, since it would have to convince multiple people that it is a genuine message.

    Thoughts?

  24. Re:They're annoying by archeopterix · · Score: 2, Interesting
    The next step in anti-spam evolution will be spam-scanning software that automatically follows links back to webpages and looks for "spammy" content and tags the message as spam in the email system.
    Dear dumbass:

    That would let the spammer know your email address is active.

    Not if done at the ISP level.
  25. Re:They're annoying by muixA · · Score: 2, Interesting

    To me, your argument sounds like trolling.

    SPAM on my 6 year old email address exceeded 200 messages a day, a few of which regularly made it past Spam-Ass. The moment I changed my MX to use blacklists (both Dynamic IP and known-open relay), SPAM throughput dropped by at least 40%. And as others above have pointed out, without tweaking, SPAM-Ass uses RBLs.

    I would love for there to be a clean solution to this, but there presently isn't one. I'd rather see a few rejects a minute, than waste CPU and bandwidth tagging a message for the user...

    As long as the cost of SPAM is borne by the recipient, or recipient's ISP, things will continue to get worse.

    DJB had a suggestion here:
    http://cr.yp.to/im2000.html

  26. SPEWS is *slow* to judge by frankie · · Score: 5, Interesting
    despite never having sent a spam, because someone else in the 16-bit IP range had.
    [...]
    my ISP (who, incidentally, enforces a strict anti-spam policy)

    These two statements are mutually contradictory. But first, a reminder that SPEWS is not Not NOT representative of mainstream anti-spam blocklist providers. Both SpamCop and SpamHaus use narrow targeted blocklists. Furthermore, the real responsibility for your blocked email lies with the recipient postmaster who chose to use the SPEWS list. Their server, their rules. You could call them and ask to be whitelisted.

    According to best evidence, SPEWS always starts with an abuse complaint email and a /32 blocklisting. If further spam arrives at their address(es?) the listing expands to /28, /24, etc, until either the spammers are removed or the entire ISP is listed. In order to reach /16, your ISP must have ignored SPEWS and retained its spammers for a long Long LONG time.
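
The escalation described in the post above, worked through as an added example (not code from the thread or from SPEWS). It shows at which step an uninvolved host in the same /16 becomes listed. The addresses are constructed, the function names are hypothetical, and the /20 and /16 steps are assumed, since the post only says "/28, /24, etc".

```python
import ipaddress

# Prefix lengths of each escalation step. /32, /28 and /24 come from the
# post; /20 and /16 are assumed steps standing in for its "etc".
STAGES = [32, 28, 24, 20, 16]


def escalation_path(offender_ip, stages=STAGES):
    """Return the listed network at each escalation step for one offender."""
    return [
        ipaddress.ip_network(f"{offender_ip}/{prefix}", strict=False)
        for prefix in stages
    ]


def first_listing_covering(host_ip, offender_ip, stages=STAGES):
    """Return the first (narrowest) listing that covers host_ip, or None."""
    host = ipaddress.ip_address(host_ip)
    for network in escalation_path(offender_ip, stages):
        if host in network:
            return network
    return None


def collateral_by_stage(offender_ip, stages=STAGES):
    """For each step: (listing, number of listed addresses other than the offender)."""
    return [
        (str(network), network.num_addresses - 1)
        for network in escalation_path(offender_ip, stages)
    ]


# Constructed sample addresses in private space.
OFFENDER = "10.20.30.77"          # host the complaints are about
SAME_RACK = "10.20.30.70"         # neighbour a few addresses away
OTHER_CUSTOMER = "10.20.200.5"    # unrelated customer of the same provider

if __name__ == "__main__":
    for listing, others in collateral_by_stage(OFFENDER):
        print(f"{listing:<18} also lists {others} other addresses")
    print("same rack listed at:     ", first_listing_covering(SAME_RACK, OFFENDER))
    print("other customer listed at:", first_listing_covering(OTHER_CUSTOMER, OFFENDER))
```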

  27. Re:They're annoying by Rasta+Prefect · · Score: 2, Interesting
    But they aren't. They're run by people who think it is a good idea to blacklist entire datacentre netblocks because one guy was running a vulnerable formmail, and once blacklisted getting off the blacklist is often nearly impossible because they seem to want everything up to, and including, stone tablets carved by the hand of God as proof that the problem has been dealt with.

    Not all block lists are the same. The only one I can think of off hand that displays the above behavior is SPEWS. And they don't blacklist entire datacenter netblocks just because one guy was running a vulnerable form mail. For that they would block one IP. They expand to netblocks when emails to abuse@ about the problem go unheeded and the problem doesn't get fixed. So in short, if you want to stay off SPEWS get yourself an ISP/Hosting Provider that actually responds to abuse complaints.

    DNSBLs who just list specific IP's are ineffective. Why? Because pink contract providers just move their spammers around. SPEWS works on a form of social pressure - forcing the ISP's to actually deal with their spammers. Personally, I feel this is an acceptable tactic, and use SPEWS. If you don't like it, don't use it. If someone doesn't want to accept your email because it comes from a "spammy" netblock, that's their choice, not yours.

    --
    Why?
  28. Re:They're annoying by mjh · · Score: 2, Interesting
    Everyone in the world must jump through the painful, non-functioning hoops of whitelisting...

    Just out of curiosity, what about whitelisting do you think is non-functional? I've been using a program that, among other things, is an automated whitelist management program. It's called TMDA and it works fantastically. There are other similar programs.

    I'm just curious as to why you think whitelisting is non-functional.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
  29. Whitelisting may be the only sollution by Erik+Hensema · · Score: 2, Interesting

    But not whitelisting as we know it.

    Think about it: most spam comes from cable and adsl connected machines. dynablock.easynet.nl is trying to block each and every dynamic IP on earth, effectively making it a whitelist of static and therefore blockable IP's.

    One could even take this one step further: blacklist the entire internet and whitelist known mailservers. Getting out of that should be easy, but not so easy that a spammer could do it automatically. And when you're spamming from a whitelisted IP, the IP is blacklisted again for, say, 1 week. Then it can be whitelisted again, but when you're spamming again, then it's blacklisted for a month.

    The hard part of such a whitelist is: where do you start? I think it would be sensible to start out by simply tagging mail originating from blacklisted IP's. Early adopters can then whitelist each and every IP they expect mail from. After a while a sufficiently small amount of mail will be tagged by the blacklist, so it can be used to start blocking with it.

    If we only could convince each and every postmater on earth to use such a system, it could be very, very useful.

    Meanwhile, please use Dynablocker. It can really help making h4x0red boxes useless as a spam source.

    --

    This is your sig. There are thousands more, but this one is yours.
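The default-deny scheme proposed in the comment above, sketched as an added example (not part of the original post and not code from Dynablocker or any real DNSBL). The class and method names are hypothetical, "a month" is taken as 30 days, and offences after the second are assumed to stay at the one-month penalty.

```python
from datetime import datetime, timedelta

# Penalty ladder from the comment: one week, then one month on a repeat.
# Assumptions: "a month" is 30 days and later offences stay at the last rung.
PENALTIES = [timedelta(weeks=1), timedelta(days=30)]

class DefaultDenyList:
    """Hypothetical default-deny list: every IP is listed unless whitelisted."""

    def __init__(self, enforce=False):
        self.enforce = enforce     # False = tag-only rollout, True = block
        self.whitelisted = set()
        self.offences = {}         # ip -> spam reports so far
        self.banned_until = {}     # ip -> time before which re-listing is refused

    def request_whitelist(self, ip, now):
        """A mail server asks to be whitelisted; refused during a penalty."""
        if now < self.banned_until.get(ip, datetime.min):
            return False
        self.whitelisted.add(ip)
        return True

    def report_spam(self, ip, now):
        """Spam from a whitelisted IP: delist it and start the next penalty."""
        if ip not in self.whitelisted:
            return None
        self.whitelisted.discard(ip)
        n = self.offences.get(ip, 0)
        self.offences[ip] = n + 1
        self.banned_until[ip] = now + PENALTIES[min(n, len(PENALTIES) - 1)]
        return self.banned_until[ip]

    def verdict(self, ip):
        """What a receiving mail server does with mail from this IP."""
        if ip in self.whitelisted:
            return "accept"
        return "reject" if self.enforce else "tag"

def demo():
    """Constructed timeline for one server (192.0.2.10 is a documentation IP)."""
    ip, t0, dl = "192.0.2.10", datetime(2003, 11, 1), DefaultDenyList()
    log = [dl.verdict(ip), dl.request_whitelist(ip, t0), dl.verdict(ip)]
    log.append(dl.report_spam(ip, t0 + timedelta(days=2)) - t0)    # 9 days
    log.append(dl.request_whitelist(ip, t0 + timedelta(days=5)))   # False
    log.append(dl.request_whitelist(ip, t0 + timedelta(days=9)))   # True
    log.append(dl.report_spam(ip, t0 + timedelta(days=10)) - t0)   # 40 days
    return log

if __name__ == "__main__":
    print(demo())
```

Constructing the list with `enforce=True` models the later phase the comment describes, where mail from non-whitelisted IPs is rejected instead of tagged.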

  30. SPAM good for (Inter)National (Cyber)Security by Moblaster · · Score: 3, Interesting

    Spammers spend a tremendous amount of time and energy cracking systems, setting up zombies, getting around barriers of all sorts. The reason why is because they have a financial incentive to do so.

    If security through obscurity is an intellectually bankrupt concept, then the spam industry innovates security knowledge like no other.

    The fact is that spammers not only save work for the script kiddies, they help the NSA, CIA, FBI, KGB... as well as IBM, MSFT, SYMC...

    Think of them as parasites that feed off our collective ignorance, and you'll see what a useful cleansing function they serve in the greater ecosystem.

  31. Re:They're annoying by berzerke · · Score: 2, Interesting

    ... like Bayesian filtering as well, though it needs to be smarter about the insertion of HTML comments in the middle of words (Viagra), punctuation (V'i'a'g'r'a), additional spacing (V i a g r a), etc. to get around the latest bag of tricks.

    I'm seeing a different tactic to get around the Bayesian filtering. I've noticed large sections of text, totally unrelated to the product being sold in the body of the spam message, i.e. parts of books (I recognized Dracula in one), space shuttle reports, etc. The spammers are trying to flood the message with non-spam text in order to slip by the filtering. It's most certainly an arms race out there, and there's no end in sight.

    That's why I feel the next step should be creating filters that automatically follow the links. Let's DDOS the web sites. This costs the spammer more money in bandwidth (it's not free; perhaps the monthly limit could be hit real quick and the website taken down for a month), and perhaps will prevent someone who would buy (which just encourages them) from being able to get to the site. Of course, this wouldn't stop joe jobs. :(
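The three obfuscations named in the quoted text above (HTML comments inside a word, punctuation between letters, extra spacing) can be undone before a Bayesian filter tokenizes the message. The following is an added example, not part of either post and not taken from any particular filter; the function names and sample strings are constructed for illustration.

```python
import re

HTML_COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
HTML_TAG = re.compile(r"<[^>]+>")
# Four or more single letters, each separated by exactly one filler character:
# "V i a g r a", "V'i'a'g'r'a". The minimum length keeps "I am a fan" intact.
SPLIT_WORD = re.compile(r"\b(?:[A-Za-z][\s'.\-_*]){3,}[A-Za-z]\b")
WORD = re.compile(r"[a-z0-9]+")

def naive_tokens(text):
    """Tokenize the raw message body, as a filter without normalization would."""
    return WORD.findall(text.lower())

def normalize(text):
    """Undo comment insertion, tag markup and letter splitting."""
    # Comments are deleted without leaving a space so the halves rejoin.
    text = HTML_COMMENT.sub("", text)
    # Other tags become a space so adjacent words are not glued together.
    text = HTML_TAG.sub(" ", text)
    # Collapse a split word by dropping everything that is not a letter.
    return SPLIT_WORD.sub(lambda m: re.sub(r"[^A-Za-z]", "", m.group(0)), text)

def tokens(text):
    """Tokenize after normalization; this is what the classifier should see."""
    return WORD.findall(normalize(text).lower())

# Constructed sample bodies, one per obfuscation plus an innocent control.
SAMPLES = [
    "Buy Via<!-- k3 -->gra now",
    "V'i'a'g'r'a",
    "cheap V i a g r a here",
    "I am a fan",
]

def compare():
    """Return (sample, naive tokens, normalized tokens) for each sample."""
    return [(s, naive_tokens(s), tokens(s)) for s in SAMPLES]

if __name__ == "__main__":
    for sample, before, after in compare():
        print(repr(sample), before, after)
```

Normalization only restores the token the spammer tried to hide; it does nothing about the padding with unrelated book text described in the comment, which has to be handled by the classifier itself.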

  32. Bluebottle was DDosed off the net.. by msimm · · Score: 2, Interesting

    They were a great free email service ('whitelist') similar to the TMDA system.

    I see quite a few posts suggesting that spammers are getting desperate, but brazen seems more appropriate. They are shutting down some of our most effective anti-spam tools and there seems nothing we can do about it. To me that looks more like they're winning.

    --
    Quack, quack.
  33. Re:Actually, This Could Be Good by mabu · · Score: 2, Interesting

    If spammers are really behind these virii, and we're able to verify it, then it is probable that even the blind and computer-ignorant gov. offices, like FBI, or whoever, will eventually get the same info others have.

    You would think so, wouldn't you?

    The problem is spammers have been breaking federal laws since the beginning of the Internet. Hijacking a mail relay has never been legal -- it's a felony. Ever heard of anyone getting jail time for a flood ping even though it is illegal?

    It's interesting. You can DDOS an entire network into the stone age, interrupting commerce and costing tons of money and lost productivity, but if you put up a web site selling a tobacco pipe, you'll get 10 years in jail. Ask Tommy Chong.

  34. Re:How spammers will get around C-R by mjh · · Score: 2, Interesting

    Well, if you use TMDA, you can configure it to avoid what you're talking about. With TMDA, it can detect whether or not an email was sent in response to an actual email that you sent. If so configured, then any challenges that you get from someone will only be delivered to your mailbox if you actually sent the original email. If a spammer, right now, sends an unsolicited challenge to my mailbox, I'll never see it.

    So, exactly the contrary to what you're saying. The more widespread the use of C/R like TMDA, the less effective your suggestion will be.

    --
    Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.