Slashdot Mirror
Spammer DDoS-By-Virus On spamhaus.org
McDutchie writes "Steve Linford of Spamhaus announced in a press release that the latest Wintel virus, W32/Mimail-E, was created by spammers for the specific purpose of DDoS'ing Spamhaus, Spamcop, and SPEWS. It's becoming more and more clear that the spambags are the ones behind the recent mess with the Windows viruses. They must really be getting desperate."
I like this NANAE post by Steve Linford much better. Especially the last paragraph.
So how about using Bitkeeper or Freenet or Gnutella to distribute spam blacklists and other information?
-- Ed Avis ed@membled.com
First they spam us and now they do even infect us with viruses... when will it ever stop?
I don't really get it, while spam is increasingly annoying (altough i use a highly customized spam assassin filter i still get about 10 unwanted mails) writing viruses is plainly illegal. But what's the reason for DDoS'ing these sites? The only way to fight the spam is to use mail filters. if people want one they have to customize it themselves to make it actually work.
If the spam keeps increasing as fast as it has in the past few years, the future of mail will be dark... here is my vision: (behold!) you will have a "buddy" list of friendy or coworkers similar to instant messaging services such as ICQ and MSN Messenger and only mails from "thrustworthy" origin gets actually forwarded to you mailbox. not so cool, isn't it? but imho its the only way not to have to delete several dozens of spam a day. (and what annoys me most -> i sometimes accidentially delete mails from friends because they are hidden underneath masses of spam.)
yours
johannes
".Sig Stealer" was here
it goes without saying that this is pretty sleazy, but unless they are idiots, whoever wrote this is probably sitting somewhere overseas. so, unfortunately we can bitch all we want about it being illegal, because noone is going to do anything about it.
time to continue using spamassasin. it works pretty much 100% for me. it's not really the most ideal solution (the ideal solution being saving the bandwith used by spam by not allowing delivery), but it does same the man-time in trashing spam.
"Honey, I feel a certain distance between us..." "Really? A 31ms ping ain't that bad..."
Except, of course, that part of SpamAssassin's checks are to use the 'antispam registries' you are complaining about.
Quite frankly, with the current volumes of spam it is impractical to try and run a mailserver for more than a few thousand users without some form of blocklist or having extremely deep pockets. The problem with SpamAssasin is that it actually increases the load on ones mail servers - a variety of checks have to be run on every single mail. By contrast, using a blocklist means that spam can be rejected before the DATA stage, reducing the load on the server, and the bandwidth consumed by spam.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
Recently my cable internet service was suspended. Upon calling tech support I was transfered to the fraud and abuse department, you can imagine the look on my face. The techie told me that my access had been suspended because a computer on my network was infected with the welchia worm. The techie was kind enough to even provide me with the MAC address of the offending machine. I was suprised because my mixed network of 10, linux and windows machines, is kept up to date with the latest security patches. After checking all 10 machines I found that none of them had the mac address supplied by the techie. Upon further investigation of my DHCP logs I found that my WiFi network, SSID free_as_in_beer had its first visitor. I left it open because I believe in free access and wanted to see if anyone interesting would enter the network. Unfortunatly the mysterious computer was not logged in so I could not send a net send message to it, and it seems that the person would connect infrequently. I asked my neighbors and couldnt find the individual so I was forced to employ WEP enchrption. Now I've got chalkings outside my apartment just incase someone with any bit of knowledge wants a free ride, but my point, yes I actually had one, thanks for reading was that I feel bad for grandpa and grandma with their 2000 model compaq connected directly to the cable modem for emailing the grandkids. I was fortunate enough to convince the ISP that my network had been secured and I was granted access again, they on the other hand have few options. Then again this is a good thing for repair guys that make house calls, but between gator (or whatever its called now) and all the other crap out there I think they're busy enough.
I only wish that I could keep my WiFi up without WEP for my neihgbors or anyone walking by without exposing myself to risk of internet connection termination.
Have any other slashdotters had similar experiences, or suggestions. Thanks.
Im dreaming ofa big bndwdth, That can resist the
Maybe it's a 1-2 punch type approach. ...(DNS/blacklist/etc has to be re-routed until virus passes)
Step A - release virus to DDoS on blacklist maintainers
Step B - while blacklists are down, send out massive spam campaign or more virus-type spam
I'm being serious here...
Haven't the authorities shown a propensity for going after malicious software writers, particularly viruses and worms, whilst completely ignoring spam? By writing malicious software, haven't they just attracted a whole lot more attention from law enforcement than they would otherwise have got?
Good on them I say - I think we could do with more law enforcement attention on these sort of people!
Of course it doesn't deny the impacts on those being attacked, nor covers the international aspects of spam. But with more countries creating explicit laws to deal with hacking and misuse of computers, the more dodgy spammers might start getting what they deserve - a good ass-pounding in prison!
Anyone who believes that this is the desperate act of a dying species is woefully wrong. Spammers used to be somewhat naive technologically, but the last year or two has seen a consolidation of spammers with virus writers and in essence the battlelines between the "good" and the "bad" users of the Internet have never been so well drawn as now.
A symptom of all evolving systems, natural or artificial, is that parasites will take advantage of easy opportunities. In nature, this battle has been a fundamental force for evolution and change. I don't see why it should be different in the Internet, which largely behaves like a natural system.
Here is an analysis of the subject by an expert on the matter (oh, it's ME?!). Bottom line: as long as the Internet is built on predictable defined structures (protocols and gateways), it will be heavily parasitized. What we see today is only a warmup. The solution is to find ways of evolving the structures of the Internet faster than the parasites can evolve.
This problem won't go away through wishful thinking - we need to understand what is actually going on. Heck, this discussion is moot: if my theory is correct, self-modifying defensive systems will happen exactly as the parasites have evolved: because this is what happens in natural systems.
I just trolled myself. Damn.
Ceci n'est pas une signature
An eye for an eye, a minute for a minute;
Well, say spammers send their messages to 2 million recipients, and each spend, on average, 10 seconds reading and deleting said spam. That comes out at 231 days of _completely wasted_ life. Life that can never be given back to whoever lost it.
Even worse, since that's time spent awake, it's more like a year of real time. Say the spammer sends 100 such spams, he would then have _wasted_ an entire lifetime. We can thus, by the "An eye for an eye, a minute for a minute" rule, confiscate the rest of his life!
There's the argument you requested!
cheers,
m
I've been using SpamAssassin's Bayesian filtering features to get rid of my spam for good. I've turned off SpamAssassin's use of any of the antispam sites like spamhaus, spews, and spamcop, mainly because some of them have been foolish enough to sweep such a wide net that turning on use of these sites causes SpamAssassin to filter legitimate mail that comes from my own domain! (that's what I get for living in a country whose ccTLD is run by a brain-damaged registrar...) I've been running almost totally on Bayesian filters after having trained them carefully for a month, and have thus far had zero false positives and false negatives. I mainly keep the spam around to further strengthen the training of my filters and for occasional entertainment value. Those Nigerian scams can be really funny sometimes, you know. :)
These blacklists could go away tomorrow and my Bayesian filters will only keep getting better and better at weeding out the spam. In my experience, these antispam sites are actually more part of the problem than the solution, because they filter more mail than they should.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
Spamassassin is great for ISPs and other companies that need rule-based spam checkers that are sort of "generic".
For personal filtering, nothing beats a good bayesian filter. I use POPFile myself and it's approaching 99% accuracy and I _LOVE_ it.
Spam very, very rarely makes it past, and if it does, it's the generic "check out this site" type message with no other information. Even spammers trying this technique aren't having much success as I'm seeing less and less of it (maybe 1 or 2 message a month make it past the filters).
The next step in anti-spam evolution will be spam-scanning software that automatically follows links back to webpages and looks for "spammy" content and tags the message as spam in the email system.
For those out there that havn't tried a bayesian form of filtering yet, give POPFile a try: (http://popfile.sourceforge.net/). Just be sure to read the instructions.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
I don't like spam, but I have to admit that the thought of someone seriously inconveniencing SPEWS doesn't upset me too much.
Our server ended up on their blacklist despite never having sent a spam, because someone else in the 16-bit IP range had. 16 bits, that's up to 65K machines with maybe half a million users...
Our machine is in a server park. Of course spammers operate from such places. The SPEWS argument that you block thousands of innocent users to get at one guilty one is just plain immoral, and, at least in my case, has the effect of making me opposed to any centralised anti-spam measures, whereas previously I would have been favourable.
If it ever happens again, I'll buy myself a clean SMTP server, or find another solution, but the one thing I'm never going to do is contact my ISP (who, incidentally, enforces a strict anti-spam policy), because I object on principle to being dictated to by people who treat my company's reputation as 'collateral damage' as part of their quixotic campaign.
As for the 'change ISP every three weeks' advice, that just isn't a viable option when you have a few dozen domains, many of them interacting with third party mail filtering, Exchange servers etc.
If SPEWS dropped that one policy of punishing the innocent in an attempt to get at the guilty, it would have my support. Until then, I expect SPEWS to continue to alienate the people who should be on the anti-spam campaign's side.
Virtually serving coffee
more then likely, your hosting service refused to act on spam complaints, and spews kept escalating the listing untill the whole /16 got nuked (would you indulge my curiousity and tell me what /16 your on? I'm willing to bet its a major spam haus). Spews wasnt trying to get that one spammer only, its trying to beat some sense into your hosting service by bitch slapping them. You are collatoral damage.
/24 at a minimun, with most entries taking out a /16 to /20. And I know i am not the only one doing this.
Changing isps every 3 weeks isnt viable, but when you pick isps in the first place, do you homework.
Pick a good one once, and your very unlikely to ever have to worry about Spews. The reason why Spews is a problem for you is because a LOT of mail admins including me use it. Spews itself IS NOT your problem, its your isp thats the problem for refusing to deal with spammers on their network. We collectively have decided that when a major isp refuses to deal with their spam problem, that we'll refuse to deal with them. And your caught in the middle.
Hypothetically, if Spews ever died, you'd have far worse problems. Why? For example, I HEAVILY firewall off large isps that have major spam problems, you should see my ruleset for blocking. Not counting the geographic bans, its at 944 entries, and each entry drops a
Now imagine your isp starts harboring a spam gang (ala Verio or C&W) and blatantly lies and refuses to get rid of the spammers despite all complaints. This quickly gets noticed in NANAE, and mail admins will start dropping that entire hosting service into their deny lists and firewalls. Good luck EVER getting out of 1000's of firewalls and deny lists. At least you can get off Spews if your isp cleans up.
Lawyers, MBA's, RIAA? A jedi fears not these things!
Have a look at the Terrorism Act 2000 (the latest UK anti-terrorist legislation). It's getting close... If the DoS attack can be said to be for the purposes of intimidating supporters of anti-spam legislation, they are probably caught.
By section 56, someone directing an organisation carrying out such a DoS attack is liable to life imprisonment.
Unfortunately, I think we have 10-20 more years before we start to see really efficient policing of the Internet. Laws and law enforcement agencies need to be changed and they need time to learn how to efficiently handle electronic crime
What I think we'll end up with is one of two things:
(1) The internet largely hobbled by draconian rules, regulations and laws and left unusable except for EDI among large corporations. Think of "national security", "public morality" and "piracy" as the reasons here.
(2) The "internet" still exists, but most people connect through "super ISPs" that filter, process and protect their users. Unlike AOL, they actually will be responsible for protecting PCs connected to their networks.
No, I cannot concur here. In the last two weeks, I've noticed that the reject rate on my filters has gone up by a surprising amount. I use a custom access table, backed up by several RBL lookups done by postfix, with SpamAssassin on the backend to catch anything that does make it through the initial gauntlet.
Looking back through my logs, I've only got three weeks saved, but here's the breakdown of rejects for each week:
Week ending Oct 18 - 122
Week ending Oct 25 - 250
Week ending Nov 1 - 214
0400 Yesterday through now - 37
Note that I'm seeing hits on addresses that have never existed here, i.e. webaster@$mydomain (yes, the spelling mistake in webaster is theirs, not mine), spammers_lie@$mydomain (non-deliverable, harvested from my usenet posts), mers_lie@$mydomain (trying to remove the obfuscation I might have put in), and now I'm seeing the idiots try to get their crap through by using a non-existent address, john@$mydomain, as the "mail from:" value to attempt to get their crap through.
Yes, they've become so desperate that criminal methods aren't below them. All the filtering that's being done has lowered their response rates to where it's no longer as profitable as it used to be. Of course, the mindset of these idiots is that they'll just crank out the spam all that much harder, in all that much more quantity, in order to get the rates back up to something manageable. Of course, it's beyond them to think that if people are no longer interested in their pitches, they might check employment opportunities at the local McDonald's, as that might be more a more lucrative situation for them.
[...]
my ISP (who, incidentally, enforces a strict anti-spam policy)
These two statements are mutually contradictory. But first, a reminder that SPEWS is not Not NOT representative of mainstream anti-spam blocklist providers. Both SpamCop and SpamHaus use narrow targeted blocklists. Furthermore, the real responsibility for your blocked email lies with the recipient postmaster who chose to use the SPEWS list. Their server, their rules. You could call them and ask to be whitelisted.
According to best evidence, SPEWS always starts with an abuse complaint email and a /32 blocklisting. If further spam arrives at their address(es?) the listing expands to /28, /24, etc, until either the spammers are removed or the entire ISP is listed. In order to reach /16, your ISP must have ignored SPEWS and retained its spammers for a long Long LONG time.
Spammers spend a tremendous amount of time and energy cracking systems, setting up zombies, getting around barriers of all sorts. The reason why is because they have a financial incentive to do so.
If security through obscurity is an intellectually bankrupt concept, then the spam industry innovates security knowledge like no other.
The fact is that spammers not only save work for the script kiddies, they help the NSA, CIA, FBI, KGB... as well as IBM, MSFT, SYMC...
Think of them as parasites that feed off our collective ignorance, and you'll see what a useful cleansing function they serve in the greater ecosystem.