Another Worm Targets Anti-Spam Sites
kevinvee writes "Yahoo! is reporting about the next battle of Spam Houses versus Spamhauses. This time, it's W32/Mimail-L receiving the attention. "It's the third Mimail variation to come after us, except this one is trying to do more," said Steve Linford, founder of The Spamhaus Project. Apparently this reincarnation comes as an attachment offering naked photographs. Once infected, a follow-up e-mail is sent to the user stating that a CD containing child pornography will be delivered to their postal address. "These guys write trojan (viruses), they carry out DDOS attacks and they get their money through selling stolen credit cards and spamming," Linford said."
What we need to do is find out the physical addresses of these nice individuals and try to reason with them using advanced negotiation tools, such as baseball bats and tire irons.
Viral software licensing is not freedom, it is in fact GNU/Socialism.
Apparently this reincarnation comes as an attachment offering naked photographs.
Yeah... apparently, people are still STUPID enough to open these things. Does ANYONE out there still believe you can get "100% free porn, just click here!" from some sleazy, unsolicited email that just redirects you to a credit card entry, despite the "free"?
I guess so...
WHAT? Who? Where? These viruses don't use some security exploit. They get the user to run the attachment... plain and simple. If the user runs a file, that is no one's fault but the user's.
The fact that when opened this software is allowed to execute code, crawl through the address book, copy itself and send itself out to others is a fault with the system.
I've never had a problem when opening an attachment with Mutt.
Trolling is a art,
The virus installs a DDOS zombie that attacks Spamhaus. It's not that Spamhaus got infected.
There's a term for a coalition engaged in the act of making money through the use of intimidation and illegal acts: organized crime.
The spammers are exactly the same as the mafia.
This is America, damnit. Speak Spanish!
This would scare the living daylights out of my mother if she were infected by this trojan/worm.
I think part of the problem with computer security nowadays is that home users believe that anything is possible. Computers are still far too mysterious to the average user; I'll bet you dimes to dollars many users will think this CD mailing scare is real. Unless email and antivirus vendors do something to educate home users, what's to stop the next virus from saying "open this attachment or we'll send illegal merchandise to your door?"
Spammers, even benign ones, thrive on the naivety of home users. I still haven't received my cheque from Bill Gates and Walt Disney Jr...
Great idea!
Now try to find a team of lawyers that can successfully prosecute such a case in Romania, China or Russia!
These sorts of scams generally do not originate in places like the US or UK.
Conformity is the jailer of freedom and enemy of growth. -JFK
As others have pointed out, this attack vector isn't per se the software that user is running. The attack vector is the user, the old PEBKAC (Problem Exists Between Keyboard and Chair), which has been showing up as the resolution to many tickets in our trouble ticket system.
The problem is no matter what we do, we can't prevent our users from shooting themselves in the foot. We rename attachments (.exe becomes _exe). We deny .com, .pif, .bat, tell them to keep their anti-virus software up to date, don't run strange attachments, and still we get this. At least we have started running all our outbound mail through AV scanning, and that cuts down on a bunch of the crap, but we still can't keep them from going "ooh shiny...." Click!. Until our users figure out that the computer is a little more difficult to use than their VCR (I don't want to get started on ease of use/convenience vs security etc.. but when was the last time you played a movie, and you DDOS'd M$), and they actually need to be mindful of what they use/do on it, "bad people" will always be able to do bad things.
Then again these users are the same people that would call up the phone company complaining of $600+ phone bills to the Caribbean, etc... When you ask them if they have downloaded any programs that offer free "porn" they get all defensive, etc... A quick look at their computer shows tons of those dialer type apps that are making the equiv of 900 (in the US) type calls overseas, and they don't realize it.
For the record, my users would be the users of the ISP that I admin for...
To E-mail me, replace the first period in my domain with an @
The interesting thing is that for Spam to make any sense, it has to get people to pay real money. Thus any profit making Spam will give away a payment trail. So, if I may ask why in the world no authority goes after whoever sells through SPAM?
Standard answers:
1) They will move offshore
(my reply, yes, but how will they get a payment if not through Visa/Amex/MC or other major intl institution)
2) There will be "false positives"
(I am not so sure about this one. One line of thought is that punishment may be directed to the profit coming from a Spam event, so if innocent sites make money w/out Spam they won't be very hurt. For instance, say spammers send Spam in the name of Amazon.com -- amazon might need to forfeit extra sales attributed to unusual traffic/sales in that period, attributable to the action of Spammers, if they bighugeenlargement.com doesn't have any traffic normally, they should be blown out of the water)
3) Costs of enforcement will be too high
Perhaps. But what are governments for? If OKOKRIM can worry about persecuting 15 year old computer wizards, and the DoD can worry about persecuting a 66 year old dictator, why can't someone go after Mr. Joe Spammer and his clients?
Whoever buys an expensive paca will pay dearly for the paca.
Rationally, I think the only way around it is to attack the economics of spam, as has been suggested by many much smarter than me.
When you talk about changing the economy of spam, you are talking about creating scarcity with regard to communication by taxing it. I couldn't disagree more with the suggestion that we must restrict communications in order to solve the spam problem. We demand that outfits such as the RIAA learn to adapt in a world where communication is profligate and free. How can we, in good conscience, recommend that communication be restricted in an area where our personal convenience and comfort is concerned, and not in another, where someone's multimillion dollar industry is concerned? If we think freedom of information is a good thing, we must be consistent in that belief.
who are those slashdot people? they swept over like Mongol-Tartars.
Hey guys,
Just something to think about: This article talks about spammers along with references to not only spam, but destruction of anti-spam, virii, pornography, theft, identity theft, and child pornography. The only way they could really make spammers look any worse is if they labeled them as baby rapists.
While it could be true, it's beginning to sound like propaganda, intending to make these guys look more Evil than life. Think about the article's motivation, author, and target audience. Be careful, there may be something more going on than what we see on the surface.
~D http://www.dracosoftware.com
This sig has been enciphered with a one-time pad. It could say almost anything.
Somebody else's bad for modding your original post "+1 Insightful" :-)
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
That's not the only way to change the economics of spam. Simply put spammers exist because the rate of return on investment is very high. We have to change that economic principle somehow, there really is no argument there. There are many suggestions on how to do this, taxing is just one of them. Heck everyone pretending to reply is another one, which forces the spammer to follow many false leads. There are many, but something must be done to make spamming more expensive.
The problem with that is that most spammers' websites are hosted on innocent ISPs' machines. After all, when someone pays for a web site the ISP doesn't know what it will be used for. The site only has to stay live for a few days for the spammers to make money. By the time the ISP has twigged and shut it down the spammers have moved on to the next ISP to sucker.
The simplest rule when it comes to all forms of scams:
Never give money to someone who initiates contact with you.
I've had the ACLU call me on the phone. I am 99% sure that they are legitimately from the ACLU, but I won't give them a single digit of my credit card, because THEY CALLED ME.
I kindly informed them that I would go to their (secure) website and make a donation. Of course the person calling me doesn't get their commission or whatever, but I'm following the rule.
Please consider making an automatic monthly recurring donation to the EFF
The problem of spam is not caused by the freedom of email, any more than murder is caused by the availability of knives and other weapons. It is too easy for technically-minded people to see spam as a technical problem, which is to be solved by replacing the existing mail system with something more restrictive. However, the spam problem is not spontaneously generated by the mail system, just as knives do not go around murdering people. Spamming, like murder, is a human action that certain humans choose to engage in.
It is, of course, useful to use technology to make harmful actions more difficult. Locking up valuables makes theft more difficult; hiring bodyguards makes assassinations more difficult. However, we do not pretend that technology should make theft or murder impossible, or that the world should be transformed into a padded cell so that everyone is technologically prevented from doing anything wrong. Instead we deter and punish crime through education and law enforcement. Technology can reduce the likelihood and impact of harmful human actions, but we cannot use it as a replacement for social responses.
Regardless of whether particular legislatures have passed laws which specifically address spam, we recognize spamming as a lawless and criminal endeavor. Spammers co-opt the property of others against the will of the property owners. (Note that this is worse than simply using that property without permission.) Just as gangs protect their core unlawful enterprises with further crimes such as murdering rivals and bribing police, spammers have come to use cracking, viruses, and DDoS to protect their core activity. Structurally, spam is just like other sorts of lawless action which we see as the proper jurisdiction of law enforcement rather than technological kludgery.
There is no shortage of evidence, gathered from public sources and fully admissible in court, that particular spammers are engaged in criminal actions such as the above. Contrary to common belief, these spammers are not in "third-world nations"; they are in Western nations such as the USA, Canada, and the UK -- nations which have broadly functional legal systems, and nations whose Internet users are the chief recipients of spam as well. Volunteers have already carefully collected this information in the Registry of Known Spam Operations. What is needed is twofold: (1) Funding for law enforcement to go after the known criminal enterprises; (2) Further litigation by major victims of spam, such as large ISPs, against those who are victimizing them.
The problem with that is that most spammers' websites are hosted on innocent ISPs' machines.
The objective isn't a DOS, it's to salt their data. If 99 out of 100 'orders' are fakes with invalid cc numbers, their transaction costs will go up and their profitability will plummet.
The other alternative is to track them down and burn them alive.
Neither of the above is desirable since mistakes will be made and innocents will be put out of business or killed. The desirable solution is to throw them in jail and fine the hell out of them after they are found guilty in a fair trial. However, vigilante action is the natural consequence when the law fails to take action.
What a GREAT idea. Fight Spam by committing a federal offence. You can laugh at the foolish spammers from prison.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Never. .biz is a good token for my bayesian filter. I guess the sleazy sound must attract spammers like moths to a flame.
I tell you, this is the most compelling argument I've ever heard for a redundant TLD.
It's their DATA that's valuable. The data that unsuspecting knuckleheads willingly provide is what they make their money from. Flood their data with garbage so they can't tell the real from the bogus and their entire database becomes effectively useless.
I'd actually go one step further. A Racketeering-Influenced Corrupt Organization.
> The spammers are exactly the same as the mafia.
But on that, I must dissent. The Mafia has a long and storied history of providing everything from illicit booze, prostitution, sports gambling, lotteries with better payouts than the government-run lotteries, duty-free liquor and cigarettes, financial assistance to those with whom banks will not deal, as well as a full range of soft and hard drugs.
Unlike spammers, the mafia provides things that people actually want.
I think you've missed the profit model of spam. You need to recognize the difference between the spammer and the merchant. Two different businesses, with two different objectives.
The spammer makes money by selling bulk-email services to merchants. $100 dollars for 1 million emails, that sort of thing.
The merchant spends his money for this advertising, hoping to get the promised 1% (or .1% or whatever) of responses to pay for it.
It's very important to see that the spammer gets his money regardless of whether or not the merchant makes money. The spammer stays in business. As for the merchant? The spammer certainly does not care.
There are hundreds of small businesses started each day by out-of-work ex-employees, drones tired of their McJobs, etc. They each have an idea of how to Get Rich Quick, if only they could get their message out. "I know, I'll hire a spammer!" After using up their advertising budget on spam and getting 0 returns, they fold up and go back to McWork. But another hundred try the same thing tomorrow.
All this project will do is inconvenience and annoy these suckers who were so stupid as to give a spammer their money. While you might consider it their karmic punishment for hiring spammers, you are only giving them more crap to do while they're busy going out of business. But they're going out of business regardless, because they spent their ad budgets on spam instead of a legitimate medium. They aren't going to be repeat spam customers anyway. The spammers' profits don't come from repeat customers. They come from duping this never-ending supply of rubes.
Poisoning the merchants' databases will not adversely affect the spammers, nor do I believe it will slow the tide of spam. If it makes you happy to drive the point home with these stupid merchants, fine, just don't fall into the illusion that it will have much of an effect.
John
Further litigation by major victims of spam, such as large ISPs, against those who are victimizing them.
... so you won't see the equivalent of NY AG Elliot Spitzer's action against the mutual funds.
Nice idea, but. The new federal "anti-spam" legislation specifically removes private "right of action" against spammers. That is, victims can't sue. All they can do is complain to the federal government, which can act - or not - in its own way and time. It also pre-empts states from passing anti-spam laws stricter than the Fed's.
What more evidence do we need that certain dominant elements among the Majority leadership are in favor of economic rape by any means, of any resource?
"with their freedom lost all virtue lose" - Milton
I disagree.
If hiring a spammer means 0.1% valid responses and 1% invalid responses, then the merchants will eventually catch on and stop hiring the spammers. At some point, this ratio gets so small that it's not worth advertising.
Sure, this may take some time and some merchants, but eventually it will work its magic.
In other words, this law is just like the other laws this current set of jackasses has come up with:
Clean Air Act and Clear Skies Initiative gives free rein to industry to pollute as much as it wants with no ill consequence.
USA PATRIOT Act is the most unpatriotic and authoritarian piece of legislation since the Alien Sedition Acts, possibly earlier.
The Medicare Reform hands medicare over to private HMOs and basically sets up Medicare for a crash in a few years.
The Energy Bill that hands over tons of money to the corporations that caused the problem in the first place.
The effort to "free" Afghanistan that basically handed that country over to opium drug lords.
They go into Iraq in part because they may be collecting radioactive material to build nuclear bombs to use on the US, and proceed to dump 75 tons of depleted uranium rounds in their country.
They criticize corporate fraud and promise to crack down, then proceed to dissolve legal and financial protections for whistleblowers. Not to mention many of their own little financial escapades.
They proclaim to "Leave No Child Behind" (TM) and then proceed to slash funding across the board for public education.
They "support the troops" by slashing pay and benefits for active duty and veterans and extending tour durations over and over.
And many many many more.
They make war in order to maintain peace.
They proceed to strip us of all our freedom in the name of protecting it.
They maintain security by controlling hiding information.
War is peace.
Freedom is slavery.
Ignorance is strength.
This is no different, and not the least bit surprising.
Any sufficiently advanced influence is indistinguishable from control.