Slashdot Mirror
Another Worm Targets Anti-Spam Sites
kevinvee writes "Yahoo! is reporting about the next battle of Spam Houses versus Spamhauses. This time, its W32/Mimail-L receiving the attention. "It's the third Mimail variation to come after us, except this one is trying to do more," said Steve Linford, founder of The Spamhaus Project. Apparently this reincarnation comes as an attachment offering naked photographs. Once infected, a follow-up e-mail is sent to the user stating that a CD containing child pornography will be delivered to their postal address. "These guys write trojan (viruses), they carry out DDOS attacks and they get their money through selling stolen credit cards and spamming," Linford said."
What we need to do is find out the physical addresses of these nice individuals and try to reason with them using advanced negotiation tools, such as baseball bats and tire irons.
Viral software licensing is not freedom, it is in fact GNU/Socialism.
Apparently this reincarnation comes as an attachment offering naked photographs.
Yeah... apparently, people are still STUPID enough to open these things. Does ANYONE out there still beleive you can get "100% free porn, just click here!" from some sleezy, unsolicited email that just redirects you to a credit card entry, despite the "free"?
I guess so...
The fact that when opened this software is allowed to execute code, crawl through the address book, copy itself and send itself out to others is a fault with the system.
I've never had a problem when opening an attachment with Mutt.
Trolling is a art,
There's a term for a coalition engaged in the act of making money through the use of intimidation and illegal acts: organized crime.
The spammers are exactly the same as the mafia.
This is America, damnit. Speak Spanish!
This would scare the living daylights out of my mother if she were infected by this trojan/worm.
I think part of the problem with computer security nowadays is that home users believe that anything is possible. Computers are still far too mysterious to the average user; I'll bet you dimes to dollars many users will think this CD mailing scare is real. Unless email and antivirus vendors do something to educate homes users, what's to stop the next virus from saying "open this attachment or we'll send illegal merchandise to your door?"
Spammers, even benign ones, thrive on the naivety of home users. I still haven't received my cheque from Bill Gates and Walt Disney Jr...
Great idea!
Now try to find a team of lawyers that can successfully prosecute such a case in Romania, China or Russia!
These sorts of scams generally do not originate in places like the US or UK.
Conformity is the jailer of freedom and enemy of growth. -JFK
As others have pointed out, this attack vector isn't persea the software that user is running. The attack vector is the user, the old PEBKAC (Problem Exists Between Keyboard and Chair), which has been showing up as the resolution to many tickets in our troubleticket system.
.com, .pif, .bat, tell them to keep their anti-virus software up to date, don't run strange attachments, and still we get this. At least we have started running all our outbound mail through AV scanning, and that cuts down on a bunch of the crap, but we still can't keep them from going "ooh shiny...." Click!. Until our users figure out that the computer is a little more dificult to use than their VCR (I don't want to get started on ease of use/convience vs security etc.. but when was the last time you played a movie, and you DDOS'd M$), and they actually need to be mindful of what they use/do on it, "bad people" will always be able to do bad things.
The problem is no matter what we do, we can't prevent our users from shooting themselves in the foot. We rename attachments (.exe becomes _exe). We deny
Then again these users are the same people that would call up the phone company complaining of $600+ phone bills to the Caribbean, etc... When you ask them if they have downloaded any programs that offer free "porn" they get all defensive, etc... A quick look at their computer shows tons of those dialer type apps that are making the equiv of 900 (in the US) type calls over seas, and they don't realize it.
For the record, my users would be the users of the ISP that I admin for...
To E-mail me, replace the first period in my domain with an @
The interesting thing is that for Spam to make any sense, it has to get people to pay real money. Thus any profit making Spam will give away a payment trail. So, if I may ask why in the world no authority goes after whoever sells through SPAM ?
Standard answers:
1) They will move offshore
(my reply, yes, but how will they get a payment if not through Visa/Amex/MC or other major intl institution)
2) There will be "false positives"
(I am not so sure about this one. One line of thought is that punishment may be directed to the profit coming from an Spam event, so if innocent sites make money w/out Spam they won't be very hurt. For instance, say spammers send Spam in the name of Amazon.com -- amazon might need to forfeit extra sales attributed to unusual traffic/sales in that period, attributable to the action of Spammers, if they bighugeenlargement.com doesn't have any traffic normally, they should be blown out of the water )
3) Costs of enforcement will be too high
Perhaps. But what are governments for ? If OKOKRIM can worry about persecuting 15 year old computer wizards, and the DoD can worry about persecuting a 66 year old dictator, why can't someone go after Mr. Joe Spammer and his clients ?
Quem a paca cara compra, paca cara pagará.
Rationally, I think the only way around it is to attack the economics of spam, as has been suggested by many much smarter than me.
When you talk about changing the economy of spam, you are talking about creating scarcity with regard to communication by taxing it. I couldn't disagree more with the suggestion that we must restrict communications in order to solve the spam problem. We demand that outfits such as the RIAA learn to adapt in a world where communication is profligate and free. How can we, in good conscience, recommend that communication be restricted in an area where our personal convenience and comfort is concerned, and not in another, where someone's multimillion dollar industry is concerned? If we think freedom of information is a good thing, we must be consistent in that belief.
who are those slashdot people? they swept over like Mongol-Tartars.
Hey guys,
Just something to think about: This article talks about spammers along with references to not only spam, but destruction of anti-spam, virii, pornography, theft, identity theft, and child pornography. The only way they could really make spammers look any worse is if they labeled them as baby rapists.
While it could be true, it's beginning to sound like propaganda, intending to make these guys look more Evil than life. Think about the article's motivation, author, and target audience. Be careful, there may be something more going on than what we see on the surface.
~D http://www.dracosoftware.com
This sig has been enciphered with a one-time pad. It could say almost anything.
Thats not the only way to change the economics of spam. Simply put spammers exist because the rate of return on investment is very high. We have to change that economic principle some how, there really is no argument there. There are many suggestions on how to do this, taxing is just one of them. Heck everyone pretending to reply is another one, which forces to spammer to follow many false leads. There is many, but something must be done to make spamming more expensive.
The problem of spam is not caused by the freedom of email, any more than murder is caused by the availability of knives and other weapons. It is too easy for technically-minded people to see spam as a technical problem, which is to be solved by replacing the existing mail system with something more restrictive. However, the spam problem is not spontaneously generated by the mail system, just as knives do not go around murdering people. Spamming, like murder, is a human action that certain humans choose to engage in.
It is, of course, useful to use technology to make harmful actions more difficult. Locking up valuables makes theft more difficult; hiring bodyguards makes assassinations more difficult. However, we do not pretend that technology should make theft or murder impossible, or that the world should be transformed into a padded cell so that everyone is technologically prevented from doing anything wrong. Instead we deter and punish crime through education and law enforcement. Technology can reduce the likelihood and impact of harmful human actions, but we cannot use it as a replacement for social responses.
Regardless of whether particular legislatures have passed laws which specifically address spam, we recognize spamming as a lawless and criminal endeavor. Spammers co-opt the property of others against the will of the property owners. (Note that this is worse than simply using that property without permission.) Just as gangs protect their core unlawful enterprises with further crimes such as murdering rivals and bribing police, spammers have come to use cracking, viruses, and DDoS to protect their core activity. Structurally, spam is just like other sorts of lawless action which we see as the proper jurisdiction of law enforcement rather than technological kludgery.
There is no shortage of evidence, gathered from public sources and fully admissible in court, that particular spammers are engaged in criminal actions such as the above. Contrary to common belief, these spammers are not in "third-world nations"; they are in Western nations such as the USA, Canada, and the UK -- nations which have broadly functional legal systems, and nations whose Internet users are the chief recipients of spam as well. Volunteers have already carefully collected this information in the Registry of Known Spam Operations. What is needed is twofold: (1) Funding for law enforcement to go after the known criminal enterprises; (2) Further litigation by major victims of spam, such as large ISPs, against those who are victimizing them.
The problem with that is that most spammers websites are hosted on innocent ISPs machines.
The objective isn't a DOS, it's to salt their data. If 99 out of 100 'orders' are fakes with invalid cc numbers, their transaction costs will go up and their profitability will plummit.
The other alternative is to track them down and burn them alive.
Neither of the above is desirable since mistakes will be made and innocents will be put out of business or killed. The desirable solution is to throw them in jail and fine the hell out of them after they are found guilty in a fair trial. However, vigilante action is the natural consequence when the law fails to take action.
What a GREAT idea. Fight Spam by committing a federal offence. You can laugh at the foolish spammers from prison.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
It's their DATA that's valuable. The data that unsuspecting knuckleheads willingly provide is what they make their money from. Flood their data with garbage so they can't tell the real from the bogus and their entire database becomes effectively useless.
I'd actually go one step further. A Racketeering-Influenced Corrupt Organization.
> The spammers are exactly the same as the mafia.
But on that, I must dissent. The Mafia has a long and storied history of providing everything from illicit booze, prostitution, sports gambling, lotteries with better payouts than the government-run lotteries, duty-free liquor and cigarettes, financial assistance to those with whom banks will not deal, as well as a full range of soft and hard drugs.
Unlike spammers, the mafia provides things that people actually want.