Slashdot Mirror
Another Worm Targets Anti-Spam Sites
kevinvee writes "Yahoo! is reporting about the next battle of Spam Houses versus Spamhauses. This time, its W32/Mimail-L receiving the attention. "It's the third Mimail variation to come after us, except this one is trying to do more," said Steve Linford, founder of The Spamhaus Project. Apparently this reincarnation comes as an attachment offering naked photographs. Once infected, a follow-up e-mail is sent to the user stating that a CD containing child pornography will be delivered to their postal address. "These guys write trojan (viruses), they carry out DDOS attacks and they get their money through selling stolen credit cards and spamming," Linford said."
I didn't think that it was possible for me to hate spammers more than I already do.
Turns out I was wrong.
In case you don't know what I am talking about, Go see the movie before you mode me down.
for the last time people, I am "frodo from middle eaRTH", not "middle eaST".
What we need to do is find out the physical addresses of these nice individuals and try to reason with them using advanced negotiation tools, such as baseball bats and tire irons.
Viral software licensing is not freedom, it is in fact GNU/Socialism.
Apparently this reincarnation comes as an attachment offering naked photographs.
Yeah... apparently, people are still STUPID enough to open these things. Does ANYONE out there still beleive you can get "100% free porn, just click here!" from some sleezy, unsolicited email that just redirects you to a credit card entry, despite the "free"?
I guess so...
The fact that when opened this software is allowed to execute code, crawl through the address book, copy itself and send itself out to others is a fault with the system.
I've never had a problem when opening an attachment with Mutt.
Trolling is a art,
The virus installs a DDOS zombie that attacks Spamhaus. It's not that Spamhaus got infected.
I think this is actually a good thing because it links spammers with viruses and therefor reinforces the association "spammer = evil". Perhaps sooner or later more people (and gov. agencies and companies) see spam not just as annoyance but as attack.
Seriously, I dislike spammers as much as the next guy, but immediately saying this is the work of a spammer is stretching it just a bit. For all we know the person behind the worm has nothing to do with spam.
Isn't there some way to distribute the anti-spam sites/lists so that a DDOS attack can't take it out? All that's needed is a simple neural net-style system - redundancy and distributed content (which the internet makes simple) could solve this sort of problem, at least for now.
GL
If law enforcements agencies cannot handle the problem it's time for the Wild West solutions. And it seems we have to be the sheriffs. Let's fight those bastards with their own methods. They claiumed OUR network, they use it for their own dirty purposes. And they try to 'kill' those who fight with them. We're the majority. Law & order people! DDoS DDoSers. Kill spammers!
Ok. This is bad idea. But what else we can do?
I think you misunderstood. The virus sends an email about the shipment of the porn CDs with a spoofed return address that's actually the address of an anti-spam organization, so they get bombarded with emails from users who think they're sending them child porn.
Yes, but when those virii are targetting one machine instead of the internet as a whole, it makes something of a difference, Graham...
Simon
Physicists get Hadrons!
I've just received a fake "mailer daemon" rejection message with a viral attachment; although my a/v program caught it, I can see this tactic catching even the most suspicious of us...
Mastercard, wait, even better AmEx issues a card with the same idea. The card is used once in response to a single spam. The card is then cut up but not cancelled. Hand the card numbers and the billing address over on a platter.
When the card is used again, set your phasers to sue. The beneficiary of the card's usage can either be charged with fraud, etc. or roll on their superior. Pass the buck up the ladder until you can jail a spammer not on the basis of spam but of felony(ies).
Of course, this assumes that you can find a "member magnifier" offer that isn't even looking to send you Sucrosa. Still, it might be worth a shot as a low-cost investment with a good potential for a high yield.
The same idea could be used for eBay and PayPal scams. It's not as if none of us have gotten those "Please enter your password in this email and click submit button" spams. I wonder if this is already done. I'm a smart guy, but I'm still just another geek on /.. It seems some well-compensated theft prevention exec would have started doing this a long time ago if it would work. Though honestly, I don't see any problems with it myself.
The only thing more dangerous than a file named -rf is renaming it -rf\ /
As much as I hate spam and worms and such, that is too funny. Some dumb bastard tries to get the free pr0n from the email, gets infected, then gets scared to death because they lock you up for a LONG time for possessing kiddy pr0n.
Maybe this is vigilante spam, using the scared straight theory. Next time Joe Sixpack tries to look at the free pr0n, a little voice will pop up and remind him of what happened LAST time.
This would scare the living daylights out of my mother if she were infected by this trojan/worm.
I think part of the problem with computer security nowadays is that home users believe that anything is possible. Computers are still far too mysterious to the average user; I'll bet you dimes to dollars many users will think this CD mailing scare is real. Unless email and antivirus vendors do something to educate homes users, what's to stop the next virus from saying "open this attachment or we'll send illegal merchandise to your door?"
Spammers, even benign ones, thrive on the naivety of home users. I still haven't received my cheque from Bill Gates and Walt Disney Jr...
What they're doing amounts to terrorism (at least, under today's NewSpeak definition of "Terrorism"). Why are the authorities not trying to track these guys down? How hard can it be? It is extremely difficult to completely cover your tracks on the net. You find out where an email came from. Track it back to the ISP. Find out where it came from. Track it back to the next ISP. Check their logs. Continue until you get to a modem pool/DSL connection. There's your guy.
Are they all outside the country? Will those foreign ISPs not cooperate? Why is this so common?
Like woodworking? Build your own picture frames.
This is getting ridiculous. All of these worms/viruses of late have their own SMTP engine built in, and connect directly to external SMTP servers to spread their payload. ISP's (and businesses that provide access to internal workstations) need to block access to external SMTP servers! In particular, block egress port 25 from the network.
So you will ask, "But then how will I use my company's or other SMTP servers from home?" Easy, the port used for initial mail submission (IMS) should be set to a different port altogether. IMS and mail transport are different activities and should be treated as such. Use SMTP+AUTH+SSL, run it on port 465, and everybody is happy (except spammers and virus authors).
"But I want to run my own server on my dial-up or other consumer level account!" Contact your ISP and see if you can get a static IP address. SMTP servers should be on static IPs, that way bounces and other system messages can be routed properly. Check the AUP of your ISP, you might be prohibited from running a server on your account (find another ISP, or use the tip above to use a different SMTP server).
To do otherwise is to continue to be part of the problem, not part of the solution.
I never really understood why someone didn't just contact the CC companies and get a really low limit on their credit cards. Hell, even TELL them that you're going to use it for "verification purposes" online, so that you'd want to know who tried to charge money to it. I don't know if you can, but ask them to keep track of where it was rejected.
Enter the number once, and watch the traceable info for spammers / people that buy this information just ROLL in.
It may be time-consuming, but so is this battle with attempting to blacklist spammers.
As others have pointed out, this attack vector isn't persea the software that user is running. The attack vector is the user, the old PEBKAC (Problem Exists Between Keyboard and Chair), which has been showing up as the resolution to many tickets in our troubleticket system.
.com, .pif, .bat, tell them to keep their anti-virus software up to date, don't run strange attachments, and still we get this. At least we have started running all our outbound mail through AV scanning, and that cuts down on a bunch of the crap, but we still can't keep them from going "ooh shiny...." Click!. Until our users figure out that the computer is a little more dificult to use than their VCR (I don't want to get started on ease of use/convience vs security etc.. but when was the last time you played a movie, and you DDOS'd M$), and they actually need to be mindful of what they use/do on it, "bad people" will always be able to do bad things.
The problem is no matter what we do, we can't prevent our users from shooting themselves in the foot. We rename attachments (.exe becomes _exe). We deny
Then again these users are the same people that would call up the phone company complaining of $600+ phone bills to the Caribbean, etc... When you ask them if they have downloaded any programs that offer free "porn" they get all defensive, etc... A quick look at their computer shows tons of those dialer type apps that are making the equiv of 900 (in the US) type calls over seas, and they don't realize it.
For the record, my users would be the users of the ISP that I admin for...
To E-mail me, replace the first period in my domain with an @
The interesting thing is that for Spam to make any sense, it has to get people to pay real money. Thus any profit making Spam will give away a payment trail. So, if I may ask why in the world no authority goes after whoever sells through SPAM ?
Standard answers:
1) They will move offshore
(my reply, yes, but how will they get a payment if not through Visa/Amex/MC or other major intl institution)
2) There will be "false positives"
(I am not so sure about this one. One line of thought is that punishment may be directed to the profit coming from an Spam event, so if innocent sites make money w/out Spam they won't be very hurt. For instance, say spammers send Spam in the name of Amazon.com -- amazon might need to forfeit extra sales attributed to unusual traffic/sales in that period, attributable to the action of Spammers, if they bighugeenlargement.com doesn't have any traffic normally, they should be blown out of the water )
3) Costs of enforcement will be too high
Perhaps. But what are governments for ? If OKOKRIM can worry about persecuting 15 year old computer wizards, and the DoD can worry about persecuting a 66 year old dictator, why can't someone go after Mr. Joe Spammer and his clients ?
Quem a paca cara compra, paca cara pagará.
As promised, there's a new tool in town. Project Web Form Flooder is still in beta, but it's functional in flooding spammer's websites with plausible data. Java source code only right now, but I'd imagine the ./ crowd can deal with that.
If we flood spammer's websites with garbage data, maybe, just maybe we'll do a little to remove the profit motive in spamming, and once there's no money in it it'll end.
Isn't it time we stopped crying and started doing something?
Hey guys,
Just something to think about: This article talks about spammers along with references to not only spam, but destruction of anti-spam, virii, pornography, theft, identity theft, and child pornography. The only way they could really make spammers look any worse is if they labeled them as baby rapists.
While it could be true, it's beginning to sound like propaganda, intending to make these guys look more Evil than life. Think about the article's motivation, author, and target audience. Be careful, there may be something more going on than what we see on the surface.
~D http://www.dracosoftware.com
This sig has been enciphered with a one-time pad. It could say almost anything.
It's easy to say "don't open obvious spam at all" and "never open an attachment" and "never click on a URL in an email."
Personally, my middle-aged brain only functions at about a four-nines reliability level, meaning that if I deal with thirty pieces of email a day, about once a year I'll accidentally do something STUPID.
Like pressing "reply" before I've finished composing my mail. Or replying to all when I only meant to reply to one. Or replying to a list when I only meant to reply to one person on a list. Or thinking that PayPal might really have sent me an email. Or opening a foreign attachment. Typically I realize that I've goofed approximately five hundred milliseconds after performing the mouse click that commits me to the imprudent action.
(It doesn't help that I actually have real human friends who do send me email message with subject lines that are blank, or consist of the single word "Hi!" or "Meeting.")
I am sure that you never ever do anything STUPID, and I fully agree with you that someone as STUPID as I deserves to have my computer infected with viruses.
"How to Do Nothing," kids activities, back in print!
Somebody else's bad for modding your original post "+1 Insightful" :-)
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
Cannot resist this one...
OK kids, sit down and let uncle bubba explain this one for you. One, if you see something once, it might be a coincidence. Twice means that maybe lighting is hitting the outhouse twice. This is the third one of these, and with each successive version, the methods and operations of the virus are getting more effective and efficient. That means at least two developers were able to reverse engineer and increase the efficiency of the payload of the virus, OR someone is monitoring what is going on and making improvements. Tell you what, I will let you think about that one for a sec...
We also have the comments from the spammers themselves. Many have come out into the open and said that anti-spam orgs declared war on them, and that they would fight back. Do you honestly think that this is just a chance happening?
I guess it could be, I mean, you could have some slashdotter waging a disinformation campaign targeting anti-spammers to piss everyone off...
Oh, and too the nuts want to sue Microsoft under the same pretenses as suing gun manufactures...dude, spammers are equal opportunity abusers...they are abusing open protocols as much as they are using OS holes to propagate this crap. So unless you want to sue Berkley or something like that...
Spammers evil...viruses evil...censorship evil...censoring spam ev...WAIT!...good...
"We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know."
i have yet to see anyone point out WHY spam is actually as effective as it is -- people buy into it!
if spam wasn't a money-maker, spammers wouldn't exist, it's as simple as that. just like if diets weren't such a huge industry, you wouldn't be seeing posters on how you could lose 30lbs in 30 days plastered all over your city (the birth of spam, might i add).
if all these men just stopped caring about the size of their weenies, spam would take a huge hit. if we'd all be a bit smarter and not even consider clicking on insurance / any financial links in spam, that market would also take a huge hit. and if we were all more passionate with our partners then that takes care of goat / bestiality porn. the 'barely legal' crap, you have to deal with on your own. that's just wrong.
honeypots, bayesian filters, spam blockers, LAWS... so much time, effort and money is being put into something that will only be solved once we start dealing with our own insecurities / needs.
### http://www.gunfinger.com ### greed / tec
Sounds like your IP is inside a CIDR block listed by SPEWS (or something similar). If it happened to be SPEWS (your symptoms certainly match), did you actually bother to read the SPEWS FAQ?
There certainly is a reason why you got blocked. Either someone has sent spam from your IP (if you have dynamic IP) or spam has been sent from the same netblock (and your ISP didn't bother to eject the spammer scum).
If you present this kind of accusations, we (or at least I) would like to hear some more details...
99 bottles of beer on the wall... take one down, chug it a-down 98 bottles of beer on the wall... 98 bottles of beer on
but some of these "Blacklist" organizations are not trying to help eliminate spam, or even block it, they are trying to _make money_.
<rant>
MAPS is one of them, and unfortunately I've been dealing with this problem first hand. I just installed a new server and out of the box Apache2 was setup to be an open proxy. It didn't take more then an hour or two before the IP was listed on MAPS-OPS. This is fine. However I promptly closed the proxy and notified them. What did they tell me, they sent me some canned email that told me to close the proxy.
Alright, so I double check again, I search google for open proxy testers, run them, they all return negative, I look at the MAPS "test report", all it says is:
IP: closed
IP: test finished.
Looks to me like the proxy is closed. I email them again, to say the proxy is closed, unless you can give me other details, your own test results seem to confirm this, whats going on?! They reply back saying their open proxy test is robust, advanced, and proprietary, therefore they can not give me any information regarding the test. Not only that, they want me to show what I did to close the proxy, and prove to them that I am the server administrator! Oh, and the best part, they want the email to come from abuse@<blocked_IP> or postmaster@<blocked_IP>.
Well, for one I can't email them from those addresses because THEY BLOCKED ME! For two, how can I prove I'm the server administrator? The email address I'am using to contact them is listed in the whois record for the domain as the "admin contact". Thats not good enough though apparently. What do they want, a digital photo of me standing beside the server with a big "anti-spam" sticker on it?
Thats the last I heard from them, they blocked me from filling out there "remove me from the list" form. Nice.
If every open relay and proxy in the world was closed at this minute, MAPS would go out of business, therefore they have absolutely no interest in removing people from their list.
</rant>
Never. .biz is a good token for my bayesian filter. I guess the sleazy sound must attract spammers like moths to a flame.
I tell you, this is the most compelling argument I've ever heard for a redundant TLD.
(Inevitably, in every thread about spam, someone proposes a solution with one or more flaws. This is a handy form that passes the lameness filter and that can be reused for all such posts to save time! It does not specifically address all possible flaws and may be expanded in future versions.)
Your post advocates a
( ) technical ( ) legislative (x) market-based (x) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which vary from state to state.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
(x) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires cooperation from too many of your friends and is counterintuitive
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
( ) Ideas similar to yours are easy to come up with, yet none have ever worked
( ) Other:
Specifically, your plan fails to account for
(x) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
(x) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
(x) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
( ) Other:
and the following philosophical objections may also apply:
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
(x) Countermeasures cannot involve wire fraud or credit card fraud
( ) Countermeasures cannot involve sabotage of public networks
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
( ) Other:
Furthermore, this is what I think about you:
(x) Nice try, dude, but I don't think it will work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
It's the ratio.
In my Bayesian corpus, the .COM extension in an HTML tag is a 90.43% spam probability (because most of my non-spam doesn't have HTML tags) and a 22.0% spam probability in free text.
Meanwhile, BIZ is a 99.92% spam probability when found in an HTML tag and a 90.5% spam probability in free text.
So, yes, .BIZ is a good spam token and I, too, have thought about filtering everything .BIZ. The main reason I don't is because my Bayesian filter catches 99.9% of it all anyway so there's no reason to bother increasing my false positives by filtering BIZ.
Methods to get spammed when you know better:
If none of these things had happened to me since 1998, my current address would probably be spam free.
Explaining the problem to people beforehand is only so effective. Telling off your friends after the fact is not a solution. Eventually you just have to give up. My work address has been quite safe, I generally don't use it to correspond with the outside world, especially non-technical people and it is reasonably cryptic, but my personal address is ceaselessly bombarded.
Spammers do indeed have a weak point. They are dependent on procesing their payments via credit card companies.
I once tried to set up an online business that would accept payment via credit card. To set up a trading account, you have to jump through all sorts of hoops and rules. It's not cheap or easy. The credit card comapnies cheak who you are quite rigourously before they will give you a business trading account.
Part of their rules is that the trader must clearly identify theirself/the business when making a sale.
There are only a very few credit card companies - amex, visa, mastercard, mbna, that covers about 80% of the market.
I'm not quite sure how to go about informing the credit card comanies that you have received an illegal credit card payment request. Perhaps you could send the spam to them, or the url of the actual webpage where it asks to fill in your credit card numbers.
For the desperate, you could actually pay something, maybe using a spare card that you never use, then at once inform the credit card company of the situation, requesting a refund, and giving them relevant details, e.g. the website with the unlawful request on it, so that they will place a black mark against the trading account of the spammer.
Too many of them and they will close his trading account. With the resources that credit card companies have for checking on background, its gonna be bloody hard for the spammer to reopen new acocunt, especially as lying for the purposes of getting a trading account is something that the police take REALLY seriously...
(close your card or keep an eye out for any further withdrawals from your account and instantly notify the credit card company - they will then know the spammer's been passing around your details and have his address on file - more charges for the police to use)
What do you think of this method?
-tomato