Examining an Automated Spam Tool

Saint Aardvark writes "SecurityFocus has published an excellent column detailing how spammers r00ted an Apache server, and used it to send spam. The tool they used is (I hate to admit it) pretty sophisticated: it has macro capabilities, picks up email addresses from and reports success or failure to the master server. It's a very frightening read...and so is this: Message Labs reports that they now intercept 27 spam emails per second, up from 2 per second this time last year. Virus-created proxies are mainly to blame."

Re:Spammers know what they're doing

[Clever+Pun]

Spammers regularly compromise other systems and install sophisticated software to allow easier spamming.

I could have sworn that this was illegal. I mean, it's like some random person changing the lock on my door, giving me a copy of the key, but keeping a copy for themself. If they don't have my permission to do that (read: informed consent), I'm willing to bet that they'd be severly prosecuted.

If, however, it's NOT illegal, what the hell? There'd better be a good reason for it not to be.

Well...

[hookedup]

One day I noticed that one of my remote servers was sending 24 hours a day a continuous 11Kbytes stream, using the 100% of the upload bandwidth (128Kbits).

Seems greed has once again turned around and bit someone in the ass (in this case it was a good thing). So all these spammers really need to do is slow down the avalanche of spam somewhat, and throttle their speeds when relaying. Otherwise, how long would this have went on for if he hadnt noticed his upload being maxed?

Bad getting worse...

[tuxette]

Other trends started this year and expected to increase in 2004 include the use of e-mail to trick people into going to what they think is a legitimate vendor's web site and provide confidential information, such as social security or credit card numbers, MessageLabs said.

Although I haven't experienced spam that goes so far, I have received (in my special spam account for playing with Nigerians and lottery managers) quite a few mails with requests to confirm my e-mail address. It works like this - you get a mail saying something a la: "I am controlling the e-mail sent to my inbox for the following address: sucker@born.every.minute.com. By asking for you to confirm that you really sent email to me I can ensure that I receive no spam and that your email address really exists. This is a one time confirmation, please click the link below and your email will be delivered straight away, now and in the future. Regards, Alberto Huber"

The funny thing about it was that the "I" in question was neither someone I sent mail to nor someone I know at all.

Now if they think I'm going to go click the link to confirm that my e-mail address exists, then they would surely be willing to buy some property on Mars I have for sale. Radiation-free. Really.

stupid gap in PHP...

[kisrael]

Actually, and yeah yeah yeah, I know there are probably settings around this, but that default of cgi variables automatically being turned into global variables of the form $same_name_as_in_the_form has always seemed to be asking for trouble.

PHP, at least when I was looking at it a year and a half ago, always felt half-baked to me.

New protocol?

[HornyBastard]

I think it's time we get a new mail protocol.

If we can somehow get a list of relays authorized for the sender's domain, it would be easier to flag a message as SPAM.

Also, I think the messages should be stored on the relay, with just a URL sent in the mail body. It would solve two problems:
* The size of the message will be limited by the size of the sender's mailbox.
* It will use more resources on the relay, and the admin should be less likely to run an open relay.

Re:All this really makes me wonder...

[wo1verin3]

Occasionally I'll get something in my e-mail such as an uptime service for my website that looks quite interesting and I was about to subscribe when I read the entire e-mail and it stated that I signed up to recieve these e-mails.

I e-mailed their sales dept and informed them that I would have signed up for their service if I heard about it another way, but would instead be going with a competitor because of the way they went spamming.

OpenBSD on macppc

Geez,

This is going to make me move my web server to OpenBSD 3.4-stable on macppc even sooner. It would have two layers of defense against this kind of attack, even if the PHP hole was there.

1. Chrooted apache means that necessary shared libs/utility apps for the binary aren't available immediately.
2. PowerPC processor means that i386-binary payloads won't run

Running under systrace might also help stop it from opening outbound connections.

why not e-stamps?

[goombah99]

How come the idea of e-stamps is not getting any traction? The concept is that you are assessed a small charge for sending unwanted mail.

I dont see what the technical or social barriers are. For example, it would not require any change in the way mail is transported. Instead it would all be handled by the recipient's browser.

consider the following straw man scheme. I send you an e-mail.
1) If I am in your white list the e-mail is accepted.
2) if not then the e-mail is examined for a signed, serial numbered e-stamp and if present a short message is sent to central post office to debit the senders account one penny, and a receipt is returned to my e-mail program which then lets the message in.
3) Finally if the message does not contain a stamp and is not white listed, the message is put in a spam folder and a memo sent to the sender (me) telling me that I need to request permission to send e-mail.

The last step is how for example Earthlink's highest level spam blocker works. If most messages are spam then of course it doubles the total number of messages sent, but does not double the total message sizes or hand shaking. To the extend that it works, the post offices will only be consulted if the sender is not in the white list so unused stamps can be reclaimed. Moreover one could have the option of refunding the senders stamp if the message were welcome.

I dont see what the sociologocal or technical hurdles are. Not every one has to be using the stamp processing client program. When stamps are not present it defaults to the earthlink system. When they are is skips that nuiscance.

the best part is that legitimate direct mailers might very well be willing to pay the postage to send you an advertisment but presumbaly in many cases these would be targeted ads to people with potential interest.

Re:why not e-stamps?

[letxa2000]

Not every one has to be using the stamp processing client program. When stamps are not present it defaults to the earthlink system. When they are is skips that nuiscance.

The problem is that when you use the EarthLink system, you become a nuisance to hundreds of others around the world.

I currently am up to about 300 spams per day. Most of those are forged addresses--which means they belong to someome, just not the spammer. If I used the EarthLink system I would be sending "challenge" messages to about 300 innocent people each day. Suddenly *I* am part of the spam problem from the perspective of those 300 people per day.

As long as return addresses can be forged, challenge/response systems should be frowned on at least as much as spam--possibly more than spam since they supposedly solve spam by generating more garbage for others on the network which is just counter-productive and annoying.

That said, I like the rest of your idea. Email must remain free so I'm opposed to a system under which I automatically have to pay a penny to everyone I send email to but only get it back if they decide to credit me.

But if you can set your own "charge" for receiving spam and spammers can embed a token in their email saying "I'm willing to pay a maximum of $1 for someone to read this message" then if a spam comes in that pays the amount you've decided to charge for receiving spam, it goes out to the central payment server and credits you and debits the spammer, fine. Pay me $1 per spam and I'll happily receive 300 per day!

Of course, at $1/spam there won't be any... which is even better!

Re:why not e-stamps?

[letxa2000]

In most (but not all situations) its possible to weed out bogus challenge responses.

In most (but not all) situations, it's possible to weed out bogus spam--but that doesn't make spam acceptable.

For example, if I get a challenge to an e-mail I allegedly sent but the recipient if not in my address book (or sent mail list) then my e-mail program can just discard it and never bother me.

That's a whitelist approach. But that's a closed system. Many people (myself included) have to be able to receive email from people we've never talked to. They initiate the conversation, not me. So I can't just have my email program reject email as bogus just because it's not whitelisted or in my "sent" folder.

The point is that the challenge/response model depends on sending out a challenge for every spam that comes in. You are assuming that others are using an anti-spam solution to catch your bogus challenges and treat it as spam. That's a bogus approach.

Yes, people can filter out your challenges. But tell me how that is different from filtering out spam and why your automated challenges should be any more acceptable to me than outright spam? Both are email I didn't ask for and don't want.

Re:yes it is profitable

[phorm]

I remember an old story months (or years) ago about a spammer, got tracked down, the whole nine yards, the ISP refused to cut them off because they were paying the ISP over $50,000 a MONTH to send spam. These days they pay even more.

Because SPAM as a whole is becoming illegal in many areas, and much of what spammers do is already illegal. If the ISP is allowing the spammer to continue operation, and he is pumping illegal products/scams/etc then the ISP will be on the line.

It's one thing to profit for unscrupulous activity, it's another to knowingly allow an illegal one.

Making it easier to certifiably track spammers is part of the solution because if you can say with strong surety that an ISP is supporting the spammer... then you can take action against the ISP.

Re:All this really makes me wonder...

[t0qer]

Too the parent and the parent parent posters...

You both make excellent points,
a. go after the spammer
b. go after the people that fall for it

Yet they're both chicken before the egg type of solutions.

It was a weak protocol that let the genie out of the bottle. Open relays were a part of the net in the beginning because spam didn't exist, there was more co-operation between sysops, and because the net was mainly comprised of scientific and academic types.

Actually, what is really needed is a new mail protocol. Simple as that. Then there wouldn't be this backwards compatible layer full of holes, and it would render all these worms useless.

Re:Spam funders?

[leerpm]

I doubt it. What does a giant corporation like Viacom have to gain from sending out penis-enlargement advertisements?

The most reasonable guess along this line would be the drug companies trying to sell to an underground market. But everyone knows that the drug companies are fighting hard to keep the drug prices artificially high in the US, so what would they have to gain too? I mean, have you looked at most spam lately? It certainly doesn't appear to be a case of a real company trying to make a legimate profit. Most spam is for bogus offers.

How much $$$$

does anyone know how much money a spammer makes? can it really be worth all the effort?

Need to block port 25 all over

[penthouseplayah]

In my dorm we have blocked port 25 from LAN to internet. It was thought to keep viruses from propagating from out network and keep people from setting up a spamserver. Now it looks like a very good decision. (they can actually only use our DMZ smtp gateway, which is antivirus protected).

All ISP or the like should block port 25 outbound by default, and make people use the smtp server of the ISP. If people (1 out of 10.000) would like to use port 25 outbound, they should contact the ISP through a bureaucratic procedure. That would close the trojan hole at least.

Are there any other ports (priviledged/unpriviledged) that one can safely block to avoid trojans and the like???

Re:All this really makes me wonder...

[arivanov]

You will need an ICBM version and Putin's agreement to let it through and not pay you back in the same currency with interest.

Jokes aside, while not being compromised myself I have gone through a similar process investigating distributed server farms on cable and DSL serving counterfeit software (once again advertised by SPAM). In all cases the final step ended up being somewhere in Russia at least 600km from of Moscow.

The method of intrusion is different though. In all cases it is windows software. Common examples are the one which copies DVDs to CDs (with all offers seen over the last 2 months being a trojan). Basically this, along with several similar common SPAM sucker gatherers is used for guess what - to gather suckers. The software actually works, but it contains a fairly sofisticated remote access trojan.

This has recently been extented to include sucker gatherers introduced in counterfeit branded software. Basically, you pay 39$ for a counterfeit Win XP pro at "OEM Clearance Sales" and get a Win XP pro with a "surprise".

Servers are all over the world, mostly on cable networks (strangely enough very few DSL ones). DNS (which is the weakest link) is run by known "questionable" marketing hosting sites usually in the US.

With the number of suckers around trying to copy DVDs onto CDs frankly I do not see a reason for all the effort into hacking sites with vulnerable lame PHP software. So I guess these were some "new kids on the block"

Re:Spam funders?

[Urkki]

I guess porn business is what brings in most of the money for spammers.

And then I suppose that once the basic spamming infrastructure is established and paid for by that, there's ready market for getting other businesses and plain scammers to do spam marketing, thus increasing spammer profits more and pushing down the price per email.

The Marketer is Responsible Too

[supersmike]

If you received an ad in the mail for my product and the ad was contaminated with anthrax, wouldn't I be liable? Maybe not if I told you I used a mail service to send my ad, and that they must have done the contaminating, but at the bare minimum, I would be expected to fess up as to who the mailer is. If I didn't know who the mailer was (blind credit card form or somesuch) I might be guilty of negligence - at least I'll bet a civil suit would say so, because someone has to be blamed for the contamination. Spam may not be anthrax, but there is a conceivable case for liability if we went after the marketers, no?

Do-it-yourself blacklist?

[pjack76]

Here's an idea, tell me why it won't work. :)

Instead of having one mail server for your home or organization, you have two. Except one is secretly useless. It just blackholes everything that's sent to it.

You buy another domain and list the blackhole as the MX record for the new domain.

You sign up for a bunch of email marketing lists using addresses from the blackhole domain.

Everything that gets sent to the blackhole server is by definition spam.

The blackhole server also runs DNS. You set your real mail server's RBL DNS to point to the blackhole server.

Every time the blackhole server accepts a connection on port 25, the blackhole server immediately drops the connection (so no wasted bandwidth) and updates DNS with the originator's IP address.

You now have your own local blacklist, you don't have to trust somebody elses. Keep a log, if somebody bitches about it you can say "Well, somebody sent spam to my blackhole server on this date at this time from your IP. Suffer".

You'd have to combine it with a whitelist to let Yahoo and Hotmail and so on through, but you'd still kill a lot of spam.

Thoughts?

Re:Do-it-yourself blacklist?

[schon]

Here's an idea, tell me why it won't work.

OK, but remember, you did ask.

First of all: what you envision is nothing new. It's called a 'spamtrap'.

The most important thing is that it relies on security through obscurity - as soon as the spamtrap addresses become known, they're useless (and can actually be used to fsck you up.) If you think this won't happen, I urge you to read the article - this spam machine isn't stupid, and will find your spamtrap addresses faster than you think.

Every time the blackhole server accepts a connection on port 25, the blackhole server immediately drops the connection (so no wasted bandwidth) and updates DNS with the originator's IP address.

Pretty simple - anyone who knows the spamtrap address(es) can now DOS your legitimate mail server by sending mail to your spamtrap. (I realize you noted this, but included only Yahoo and Hotmail.)

Spammers get your spamtrap address, they have infected machines on many different ISPs, so they send mail to your spamtrap using those ISPs' (again) legitimate mail server.

Congratulations, you have just stopped receiving email from every ISP on the planet.

Re:All this really makes me wonder...

[ryanvm]

If you think about it, there are some really intelligent spammers. They're always one step ahead of us and are figuring out new ways to spam us.

I think you're giving them too much credit. Technically, it's a lot harder to selectively ignore certain people then it is to yell at everyone. Staying "one step ahead" really isn't that difficult.

OK. who's behind this?

[Animats]

Let's dig a bit. As usual, we ignore where the spam came from, and concentrate on where the money goes.

The spam contains ads for the "Asta Design Group", which has been widely spamvertized. A bit of searching turns up this address:

• SeafishNET and the Asta Design Group
  360 NE 49 St
  Fort Lauderdale, Florida USA 33334
  E-mail: seafish1@ix.netcom.com
  

Another lead gives us

• The documents and information on this Web site are copyrighted materials of SeafishNET, Asta Designs and its information providers.... "SeafishNET" and the SeafishNET logo are registered trademarks of SeafishNET.

• SeafishNET
  360 NE 49 St.
  Oakland Park, Florida 33334 USA
  (954) 351-7961
  seafish1@ix.netcom.com

Same address and zip code, but in Oakland Park, a Ft. Lauderdale neighborhood. Now we have a phone number. Google gives us

• Charles Fish, (954) 351-7961, 360 NE 49th St, Fort Lauderdale, FL 33334

Checking the satellite imagery, that's a tract house backing up to a six-lane highway. It's not a mailbox service.

Since we're talking about felony computer intrusion here, that's the address to give the cops. This may or may not be the intruder, but they probably know who it is.

Re:OK. who's behind this?

[SaneLane]

One thing interesting to me is that the English used in some of the log messages and other bits of this distributed SPAM system were very obviously written by someone for whom English is a second language. There wasn't enough of it to guess what their native language is, and their English is pretty good, avoiding the common mistakes that usually give away the type of native language.

Given the the German and Russian addresses, I would not at all be surprised if the distributed SPAM software was written by someone in Russia on contract to (paid by) some SPAM company in the U.S. Or perhaps it was written by a foreign national residing in the USA -- like this "Charles Fish" fellow.

Of course, the SPAM regulation law that Congress just passed is almost useless. It never declares or makes SPAM illegal. It just requires spammers to not forge addresses and silly things like that.

I think every corporate IT administrator or geek of another sort should repeatedly emphasize how much time and money is being lost to SPAM until the big corporations really put the pressure on world governments to make SPAM flat out illegal. That won't stop it, but it will give the folks fighting it some legal teeth with which to chomp on the culprits when they can be cornered.

Illegal to look at someone's email?

You know I was just thinking about this. Is it illegal to look at someone's email in the US? Some wiretap like law or something? If so, detecting a spam bot on your system has to be done a different way. And if it is connecting to another smtp server your should not be looking that that either under US law? No?

I'm just thinking ahead, if a spammer is brought to court and stuff gets thrown out cause it was obtained by "illegal" means.

Re:All this really makes me wonder...

[Urkki]

But users wont get smart. So you have to limit any users ability to send email. Simple as that.

For example mandate that ISPs charge 1 cent per e-mail sent from user, and see users to make very sure their computers are secure and not spam relays. Of course this also needs a cap on mails/day, or more like cap on $ spent on sending mail per day so users don't get burned too bad...

Or mandate a CPU challenge per e-mail sent from a MUA that takes 10 seconds to solve per recipient for something like 1GHz x86 CPU, but is cheap to verify by the MTA.

If spammers can't reach high enough volume, spamming will become unprofitable, simple as that.

Re:yep

[Urkki]

There are plenty of suggestions. Combining a good selection of them into a unified protocol would help a great deal. Some of the suggested stuff:

- "CPU cycle" stamp in every outgoing mail.
- Making the To-field to actually determine the recipients
- Making From-field actually identify the sender (by being added by the mail server software, not by client software, so email-specific login to the server would be needed).
- Integrating signatures into the protocol in different ways, at least to identify the originating ISP.
- Making email a "pager-type" protocol, recipient only gets a minimally short message telling where to find the actual message (including checksum of the message or what else is necessary), thus stopping at least the spam content clogging up the network.

Lot of little things that could perhaps also be implemented on top of SMTP even without making it horribly messy. But the reason a new protocol is needed is that old SMTP really stops being used "in the wild" outside private networks, and existing vulnerable legacy software (including the various worm-created spam networks around the internet) stops working.

Re:A question regarding education/tracking?

[pongo000]

1. Because it's usually some spamming company performing the spamming, not the real company. They only hired their "PR services", in which case you have to prove they did know it their marketing practices would be illegal.

True, but what if said companies were publicly outed and humiliated? What if an orchestrated effort was made to let said company know exactly how the world feels about their carelessness in hiring their PR firm? Would that not be sufficient to send the message that if you hire a PR company, you better be damn sure you know how they're promoting your good name?

Re:how to fix the problem

[Otto]

They added hack prevention code to a lot of gallery way back when.. My init.php has similar code to what you posted, but it also has this at the top:

$sensitiveList = array("gallery", "GALLERY_BASEDIR");
foreach ($sensitiveList as $sensitive) {
if (!empty($HTTP_GET_VARS[$sensitive]) ||
!empty($HTTP_POST_VARS[$sensitive]) ||
!empty($HTTP_COOKIE_VARS[$sensitive]) ||
!empty($HTTP_POST_FILES[$sensitive])) {
print "Security violation\n";
exit;
}
}

Essentially, it's just checking key variables like "GALLERY_BASEDIR" to make sure that they're not set in the input. If they are, it suicides. Any variable which is dangerous they can then simply add to that array at the beginning of the file.

Questions for you Linux experts out there

[TheTranceFan]

I'm a relative Linux noob and I'm trying to understand this thing. I read the whole article, but there are a few things I'm not sure I get.

1. Was his server really rooted? It seems like these bogus httpd's that were running were still running as www-data, the user this guy had Apache running as.
2. Did I miss some escalation-of-privileges step, or does apache's user usually have this level of privileges? Like chmod'ing things it got with wget...yikes!
3. I run php with register_globals=off. Is that enough?
4. What's an easy way in Linux to tell if your outbound bandwidth is slammed?

I was very impressed with the forensics this guy did. It was fascinating. Too bad it's necessary. I wonder how many machines out there are compromised without anyone even knowing it.

A realistic solution

[Mostly+a+lurker]

Over 99% of discussion on elimination of spam always seems to resolve around

* Make every stupid person smart so noone responds to spam

* Change every mail server in the world to use a new protocol

* Use client-side spam detection to hide spam and expect the stupid people to use it

Well, I have less than complete faith in any of these methods providing an adequate short term solution. So, why cannot we look at the big picture?

A few major spammers are sending millions of emails. The effect is close to being a DoS attack on the entire Internet. These emails are susceptible to pattern analysis if analyzed on a global basis. Surely what we need is somethng akin to an Internet-wide intrusion detection system. When pattern analysis indicates a spam attack, we simply block the traffic as close to the source as possible.

Wouldn't there be a cost associated with this? Sure. But the spam problem needs to be resolved and this is the only realistic short term solution that I can envisage.