Slashdot Mirror
Examining an Automated Spam Tool
Saint Aardvark writes "SecurityFocus has published an excellent column detailing how spammers r00ted an Apache server, and used it to send spam. The tool they used is (I hate to admit it) pretty sophisticated: it has macro capabilities, picks up email addresses from and reports success or failure to the master server. It's a very frightening read...and so is this: Message Labs reports that they now intercept 27 spam emails per second, up from 2 per second this time last year. Virus-created proxies are mainly to blame."
All this really makes me wonder when the death penalty will be approved for spammers. Or at least some harsh beatings...
Spam is profitable, and this is becoming a huge underground business. Spammers regularly compromise other systems and install sophisticated software to allow easier spamming. Here's a document that describes the link between spam and viruses
yet another example spammers aren't just mom&pop operations. This is a big business, with big money backing it.
Something desperately needs to be done with SMTP to control this stuff....
One day I noticed that one of my remote servers was sending 24 hours a day a continuous 11Kbytes stream, using the 100% of the upload bandwidth (128Kbits).
Seems greed has once again turned around and bit someone in the ass (in this case it was a good thing). So all these spammers really need to do is slow down the avalanche of spam somewhat, and throttle their speeds when relaying. Otherwise, how long would this have went on for if he hadnt noticed his upload being maxed?
If only we could harness the power of these cool (and working!) distributed systems to provide efficient peer to peer content distribution or an actual legitimate email system of some sort...
This is obscene. How far will spammers go?
If they're good, and are producing sophisticated tools and methods for spamming, then it's imperative that it is admitted, so people will understand the true nature of the problem and what anti-spammers are up against.
One of the most fatal mistakes you can make in any conflict is to underestimate your opponent.
It's official. Most of you are morons.
Although I haven't experienced spam that goes so far, I have received (in my special spam account for playing with Nigerians and lottery managers) quite a few mails with requests to confirm my e-mail address. It works like this - you get a mail saying something a la: "I am controlling the e-mail sent to my inbox for the following address: sucker@born.every.minute.com. By asking for you to confirm that you really sent email to me I can ensure that I receive no spam and that your email address really exists. This is a one time confirmation, please click the link below and your email will be delivered straight away, now and in the future. Regards, Alberto Huber"
The funny thing about it was that the "I" in question was neither someone I sent mail to nor someone I know at all.
Now if they think I'm going to go click the link to confirm that my e-mail address exists, then they would surely be willing to buy some property on Mars I have for sale. Radiation-free. Really.
People say I'm crazy, I got diamonds on the soles of my shoes...
Actually, and yeah yeah yeah, I know there are probably settings around this, but that default of cgi variables automatically being turned into global variables of the form $same_name_as_in_the_form has always seemed to be asking for trouble.
PHP, at least when I was looking at it a year and a half ago, always felt half-baked to me.
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
No, not yet! I'm only halfway through my penis-enlarging regimen!
People who buy pump&dump-spamvertised stocks lose their money.
People who buy bogus-prescription opiate painkillers go to sleep all the time and lose their nationwide radio shows.
People who buy penis enlarger pills have their dicks fall off. The problem is that they're usually older men who have already made their contributions to the gene pool, so Darwin doesn't get them in the end.
The problem, of course, is that all of these bad things happen to the customers after they've given the spammers their money, so it doesn't stop the spammers, and if they're dumb enough to believe that the spammers' products will work, they're too dumb to believe the Absolutely True Results By Top Scientists which say that their dicks will fall off if they buy fake vi1@gruh, even if we get the supermarket tabloids to keep printing headlines about it.
I think it's time we get a new mail protocol.
If we can somehow get a list of relays authorized for the sender's domain, it would be easier to flag a message as SPAM.
Also, I think the messages should be stored on the relay, with just a URL sent in the mail body. It would solve two problems:
* The size of the message will be limited by the size of the sender's mailbox.
* It will use more resources on the relay, and the admin should be less likely to run an open relay.
Death has been proven to be 99% fatal in lab rats.
yes it's definitely profitable, this is part of the problem, a major part of it!
even with all the crap that people are doing, new SMPT clients, new RFCs and bullshit, it's not going to work!
why? because spammers pay their ISPs tens of thousands of $ a month just for the privilege of spamming!
I remember an old story months (or years) ago about a spammer, got tracked down, the whole nine yards, the ISP refused to cut them off because they were paying the ISP over $50,000 a MONTH to send spam. These days they pay even more.
So all your "checks and balances" don't do any good, because the spammers are VALID users (at least in the eyes of the ISP hosting them).
And this is also why no one does egress filtering. AT&T US, etc won't do it because they get PAID to keep sending the stuff...
face it, spam is BIG business, it makes millions, esp for the ISPs, etc.
all your useless "valid" client checks, checksums, special SMTP servers, blah blah blah won't make a damn of difference.
the only way is with either good (huge) blacklists or bayesian all over the place.
and what someone said about "end users" not caring about bandwidth usage, not true. I'm an end-user, and I care, excess bandwidth costs me money dammit! I am my own mail server, so don't tell me a firewall on my server is gonna slow down the traffic. it doesn't.
I keep to my original proposal, a massive blacklist. headache? yes, but it'd work if kept updated...
Yeah, send 'em into the organ banks. Mind you, if my arm falls off, I'm not sure I'd like to know my new one might have come from a spammer...
End of lesson. You may press the button.
No, and apache didn't get rooted, either. A poorly written PHP script did.
Vintage computer games and RPG books available. Email me if you're interested.
Comment removed based on user account deletion
that this intrusion is probably the work of some teenage kid who will never have to do a day of real work in his life. But at least stuff like this keeps us admins employed. . . at least some of the time.
This comment was generated by a squadron of trained super elite albino ninja chickens for you.
This is going to make me move my web server to OpenBSD 3.4-stable on macppc even sooner. It would have two layers of defense against this kind of attack, even if the PHP hole was there.
Running under systrace might also help stop it from opening outbound connections.
It was a pretty good article, but he leaves off one glaring fact. If he had kept his software up to date, this would never have happened. BugTraq says August 2002 when this was identified.
This is a test. This is a test of the emergency sig system. This has been only a test.
it should be noted that this wasn't apache that was rooted. it was a poorly written PHP app, using an injection technique.
http://kered.org
Who exactly is funding all this spam? Is there one major media conglomerate behind it, like Viacom? That would be totally wild.
stuff |
I have 2 questions that I have always wondered:
1. Most spam mails are selling something physical and are actual companies; why can't they therefore be tracked down and slapped with lawsuits easily?
2. Why doesn't user education work? Maybe a mass education campaign towards users will make the spammers give up - I agree there will always be the odd idiot, but if 99% of users are educated, just like most kids know not to talk to strangers, there will eventually be a decline in such?
That sounds suspiciously familiar, especially when you substitute "e-mail" with "innocent-looking links to Amazon.com".
"Ask not what your country can do for you." --John F. Kennedy
Well, there's no accounting for spammers' tastes. Judging from some of the spams I've seen, females with enlarged cocks are apparently pretty popular with these folks...
"Time is an abstract concept devised by carbon-based lifeforms to monitor their ongoing decay." - Thundercleese
I dont see what the technical or social barriers are. For example, it would not require any change in the way mail is transported. Instead it would all be handled by the recipient's browser.
consider the following straw man scheme. I send you an e-mail.
1) If I am in your white list the e-mail is accepted.
2) if not then the e-mail is examined for a signed, serial numbered e-stamp and if present a short message is sent to central post office to debit the senders account one penny, and a receipt is returned to my e-mail program which then lets the message in.
3) Finally if the message does not contain a stamp and is not white listed, the message is put in a spam folder and a memo sent to the sender (me) telling me that I need to request permission to send e-mail.
The last step is how for example Earthlink's highest level spam blocker works. If most messages are spam then of course it doubles the total number of messages sent, but does not double the total message sizes or hand shaking. To the extend that it works, the post offices will only be consulted if the sender is not in the white list so unused stamps can be reclaimed. Moreover one could have the option of refunding the senders stamp if the message were welcome.
I dont see what the sociologocal or technical hurdles are. Not every one has to be using the stamp processing client program. When stamps are not present it defaults to the earthlink system. When they are is skips that nuiscance.
the best part is that legitimate direct mailers might very well be willing to pay the postage to send you an advertisment but presumbaly in many cases these would be targeted ads to people with potential interest.
Some drink at the fountain of knowledge. Others just gargle.
First spam, then the Empire! Finally Portugal is regaining it's place! Seaway to India, you say? Do I ear Brazil? Was that "Eastern Empire" sir? Bollocks! It all fades away compared to the might of SBTF.NET!
;)
On a more serious note, the telephone contact given in the RIPE lookup is a bogus one (lacks one number to be a valid portuguese phone number), the "Rua do Norte" street doesn't exist in Lisbon and SBTF isn't listed in any portuguese site that deals with companies registration.
Some say "bad publicity is good publicity"... I would rather not have my country mentioned by these particular reasons.
But... the guy reporting it is from Spain... this could be some devious plot to, er, something.
cheers
Actually, nowhere does it say that root privilege was used at all -- the attack was against a PHP interpreter embedded in an Apache binary running as www-data, and it started a new process which also ran as www-data. The article summary is a bit misleading.
Hi
s ins
I have made an eigenpoll
to find the best spamtools.
First ranking the tools you know,
the it runs some data minning and find the best tool.
Right now the list looks like.
sa-exim
Outclass
Mail Scanner
spamprobe
POPFile
SpamBayes
SpamAssas
Vipul's Razor
Blackmail
bogofilter
Infinospam
Spamthi
Shovel
SpamBouncer
Declude JunkMail
spamhole
In my dorm we have blocked port 25 from LAN to internet. It was thought to keep viruses from propagating from out network and keep people from setting up a spamserver. Now it looks like a very good decision. (they can actually only use our DMZ smtp gateway, which is antivirus protected).
All ISP or the like should block port 25 outbound by default, and make people use the smtp server of the ISP. If people (1 out of 10.000) would like to use port 25 outbound, they should contact the ISP through a bureaucratic procedure. That would close the trojan hole at least.
Are there any other ports (priviledged/unpriviledged) that one can safely block to avoid trojans and the like???
1) make money (or is spamming that easy?) :-)
2) get my rc control car that gives me a reduced mortgage, life insurance and 'elongates' my love life
More seriously, the education needs to be for the people who buy off these people. If people stop using the 'services' then the spammers will move onto some other way of making money.
I've gotten a few of those and always attributed it to a legitimate TMDA triggered by the newer breeds of email viruses that set the from: to be someone else from the addressbook (ie, me).
Let's first of all say I am no fan of spam. In fact, I hate it. All spammers - and virus writers - should be strung up and subjected to some real virii.
However, some of these statistics are possibly obscuring reality. For example, let's take Messagelabs anti-spam service. Until recently, all emails from WorldPay - receipts, etc. - were marked as spam. All the traffic on an email discussion list that I have signed up for are marked as spam. Some commercial email notification lists that I have signed up for (ie. Maplin offers) are marked as spam.
But none of those emails *are* spam. Admittedly, some spam emails do get through without being flagged. So maybe it's a bit 'swings and roundabouts'. And regardless, the situation is pretty depressing anyway.
One thing I have been thinking about - and just wondering whether it should be entered as an Ask Slashdot item - are some of the 'cures' as bad as the problem itself?
I work on biology / medicine journals websites, and we offer a number of automatic notification and general update services. Note that these are *not* spam - they are requested by individuals by signing up on the website - and instructions are given in every email in how to remove yourself from the list. And they are a very valuable service to many people that do choose to receive them. Yet it only takes 1 person to not bother to read or follow the removal instructions, or otherwise hit some other temporary (accidental) issue that holds up their removal, and then submit it to a blacklist service to bugger things up for many other people.
So where is the regulation on the blacklist services? Where is the ability for *genuine* (provably genuine) companies to register their services in such a way that rather than getting blacklisted immediately, they have the opportunity to respond to the issue raised? Is this a small or large price to pay to partially stem the tide of actual spam?
Uh, no. Using "he" as a generic 3rd person pronoun is deprecated, and has been so for a long time. Though I cringe at the thought of women being spammers, and would hope that women would have more sense. :-)
Note that both your references have notations about generic usage and the problems that arise.
The least worst I've heard recently is singular "they".
...laura
If you received an ad in the mail for my product and the ad was contaminated with anthrax, wouldn't I be liable? Maybe not if I told you I used a mail service to send my ad, and that they must have done the contaminating, but at the bare minimum, I would be expected to fess up as to who the mailer is. If I didn't know who the mailer was (blind credit card form or somesuch) I might be guilty of negligence - at least I'll bet a civil suit would say so, because someone has to be blamed for the contamination. Spam may not be anthrax, but there is a conceivable case for liability if we went after the marketers, no?
I wonder how long before people start having to "strike back". This guy got as far as finding out the master server; just imagine, for a moment, what he could have found had he turned the table and rooted the master server. He probably would be able to trace back all the way to the culprit.
I'm not saying this should be done; I'm just saying this will be done, sooner or later, by someone who got fed up enough. And that will mean the end of the Internet as we know it, since the spammers will react violently to the strike back, turning the whole net into a gigantic game.
Instead of having one mail server for your home or organization, you have two. Except one is secretly useless. It just blackholes everything that's sent to it.
You buy another domain and list the blackhole as the MX record for the new domain.
You sign up for a bunch of email marketing lists using addresses from the blackhole domain.
Everything that gets sent to the blackhole server is by definition spam.
The blackhole server also runs DNS. You set your real mail server's RBL DNS to point to the blackhole server.
Every time the blackhole server accepts a connection on port 25, the blackhole server immediately drops the connection (so no wasted bandwidth) and updates DNS with the originator's IP address.
You now have your own local blacklist, you don't have to trust somebody elses. Keep a log, if somebody bitches about it you can say "Well, somebody sent spam to my blackhole server on this date at this time from your IP. Suffer".
You'd have to combine it with a whitelist to let Yahoo and Hotmail and so on through, but you'd still kill a lot of spam.
Thoughts?
Wow, a lucrative publishing contract! I don't have to be evil anymore. --Meteor
Not selfish. The word you want is stupid. Your attitude is equivalent to saying you don't care about massive water pollution because you've got a really good personal filtering system that can make a small amount of drinking water safe, so you don't care about pollution, say, killing crops.
The problem with spam is that it is threatening to overwhelm the basic infrastructure of the net.
The spam contains ads for the "Asta Design Group", which has been widely spamvertized. A bit of searching turns up this address:
360 NE 49 St
Fort Lauderdale, Florida USA 33334
E-mail: seafish1@ix.netcom.com
Another lead gives us
SeafishNET
360 NE 49 St.
Oakland Park, Florida 33334 USA
(954) 351-7961
seafish1@ix.netcom.com
Same address and zip code, but in Oakland Park, a Ft. Lauderdale neighborhood. Now we have a phone number. Google gives us
Checking the satellite imagery, that's a tract house backing up to a six-lane highway. It's not a mailbox service.
Since we're talking about felony computer intrusion here, that's the address to give the cops. This may or may not be the intruder, but they probably know who it is.
I haven't met the guy and tend to hold him in reasonably high regard based on what I've read of his writings on the Internet. That being said, he appears to be extremely opinionated and tends to say or imply that certain people that disagre with him are idiots. While this may be the case (or may not be; I have no idea, but I'll give djb the benefit of the doubt), his tendency to express himself so bluntly probably turns many people off.
Help save the critically endangered Blue Iguana
The overwhelming amount of spam I get now involves the advertising (and presumably selling) of a controlled substance--a prescription drug that is deemed a narcotic. The prescribing of this drug (and a few others in the spams) by legitimate physicians, and its dispensing by legitimate pharmacies are strictly regulated in some kind of effort to prevent the abuse of the drug--an abuse that is rampant in many areas of the US.
I keep waiting to hear that the Federal authorities have taken some action in this regard. If you've ever been through US Customs (and especially if you're young, not white, or in any way "unusual" looking) you'll know that they make a great show of looking through everybody's sneakers and dirty laundry on the hunt for "illegal drugs." Even in these times of terrorism, it's their chief claim to fame.
The potential for abuse seems enormous and growing to me. It also seems to me that a lot of the spams advertising this stuff originate in, or pass through, the U.S. If somebody in our town hung out a sign saying GET YOUR PRESCRIPTION NARCOTICS HERE--NO PRESCRIPTION REQUIRED, my guess is the police would take an interest. But we seem to have virtual open-air drug markets operating undisturbed.
If anyone wonders how spammers make money, this is certainly one possible way, and I suspect it's incredibly lucrative.
DUCT TAPE: The Election Supervisors' Secret Weapon
I was very impressed with the forensics this guy did. It was fascinating. Too bad it's necessary. I wonder how many machines out there are compromised without anyone even knowing it.
* Make every stupid person smart so noone responds to spam
* Change every mail server in the world to use a new protocol
* Use client-side spam detection to hide spam and expect the stupid people to use it
Well, I have less than complete faith in any of these methods providing an adequate short term solution. So, why cannot we look at the big picture?
A few major spammers are sending millions of emails. The effect is close to being a DoS attack on the entire Internet. These emails are susceptible to pattern analysis if analyzed on a global basis. Surely what we need is somethng akin to an Internet-wide intrusion detection system. When pattern analysis indicates a spam attack, we simply block the traffic as close to the source as possible.
Wouldn't there be a cost associated with this? Sure. But the spam problem needs to be resolved and this is the only realistic short term solution that I can envisage.