Slashdot Mirror

← Back to Stories (view on slashdot.org)

Examining an Automated Spam Tool

Posted by michael on from the processed-meat dept.

Saint Aardvark writes "SecurityFocus has published an excellent column detailing how spammers r00ted an Apache server, and used it to send spam. The tool they used is (I hate to admit it) pretty sophisticated: it has macro capabilities, picks up email addresses from and reports success or failure to the master server. It's a very frightening read...and so is this: Message Labs reports that they now intercept 27 spam emails per second, up from 2 per second this time last year. Virus-created proxies are mainly to blame."

36 of 415 comments (clear)

  1. All this really makes me wonder... by BJZQ8 · · Score: 5, Funny

    All this really makes me wonder when the death penalty will be approved for spammers. Or at least some harsh beatings...

    1. Re:All this really makes me wonder... by taperkat · · Score: 5, Insightful
      can't we just beat the stupid people that actually respond to spam, thereby making the spammers more money to keep berating me to get my cock enlarged?

      after all, I am a female.

      --
      "But I can't get an ocean that's deep enough for my day..." ~The Frames, "Fitzcarraldo"
    2. Re:All this really makes me wonder... by calebtucker · · Score: 5, Insightful

      I totally agree. While I really hate the spammers I think I might hate the people that actually buy stuff from spam a little bit more.

      If you think about it, there are some really intelligent spammers (even though they are disgusting scum of the earth). They're always one step ahead of us and are figuring out new ways to spam us.

      On the other hand, the people who buy stuff from spam are just plain morons. period.

      --
      My sig can beat up your sig.
    3. Re:All this really makes me wonder... by taperkat · · Score: 5, Funny

      but... my family in Nigeria needs your help... *sob*

      --
      "But I can't get an ocean that's deep enough for my day..." ~The Frames, "Fitzcarraldo"
    4. Re:All this really makes me wonder... by arivanov · · Score: 4, Interesting

      You will need an ICBM version and Putin's agreement to let it through and not pay you back in the same currency with interest.

      Jokes aside, while not being compromised myself I have gone through a similar process investigating distributed server farms on cable and DSL serving counterfeit software (once again advertised by SPAM). In all cases the final step ended up being somewhere in Russia at least 600km from of Moscow.

      The method of intrusion is different though. In all cases it is windows software. Common examples are the one which copies DVDs to CDs (with all offers seen over the last 2 months being a trojan). Basically this, along with several similar common SPAM sucker gatherers is used for guess what - to gather suckers. The software actually works, but it contains a fairly sofisticated remote access trojan.

      This has recently been extented to include sucker gatherers introduced in counterfeit branded software. Basically, you pay 39$ for a counterfeit Win XP pro at "OEM Clearance Sales" and get a Win XP pro with a "surprise".

      Servers are all over the world, mostly on cable networks (strangely enough very few DSL ones). DNS (which is the weakest link) is run by known "questionable" marketing hosting sites usually in the US.

      With the number of suckers around trying to copy DVDs onto CDs frankly I do not see a reason for all the effort into hacking sites with vulnerable lame PHP software. So I guess these were some "new kids on the block"

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  2. Spammers know what they're doing by bigberk · · Score: 5, Informative

    Spam is profitable, and this is becoming a huge underground business. Spammers regularly compromise other systems and install sophisticated software to allow easier spamming. Here's a document that describes the link between spam and viruses

    1. Re:Spammers know what they're doing by Vainglorious+Coward · · Score: 5, Insightful

      Spammers regularly compromise other systems and install sophisticated software to allow easier spamming.

      I could have sworn that this was illegal.

      It is illegal, but then again, many of the products and services the spammers are pimping are also illegal. The legality (or not) has very little to do with it.

      --
      My next sig will be ready soon, but subscribers can beat the rush
    2. Re:Spammers know what they're doing by Urkki · · Score: 5, Insightful

      Of course it is illegal. The problem is catching those that do it. The actual spam marketers will be hard to prosecute for it just because they use services of other "businesses" for delivering their marketing material. And actually getting these "other businesses" to court might be rather hard if they operate in some 3rd World pirate heaven, have no public office, and all business transactions are handled electronically, and are purposefully hidden or obfuscated.

  3. Well... by hookedup · · Score: 5, Interesting

    One day I noticed that one of my remote servers was sending 24 hours a day a continuous 11Kbytes stream, using the 100% of the upload bandwidth (128Kbits).

    Seems greed has once again turned around and bit someone in the ass (in this case it was a good thing). So all these spammers really need to do is slow down the avalanche of spam somewhat, and throttle their speeds when relaying. Otherwise, how long would this have went on for if he hadnt noticed his upload being maxed?

  4. If only by goodbye_kitty · · Score: 4, Insightful

    If only we could harness the power of these cool (and working!) distributed systems to provide efficient peer to peer content distribution or an actual legitimate email system of some sort...

  5. They "r00ted" a native american waiter? by Anonymous Coward · · Score: 5, Funny

    This is obscene. How far will spammers go?

  6. Why do you hate to admit it? by Tim+C · · Score: 4, Insightful

    If they're good, and are producing sophisticated tools and methods for spamming, then it's imperative that it is admitted, so people will understand the true nature of the problem and what anti-spammers are up against.

    One of the most fatal mistakes you can make in any conflict is to underestimate your opponent.

    --
    It's official. Most of you are morons.
  7. Bad getting worse... by tuxette · · Score: 5, Interesting
    Other trends started this year and expected to increase in 2004 include the use of e-mail to trick people into going to what they think is a legitimate vendor's web site and provide confidential information, such as social security or credit card numbers, MessageLabs said.

    Although I haven't experienced spam that goes so far, I have received (in my special spam account for playing with Nigerians and lottery managers) quite a few mails with requests to confirm my e-mail address. It works like this - you get a mail saying something a la: "I am controlling the e-mail sent to my inbox for the following address: sucker@born.every.minute.com. By asking for you to confirm that you really sent email to me I can ensure that I receive no spam and that your email address really exists. This is a one time confirmation, please click the link below and your email will be delivered straight away, now and in the future. Regards, Alberto Huber"

    The funny thing about it was that the "I" in question was neither someone I sent mail to nor someone I know at all.

    Now if they think I'm going to go click the link to confirm that my e-mail address exists, then they would surely be willing to buy some property on Mars I have for sale. Radiation-free. Really.

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...
  8. stupid gap in PHP... by kisrael · · Score: 4, Interesting

    Actually, and yeah yeah yeah, I know there are probably settings around this, but that default of cgi variables automatically being turned into global variables of the form $same_name_as_in_the_form has always seemed to be asking for trouble.

    PHP, at least when I was looking at it a year and a half ago, always felt half-baked to me.

    --
    SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
  9. No Death Penalty, Please!!! by tds67 · · Score: 5, Funny
    All this really makes me wonder when the death penalty will be approved for spammers. Or at least some harsh beatings...

    No, not yet! I'm only halfway through my penis-enlarging regimen!

  10. New protocol? by HornyBastard · · Score: 5, Interesting

    I think it's time we get a new mail protocol.

    If we can somehow get a list of relays authorized for the sender's domain, it would be easier to flag a message as SPAM.

    Also, I think the messages should be stored on the relay, with just a URL sent in the mail body. It would solve two problems:
    * The size of the message will be limited by the size of the sender's mailbox.
    * It will use more resources on the relay, and the admin should be less likely to run an open relay.

    --
    Death has been proven to be 99% fatal in lab rats.
  11. yes it is profitable by RouterSlayer · · Score: 5, Insightful

    yes it's definitely profitable, this is part of the problem, a major part of it!

    even with all the crap that people are doing, new SMPT clients, new RFCs and bullshit, it's not going to work!

    why? because spammers pay their ISPs tens of thousands of $ a month just for the privilege of spamming!

    I remember an old story months (or years) ago about a spammer, got tracked down, the whole nine yards, the ISP refused to cut them off because they were paying the ISP over $50,000 a MONTH to send spam. These days they pay even more.

    So all your "checks and balances" don't do any good, because the spammers are VALID users (at least in the eyes of the ISP hosting them).

    And this is also why no one does egress filtering. AT&T US, etc won't do it because they get PAID to keep sending the stuff...

    face it, spam is BIG business, it makes millions, esp for the ISPs, etc.

    all your useless "valid" client checks, checksums, special SMTP servers, blah blah blah won't make a damn of difference.

    the only way is with either good (huge) blacklists or bayesian all over the place.

    and what someone said about "end users" not caring about bandwidth usage, not true. I'm an end-user, and I care, excess bandwidth costs me money dammit! I am my own mail server, so don't tell me a firewall on my server is gonna slow down the traffic. it doesn't.

    I keep to my original proposal, a massive blacklist. headache? yes, but it'd work if kept updated...

    1. Re:yes it is profitable by phorm · · Score: 4, Interesting

      I remember an old story months (or years) ago about a spammer, got tracked down, the whole nine yards, the ISP refused to cut them off because they were paying the ISP over $50,000 a MONTH to send spam. These days they pay even more.

      Because SPAM as a whole is becoming illegal in many areas, and much of what spammers do is already illegal. If the ISP is allowing the spammer to continue operation, and he is pumping illegal products/scams/etc then the ISP will be on the line.

      It's one thing to profit for unscrupulous activity, it's another to knowingly allow an illegal one.

      Making it easier to certifiably track spammers is part of the solution because if you can say with strong surety that an ISP is supporting the spammer... then you can take action against the ISP.

  12. Re:(Slightly OT) Apache R00ted?? by SuiteSisterMary · · Score: 5, Informative

    No, and apache didn't get rooted, either. A poorly written PHP script did.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  13. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  14. OpenBSD on macppc by Anonymous Coward · · Score: 4, Interesting
    Geez,

    This is going to make me move my web server to OpenBSD 3.4-stable on macppc even sooner. It would have two layers of defense against this kind of attack, even if the PHP hole was there.
    1. Chrooted apache means that necessary shared libs/utility apps for the binary aren't available immediately.
    2. PowerPC processor means that i386-binary payloads won't run

    Running under systrace might also help stop it from opening outbound connections.
  15. Pretty good article by bigjnsa500 · · Score: 5, Insightful

    It was a pretty good article, but he leaves off one glaring fact. If he had kept his software up to date, this would never have happened. BugTraq says August 2002 when this was identified.

    --
    This is a test. This is a test of the emergency sig system. This has been only a test.
  16. apache wasn't rooted, an installed PHP app was by deander2 · · Score: 4, Insightful

    it should be noted that this wasn't apache that was rooted. it was a poorly written PHP app, using an injection technique.

    --
    http://kered.org
  17. A question regarding education/tracking? by Anonymous Coward · · Score: 4, Insightful

    I have 2 questions that I have always wondered:

    1. Most spam mails are selling something physical and are actual companies; why can't they therefore be tracked down and slapped with lawsuits easily?

    2. Why doesn't user education work? Maybe a mass education campaign towards users will make the spammers give up - I agree there will always be the odd idiot, but if 99% of users are educated, just like most kids know not to talk to strangers, there will eventually be a decline in such?

    1. Re:A question regarding education/tracking? by Kjella · · Score: 4, Insightful

      1. Because it's usually some spamming company performing the spamming, not the real company. They only hired their "PR services", in which case you have to prove they did know it their marketing practices would be illegal.

      2. No, 99% is not enough. A 1% response rate would be insanely high. Even a 0,01% response would easily be enough. Because it costs next to nothing, with next to nothing in risk.

      To pull on your "99% of users are educated, just like most kids know not to talk to strangers" analogy, it wouldn't work if the pedos could ask thousands of children simultaniously (i.e. no cost of time) and none of those that refused would report it. Who cares if 990 turn you down, if you can have a 10-kid orgy every day? Sounds awfully cruel, but that's the way spam works today. They pray on the few stupid enough, and hope that the great majority will simply hit 'delete'.

      Kjella

      --
      Live today, because you never know what tomorrow brings
  18. Re:enlargements by ebonkyre · · Score: 5, Funny

    Well, there's no accounting for spammers' tastes. Judging from some of the spams I've seen, females with enlarged cocks are apparently pretty popular with these folks...

    --
    "Time is an abstract concept devised by carbon-based lifeforms to monitor their ongoing decay." - Thundercleese
  19. why not e-stamps? by goombah99 · · Score: 4, Interesting
    How come the idea of e-stamps is not getting any traction? The concept is that you are assessed a small charge for sending unwanted mail.

    I dont see what the technical or social barriers are. For example, it would not require any change in the way mail is transported. Instead it would all be handled by the recipient's browser.

    consider the following straw man scheme. I send you an e-mail.
    1) If I am in your white list the e-mail is accepted.
    2) if not then the e-mail is examined for a signed, serial numbered e-stamp and if present a short message is sent to central post office to debit the senders account one penny, and a receipt is returned to my e-mail program which then lets the message in.
    3) Finally if the message does not contain a stamp and is not white listed, the message is put in a spam folder and a memo sent to the sender (me) telling me that I need to request permission to send e-mail.

    The last step is how for example Earthlink's highest level spam blocker works. If most messages are spam then of course it doubles the total number of messages sent, but does not double the total message sizes or hand shaking. To the extend that it works, the post offices will only be consulted if the sender is not in the white list so unused stamps can be reclaimed. Moreover one could have the option of refunding the senders stamp if the message were welcome.

    I dont see what the sociologocal or technical hurdles are. Not every one has to be using the stamp processing client program. When stamps are not present it defaults to the earthlink system. When they are is skips that nuiscance.

    the best part is that legitimate direct mailers might very well be willing to pay the postage to send you an advertisment but presumbaly in many cases these would be targeted ads to people with potential interest.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  20. Re:yep by Urkki · · Score: 5, Insightful
    • Something desperately needs to be done with SMTP to control this stuff....

    Yes. It needs to be completely blocked at backbone routers, and new and better alternative developed.

    So, the steps would be
    1. develop a better alternative as fast as possible, and make it as simple as possible to implement.

    2. deploy the better alternative for test use.

    3. develop a fixed version 2 of the better alternative after it's holes are discovered.

    4. deploy the fixed version.

    5. block SMTP and version 1 of new protocol at international and national backbones and national borders, so that everybody is forced to switch.

    So SMTP would still be completly usable for example inside organizations, so if a company has huge installed base of legacy software, they could have internal SMTP-new protocol gateway.

    Of course this would require IETF to get their act together, and various governments to agree that this must be done, and actual new protocol to be simple enough and not contain patented algorithms or any other stupidities.

    So it will not happen. Then spam will overwhelm the internet transfer capacity. Then SMPT is blocked and free internet e-mail will cease to exist. Proprietary solutions will develop, but there will be a chaos. Incidentally, Microsoft will happily provide a closed proprietary system only usable from their operating systems.
  21. spamtools by AeiwiMaster · · Score: 5, Informative

    Hi

    I have made an eigenpoll
    to find the best spamtools.

    First ranking the tools you know,
    the it runs some data minning and find the best tool.

    Right now the list looks like.

    sa-exim
    Outclass
    Mail Scanner
    spamprobe
    POPFile
    SpamBayes
    SpamAssass in
    Vipul's Razor
    Blackmail
    bogofilter
    Infinospam
    Spamthis
    Shovel
    SpamBouncer
    Declude JunkMail
    spamhole

  22. how to fix the problem by Brandon+T. · · Score: 5, Informative
    You can fix this problem by catching attempts to modify the $GEEKLOG_DIR file via get or post methods at the top of the gallery/classes/geeklog/User.php file. Insert this line:
    if (isset($_GET['GEEKLOG_DIR']) ||
    isset($_POST['GEEKLOG_DIR'])||
    isset($_SESSION['GEEKLOG_DIR']))
    die('nice try buddy.');
    }
    The $GEEKLOG_DIR variable is actually set at the end of the gallery init file, so it should not be coming from any other directories. This is another example of why it's bad to leave register_globals on, as the whole problem could have been avoided otherwise.
  23. Need to block port 25 all over by penthouseplayah · · Score: 4, Interesting

    In my dorm we have blocked port 25 from LAN to internet. It was thought to keep viruses from propagating from out network and keep people from setting up a spamserver. Now it looks like a very good decision. (they can actually only use our DMZ smtp gateway, which is antivirus protected).

    All ISP or the like should block port 25 outbound by default, and make people use the smtp server of the ISP. If people (1 out of 10.000) would like to use port 25 outbound, they should contact the ISP through a bureaucratic procedure. That would close the trojan hole at least.

    Are there any other ports (priviledged/unpriviledged) that one can safely block to avoid trojans and the like???

    1. Re:Need to block port 25 all over by tgd · · Score: 4, Insightful

      To do that ISPs need to allow SMTP authenticated users to send e-mail with any domain name attached.

      I have to run my own e-mail server, because Comcast (my cable modem provider) doesn't allow me to send outgoing e-mails with my real e-mail address, its go to be @comcast.net or whatever their domain is.

      If they block port 25, e-mail is effectively shut off for me as a usable technology on the Internet, and I'll be stuck either having to tunnel the e-mail to someone who doesn't have it blocked, or change ISPs.

  24. Interesting, but... by grahamtriggs · · Score: 5, Insightful

    Let's first of all say I am no fan of spam. In fact, I hate it. All spammers - and virus writers - should be strung up and subjected to some real virii.

    However, some of these statistics are possibly obscuring reality. For example, let's take Messagelabs anti-spam service. Until recently, all emails from WorldPay - receipts, etc. - were marked as spam. All the traffic on an email discussion list that I have signed up for are marked as spam. Some commercial email notification lists that I have signed up for (ie. Maplin offers) are marked as spam.

    But none of those emails *are* spam. Admittedly, some spam emails do get through without being flagged. So maybe it's a bit 'swings and roundabouts'. And regardless, the situation is pretty depressing anyway.

    One thing I have been thinking about - and just wondering whether it should be entered as an Ask Slashdot item - are some of the 'cures' as bad as the problem itself?

    I work on biology / medicine journals websites, and we offer a number of automatic notification and general update services. Note that these are *not* spam - they are requested by individuals by signing up on the website - and instructions are given in every email in how to remove yourself from the list. And they are a very valuable service to many people that do choose to receive them. Yet it only takes 1 person to not bother to read or follow the removal instructions, or otherwise hit some other temporary (accidental) issue that holds up their removal, and then submit it to a blacklist service to bugger things up for many other people.

    So where is the regulation on the blacklist services? Where is the ability for *genuine* (provably genuine) companies to register their services in such a way that rather than getting blacklisted immediately, they have the opportunity to respond to the issue raised? Is this a small or large price to pay to partially stem the tide of actual spam?

  25. Re:SpamAssassin makes me not care by harlows_monkeys · · Score: 4, Insightful
    I know it is selfish...I no longer care about spam

    Not selfish. The word you want is stupid. Your attitude is equivalent to saying you don't care about massive water pollution because you've got a really good personal filtering system that can make a small amount of drinking water safe, so you don't care about pollution, say, killing crops.

    The problem with spam is that it is threatening to overwhelm the basic infrastructure of the net.

  26. OK. who's behind this? by Animats · · Score: 5, Interesting
    Let's dig a bit. As usual, we ignore where the spam came from, and concentrate on where the money goes.

    The spam contains ads for the "Asta Design Group", which has been widely spamvertized. A bit of searching turns up this address:

    • SeafishNET and the Asta Design Group
      360 NE 49 St
      Fort Lauderdale, Florida USA 33334
      E-mail: seafish1@ix.netcom.com

    Another lead gives us

    • The documents and information on this Web site are copyrighted materials of SeafishNET, Asta Designs and its information providers.... "SeafishNET" and the SeafishNET logo are registered trademarks of SeafishNET.

    • SeafishNET
      360 NE 49 St.
      Oakland Park, Florida 33334 USA
      (954) 351-7961
      seafish1@ix.netcom.com

    Same address and zip code, but in Oakland Park, a Ft. Lauderdale neighborhood. Now we have a phone number. Google gives us

    • Charles Fish, (954) 351-7961, 360 NE 49th St, Fort Lauderdale, FL 33334

    Checking the satellite imagery, that's a tract house backing up to a six-lane highway. It's not a mailbox service.

    Since we're talking about felony computer intrusion here, that's the address to give the cops. This may or may not be the intruder, but they probably know who it is.

  27. Questions for you Linux experts out there by TheTranceFan · · Score: 4, Interesting
    I'm a relative Linux noob and I'm trying to understand this thing. I read the whole article, but there are a few things I'm not sure I get.
    1. Was his server really rooted? It seems like these bogus httpd's that were running were still running as www-data, the user this guy had Apache running as.
    2. Did I miss some escalation-of-privileges step, or does apache's user usually have this level of privileges? Like chmod'ing things it got with wget...yikes!
    3. I run php with register_globals=off. Is that enough?
    4. What's an easy way in Linux to tell if your outbound bandwidth is slammed?

    I was very impressed with the forensics this guy did. It was fascinating. Too bad it's necessary. I wonder how many machines out there are compromised without anyone even knowing it.