Infected Windows PCs Now Source Of 80% Of Spam
twitter writes "The Register is reporting a study by Sandvine.com that blames Microsoft Zombies for 80% of all spam. The study goes on to claim that 90% filtering is not effective given the unprecedented volume and that sophisticated trojans are able to drop spam directly on end users' computers despite current efforts. Just another cost of supporting Microsoft, I suppose."
When XP Bug patch 2 comes out, this situation will only get worse, since ppl can't patch their dodgy (illegal) copy of XP.
in filter research, maybe we should be spending it on educating users in basic protections....or converting the unwashed masses. I like the 2nd one better :P :P
Please note the sarcasm in the "unwashed masses" comment before modding me as a troll
Here's an idea to help block spam from these. Don't accept any mail from a block of IPs for residential use. Like all of Comcast's home subscribers. Same for Ameritech, Road Runner and all those other residential networks. They are under a license agreement to not run a mail server anyway.
I admit it would be an inconvenience because I run a mail server like that but it might be worth the pain for less spam.
Evolution or ID?
Schools need to start teaching security. Just the idea and what you do. Kids will go home and teach their parents. And slowly more people will become educated. How else can you educate the masses?
Evolution or ID?
I can't speak for all geeks out there (we are usually on the front line), but I have seen so many computers running Windows XP out there just getting raped by adware/spyware/worms/trojans lately. One of the primary culprits? Internet Explorer.
The reason I believe it is Internet Explorer is that I have seen a machine that is behind 2 different firewalls (one of which is a very well configured PIX) get molested. It wasn't used for e-mail, no P2P programs for downloading and nothing else was used except the browser. I am SURE some people were browsing dodgy websites on that machine. So far, it is the only PC on that IP segment that has been infected so it wasn't from another machine.
Anyone else see this out there?
... I apologise for the percentage of MS users who are beyond help, and for the admins who allow them to be so.
We keep our corporate networks nice and clean, we stomp on infections fast, we try to educate our users, we run filters and firewalls, we put in place policies and we try our damndest to prevent this stuff.
But if those users go home to an infected PC, then we've failed. Failed badly. We don't get paid to keep home machines clean, but how much harder would it be to really educate our users? Really?
What can we do? Well, we can impress on our users, as I'm trying to do, that they can suffer real, genuine harm if they don't practice safe computing.
I have this idea. A user doesn't give a crap if they're not harmed directly by a virus. OK, they have a spamming trojan on their machine, do they notice? No, they don't.
So I make sure I tell my users that there are viruses out there which can log their keystrokes and, by inference, steal their credit card number or online banking details or any other personal information.
That makes them wake up. Once there's a chance they might be directly affected in ways other than a slightly slowed down machine, then they start to take notice.
I'd urge every other techie on a Windows network to inform your users in the same way. Make sure they know that viruses aren't just something that affects other people. Then they'll wake up, and everyone else will be better off. Really.
Screw you all! I'm off to the pub
I work for a small ISP and spam is the cause for most of my headaches. We run many different spam and virus filters and they work great but each time we crank the screws down a little with more filtering we get bombarded with calls about it. Seems that people complain about getting spam and when we reduce it more they complain about that because the filters may filter one of their love letters to their mom or whatever. You just can't win I guess.
For the next two weeks until I start a non-crappy job at a Linux based company, I still work graveyards at one of the larger aggregate dialup resellers in the US (no, my email address, whois records, etc, are not indicative) and this means I mainly handle abuse complaints.
We get the occasional hit & run spammer who signs up for one of the $9.95/mo services with a prepaid credit card (so we can't effectively fine them) and then spams the heck out of the connection until we cut them off, but 99% of spammer complaints (that aren't due to spamcop being fooled by well crafted headers from brazil, or confused by unpublished relay hosts in our spam filtering cluster) are traced to users who have been with us for some time, who have never given us any trouble, and who have called customer service frequently for fairly basic help with simple internet setup tasks -- usually an account shared by a family with several children, or used by an old lady who just wants to look at pictures of the grandkids on the intarweb gadget. Pretty unlikely spammers.
The accounting department doesn't like it, would prefer to shoot first with a $100 fine and let customers beg for forgiveness later, but I argue constantly that we should give them at least one chance to disinfect their computer. We go ahead and fine 'em if they don't fix their issue within a few days, though, and then accounting makes them prove they are disinfected before giving them their money back.
It's poor customer service, ultimately, but wtf is an ISP to do? If we just pestered them with email they'd assume we didn't really mean it, and would never fix their systems.
This is just like television, only you can see much further.
They don't. They will simply lop port 25, and force you to use their smtp servers, or lack thereof. While they are at it, meter you $0.10 a letter. And 50 years from now we will be asking why email costs so damn much.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
According to Google, the operating systems used to access Google (which I would think correlates fairly well to overall desktop OS use) are:
Win98 21%
WinXP 49%
Win2000 18%
WinNT 3%
Mac 4%
Win95 1%
Linux 1%
Other 3%
So "Windows" accounts for 92%.
If Windows is so easy to hijack and become a spam relay it must be possible for a Trojan to hijack a Windoze box and install all of the patches? Thereby eliminating most of the problem zombie Windoze boxes.
Unless, of course we start getting anti-anti-spam trojans - that actually patch Windoze to stop the anti-spam trojan working?!
Please don't steal my sig, it's my intellectual property
I worked for an ISP that had outbound port 25 blocked. Served both purposes in regards to our users spamming and infected users spamming. If a business client (or residential even), asked to have it open, we'd set their policy to allow outbound port 25 (assuming they had a static IP) with a small extra charge. Therefore this was never a big issue for us. Is it really this hard for ISPs to do this? I know at least in Ontario, Sympatico does this. Reality is, you can't always expect the user to be 100% patched and secured. At least not all of them.
-----
http://home.ica.net/~casino4u - Safe and Secure!
As far as I can figure from the statement in the article:
"After comparing those data points with the total volume of legitimate messages passing through the service provider's mail system, we are able to arrive at our percentage of 80 per cent",
..it seems to me that the article should say 80% of the service provider's mail traffic was generated by zombies. This is completely different from the statement made in the topic.
It's like you'd go to a bar and observe that 80% of women leave with drunken idiots, and thus proclaim that drunken idiots are able to hit 80% of women.
There may be some causality and statistical significance, but it definitely isn't as clear as the article suggests.
http://codeandlife.com
The users often are the problem; give a user 10 steps to perform to possibly view some naughty pictures of a celebrity and chances are, a significant proportion of them will do so and infect their computer in the process. Heck, some of them would probably run it as root/admin if you asked them to...
Speaking from experience, I can tell you that it's not as easy as it seems...
Various jurisdictions' spam laws vary, but at least in .au where I'm located, the Spam Act 2003 only provides for civil penalty provisions against the spammers (in essence, the .au government will sue you for violating the spam act in civil court.)
Even though the evidential burden in a civil case is much less (balance of probabilities/preponderance of the evidence) than in a criminal case (beyond reasonable doubt), it still proves difficult to tie a spam purporting to advertise, for example, penis pills, to a purveyor of penis pills.
Penis pill guy sends his spam through a few thousand 'fresh proxies' (spam guy terminology for freshly rooted or virused machines garnered from crackers or vx people), penis spam ends up in inbox with penis pill guy's contact details.
So far so good, but there's no causal link between A and B of any forensic value whatsofuckingever. Correlation is not causation.
I'd be more inclined to see a system which plugs into the MTA somewhere between RCPT TO and DATA, which performs a basic open proxy scan on the originating MTA (similar to what many EFnet servers are doing ATM), and if the originating MTA fails the test, mail is refused (preferably with a '550 5.1.1 no such user' error as this may help get you off certain lists) and the originating IP is added to some form of distributed blacklist for X hours (I'd suggest 48... long enough to allow ample time for the machine's owner to find out that they have a virus or spam problem and fix it, not really long enough to cause a major problem.)
I'm actually working on building such a system at the moment... Details will be posted to my website when I have some half decent code that runs (instead of making Postfix's smtpd dump core.)
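The reject-and-blacklist logic sketched in the comment above, written as an added example (not the poster's own code) in the shape of a Postfix SMTPD access policy responder: a client IP that fails the test is refused with 550 5.1.1 and remembered for 48 hours, after which it is re-checked. The probe itself (the open-proxy test the poster describes) is assumed to be supplied by the caller; the request text and IP addresses below are constructed.

```python
import time
from typing import Callable, Dict

# The poster suggests listing a failing host for 48 hours: long enough for the
# owner to notice and clean the machine, short enough not to cause lasting harm.
BLACKLIST_TTL = 48 * 3600

# Replies in the Postfix SMTPD policy protocol ("action=<reply>", blank line ends it).
REJECT_REPLY = "action=550 5.1.1 no such user\n\n"
DUNNO_REPLY = "action=DUNNO\n\n"  # let Postfix's other restrictions decide


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request: 'name=value' lines terminated by a blank line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line closes the request
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


class OriginCheck:
    """Refuse mail from client IPs that fail `probe`; remember them for `ttl` seconds.

    `probe(ip)` is caller-supplied (assumed: the receiving MTA's own test) and returns
    True when the host fails. `clock` is injectable so expiry can be exercised offline.
    """

    def __init__(self, probe: Callable[[str], bool], ttl: float = BLACKLIST_TTL,
                 clock: Callable[[], float] = time.time):
        self._probe, self._ttl, self._clock = probe, ttl, clock
        self._blocked: Dict[str, float] = {}  # client IP -> expiry timestamp
        self.probe_count = 0  # probes actually run; listed hosts are not re-probed

    def is_blocked(self, ip: str) -> bool:
        now = self._clock()
        for stale in [i for i, until in self._blocked.items() if until <= now]:
            del self._blocked[stale]  # entry has served its 48 hours
        return ip in self._blocked

    def decide(self, raw_request: str) -> str:
        """Return the policy reply for one request."""
        attrs = parse_policy_request(raw_request)
        ip = attrs.get("client_address", "")
        if attrs.get("request") != "smtpd_access_policy" or not ip:
            return DUNNO_REPLY
        if self.is_blocked(ip):
            return REJECT_REPLY  # still listed: refuse without probing again
        self.probe_count += 1
        if self._probe(ip):
            self._blocked[ip] = self._clock() + self._ttl
            return REJECT_REPLY
        return DUNNO_REPLY


# Constructed sample request, shaped like what Postfix sends at the RCPT stage.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "client_address=192.0.2.10\nsender=someone@example.net\n"
                  "recipient=user@example.org\n\n")
```

Wiring it to a real Postfix instance means serving `decide()` over a socket named in `smtpd_recipient_restrictions` via `check_policy_service`; the in-memory dict would also need replacing with shared storage to become the distributed list the poster has in mind.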
You're doing it wrong.
There's only so much you can really do with "being smart with your email address"
My point is that you do what you can by...
1) Not giving out real email address in forms
2) Not posting un-obfuscated email address to the web
3) Securely running your OS
But if I follow point 4...
4) Don't give your friends your email address
Then really why do I have an email addy in the first place?
Most of the spam I get is actually those annoying bounce-back messages you get from anti-virus filters. "The email you sent had the virus W32.Blaster" etc etc. The problem is that I run a solely Linux household, so it's probably coming from a virus on someone else's computer.
And for my 2c, Thunderbird's spam filter isn't half bad, if you don't mind the spam hitting your box prior to filtering.
"I am the Black Mage! I casts the spells that makes the peoples fall down!" ~8BT
I've had spam show up at new accounts that were only registered, never used. I've even had spam arrive at an email account that was sent before I even created the account!
Then there are the moron spammers who send out group addressed emails (the ones with 20-30 variants on spelling anything at all like your name.)
Anti-spam on the client is not the solution.
Sticking their severed heads on pikes outside ISPs would be far more effective and satisfying.
Or the traffic problem could be justifiably claimed as a result of poor engineering by Microsoft, and make Bill & co. responsible for the resulting expenses.
Or we could just make ISP's responsible for disconnecting any customer who has an infected machine connected. When the machine is cleaned, then they could reconnect, not before.
No, I don't care about people who can't afford to take care of their machine, buy hardware firewalls, virus scanners, etc. I don't care that people driving rust buckets can't afford better cars, either -- get the hazard off the public byways!
I do not fail; I succeed at finding out what does not work.
The US FCC makes you not only buy a license for your radio/tv transmitters, but also the operators of such must be highly technically trained and be licensed as well. Since an Internet-connected computer is basically a "transmitter" to the public these days, I think they should require licensing as well, with stiff penalties for any operator who operates them "out of spec" just like radio transmitter operators who are negligent (or malicious). Hell, the Brits even require you to buy a license to operate a television receiver!!! It would be a huge source of revenue for the government to mandate computer and operator licenses. If software publishers were also required to be certified by the government, it would ultimately lead to much better quality software on the market too.
"In order for Linux to have the same infection rate as Windows, Linux would have to have the same (or similar) flaws. "
5 g traq/2003/ 07/msg00277.html
If 80% of the users had Red Hat 9 installed, they'd be sending out 80% or more of the spam. RH9's sshd is exploitable out of the box. Heck many distros' CDs come with exploitable sshds and often sshd is the service that gets started by default.
The same people who don't patch their windows machines won't patch their linux machines.
In some stupid hacking contest half a year back, there were silly people who picked RH as their O/S, didn't know how to secure it and kept getting rooted. Either they didn't patch sshd or didn't patch OpenSSL.
The spammers won't really care whether there are 100 vulns or 1 vuln in one machine. All they care about is how many vulnerable machines there are.
Heck, from my webserver logs I see that at least some spammers are trying to get Apache's mod_proxy to send email. They are succeeding for some configs.
Here's a victim:
http://forums.devshed.com/archive/t-9903
Here's another incident
http://cert.uni-stuttgart.de/archive/bu
>>But if I follow point 4...
>>4) Don't give your friends your email address
Here is a semi-interesting tangent.
I gave my wife and one son (both computer illiterates) each an e-mail address.
My wife gave her e-mail address to her sister, but my wife would not write any email (she prefers Long Distance phone calls.... argh!). However her sister emails her things, including some of those stupid 'pass this on to a friend' emails. Still, my wife doesn't even read her own email. After about a month, I found her email address on one of these bulk 'pass it on' messages. Since that time, spammers have inundated her mailbox.
In the meantime, my son has never sent an email, nor has he given out his email address to anyone. As an experiment, I wanted to see if the spammers would find him. So far, they haven't.
So you are right-- if you don't want spam, don't give out your email address.
In Outlook, executable files, scripts, and screensavers are blocked by default.
If you tried deleting everything on your hard drive, you'd get errors from system files that are in use. Windows won't delete them.
In windows, click-to-infect is the norm.
I have a feeling you haven't used a copy of Windows since 1998. Pure FUD.
"Sufferin' succotash."
The problem with front-end client spam filtering is that it does nothing to reduce the backbone traffic volume nor the data volume the email server has to process.
Someone is selling the products. They are illegally using home PC resources via spamnets. I fail to understand why the spammers can't simply be charged with theft, fraud, and locked up accordingly.
Or just shot if they happen to be in a country that permits such penalties. The genepool needs some cleaning...
I do not fail; I succeed at finding out what does not work.
Hidden filetypes or macros?
I've yet to find a feature of macros in Office that can't be done another way. Sandboxing would be great so that you'd know if it was going outside of the workbook/document. Some little game from someone or something with some calculations should only work within the document. I haven't tried macros in OOo. Can they go out or not?
And hidden filetypes are an "arggghhhh!" for me when I go onto a PC that isn't mine.
So if you're a victim of Microsoft's negligence in making systems that can easily be converted to attack zombies, click here to contact that law firm. The most effective victims would be those who run Linux, because they're not subject to Microsoft's EULA. For them, it's a pure negligence issue. A Linux-based ISP or hosting service would be the poster child for such an action. They're being hammered on, they didn't sign any Microsoft EULA, and they're clearly suffering sizable damages due to Microsoft's negligence.
It's time for this to become a major legal issue.
The problem is when the ISP's SMTP server doesn't behave in the manner you want it to: it's slow, often unreliable, won't accept large attachments, blocks certain file extensions as attachments, and so on. Oh, and it doesn't support SSL/TLS. This isn't just my ISP, nearly every ISP I've used in the last 5 years has had similar limitations. The unfortunate fact seems to be that ISPs provide connections. They're really not very good at providing other services like reliable email servers, webhosts, usenet servers and so on.
Personally I'd be much more comfortable paying the ISP a touch less, not having access to all the "extra" services (50mb webspace, 20 POP3 accounts, usenet, etc.) and get the services I actually need from a professional hosting company. Group a few people together on a user-mode Linux VPS and it only works out at a couple of pounds per person per month.
There's also the whole privacy issue - I don't necessarily want a large corporate entity (my ISP) having access to all the email I sent, when I send it, to whom I send it, etc. etc.. If this article were about anything apart from the unpleasant reality that is junk email, most of the comments here would be bemoaning the invasion of privacy.
Is this a case of giving up some freedom (port 25) for some sanity?
My ISP already does this. What I'd encourage (see my earlier post for a fuller explanation) would be a captive portal ISPs could use for customers' machines which are victims of viruses. All it needs to be is a page telling people to sort the mess out, providing a few useful links to online virus scanning sites and so on. The message is more about informing the unsuspecting customer than it is about draconian blocking, etc.
No offense tonyray, but selling computers at your shop doesn't make you an ISP just because those computers can get on the internet.
Having actually worked for a mid-size ISP (~180 000 broadband subscribers when I left three years ago, slightly fewer dial-up users than that), and having dealt with roughly 6000 tech support calls in that period (mostly part-time), I call BS on the claim that Linux users cause far more problems; it is pure FUD.
It was not officially supported, but most calls from Linux users ended in about 2 minutes after giving them our DNS servers, mail and smtp servers, and checking if their cable modem was functioning normally on the network. It's a longshot to declare that the majority of your supposed Linux users have been hacked too.
If the source of 80% of spam is infected PCs, could a method of OS fingerprinting (a la nmap) not be used to identify the offending PC as 95/98/XP and either flag (with an X header) or reject the mail? A test of the source address would do. It's not perfect and firewalls etc would make it a tad unreliable but if you mix this with other tools like spamassassin it just might work.
Just an idea...
Paul
Yep, a friend of mine who I would describe as a "power user" got Sasser *WHILE* he was downloading the patch for it.
Religion is a gateway psychosis. -- Dave Foley
Same thing with Blaster...if you didn't install the patches from a CD, as soon as you got online, you would get infected. Perhaps the situation is better now, but that's how it was last Fall.
I had the misfortune of working as a technician (I know, it's idiotic -- some of us have bills to pay) at Best Buy during that time, and we had to patch every single new machine that was sold off the floor.
Of course, we charged a $25 fee for this service.
And, of course, people bitched that it was a scam, but, hey, we didn't write the virus. And we sure as hell didn't make Windows insecure by default.
Sure enough, people that refused to pay the extra $25 came back a week later, crying that they were infected.
We did some testing (nothing scientific, I assure you) and the fastest we saw a machine get infected was within thirty seconds of being on a dial-up network.
So claiming that Windows is insecure has nothing to do with the stupidity of its users (although that factor does play a role).
You think it's coincidental that Microsoft released a patch CD for free last October? (Which, btw, was FAR TOO LATE to do jack shit about intercepting Blaster's wrath.)
The old Lie: Dulce et decorum est Pro patria mori
Is when people counter the "I don't use Linux because I'm not that adept concerning computers." argument with "well it wouldn't kill you to learn more about your computer."
This is true, but I am a Windows user for a long time now (still run Linux on my server) and I haven't had a computer virus in AGES (at LEAST 6-7 years).
Because I have a firewall, I don't use IE or Outlook, and I keep stuff patched.
The point? If you learn more about your computer you can make Windows a lot safer. And I guarantee you it won't take as much learning/suffering as it takes to get started in Linux on the desktop. Not to mention patching my Windows machine is as simple as running Windows Update....my Linux server? Well, depending on what we're talking about it could be as simple as downloading an RPM or, and this is the fun part, updating something from source....either way it's nowhere near as easy as updating Windows....hopefully someday it will be!
"The saddest words of mice and men, are not those which were, but should have been."