Slashdot Mirror


New Spam Zombies Use ISPs' Mailservers

RMX writes "CNet's reporting that the new spam zombie PCs are no longer acting as their own mailservers, but cooperate with the ISPs' recommendation that instead of running your own mail server, to use theirs instead."

28 of 383 comments

  1. Eh? by Anonymous Coward · · Score: 3, Insightful

    Is this just doing what normal email clients do already? Why didn't they think of it earlier?

    1. Re:Eh? by Anonymous Coward · · Score: 1, Insightful

      Because you have to figure out the IP of the SMTP server. Not to mention the SMTP server may be throttled.

  2. Unnamed processes by Dancin_Santa · · Score: 3, Insightful

    I was reading about the "American GI (Joe) captured in Iraq" yesterday and the same thought crossed my mind today.

    If you are going to tell everyone that spam zombies (or terrorist websites) are out there, why don't you give details like processname (or website URL)?

    It does no one any good if you just say, "Hey, there's a chance your computer may be infected and is a zombie spammer," if you don't also tell us the zombie process name.

    1. Re:Unnamed processes by rusty0101 · · Score: 5, Insightful

      That presumes that the process name will be pre-defined. We already have viruses that generate a new name for their executable, or library, and use that name to modify the workstation or server's database to automatically launch it each time the computer is rebooted. If this virus also is generating spam, it will be run with the process name of the executable or library, and at best you will see a process name that you don't recognize. Considering the fact that a significant percentage of the population of computer users do not even know how to bring up the task list, much less know what each process that normally runs is, is named, or does, telling them to kill off any process that looks like 'libraryname0.dll' is not going to be particularly helpful.

      Your best bet is to find a personal firewall that asks you if application x is allowed to generate network traffic. Hopefully the firewall will tell you more, such as the type of traffic the application is attempting to generate, but even that can be more information than a general user is prepared to try to assess.

      If your firewall tells you that 'tobmaps.exe' is trying to send e-mail to your ISP's mail server, you might tell it no, don't allow that sort of traffic. If it tells you that 'tobmaps.exe' is attempting to connect to login.yahoo.com via http, you might inadvertently allow it, even though login.yahoo.com is the first step towards sending e-mail through Yahoo.

      In most cases however you can probably tell your personal firewall to block all traffic to any IRC network, unless you specifically approve the app, and know what you are doing. Of course over time spambots are going to move on from IRC channels to Instant Messaging services, to various p2p applications, if they haven't already.

      Saying 'kill off any process named xyz-abc.exe' is all well and good, but is probably going to be a one shot solution to a small subset of the people infected with a spambot.

      -Rusty

      --
      You never know...
  3. Re:Why aren't they using SMTP-AUTH? by LostCluster · · Score: 3, Insightful

    I don't see how that solves this problem. If the malware can read the configuration of the host's e-mail program, it can imitate any authorization you throw at it...

  4. This is easier to solve by digitalgimpus · · Score: 4, Insightful

    Unlike when they did it on the clients, this puts it through a limited number of gates.

    ISPs will likely start limiting outbound email to x emails/hr. Companies and ISPs will likely start monitoring and kill quicker.

    This will benefit spammers for a very short period, then bite them in the ass.

    ISPs and companies aren't going to tolerate a spike in CPU usage, and possible blacklisting if they can take care of it. They will start blocking IPs from sending mail, etc. etc.

  5. Re:Simple solution by kerrle · · Score: 5, Insightful

    Or the bots could ignore that, and just send out with the default mail settings - most users would have OE set to remember password, so no real gain there.

  6. Re:violation of ISP contract? by enosys · · Score: 3, Insightful

    That can also happen to zombies that send spam without using the ISP's SMTP server. If they do use the ISP's server that should make the ISP notice sooner though.

  7. Re:Simple solution by SpottedKuh · · Score: 2, Insightful

    [T]he ISP should force their users to authenticate with the server, using secure SSL.

    It's a shame that people are so attached to their horrid Microsoft Outlook email client. Otherwise, two problems could be solved in one fell swoop: Have users SSH into the ISP email server, and use a simple client like Pine to send and receive their email.

    First, this setup would enforce strong user authentication, as the parent wisely suggested. Secondly, it would eliminate that whole host of attacks against bad email clients (eg. Outlook) that the average computer user inexplicably blames on their ISP.

    Years ago, in the days of the 56K modem, the Edmonton Freenet provided email service in which people dialed in and used Pine. It worked great -- it was simple, effective, and they even provided a little manual so that all of the Pine-neophytes could learn to use the system. I remember everyone from the young to the old learning to use the system, and getting along splendidly after the rather small learning curve.

  8. Re:Simple solution by danielcole · · Score: 3, Insightful

    The simple problem of 'Remember my user id and password' negates your simple solution.

  9. Re:violation of ISP contract? by xtrvd · · Score: 5, Insightful

    Telus, my ISP in British Columbia (Canada) already takes a fairly aggressive stance on this situation. In the past few years, they have realized that their clients are idiots and will open up any attachments they get in their email clients, even those great ones with .scr's from v1agra@sh0p0ur31337store.ch.

    In order to stop their networks from becoming ridden with viruses, they simply closed off the accounts of whoever was infected. Sure people complained, but in the end, there were more people that were satisfied since their computer only needed to be infected with one virus for them to notice. Instead of having a computer with 20+ self-propagating viruses, the user only had one when they realized they needed it fixed.

    Joe Users seem to ignore popups and slow-downs of their computers as long as they can still connect to the internet and check their AOL email. As soon as they're disconnected, they will call up the ISP and find out how to get their computer fixed.

    If these ISPs can take the same stance against zombies becoming spam servers, it shouldn't be long until Joe User is forced to learn how to use a firewall to protect himself from being disconnected.

    As soon as we have ISPs that are *more* responsible for the content going through their networks, we'll have a better internet.

  10. Re:Simple solution by caino59 · · Score: 3, Insightful

    oh yea...pine - my mom will be all over that one!

    remember, you have to keep these dumbed down for the masses.

  11. Re:Simple solution by JVert · · Score: 2, Insightful

    Agreed.

    The user's machine is compromised. There is no method that can be widely adopted that will keep these programs from using the same functions that the computer does on a daily basis.

  12. Re:Simple solution by MarkRose · · Score: 2, Insightful

    However, using authentication, ISPs can easily block users who begin to send out too many emails (most likely spam), forcing them to deal with the problem (or get the ISP to allow them to send large volumes), or at least stopping the spread of spam.

    --
    Be relentless!
  13. Re:Why aren't they using SMTP-AUTH? by Yobgod+Ababua · · Score: 2, Insightful

    Of course, if the user doesn't let their mail client "remember" their password (I never trust mail clients to remember anything for me), then the virus would indeed be unable to complete its evil plan.

    They'd need to take the time to write a more sophisticated version of the trojan that first does some keystroke logging to steal your AUTH password, -then- sends spam with it.

    Once a virus allows "a remote attacker to gain complete control of your computer", there's really nothing that you could do that they won't be able to. Very disturbing how many MS virus alerts contain that very unpleasant phrase...
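The exchange that comments 3, 5, 8 and 13 above are arguing about, as an added example that is not part of the original thread: a toy SMTP submission server that insists on STARTTLS before AUTH and AUTH PLAIN before MAIL, and a bot-side client that simply replays the AUTH PLAIN token a "remember my password" mail client can produce. The hostnames, the account store and the token format details (RFC 4616) are assumptions of the example; the TLS handshake is modelled as a flag, since the point is that TLS protects the credential on the wire, not on a compromised host.

```python
import base64

# Account store on the ISP's submission server; constructed for this example.
ACCOUNTS = {"alice": "s3cret"}


def auth_plain_token(user, password, authzid=""):
    """AUTH PLAIN initial response (RFC 4616): base64(authzid NUL authcid NUL
    password). A mail client set to 'remember password' can produce this
    on demand, and so can anything else running as that user."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_auth_plain(token):
    """Server side of the same: recover (authcid, password) or None."""
    try:
        parts = base64.b64decode(token, validate=True).decode().split("\0")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(parts) != 3:
        return None
    return parts[1], parts[2]


class SubmissionServer:
    """Minimal submission-service state machine: TLS before AUTH, AUTH
    before MAIL. The TLS handshake itself is modelled as a flag."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.tls = False
        self.user = None
        self.envelope = None
        self.queued = []   # (user, envelope, body) the server would relay

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "EHLO":
            exts = "250-STARTTLS" if not self.tls else "250-AUTH PLAIN"
            return f"250-submit.isp.example\r\n{exts}\r\n250 8BITMIME"
        if cmd == "STARTTLS":
            self.tls = True            # real server: negotiate TLS here
            return "220 2.0.0 Ready to start TLS"
        if cmd == "AUTH":
            if not self.tls:
                return "530 5.7.0 Must issue a STARTTLS command first"
            mech, _, token = arg.partition(" ")
            creds = decode_auth_plain(token) if mech.upper() == "PLAIN" else None
            if creds and self.accounts.get(creds[0]) == creds[1]:
                self.user = creds[0]
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if cmd == "MAIL":
            if self.user is None:
                return "530 5.7.0 Authentication required"
            self.envelope = {"from": arg, "rcpt": []}
            return "250 2.1.0 Ok"
        if cmd == "RCPT":
            if self.envelope is None:
                return "503 5.5.1 Need MAIL command"
            self.envelope["rcpt"].append(arg)
            return "250 2.1.5 Ok"
        if cmd == "DATA":
            if self.envelope is None or not self.envelope["rcpt"]:
                return "503 5.5.1 Need RCPT command"
            return "354 End data with <CR><LF>.<CR><LF>"
        if cmd == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"

    def accept_data(self, body):
        """Called after DATA once the client has sent the terminating '.'."""
        self.queued.append((self.user, self.envelope, body))
        self.envelope = None
        return "250 2.0.0 Ok: queued"


def bot_session(server, stored_token, sender, rcpts, body):
    """Client side as a spambot would run it: replay the token lifted from
    the mail client's saved settings. Returns the (sent, reply) transcript."""
    transcript = []

    def send(line):
        transcript.append((line, server.handle(line)))
        return transcript[-1][1]

    send("EHLO zombie-pc")
    send("STARTTLS")
    send("EHLO zombie-pc")
    if not send(f"AUTH PLAIN {stored_token}").startswith("235"):
        send("QUIT")
        return transcript
    send(f"MAIL FROM:<{sender}>")
    for rcpt in rcpts:
        send(f"RCPT TO:<{rcpt}>")
    if send("DATA").startswith("354"):
        transcript.append((body + "\r\n.", server.accept_data(body)))
    send("QUIT")
    return transcript


if __name__ == "__main__":
    srv = SubmissionServer(ACCOUNTS)
    token = auth_plain_token("alice", "s3cret")   # what the client stored
    for sent, reply in bot_session(srv, token, "alice@isp.example",
                                   ["victim@example.org"], "Subject: hi\r\n\r\nbuy now"):
        print(f"C: {sent}\nS: {reply}")
    print("queued:", len(srv.queued))
```

The server correctly rejects an unauthenticated MAIL FROM and a bad token, which is all SMTP AUTH over TLS can do; a bot holding the stored token is indistinguishable from the user's own client, so the gain is attribution (the server knows which account sent the spam), not prevention.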

  14. We're winning by SiliconEntity · · Score: 5, Insightful

    This is the best sign yet that we're winning the war on spam. This is exactly what measures like SPF were designed to induce - forcing zombies to go through the ISP rather than sending mail themselves.

    Now all the ISPs have to do is to filter and detect sudden jumps in email traffic. It will be easy for them to detect systems which have been infected. This will catch the small number of users who suddenly start running high volume email lists from their home systems, but those cases will be few enough that they can be dealt with manually.

    This is the beginning of the end for the zombie spam problem!

    1. Re:We're winning by Malc · · Score: 2, Insightful

      I doubt this has much to do with SPF. It's not like SPF is even implemented widely enough to make a difference, yet. I would guess that this is more to do with major ISPs blocking outgoing port 25 and forcing their users to go through the ISP's relay/smarthost. I predicted this would eventually happen a few years ago when ISPs started taking these measures. The good thing about this though is that there is a bottleneck that is easy for the ISPs to monitor and control.

  15. Re:violation of ISP contract? by CrackerJack9 · · Score: 5, Insightful

    That would be great, but for some of the same reasons Joe User isn't already securing his PC is because he doesn't know where to start, let alone how to finish.

    Let's say the ISP tells him to run ZoneAlarm (firewall for PCs), he will most likely end up just saying "Allow always" to any suspicious programs requesting internet access, or "Deny always" and he'll just have to call the ISP back to figure out why Windows can't open any TCP/IP connections....it's a great fix on paper, but I think there are a lot of other factors that need to be considered before you assume you can "just tell them to become computer security experts"

  16. Re:Eh? Because... by kd3bj · · Score: 5, Insightful

    Why didn't they think of it earlier?

    Because I suspect it doesn't work as well. It's pretty easy for an ISP to notice 100,000 emails from one sender pumping through their SMTP server, but relatively difficult to notice those mails when sent directly through the net. Also, outgoing servers are often set up with throttling.

    Of course, nowadays, ISPs have no excuse in either scenario. There are plenty of network monitoring tools that will notice spamming.
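The detection that comments 4, 12, 14 and 16 describe (a per-account cap on the smarthost plus noticing a sudden jump in one sender's volume), as an added example that is not code from the original thread. It parses Postfix-style smtpd log lines from an authenticated submission service, counts messages per sasl_username per hour, and flags an account that either breaks a hard hourly cap or jumps to many times its own earlier rate. The log format, thresholds, hostnames and the sample log are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Postfix-style smtpd "client=" line from an authenticated submission
# service. The sasl_username= field is what the ISP gains once zombies
# go through the smarthost: every message is tied to an account, not
# just a dynamic IP. Field layout is assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<client>\S+), sasl_method=\w+, "
    r"sasl_username=(?P<user>\S+)$"
)
SYSLOG_YEAR = 2005  # syslog lines carry no year; assumed here


def parse_line(line):
    """Return (timestamp, user, client) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["client"]


def hourly_counts(lines):
    """Messages accepted per (sasl_username, hour bucket)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, _client = rec
        counts[(user, ts.replace(minute=0, second=0))] += 1
    return counts


def flag_accounts(lines, hard_cap=100, jump_factor=10, min_msgs=20):
    """Flag (user, hour) buckets that exceed a fixed per-hour cap, or that
    are jump_factor times the account's median rate in earlier hours
    (ignoring buckets below min_msgs so a quiet user is not flagged for a
    handful of mails). Returns [(user, "HH:00", count, reason), ...]."""
    by_user = defaultdict(dict)
    for (user, hour), n in hourly_counts(lines).items():
        by_user[user][hour] = n
    flags = []
    for user, hours in by_user.items():
        for hour in sorted(hours):
            n = hours[hour]
            earlier = [hours[h] for h in hours if h < hour]
            reasons = []
            if n > hard_cap:
                reasons.append(f"over cap ({n} > {hard_cap}/h)")
            if earlier and n >= min_msgs and n > jump_factor * median(earlier):
                reasons.append(f"jump ({n} vs median {median(earlier):.0f}/h)")
            if reasons:
                flags.append((user, hour.strftime("%H:00"), n, "; ".join(reasons)))
    return flags


def make_log():
    """Constructed sample log (not real data): alice mails a few times an
    hour all day; bob does too until 14:00, when his PC becomes a zombie
    and starts pumping spam through the same smarthost."""
    lines = []
    start = datetime(SYSLOG_YEAR, 1, 3, 8, 0, 0)
    qid = 0

    def emit(ts, user, client):
        nonlocal qid
        qid += 1
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
        lines.append(f"{stamp} smtp1 postfix/smtpd[4120]: {qid:06X}: client={client}, "
                     f"sasl_method=PLAIN, sasl_username={user}")

    for h in range(8):  # 08:00 through 15:59
        hour = start + timedelta(hours=h)
        for i in range(3):
            emit(hour + timedelta(minutes=10 * i), "alice", "dsl-4.example.net[203.0.113.4]")
        for i in range(2):
            emit(hour + timedelta(minutes=20 * i), "bob", "dsl-5.example.net[203.0.113.5]")
        if h >= 6:  # zombie traffic: 250 extra messages per hour from bob
            for i in range(250):
                emit(hour + timedelta(seconds=14 * i), "bob", "dsl-5.example.net[203.0.113.5]")
    return lines


if __name__ == "__main__":
    for user, hour, n, why in flag_accounts(make_log()):
        print(f"{user} {hour} {n} msgs: {why}")
```

The jump rule matters as much as the cap: a cap alone is either so high that a slow-drip zombie slides under it or so low that the "small number of users who run high volume email lists" in comment 14 are blocked every hour, whereas comparing an account against its own history catches the zombie in the first hour and leaves a consistently busy sender alone.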

  17. Re:violation of ISP contract? by ErikZ · · Score: 5, Insightful

    Yep. And the great thing about having a licence to use a computer is the immense power it gives the government over you.

    Piss off someone in power? Take away your licence.

    Mistakenly accused? Take away your licence until you clear things up.

    Go up against the latest political hotbutton that no one takes seriously? To make it serious, they come up with a new punishment. Take away your licence!

    A licence to operate a computer is a horrible, horrible idea.

    --
    Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
  18. Re:Is spam such a huge problem, really? Yes! by kd3bj · · Score: 2, Insightful

    As an ISP, I can tell you that for the last two years we put all of our R&D money into fighting spam. For us, that's about $100/yr per customer. That's a lot of money pissed away, and it's damn near bankrupting us.

    But more significantly, it represents a massive opportunity cost. There are all sorts of cool things we could have created for our users that we haven't been able to get to because we were tied up with weekly SpamAssassin upgrades. Spam is short circuiting the work of a lot of the most brilliant people into totally profitless endeavors.

  19. And a lot easier to get them to stop. by khasim · · Score: 2, Insightful

    With a regular zombie, you really can't email the person controlling the machine (or the one who has it in his house).

    With an ISP's mail server, you can.

    And they should be more interested in shutting down the thousands of spam messages so that their regular mail can be sent.

  20. Re:violation of ISP contract? by NoSuchGuy · · Score: 4, Insightful

    Remember:

    1) Never ever let a marketing person configure some hardware!
    2) Never ever let a marketing director use the internet unattended!

    This sounds funny but it is meant seriously!

    --
    Grundgesetz * 23 May 1949 - 30 November 2007 - http://www.vorratsdatenspeicherung.de/
  21. Re:violation of ISP contract? by CrackerJack9 · · Score: 2, Insightful

    ok, anti-spy/ad tools and virus scanning is all you mentioned...these are rather simple to set up and run (assuming removing ads won't disable some program they happen to be running, in which case you'll have an even more pissed off customer calling you or someone). I already admitted this, my main point is configuring a firewall for dummies...do you expect them to look up each process (some very necessary and some very bad) to either allow or deny it? Are you going to write a complete list of all processes that may at some time request access to the internet through a software client-side firewall? These are my points...I realize it's quite simple to do some of the things you are talking about...you'd have to read my posts to see what I'm talking about though...

  22. Re:violation of ISP contract? by jessecurry · · Score: 2, Insightful

    I'd really recommend that the uneducated user forget about a firewall. I suppose that if the ISP found that a firewall really did much for their users they could offer 2 networks, one that was behind a firewall allowing access only to ports for http, smtp, etc.. and then a second network for "pro" users that would give them raw access. A web based form could allow users to switch themselves to whichever network they preferred.

    --
    Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
  23. Re:violation of ISP contract? by cpeterso · · Score: 3, Insightful

    The proxy server at work does filtering; it won't let me search google for cable 'strippers', or go to 'demorcrat' or 'buddist' related sites (though I can go to 'republican' or 'christian' related sites). Draw your own conclusions.

    Maybe your employer has high grammar standards? Have you tried searching for "democrat" or "buddhist" web sites?

  24. Re:violation of ISP contract? by squeee · · Score: 3, Insightful

    If you start licensing software, effectively making it illegal to run unlicensed software, then you can wave goodbye to Linux or any open source software, as it may well meet the test requirements, but without an "owner" of the software, no one will get it licensed.

  25. Re:Email Meltdown my ass by edunbar93 · · Score: 2, Insightful

    Yes, a few won't change their settings before you disable the IP-based relaying, but that all gets resolved in one day. Not a big deal.

    I have lived through so many "trivial changes" at ISPs as a tech support rep that not only do I find your statement outright insulting, but that I demand that you immediately retract your statement.

    Forcing thousands upon thousands of the unwashed masses to make changes to their computers in "trivial ways" does not take a day. Or a week. Or even a month. It takes approximately two weeks of Undiluted Hell for the poor bastards on the front lines of tech support, followed by four weeks of diluted Hell, then eventually tapering off to a trickle for another couple of months. The last support call about this will come in approximately six months after the change. Oh and by the way, that's on top of the normal call volumes they're expected to handle. So while undiluted hell doesn't seem so bad, it is.

    And that's not including the original notice of the change, which took place a month before the change. That was approximately three weeks of somewhat diluted hell.

    The fact of the matter is that unless you're a computer geek, you don't know what SSL is (or a POP server, or a DNS server...). And you most certainly don't know how to turn it on. Most people need help from tech support to make the changes, or even to understand the step-by-step instructions given to them in small words.

    Since I am now the sysadmin for an ISP, I carefully avoid at all costs changes to the network that "just require changing a checkbox" on each customer's computer. Doing so results in lost customers "because you guys are down so much."

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert