New Spam Zombies Use ISPs' Mailservers
RMX writes "CNet's reporting that the new spam zombie PCs are no longer acting as their own mailservers, but follow the ISPs' recommendation that, instead of running your own mail server, you use theirs."
Is this just doing what normal email clients do already? Why didn't they think of it earlier?
I was reading about the "American GI (Joe) captured in Iraq" yesterday and the same thought crossed my mind today.
If you are going to tell everyone that spam zombies (or terrorist websites) are out there, why don't you give details like processname (or website URL)?
It does no one any good if you just say, "Hey, there's a chance your computer may be infected and is a zombie spammer," if you don't also tell us the zombie process name.
I don't see how that solves this problem. If the malware can read the configurations of the host's e-mail program, it can imitate any authorization you throw at it...
Unlike when they did it on the clients, this puts it through a limited number of gates.
ISPs will likely start limiting outbound email to x emails/hr. Companies and ISPs will likely start monitoring and kill quicker.
This will benefit spammers for a very short period, then bite them in the ass.
ISPs and companies aren't going to tolerate a spike in CPU usage, and possible blacklisting, if they can take care of it. They will start blocking IPs from sending mail, etc. etc.
Or the bots could ignore that, and just send out with the default mail settings - most users would have OE set to remember password, so no real gain there.
That can also happen to zombies that send spam without using the ISP's SMTP server. If they do use the ISP's server, that should make the ISP notice sooner though.
The simple problem of 'Remember my user id and password' negates your simple solution.
Telus, my ISP in British Columbia (Canada), already takes a fairly aggressive stance on this situation. In the past few years, they have realized that their clients are idiots and will open up any attachments they get in their email clients, even those great ones with .scr's from v1agra@sh0p0ur31337store.ch.
In order to stop their networks from becoming ridden with viruses, they simply closed off the accounts of whoever was infected. Sure people complained, but in the end, there were more people that were satisfied since their computer only needed to be infected with one virus for them to notice. Instead of having a computer with 20+ self-propagating viruses, the user only had one when they realized they needed it fixed.
Joe Users seem to ignore popups and slow-downs of their computers as long as they can still connect to the internet and check their AOL email. As soon as they're disconnected, they will call up the ISP and find out how to get their computer fixed.
If these ISPs can take the same stance against zombies becoming spam servers, it shouldn't be long until Joe User is forced to learn how to use a firewall to protect himself from being disconnected.
As soon as we have ISPs that are *more* responsible for the content going through their networks, we'll have a better internet.
oh yea...pine - my mom will be all over that one!
remember, you have to keep these dumbed down for the masses.
This is the best sign yet that we're winning the war on spam. This is exactly what measures like SPF were designed to induce - forcing zombies to go through the ISP rather than sending mail themselves.
Now all the ISPs have to do is to filter and detect sudden jumps in email traffic. It will be easy for them to detect systems which have been infected. This will catch the small number of users who suddenly start running high volume email lists from their home systems, but those cases will be few enough that they can be dealt with manually.
This is the beginning of the end for the zombie spam problem!
That would be great, but for some of the same reasons Joe User isn't already securing his PC is because he doesn't know where to start, let alone how to finish.
Let's say the ISP tells him to run ZoneAlarm (firewall for PCs); he will most likely end up just saying "Allow always" to any suspicious programs requesting internet access, or "Deny always" and he'll just have to call the ISP back to figure out why Windows can't open any TCP/IP connections... it's a great fix on paper, but I think there are a lot of other factors that need to be considered before you assume you can "just tell them to become computer security experts".
Because I suspect it doesn't work as well. It's pretty easy for an ISP to notice 100,000 emails from one sender pumping through their SMTP server, but relatively difficult to notice those mails when sent directly through the net. Also, outgoing servers are often set up with throttling.
Of course, nowadays, ISPs have no excuse in either scenario. There are plenty of network monitoring tools that will notice spamming.
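The two detection ideas raised in the thread, a fixed per-hour cap on outbound mail and spotting a sudden jump in one account's volume through the ISP's submission server, worked as an added example (not code from the article or any commenter). It assumes a constructed log format of one line per accepted message with the authenticated account and recipient count; the thresholds are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of an ISP submission-server log (not from the article):
# timestamp, authenticated account, recipients on that message.
SAMPLE_LOG = """\
2005-01-14T09:03:11 auth=alice rcpts=1
2005-01-14T09:41:27 auth=alice rcpts=2
2005-01-14T08:10:00 auth=carol rcpts=2
2005-01-14T09:10:00 auth=carol rcpts=2
2005-01-14T10:10:00 auth=carol rcpts=2
2005-01-14T10:12:05 auth=bob rcpts=1
2005-01-15T09:02:44 auth=alice rcpts=1
2005-01-15T10:00:01 auth=bob rcpts=50
2005-01-15T10:00:02 auth=bob rcpts=50
2005-01-15T10:00:03 auth=bob rcpts=50
2005-01-15T10:30:00 auth=carol rcpts=40
"""

LINE_RE = re.compile(r"^(\S+) auth=(\S+) rcpts=(\d+)$")

def hourly_recipients(log_text):
    """Sum recipients per account per clock hour: {account: {hour: n}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        hour = datetime.fromisoformat(m.group(1)).replace(minute=0, second=0)
        counts[m.group(2)][hour] += int(m.group(3))
    return counts

def flag_accounts(log_text, hourly_cap=100, spike_factor=10):
    """Return {account: reason}. "cap" = more recipients in one hour than the
    fixed limit; "spike" = one hour exceeds spike_factor times the mean of
    that account's other hours. Both thresholds are assumed, not the article's."""
    flagged = {}
    for account, hours in hourly_recipients(log_text).items():
        for hour, n in hours.items():
            others = [v for h, v in hours.items() if h != hour]
            if n > hourly_cap:
                flagged[account] = "cap"
                break
            if others and n > spike_factor * (sum(others) / len(others)):
                flagged[account] = "spike"
                break
    return flagged
```

Running `flag_accounts(SAMPLE_LOG)` on the sample flags bob by the cap and carol by the spike, while alice's small, steady volume is left alone.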
Yep. And the great thing about having a licence to use a computer is the immense power it gives the government over you.
Piss off someone in power? Take away your licence.
Mistakenly accused? Take away your licence until you clear things up.
Go up against the latest political hot button that no one takes seriously? To make it serious, they come up with a new punishment. Take away your licence!
A licence to operate a computer is a horrible, horrible idea.
Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
Remember:
1) Never ever let a marketing person configure some hardware!
2) Never ever let a marketing director use the internet unattended!
This sounds funny but it is meant seriously!
Grundgesetz * 23 May 1949 - 30 November 2007 - http://www.vorratsdatenspeicherung.de/
The proxy server at work does filtering; it won't let me search google for cable 'strippers', or go to 'demorcrat' or 'buddist' related sites (though I can go to 'republican' or 'christian' related sites). Draw your own conclusions.
Maybe your employer has high grammar standards? Have you tried searching for "democrat" or "buddhist" web sites?
cpeterso
If you start licensing software, effectively making it illegal to run unlicensed software, then you can wave goodbye to Linux or any open source software, as it may well meet the test requirements, but without an "owner" of the software, no one will get it licensed.