Slashdot Mirror


New Spam Zombies Use ISPs' Mailservers

RMX writes "CNet's reporting that the new spam zombie PCs are no longer acting as their own mailservers, but cooperate with the ISPs' recommendation that instead of running your own mail server, to use theirs instead."

19 of 383 comments

  1. Simple solution by MarkRose · · Score: 4, Interesting

    There's a very simple solution that many webhosting companies already use -- the ISP should force their users to authenticate with the server, using secure SSL. It's good practice anyway, and doing so would make even more work for the spam bots (they would have to find the user's login and password for the SMTP server).

    --
    Be relentless!
    1. Re:Simple solution by Seumas · · Score: 2, Interesting

      Are you saying that major ISPs don't require authentication to relay mail?! I have Comcast, but I've never used their servers (I run my own externally). What do they do then, just base whether or not to relay based on whether or not you're in their IP blocks?

      That's ludicrous. POP-BEFORE-SMTP or SMTP AUTH are extremely simple to set up without any additional complexity on the user's end. If the ISPs are not protecting their mailservers, then I would suggest this is THEIR problem - not the end-user.

  2. Many ISP mail servers get blacklisted now? by enosys · · Score: 5, Interesting

    Will many ISP SMTP servers get automatically blacklisted because of this?

  3. Assuming the Zombie's ISP doesn't notice by bigtallmofo · · Score: 1, Interesting

    What ISP isn't going to notice thousands if not millions of rapid-fire connections to its SMTP server?

    --
    I'm a big tall mofo.
  4. Most ISPs have limits by appleprophet · · Score: 3, Interesting

    First of all, most ISPs require you to authenticate in some way. Either they require a login/password or more often, they wait until you check your POP3 email and give you a 30 minute window to send email without authentication.

    Secondly, ISPs often have a limit to how fast you can send mail or how many per day you can send.

    I don't really see this as a problem.

  5. Re:violation of ISP contract? by Seumas · · Score: 4, Interesting

    What kind of crappy ISP delivers messages containing *.SCR, *.CPL, *.COM, *.PIF, *.BAT and so forth to their customers?!

    And yes, Joe User tends to ignore popups, because a lot of the "professionals" are idiots. We have a radio program in Portland on the weekends hosted by some "long time computer experts". Every time the topic of "how to prevent popups" comes up, the host insists that your web browser has NOTHING TO DO WITH IT. Popups are entirely a problem with your machine being infected and you need to install a good virus scanner to avoid them.

    People have called up and said "no, I think they're talking about web popups that you get when you visit a website without a popup blocker". Rather than suggesting people use Firefox or something, he actually says "If you're getting popups, it is because you've done something wrong and aren't protecting your PC". He refuses to acknowledge (and has for many months) that if you visit a website without some form of popup blocker, you'll often encounter popups BECAUSE THE WEBSITE IS SENDING THEM.

    I mean... it baffles me that people like this are being treated like expert professionals and they're misleading thousands of people in the process of pumping up their own misguided ego.

  6. Re:violation of ISP contract? by RollingThunder · · Score: 4, Interesting

    Heck, we had our Telus business ADSL shut down because somebody bounced through a wireless card on an XP laptop that the dumb**** marketing director had enabled the "provide access to the internet" or whatever it is via.

    Our office was only on the 4th floor, and his system was right at the window, so somebody popped through and started doing crap on the Zone servers. Telus cut us off within a day, and I was damned impressed.

    I was angry too - but not at Telus. At the marketing guy and myself (for leaving open outbound access). I fixed his system, and instituted "via proxy only" outbound for port 80, and no more problems.

  7. Re:violation of ISP contract? by xtrvd · · Score: 4, Interesting

    I agree with you on making everybody a security expert. People simply don't have enough time to learn how to use a computer, especially if they just want to check their email on it. But if they cannot use their computer without it causing problems to the rest of us on the internet by being a Spam server, they need to take responsibility somehow.

    I'm going to go on a stretch here. It's similar to driving a car (Please note, I said similar, not the same as). You receive a license to use a car so that you can drive around in a controlled environment where other people reside: The public roadways. You can do whatever you want on your own environment (Own PC) just as you can spin doughnuts in your backyard if you really want to.

    You get your license to drive on the public roadways (Networks) and if you choose to not lock your car, then somebody else will steal it and hopefully the police will either take your car away (take your computer away) or they'll take your license away if you were the one actually doing the infraction. (ISP disconnects you from the internet)

    If you are caught doing something bad in a car on public roadways, you should be punished; if you choose to turn on that computer that is not secured in any way, shape, or form, you should not be allowed to take the use it. [Don't yell at me yet]. If you're not prepared to get into a car and harness its abilities, then you'll want to start with a car that's attached to a track, like those ones the 4 year olds use in amusement parks.
    You can consider those tracked cars like Macs; because with all due respect, you can't become a zombie computer without at least trying.

    Until you learn to use a car, you'll never get a license to use it. Until you learn to use a computer, you shouldn't be on the internet.

    My two cents.
    Thanks for your insightful reply CrackerJack9.

  8. Re:violation of ISP contract? by CrackerJack9 · · Score: 4, Interesting

    While I agree with your post, can we both also agree that "stay between the lines" "obey speed limits" and the like are much more simplistic than some of those you would need to understand to be truly proficient at protecting your home network? I realize, "don't double click that attachment that says it will show boobies if i do" isn't too complicated, but it also takes place in a different realm than driving a car does. Perhaps we should blame culture, simply that computers are relatively new, or even that you don't need a license (to show at least some proficiency and basic rules to follow, like a driver's permit) that there are so many problems that can very easily be avoided. What I don't think is that by making (people who have car accidents or get speeding tickets) them install a program that is quite complicated, (even if considering only the conceptual complications) such as a firewall, will help solve the problem to a reasonable degree. By reasonably, I mean not snatching anyone's computer away simply because they did not run Windows Update hourly. Just like we don't get driving licenses revoked after a single accident or ticket. I'm all for Computer Usage 101 coming with any computer purchase or something in that sense, but ISPs forcing them to install things or improve security beyond their capacity to do so seems unreasonable to me (see parent post/my reply).

  9. Re:violation of ISP contract? by ErikZ · · Score: 2, Interesting


    From what people are saying, ISPs can't even manage the spam and virii coming from their own customers' computers.

    I doubt they'll be able to handle anything like a licence.

    --
    Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
  10. Re:violation of ISP contract? by schon · · Score: 4, Interesting

    Telus's attempts at spam control remind me of the keystone cops. They hinder people who know what they're doing, and do *nothing* to stop spam.

    Telus has had its netblocks (including the ones their mailservers are on) blacklisted many, many times - and their response has been to simply ask for removal, without actually fixing the problem. When their mail servers got blacklisted by Spamcop, their response went something like "well, we're a large ISP, so you should remove the block."

    Here is an example of Telus stupidity in action. I've received the *exact same* response from them.

    They don't give out static IP addresses (even though they claim they do), instead forcing their customers to use DHCP for their mailservers (yes - even when the customers *PAY* for a static IP address) - and when the addresses change, the customers frequently find themselves in various blacklists.

    If you think that Telus is responsible, you should do a Google Groups search for them in news.admin.net-abuse.email.

  11. Re:violation of ISP contract? by rawg · · Score: 5, Interesting

    Yeah, the police should take your car away if you leave it unlocked. You must live in California.

    Personally I would rather see it this way; if your car is doing something bad, then it should be stopped and not allowed on the road until it's fixed. IE leaking oil on the road, lots of smoke coming out of it, or parts falling off.

    If you're driving down the freeway with 300 feet of linked banners attached to the back of your car, then you should be stopped. Even if you didn't attach those banners to it.

    --
    The above is not worth reading.
  12. Re:violation of ISP contract? by ThisIsFred · · Score: 4, Interesting
    > What kind of crappy ISP delivers messages containing *.SCR, *.CPL, *.COM, *.PIF, *.BAT and so forth to their customers?!

    Probably the kind of ISP that realizes it's a security issue related to Windows, and therefore one of the risks best dealt with by the end user. Editing users' e-mail based on a file extension is stupid anyway. That's probably the same kind of thinking that went on at Microsoft's OS development group when they implemented file-type detection; more specifically, that shallow thinking is what is directly responsible for the Windows vulnerabilities based on extension-only file-type detection and the shell's automatic file association helper.

    So why not stop there? Windows' shellexec helper also attempts to do something with .zip, .wav, .mid and .mp3 extensions. Would you like your ISP to discard those messages automatically? I send a lot of material between work and home in .zip format. I'd change ISPs if some dunderhead was stupid enough to filter my e-mail based on meaningless extensions.

    Jesus, why are we still having this discussion? It's real simple for Microsoft to fix: Make it so any file coming from someplace other than the local filesystems is downloaded to disk only. Or simply give IE and Outlook their own file helper registries, where the default is to just download the file without attempting to open it. People have been setting up their own helper applications in Netscape for years, and no one ever died of exhaustion from the extra work.
    --
    Fred

    "A fool and his freedom are soon parted"
    -RMS
  13. Re:violation of ISP contract? by CAIMLAS · · Score: 2, Interesting

    It would be interesting if, instead of simply cutting off their access, they switched them over to a non-routeable subnet (via a short dhcp lease time) and direct all HTTP traffic to a single server which would then alert them to the problem (with bold blinking red on black text or something equally as noxious) and provide them with a list of links to various tools to disinfect them, based on what's a common problem at the time being. All stored on this private subnet, of course.

    They could even go a step further and automatically generate a custom page for the user based on the type of traffic and its signature (iis exploit, etc.), their IP address (thus, it would startle them with their own name), and even provide them with the most likely fixes for the problem.

    Then, after they're done fixing things they could click a button that said "I have fixed my computer and would like to use the internet within 15 minutes" or something like that. They'd then be 'tested' for such hostile network activity again, and if they didn't pass they'd be alerted to it.

    I could imagine a large cable/dsl ISP implementing something like this. It would pay for itself in a couple months due to bandwidth and tech support calls.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  14. Re:violation of ISP contract? by Frank T. Lofaro Jr. · · Score: 4, Interesting

    How about this idea?

    Demonstrate you can use a computer responsibly and you can get an SSL-like certificate from any number of private companies and other organizations saying so.

    People would be free to send email without such a certificate.

    People would also be free to reject any such email. Or accept it, it would be their choice.

    --
    Just because it CAN be done, doesn't mean it should!
  15. Re:violation of ISP contract? by TomsFingerKeys · · Score: 2, Interesting

    How about licenses for the publishers? Say, Microsoft couldn't sell a new version of Windows unless it passed some basic safety tests first, kind of like emissions testing and safety checks for cars to ensure they're "street legal".

    Yeah, horrible idea, but we can't blame everything on the uneducated/uninterested users.

  16. Re:Eh? by JPriest · · Score: 3, Interesting
    > Or it's a sign SPF has an obvious workaround.

    No, forcing clients to use valid SMTP servers is most of the reason SPF exists. The point is, most security measures on SMTP servers are moot because they can work around them simply by running their own SMTP process.

    The idea is to force them to adhere to using authorized servers that are actually under someone's control.

    Now things like shutting down open relays, smtp auth, send limits, outgoing filters etc. are not just a wasted effort.

    Right now if an infected box on our network is spamming someone we don't know till they contact us about it. If we force them to have to spam through a mail platform in our control we can almost automate this process.

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
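
An added example, not part of the thread: a sketch of the per-customer send limits mentioned in comment 4 and the automated detection described in comment 16, run over submission logs from a mail platform the ISP controls. The log format, the thresholds and all addresses are constructed assumptions, not taken from any real MTA or ISP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real MTA's):
#   <ISO timestamp> client=<ip> from=<envelope sender> nrcpt=<recipient count>
LINE_RE = re.compile(r"^(\S+) client=(\S+) from=<([^>]*)> nrcpt=(\d+)$")
WINDOW = timedelta(seconds=60)   # sliding window per client IP
MAX_RCPTS = 20                   # hypothetical per-window recipient limit
MAX_SENDERS = 3                  # hypothetical limit on distinct envelope senders

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None              # ignore lines that are not submissions
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3).lower(), int(m.group(4))

def find_suspects(lines):
    """Return {client_ip: set of reasons} for clients over a limit in any window."""
    recent = defaultdict(deque)
    flagged = defaultdict(set)
    for ts, ip, sender, nrcpt in sorted(r for r in map(parse, lines) if r):
        q = recent[ip]
        q.append((ts, sender, nrcpt))
        while ts - q[0][0] > WINDOW:      # drop events older than the window
            q.popleft()
        if sum(e[2] for e in q) > MAX_RCPTS:
            flagged[ip].add("rate")       # too many recipients per window
        if len({e[1] for e in q}) > MAX_SENDERS:
            flagged[ip].add("senders")    # one line, many From addresses
    return dict(flagged)

def _line(sec, ip, sender, nrcpt=1):
    ts = datetime(2004, 9, 7, 10, 0, 0) + timedelta(seconds=sec)
    return f"{ts:%Y-%m-%dT%H:%M:%S} client={ip} from=<{sender}> nrcpt={nrcpt}"

# Constructed sample: three ordinary customers and one zombie-like client.
SAMPLE_LOG = (
    [_line(s, "192.0.2.10", "alice@isp.example") for s in (0, 300, 600)]
    + [_line(120, "192.0.2.20", "bob@isp.example", 15)]   # one large recipient list
    + [_line(s * 120, "198.51.100.5", "carol@isp.example") for s in range(25)]
    + [_line(30 + s, "192.0.2.77", f"user{s % 6}@forged.example") for s in range(30)]
    + ["garbage line that the parser skips"]
)

if __name__ == "__main__":
    for ip, reasons in find_suspects(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

The steady sender (25 messages spread over 50 minutes) and the single 15-recipient message stay under both limits; only the client that bursts 30 messages in 30 seconds with rotating sender addresses is flagged.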
  17. Re:violation of ISP contract? by jessecurry · · Score: 2, Interesting

    I seriously doubt that anyone who doesn't understand how to keep their computer from being bogged down by spyware would think that their ISP had something to do with their not being able to do something. They would more likely think that the internet was broken.
    And it really wouldn't be all that hard to have the firewall return a page stating that the ISP has them on a more secure network along with instructions to move themselves to the open network.
    The reason that I see a system like this being somewhat practical is the fact that I have been a part of administering one for quite some time now. You wouldn't believe the number of people who didn't even notice that they were on a limited network. As long as they could check their e-mail, IM, and view most sites they were happy.
    I don't doubt that a system like this will work, I do however doubt that any ISPs are going to work on implementing such a system until malware seriously affects their bottom line.
    From an ISP's standpoint a nonworking PC just frees up more bandwidth for everyone else.

    --
    Those who know, do not speak. Those who speak, do not know. ~Lao Tzu
  18. Re:Eh? by RT Alec · · Score: 2, Interesting

    How many ISPs have SMTP+AUTH (or some other type of authentication, like POP-before-SMTP)? If they are not running a totally open relay, usually they just restrict access to their own IP addresses, and to their domain (e.g. '@comcast.net').