Aggressive Botnet Activities Behind Spam Increase
An anonymous reader writes, "A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru employed numerous tactics to thwart detection and enhance outreach, such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signatures detection." According to MessageLabs (PDF), another contributor to the recent spam increase is a trojan dropper called "Warezov."
I think the Securities and Exchange Commission may turn out to be the most appropriate investigative body for SpamThru and its controllers.
Like many others, SpamThru first showed up on my radar a few weeks ago when a massive pump-and-dump stock spam campaign flooded the inboxes of just about everyone who uses email. They're still at it today, now pumping for ticker EGLY. There's no doubt in my mind that it's the same group of folks responsible for the initial run. All of these spam runs are coming solely through botnets, and the messages - and patterns of messages - share some obvious characteristics.
SpamThru and the recent barrage of stock scams are inextricably linked, I have no doubt about it. If and when the SEC investigates suspicious trading activity surrounding some of these stocks, they're likely to discover a trail that leads them straight to the folks responsible for SpamThru.
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Maybe it's the more streamlined version for our 24 hour on demand e-world... :P
Now, I know what you're going to say, you're going to say this is a dupe of last week's story, Bot Nets Behind Recent Spam Surge, but it's not. You see, this is Aggressive Botnet Activities Behind Spam Incease. And it's no longer recent--it's a week old.
So you can call this a dupe, but as you can see, this has clearly changed status from recent to aggressive. Or maybe like code orange to code red, DHS style.
But please, feel free to karma whore the comments from the old discussion into this one. Seriously, anyone get any new information on this? We've got a named virus but is there anything else new?
My work here is dung.
You could've been slimmed instead of spammed! :P
I recommend "Duh" for this article.
"No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
...is getting only 75% spam.
Mine is more like 1 real email for every 200 spam messages...
"The need to build the internet comes from something inside us, something programmed... something we can't resist."
And human error behind typo "incease"!
join more mailing lists :-)
sarcasm:
-noun
1. harsh or bitter derision or irony.
Forward the message to mailto:enforcement@sec.gov. Use Thunderbird or another mail client that does not strip or mangle the original headers (like Outlook does).
The SEC will devote significant resources investigating and often prosecuting the people who are behind these scams.
Sites like freerepublic avoid dupes like this by having a rule that the subject of the article be used for the posting. Then, checking for a dupe is just a matter of a search for the exact same subject. It's simple and works a lot better.
The war with islam is a war on the beast
The war on terror is a war for peace
What i don't get is why spam is still an issue in this day and age of the internet.
The reason behind spam is simple : it works.
I mean.... it just goddamn works... why otherwise would companies pay hundreds of thousands to defend themselves legally and invest in various ways to get to our inbox?
There are stupid people out there buying from those guys, or whatever product they are advertising.
If you cut the money income, you cut the spam...
instead of spending $$$ and time trying to prevent spam from arriving in our inbox we should spend that money and time educating the crowd that "spamware" is most of the time just a way to get money out of your pocket with no real return value.
If you look like your passport photo, you're too ill to travel. - Will Kommen
Everyone's aware of the excessive spamming on myspace. Hell, I almost think the powers that be at myspace are getting a kickback with the incredible abuse.
But just yesterday I got a 419 email (but with French context, instead of Nigerian) on my Youtube messaging system. He/she even wrote back, regardless of the fact I posted a comment on the account saying "best 419 scammer ever!", that everyone can see.
I'll be expecting facebook spam sometime soon. Er, maybe not.
Personally, I haven't seen an influx of the viagra/mortgage spam as much as I've seen a sharp increase in the number of 419 scam emails of varying degrees. One of them is an account that used to get spam only very rarely. I theorize that someone else on the email service fell for the scams and word got around that there are plenty of mugus ripe for the plucking if you spam this domain.
Has anyone else seen a rise in the amount of this type of spam?
Where does the school board find them and why do they keep sending them to ME?
It's time we force ISPs to pull the plug on infected client machines or block entire ISPs. There is no valid argument to support end users who refuse to clean up their machines. The argument that either they are not responsible for the infection or are unable to clean their own machines is crap. If end users don't know how to maintain their equipment then perhaps they should be off the net.
Look at a car as an example. If I refuse to do or pay for routine maintenance it will begin to create more and more pollution and use more and more fuel. Is it the manufacturer's job to fix it? No. Is it the road builder's job? No. Is it the jerks that sold me crappy fuel? Only if I can catch them. So when I fail smog tests I need to either quit using the car or pay to fix it. Might not be the best analogy.
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
Use Thunderbird or another mail client that does not strip or mangle the original headers (like Outlook does).
It looks like your Thunderbird is configured to forward emails as attachments, but that is not the default setting, if I remember correctly.
In Thunderbird, others may have to go to "Message" -> "Forward As" -> "Attachment".
In Outlook 2003, I didn't find how to forward as attachment. You have to copy the headers from the properties window, and paste them in your forwarded message. Far too complicated to explain over the phone to someone who doesn't have a clue.
* This article submitted by spam botnet
* Intentional misspellings to fool slashdot spam filter
It's all good.
You mean educate people so they don't fall for scams? So they think for themselves? So they know that offers that are too good to be true can't be true?
Are you nuts? Are you aware what this would mean for the market? People able and willing to compare prices before buying, people having used cars inspected before buying them, people informing themselves about the appliances they buy and who don't blindly believe the ads.
Do you know just how many jobs hang on the fact that 99% of the people around are suckers, incapable of sorting out their own life?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
CRM114 still beats whatever they throw at me.
Um, and do you also think scantily clad women deserve to get raped?
A pump and dump scheme simply selects a stock with the right combination of price and volume that they think they can manipulate.
Take the EGLY.OB example (heh, it's up 6% right now). It is a low priced (under a dollar) stock, so lots of shares are cheap. It has sufficient volume (100K shares/day) to be useful. If it is too thinly traded you can't accumulate shares on the cheap. If the volume is too high, the market will keep the dumpers' shares low.
So, the spammers are doing a buy-low, "advertise" (pump it up), sell-high (dump) campaign. The particular stock selected was probably just a result of a screen for the desired trading properties.
The company whose stock is manipulated (most likely) had nothing to do with it.
This issue is a bit more complicated than you think.
I've been seeing over 80% SPAM in the last couple months. And that is just what is being blocked (spamassassin). The actual number is a little higher. Sad, really.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
Is there a joke I'm not in on?
My turnips listen for the soft cry of your love
Can whomever keeps saying itsatrap to every single slashdot post bugger off? I know this is off topic but comeon, this is seriously annoying!!!!
[Note, this post is referring to the tags that can be found amongst others, on this article, so this is a general-issue post not an offtopic one. Thank you.]
It's getting annoying that every article without any relevance gets tagged with "itsatrap". The "fud" tag is grossly overused as well, but at least it can be perceived as mostly applicable. I'm suggesting, to conform with slashdot grammar, to counter-tag every article that has an irrelevant "itsatrap" tag with "notsatrap".
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
The tragedy of the commons is what occurs when there is no limit on use of a public resource but individuals do not bear the consequence of abuse in a way that would make them modify their behaviour for the common good. The historic solution is to put a fee for admission that promotes optimal use. Now as we have all heard over and over, most proposed e-mail stamp plans all fail for one reason or another. Indeed there's that ubiquitous and hilarious form letter someone always posts on slashdot whenever the latest unworkable plan is proposed that explains why it won't work.
So my plan is not to have some micro payment scheme but to simply tax the origin of abuse directly. Windows operating systems are essentially responsible for all Spam. Now if microsoft had put more effort into securing their system then windows would have cost more to develop. So instead they are getting rich off of this since the costs of the consequences are not being borne by microsoft. Therefore there is needed a fee. The fee would be applied to cover the cost of rigorous anti-spam actions by ISPs or whomever was the appropriate cop. Alternatively it could have the effect of deterring excessive monocropping of operating systems, like Windows, that makes it ripe for epidemics like this.
Now before someone says well it's not microsoft's fault, their software is just as good as Linux, mac, amiga, Beos..., let me say that does not matter. Microsoft gets a market advantage and cost structure advantage by being the mono-crop operating system. Therefore regardless of whether their security is comparable to some other, they have a greater responsibility and a greater financial wherewithal to make their software be more secure. It is precisely fair to treat a monopoly with a different set of standards if that monopoly position is 1) the source of the problem 2) they are getting financial gain from being a monopoly.
So rather than flaming me, tell me why this is not a proper analysis of the problem and a possible approach to solving it. Yes it's radical. But according to earthlink I get 2000 spam messages a week, and according to this article 3/4 of the mail out there is spam. Radical solutions are called for.
Some drink at the fountain of knowledge. Others just gargle.
...the RSS feed still says Incease...
What's behind the increase in link spam on blogs/message boards?
Fascism starts when the efficiency of the government becomes more important than the rights of the people.
..or is the PDF link in the story dead? Anyone got a mirror, I'd really like to see that.
There was already a wave of FB spam...that may still be going on. It's mostly in those "omgz this grup is huuuge! 100,000,000 awesome beer" groups, though, so I don't see it much. Also, they've got "sponsored" news feed items now.
Facebook is starting to degenerate into myspace parte deux.
Anyone else think the comments just weren't rendering right before they turned off ABP and saw ads?
I would love it if my ratio was that low!
The developers of SpamThru employed numerous tactics to thwart detection and enhance outreach
I can't believe they write this! I find it very easy to block most of those botnets AT THE SMTP LEVEL. No need to even get to the DATA phase, they normally betray themselves by protocol violations before that.
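To make the "protocol violations before DATA" point concrete, here is an added Python example (mine, not the commenter's and not any mail server's code) that walks a constructed SMTP session transcript and lists the classic bot tells: talking before the 220 banner, a HELO with a bare IP or non-FQDN name, and pipelining commands when the server never advertised PIPELINING. The hostname mx.example.com and both sample sessions are constructed.

```python
import re
from typing import List, Tuple

Event = Tuple[str, str]          # ("S", server line) or ("C", client line)
OUR_HOSTNAME = "mx.example.com"  # assumed name of the receiving MX (constructed)
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def check_helo(arg: str) -> List[str]:
    """HELO/EHLO argument checks, the same idea as Postfix's
    reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname."""
    arg = arg.strip()
    if not arg:
        return ["HELO without hostname"]
    if arg.lower() in (OUR_HOSTNAME, "localhost"):
        return ["HELO claims to be this server or localhost"]
    if BARE_IPV4.match(arg):
        return ["HELO with bare IP literal (RFC 5321 wants [brackets])"]
    if "." not in arg.strip("[]"):
        return ["HELO hostname is not fully qualified"]
    return []


def check_session(events: List[Event]) -> List[str]:
    """Walk an SMTP transcript up to DATA and list the protocol violations."""
    violations: List[str] = []
    banner_seen = False      # server has sent its 220 greeting
    greeted = False          # client has sent HELO/EHLO
    pipelining_ok = False    # server advertised PIPELINING in its EHLO reply
    awaiting_reply = False   # a client command is still unanswered
    for side, line in events:
        if side == "S":
            banner_seen = banner_seen or line.startswith("220")
            pipelining_ok = pipelining_ok or "PIPELINING" in line.upper()
            awaiting_reply = False
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if not banner_seen:   # "early talker": a real MTA waits for the banner
            violations.append(f"early talker: {verb} sent before the 220 banner")
        if awaiting_reply and not pipelining_ok:   # cf. reject_unauth_pipelining
            violations.append(f"unauthorised pipelining: {verb} sent before previous reply")
        if verb in ("HELO", "EHLO"):
            greeted = True
            violations.extend(check_helo(arg))
        elif verb == "MAIL" and not greeted:
            violations.append("MAIL FROM without prior HELO/EHLO")
        awaiting_reply = True
        if verb == "DATA":    # everything above is decided before the DATA phase
            break
    return violations


# Constructed transcripts. The bot talks before the banner, HELOs with a bare
# IP and fires MAIL/RCPT without waiting; the clean MTA does none of that.
BOT_SESSION: List[Event] = [
    ("C", "HELO 203.0.113.7"),
    ("S", "220 mx.example.com ESMTP"),
    ("C", "MAIL FROM:<promo@example.net>"),
    ("C", "RCPT TO:<victim@example.com>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "DATA"),
]
CLEAN_SESSION: List[Event] = [
    ("S", "220 mx.example.com ESMTP"),
    ("C", "EHLO mail.example.org"),
    ("S", "250-mx.example.com"),
    ("S", "250 PIPELINING"),
    ("C", "MAIL FROM:<alice@example.org>"),
    ("C", "RCPT TO:<bob@example.com>"),
    ("S", "250 2.1.0 Ok"),
    ("C", "DATA"),
]
```

Postfix enforces the same three checks without custom code through reject_unauth_pipelining, reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname in its smtpd_*_restrictions lists, which is why such bots are rejected long before the DATA phase.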
I love the way they say spammers are gearing up for the holiday season. Man, if I get nothing but viagra and penny stocks for Christmas, I'm going to be upset.
Oh wow, botnets and trojans responsible for spam? Oh, this is such breaking news, we would have never known. /sarcasm
Do we need to tag !!itsatrap?
A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails
Sounds like a decrease in spam for me, where do I sign up?
If we can hit that bull's-eye, the rest of the dominoes will fall like a house of cards... Checkmate.
I've been inundated so heavily and for so long, I don't remember a time when I only got three spams out of every four emails. I recently tried outsourcing my anti-spam filtering to a third-party supplier. That supplier proxies the SMTP connections and closes them when it detects spam, as opposed to most outsourcers, who store-and-forward the messages.
Because my mail gateways couldn't handle the crushing load of spam I was seeing, I'd hoped that this outsourcer would save me. I was wrong. It turned out that my inability to handle the load at my mail gateways ended up causing DDOS problems for the outsourcer.
I got a call from the product manager who was in Sweden on a business trip, begging me to change my MX records back to my own gateways, because otherwise, his IT folks were going to shut me down in order to save themselves.
I'm currently testing MessageLabs, and it's looking good so far. They're catching nearly a million spams a day for me.
You can't tax Windows users unless you start clamping down on all the open relays and misconfigured email servers. SMTP is broken, and patchwork solutions like SPF are only helping a small amount. There are servers with no reverse DNS, no MX records, all sorts of invalid configurations. As an admin running several mail servers I have to choose between enforcing all the RFC's (and rejecting email from hundreds of legitimate but broken servers) or leaving the door open and being swamped by spam (which is then trapped by processor intensive sieve, filters, etc). If I turn up the security too high my users start complaining about rejected email from clueless organizations that are running perfectly good Linux/Mac/Windows mail server boxes that are not set up correctly.
IMHO it ultimately comes down to fixing SMTP.
John
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Ah, that would be same Messagelabs that inundates me with backscatter spam.
I'm the IT Director for my company here in the northeast US. Our spam percentage over the past year has climbed from about 80% to 91.7% this past month (October 2006). I'd be interested, as a sub-thread here, to have other people with first-hand knowledge about their company spam percentages post a reply here.
Since all this extra spam is coming from botnets running on Windows, just block all email coming directly from a Windows box. I've been experimenting with host fingerprinting using p0f
http://lcamtuf.coredump.cx/p0f.shtml
From this I can see that almost all spam comes from Windows. I'm in the process of configuring my postfix server so it will just reject any mail from a Windows box.
The only false positives I've seen so far are a handful of legitimate emails that come from Windows Server 2003, so I may exempt that...
Note: I'm not advocating blocking email from Windows users, just email coming directly from a Windows box. If a Windows user sends email through their ISP's mail server, it will get through just fine.
I was wondering what if someone setup "Bot Bait". That is, put a PC out on the Internet completely unprotected and let it get infected with a wide variety of spambots.
Then, you watch to see who is attempting to control the bots. Someone, somewhere must be sending the "attack!" command, and maybe you could trace the command back to the origin of the perpetrator. Gather some evidence, and bring the long arm of the law upon the dude.
If you can't touch the perpetrator, you could start taking down his botnet. Once you figure out how that spammer is talking to his bots, you could start to track them down. Once you know where the bots are, you could contact the ISPs about shutting them down if the owners of the infected PCs don't clean them up.
There is no specific law that makes the ISPs responsible for bots, but under common law, if you have control over something, and you are warned about potential harm that the particular object could cause, you are liable for any damage caused by that object. Being the gateway to the Internet for these machines certainly does qualify.
Heck, once you know how the bots are activated and who controls them, you could take over the bots and program them to attack their creator. Talk about irony.
Thank god there are so many fine young programmers out there (usually East European or Russian) who are using their great skills to make life a little bit more miserable. Spaciba!
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
My server uses a fairly sophisticated set of anti-spam defenses and most of the crap gets rejected. But the hi-jacked IP addresses keep coming back.
There ought to be a way to notify their abuse departments quickly and automatically (better than SpamCop).
Perhaps, by sending syslog messages their way? They will then be able to capture a bit of outgoing SMTP-traffic of the accused IP, analyze it (using a Bayesian-based method, for example), and block the SMTP-traffic, if the analysis confirms the complaint.
A blocked user will be able to turn the outgoing SMTP access back on by simply visiting a web-page and entering a text matching a picture and their ISP password — something, a bot can not do. The page will also offer them links to anti-virus and spyware-removal software and strong verbiage about running their PCs responsibly, or face more serious disconnects.
This will allow very swift (within minutes) shutdown of SMTP access for hijacked PCs, without noticeably hurting the victims of "false positives" — and without the wholesale disabling of outgoing SMTP-traffic.
In Soviet Washington the swamp drains you.
If you "fix" SMTP, how can you expect all those people running "perfectly good" SMTP servers right now to upgrade, even if they won't do something simple like implement SPF?
You're throwing out legitimate email either way.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
I keep bringing this up, time and time again.
It's not the people trying to sell the crap that are the real issue, its the middle-men who sell the dream of "internet marketing".
Moreover, I blame those "Work at Home, make Million$" ads you see in magazines and on TV; these are essentially proxies for Internet marketing and the people who do well in those jobs turn to botnets and other illegitimate means. Meanwhile the parent marketing company can distance themselves from them, calling them "consultants" when people bitch about spam campaigns.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Spammers, ad-ware writers, and other scum have made many, many people's online experience a nightmare. While most people try to defend themselves by installing spam filters, spyware detectors, anti-virus programs and other software, spammers continue to come up with yet even more insidious ways around these defenses with impunity. We have even asked the government to help us, and what does Uncle Sam do? He passes a law that is most favorable to spammers. The law is called the CAN-SPAM act. CAN-SPAM puts the burden of "opting out" of spam on us users. We have been instructed many times by anti-spam gurus not to reply to spam or visit a spammer's website in order to "opt out". This is because spammers in many cases use these opt out requests to confirm an actual working email address. Spam filters in many cases miss some spam and can actually flag very important legitimate email as spam. Again, we are punished while spammers continue to profit.
Spammers will continue to spam as long as there is money to be made in doing so. The economics are on the spammers' side. If a spammer sends out one million spams that advertise a product, and only one person out of ten thousand buys the advertised product, the spammer has made one hundred sales. These sales were generated at little cost to the spammer, and at big cost to users and internet providers. The Internet service providers have to pay the costs of storage and equipment to process the spam. Time is money, and many users spend their precious time deleting spam, upgrading filters, etc. If the user is at work, then their company has to pay for this time in lost productivity. The same thing goes for malicious software that generates popup ads, skews search engine results, etc. People can continue to use their antivirus, antispam, and antiadware programs to try to protect themselves, while the bad guys continue to get away with their spamming, pop-up advertising, and search engine skewing with impunity. Using defensive means to defend against spammers is much like putting one's hands over one's face in order to protect against the punches of a schoolyard bully. One might keep a specific blow from blackening an eye, or fattening a lip, but he or she has so far done nothing to deter the bully from throwing even more punches. The bully will continue to throw punches as long as there is satisfaction in doing so. It is only when the bully is confronted with a crowd of angry people, or a damned good fighter, that he or she has an incentive to quit throwing punches. As it goes with bullies, the same thing goes with spammers. Punching back can definitely be a deterrent! Spammers will stop spamming only when the cost of spamming becomes higher than the profits made from spamming.
There have been many people who have made small steps in making spamming more expensive. These people understand that the spammers' weakest point is at their point of sale - usually a website. Many of these people have written programs called "spam vampires." These "vampires" are usually small programs or scripts embedded on a webpage, and they cause a visitor's browser to repeatedly download content from a spammer's website. These repeated downloads can cost spammers a lot of money for bandwidth usage as well as processing power required to handle the data transfer. When enough people run "spam vampires," a spammer's website can cost a spammer money while at the same time being too busy to process requests from those people who actually buy products advertised in spam. Programs that download content from spammers' websites have been proven very effective. A program called "Make Love Not Spam" was so effective that it actually shut down many spammers' websites. "Blue Security" was another hard hitter against spammers. When "Blue Security" was up and running, many people, including me, noticed a huge decrease in the amount of spam received. Unfortunately, both Blue Securi
This is the first ACTUALLY HUMOROUS (versus lameass rehashed cliche attempt at such .. oh wait I'm sorry IN SOVIET RUSSIA, joke thinks YOU are lame!) post I've seen in this whole damned discussion. Bravo.
How the fuck do they send Spam to people through e-mail? How the fuck do I get in on this free Spam offer?