Slashdot Mirror


Bot Infestations Reach Nearly 1.2M

mengel writes "According to the folks at SecurityFocus the number of bot-infested systems has surged to nearly 1.2 million. This after a big drop in December when lots of people replaced/upgraded systems. Time to upgrade your spam filtering software, the onslaught is coming."

194 comments

  1. Tweaking liability laws by Harmonious Botch · · Score: 5, Insightful

    These bots could be greatly limited with proper tweaking of liability laws. Under current laws, if I leave a pool or a car unsecured and somebody else gets injured or killed, I can be found totally or partially liable. But if I leave my computer unsecured and someone else uses it to cause harm to third parties, I'm in the clear.

    1. Re:Tweaking liability laws by Watson Ladd · · Score: 5, Insightful

      It would be hard to determine what constitutes appropriate security. And how are you supposed to know about a zero-day or a subtle misconfiguration? A pool is easy to secure. A car is easy to secure: Both have small threat models and physical protection is all you need. A computer is much harder to secure.

      --
      Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
    2. Re:Tweaking liability laws by gregleimbeck · · Score: 5, Funny

      If my unsecured computer causes somebody to get injured or killed, I will take responsibility. OTOH, if my car starts spreading malware and spamming, you're SOL.

      --

      P.S.,

      This is what part of the alphabet would look like if Q and R were eliminated.

    3. Re:Tweaking liability laws by Anonymous Coward · · Score: 3, Insightful

      True, but life is hard. This is the solution to this "problem", just as having a 1 cent cost per email sent is the solution to the spam "problem".

      ISPs should immediately pull the plug too on infested machines to limit damages.

      There's no reason to let innocent bystanders suffer from the criminal neglect of some.

    4. Re:Tweaking liability laws by Yvanhoe · · Score: 1

      I am pretty sure that if someone gets physically harmed because of negligence on Joe's computer, someone can be found liable. Maybe Joe, maybe Microsoft, maybe Dell, maybe all of them.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    5. Re:Tweaking liability laws by NeverVotedBush · · Score: 3, Insightful

      But if I leave my computer unsecured and someone else uses it to cause harm to third parties, I'm in the clear.

      You would think the legal case could also be made to hold Microsoft liable for stolen personal information, illegal charges to credit cards, raided bank accounts, etc., when known but unpatched (i.e. no patch available) exploits to their software allow people's computers to be compromised.

    6. Re:Tweaking liability laws by maxume · · Score: 1

      It's a bit tricky though. I just run AVG Free Edition and Firefox, and I basically don't notice any malware trying to install itself. I guess there could be lots of stuff I just don't know about running on my system, but there isn't (my modem is idle and acting like it, and I do an ok job of paying attention to running processes). It costs me right around $0 to do this, and the 'cost' of acquiring the knowledge to do this is something like $80; anybody claiming Microsoft was at fault would have to demonstrate that they went to great lengths and it still broke.

      --
      Nerd rage is the funniest rage.
    7. Re:Tweaking liability laws by Harmonious Botch · · Score: 1

      You would think the legal case could also be made to hold Microsoft liable for stolen personal information, illegal charges to credit cards, raided bank accounts, etc., when known but unpatched (i.e. no patch available) exploits to their software allow people's computers to be compromised.

      Which leads us to the inevitable conclusion that the folks who make and interpret laws have no fucking clue as to what the net really is.

    8. Re:Tweaking liability laws by mrbluze · · Score: 5, Insightful

      if I leave my computer unsecured and someone else uses it to cause harm to third parties, I'm in the clear

      But if you have a car which injures people because the manufacturer put in lousy brakes, lousy locks, lousy steering etc, then the car manufacturer is in trouble, right?

      Whilst I agree with you, the liability laws need changing, "reasonable" attempts at securing a Windows PC (eg: using antivirus software) have proven to be a waste of time, so the onus should be on the manufacturer.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    9. Re:Tweaking liability laws by dattaway · · Score: 1

      I'm sure if someone released a bot to turn everyone's computer into a large distributed mp3/dvd botnet, the entertainment cartels might take an interest in fixing our computer problems.

      So who wants to write a script?

    10. Re:Tweaking liability laws by mrbcs · · Score: 5, Interesting

      I work for a small ISP and that's exactly what we do. You get two strikes. First is a warning to clean up your machine and put on antivirus software. Next time, we kick you off the network and terminate your account. Problem totally solved. We've had two people get the first warning. None kicked yet.

      --
      I'm not anti-social, I'm anti-idiot.
    11. Re:Tweaking liability laws by freedom_india · · Score: 3, Interesting

      ...and get sued for millions of dollars for hosting "Shakira"?? No thanks.
      RIAA/MPAA do not have any idea of technology. They would rather sue you (unwitting hosed guy) rather than sic the Secret Service on bot writers.
      Good luck trying to explain child porn to a jury by stating that your XP was compromised....

      --
      "Doing what i can, with what i have." ~ Burt Gummer
    12. Re:Tweaking liability laws by Bemopolis · · Score: 1

      *coughcough* cognitive dissonance *coughcough*

      --
      "I guess the moral of the story is, don't paint your airship with rocket fuel." -- Addison Bain
    13. Re:Tweaking liability laws by 1u3hr · · Score: 4, Insightful

      These bots could be greatly limited with proper tweaking of liability laws.

      There are hundreds, perhaps thousands, of known spammers in the US. (See the ROKSO list, eg.) Barely a handful are ever prosecuted. One or two have been sentenced, trumpeted here as a victory against spammers, but really showing that being caught and punished for deliberate spamming is a very rare event. Considering that, what could a "negligent" spammer get?

      ISPs can easily detect and cut off spam spewing robots. They have the right to do so in their TOS, but are just too complacent or perhaps concerned they'd have to deal with hundreds of clueless users complaining about it.

    14. Re:Tweaking liability laws by Anonymous Coward · · Score: 2, Interesting

      so the onus should be on the manufacturer.
      Ah, your sig [Do it yourself, 'cause no one else will do it yourself.] conflicts with your argument. :-)
    15. Re:Tweaking liability laws by jcr · · Score: 1

      Does your car run WINCE?

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    16. Re:Tweaking liability laws by evought · · Score: 1

      "Reasonable" is linked with "customary", which changes over time and is also informed by regulation and case-law. It used to be "reasonable" in many places to put railings around pools, balconies, etc. Now it is considered necessary in many places to have rails be within certain distances of each other (to prevent children falling through or getting heads stuck) either because of codes or because of successful law suits. "Reasonable" postings about danger and liability (e.g. "No lifeguard on duty") also develop over time.

      The same sort of thing would happen with computer liability, and, in fact, we will see it happen with HIPAA where very little guidance is given as to what a "reasonable" precaution is. There will be a lot of confusion at first, but it will slowly settle out. It is now considered "standard" precaution to keep your system patched, run anti-virus and run a firewall. Maybe avoiding 0-day vulnerabilities is not "standard", but you can actually reduce threats by tightening down your services, hardware/software firewalls, being paranoid about email, and changing browsing habits (e.g., no javascript). Over time, I expect those precautions would begin to be more standard. The test will be when someone gets sued and a jury finds that their caution was not "reasonable". As such, it generally pays to be more cautious than the current standard.

      (IANAL :) )

    17. Re:Tweaking liability laws by 56ker · · Score: 1

      Reasonable attempts include turning the inbuilt firewall in Windows on or running a software firewall as well as antivirus software.

      This would provide about three warnings that a compromised machine is being used to spam (and I've cleaned a few of these in my time as a freelance computer geek)...

    18. Re:Tweaking liability laws by mrbluze · · Score: 1

      Well, if you compiled your own linux distro, then you did it yourself :) But then you would be extremely unlikely to be unwittingly part of a botnet ;)

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    19. Re:Tweaking liability laws by penix1 · · Score: 4, Interesting

      Although it gives you a "warm fuzzy feeling"(TM) that your company isn't contributing to the bot problem, too many kicks and you soon have no customers. All that you are doing is forcing that customer to go to an ISP that won't give them the boot. It does nothing to actually solve the problem.

      An alternative would be instead of cutting them off completely, offer them an antivirus solution. Although I hate them, this is what companies like AOL and NetZero are doing.

      B.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    20. Re:Tweaking liability laws by Yartrebo · · Score: 1

      I'm not so sure. My best estimate is that running anti-virus software would increase the risk of hacking, at least in the case of Linux. There aren't exactly many Linux viruses (and none that I know of loose in the wild), and anti-virus software, which is proprietary, is a real easy way to get something like Magic Lantern or any other approved virus/trojan on your system.

    21. Re:Tweaking liability laws by russotto · · Score: 1

      You can be found liable if a minor gets injured or killed in your non-secured car; that's attractive nuisance law. You can't be found liable if a thief steals your car and uses it in a bank robbery.

    22. Re:Tweaking liability laws by stratjakt · · Score: 1

      if the **AA was anywhere near powerful enough to push around the tech industry, there would simply be no such consumer device as an "mp3 player" or "divx player", and routers wouldn't pass p2p traffic.

      The entertainment content industry is peanuts. Sony's entertainment division is like the pinky toe of the whole operation.

      --
      I don't need no instructions to know how to rock!!!!
    23. Re:Tweaking liability laws by Anonymous Coward · · Score: 0

      I am amazed by your stupidity. I hope you get infested and then sued by RIAA.

    24. Re:Tweaking liability laws by Phroggy · · Score: 3, Funny

      Good luck trying to explain child porn to a jury by stating that your XP was compromised....

      You're forgetting, most of the members of the jury run Windows XP too.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    25. Re:Tweaking liability laws by fm6 · · Score: 1

      Oh, great, you want to go after all the people who "let" their computers get infested. No problem getting that law passed!

    26. Re:Tweaking liability laws by iminplaya · · Score: 1

      ...what the net really is.

      It is quite simply a system of interconnected electronic devices that has, quite predictably, acquired a life of its own, a mere extension of the biological units that created it. As long as we chase that elusive pot of gold, this is going to continue. The easy money is just too tempting. The net is just another tool in this thousands of years old pursuit. The spammers are the symptom. You need to go to the source of their power. That might be the greed of their customers trying to make a quick buck, just like the spammers.

      --
      What?
    27. Re:Tweaking liability laws by kihbord · · Score: 1

      In that case, everybody needs to disconnect their cables from the Internet to make our computers secure. ;-)

    28. Re:Tweaking liability laws by mysticgoat · · Score: 1

      You would think the legal case could also be made to hold Microsoft liable for stolen personal information, illegal charges to credit cards, raided bank accounts, etc., when known but unpatched (i.e. no patch available) exploits to their software allow people's computers to be compromised.

      I wonder if passing new laws would be necessary? Maybe we already have laws that could be used to get us to the goal of a reasonably safe internet:

      Most municipalities have ordinances against "attractive nuisances", and I think the case could be made that Windows is an attractive nuisance and the owner of Windows software (not the licensee, but the actual owner) could be fined for each day of violation until he brings his property into compliance with generally accepted community standards and makes it reasonably safe against becoming zombified.

      There are also laws on the books in most jurisdictions regarding reckless endangerment (of 3rd party personal property or safety) that could be brought to bear. Someone who has a habit of leaving their keys in their car in a neighborhood of unruly preteens is recklessly endangering the general public by inviting some 10 year old who would be a menace on the road to steal the car. A company that markets fast motorized scooters to little kids to race up and down the sidewalks is recklessly endangering the general public. Perhaps a company that sells an OS to noobies that isn't safe until someone with a few years of experience configures it, loads appropriate antimalware packages, and configures those, is recklessly endangering all other computer users in the community.

      There isn't a need to wait until someone gets hurt; these laws are intended to be used proactively to discourage reckless people and companies from engaging in bad habits.

      Maybe all that is needed is the recognition that computing is no longer an esoteric activity, but has now become a necessary part of everybody's daily life. And that the laws we already have in place to protect us in our daily activities now need to be applied to this part of our lives.

    29. Re:Tweaking liability laws by Anonymous Coward · · Score: 0

      "These bots could be greatly limited with proper tweaking of liability laws."

      Good luck with that. From the article:

      "Increasingly, computer systems in China have become infected with bot software and used to attack or spam other targets."

      Which of us is in a position to "tweak" China's "liability laws", insofar as it may have such laws, and what makes you think China, or many other places these bots may be located, has either the will or the means to do anything?

    30. Re:Tweaking liability laws by erroneus · · Score: 3, Interesting

      A better solution would be to simply restrict their outgoing port access rather than to kick them. If they are on dialup, you just set up a dialup pool just for that (set of) logins that does not allow port 25 to go out.

      All over Japan, I have found, they are blocking outgoing port 25 and it's annoying as hell but I understand why they do it.

    31. Re:Tweaking liability laws by jonwil · · Score: 1

      If the RIAA can get the Russians to shut down allofmp3.com, why can't we (as a society, as internet users, as ISPs who have to deal with this crap etc) use the same pressure to get the Russians, Chinese or whoever to go arrest the people who are WRITING the malware in the first place and lock them up somewhere where they have no computers or internet access and can't use their malware skills to write even more malware. If the malware is being written in the USA, we can do the same thing there too. If enough of the people with the skills (which are above what your average work-a-day .NET coder would have) can be locked up, wouldn't that make it harder for these networks to keep operating? Also, while we are at it, let's do the same for the "Mr Bigs" that actually FUND these networks. Maybe we need to find a way to convince men like G.W. Bush that said "Mr Bigs" are terrorists :)

    32. Re:Tweaking liability laws by iSeal · · Score: 1

      If the RIAA can get the Russians to shut down allofmp3.com, why can't we (as a society, as internet users, as ISPs who have to deal with this crap etc) use the same pressure to get the Russians, Chinese or whoever to go arrest the people who are WRITING the malware in the first place and lock them up somewhere where they have no computers or internet access and can't use their malware skills to write even more malware.

      That AllofMP3 is actually still operating despite this incredible level of international pressure is a testament to just how little power Western governments truly have. The fact of the matter is that much of the critical infrastructure that allows this spam/botnet activity to persist unabated is protected by special interests within Eastern Europe.

      There are key US players as well, but despite the frustrating overt nature of their behaviour, the evidence is such that the FBI/SS would never be able to even get so much as a warrant.
    33. Re:Tweaking liability laws by HappyEngineer · · Score: 1

      Are you sure there are even hundreds? I get a lot of spam, but there's very little variety in that spam. It seems to me like there are a tiny number of spammers that control a large number of zombie machines.

      If there were truly a huge number of spammers then you'd think that the average spam per day would stay roughly level. It doesn't. There are days when I get no spam at all. There are days when I get one or two messages. There are days when I suddenly get dozens of messages (usually all of the same type).

    34. Re:Tweaking liability laws by Tim C · · Score: 1

      The real problem, as I see it, is that the vast majority of computer users have absolutely no understanding whatsoever of even the most basic of good practices when it comes to using and securing a computer. Most infections are entirely avoidable, if only people would stop downloading and running executables from untrusted sources, or from trusted sources when they're not expecting them (eg an unexpected mail from a friend).

      Remote exploits are actually comparatively rare; the problem would be a hell of a lot less severe if people would only take the time and effort to educate themselves and apply a little more caution and common sense.

      Making a software producer liable for remote exploits in their products I can just about see, although open source would not be immune to that, so it's a can of worms you may not actually want to have opened. Making them liable for a user running a virus or trojan and rooting their own box in the process simply isn't going to work though.

    35. Re:Tweaking liability laws by freedom_india · · Score: 1

      HEY !! Will you all please STOP talking about allofmp3.com ? I just refilled my subscription with 20 dollars and I hope to download that many songs (Mozart, etc) before they are killed totally.
      With you guys bringing it up here, that is enough initiative for any RIAA cronies to report back to their parents to renew the shutdown.
      Damn you guys!

      --
      "Doing what i can, with what i have." ~ Burt Gummer
    36. Re:Tweaking liability laws by rhyder128k · · Score: 1

      Is "runs windows XP" becoming a euphemism for something sickly?

      --
      Michael Reed, freelance tech writer.
    37. Re:Tweaking liability laws by 1u3hr · · Score: 1

      Are you sure there are even hundreds?

      Well, the ROKSO list includes "131 Spam Operations as at 3/23/07", more than half American. Not all active 24/7 of course.

    38. Re:Tweaking liability laws by Peter Simpson · · Score: 1

      Wish other ISPs were proactive like yours. It's an opportunity to build a positive customer relationship. You need to remember that the bot-infested customer is most likely unaware of it, and certainly didn't do it deliberately. This is your opportunity to educate them, help them get rid of the infestation and give them some tips to avoid re-infestation (use Firefox instead of IE, don't answer emails from people with money to give away...)

      People, in general, have either a neutral or negative impression of the larger ISPs. A positive, non-adversarial bot-removal approach would be a win-win move.

      Like I said...too bad the large ISPs haven't figured that out yet.

      Peter

    39. Re:Tweaking liability laws by BrokenHalo · · Score: 1

      Oh, great, you want to go after all the people who "let" their computers get infested. No problem getting that law passed!

      Indeed, but actually this might not be such a bad idea.

      If people were forced to acknowledge some degree of responsibility, to the same degree as people are forced to accept that it is stupid/inconsiderate/illegal to drive a car while drunk (to use an obligatory /. car analogy), our lives would probably be a bit easier. Of course, that would entail some level of quality control on the part of operating systems designers, but that wouldn't necessarily be such a bad thing either.

      Given that consumers often pay more for their anti-virus software than they (appear to) do for their OS, it might be easier to get such a draconian law passed than one might suppose.

    40. Re:Tweaking liability laws by rbochan · · Score: 3, Interesting

      ...too many kicks and you soon have no customers...

      To be honest with you, I _would_ use that ISP versus one that doesn't dump the garbage traffic. I consider that a damn nice feature.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    41. Re:Tweaking liability laws by jonwil · · Score: 1

      If the Russians truly want WTO membership, they are going to have no choice but to shut down sites like allofmp3.com (or failing that, stop allofmp3.com selling RIAA music and/or allowing western users onto their service)

      On the other hand, the US has been "fighting" with South American drug lords that flood the streets of America with illegal substances for decades and they haven't been able to stop the flow there.

    42. Re:Tweaking liability laws by walt-sjc · · Score: 1

      Why is it annoying? Get out of the 1990's and use port 587, the MSA port, instead of port 25 which should ONLY be used by servers. It's too bad that the concept of differentiating MSA / MTA came as late as it did otherwise mail clients would all be defaulting to 587 instead of 25. We enforce this internally... All DHCP desktops / notebooks are blocked from port 25 and must authenticate on port 587. No outbound port 25 except by the mail servers.

      While I used to be against it ("if I pay for internet access I don't want it filtered") I'm all for outbound port 25 blocking for dynamic (dhcp) clients at this point. The sooner everyone does it, the sooner we see a significant drop in spam / virus propagation. With port 587, VPN's, proxies, and ssh tunnels (all that require authentication) available, the need for dynamic IP clients to have direct port 25 access to the world is nonexistent. Some people whine about wanting to run home mail servers, but that is already no longer viable due to blacklisting by major mail servers of dynamic IP space.

    43. Re:Tweaking liability laws by walt-sjc · · Score: 1

      If you cause someone financial harm you can be found liable too.

    44. Re:Tweaking liability laws by walt-sjc · · Score: 1

      I just read what I wrote, and see that it's not clear. Note that while you "can" be found liable, it's not guaranteed. It depends on the situation / intent. For example: if your underage kids vandalize someone's car, you can be held financially liable for the damage. It's not a perfect analogy, but no analogy ever is...

    45. Re:Tweaking liability laws by Anonymous Coward · · Score: 0

      You could port 25 block, and use policyd or some such in your outgoing mail server to limit the number of connections from your customer subnet. 40 every 20 minutes seems to catch most of the zombies and none of the legitimate email users. This works better and you can send yourself a report every morning from the policyd database telling you who is pwned.
      This software can be done for free, with a reasonable Linux box and postfix or qmail.

      You could also pay for an IDS/Virus Mitigation box from Cisco/Allot/Sandvine/Barracuda. I like the Linux better, cause you want to really only focus on one primary thing, filtering your customers outgoing mail.

      If you have not kicked anyone off, you have not been doing it very long, or are not following through.

      The ones that used to get warnings from us, well, they ALWAYS come back. Kids / they don't care / they are dumb.
      It's always the same people, I swear, despite recommendations of Avast, AVG, Spybot S&D, and do your bloody windows updates.

      Now I get a script telling me about them (the same people from 2 years ago) instead of 79,000 deferred messages and abuse reports from spamcop in the morning.
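      An added example (not from the post above, and not policyd's own code) of the check that post describes: a sliding-window count of SMTP connections per source IP over Postfix-style "connect from" log lines, flagging any customer-subnet source that exceeds 40 connections in 20 minutes, plus the morning-report summary. The subnet, hostnames, IPs and timestamps are constructed; log lines are assumed to arrive in time order, as they do in a syslog file.

```python
"""Sliding-window outbound-SMTP connection limiter (constructed example).

Parses Postfix smtpd "connect from" lines, counts connections per source IP
inside the customer subnet, and flags any source exceeding MAX_CONNECTIONS
within WINDOW -- the "40 every 20 minutes" threshold quoted in the post.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

MAX_CONNECTIONS = 40
WINDOW = timedelta(minutes=20)
CUSTOMER_SUBNET = ipaddress.ip_network("10.20.0.0/16")  # assumption: constructed subnet

# Example Postfix line this regex matches:
#   "Mar 23 06:01:02 mx1 postfix/smtpd[1234]: connect from unknown[10.20.5.7]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def parse_line(line, year=2007):
    """Return (timestamp, ip) for a connect line, or None for anything else.
    Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, ipaddress.ip_address(m["ip"])


def find_offenders(lines, limit=MAX_CONNECTIONS, window=WINDOW, subnet=CUSTOMER_SUBNET):
    """Return {ip: (first_time_over_limit, peak_connections_in_window)}.

    Each source keeps a deque of connection times; times older than `window`
    are dropped from the front before the count is compared with `limit`."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip not in subnet:
            continue  # only police our own customers, not the rest of the world
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            first, peak = offenders.get(ip, (ts, 0))
            offenders[ip] = (first, max(peak, len(q)))
    return offenders


def report(offenders):
    """One line per flagged customer, the kind of summary mailed each morning."""
    rows = [
        f"{ip}  first over limit at {first:%H:%M:%S}, peak {peak} connections in 20 min"
        for ip, (first, peak) in sorted(offenders.items(), key=lambda kv: str(kv[0]))
    ]
    return "\n".join(rows) if rows else "no sources over limit"


def make_log(ip, start, count, spacing):
    """Build constructed connect lines for one source at a fixed spacing."""
    return [
        f"{start + i * spacing:%b %d %H:%M:%S} mx1 postfix/smtpd[{4000 + i}]: "
        f"connect from unknown[{ip}]"
        for i in range(count)
    ]


# Constructed sample log: a zombie, an ordinary user, and a host outside the subnet.
START = datetime(2007, 3, 23, 6, 0, 0)
SAMPLE_LOG = sorted(
    make_log("10.20.5.7", START, 60, timedelta(seconds=10))      # 60 connections in 10 min
    + make_log("10.20.9.2", START, 5, timedelta(minutes=3))      # 5 in 12 min: fine
    + make_log("192.0.2.44", START, 100, timedelta(seconds=1)),  # not our customer
    key=lambda line: parse_line(line)[0],
)

if __name__ == "__main__":
    print(report(find_offenders(SAMPLE_LOG)))
```

      Feeding the same function a real mail log (the connect lines only, in order) gives the list the post's morning script produces; lowering `limit` or widening `window` trades false positives against slower zombies.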

    46. Re:Tweaking liability laws by erroneus · · Score: 1

      I would say yes to a degree but not entirely.

      At least in Japan, the implementation of MSA works by translating a port 587 within the ISP network to a 25 as it leaves the network. As it turned out, it's very bad since, #1, it only takes minor tweaking to make zombies talk across 587, but additionally, if people want to use an external email server for whatever reason and THEY are using the MSA thing as well, they become unreachable since all 587 requests translate to 25 outside the network.

      You might say, "that's a bad implementation" and I'll agree with you, but that is what we're seeing.

    47. Re:Tweaking liability laws by Orange Crush · · Score: 1

      To be honest with you, I _would_ use that ISP versus one that doesn't dump the garbage traffic. I consider that a damn nice feature.

      Yes, but are there nearly enough people amongst the teeming millions who feel that way too? Most don't understand that spam comes from ordinary people's compromised computers. As far as they know, AntiVirus software ought to catch and fix any problems (even if they don't update it, renew their subscription, or patch the OS.). If their computer slows to a crawl they assume it's "running out of memory and need to delete some files." To them, a virus causes pop-ups, BSODs and erases their hard drive.

      The botnet problem is very difficult to address. Especially because virtually every possible solution involves educating a large chunk of the user base on topics they understand poorly and have little interest in.

    48. Re:Tweaking liability laws by pjbgravely · · Score: 1

      So basically you are saying the companies who sold the hardware / software are at fault. They fail to provide a safe computing environment for the clueless users that they know they are selling their products to.

      The solution is to mount home directories noexec by default. Power users would change this so they can run their scripts. All software installed should be on repositories certified safe by the OS providers. The companies that provide installers will be forced to allow their products to be included in OS's repositories.

      Hardware sellers that continue to provide software that doesn't have these two features should be liable for the malware.

      --
      Star Trek, there maybe hope.
    49. Re:Tweaking liability laws by CowboyJezus · · Score: 1

      Speaking of tweaking, how do you know if your computer is infested with a bot? I don't know anyone that isn't running some kind of commercial anti-virus, spyware and firewall these days. Many of the programs are free but if you've paid for it, then couldn't you hold your anti-virus/firewall/spyware company liable for said damages?

    50. Re:Tweaking liability laws by _iris · · Score: 1

      I would also consider their pro-active response to the bot/spam problem (let's face it, they are one and the same) in my purchasing decision. However, I'd much rather see them just rate limit that customer down to ~32 kbs because many, many people would never notice the difference between that and their spam-saturated 128-384 kbs uplink (I'm assuming DSL or cable here), but the botnet operators would find that useless.

    51. Re:Tweaking liability laws by fm6 · · Score: 1

      Jeez, I get so tired of Slashdot amateur lawyers. It doesn't matter how much legal liability all those clueless folks with infested computers have. Who's going to approach 1 million plus computer owners and tell them "fix your computer or be sued!" It would be a logistical, political, and economic nightmare.

    52. Re:Tweaking liability laws by nuzak · · Score: 1

      He's mentioned a grand total of two people that got The Warning. I suspect my local library is a bigger ISP than this fella's. They probably don't even do port25 blocking -- and yes, despite the reports of worms that use the smarthost MX, the vast majority still attempt a direct connection. Besides, if all worms switched to using the smarthost, the bigger ISPs that aren't currently tackling their infestation may suddenly be forced to care when all the zombies start abusing *their* resources.

      --
      Done with slashdot, done with nerds, getting a life.
    53. Re:Tweaking liability laws by Tigwyk · · Score: 1

      It doesn't surprise me that someone with this point of view does NOT sign their comment. Extreme right-wing satire, perhaps?

      Either way, losing your internet service because someone exploited a zero-day on your box is NOT what I want to see happen. Exploits are constantly being researched by white and blackhats alike, but to be cut off without ANY way to defend yourself (seeing as most people don't patch for a few days ... or weeks) is just unfair.

      No. Plain, simple, no.

      There are other ways to deal with this.

      --
      "Pi is exactly 3!" *gasp*
    54. Re:Tweaking liability laws by nuzak · · Score: 1

      > The solution is to mount home directories noexec by default.

      $ /bin/sh $HOME/.malware.sh

      --
      Done with slashdot, done with nerds, getting a life.
    55. Re:Tweaking liability laws by graphicsguy · · Score: 1

      If their computer slows to a crawl they assume it's "running out of memory and need to delete some files."

      In my experience, if a computer is slow, it means it has anti-virus software installed.

    56. Re:Tweaking liability laws by pjbgravely · · Score: 1

      $ /bin/sh $HOME/.malware.sh

      I forgot about that. Malware could just create a launcher that can run a script. Noexec may still stop a binary from running. I will have to look into this further. Maybe there is no hope after all.
      --
      Star Trek, there maybe hope.
    57. Re:Tweaking liability laws by nuzak · · Score: 1

      ELF executables are more or less "scripts" for ld.so, but there's no front end executable itself other than the kernel's exec family of syscalls that can invoke one, and exec checks execution permissions. Any reasonably expressive scripting language like perl or python could manage to trampoline an executable into its own address space (hell, shell could do it by fiddling with /proc/$$/mem), but if you can write arbitrary scripts at that level, you can already perform arbitrary operations without such trickery.

      Noexec is better for things like fileservers, or for mounting shares from an alien os/architecture where the executables wouldn't work anyway. The hassles of doing it on home directories are probably not worth the protection.

      --
      Done with slashdot, done with nerds, getting a life.
    58. Re:Tweaking liability laws by onepoint · · Score: 1

      People might laugh, but I run AVG all the time. Nightly I run MS Defender, then weekly Search and Destroy, monthly I run Ad-Aware.

      You would be surprised what I still find.
      AVG gets most of the real nasties and Defender gets the odd ball nasty.
      Search and destroy gets the web crap and some nasty
      and Ad-aware does a nice simple clean up.

      works for me.

      --
      if you see me, smile and say hello.
    59. Re:Tweaking liability laws by rifter · · Score: 1

      It doesn't surprise me that someone with this point of view does NOT sign their comment. Extreme right-wing satire, perhaps?

      You sound like one of those New York liberals. Maybe the post was written by the invisible hand!

      Either way, losing your internet service because someone exploited a zero-day on your box is NOT what I want to see happen. Exploits are constantly being researched by white and blackhats alike, but to be cut off without ANY way to defend yourself (seeing as most people don't patch for a few days ... or weeks) is just unfair.

      Fair, schmair, Vladimir! Here we let the market decide; all's fair in Free Market Capitalism!*


      * Note that weenie liberal French words like "laissez-faire" have gone the way of Freedom Fries.



      ** If you don't get it, you might not be a redneck :D.

    60. Re:Tweaking liability laws by mrbcs · · Score: 1

      We have almost 600 customers and yes, smart ass, we block port 25.

      --
      I'm not anti-social, I'm anti-idiot.
  2. Hmmm.... by groovemaneuver · · Score: 5, Funny

    This must be related somehow to Windows being the most secure operating system... :p

    1. Re:Hmmm.... by glittalogik · · Score: 5, Funny

      Damn those 1.2 million Linux users! Bloody hell, when will they learn?

    2. Re:Hmmm.... by webweave · · Score: 1

      Is this a Windows only thing? The article does not say.

    3. Re:Hmmm.... by pallmall1 · · Score: 2, Funny

      This must be related somehow to Windows being the most secure operating system...
      Yes, this is another KISS* from microsoft.

      * Keep It Spamming Stupid!
      --
      3 things about computers: they're alive, they're self-aware, and they hate your guts.
    4. Re:Hmmm.... by RedBear · · Score: 1

      I see people making jokes about all these bots being Windows-based, and of course I have to assume myself that this is the case based on experience. However, neither the original article nor the site they link to seem to make any mention of any operating system, let alone Windows. Are there any actual statistics for how many of these detected bots are running on Windows? It's hard to be smug about other operating systems being so much more secure without having some actual data to point to.

      Well?

    5. Re:Hmmm.... by CowboyJezus · · Score: 1

      I think that's because the average user that this article was intended for doesn't realize that "computer" is a broad term and that operating system is anything other than a way to cheat at gambling. ;-)

  3. All those bots must be coming from by Steve--Balllmer · · Score: 5, Funny

    all those Linux and OS X systems, since Symantec says Windows is the most secure operating system.

  4. Forget the spam filters... by ShaunC · · Score: 2, Insightful

    ...It's more like "time to put an ad in the paper, an onslaught of new customers is coming!" I wish I still had time to do spyware removals and clean up infested computers. Easy money for those who have the time and are willing to make housecalls.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    1. Re:Forget the spam filters... by Anonymous Coward · · Score: 0

      I've often wondered how much of a market there really would be for services like this. I recently had my hours at work cut back significantly, and am in the process of looking for a new job...and the thought of putting an ad in the paper has crossed my mind, especially when I see how much places like Best Buy and Staples charge for virus scans and other basic things....

      I suppose it depends on where you live etc...but in general do people who put ads in papers like that make money?

    2. Re:Forget the spam filters... by Anonymous Coward · · Score: 0

      (Not the OP...)

      I've been doing this more than a year. I charge a flat $50 fee to "clean up" a machine. This includes antivirus sweep and install (AVG configged to update), and an AdAware/Spybot/HijackThis sweep (AdAware gets installed, the others are run from CD as diag only). I do things freelance, house call, max 1 hour onsite, all cash. You give me $50, I will clean your comp straight up in an hour or less. My expense is a CD of Knoppix, and a CD with the latest copies of the other tools on it.

      Almost every time I let them off with less than $50. "Well I usually charge $50 for this but you have been so nice and you gave me some lemonade, I am going to cut it down to $40." They think they just worked me over for a deal, when really they are paying out the butt for having me in their home for 20 minutes to get their machine back working right. If you set things up right you can get to where you have 10-20 pending jobs at any given time and you do the ones geographically close to one another on each day. Imagine billing 4 $50 jobs in one day, even giving them discounts, you can still pull in $150 every day.

      The real ticket is getting a couple of high profile jobs. Contact your local radio DJ's, or your local television anchors, offer it as a free service to them, holy hell will that pay off. They will talk you up like crazy for free. Then you're set.

      Good luck

    3. Re:Forget the spam filters... by macaroo · · Score: 1

      I am retired and yes I do a lot of malware clean up and tweaking for my customers. It is good money. Easy? I don't think so considering the large number of different spyware. You have to have a lot of patience.

    4. Re:Forget the spam filters... by Anonymous Coward · · Score: 0

      I get $50 a computer which people are very willing to pay twice a year to have their system tuned up. I do house calls and others just drop off their box and pick it up the next day; these are networked into a server running scripts to clean and tune them up, at any one time there are 10-15 drop boxes on the network. I get another $25 for letting the client sit next to me and ask questions on how to cut and paste, use hot keys, and change the wallpaper and set the screen saver.

      If you can be very patient answering questions on how to change the obnoxious Microsoft start up sound that alone is worth another $40.

  5. I, For One... by NeverVotedBush · · Score: 3, Funny

    Welcome our new botnet overlords...

    1. Re:I, For One... by rhyder128k · · Score: 1

      How long before these bots link up and become nodes in a larger network? At that point they store information, react to direct stimulus and transmit to the rest of the network. Each cell might be relatively simplistic, with no goals other than self-preservation, replication and transmission of data to the other nodes. Surely, there will be fitness rewards for a node that behaves in a certain way? With a billion of them, I wonder what potential would be for emergence?

      [mike begins to buy canned food]

      --
      Michael Reed, freelance tech writer.
    2. Re:I, For One... by miro+f · · Score: 4, Funny

      How long before these bots link up and become nodes in a larger network? At that point they store information, react to direct stimulus and transmit to the rest of the network. Each cell might be relatively simplistic, with no goals other than self-preservation, replication and transmission of data to the other nodes. Surely, there will be fitness rewards for a node that behaves in a certain way? With a billion of them, I wonder what potential would be for emergence?


      translation: Imagine a Beowulf cluster of those!
      --
      being vague is almost as cool as doing that other thing...
  6. How does this square with Vint Cerf's speech? by winkydink · · Score: 1

    Didn't he say at the World Economic Forum at Davos that as many as 25% of all machines connected to the internet were infected? That strikes me as a whole lot more than 1.2 million

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    1. Re:How does this square with Vint Cerf's speech? by Klaus_1250 · · Score: 1

      The summary isn't entirely clear. The 1.2 million are reported/analyzed/confirmed (couldn't find info on Shadowserver's exact methodology). The number certainly won't cover all botnets (looking at their botnet map).

      --
      It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
    2. Re:How does this square with Vint Cerf's speech? by winkydink · · Score: 1

      You're right. I went back and read the original Shadowserver article. It's the number they are tracking, not their belief of the total number of infected machines.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    3. Re:How does this square with Vint Cerf's speech? by deek · · Score: 1

      Didn't he say at the World Economic Forum at Davos that as many as 25% of all machines connected to the internet were infected?


      You should know that 87% of all statistics are just plain made up.
    4. Re:How does this square with Vint Cerf's speech? by clickclickdrone · · Score: 1

      strikes me as a whole lot more than 1.2 million
      Actually, the total population of the Internet is only about 2 million. Most numbers you see are just PR, the hardware manufacturers trying to talk it up to make it look busy so they can sell more kit. Most of the people you see in forums, WoW, slashdot etc are just bots. I'm one too.
      --
      I want a list of atrocities done in your name - Recoil
    5. Re:How does this square with Vint Cerf's speech? by 99BottlesOfBeerInMyF · · Score: 1

      Didn't he say at the World Economic Forum at Davos that as many as 25% of all machines connected to the internet were infected? That strikes me as a whole lot more than 1.2 million

      The summary was misleading. 1.2 million was the number tracked by a given group, in contrast to 500,000 they saw with the same honeynets last week. It is not meant to be a total count and the article title should have read, "botnet activity triples from last week." I just happen to have access to (as far as I know) the largest chunk of realtime traffic analysis data on the planet from a project run by some of my coworkers. Doing some quick and dirty math Mr. Cerf's numbers are not entirely implausible. I'm not saying they're right, just that I can't with certainty contradict his assertion and he's not entirely out of the ballpark anyway.

    6. Re:How does this square with Vint Cerf's speech? by neomunk · · Score: 1

      I'm willing to bet my left nut that you're so undershooting the mark it's sick.

      Look at it this way, if there are only 2 million internet connected computers in the U.S. (not the World, just the U.S.) that would be 1 internet connected computer for every 150 people.

      I simply cannot buy into that.

      If the internet population is anything less than 100,000,000 at any given time I'd be shocked and amazed.
      I'd believe 1 billion, and I'd believe 1 device for every man, woman, and child on earth if you included everything with a local IP address that could get a packet to or from the ole' intartubes.

      That's all speculation though... Still, I have a hard time imagining that there are only 2,000,000 internet connected machines at any given time. Hell, I have 7 right here in my house.

    7. Re:How does this square with Vint Cerf's speech? by clickclickdrone · · Score: 1

      >I'm willing to bet my left nut that..
      That you're thick as fuck if you thought my post was anything other than a joke. I bet you think The Onion is a real news site too.

      --
      I want a list of atrocities done in your name - Recoil
    8. Re:How does this square with Vint Cerf's speech? by neomunk · · Score: 1

      Yeah, I know, I'm an idiot for thinking that someone posting on slashdot could believe something so ridiculous. It's not like you see people seriously posting far more outrageous claims every day.

      And even if I -AM- thick for thinking something with such an obviously low probability could happen, what's with the bile and troll like shit throwing attitude in your reply? What, does EVERYTHING you say just have to be dripping with cutting edge sarcasm? You're so fucking obviously cooler than me, I'm sorry to have wasted your obviously precious and important time. Oh, and look, you know about the Onion too, god, that's cool AND modern.

      Gimme a fucking break. The chances of finding an idiot post on any given slashdot thread approaches 1 as the number of posts approach, oh, about 20. About the same as troll posts actually. So I think I can be excused for thinking you were being an idiot rather than the troll you were actually being.

      My bad.

    9. Re:How does this square with Vint Cerf's speech? by clickclickdrone · · Score: 1

      >It's not like you see people seriously posting far more outrageous claims everyday.
      Hmm, you have a point there.

      >what's with the bile and troll like shit throwing
      You're right, I'm sorry. You were the victim of me having a bad hair day and the fact that too many times I've posted something here as a joke and the next dozen posters take it seriously and I'm left open-mouthed wondering if they've all had a humour bypass. I'm British and I do find a lot of Americans (no idea if you are) just don't spot certain types of humour we use a lot and it gets frustrating seeing it over and over again.

      Anyway, again, sorry. I was out of order in the harshness of my response.

      --
      I want a list of atrocities done in your name - Recoil
    10. Re:How does this square with Vint Cerf's speech? by neomunk · · Score: 1

      Wow.

      Um, thanks. And I apologize as well for the venom I squeezed out in my reply too. I guess harshness is doled out a little too quickly here on slashdot.

  7. But my spam is way down from the Dec/Jan peak by gvc · · Score: 2, Interesting

    Perhaps the big SEC bust actually had some effect. My personal harvest of spam has dropped recently from 1000/day to 500/day.

    1. Re:But my spam is way down from the Dec/Jan peak by Red+Flayer · · Score: 1

      My personal harvest of spam has dropped recently from 1000/day to 500/day.
      I noticed the same thing recently, but to use the word 'harvest'?

      Gives me the shivers, a vision of thousands of spamfarmers toiling in underground caves carefully tending their spam crops until harvest-time.

      I much prefer the term 'cull', since it implies getting rid of the chaff (to mix a farm metaphor or two) as well as refers to the 'meat' connotations of spam.
      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  8. Eh? by mcrh · · Score: 1
    The report back from the drop in holiday season '06 predicted a surge in Windows XP SP2 installations and slightly better security coming with it. However, at least the latter part of that doesn't appear to be the case.

    ...So, what happened? Was there, in fact, a sort of mass-migration afterward, which made the more homogeneous operating system landscape a more inviting target than before? Did the operating systems change, but not to XP SP2 --- and if that's the case, what operating systems are the new computers running?

  9. Computer bots by Anonymous Coward · · Score: 0

    How does one know if their computer (or relative's, etc.) is infected by a bot? Are there special diagnostic tools for that?

    1. Re:Computer bots by mrbcs · · Score: 1

      Usually the computer runs like shit and the network is transferring traffic like crazy when you haven't done anything.

      --
      I'm not anti-social, I'm anti-idiot.
    2. Re:Computer bots by winkydink · · Score: 2, Interesting

      Not true. Most modern bots are designed to stay under the radar. A zombie PC is worth money and it makes sense to keep control of it as long as possible. So most newer malware uses system resources sparingly.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    3. Re:Computer bots by goarilla · · Score: 1

      tcpdump (nix), ethereal/wireshark (nix+win), netstat (nix), iptraf (nix), htop (nix), lsof (nix), antivirus
      adaware, Spybot, process explorer, autoruns, TCPview, RootKitRevealer (windows -- Sysinternals) http://www.microsoft.com/technet/sysinternals/default.mspx/, etc ...
      if your computer isn't supposed to do anything and it's opening connections to ports 6667 (irc), 25 (smtp), 20 & 21 (ftp) then it would be a good assumption that your pc has been zombified
      there are people over here who have more experience in this area and they will comment :D
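      The check the comment above describes, as an added example that is not the commenter's code: parse `netstat -ano` style output (Windows format, constructed sample) and flag outbound connections to the ports named above, plus a process talking to several SMTP servers at once, which on an idle home PC looks like direct-to-MX spamming. Port list, state set and the fan-out threshold are assumptions chosen for the demo.

```python
from collections import defaultdict

# Ports singled out in the comment above and why each matters on an idle home PC.
WATCHED_PORTS = {
    6667: "IRC (classic botnet command-and-control channel)",
    25: "SMTP (direct-to-MX spam delivery)",
    20: "FTP data",
    21: "FTP control",
}

# Only these TCP states mean *this* host initiated or holds a live connection.
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}

# Constructed sample in the shape of `netstat -ano` on Windows XP; not real data.
# PID 3260 is the hypothetical zombie, PID 2120 is a normal browser session.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    192.168.1.10:1037      192.168.1.1:80         ESTABLISHED     2120
  TCP    192.168.1.10:1041      198.51.100.7:6667      ESTABLISHED     3260
  TCP    192.168.1.10:1042      203.0.113.20:25        SYN_SENT        3260
  TCP    192.168.1.10:1043      203.0.113.21:25        SYN_SENT        3260
  TCP    192.168.1.10:1044      203.0.113.22:25        ESTABLISHED     3260
  TCP    192.168.1.10:1045      192.0.2.9:21           ESTABLISHED     3260
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Turn `netstat -ano` output into connection records.

    Header, blank and UDP lines (which have no State column and so split into
    four fields instead of five) are skipped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, local, foreign, state, pid = parts
        remote_host, _, remote_port = foreign.rpartition(":")
        if not remote_port.isdigit():
            continue
        records.append({
            "local": local,
            "remote_host": remote_host,
            "remote_port": int(remote_port),
            "state": state,
            "pid": int(pid),
        })
    return records


def suspicious_connections(text, smtp_fanout_threshold=3):
    """Return (pid, target, reason) findings for bot-like outbound activity.

    Two signals: any live connection to a watched port, and one process
    reaching `smtp_fanout_threshold` or more distinct SMTP servers, which is
    the fan-out pattern of a spam engine rather than a mail client.
    """
    findings = []
    smtp_targets = defaultdict(set)  # pid -> set of remote SMTP hosts
    for rec in parse_netstat(text):
        if rec["state"] not in OUTBOUND_STATES:
            continue
        port = rec["remote_port"]
        if port in WATCHED_PORTS:
            findings.append((rec["pid"], f"{rec['remote_host']}:{port}", WATCHED_PORTS[port]))
        if port == 25:
            smtp_targets[rec["pid"]].add(rec["remote_host"])
    for pid, hosts in smtp_targets.items():
        if len(hosts) >= smtp_fanout_threshold:
            findings.append((pid, f"{len(hosts)} distinct SMTP servers",
                             "SMTP fan-out: looks like direct-to-MX spamming"))
    return findings


def pids_to_investigate(text):
    """Distinct PIDs that produced any finding; these are what to look up in
    Process Explorer / Task Manager next."""
    return sorted({pid for pid, _, _ in suspicious_connections(text)})


if __name__ == "__main__":
    for pid, target, reason in suspicious_connections(SAMPLE_NETSTAT):
        print(f"PID {pid:5d}  {target:32s} {reason}")
    print("investigate PIDs:", pids_to_investigate(SAMPLE_NETSTAT))
```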

    4. Re:Computer bots by gvc · · Score: 1

      Look in the incoming/outgoing connection log on your Linksys (or whatever) broadband router. If you see connections to all sorts of places you shouldn't -- especially on port 25, yank your ethernet cable and consult a professional.

      No broadband router? Go buy one. They're free (after rebate, of course!)

    5. Re:Computer bots by Anonymous Coward · · Score: 0

      windows has netstat.

    6. Re:Computer bots by Technician · · Score: 4, Funny

      How does one know if their computer (or relative's, etc.) is infected by a bot? Are there special diagnostic tools for that?

      There are 3 things to look for.
      1 Is it running Windows?
      2 Is it connected to the Internet?
      3 Has it been on for more than 20 minutes?

      --
      The truth shall set you free!
    7. Re:Computer bots by stewbacca · · Score: 1

      Again, this may be a technically sound solution, but it is far beyond the ability of 90% of computer users. I'd bet your average user doesn't even know what Linksys is, let alone port 25. Hell, "ethernet" and "router" are probably foreign to most users.

    8. Re:Computer bots by goarilla · · Score: 1

      yeah i thought so wasn't sure tho !

    9. Re:Computer bots by TropicalCoder · · Score: 1

      I got my ports scanned last week by one of these port scanning services on the internet. Mostly all my ports were locked down and stealthed, so then I started getting my dynamic ports scanned. Now, I know it would take all day to scan them all, but just for the heck of it, I scanned several thousand, thinking I would continue this way until I tired of it. Then I got to port 8701 - and it turned up as opened (TCP connect). I confirmed that with another service. I ran netstat -ano, and it showed no service running on that port. I ran Ethereal, and there was no traffic to or from that port. Actually, I even ran it during the port scanning process, but I could not see any scanning of that port going on. So what's going on here, can anybody tell me? I run ZoneAlarm on my WinXP Pro system w/DSL modem/NAT, and I certainly haven't knowingly allowed anything access to that port. I keep an eye on my processes - nothing there that shouldn't be. I have all the services shut down that I don't actually need. This is my home computer - no home LAN, no printer even. Can anyone tell me why that port is open?

  10. ISPs take action? by pembo13 · · Score: 1

    Why don't ISPs start sending automated physical mail to the homes of obvious spam bots?

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    1. Re:ISPs take action? by Anonymous Coward · · Score: 0

      Will you pay for the postage stamps?

  11. Battle is now greylisting versus IP address spread by RonBurk · · Score: 3, Interesting

    IMO, the real battle here is caused by greylisting. Greylisting plus a honeypot database of fake email addresses is clearly the most effective, automatic, general-purpose anti-spam mechanism to come along. Spammers are starting to feel the pinch (even though lots of people are still struggling with old-fashioned "filtering" mechanisms, and are still easy and fun targets).

    The spammers who are starting to take on greylisting are doing so by two main mechanisms: massive distribution across IP address space, and direct use of infected PC MTAs.

    The IP address spread is fairly simple to understand. If you have 100,000 zombie PCs with 100,000 IP addresses, then clearly you can send 100,000 pieces of spam without ever using the same IP address twice. That makes the honeypot database of greylisting useless, since I rely on waiting to see a given IP address send email to a known "bogus" email address to correctly identify that IP address as a spammer (in the short term, at least).

    The direct use of infected PC MTAs is more difficult. If the zombie PC can programmatically use the unsuspecting owner's own ISP MTA to send the spam, then it becomes very difficult to distinguish that spam from real mail sent from a real person (just as botnet click fraud is very difficult for Google to do anything about without also discounting some "real" clicks).

    To respond to the massive distributed IP address spammer, I think a drastic increase in bogus email addresses would help, so that they have to transmit to 10 or 100 times more addresses in order to hope to reach the same # of real people. It's easier for website owners to create more bogus email addresses than it is for the spammers to infect more PCs. You basically always "drop" mail sent to a bogus address so that the spammer is convinced it went through and is getting to a "real" person (and probably even sells that address to other spammers as "verified").

    That would push the spammers squarely into focussing on using the infected owner's own ISP's MTA for transmission, giving those ISPs an ever-increasing workload of bogus mail to send. Sorry, but that's where this war is headed anyway: to the point where ISPs will start charging customers to disinfect their PCs once they've been identified as botnet spam transmitters.

    I'm going to start slowly increasing my spamming of spammer address databases today (e.g., by injecting more hidden text email addresses onto websites). Note that this is not a "solution" to spam (so please don't post that cute little form :-). This is just an effort to push the problem where I think it's going to end up eventually anyway: on the backs of ISPs that have not yet come to view infected customer PCs as "their" problem yet.

  12. If only more ISPs added their net blocks to PBL... by bcc123 · · Score: 1

    http://www.spamhaus.org/pbl/index.lasso

    How hard is that?

    And if all major providers did it, then zombie spam would die out pretty quickly.

  13. Most of these "upgrades" were to Vista... by FMota91 · · Score: 1

    ...and they have the nerve to call it the most secure Operating System.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C1 bottles of beer on the wall. Take one down, pass it round... Oh, umm...
    1. Re:Most of these "upgrades" were to Vista... by Anonymous Coward · · Score: 0

      Most of these "upgrades" were to Vista...

      Do you have ANY real data to back that up?

    2. Re:Most of these "upgrades" were to Vista... by FMota91 · · Score: 1

      Do you have ANY real data to back that up?

      Yes. 67% of computer "upgrades" (meaning people who bought a new computer or upgraded an existing one) were to Vista. I know this because out of a sample of three people who "upgraded" (me, my mother, her husband), two of them bought Vista PCs.

      What? It's not like Symantec did much better with their data...

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C1 bottles of beer on the wall. Take one down, pass it round... Oh, umm...
  14. "systems" euphemism by allin · · Score: 3, Insightful

    The article speaks of "bot-infested systems". Call a spade a spade. These are bot-infested PCs running MS Windows. They make life hell for the rest of us.

  15. ZEN DNSBL by the_flyswatter · · Score: 1
    Make sure you update the RBL on your spam blocker to include zen.spamhaus.org. It contains the PBL (Policy Block List) which helps to filter out home internet connections. Zen includes the SBL and XBL, making it the replacement for sbl-xbl.spamhaus.org.


    See http://www.spamhaus.org/zen/

  16. Who's buying the crap? by mightyQuin · · Score: 1

    Who are the idiots that buy the crap that make it worthwhile for spammers to install the bots that send out the spam? Shouldn't the people that create this financial incentive somehow be to blame too?

    --
    Now, if you'll excuse me, I've got some idea balls to remove from a manatee tank.
    1. Re:Who's buying the crap? by Anonymous Coward · · Score: 0

      I'm really really sorry! I don't think I'll do it again. But I did once and as a result I was able to migrate to another country. Were it not for spammers I'd most likely still be stuck at my dead-end job in my country of origin but I got an email about these lawyers that handle migration applications. I investigated them and they were legit so I gave it a shot and now I'm here. I'm not defending spam, but this is the reason it works. Not all spam is selling Bee4gr4 or phony stock. Hey and some people buy even that.

    2. Re:Who's buying the crap? by Anonymous Coward · · Score: 0

      Good point! There should be "honeypot" spam too and if someone would answer it, they would be shot on the spot. In my country at least...

      Maybe this idea could be refined a bit for more general use.

    3. Re:Who's buying the crap? by Anonymous Coward · · Score: 0

      "...they would be shot on the spot. In my country at least...."

      And your country would be reviled and isolated. You would be labeled a despot and if you weren't assassinated by your own people, you would eventually be hanged in the town square.

    4. Re:Who's buying the crap? by Nethead · · Score: 1

      If it cuts down the spam....

      --
      -- I have a private email server in my basement.
  17. Tiny detail concerning shadowserver world map... by Anonymous Coward · · Score: 0

    It's a bit outdated. http://www.shadowserver.org/wiki/uploads/Stats/ccip.jpg
    Let's play the game "find name missing/new countries (sorted by alphabet)".

    A) Afghanistan
    B) Bosnia
    C) Croatia
    ...

  18. Re:Battle is now greylisting versus IP address spr by Anonymous Coward · · Score: 5, Interesting

    The IP address spread is fairly simple to understand. If you have 100,000 zombie PCs with 100,000 IP addresses, then clearly you can send 100,000 pieces of spam without ever using the same IP address twice. That makes the honeypot database of greylisting useless, since I rely on waiting to see a given IP address send email to a known "bogus" email address to correctly identify that IP address as a spammer (in the short term, at least).

    That isn't greylisting at all (though it is useful against spam).

    Greylisting is giving a "new" incoming SMTP connection a 400-series error message the first time they try to send email to you. A 400-series error means a temporary problem - please try again. When they try to send the email a second time, you accept.

    Since all legitimate email servers will retry when they get a 400-series error, a legitimate message will go through, at a cost of a time delay.

    However, most spammers don't bother retrying (although some do), so you can block a lot of spam with greylisting, with very little bandwidth or CPU cost.
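    The greylisting logic described above, as an added example that is not the commenter's code: the server keys on the (client IP, envelope sender, recipient) triplet, answers 451 the first time it sees one, accepts a retry that arrives after a minimum delay, and then whitelists that triplet so later mail is not delayed again. The retry delay, triplet lifetime and whitelist lifetime are assumed values for the demo, and the simulated legitimate MTA and non-retrying spammer use constructed addresses.

```python
from dataclasses import dataclass, field

# Tunables (assumed for this example; real MTAs expose these as config knobs).
MIN_RETRY_DELAY = 5 * 60            # a retry sooner than this is still deferred
TRIPLET_LIFETIME = 4 * 3600         # a never-retried triplet is forgotten after 4 h
WHITELIST_LIFETIME = 36 * 24 * 3600 # a proven triplet skips greylisting for 36 days

GREYLISTED = (451, "4.7.1 Greylisted, please try again later")
ACCEPTED = (250, "OK")


@dataclass
class Greylist:
    """Per-triplet state for one receiving MTA."""
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    whitelist: dict = field(default_factory=dict)  # triplet -> time last accepted

    @staticmethod
    def triplet(ip, sender, rcpt):
        # Envelope addresses are compared case-insensitively; the IP as given.
        return (ip, sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now):
        """Return the (code, text) the server answers at RCPT TO time."""
        key = self.triplet(ip, sender, rcpt)

        # Already proven to retry: accept immediately and refresh the entry.
        last_ok = self.whitelist.get(key)
        if last_ok is not None and now - last_ok < WHITELIST_LIFETIME:
            self.whitelist[key] = now
            return ACCEPTED

        first_seen = self.pending.get(key)
        # Never seen, or seen so long ago the entry has expired: defer again.
        if first_seen is None or now - first_seen > TRIPLET_LIFETIME:
            self.pending[key] = now
            return GREYLISTED
        # Retried, but too quickly: keep the original timestamp and defer.
        if now - first_seen < MIN_RETRY_DELAY:
            return GREYLISTED
        # A real MTA waited and came back: accept and whitelist the triplet.
        del self.pending[key]
        self.whitelist[key] = now
        return ACCEPTED


def simulate():
    """Replay a legitimate MTA that retries and a spam engine that does not.

    Returns the list of (label, SMTP code) the receiver answered, in order.
    """
    gl = Greylist()
    t0 = 1_000_000  # constructed epoch seconds; only differences matter
    legit = ("192.0.2.10", "alice@example.org", "bob@example.net")
    spammer = ("203.0.113.77", "offer@example.com", "bob@example.net")
    log = []
    log.append(("legit first attempt", gl.check(*legit, now=t0)[0]))
    log.append(("spammer first attempt", gl.check(*spammer, now=t0)[0]))
    # The spammer never comes back, so its message is never delivered.
    log.append(("legit retry after 1 min", gl.check(*legit, now=t0 + 60)[0]))
    log.append(("legit retry after 15 min", gl.check(*legit, now=t0 + 900)[0]))
    log.append(("legit next message, 2 h later", gl.check(*legit, now=t0 + 7200)[0]))
    return log


if __name__ == "__main__":
    for label, code in simulate():
        print(f"{label:32s} -> {code}")
```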

  19. Must be linux by rolfwind · · Score: 1

    because Windows is the most secure OS:

    http://it.slashdot.org/article.pl?sid=07/03/22/2121214

  20. An easy fix by davmoo · · Score: 5, Insightful

    In another reply I saw someone suggest ISPs sending automated snail mail notices to users whose machines have been owned.

    I'll go one better. Cut the fucking thing off the net until the user fixes the problem.

    I fail to see why it seems so hard to detect these things. When an ISP sees a machine go from sending out 4 or 5 emails a day to spitting out thousands of emails every hour, it should be obvious there's a problem.

    Also, close the damn mail ports off. If a customer wants to host their own email server at home, fine...but make them call in and request that the port be opened. And make it clear that if their machine gets owned, they get cut off and fined before access will be reconnected.

    And finally, spam has been a problem for years...how come the MTAs haven't been rewritten to not allow header forging, etc, in all that time? Isn't this supposed to be one of the big advantages of open source and open protocols?

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
    1. Re:An easy fix by metlin · · Score: 4, Insightful

      In another reply I saw someone suggest ISPs sending automated snail mail notices to users whose machines have been owned.

      I'll go one better. Cut the fucking thing off the net until the user fixes the problem.
      That's not really fair.

      Most users are not technically sophisticated enough to do anything, even if they were told that their computers were affected.

      Computers and the internet are far too prevalent today to simply cut somebody off because their boxes were compromised. If you must, blame the manufacturers for designing systems that can so easily be taken over by bots and viruses.

      Most people don't really care, because to them the computer is just like the TV or the microwave - a tool that lets them do something. If the tool gets messed up and causes problems because of something, they can't be held responsible because face it, they have no clue whatsoever. If you are designing a system that you think even an idiot can use, then make sure that it is idiot-proof.

      But companies want to sell $OS to your grandma, but do not want to take responsibility for what happens when things go to hell. If you are selling something to grandma, make it grandma-proof. She will open attachments, she will not have a clue about what's out there on the web -- if you are selling her a tool, make sure that it is protected against the mistakes she most likely will make.

      Somehow, in the software industry, it is considered acceptable to call the users idiots and let go. Now here's the thing -- even some of the very smart people have trouble using computers simply because it is not their thing. Not everybody can be a computer geek, and nor should they be expected to be.

      If anything, the software manufacturers should be held responsible. Stop blaming the users already, please.
    2. Re:An easy fix by pavera · · Score: 1

      I completely agree with the sentiment of your post. And, there are some ISPs who do just that. I worked for one and implemented the policy. It is easy to do, and easy to implement. The problem is this: unless all ISPs do it, it will never stick. We lost every single customer we cut off. We would disconnect their service and redirect their browser to say "You have a virus, please remove it and call us to restore your internet access".

      Well, we would always get an incredibly pissed off customer who would call, scream at us for 10-20 minutes about how they couldn't possibly have a virus or a trojan, how they run antivirus every day (my favorite was to ask "When was the last time you updated your virus software?" The usual response to that is a very confused "Oh, you have to update it?"). Invariably they would cancel their account and we'd never hear from them again. But I'm sure 2 days later they were back on the internet without fixing the virus problem.

    3. Re:An easy fix by Phroggy · · Score: 2, Informative

      I fail to see why it seems too hard to detect these things. When an ISP sees a machine go from sending out 4 or 5 emails a day to spitting out thousands of emails every hour, it should be obvious there's a problem.

      Also, close the damn mail ports off. If a customer wants to host their own email server at home, fine...but make them call in and request that the port be opened. And make it clear that if their machine gets owned, they get cut off and fined before access will be reconnected. You can't look at these as two separate issues.

      Currently, most ISPs are not monitoring what you send out on port 25. They have no technical means to do so, and acquiring that ability would be prohibitively expensive. ISPs can monitor what you send out through their SMTP relay server (most don't analyze the patterns proactively, but they can review the logs when they get a complaint) but generally botnets don't relay through the ISP's server.

      But you're absolutely right about ISPs blocking outgoing access on port 25, unless a customer requests it to be open. The difficulty here is that most customers have dynamic IP addresses, and dynamically updating a firewall to allow access to port 25 from some customers and not others is non-trivial. My recommendation would be, block access to port 25 for all customers on dynamic IPs, and by default for all static IPs, but let customers with static IPs request for access to be allowed. Users running their own Linux boxes can configure their MTA to forward everything to the ISP's relay server. Everyone who needs to relay through a corporate mail server can use port 587.

      So what's the problem with port 587? Not everyone has their mail server configured to allow it. But if ISPs start blocking port 25 and telling their customers to switch to 587 instead, I think more mail servers (that have users who need to relay from home) will start enabling port 587.

      So how does switching to port 587 help? Won't the spammers just switch to that too? At first, yes, but here's the difference: MTAs can be configured not to allow any connections to port 587 without authentication and encryption. A bot can't just pick your domain name out of a hat, look up your MX, connect to port 587, and start sending crap, if the MTA is configured to require authentication. Port 25 can't require authentication, but if bots can't connect to port 25 because it's firewalled on their end, then we're making some progress.

      This is not a change that should be made overnight; it will cause problems for a small handful of users. ISPs need to plan for this, set a date several months in advance, notify their customers of the plan and what they can do if they will be affected, and ideally coordinate with other ISPs so a whole bunch of ISPs all start blocking port 25 at the same time.

      It'll never work, of course.
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
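An added example (not code from the thread) of the detection Phroggy describes: count each customer's outbound port-25 connections per hour and flag a host whose latest hour is far above its own earlier hours, so a customer who legitimately runs a mail server is not confused with a home PC that suddenly starts spewing. The flow-record format and all addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def make_flows():
    """Build constructed flow records of the form
    '<ISO timestamp> <src_ip> <dst_ip> <dst_port>' (not real traffic)."""
    flows = []
    start = datetime(2007, 1, 10, 0, 0)
    # connections per hour for six consecutive hours, per customer host
    profile = {
        "10.1.1.5": [3, 4, 5, 3, 4, 500],              # home PC that becomes a spam bot in hour 6
        "10.1.1.9": [2, 2, 1, 3, 2, 2],                # normal home PC
        "10.1.1.20": [300, 310, 290, 305, 300, 320],   # customer running a legitimate MTA
    }
    for ip, counts in profile.items():
        for hour, n in enumerate(counts):
            for i in range(n):
                ts = start + timedelta(hours=hour, seconds=i % 3600)
                flows.append(f"{ts.isoformat()} {ip} 203.0.113.7 25")
    # one web flow from the bot host, to show that non-SMTP traffic is ignored
    flows.append(f"{start.isoformat()} 10.1.1.5 203.0.113.7 80")
    return flows

def parse_flow(line):
    """Return (timestamp, src_ip, dst_port) for one flow record."""
    ts, src, _dst, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)

def hourly_smtp_counts(flows):
    """Map src_ip -> {hour_bucket: number of outbound port-25 connections}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in flows:
        ts, src, port = parse_flow(line)
        if port != 25:
            continue
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        counts[src][bucket] += 1
    return counts

def flag_spammers(counts, factor=10, floor=100):
    """Flag hosts whose most recent hour exceeds both an absolute floor and
    `factor` times the median of their earlier hours.

    The floor stops a host going from 0 to 5 mails from being flagged; the
    per-host median keeps a steady, high-volume MTA off the list. A host with
    no earlier hours has baseline 0, so it is flagged once it passes the floor.
    Returns {src_ip: (baseline, latest_count)} for the flagged hosts."""
    flagged = {}
    for src, buckets in counts.items():
        hours = sorted(buckets)
        latest = buckets[hours[-1]]
        earlier = [buckets[h] for h in hours[:-1]]
        baseline = median(earlier) if earlier else 0
        if latest >= floor and latest > factor * baseline:
            flagged[src] = (baseline, latest)
    return flagged

if __name__ == "__main__":
    for ip, (baseline, latest) in flag_spammers(hourly_smtp_counts(make_flows())).items():
        print(f"{ip}: usual {baseline}/hour, now {latest}/hour -> suspend and notify")
```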
    4. Re:An easy fix by Vskye · · Score: 2, Interesting

      I'll go one better. Cut the fucking thing off the net until the user fixes the problem.
       
      This is exactly what we do. The rule at our company is simple. 3 strike policy, and you're out. If you send out a shitload of spam, etc we suspend the account. They then call in and bitch, we explain the situation and how they can resolve it by setting up a firewall, anti-virus software, etc. Or, refer them to a local computer tech to reinstall the OS, etc. If it happens again, strike 2. We inform them that they have one more chance to get it correct, or they are history, no service again. Unfair? Nope. Our NOC watches this crap all the time. OS of choice for this crap is always Windows btw.

      --
      Life was hell, then I discovered Linux...
    5. Re:An easy fix by Anonymous Coward · · Score: 0

      I believe it was Douglas Adams who said, the problem with making something idiot-proof is you always "misunderestimate" the idiots.

      (paraphrased and then enhanced by a term coined by GWB)

    6. Re:An easy fix by AK+Marc · · Score: 1

      That's not really fair.

      I don't blame Mary for carrying Typhoid, I just won't let her prepare food. I don't "blame" the user, but they should be kicked off the Internet until they get their computer fixed. I don't understand why you are bringing up "blame." The user is responsible for fixing their computer, regardless of who is to blame for infecting it.

    7. Re:An easy fix by toadlife · · Score: 1

      The only way to make a computer idiot proof is to make it so that new binaries cannot be loaded onto the system. Computers are not toasters.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    8. Re:An easy fix by Anonymous Coward · · Score: 0

      If you design an idiot proof computer, someone will create a better idiot.

    9. Re:An easy fix by mysticgoat · · Score: 2, Insightful

      I agree with parent.

      I also want to point out that the automotive industry went through a similar period about 35 years ago, when new cars were required to have pre-installed seat belts. It is now generally accepted that seatbelts, airbags, and less visible things like collapsing steering columns and controlled crumpling are GOOD THINGS TO HAVE IN A CAR. But at the time these were introduced, the sometimes strong argument against them was that none of these things were necessary for a well trained driver. Whatever your opinion about that, the truth of that time was that driving had become a necessary daily activity for a lot of people who had no real desire to do the training: they just wanted to get the kids to the soccer game; do the shopping; get to and from work without having to sit among the coughers and hackers in a germbox (bus)...

      Computing is at this same place now. The number of people who have to use a computer to get things done, but who have zero interest in the computers themselves, now far outnumbers the number who are willing to do any training.

      It is time to use some legal enforcement to make the network environment safe for the computing public. I think this could be done by applying existing laws regarding reckless endangerment, indiscriminate distribution of attractive nuisances, and so forth to the software industry.

      Where is Ralph Nader when we need him? Preparing to run for President again?

    10. Re:An easy fix by CodeBuster · · Score: 1

      I'll go one better. Cut the fucking thing off the net until the user fixes the problem.

      Then you will get lots of calls from irate customers complaining that their "Internet" isn't working and can't you fix it for them by pushing some magic button at your office? If you have spent any time in customer support for an ISP then you know that the level of ignorance people display concerning their PCs is astounding. In fact most people probably know more about their cars, and they don't know much about them either, than their PCs, about which they know almost nothing. If they even knew that they knew nothing then that would be something, but they don't.

      They get cut off and fined before access will be reconnected.

      Then they will go and buy service from your competitor who is only too happy to get them as a customer. As for collecting your 'fine' well, good luck. It is hard enough to get many people to pay a bill even when they do owe money, never mind a 'fine' imposed for violating the terms of service.

      how come the MTAs haven't been rewritten to not allow header forging, etc, in all that time?

      How are you going to detect if the headers have been forged? They are just text after all. The only way to tell is to run reverse DNS on the headers and cross reference with your incoming message logs and that gets very expensive, computationally that is, for each message that arrives. In addition, much of the spam these days originates from the bot networks which means that your reverse DNS lookups will match legitimate hosts on major ISPs (i.e. some poor user who has no idea that their machine has been hijacked and turned into a spam zombie). So what then? Are you going to block all of Verizon, Sprint, Nextel, etc. just to stop some spam? Subscribe to the Spamhaus block list, run server side filters such as SpamAssassin, and encourage users to run their own filters (SpamBayes) on their clients. Other than that there is not a lot that an admin can do about the spam problem without ruining e-mail service completely.

    11. Re:An easy fix by freedom_india · · Score: 1

      If you are that illiterate, then you should not be let loose on the 'net. It is for you guys there's something called AOL.
      No, I'm serious. If I don't know how to read STOP signs and road signs, I would not be given a driving license. Same way, if I don't know how to manage my system, I should be knocked off the 'net.
      Anyways AOL thrives on people like these and sends them cute bills for $129.99 every month.

      --
      "Doing what i can, with what i have." ~ Burt Gummer
    12. Re:An easy fix by repvik · · Score: 3, Insightful

      If anything, the software manufacturers should be held responsible. Stop blaming the users already, please.

      Sure, the software manufacturers have some fault in this. But ignorance from the user doesn't help.
      I would propose the following to an ISP:

      1. Firewall the infestation from the internet
      2. Give the user access to the mailserver to *download mail only*
      3. Redirect all browsing attempts to a local server that serves step-by-step guides and ready-packaged tools to remove any virus infections/malware. Put up a helpful "send us a mail if these instructions don't help" form and leave any phone no. clearly visible.
    13. Re:An easy fix by repvik · · Score: 1

      Port 25 can't require authentication, but if bots can't connect to port 25 because it's firewalled on their end, then we're making some progress.

      WTF? So how the heck does my mailserver figure out if I'm authenticated or not? SMTP authentication can be done whether or not it's on port 25, 587 or any other port.
    14. Re:An easy fix by caluml · · Score: 1
      I fail to see why it seems too hard to detect these things. When an ISP sees a machine go from sending out 4 or 5 emails a day to spitting out thousands of emails every hour, it should be obvious there's a problem.

      iptables -A FORWARD -p tcp --dport 25 -m limit --limit 5/min -j ACCEPT
      iptables -A FORWARD -p tcp --dport 25 -j REJECT
    15. Re:An easy fix by stewbacca · · Score: 1

      Cut the fucking thing off the net until the user fixes the problem

      No way. Never. It isn't the responsibility of the law-abiding citizen to cut down on criminal activity. If I want to keep my front door unlocked, that is my choice. If someone chooses to break into my house, they are the ones breaking the law, not me. More realistically, I should lock my door, but I shouldn't be required to install cameras, fencing and hire a security firm. Asking average Joe computer user to spend hours on their computer configuring it for security reasons (cough, MS Windows, cough) is unrealistic.

      This is such an aggravating direction our society is going. Why not hold the offenders liable? Why not demand easier, and more secure operating systems from Microsoft? I for one use Mac OS X with default everything for security settings and feel I've done MORE than enough to make my computer "secure enough".

    16. Re:An easy fix by stewbacca · · Score: 1

      It's posts like this that make me want to keep my Windows XP machines on and connected to the net 24/7, without virus software or firewalls. A seatbelt is easy to operate. Norton anti-virus and MS Windows are not.

    17. Re:An easy fix by Llynix · · Score: 1

      I worked in a bar for a year. We had certain customers that would cause problems and as a result were cut off and kicked out. Easy enough.

      Now can't they go to the bar down the block and cause problems there? Actually no, our bartender knew and talked to the other bartenders in town. Soon enough that person was cut off from most avenues. Word spreads quickly and a problem is a problem.

      It's just that easy. For those who cry foul there are a dozen computer stores in the area which will fix the problem for $50 or less. These people pay that for a month of internet, so why is it such a problem?

    18. Re:An easy fix by WeeBit · · Score: 1

      I'll go one better. Cut the fucking thing off the net until the user fixes the problem.

      That's not really fair.

      It is fair.

      It is fair because it is not fair for "that" computer to spread the crapware on the Internet. It is not fair for that botnet to be lying in wait to strike on a whim. The compromised computers have to be stopped somehow. We don't have laws to stop them. If we are led to assume that the user of the compromised computer has no clue their computer has been compromised, then we owe it to everyone online a next best fix. It may not be fool proof. But it sure beats the hell out of letting the crapware take over the Internet. Having ISPs stop them is the next best thing. I think it is time for a responsible user policy. But I don't think it will happen any time soon, because there is just too much crapware in the wild that can take over computers without the user's knowledge. Maybe a different solution? Mass emailing goes out on one port, which the user has to enable and the ISP has to ok. Regular emailing on another. I only use this as a suggestion because if a user has no clue about how to fix their compromised computer, then they have no reason to be connected to a port set up for mass mailing.

    19. Re:An easy fix by Anonymous Coward · · Score: 1, Insightful

      That's not really fair. It doesn't need to be fair. During an epidemic you wouldn't want the Department of Health to be fair, you'd want them to stop the disease from spreading, and if they need to isolate some of the population to prevent any further damage, then so be it. It is not fair for the victims or their families, but it is also not fair for the rest of us to remain at risk when something can actually be done about it. Just like most users are technically challenged, most people are not doctors, dentists, etc, but we know enough of the basics to care for ourselves.

      The suggested idea would actually force users to care more about security. Instead of shutting out affected users completely, I'd suggest they'd be redirected to a site providing them with information and software so they can protect themselves in the future.

      It's probably not the ISP's fault, and the user shouldn't be to blame because (s)he usually has no idea of what's going on, so when things go bad...blame Microsoft :)
    20. Re:An easy fix by 99BottlesOfBeerInMyF · · Score: 1

      The only way to make a computer idiot proof, is to make it so that new binaries cannot be loaded onto the system. Computers are not toasters.

      Toasters aren't idiot proof either and people kill themselves with them every year. That in no way excuses the fact that Windows does not have a sufficiently secure design to perform normal tasks in a normal environment in which it is likely to be placed. Believe it or not, some OS's let you run arbitrary binaries, by default, without giving those binaries access to do any useful, malicious activity.

    21. Re:An easy fix by Anonymous Coward · · Score: 0

      "That's not really fair."

      Well, WA-A-AHH! Where's your blanky and baba?

      Here is the only way to do it: this article points out the US Air Force's standard: COMPLY OR DON'T CONNECT! That is the way to be, and it should apply to every computer!

      To stay out of jail, you have to follow society's standards. To keep your children, you have to comply with child welfare standards. To drive, you need a license saying you know what the driving standards are.

      Your piece of shit botnet computer that is costing my business millions of dollars per year needs to be disconnected and burned to the ground, and you jailed, and me paid compensation for my trouble. END OF STORY!!! Comply or don't connect! Stupidity is no excuse.

      Comply or don't connect!
      Comply or don't connect!
      Comply or don't connect!

    22. Re:An easy fix by jgerry · · Score: 1

      Cut the fucking thing off the net until the user fixes the problem.

      One problem with doing this, from the ISP's standpoint, is that they are GUARANTEED to generate a phone call to tech support once the account is shut down. And it's going to be multiple calls, over several days / weeks, while the issue is worked out on the customer's end. Everything I've ever seen regarding profit margins for ISPs says that once you generate a single support incident for a customer, you've lost money on that account for the year. I don't doubt that's true. I still think they should cut the accounts off immediately, but I can understand why they might not want to do that in all cases.

    23. Re:An easy fix by toadlife · · Score: 1

      "Toasters aren't idiot proof either and people kill themselves with them every year." You're right. After writing that I thought of a person I know who stuck a butter knife in a toaster once to try and fish something out. :/

      Believe it or not, some OS's let you run arbitrary binaries, by default, without giving those binaries access to do any useful, malicious activity. So, which consumer OS does that in its default configuration? Please don't answer "OS X" or "Linux" or "*BSD", because that answer would be wrong.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    24. Re:An easy fix by 99BottlesOfBeerInMyF · · Score: 1

      So, which consumer OS does that in its default configuration?

      Who claimed any ship with it enabled by default? The consumer (desktop) OS market is monopolized. There are basically three players of any note, MS Windows, Apple OS X, and Linux distro of choice. Of these three the latter two are almost never attacked by malware, making such a system unnecessary at this time. It would be nice, and there are functional systems for both that can be added on, although they are not as polished as if they were built in defaults. At one point a MAC and signing framework were on the Mac OS X 10.5 feature set, but they have vanished from the public docs. The real problem is that only MS has a huge malware problem and hence a need for this, and MS is not exactly renowned for innovation or security or usability or creating technologies that solve their users' problems instead of allowing MS to gouge them more.

    25. Re:An easy fix by o0superficial0o · · Score: 1

      I agree with the parent completely that we need to think of generic PCs more like tools that need to be idiotproofed to some degree... but that's a battle that can't be won.

      As a side question, though, when was the last time that any of us non-"idiots" went over to our "idiot" grandma's/sister's/parent's/friend's house and helped her/him/them clean up and secure their PC?

    26. Re:An easy fix by toadlife · · Score: 1

      Things like MAC will *not* protect idiots. People want control over their computers. If you try and sell them an "appliance", they will not buy it. That's the problem.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    27. Re:An easy fix by Phroggy · · Score: 1

      Port 25 can't require authentication, but if bots can't connect to port 25 because it's firewalled on their end, then we're making some progress.

      WTF? So how the heck does my mailserver figure out if I'm authenticated or not? SMTP authentication can be done whether or not it's on port 25, 587 or any other port. Port 25 can't require authentication; you must allow connections from non-authenticated hosts on port 25, because they may be other mail servers relaying mail to you (however, without authentication, you should not accept mail they send you that isn't destined for your local system). You may accept authentication on port 25, of course, and if a user is authenticated, you can accept mail for either local delivery or relaying.

      However, port 587 does not need to accept non-authenticated connections at all, because other mail servers relaying mail to you will only use port 25, never 587. So, you can refuse anything sent to port 587 without authentication, even if it is destined for your local system.

      Clear?
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
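An added example (not code from the thread) that models the policy Phroggy lays out: on port 25 an unauthenticated peer may deliver mail only to local domains, while on port 587 nothing is accepted before a successful AUTH. The domain, credentials and commands are constructed; a real MTA would also require TLS before AUTH PLAIN, which this toy omits.

```python
import base64
import binascii
import hmac

LOCAL_DOMAINS = {"example.net"}          # constructed: domains this MTA delivers for
USERS = {"alice": "correct horse"}       # constructed credentials, plain text only for the demo

def plain_auth_blob(user, password):
    """Encode credentials the way AUTH PLAIN expects: base64('\\0user\\0password')."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

class SmtpPolicy:
    """Minimal reply logic for one connection on port 25 or 587."""

    def __init__(self, port, local_domains=LOCAL_DOMAINS, users=USERS):
        self.port = port
        self.local = local_domains
        self.users = users
        self.authenticated = False

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # AUTH is offered on both ports; on 587 it is the only way in
            return "250-mail.example.net\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 Unrecognized authentication type"
            try:
                _authzid, user, password = base64.b64decode(blob, validate=True).decode().split("\0")
            except (ValueError, binascii.Error):
                return "501 Malformed AUTH PLAIN"
            # constant-time comparison; a missing user compares against ""
            if hmac.compare_digest(self.users.get(user, ""), password):
                self.authenticated = True
                return "235 Authentication successful"
            return "535 Authentication credentials invalid"
        if verb in ("MAIL", "RCPT") and self.port == 587 and not self.authenticated:
            # Submission port: no envelope at all without authentication,
            # even for local recipients, since other MTAs never use 587
            return "530 Authentication required"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            domain = arg.rsplit("@", 1)[-1].rstrip(">")
            if domain in self.local or self.authenticated:
                return "250 OK"
            # port 25, unauthenticated, remote recipient: an open relay would say 250 here
            return "554 Relay access denied"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"

def run_session(port, commands):
    """Feed a list of client commands to one connection and collect the replies."""
    policy = SmtpPolicy(port)
    return [policy.handle(c) for c in commands]

if __name__ == "__main__":
    bot_on_25 = ["EHLO bot", "MAIL FROM:<x@example.org>", "RCPT TO:<victim@example.com>"]
    print(run_session(25, bot_on_25))
    user_on_587 = ["EHLO laptop", "AUTH PLAIN " + plain_auth_blob("alice", "correct horse"),
                   "MAIL FROM:<alice@example.net>", "RCPT TO:<friend@example.com>"]
    print(run_session(587, user_on_587))
```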
    28. Re:An easy fix by 99BottlesOfBeerInMyF · · Score: 1

      Things like MAC will *not* protect idiots. People want control over their computers. If you try and sell them an "appliance", they will not buy it. That's the problem.

      I disagree. Things like MAC in combination with a few other technologies certainly will protect "idiots" especially if by "idiots" you mean normal people who just want a tool that works. Why would you assume MAC would make a computer an appliance? It in no way removes the ability of people to do what they want, it simply adds more control.

    29. Re:An easy fix by toadlife · · Score: 1

      Well it can protect against unknown exploits, but a very substantial percentage of malware is user initiated - i.e. they download it and execute it on purpose.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    30. Re:An easy fix by 99BottlesOfBeerInMyF · · Score: 1

      Well it can protect against unknown exploits, but a very substantial percentage of malware is user initiated - i.e. they download it and execute it on purpose.

      That is part of what MAC controls are specifically designed to address. A user who intentionally downloads and runs some software does not know if it is trustworthy or what it is doing. That is the problem. Someone downloading a shareware game or utility doesn't expect it to read their list of e-mail addresses or that it will start sending huge amounts of outgoing e-mail. The fact that they don't have info on its trustworthiness, or what it is doing and that it can do these things by default if it is untrustworthy without the user being informed is the main problem.

      With a well designed MAC system a user downloads and runs some malware as usual. But when they run it the system checks several things. Was it pre-installed or user installed? Is it signed? Is it certified? Does it include an Access Control List? From this the computer determines how trustworthy it is. A pre-installed text editor like Wordpad might be given the highest level of trust, while some commercial Adobe app is trusted slightly less while some shareware is trusted even less, while some malware is given the lowest level of trust. Between the included ACL and the ACL for the trust level, the computer decides what that downloaded application can and cannot do without asking the user for more permission. This means if you download some shareware game, it will probably never run afoul of either ACL and the system will be invisible to the end user. This is even more likely once MAC is built in and on by default in an OS because developers will try to avoid triggering it and bothering the user. At the same time a malicious program downloaded probably will run afoul of an ACL because it will try to read your e-mail address book, or set up an outgoing mail server, or gain root access. Once such a system is common malware developers will also try to avoid triggering it, but this will seriously limit the capabilities of any malware they write, probably making them unprofitable.

      In a properly designed system, it should ask the user only in very rare instances unlike the current mess that is Windows dialogue box hell. People will need to allow a program to take an action if they are installing a new mail client, or installing some sort of text or image editor that also is not signed by a reputable, known company or organization. There will still be trojans, but they will all have to actually trick the user into thinking their behavior is legitimate, instead of just performing those behaviors silently in the background. This makes them much more limited and the social engineering component a whole lot harder (in addition to breaking all the current malware).

    31. Re:An easy fix by toadlife · · Score: 1

      I don't think you understand the mindset of the average user. If a user downloads "dancing bunnies.exe" (or .rpm if some other OS was dominant), and the MAC in the OS causes it to not work, then to them, the computer is not doing what it is supposed to do.

      That doesn't mean I think a well designed MAC system shouldn't be enabled by default in OSs (Microsoft is starting with Vista with MIC, but has a loooong way to go), I'm just skeptical about how effective they will be in the face of users who just *have* to see those dancing bunnies.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    32. Re:An easy fix by 99BottlesOfBeerInMyF · · Score: 1

      I don't think you understand the mindset of the average user. If a user downloads "dancing bunnies.exe" (or .rpm if some other OS was dominant), and the MAC in the OS causes it to not work, then to them, the computer is not doing what it is supposed to do.

      So here's the thing. You've been using Windows 2045 for a year or two now and you've never, ever been prompted by the OS to let any program do anything and it has all worked. You, the average user, try to run said dancing bunnies and the OS says, "This program is completely untrusted and its origin cannot be confirmed. It wants access to your e-mail address book. (Stop it from reading e-mail_address.db)(Let it read e-mail_address.db)(Always let it read e-mail_address.db)(Advanced Options)"

      What does the average user do? If they don't expect it to read their e-mail addresses they will probably stop it from so doing. If the program will not run without said access, the OS tries again, in the background invisible to the user and hands the program a dummy file full of randomly generated address info, or just within a dummy VM. Assuming this does not work, the user who really needs to see the bunnies, reruns it and allows it access to that and to set up an e-mail server. In the worst case this too fails and the user, frustrated with it not working, disables all the security and runs it again allowing it to root his machine, but this will still not show the user the bunnies. So what has happened? The most foolish user on the planet manually disabled the security and gained nothing and has learned the expensive lesson that the security is not the problem. Once their computer has been shut down by the ISP and cleaned they will know next time that disabling the security will still not let them see the bunnies.

      Such a system can still be defeated, but malware of the type you describe would not live long or spread far, especially once users become accustomed to using such a system and not getting millions of spurious false positive warnings. The way around such a system is to trick users into running a program that the user thinks is supposed to have access to the resources it will be abusing, but that is a lot harder. Not many users want to install a new e-mail program, or IRC client, so the ability for that type of trojan to spread is very limited. Further, since the OS will need to be accessing trust databases for signatures and certifications, it is easy to add a signature based malware list as well making it even harder for that type of trojan to last more than a few days.

      There will always be malware. Implementing MAC in the way I described, however, is reasonably secure enough to stop all but a tiny amount of it and is what MS should have started building in 1998 when the malware scene exploded. If they had to worry about customers moving to the competition it is exactly what someone would have created.

    33. Re:An easy fix by toadlife · · Score: 1

      I get where you're going and I agree. Unfortunately due to the state of third party software for Windows, it will probably take until "windows 2045" for the false positives to finally die down to a point where a warning prompt actually garners serious attention from the average user. :(

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    34. Re:An easy fix by 99BottlesOfBeerInMyF · · Score: 1

      I get where you're going and I agree. Unfortunately due to the state of third party software for Windows, it will probably take until "windows 2045" for the false positives to finally die down to a point where a warning prompt actually garners serious attention from the average user. :(

      One of the interesting things about the OS market is that MS's monopoly gives them huge power to make major changes. If MS had specified in Vista that all software will ship with a certificate and an ACL or it will be running in restricted sandbox with the olde fashioned WinXP looking interface and MS themselves had gone through and made certificates and ACLs for the top 5000 software packages on the market, then we'd be looking at about 3 years until most users are at the state I described. I specified 2045 because I have no confidence that MS has the capability or motivation to actually do this and fix the security problem. To them, the average customer gets their machine infected, throws it in the trash and hits it with a hammer and goes to the store to get a new one, and all their options are Windows machines, so they just pay MS again. MS loses nothing when users' machines are compromised so they won't bother fixing the problem.

  21. Open Source Virus Protection by evought · · Score: 1

    I use ClamXAV on OS X, which is based on the GPLed clamAV anti-virus engine. I have also used clamAV embedded in the Postfix mail server on Linux to scan incoming email for sites I maintained. It gets decent reviews against other packages and I have been happy with it. I use a Windows variant when I am forced to deal with XP as well. Anyway, it is completely open source and all above-board. I would not touch Symantec software with a 3.048 m pole these days.

    The reason I use AV software on OS X is not just masochism. For one, I have a rarely used XP/bootcamp install and it is safer to scan it from OS X which a Windows virus cannot easily affect. For another, I avoid unwittingly passing virii from one Windows user to another. Lastly, I am paranoid and want to stay in good habits. It is quite likely that viruses will eventually appear on OS X as it grows in popularity, even though it is not as good a host. The practice costs me nothing and may save me something in the end.

    1. Re:Open Source Virus Protection by Gareth+Williams · · Score: 4, Insightful

      I run a gnu/linux based operating system, and I don't foresee that I will ever run antivirus software on it. Yes, even if people actually start writing viruses that target it.

      I don't look at automated breaches of security as any special case. A security breach is a security breach. Crack attempts, spyware, adware, malware, viruses, trojans, blah blah... it's all the same problem: stopping unauthorised code running on your machine.

      If my mail client has a bug that allows remote code execution, the mail client is faulty and must be patched. If my browser has a bug that allows a remote site to snatch files off my local filesystem, then my browser is faulty and must be patched. If I, FSM forbid, stupidly download and run some malicious application then I am faulty and must be "patched".

      I have all non-essential services turned off, I run a firewall, I keep all my applications up to date with security patches, and I only install software from my distribution's repository.

      I don't care how much money they are making for some big security companies, these "anti-virus" applications that people are so obsessed with running on windows are just an ambulance at the bottom of the cliff.

      There is something fundamentally flawed with the idea of waiting until your security has already been breached and then trying to clean up after the fact. Once it's breached that's it, game over - reformat, reinstall O/S, and replace data with last known good backup.

      --

      --Gareth
    2. Re:Open Source Virus Protection by randomjohndoe · · Score: 1

      There is something fundamentally flawed with the idea of waiting until your security has already been breached and then trying to clean up after the fact. Once it's breached that's it, game over - reformat, reinstall O/S, and replace data with last known good backup.

      The key, then, is to know when your security has been breached. Anti virus s/w may provide that warning. What do you use? Something like tripwire?

    3. Re:Open Source Virus Protection by Anonymous Coward · · Score: 0

      I keep all my applications up to date with security patches, and I only install software from my distribution's repository

      I'm not sure what point you're trying to make with your overall post, besides a "holier than thou" statement, but the above quote explains exactly the reason people have anti-virus software. They don't do as you do.

      Most people can barely turn the computer on, let alone download security patches. On the other side, you have the people who can turn the computer on and think the computer is for entertainment only, so download every single file they can find that advertises itself as amusing (regardless of the source).

      The problems, of course, are people and education.
  22. Re:If only more ISPs added their net blocks to PBL by ampmouse · · Score: 1

    The Spamhaus PBL is bad for maintaining a decentralized Internet. It forces users to send mail through ISP relays, which is an unnecessary and insecure process. It does little to prevent spam as any good spammer will just relay through the ISP's server anyway.
    This page goes into greater detail explaining why DULs (the old name for PBLs) are bad.

  23. How's Vista doing on this? by Animats · · Score: 3, Interesting

    The big question: how many infected systems are running Vista? If there are a significant number of infected Vista systems, Microsoft blew it again. (Remember, Microsoft said that Windows 95 was going to fix security. Then Windows XP was going to fix security. Then Vista...)

    On the other hand, if Vista systems aren't being turned into zombies, we may be at the beginning of the end.

    Spammers have had to resort to more and more desperate efforts to keep spamming. In the late 1990s, spammers could just buy a big pipe and start sending. That's dead. Then there was spamming through open relays. That's essentially dead. There used to be a significant amount of "legitimate spam". That was killed by the combination of CAN-SPAM and spam filters - if it comes from a known spam source, it gets deleted, and if the sender lies about the source, they've committed a felony. China finally cracked down on "bulletproof hosting". (There are some "bulletproof hosting" outfits left, but most are gone and some of the remaining ones may be sting operations.) Zombies are about the only way left to spam in bulk. And note how few different spams there are. The number of actual spammers left isn't that large. It's small enough for law enforcement to target.

    If the zombie problem can be cracked, which ought to be possible, spamming may drop to a minor problem.

    1. Re:How's Vista doing on this? by gujo-odori · · Score: 2, Informative

      China cracked down on bullet-proof hosting? As a person who has been in the anti-spam business for over four years now, all I can say to that is:

      BAAAAAAAAAAAAAAAAAAAAAAAAAAAHAHAHAHAHAHAHAAAAAAAAA AAAAAA!!!

      Seriously, though, China remains a huge source of spam. Some may be zombies, I'm sure, but commercial spammers in China, operating on IPs with no forward or reverse DNS are very common. They've cracked down on bullet-proof hosting like they've cracked down on pirate DVDs: not really at all, just a little window dressing.

    2. Re:How's Vista doing on this? by Anonymous Coward · · Score: 0

      I don't see how Vista will be better. Or indeed any other OS for that matter. There are many ways to get spam zombies installed, and some are via security holes, e.g. in IE or in a network service that shouldn't be running by default. But others are installed by user action, either when the user installed something else, or as a result of the user being tricked into running a program. This second type will never go away, no matter how secure the OS is, and it could affect a Linux or MacOS user just as easily as a Vista noob. As they say in tech support, the problem is between the chair and the keyboard.

    3. Re:How's Vista doing on this? by 99BottlesOfBeerInMyF · · Score: 1

      But others are installed by user action, either when the user installed something else, or as a result of the user being tricked into running a program. This second type will never go away, no matter how secure the OS is, and it could affect a Linux or MacOS user just as easily as a Vista noob. As they say in tech support, the problem is between the chair and the keyboard.

      I strongly disagree with this. There will always be exploits and trojans, the point is not to make them impossible, but to make them very rare and hard to exploit. With Vista, MS has finally pulled their security almost up to the granularity of user accounts, which was too little granularity many years ago. That does not mean others cannot do better. Look at an SELinux setup. The user downloads and installs an application they think is one thing, but which is secretly some sort of malware. With Vista it can do whatever the user can do. With SELinux, it cannot even do that, but is restricted to a subset of actions, like writing only to its own files and not overwriting other programs or your personal files or connecting to the internet. In order to make this work there need to be changes to the way application designers make applications and there need to be methods put into place to enforce those restrictions (access controls), ways to determine the "trust" of applications (signing, certifications), and default settings and ACLs that make most of it invisible to a user. This all begins with rejecting the flawed design models that equate running software, with letting software do anything it wants, even if only one in ten thousand people really want to let any software they install start up an e-mail server.

  24. Re:If only more ISPs added their net blocks to PBL by bcc123 · · Score: 2, Insightful

    Absolute majority of spam now comes from desktops infected with mailing software. So no, in this case, the spammer won't simply relay through the ISP's mail servers. The reason they infect boxes in the first place is so that they can mail directly from all those IPs. The reasoning in your link is really outdated.

  25. Bullshit by Tablizer · · Score: 2, Funny

    The bot problem is way exaggerated. They are very rare even insi FREE V1AGRA WITH YOUR LOW MORTGAGE!

  26. spam for your bot by Gary+W.+Longsine · · Score: 1

    If your computer is sending me spam, it's killing me by taking away, say, one second of otherwise useful life. It's doing that millions of times a day. If we total those seconds up, you've killed several people and you're still not liable for anything.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:spam for your bot by Anonymous Coward · · Score: 0

      I want the five seconds of my life back that I spent reading your message.

  27. Re:If only more ISPs added their net blocks to PBL by jonwil · · Score: 1

    What the bots are doing is instead of directly sending spam out to the wide world from the zombie machine, they are reading the SMTP server settings from mail clients like Outlook and relaying mail through that instead (to avoid blocks on port 25 by ISPs)

  28. Bat infestation? by Joelfabulous · · Score: 2, Funny

    Was I the only one who read it as "Bat Infestations Reach Nearly 1.2M?"

    Man, are my eyes ever going fast. Stupid keratoconus.

    --
    Sometimes I wonder if I think too much.
  29. Most Secure OS? by ludw · · Score: 1

    So what about "Most Secure OS" then: http://it.slashdot.org/article.pl?sid=07/03/22/2121214

  30. And this is why we'll never solve the problem by Anonymous Coward · · Score: 0

    Because of ninnies screaming "computers are too hard to secure." No, they are easier to secure than your car and house. Just run real software. Do it or get the hell off line.

  31. In any case... by BrokenHalo · · Score: 1

    In any case, I find that figure of 1.2M a bit doubtful. Given how easy it is for the average Winbloze user to get sucked into a botnet, I would have put the figure a lot higher.

    Just two days ago, I had the unfortunate task of trying to disinfect my boss's wife's computer. I discovered that it was involved in no less than three botnets, as well as being riddled with more viruses than a ten-dollar tart. Needless to say, her AVG was out of date. It ended up being easier to wipe everything and start from scratch.

  32. OK: by BrokenHalo · · Score: 1

    Are there any actual statistics for how many of these detected bots are running on Windows?

    You could probably start by working backwards and making a few assumptions.

    How many Linux-based botnets do you know of? If there are any at all, I really want to know.

    How many OS X-based botnets do you know of? Again, if there are any at all, I really want to know.

    Oh, you were saying? OK, maybe there are a few botnets running on IBM or Cray mainframes, but it takes a lot of them to make up 1.2 million.

    1. Re:OK: by BrokenHalo · · Score: 1

      Yes, and in fact I have read those. However, at this stage they don't really tell us anything very much more profound than not to choose non-dictionary passwords, and to keep our PHP daemons (not that a desktop machine is necessarily likely to be running one) up to date with patches.

  33. First Thought... by smaddox · · Score: 1

    First thing I thought when reading the subject line:

    "Shit, Skynet finally took over."

    How dumb do I feel now...

    1. Re:First Thought... by dw604 · · Score: 1

      You'll know it when dotslash.org starts posting about human-nets...

  34. Re:If only more ISPs added their net blocks to PBL by stu42j · · Score: 1

    Actually, one of the nice things about PBL is the "Self-Service Removal Mechanism". If you are running an outgoing mail server on your pseudo-static dsl ip address, you can easily remove it from the PBL.

    Even if spammers can send spam through ISP relays, most of them don't (at least not yet). Just yesterday, 23 spams were blocked by PBL on just my personal email address. I'm sure that many people see much higher results.

  35. Re:Battle is now greylisting versus IP address spr by nuzak · · Score: 1

    Increasingly bots _are_ retrying greylists now, and pretty soon they all will. However, you still have a window to analyze what they tried to send you the first time and simply block them outright if and when they try again.

    --
    Done with slashdot, done with nerds, getting a life.
  36. Re:If only more ISPs added their net blocks to PBL by nuzak · · Score: 1

    > The Spamhaus PBL is bad for maintaining a decentralized Internet.

    Too god damned bad. Since the current SMTP-based mail architecture lacks usable end-to-end authentication, we're expected to trust any random idiot on random connections, and hey look what we got. If you want your decentralized net back, go do it on another protocol, because as far as decentralization goes, the spammers ruined this one.

    --
    Done with slashdot, done with nerds, getting a life.
  37. NO! Don't do this! by tacokill · · Score: 1

    STOP BLOCKING OUTBOUND PORTS! This is not a good solution.

    First, it's the hotels and their blocking of the outbound VPN ports (Hampton Inn/Hilton -- I am looking at you!). Anymore, it's getting to be a crapshoot as to whether I can get on my company's VPN when I'm staying at a hotel. The Hilton group is just the worst offender but I have seen it at other hotels too.

    And now, you want to close outbound port 25. So how do I send my e-mail? We use POP3.

    I ask because there are a lot of stupid people implementing these "blocking" solutions and nobody is considering that business people use these things ALL the time while on the road. You can complain about how we are "behind" by using POP3 but until you are ready to come and migrate us to something else (for free), you don't get to decide what we use and don't use. POP3 is legal, technically allowed, standardized, and works.

    (sidenote: we *can* use webmail, which helps mitigate this problem but seriously....it's a real problem for anyone who does business on the road. Who wants to open their Outlook and "guess" why you can't check your e-mail? And trust me, the people at the hotels have NO idea what is and isn't blocked so they are no help either. Same for the tech support numbers at those hotels.)

  38. These numbers are too low by at least100x by Arrogant-Bastard · · Score: 1

    My own experiments show much larger numbers: in January 2007, one such experiment revealed a confirmed 1.8M bots with another .7M probable/possible. The number of bots worldwide has been estimated by others as in the range of 100M (Evron et al. 70M; Cerf, 140M) so I very much question the methodology used here.

    I wouldn't be surprised in the least if the worldwide numbers were much higher. But there's no way they're less than ~100M.

  39. Re:NO! Don't do this! by erroneus · · Score: 1

    I mean for offenders with infected machines, not everyone at large.

  40. Re:NO! Don't do this! by rifter · · Score: 1

    And now, you want to close outbound port 25. So how do I send my e-mail? We use POP3.

    If you are using a VPN then the ports being blocked by the hotel are no longer relevant. They are blocking port usage on their network, but you are not using their network except as a conduit to your network. They cannot block port 25 on your VPN. They can block port 25 for IP traffic in and out of their network, which will not affect your VPN transactions.

  41. Re:If only more ISPs added their net blocks to PBL by neomunk · · Score: 1

    Thank you oh grand overlord for taking our decentralized network from our unworthy hands.

    Seriously, you want a CENTRALIZED network, go get one, using another protocol. One that's not chock full of features you seem to take as bugs.

  42. Re:NO! Don't do this! by tacokill · · Score: 1

    Did you read my post? Outbound VPN ports are being blocked in a LOT of hotels. Yes, it's counterintuitive -- but it's going on in the name of protecting ppl from spam. I have no idea why they are blocking VPNs in the name of spam, but trust me, they are doing it. I run into it all the time and so have others.

    Of course you can VPN and then hit your POP3 box through your own network. But what if outbound VPN port AND outbound port 25 are blocked on the hotel's network? What do you do then? Answer: nothing, you're screwed.

  43. Re:Battle is now greylisting versus IP address spr by Kevin+DeGraaf · · Score: 1

    Since all legitimate email servers will retry when they get a 400-series error, a legitimate message will go through, at a cost of a time delay.

    I think you meant "all legitimate, properly-designed email servers".

    Our incoming email is filtered by a Postfix proxy that does, among other things, greylisting. Earlier this week, I had to deal with a "sysadmin" at a remote site whose email system interpreted our SMTP 450 codes as permanent failures (WTF?!?) and bounced emails back to its clients with a message to that effect.

    A long chain of emails and phone calls later (why am I spending work time to educate someone I don't know?), he finally indicated understanding, but I put his domain into our whitelist just to be safe. :-) I'm not counting on him fixing (i.e. replacing) his retarded proprietary mail system any time soon.

    --
    We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
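
The greylisting window nuzak describes above (analyse the first attempt, refuse the sender outright on its retry) and the 450-as-permanent-failure bug Kevin DeGraaf ran into, as an added example that is not any commenter's Postfix setup. It assumes a hypothetical policy hook that hands us the client IP, envelope sender and recipient, and the Subject offered on each delivery attempt; the clock is injectable so the retry timing can be tested.

```python
"""Greylisting with a first-attempt analysis window, plus correct
client-side handling of SMTP 4xx replies.  Added example; the policy hook
that feeds check() is assumed, not part of any real MTA."""
import time
from dataclasses import dataclass

MIN_RETRY = 300            # a retry sooner than this is not a real MTA queue run
MAX_RETRY = 4 * 3600       # forget first attempts older than this
PASS_TTL = 30 * 86400      # a triplet that passed once is trusted for a month
TEMP_FAIL = "450 4.7.1 Greylisted, please try again later"
BLOCKED = "550 5.7.1 Client blocked after analysis of first attempt"
ACCEPT = "250 2.0.0 OK"


@dataclass
class Attempt:
    first_seen: float
    subject: str


class Greylister:
    def __init__(self, blocked_subjects, now=time.time):
        self.now = now                          # injectable clock for tests
        self.blocked_subjects = set(blocked_subjects)
        self.seen = {}                          # triplet -> Attempt
        self.passed = {}                        # triplet -> expiry time
        self.blocked_ips = set()

    def check(self, client_ip, sender, recipient, subject):
        now = self.now()
        key = (client_ip, sender, recipient)
        if client_ip in self.blocked_ips:
            return BLOCKED
        if self.passed.get(key, 0) > now:
            return ACCEPT
        attempt = self.seen.get(key)
        if attempt is None or now - attempt.first_seen > MAX_RETRY:
            # First contact (or a stale one): defer, and remember what the
            # client tried to send so the retry can be judged on it.
            self.seen[key] = Attempt(now, subject)
            return TEMP_FAIL
        if now - attempt.first_seen < MIN_RETRY:
            return TEMP_FAIL                    # bots that hammer immediately stay out
        # A genuine retry.  The first attempt has already been analysed,
        # so a sender that offered known-bad content is refused outright.
        del self.seen[key]
        if attempt.subject in self.blocked_subjects:
            self.blocked_ips.add(client_ip)
            return BLOCKED
        self.passed[key] = now + PASS_TTL
        return ACCEPT


def sender_action(reply):
    """What a correctly behaving sending MTA does with an SMTP reply line."""
    code = int(reply[:3])
    if 200 <= code < 300:
        return "delivered"
    if 400 <= code < 500:
        return "queue and retry"                # transient: never bounce on this
    if 500 <= code < 600:
        return "bounce"
    raise ValueError(f"not an SMTP reply: {reply!r}")
```

The remote system in the story above would have returned "bounce" for the 450 line; only a 5xx reply justifies that.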
  44. Re:If only more ISPs added their net blocks to PBL by nuzak · · Score: 1

    > Thank you oh grand overlord for taking our decentralized network from our unworthy hands.

    You're most welcome. Get far playing the oppression card, do you?

    --
    Done with slashdot, done with nerds, getting a life.
  45. End of spam? by TropicalCoder · · Score: 1

    For those of you who are hoping we are soon going to see an end to spam via the use of honey pots, gray listing, and the crackdown by SEC, I would suggest you don't get your hopes up too high. Yes - maybe spam could start dropping off, but these people aren't going to give up. These spammers are hooked on their easy money, and don't seem to be bothered by their conscience. They will just move into more evil things such as identity theft. What I wonder about the problem of bot nets - where is the leadership? Couldn't some - I don't know what - company - organization - government - whatever - start organizing an education campaign with newspaper and multimedia campaigns, speakers at PTA meetings, wherever people congregate to teach people all the things they need to know to reduce the problem? We could organize community volunteer drives, etc - you get the picture. The thing is - these bot nets represent a real evil in this world - and a national security risk. How many people with a p0wnd home machine go on to spread the infection to their offices, etc? How many of these people have sensitive data on their machines that can cause an impact far beyond that single individual? If we all worked together, we could make a huge dent in the problem - don't you think? Like for example, laws should be passed that all ISPs must do whatever minimal monitoring that is necessary to spot bot controlled machines, cut them off in the ways suggested. Why is there no highly organized effort - like a "Take Back the Net" campaign?

  46. Re:If only more ISPs added their net blocks to PBL by ampmouse · · Score: 1

    SMTP is not ruined. The PBL is a lazy solution. With a few reality checks (ex. valid HELO, plausible FROM address) using MIMEDefang, and a properly configured spamassassin, I can filter out any spam that would be rejected by the PBL. With a little work, you can too.
    Over the last month I had 3 messages (out of thousands) that managed to get past my filter, and no legitimate mail was lost. Of the three messages, one came through an ISP relay, one through a major unix mailing list, and one came through an IP not listed on any block list. The PBL would not have made a positive contribution in any of those cases.
    Really, there is nothing wrong with using the PBL. Just don't use it alone to reject connections, instead use it as part of a scoring system that includes other factors. That's what all the major (gmail, yahoo, hotmail) providers do.
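
The scoring approach in the comment above (a PBL hit as one weighted factor next to HELO and FROM sanity checks, rather than a reject on its own), as an added example; it is not ampmouse's MIMEDefang/SpamAssassin configuration. The PBL answers come from a constructed table standing in for a real DNS query, the weights and the reject threshold are assumptions, and `example.net` is the hypothetical receiving domain.

```python
"""Score an inbound SMTP connection from several weak signals instead of
rejecting on a single list hit.  Added example; weights are assumptions."""
import ipaddress
import re

# Constructed stand-in for a Spamhaus PBL lookup (a real check would query
# the reversed client address under the DNSBL zone instead of this set).
CONSTRUCTED_PBL = {"203.0.113.77", "198.51.100.20"}

WEIGHTS = {                    # assumed weights; tune against your own mail
    "pbl_listed": 3.0,         # end-user address space: a strong hint, not proof
    "helo_missing_dot": 2.0,   # HELO must be a fully qualified host name
    "helo_is_ip": 1.5,         # bare address or [address] literal as HELO
    "helo_claims_us": 2.5,     # remote host pretending to be one of ours
    "from_malformed": 2.0,
    "from_claims_us": 3.0,     # our own domain as sender on an inbound link
}
REJECT_AT = 5.0                # a PBL hit alone (3.0) is below this

_ADDR_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text.strip("[]"))
        return True
    except ValueError:
        return False


def helo_checks(helo, our_domain):
    hits = []
    if _is_ip(helo):
        hits.append("helo_is_ip")
    elif "." not in helo:
        hits.append("helo_missing_dot")
    h = helo.lower()
    if h == our_domain or h.endswith("." + our_domain):
        hits.append("helo_claims_us")
    return hits


def from_checks(mail_from, our_domain):
    hits = []
    if mail_from == "":            # null sender is legitimate for bounces
        return hits
    m = _ADDR_RE.match(mail_from)
    if not m:
        hits.append("from_malformed")
    elif m.group(1).lower() == our_domain:
        # Assumes local users submit through an authenticated port, so mail
        # arriving here "from" our own domain is forged.
        hits.append("from_claims_us")
    return hits


def score_connection(client_ip, helo, mail_from, our_domain="example.net",
                     pbl=CONSTRUCTED_PBL):
    """Return (verdict, total score, list of triggered checks)."""
    hits = []
    if client_ip in pbl:
        hits.append("pbl_listed")
    hits += helo_checks(helo, our_domain)
    hits += from_checks(mail_from, our_domain)
    total = sum(WEIGHTS[h] for h in hits)
    verdict = "reject" if total >= REJECT_AT else "accept"
    return verdict, total, hits
```

A mail server on a PBL-listed DSL address with a proper HELO and sender still passes, while a forged internal sender from an unlisted address is rejected, which is the case the PBL alone cannot catch.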

  47. Re:If only more ISPs added their net blocks to PBL by neomunk · · Score: 1

    Oppression card? That's cute. You declare that the decentralized network is dead (which is the exact opposite of the truth, decentralization is just MAYBE starting to slow down) and then say I'm screaming 'oppression'.

    What I was screaming about is the utter denial you're in about the situation, the thought that the decentralized network is dead because you said so. You're not oppressing me, in fact this is one case where attempts of oppression invariably fail. Why do they fail? Why, the nature of the decentralized network.

    That's why I told you to go get your own network, not to give me mine back. In fact, since the decentralized network is so open and versatile, you can build your (virtual) centralized network right on top of the actual decentralized one.

    In short, you're not oppressive (though your ideas would be if possible to implement) you're simply mistaken.

  48. Re:If only more ISPs added their net blocks to PBL by nuzak · · Score: 1

    > You declare that the decentralized network is dead

    I said it was basically dead for SMTP, thanks to the spammers. And I think it's more like it's moving toward federated, and yes, even balkanized, rather than centralized.

    As long as we have "smart endpoint, dumb network", we can always have a decentralized net, and believe me I consider this a good thing. But not all protocols are nor should be so fully egalitarian. Go announce your own BGP4 ASN for example and see how far you get.

    There's a lot of kooks with fiery rhetoric who rail and rant with vitriol against people who are trying to keep abuse from taking over the network -- anyone remember Dave Hayes? Anyway, you don't come off like that now ... sorry for treating you like one of them.

    --
    Done with slashdot, done with nerds, getting a life.