Slashdot Mirror


Bot Infestations Reach Nearly 1.2M

mengel writes "According to the folks at SecurityFocus the number of bot-infested systems has surged to nearly 1.2 million. This after a big drop in December when lots of people replaced/upgraded systems. Time to upgrade your spam filtering software, the onslaught is coming."

12 of 194 comments

  1. But my spam is way down from the Dec/Jan peak by gvc · · Score: 2, Interesting

    Perhaps the big SEC bust actually had some effect. My personal harvest of spam has dropped recently from 1000/day to 500/day.

  2. Re:Tweaking liability laws by mrbcs · · Score: 5, Interesting

    I work for a small ISP and that's exactly what we do. You get two strikes. First is a warning to clean up your machine and put on antivirus software. Next time, we kick you off the network and terminate your account. Problem totally solved. We've had two people get the first warning. None kicked yet.

    --
    I'm not anti-social, I'm anti-idiot.
  3. Re:Tweaking liability laws by freedom_india · · Score: 3, Interesting

    ...and get sued for millions of dollars for hosting "Shakira"?? No thanks.
    RIAA/MPAA do not have any idea of technology. They would rather sue you (unwitting hosed guy) rather than sic the Secret Service on bot writers.
    Good luck trying to explain child porn to a jury by stating that your XP was compromised....

    --
    "Doing what i can, with what i have." ~ Burt Gummer
  4. Re:Computer bots by winkydink · · Score: 2, Interesting

    Not true. Most modern bots are designed to stay under the radar. A zombie PC is worth money and it makes sense to keep control of it as long as possible. So most newer malware uses system resources sparingly.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  5. Battle is now greylisting versus IP address spread by RonBurk · · Score: 3, Interesting

    IMO, the real battle here is caused by greylisting. Greylisting plus a honeypot database of fake email addresses is clearly the most effective, automatic, general-purpose anti-spam mechanism to come along. Spammers are starting to feel the pinch (even though lots of people are still struggling with old-fashioned "filtering" mechanisms, and are still easy and fun targets).

    The spammers who are starting to take on greylisting are doing so by two main mechanisms: massive distribution across IP address space, and direct use of infected PC MTAs.

    The IP address spread is fairly simple to understand. If you have 100,000 zombie PCs with 100,000 IP addresses, then clearly you can send 100,000 pieces of spam without ever using the same IP address twice. That makes the honeypot database of greylisting useless, since I rely on waiting to see a given IP address send email to a known "bogus" email address to correctly identify that IP address as a spammer (in the short term, at least).

    The direct use of infected PC MTAs is more difficult. If the zombie PC can programmatically use the unsuspecting owner's own ISP MTA to send the spam, then it becomes very difficult to distinguish that spam from real mail sent from a real person (just as botnet click fraud is very difficult for Google to do anything about without also discounting some "real" clicks).

    To respond to the massive distributed IP address spammer, I think a drastic increase in bogus email addresses would help, so that they have to transmit to 10 or 100 times more addresses in order to hope to reach the same # of real people. It's easier for website owners to create more bogus email addresses than it is for the spammers to infect more PCs. You basically always "drop" mail sent to a bogus address so that the spammer is convinced it went through and is getting to a "real" person (and probably even sells that address to other spammers as "verified").

    That would push the spammers squarely into focussing on using the infected owner's own ISP's MTA for transmission, giving those ISPs an ever-increasing workload of bogus mail to send. Sorry, but that's where this war is headed anyway: to the point where ISPs will start charging customers to disinfect their PCs once they've been identified as botnet spam transmitters.

    I'm going to start slowly increasing my spamming of spammer address databases today (e.g., by injecting more hidden text email addresses onto websites). Note that this is not a "solution" to spam (so please don't post that cute little form :-). This is just an effort to push the problem where I think it's going to end up eventually anyway: on the backs of ISPs that have not yet come to view infected customer PCs as "their" problem yet.

  6. Re:Tweaking liability laws by Anonymous Coward · · Score: 2, Interesting

    so the onus should be on the manufacturer.
    Ah, your sig [Do it yourself, 'cause no one else will do it yourself.] conflicts with your argument. :-)
  7. Re:Battle is now greylisting versus IP address spr by Anonymous Coward · · Score: 5, Interesting

    The IP address spread is fairly simple to understand. If you have 100,000 zombie PCs with 100,000 IP addresses, then clearly you can send 100,000 pieces of spam without ever using the same IP address twice. That makes the honeypot database of greylisting useless, since I rely on waiting to see a given IP address send email to a known "bogus" email address to correctly identify that IP address as a spammer (in the short term, at least).

    That isn't greylisting at all (though it is useful against spam).

    Greylisting is giving a "new" incoming SMTP connection a 400-series error message the first time they try to send email to you. A 400-series error means a temporary problem - please try again. When they try a second time they try to send email, you accept.

    Since all legitimate email servers will retry when they get a 400-series error, a legitimate message will go through, at a cost of a time delay.

    However, most spammers don't bother retrying (although some do), so you can block a lot of spam with greylisting, with very little bandwidth or CPU cost.
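    As an added illustration (not code from the thread or from any poster) of how the two mechanisms in comments 5 and 7 fit together, here is a toy receive-side filter: greylisting keyed on the conventional (client IP, envelope sender, recipient) triplet, which answers 451 to a never-seen triplet and accepts the retry once a delay has elapsed, plus a honeypot trap that silently "accepts" and discards mail to constructed bogus addresses and then rejects further mail from that client IP for a while. The delay, the block duration and the trap addresses are assumed values chosen for the example.

```python
"""Toy greylisting plus honeypot-address trap (added example, not from the thread)."""
from dataclasses import dataclass, field

GREYLIST_DELAY = 300        # seconds a sender must wait before its retry is accepted (assumed)
TRAP_BLOCK_SECONDS = 86400  # how long an IP that mailed a trap address stays listed (assumed)

# Constructed bogus addresses: never given to a real person, only published where
# harvesters scrape them, so any delivery attempt to them comes from a spam list.
TRAP_ADDRESSES = frozenset({"nobody-here@example.test", "webmaster-old@example.test"})


@dataclass
class GreylistFilter:
    delay: float = GREYLIST_DELAY
    trap_block: float = TRAP_BLOCK_SECONDS
    trap_addresses: frozenset = TRAP_ADDRESSES
    pending: dict = field(default_factory=dict)     # triplet -> time first seen
    known_good: set = field(default_factory=set)    # triplets that completed a retry
    trap_hits: dict = field(default_factory=dict)   # client IP -> time it hit a trap

    def decide(self, ip: str, sender: str, rcpt: str, now: float):
        """Decide one RCPT TO attempt. Returns (smtp_code, action)."""
        # Honeypot check first: answer 250 so the sender believes the address is
        # live, but discard the message and remember the client IP.
        if rcpt in self.trap_addresses:
            self.trap_hits[ip] = now
            return 250, "drop"
        # An IP seen mailing a trap address recently is rejected outright
        # (short-term listing, as comment 5 notes).
        hit = self.trap_hits.get(ip)
        if hit is not None and now - hit < self.trap_block:
            return 550, "reject"
        triplet = (ip, sender, rcpt)
        if triplet in self.known_good:
            return 250, "accept"
        first = self.pending.get(triplet)
        if first is None:
            # Never seen: temporary failure. A real MTA queues and retries;
            # fire-and-forget bots usually do not.
            self.pending[triplet] = now
            return 451, "tempfail"
        if now - first < self.delay:
            # Retried too soon; keep tempfailing until the delay has passed.
            return 451, "tempfail"
        del self.pending[triplet]
        self.known_good.add(triplet)
        return 250, "accept"


def simulate():
    """Run a constructed sequence of delivery attempts and return the decisions."""
    f = GreylistFilter()
    t0 = 1_000_000.0
    log = []
    # Legitimate MTA: first attempt is tempfailed, retry ten minutes later is accepted,
    # and a later message for the same triplet goes straight through.
    log.append(f.decide("198.51.100.10", "alice@example.org", "bob@example.test", t0))
    log.append(f.decide("198.51.100.10", "alice@example.org", "bob@example.test", t0 + 600))
    log.append(f.decide("198.51.100.10", "alice@example.org", "bob@example.test", t0 + 700))
    # Fire-and-forget zombie: one attempt, never retries, so the mail is never delivered.
    log.append(f.decide("203.0.113.5", "x@spam.test", "bob@example.test", t0))
    # Zombie working from a harvested list hits a trap address: "accepted" and dropped,
    # and its next attempt at a real address is rejected.
    log.append(f.decide("203.0.113.6", "y@spam.test", "nobody-here@example.test", t0))
    log.append(f.decide("203.0.113.6", "y@spam.test", "bob@example.test", t0 + 5))
    return log


if __name__ == "__main__":
    for code, action in simulate():
        print(code, action)
```

    The two defences cover different cases: greylisting costs the legitimate sender only a retry delay and stops bots that never retry, while the trap addresses catch bots that do retry but are feeding from a scraped list. Neither helps against the case comment 5 calls harder, spam relayed through the infected owner's own ISP MTA, since that MTA retries like any other and is never on a scraped list.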

  8. Re:Tweaking liability laws by penix1 · · Score: 4, Interesting

    Although it gives you a "warm fuzzy feeling"(TM) that your company isn't contributing to the bot problem, too many kicks and you soon have no customers. All that you are doing is forcing that customer to go to an ISP that won't give them the boot. It does nothing to actually solve the problem.

    An alternative would be instead of cutting them off completely, offer them an antivirus solution. Although I hate them, this is what companies like AOL and NetZero are doing.

    B.

    --
    This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  9. How's Vista doing on this? by Animats · · Score: 3, Interesting

    The big question: how many infected systems are running Vista? If there are a significant number of infected Vista systems, Microsoft blew it again. (Remember, Microsoft said that Windows 95 was going to fix security. Then Windows XP was going to fix security. Then Vista...)

    On the other hand, if Vista systems aren't being turned into zombies, we may be at the beginning of the end.

    Spammers have had to resort to more and more desperate efforts to keep spamming. In the late 1990s, spammers could just buy a big pipe and start sending. That's dead. Then there was spamming through open relays. That's essentially dead. There used to be a significant amount of "legitimate spam". That was killed by the combination of CAN-SPAM and spam filters - if it comes from a known spam source, it gets deleted, and if the sender lies about the source, they've committed a felony. China finally cracked down on "bulletproof hosting". (There are some "bulletproof hosting" outfits left, but most are gone and some of the remaining ones may be sting operations.) Zombies are about the only way left to spam in bulk. And note how few different spams there are. The number of actual spammers left isn't that large. It's small enough for law enforcement to target.

    If the zombie problem can be cracked, which ought to be possible, spamming may drop to a minor problem.

  10. Re:An easy fix by Vskye · · Score: 2, Interesting

    I'll go one better. Cut the fucking thing off the net until the user fixes the problem.
     
    This is exactly what we do. The rule at our company is simple. 3 strike policy, and you're out. If you send out a shitload of spam, etc we suspend the account. They then call in and bitch, we explain the situation and how they can resolve it by setting up a firewall, anti-virus software, etc. Or, refer them to a local computer tech to reinstall the OS, etc. If it happens again, strike 2. We inform them that they have one more chance to get it correct, or they are history... no service again. Unfair? Nope. Our NOC watches this crap all the time. OS of choice for this crap is always Windows btw.

    --
    Life was hell, then I discovered Linux...
  11. Re:Tweaking liability laws by erroneus · · Score: 3, Interesting

    A better solution would be to simply restrict their outgoing port access rather than to kick them. If they are on dialup, you just set up a dialup pool just for that (set of) logins that does not allow port 25 to go out.

    All over Japan, I have found, they are blocking outgoing port 25 and it's annoying as hell but I understand why they do it.

  12. Re:Tweaking liability laws by rbochan · · Score: 3, Interesting

    ...too many kicks and you soon have no customers...

    To be honest with you, I _would_ use that ISP versus one that doesn't dump the garbage traffic. I consider that a damn nice feature.

    --
    ...Rob
    The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.