Slashdot Mirror
Fortune 1000 Companies Sending Spam, Phishing
An anonymous reader writes "The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks. Oracle was found to have a machine pushing out a PayPal phishing scam, and BestBuy had a system sending thousands of spams a month. The Washington Post's Security Fix blog also is tracking this story, finding stock spam being pumped from ExxonMobile and from American Electric Power, among others. Another machine at IndyMac Bank was the source of spam touting generic prescription drugs. From the story: '...an IT engineer with American Electric Power, said the stock spam came from a bot-infected computer belonging to a contractor at one of its power generator plants.'"
Once you consider how many americans are supposedly still on dial-up it stands to reason that some portion of the zombie bot-nets will be hosted on corporate americas computers instead of in the home.
My humor is probably your flamebait
Yeah, home users aren't the whole problem.
But why aren't these companies correctly firewalled? Why do they allow machines other than their email servers to make outbound port 25 connections?
Why aren't their logs monitored? Wouldn't this be easy to spot?
Even with the resources of the biggest companies, their people cannot keep their machines clean or even stop them from sending spam. Who knows what else. A spam zombie can just as easily log network traffic, passwords and anything else on their wires.
Port 25 is usually for server to server SMTP transmissions.
If you're an end user, you should have a username/password and be using port 465 or 587 (or whatever your email admin setup).
That is why companies should block outgoing port 25 connections from everything except there own mail servers.
Isn't it a lot more likely that their Windows boxe(s|n) just got zombified?
You're probably right; spammers are among the most aggressive attackers and most of the F1000 have large distributed networks where a (hopefully) small number of systems are going to be vulnerable at any moment. On the other hand, these companies can and do pay for high quality and high capacity pipes. They are also far less suspect as a source of spam, and the ISPs will certainly be reluctant ($$) to take unilateral action to deal with suspect traffic (as some do with their residential customers.)
For all of these reasons F1000 hosts are many times more effective as spam zombies than your average asymmetric DSL host, so I have no problem with people exposing carelessness or neglect among these companies. They have the resources and talent to prevent this sort of abuse. If they're not, a little bad press might help. Earlier today we all learned that some 40+ million credit/debit card accounts got downloaded from commercial IT systems. I wouldn't be surprised to learn that those same companies have a long history of unwittingly contributing bandwidth to spammers.
Lurking at the bottom of the gravity well, getting old
I seriously hope you are being sarcastic. If I ran across a firewall admin on any corporate network allowing outbound 25 from anything but the corporate email servers I would suggest canning their asses in a heartbeat. It is just stupid on so many levels. First of all checking personal email from work should be on the top 10 things of "you aren't allowed to use the corporate network for this", beyond that, outbound 25 has precious little to do with that anyways, unless they are running an email server on the corporate network in which case that should be #0 on the list since #1 assumes that your employees aren't stupid enough to use your corporate resources to run personal servers, either way a good firing would fix that in a hurry. Honestly, since most corporate networks these days are using exchange boxes, they shouldn't even really be allowing outbound 25 from ANYTHING on the internal network. A good admin will have a secured relay be it part of the firewall or a sun box or something other than allowing the win/exchange boxes from talking directly to the net.
You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases. The enterprise network exists for the sole benefit of the enterprise. Personal email, instant messages, myspace, what the hell ever, has a risk that FAR outweighs any potential benefit. If your employees can't leave their email/myspace/im friends for 8hrs a day you should probably find employees who can. There is plenty of websurfing around that doesn't involve grotesque breeches of security to keep people entertained while they are being productive. If the company is paying you so little that you can't afford your own internet access you should probably find a new job.
The only change I can believe in is what I find in my couch cushions.
You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases.
That's a classic example of IT narrowmindedness. If the employees no longer care, no technical measures will secure your data. Security is everybody's business, not just yours. People will naturally protect that which they care about. No morale = no security.
As you seem to be from the school of "a good firing will fix anything". Hopefully for your own sake your boss wises up and uses a 'good firing' to adjust your attitude, because I doubt anything else will penetrate that skull.
The problem is, that the whole story is two sided.
It's very hard to maintain an open attitude when working in IT. Especially when you're doing Internal IT only (i mostly work for our customers, and do our internal IT as a side job).
People fuck up, and are afraid of the consequences when they fucked up - thus they will try to find something else to blame.
IT People fuck up too, and are afraid of the consequences when they fucked up - thus they try to find someone else to blame.
The consequences are that Users and IT People don't trust each other. And this is bad, very bad.
IT is something to make your users more productive, and help them to get their work done faster. A restrictive policy usually won't help you with that. My company has a very open IT policy - and i think it helps with both morale and problem resolution.
We even allow our employees to plug their own laptops into the company network. Yes, it's risky. But the problems incurred and benefits reaped are a better than properly securing this (e.G. buying 802.1x switches and segmenting clients into VLANs according to their identification).
Remember - IT is an internal service to make the company work better. IT is not an end, it's a means to achieve an end faster. You as an IT guy should think about "how do we get our employees to be more productive" and not "how do we restrict them as much as possible so that i can sit around and read dilbert all day long".
IT narrowmindedness? Sure, whatever, I am so sick of users justifying the most insane bullshit on the network and then crying about the IT department being enforcing such harsh restrictions. Go buy your own internet access and expose your home network to whatever you want, not mine. Then on top of this its the IT departments fault when the secretary has installed 18 random mouse cursors and other malware crap and her computer runs like shit. While doing contract work I almost watched a woman get fired on the spot for that crap because they kept having to call my company in and send me out to bill them for something like $70/hr to come and fix this womans PC. Finally the boss asked me what it was and I told him she has all this garbage installed and every time I remove it she puts it back on and then I have to come back out and fix it. So...she was costing her company hundreds of dollars in support because she just HAD to have the puppy theme for IE and all the puppy cursors.
Further, since I have frequently worked on secure networks, if I catch you doing something stupid you are likely to get reprimanded and depending on the level of stupid fired, if higher up the chain catches you, or something bad happens due to your nonsense...you are looking at fired or jail. So in fact when dealing with sensitive networks that is the method because it isn't fun and games, its business, and the corporate network doesn't exist for your amusement. There is plenty you can do to kill time with a solid network with good policy, that doesn't involve installing a bunch of BS, or allowing IM/Email/etc. Unless you haven't been watching the news, data exfiltration is a major issue, and most problems are inside jobs.
I seriously don't understand this IT narrowmindedness crap that keeps coming up. Users expect their IT department to protect them. They follow the logic of "if I can do it then I must be allowed to do it and it must be ok" A good IT department lays down solid policy and enforces it. Security is everyones business, but its the IT departments job. You can bet your ass the first time something goes wrong the IT department is going to be answering alot of questions about "why didn't you have something in place to prevent this".
Exposing your network to user stupidity has nothing to do with morale. People cry this morale bullshit when trying to justify poor policy or poor behavior when its just a failure to do their job or take security seriously. We have had IPTV on the network for ages, you can watch any number of TV channels fed through the network. Live TV, and not sucking down precious internet bandwidth. But people will still bitch and moan about wanting streaming media so they can watch whatever stupid clips they find on myspace that have driveby malware installs and other such exploits and then when a good admin blocks myspace people like you will cry about how aweful and draconian it is to protect your network from threats when the users want to expose millions of dollars of equipment to risk.
I invite you to go deal with a melissa "virus" type cleanup, not even really a virus, user must interact with it and it still spread like wildfire and caused millions in damages on just the few networks I supported at the time. (In fact almost watched a guy get fired on that one too for causing the loss of 2GB of marketing images). Even better, go deal with a real virus that can spread on its own because some dumb bastard clicked on cool_mp3.scr from his webmail that he shouldn't have been using. A real outbreak costs an insane amount to contain and most of the time it could have been prevented by good policy and enforcing that policy.
My responsibility is to the security of the network, not the whim of the user.
The only change I can believe in is what I find in my couch cushions.