Slashdot Mirror


Fortune 1000 Companies Sending Spam, Phishing

An anonymous reader writes "The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks. Oracle was found to have a machine pushing out a PayPal phishing scam, and BestBuy had a system sending thousands of spams a month. The Washington Post's Security Fix blog also is tracking this story, finding stock spam being pumped from ExxonMobil and from American Electric Power, among others. Another machine at IndyMac Bank was the source of spam touting generic prescription drugs. From the story: '...an IT engineer with American Electric Power, said the stock spam came from a bot-infected computer belonging to a contractor at one of its power generator plants.'"

8 of 117 comments

  1. Re:Companies can restrict outbound port 25 connect by Sparr0 · · Score: 2, Interesting

    Why would you NOT allow outbound port 25? That's a ridiculous restriction. The office I work at has plenty of people who *GASP* check their personal email from work. When they send replies, their SPF/DomainKeys/Whatever-using ISP requires them to use the proper SMTP server. As it should be.

  2. Make them pay! by Tijaska · · Score: 2, Interesting

    If corporates host boxes that pump out spam, sue them! Their firewalls shouldn't allow emails to flow out of their networks except from one of their approved mail gateways, which should require user authentication before accepting mail, and which should apply reasonable limits like 300 emails sent per source IP address per day, except for the corporate's own spam machine (a.k.a. marketing). Corporates should be held accountable for choosing cheesy software that allows viruses to take over their boxes, and for failing to protect them with their own firewalls, to the extent that this is possible with cheesy software. Let's share the pain, and over time it will percolate back to the prime source of cheesy software.
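
An added example, not part of the comment above or of the original page: a Python sketch of the egress policy that comment describes (port 25 only from approved gateways, plus a per-source daily cap), run over constructed log data. The log format, the IP addresses, the dates and the function names are assumptions; the 300-per-day figure is the one quoted in the comment.

```python
from collections import Counter

# Assumptions for this example (not from the original page):
APPROVED_GATEWAYS = {"10.0.0.25"}   # hypothetical corporate mail gateway
DAILY_LIMIT = 300                   # per-source-IP figure quoted in the comment

# Constructed sample lines: "<date> FW <src_ip> -> <dst_ip>:<port> <action>"
FIREWALL_LOG = """\
2006-10-01 FW 10.0.0.25 -> 203.0.113.7:25 ALLOW
2006-10-01 FW 10.0.4.17 -> 198.51.100.9:25 ALLOW
2006-10-01 FW 10.0.4.17 -> 198.51.100.44:25 ALLOW
2006-10-01 FW 10.0.8.2 -> 192.0.2.80:80 ALLOW
"""

def direct_smtp_sources(log_text):
    """Internal hosts that reached port 25 without going through a gateway."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[1] != "FW":
            continue  # skip malformed lines
        src, dst = parts[2], parts[4]
        _host, _, port = dst.rpartition(":")
        if port == "25" and src not in APPROVED_GATEWAYS:
            hits[src] += 1
    return dict(hits)

def over_limit(gateway_records, limit=DAILY_LIMIT, exempt=()):
    """gateway_records: iterable of (date, src_ip), one per accepted message.
    Returns {(date, src_ip): count} for sources above the daily limit."""
    counts = Counter(r for r in gateway_records if r[1] not in exempt)
    return {key: n for key, n in counts.items() if n > limit}

# Constructed gateway data: one workstation sends 450 messages in a day,
# another sends 12; 10.0.9.9 stands in for the exempt marketing host.
GATEWAY_RECORDS = (
    [("2006-10-01", "10.0.4.17")] * 450
    + [("2006-10-01", "10.0.8.2")] * 12
    + [("2006-10-01", "10.0.9.9")] * 5000
)

if __name__ == "__main__":
    print(direct_smtp_sources(FIREWALL_LOG))
    print(over_limit(GATEWAY_RECORDS, exempt={"10.0.9.9"}))
```

An ALLOW entry for port 25 from a non-gateway source is itself the finding: it means the firewall rule the comment asks for is not in place.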

  3. Re:Big surprise by Frogbert · · Score: 4, Interesting

    This got me thinking. How many users are out there that know their computer was infected or screwed with while they were visiting a porn site, and are too afraid of getting fired (for looking at porn) to tell IT that something is wrong?

    Food for thought.

  4. Re:They have usernames/passwords, right? by Anonymous Coward · · Score: 1, Interesting

    Many email clients still default to port 25 for outbound traffic. I'd rather not have port 587 become standard as it will encourage ISPs to block it as well. Having my own mail server is a hassle sometimes, but there are a few people like me who want to connect to their own mail server. This also goes for university campuses, and public wifi spots. Obviously encrypted communication is important in these scenarios and I do run webmail and ssh for backups. I understand the reaction to automatically block port 25, but consider this. What if the machine is spamming message boards and blogs? That would be port 80. Are you going to block port 80 too? A proxy might help with this situation, but it's still food for thought. Using a proxy would involve admins securing their network. At the end of the day, these companies did not secure their systems or allowed contractors to plug in to their network. It's still their fault.

  5. Re:That's inbound. I'm talking outbound. by hedwards · · Score: 2, Interesting

    When I was in college a couple of years ago, we had a couple of computer labs. The one I am going to talk about was a mac based lab completely consisting of old world macs. What they did to limit the amount of damage that a root kit could do and make it harder for large amounts of malware to get on there was this:

    In addition to the normal security setup each computer had an additional program on it. The function of the program was to reset the contents of the computer to that of a default image every single time it was rebooted.

    While that is not at this point in history enough on its own as some things can apparently now get into the firmware and it does nothing to prevent malware getting on between boots, it does make it that much slower for any sort of spyware or spam programs to get on there as well as limiting the stay in most cases to under a day.

  6. Reminds me of when I first started my current job, by BurningFeetMan · · Score: 5, Interesting

    The PC hadn't been turned on in about 6 months. Apparently the dude who I was replacing was into Russian brides and err, certain types of ethnic pr0n, and had got the sack for various dodgy reasons 6 months prior to my instalment. Anywho, in the 6 months that this computer was unmanned, my company installed Norton across all other PCs.

    My 2nd day was interesting, when I first turned on the computer. EVERYONE who had the Norton running detected all sorts of network worms and virusiis's (:P) the second I'd booted into Win XP. I thought,
    "Oh crap, here we go. Time to clean up this mess..."
    and began a search for *.jpg. Kapow, tonnes of hairy pr0n, selected all and shift deleted.

    Next, it was time to install the company antivirus software, which was Norton. The next couple of days were spent trying to free my infected system of all sorts of goodies. I started by enabling the Norton Mail Monitor, and oh my, how funny!

    "Scanning out going mail, Scanning out go-Scanning out going mai-Scaning out g-Scan"

    The WHOLE screen filled up with Norton "scanning out going mail" boxes, like, 100's of them. This was my first job outside of the IT industry, and a big WELCOME TO THE REAL WORLD for me. So yes, what's the point of my story? Well, Russian brides are hairy. OH, and not all companies have IT departments, let alone competent IT staff who can source and cease zombie machines from operating.

  7. Maybe it's time by dreamchaser · · Score: 1, Interesting

    Maybe it's time for individuals and corporations to be held liable for what their computers spew. Got a botnet sending phishing emails from your business? Boom, big fine. Got an infected home machine sending out spam? Boom, a somewhat smaller fine.

  8. Actually, here's the complementary thought by Moraelin · · Score: 5, Interesting

    This got me thinking. How many users are out there that know their computer was infected or screwed with while they were visiting a porn site, and are too afraid of getting fired (for looking at porn) to tell IT that something is wrong?

    Food for thought.


    Actually, here's another thought for you: how many got pwned by other means, but are afraid that some "lusers are idiots" type will blame it on porn? I've only skimmed through the thread and I already see two blanket generalizations to the effect that, respectively, (A) infections come from porn surfing, and (B) the user is lying through his teeth if he's saying otherwise.

    The fact is, there are so many ways to get pwned today, it's not even funny. Email attachments, trojan programs packed as some cutesy screen saver or utility you can download, phishing-like schemes where you're sent to a page chock-full of IE exploits, warez sites (tend to be worse than porn as infection risk goes), spyware serving ads with exploits in them, or rarely a genuine site or ad provider getting pwned and helping spread exploits (don't assume that _only_ spam zombies can possibly ever get installed when security is breached), etc.

    Yes, you can say that they should have known better, but it's still not porn. And it sometimes comes with the endorsement, real or faked by a trojan who took over a friend's address book, of someone they know. E.g., every company has a wiseguy or two setting up some jokes mailing list and forwarding there anything he receives, indiscriminately, including links to other sites. And by indiscriminately, I mean here one even managed to forward a couple of business emails to that list.

    Then there are malicious insider jobs. There are cases of sheer idiocy on the part of some techie or programmer or PHB. (You can occasionally read advice even on /. to the effect of leaving a backdoor to some client's machine so you can remotely debug it, for example. Or insecure stuff left in programs just on the assumption that no one will know it's there.) Etc.
    --
    A polar bear is a cartesian bear after a coordinate transform.