Slashdot Mirror


Most Spam Comes From Just Six Botnets

Ezhenito noted some research pointing out the (maybe) surprising bit of research that 6 botnets are responsible for 85 percent of the world's spam. That seems a bit high to me, but the only aspect of spam I am an expert in is *getting* it.

64 of 268 comments

  1. Who needs 6? by elrous0 · · Score: 5, Funny

    Bet I could connect any one of these bots to Kevin Bacon in 3 or less.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Who needs 6? by Anonymous Coward · · Score: 2, Funny

      It only takes one. I can't count the number of times I've received spam that tries to get me to "3nl4rge my K3v1n B4c0n".

  2. Distributed projects by sakdoctor · · Score: 4, Funny

    Srizbi is the largest contributor at 39%
    I believe this figure could be much larger if the Trojan.Srizbi client was ported to Mac and Linux.
    Anyone know what licence it's distributed under?

    1. Re:Distributed projects by d3m0nCr4t · · Score: 3, Funny

      Webmaster404, meet sarcasm and irony.

    2. Re:Distributed projects by cleatsupkeep · · Score: 3, Funny

      404 Error: Sarcasm, Irony: Not Found

      Hmm, well that explains a lot.

  3. Re:Hmm by Anonymous Coward · · Score: 5, Funny

    Is there a way to block these specific botnets!? Yes. Unplug your computer. Or require every person who is stupid enough to run porn.exe that they found on some website to immediately jump off a cliff carrying their computer with them.

  4. Re:Hmm by unimatrixzer0 · · Score: 3, Funny

    Yes there is. We must activate Skynet to put an end to this Botnet/spam/virus that is spreading to our computers. Only then will we be rid of these Bots.

    --
    unimatrixzer0

  5. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  6. Re:Hmm by Himring · · Score: 3, Funny

    Hi,

    microsoft is fixing spam just like they fixed viruses.

    ty

    --
    "All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill

  7. Since ISPs Love Filtering So Much... by blcamp · · Score: 4, Insightful

    Why can't they focus their efforts and resources on shaping traffic to block this kind of nonsense, rather than Torrents?

    --
    The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
    1. Re:Since ISPs Love Filtering So Much... by AltGrendel · · Score: 2, Insightful

      1) There are "fewer" people using torrents than using email.

      2) Email users include businesses that probably include a draconian SLA on the ISPs part and they don't want to mess with that.

      3) And as always, it affects Profit!!!

      --
      The simple truth is that interstellar distances will not fit into the human imagination

      - Douglas Adams

    2. Re:Since ISPs Love Filtering So Much... by Von+Helmet · · Score: 5, Insightful

      Spam affects the little guy. Torrents affect (apparently) the big guy.

    3. Re:Since ISPs Love Filtering So Much... by gmuslera · · Score: 2, Informative

      Torrents/p2p use their own ports and protocols, and there you just target client machines. You can easily (?) filter them. Much different is something that is just mail, and there you get it from your mail server, whatever it is, whatever measure it is taking. And one of the most used techniques to reduce spam (greylisting) is specifically targeted by Srizbi (the bot responsible, back when this was published almost 3 weeks ago, for 39% of the spam), so it doesn't stop this particular botnet.

  8. Most Spam Comes from just Six Bots, not Botnets by Aaron+Isotton · · Score: 5, Informative

    What TFA says is that most Spam comes from the following six types of Bot:

    Srizbi: 39%
    Rustock: 20%
    Mega-D: 11%
    Hacktool.Spammer: 7%
    Pushdo: 6%
    Storm: 2%
    Other: 15%

    This doesn't necessarily mean that most spam comes from six botnets. Some of the bots could be used by multiple bot masters; OTOH some botmasters could control multiple botnets using different bots.

    Something else I just thought of:

    The botmasters are going to use the best bot available, i.e. the one enabling them to send most spam at the least cost. On the other hand, the "good guys" are fighting spam (and the bots). So whenever a certain bot starts taking over (currently Srizbi) all the good guys will focus on that one and try to shut it down. So the bot decreases in value and another, better bot will take over. Evolution at its best.

    The Antivirus companies which are trying to fight the malware are also trying their best. The big difference is that while the success of a spambot can be easily measured by the customer (i.e. the botmaster), the success of an AV product is much harder to estimate. Also, the typical AV customer doesn't have the ability/time to find out which AV product is best for him. Moreover, AV products are some sort of subscription service (you buy the package and get 1 year of updates) which makes it hard to switch products. Often AV products are bundled with computers, selected by business principles and not by technical superiority.

    In other words, the evolution process of malware is far superior to the one of AV products.

    1. Re:Most Spam Comes from just Six Bots, not Botnets by Aaron+Isotton · · Score: 2, Insightful

      (Same post as before, formatted properly)

      Come on. The software bundles are *always* ludicrous. They typically include:

      - A crappy "Home User"-Antivirus with huge splash screens and big colorful dialog boxes pissing you off a few times a day.
      - A crappy toolbar for your browser (often Yahoo or Google, sometimes worse)
      - Some "software update center" which is usually far worse than even Windows Update
      - A CD Recording application which is ALWAYS crap.
      - A software firewall yelling "OMG PACKET" every time someone sends an UDP broadcast on your network.
      - A few "click here to sign up" icons of various services no one has ever heard of (or wants).
      - Half a dozen media players fighting for world domination (and stealing file extensions from each other all the time).

    2. Re:Most Spam Comes from just Six Bots, not Botnets by Anonymous Coward · · Score: 5, Insightful

      Tinfoil hat much Mr. 404? An AV product can't block every threat BECAUSE Windows is closed source? That makes no sense.

      The reason that they can't block every threat is that they are still signature based and have not completed the move to behavior based blocking and heuristics. The other problem - the main one - that you don't even mention is users. If someone bothered to write a 'SomeFamousPersonNaked.exe' for other OS'es - stupid users would still run it. (I do note that in today's world, the average Linux user is brighter about these things than their Windows counterparts - mostly because Linux is still in that niche role where it is dominated by computer savvy folks at least for now).

      But, give that same Windows user who is stupid enough to run that EXE an Ubuntu machine and send him a version that runs on Linux AND HE WILL STILL CLICK IT. Switching OS'es doesn't make a dork not a dork. Doesn't even really matter whether the user is an admin or not on Windows or Linux - just sending mail doesn't require it and now that Vista is actually usable by many people as a standard user the malware writers will adapt and not try to own the whole machine right away.

      I can see how this will be a problem for Linux users in the future if the user base continues to grow into that "stupid user" segment - at which point folks will be more than happy to write bot software for those users to run.

    3. Re:Most Spam Comes from just Six Bots, not Botnets by rucs_hack · · Score: 4, Insightful

      how marvelously uninformed..

      There are no major spam bots for linux because linux just doesn't have that all important desktop install base. However infected linux servers are frequently used to admin botnets. Badly configured linux servers are like treasure to the botnet guys..

      Microsoft don't have more bots and virii in windows because their stuff is closed source, they have it because the underlying security model of windows is, and always has been, pretty poor. For years, normal users have run windows boxes in admin mode by default. This is INSANE!!, and yet it persists.
      Adding UAC hasn't helped. It was implemented so badly that people just click through the new dialogs without reading the warnings most of the time. This wouldn't happen if it didn't question almost everything you do.

      The Sony rootkit couldn't be detected because of a flaw in Windows that allowed it to hide even from most AV products.

      Most AV companies don't 'take bribes' to keep bots going, they just aren't very good these days. The way virii are fought on the desktop needs to change, and that change is very slow in coming.

    4. Re:Most Spam Comes from just Six Bots, not Botnets by Ash+Vince · · Score: 2, Informative

      Adding UAC hasn't helped. It was implemented so badly that people just click through the new dialogs without reading the warnings most of the time.

      No, what most people do is turn it off completely. They do this because it annoys them while they are setting up their machine and they do not understand its value.

      When I first configure a Linux machine, constantly having to enter the root password annoys me too. My solution is to just log in as root, do all the setup needed, then log in as a regular user. I have just been informed by a colleague that Vista's implementation of UAC doesn't really allow this. If this is the case it is a bit of a design flaw.

      --
      I don't read /. to RTFA, I read /. to offend people in ignorance.

    5. Re:Most Spam Comes from just Six Bots, not Botnets by xZgf6xHx2uhoAj9D · · Score: 4, Informative

      What does the underlying security model have anything to do with idiots running Windows as administrator?

      Everything. People run as administrator because they have to.

      How is your "poor Windows security model" different than someone running Linux as root?

      It's different in that a user does not have to run as root in Linux to get useful work done.

      Ever tried to debug as an unprivileged user on W2K? Ever tried to install software? Just what is the Windows equivalent of sudo that ships standard with Windows XP?

      Windows is secure once you spend 1 minute creating a non administrator account.

      Let me correct that for you: Windows won't let you do anything of substance once you're running as non-administrator. That is the problem.

      Disclaimer: this situation has changed somewhat in recent years. However, considering the number of Windows users still running W2K or Windows XP (and for good reason), it's still concerning.

    6. Re:Most Spam Comes from just Six Bots, not Botnets by jimicus · · Score: 4, Informative

      I've just spent the last week wrestling with Vista's implementation of UAC, and I agree with what you've been told.

      For better or for worse, I administer a bunch of desktops and my current build process consists of a number of automated installations (most software installations can have all the mindless "click next next next" automated away fairly easily). I am at an awkward point where I have enough machines to want to automate the process, but not enough that I can easily just buy 100 identical systems and ghost the lot. And before you ask, I don't run Active Directory so rollout through group policy is out of the question.

      It looks like this process will require substantial redesigning for Vista, as there doesn't seem to be an easy programmatic way to say "do everything below this point without bothering me through UAC". Neither is there an easy programmatic way to disable UAC altogether, even on a temporary basis. (Yes, I know about the registry setting from the command line. But that needs to run from an elevated command line which, guess what, you can't set up without interaction).

      The way UAC works is that normal users still can't do a bunch of things. This doesn't change; they probably won't ever see a UAC prompt. Administrators can do everything they're used to, but by default if they want to do anything administrative, UAC steps in and says "Cancel or allow?".

      I can understand from Microsoft's perspective that it's somewhat pointless to create such a system and then create an easy method to work around it, but I can't believe that in the whole corporation there aren't a few people with the brains between their two ears to realise that it's a very inelegant solution which adds hassle without really solving the problem.

    7. Re:Most Spam Comes from just Six Bots, not Botnets by dc29A · · Score: 4, Informative

      Everything. People run as administrator because they have to.

      Since when?

      On my non administrator account I run the following programs (Windows XP):
      - World of Warcraft.
      - A few other games I play once every blue moon.
      - Music player, video player, encoders, editing software.
      - Office.
      - VPN client for my job.
      - Firefox with Flash, Java, AdBlock and NoScript.
      - Azureus.
      - Thunderbird.

      I need administrator to run these:
      - Windows update (Duh!).
      - Various software updates (Duh!).

      How is that different from a typical Linux usage? I still need root access (via sudo or root) to update my OS and installed programs. So where is this "Windows won't let you do anything of substance once you're running as non-administrator." problem? I can play video games, do video editing, listen to music, surf the web, use office and work from home via VPN and all that without being logged in as administrator. Where is the problem?

      I am perfectly aware that there are a few programs that have trouble running as non administrator most notably CD burning/ripping stuff. You can always run them "Run as administrator" or find one that works fine. Mind you, I never bothered finding one that works well, just picked up one from Sourceforge and run it as root.

      The whole Windows security "issue" is strictly educational. The underlying OS has a very solid security framework that IMHO is better than Linux because it's more granular.

    8. Re:Most Spam Comes from just Six Bots, not Botnets by Jeppe+Salvesen · · Score: 2, Informative

      Whoa.

      Linux is indeed more secure because of the higher eyeball count that comes with open source software. However, if you really want security then make sure to use older versions with backports for security fixes. Programmers introduce security flaws all the time. We fail constantly, and our failures are made right later on - in open source.

      Even the absolutely best AV product possible cannot block every threat because that problem is currently NP complete, to the best of my understanding. Such a product would not be able to block every threat on Linux or OSX either.

      The Sony rootkit worked because of incompetence in both Redmond and in the AV industry. However, most people would have clicked through the "install application" screen by habit anyhow.

      Microsoft should indeed make a service like the one that is integrated into the iPhone SDK: Only allow signed binaries. Average Joe cannot be expected to figure out what software is secure. Asking him for confirmation of whether he would like to install a piece of software is very much a flawed approach. Us techies mostly know how to protect ourselves. But those root kits run on Average Joe's computer, and until we can prevent him from installing that piece of malware and until he is forced to upgrade his system software and until all his applications are automatically upgraded with the latest security fixes - then we'll have these botnets.

      --

      Stop the brainwash

    9. Re:Most Spam Comes from just Six Bots, not Botnets by RulerOf · · Score: 2, Interesting

      Just what is the Windows equivalent of sudo that ships standard with Windows XP?
      I doubt that a Windows equivalent to sudo would ever come about, not because it isn't necessary, but because the model that drives useful work in Windows isn't command line based (even from an Administrator's point of view). That may be changing with MS switching over to PowerShell, but as it stands, what you're asking for may not actually be necessary.

      Vista, though, is supposed to have that magic little password prompt when you need admin privileges on a non-admin account, but if it comes up as often as UAC does (before you disable it because it annoys the shit out of you), I wouldn't use it. Of course, this necessitates that Vista doesn't set you up as an Admin out of the box, which it has each time I've installed it.

      Interestingly enough, I'd be willing to bet that if the only time UAC came up was in the context of a web browser or email app requiring admin rights (Attention: Hardcore Porn Video.exe is requesting to install "Botnet client." Cancel or Allow?), it'd probably be heeded much more seriously by average Windows users.

      --
      Boot Windows, Linux, and ESX over the network for free.

    10. Re:Most Spam Comes from just Six Bots, not Botnets by WK2 · · Score: 2, Informative

      Just what is the Windows equivalent of sudo that ships standard with Windows XP?

      It's called, "runas". It is a Windows program that allows you to run an arbitrary program as any other user (if you know the password, of course).

      Windows won't let you do anything of substance once you're running as non-administrator. That is the problem.

      That's not what I've observed. Back when I was using Windows 2K, I regularly ran as an ordinary user. Most programs worked just fine. Almost all of the Windows programs worked under a regular user, except for the ones that genuinely needed Admin access.

      Ever tried to install software ... as an unprivileged user on W2K??

      You can install software as an unprivileged user if you don't require Admin access to write to the directory you are installing to. So for example, if you install into your "My Documents" folder, you do not need Admin access. If, however, you want to install to "Program Files", then you need Admin access, unless you have altered Program Files to be editable by everyone. It pretty much works exactly like it does on Linux.

      Now that I've gotten your inaccuracies out of the way, I'd like to point out that Windows, and many of the programs written for it, don't seem to understand Least User Authority. The main goof Microsoft did was give the regular user Admin privileges at install-time. Windows requires Admin privileges just to look at the clock/calendar. Many programs written for Windows need to be manually "finessed" after installing, so that they can work properly for regular user accounts.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/

    11. Re:Most Spam Comes from just Six Bots, not Botnets by xZgf6xHx2uhoAj9D · · Score: 2, Informative

      I have no doubt that Windows has nice foundations, but this never seems to translate into my experience as an end-user. I use a W2K machine at work and quite frankly I spend probably close to 10% of my time there as an administrator. I need to set Thunderbird to be the default mail reader or something. Most of it is just installing new software.

      Quite frankly, I've yet to find Windows as good as sudo when it comes to limiting my time as root. On Linux, if I need to execute a 2 second command as root, I run sudo and it takes 2 seconds. On Windows, somehow it's more involved. I end up logging out and logging in as administrator. Then I end up browsing (yikes!) to the download site as administrator to download the installer.

      I'm sure it's possible to do all this as a non-privileged user, but Microsoft seems to be trying their hardest to make it inconvenient. Whatever their theoretical underpinnings, Microsoft could take some UI lessons from the Linux folks. They shouldn't be working against the user.

    12. Re:Most Spam Comes from just Six Bots, not Botnets by Doogie5526 · · Score: 2, Informative

      sudo -u

      The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a username, use #uid.

    13. Re:Most Spam Comes from just Six Bots, not Botnets by mcvos · · Score: 2, Informative

      How is that different from a typical Linux usage? I still need root access (via sudo or root) to update my OS and installed programs.

      OS yes, but you don't have to be root to install or update programs. I've seen lots of systems where programs were owned by bin, public or some other user. But more importantly, modern distributions like Ubuntu encourage you to use sudo, and that's almost infinitely safer than actually logging in as root.

      I can play video games, do video editing, listen to music, surf the web, use office and work from home via VPN and all that without being logged in as administrator. Where is the problem?

      Installing new software. I'm a programmer, and I often need to install some new tool. For that reason, all programmers at my work have Administrator rights on their standard Windows login. In Linux, I could install those tools in ~/bin, and while I'm sure that's usually technically possible in Windows (though some programs really do not like to be installed in \Documents and settings\, if only for the spaces in the directory name), it is at the very least very uncommon.

      The real problem here may not be technological, but cultural. In unix culture, it's common for users to install stuff in ~/bin, but in Windows culture, that's uncommon. It's much more common to give everybody who needs to install stuff Administrator rights. And that's where your technically sound security model breaks down.

  9. Re:Anti-bots? by ajs318 · · Score: 4, Insightful

    In theory, yes it would.

    In practice, no it wouldn't.

    You'd be opening yourself up to prosecution. Even in countries without specific "misuse of computers" laws, running a program on someone else's computer is trespass. You might think that, since trespass is a civil matter, you'd only need to worry about someone who has the money to sue you taking a dim view of what you were up to. And you'd be right. But the botnet-controllers have got enough money and would be bothered to take you to court.

    And I haven't even touched on the really horrifying issue: what if your benign, anti-malware malware malfunctioned, or was subverted by the next generation malignant, anti-benign-anti-malware-malware malware? You could easily end up becoming even worse than the enemy whose dirty tricks you borrowed.

    --
    Je fume. Tu fumes. Nous fûmes!

  10. Re:Hmm by Just+some+bastard · · Score: 2, Informative

    Is there a way to block these specific botnets!?

    No!?

    Rejecting on invalid HELO, no rDNS and checking the Spamhaus zen RBL is quite effective. Improving on that requires an admin to explicitly block known residential blocks via rDNS and IP (grumble).
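    As an added example (not code from any commenter above), here is the connection-time policy this reply describes, written as a small Python function: reject on an invalid HELO, on missing rDNS, on a Spamhaus Zen listing, and on the admin-maintained list of residential blocks, with the per-server whitelist that later replies in this thread mention. DNS lookups are injected as functions so the block runs offline against constructed records; the Zen return-code table follows Spamhaus's published codes, and all hostnames and addresses are made-up documentation values.

    ```python
    # Added example: SMTP connection-time policy (invalid HELO, no rDNS,
    # Spamhaus Zen listing, residential-block policy with an allowlist).
    # Lookups are passed in as callables so this is testable without network.
    import ipaddress
    import re

    ZEN_ZONE = "zen.spamhaus.org"
    # Spamhaus Zen answers in 127.0.0.0/8; the last octet says which list hit.
    ZEN_CODES = {
        "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
        "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
        "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    }
    _LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


    def helo_is_valid(helo, my_hostname):
        """HELO/EHLO must be an FQDN or a bracketed address literal, and not us."""
        if not helo:
            return False
        if helo.startswith("[") and helo.endswith("]"):
            try:
                ipaddress.ip_address(helo[1:-1])
                return True
            except ValueError:
                return False
        try:                       # a bare IP without brackets is not valid
            ipaddress.ip_address(helo)
            return False
        except ValueError:
            pass
        labels = helo.rstrip(".").split(".")
        if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
            return False           # single label ("localhost") or bad chars
        return helo.lower() != my_hostname.lower()   # a client claiming to be us is lying


    def dnsbl_name(ip, zone=ZEN_ZONE):
        """Reversed-octet query name, e.g. 10.2.0.192.zen.spamhaus.org (IPv4 only)."""
        octets = ipaddress.IPv4Address(ip).exploded.split(".")
        return ".".join(reversed(octets)) + "." + zone


    def check_client(client_ip, helo, my_hostname, ptr_lookup, a_lookup,
                     residential_blocks=(), allowlist=()):
        """Return (accept, reasons). ptr_lookup(ip) -> hostname or None;
        a_lookup(name) -> list of A-record strings ([] when NXDOMAIN)."""
        ip = ipaddress.ip_address(client_ip)
        reasons = []
        if not helo_is_valid(helo, my_hostname):
            reasons.append("invalid HELO %r" % helo)
        if ptr_lookup(client_ip) is None:
            reasons.append("no rDNS for %s" % client_ip)
        hits = [ZEN_CODES.get(a, "unknown") for a in a_lookup(dnsbl_name(client_ip))
                if a.startswith("127.0.0.")]
        if hits:
            reasons.append("listed in Zen: %s" % ",".join(sorted(set(hits))))
        # The allowlist only exempts a known-good home server from the
        # residential-block policy; it still has to pass the other checks.
        residential = any(ip in ipaddress.ip_network(b) for b in residential_blocks)
        allowed = any(ip in ipaddress.ip_network(a) for a in allowlist)
        if residential and not allowed:
            reasons.append("residential block policy")
        return (not reasons, reasons)


    # Constructed sample records (documentation addresses, not real hosts).
    SAMPLE_PTR = {"192.0.2.10": "mail.example.net", "203.0.113.77": "home.example"}
    SAMPLE_ZEN = {dnsbl_name("198.51.100.5"): ["127.0.0.4"],     # XBL: infected host
                  dnsbl_name("203.0.113.200"): ["127.0.0.10"]}   # PBL: dynamic space


    def demo():
        """Run four constructed clients through the policy; returns {ip: (accept, reasons)}."""
        clients = [("192.0.2.10", "mail.example.net"),        # proper MTA
                   ("198.51.100.5", "localhost"),             # bot: bad HELO, no PTR, XBL
                   ("203.0.113.77", "home.example"),          # allowlisted home server
                   ("203.0.113.200", "[203.0.113.200]")]      # residential, no PTR, PBL
        return {ip: check_client(ip, helo, "mx.example.org", SAMPLE_PTR.get,
                                 lambda n: SAMPLE_ZEN.get(n, []),
                                 residential_blocks=["203.0.113.0/24"],
                                 allowlist=["203.0.113.77/32"])
                for ip, helo in clients}


    if __name__ == "__main__":
        for ip, (ok, why) in demo().items():
            print(ip, "ACCEPT" if ok else "REJECT", "; ".join(why))
    ```
    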

  11. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  12. Re:How much spam do you actually get? by shird · · Score: 4, Informative

    Rather than creating a new gmail account, you should look at spamgourmet.com. The email accounts are created and limited automatically. Just give out an email address, and it automatically is limited to x many emails. You need to have a read up on it, but it's very easy to use.

    Or you can put a prefix to your gmail address with a '+', i.e. "temp+john38@gmail.com". The mail still gets delivered to john38@gmail, but with 'temp+john38@gmail.com' in the 'to:' field, allowing you to filter it easily.

    --
    I.O.U One Sig.

  13. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  14. Blocking known residential blocks sucks by Nursie · · Score: 3, Insightful

    Blocking known residential blocks sucks as a solution as it removes some of the democracy of the net.

    I (like others I'm sure, but maybe not so many of us these days) run a mail/web server from home. I just use it for personal mail. I have SPF and rDNS set up, I play by all the rules. Why block me because I use ADSL at home with a static IP ?

    Whilst I appreciate that accepting mail from my IP is potentially a higher risk factor, blocking all residential blocks seems to me to be overkill.

    1. Re:Blocking known residential blocks sucks by Corporate+Troll · · Score: 4, Insightful

      Oh, I did that too. I resigned, I still have my own mailserver, but it simply sends everything through my ISP's SMTP server. Even then, I sometimes get flagged as spam. This is, alas, a battle we have lost ages ago :-(

    2. Re:Blocking known residential blocks sucks by domatic · · Score: 2, Informative

      I don't care for the sucky aspects of it either but ultimately I have to keep email useful for the users on my network. We usually have ~=1000 valid incoming emails a day. Likely many of those are spam too but I've cranked up the filters as high as I dare. Blocking off residential IP space spares us from having to filter and deliver 50,000 to 100,000 spams a day. That is a pretty good chunk of CPU and bandwidth saved right there. An immediate 50:1 to 100:1 reduction on incoming server load is hard to pass up. Furthermore, some percentage of the traffic that we DO let through turns out to be spam anyway. My best estimate is perhaps 50 spams get through a day. If I had to categorize botnet traffic, that would inevitably go up and get users barking at me.

      Now, I COULD let the botnet traffic in and heavily penalize it in spam points. On the other hand, I whitelist maybe two or three servers on residential IP space a year. The tradeoff in bandwidth, server resources, and filter accuracy between "allow categorized residential" and "block residential minus whitelist" is simply too favorable in the blocking direction.

      Functional democracies require ways to deter griefers or at least the very worst of griefers. The spammers have made SMTP their personal playground and there is no end in sight to it. It is they who should have the blame for mail servers being configured as fortresses. It is all the mail admins can do to keep on top of their shenanigans.

    3. Re:Blocking known residential blocks sucks by statemachine · · Score: 2, Interesting

      Blocking known residential blocks sucks as a solution as it removes some of the democracy of the net.

      It's usually more nuanced than this. What is meant are dynamic IP addresses and IP blocks that are both under TOS restrictions for running a server.

      I (like others I'm sure, but maybe not so many of us these days) run a mail/web server from home. I just use it for personal mail. I have SPF and rDNS set up, I play by all the rules. Why block me because I use ADSL at home with a static IP?

      I've had your exact setup and have had little problem. Have you tried checking the blacklists and removing your IP? I check every few months just to make sure I'm not being listed for whatever reason.

      You are not among these (you have a genuine complaint), but many others who talk about residential blocks are operating servers in violation of their TOS. You and I, on the other hand, have gone out of our way to get a connection that allows servers. While I am sure there are some people who don't have access to buy such a connection at the same reasonable price you and I pay, these people are rare. The majority just want the rock bottom pricing but all of the upper Tier benefits.

      And it's not like I haven't been in these rare people's situation: where one lives a server-friendly TOS can't be had. I've found hosting at friends' houses, at work, and even a co-lo just to keep my personal server online. Yes, it's inconvenient. Yes, it costs a bit more (I've always paid my friends, or if at work, had my server provide a service). I'm not going to debate "worthiness," but I've always gone the extra mile. If there is a server-friendly TOS available to people to buy, I am not sure I can sympathize with people who choose not to upgrade/switch to it.

  15. Re:People need to take responsibility by CaptainPatent · · Score: 4, Insightful

    What you have is a good idea in principle, but with potentially horrible consequences.

    I would suggest some measures we can use:

    1) static IP's. Then we can easily track down infected machines and take them offline. Advertising companies are jumping for joy at this one. The more stable the IP address, the more they can bombard you with ads specially tailored for you. I like the fact that DHCP refreshes my IP every day or so, it means that sites that use web-bugs and other semi-devious methods of gathering information and (much worse) sell it to other companies, only have a very limited time frame to do so - and the fact that my IP does refresh makes them that much less able to make any profit off of me.

    2) Laws that require people to assume some form of responsibility when they connect a computer to the net. And what's going to happen if they don't "take responsibility?" By what metric do we judge responsibility? It sounds like the only way to enforce this is to dig into private internet usage information. I think the last thing I want is another person snooping around in the internet garbage bin for places my computer has been and is going to.

    3) Perhaps some form of compulsory insurance policy. Mainly see the above, but in addition the last thing we need is another mandatory insurance policy.

    4) Laws that require ISP's to disconnect spam bots and take some responsibility. This one may not be a terrible idea in practice, but ISP's are currently going nuts over things like bittorrent. What's to stop them from classifying bittorrent activity as "suspected botnet activity?"

    I do like the spirit of the post, but I don't think there's a clear-cut solution to the problem.
    --
    Well, back to rejecting software patent applications.

  16. Is this a surprise to anyone? by damn_registrars · · Score: 2, Informative

    Seeing that six botnets propagate most of the spam really shouldn't be a surprise to anyone who is familiar with Spamhaus. After all, why would the spammers want to reinvent the wheel and produce new botnets when each botnet is itself constantly gaining new zombie PCs?

    Really, this is nowhere near as useful as the spam distribution data that is available through Spamhaus, telling us who is behind the bulk of the spam, and what geographic parts of the world they are associated with. The botnet building and controlling seems to be the easy part of the spammers' game now, and we can all thank our neighbors and their new un-patched boxes on 24/7 DSL / cable connections for that.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.

  17. Sue the companies who advertise by ThirdPrize · · Score: 5, Interesting

    While most of us treat spam as junk it is there to serve a very specific purpose. To get our money into the accounts of unscrupulous companies. A mate of mine (honestly) replied to spam and got some pills back. There are proper businesses behind them. Why can't we trace where the money goes and sue their butts off?

    How many companies are actually advertising at any one time? Is all the spam for one company, ten companies, a thousand companies or a million?

    --
    I have excellent Karma and I am not afraid to Troll it.
    1. Re:Sue the companies who advertise by oliderid · · Score: 4, Insightful

      Precisely... For example US mortgage debt. I guess the "real" businesses behind it could be easily tracked by US police officers. All you have to do is respond to the SPAM and wait until you get a phone number, a bank account or whatever. Or those VIAGRA pills... If they are "official", then you can track their production numbers to the last "official" resellers.

      There is plenty of spam that requires real businesses behind it. Most of these businesses are located in western countries. Why can't they track them?

    2. Re:Sue the companies who advertise by vsloathe · · Score: 2, Informative

      There's a very simple reason you can't sue the companies who advertise via spam. They are not the ones sending you spam. Most email spam you receive is the result of affiliates of these companies who get paid a commission to sell you their products. Most companies strictly forbid the use of non-CAN-SPAM-compliant marketing, but some allow it "off the record". The best you can do is send an email to the online pharmacy or mortgage company or retailer on the other end and let them know "xyz account" is using spam to promote their product. Best case, you will get said affiliate's account banned. Most likely though, even if that does happen, the spammer will have multiple other accounts set to other bank accounts and other PO Boxes, et al. Ostensibly though, these companies have no hand in or knowledge of the promotion methods being used to sell their product, unless customers complain.

    3. Re:Sue the companies who advertise by Hi_2k · · Score: 2, Interesting

      Take a look at Joe Jobs to see the problems inherent in that.

      --
      When life gives you crap, Make Crapade.
      Sluggy Freelance.
  18. Re:People need to take responsibility by ledow · · Score: 2, Informative

    Let's ignore all your points for a second and cut to the crux of the matter. The country you live in could legally enforce all of your suggestions absolutely perfectly. It wouldn't make a dent. You could do it in twenty, fifty countries. You still wouldn't make a dent. Law is not universal. In my continent you can't HAVE software patents, they actually do not exist. You aren't going to make that change any time soon no matter what your country does. Similarly for any legal resolution to spam, viruses, botnets etc. Even if 50% of the world's botnets are on American PCs (for example), by definition even the owners don't want them or even know they are there. Nor do the ISPs, or the transport carriers, or anyone else along the line. But it's like suing people because they gave you a cold - they didn't want to catch the cold in the first place and, yes, although there are measures they can take to lessen their potential exposure to the virus, nothing is guaranteed.

    1) "static IPs" - we can already trace where all the stuff comes from - there are complete trails back to the sending machines and from there back to the perpetrators. But most of it generally comes from computers abroad, or from people attacking computers from abroad, or via proxies, all of which are subject to different laws and untouchable. Even ASKING for the details belonging to a particular IP that resides in a foreign country is unbelievably difficult. And you won't get them, but your law enforcement might. And you think you can shut them off before they cause damage because you have their IP address? Nope. It's too late. By that time, the botnet's already moved on to take advantage of the next exploit. We have dynamically updating realtime, very expensive blocklists with dedicated people to add new machines as they are found - they don't stop that much, really.

    2) "Laws that require people to assume some form of responsibility when they connect a computer to the net." - in every country in the world. With similar provisions. Quickly. Not going to happen. EVER. And then you're into why do you have to take responsibility and how do you ensure it? Your kid put a virus on your machine? I'll sue you, then. No? You caught a spyware toolbar which sends me spam? I'll sue you, again. You'd either sue people literally off their computer seats, everything would get thrown out of court, or you've just helped the government introduce legislation to make them monitor everything you do at your computer, with fingerprint ID required to logon.

    3) "Perhaps some form of compulsory insurance policy." - For owning a computer? No. If you could tax people for being stupid, the world would be split between the bankrupt and the filthy rich.

    4) "Laws that require ISPs to disconnect spam bots and take some responsibility." - So now they're responsible for their users' actions? They won't let you do it. If you do, they will shut themselves down and get out of the business. They ALREADY disconnect bots - it is in their interests. They ALREADY have to deny all responsibility for your actions. And they are ALREADY in deep legal grey areas because of the burden of proof of doing such things and the expense of a mistake (Sorry, Company X, I thought you sent a spam. I've just cut off your Internet by mistake. Bye-bye online business).

    But the fact is that none of your measures are sensible or practical, some are even impossible, and all of them are in place in one way or another today. The fact is that every country in the world has a different idea. If we can't convince them all that death by execution or torture might be a bad idea, how the hell do you think you're going to get them to shut down botnets?

  19. Re:Anti-bots? by ajs318 · · Score: 3, Insightful

    I came to the conclusion that the only way to stop it is for each ISP and mail server to require correct sender IP info from the sender, or bounce the message right back.
    Almost. Actually, if the HELO is incorrect, or the originating machine is not registered as an MX for the domain, the proper course of action would be to return an SMTP error code -- absolutely not bounce the message back. If it's genuine, there'll be a copy on the sending machine somewhere anyway; and the bounceback from failed spamming attempts is not pretty. (Domains of mine have occasionally been used as the purported originators of spam, and the floods of "returned" mail coming "back" from clueless ISPs -- hello? see where that HELO is coming from? is that machine an MX for my domain? then WhyTF do you think this message has anything to do with me? -- are as bad as anything else.)

    If more people configured their sendmail to reject bad HELOs, it would be a lot harder to send spam.
    --
    Je fume. Tu fumes. Nous fûmes!
  20. Re:How much spam do you actually get? by Tacticus.v1 · · Score: 5, Informative

    I just checked this and I think you got the address round the wrong way.

    You need to put it as john38+temp@gmail.com for it to work, as the other way round just goes to the wrong address.

  21. Re:Anti-bots? by MightyYar · · Score: 5, Interesting

    I was wondering whether it would help if Google (and maybe some of the other top 10) notified you when you showed up on one of the IP block lists with a big yellow box at the top of the page, like an IE alert: "Warning: Your computer has been reported to be a SPAM relay! Please clean up your computer with the following tools..."

    Something like that. They could get the list of infected IPs from one of the black lists.

    I'm not a network guy, so I don't know what kind of technical restrictions there would be... obviously this wouldn't work well with proxies - maybe NAT would be an issue as well? In any event, I personally would appreciate such a service, even if I got hit with false positives once in a while. Of course, the bots would eventually get wise and filter out the messages, but that's part of the fun of the war.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  22. Re:Anti-bots? by Just+some+bastard · · Score: 2, Insightful

    An MX record isn't required for sending mail, for receiving mail there's a fallback to A if no MX is found. The problem you're describing (backscatter) is solved by SPF; if only more people configured their MTA to check that before generating a bounce :(
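
The point made in posts 19 and 22 (refuse during the SMTP transaction, check SPF before ever generating a bounce) as an added example; this is not code from the thread or from any MTA. It is a minimal SPF evaluator with DNS replaced by a constructed in-memory table so it runs offline; every domain, host and address below is made up, and `FAKE_DNS`, `check_spf` and `smtp_reply` are names chosen for this example.

```python
"""
Added example, not code from the thread: a minimal SPF evaluator that a
receiving MTA would run during the SMTP transaction, so that mail whose
envelope sender is forged is refused with a 5xx reply instead of being
accepted and then "returned" to the forged domain (backscatter).
DNS is replaced by a constructed in-memory table so the example runs
offline; every domain, host and address in it is made up.
"""
import ipaddress

# Constructed stand-in for DNS.  A real implementation queries TXT, A and
# MX records; the records here only need to look like real ones.
FAKE_DNS = {
    "txt": {
        "example.org": "v=spf1 mx ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
        "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
        "softfail.example": "v=spf1 a ~all",
        "nospf.example": None,          # domain publishes no SPF record
    },
    "mx": {"example.org": ["mx1.example.org"]},
    "a": {"mx1.example.org": ["192.0.2.25"], "softfail.example": ["192.0.2.80"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying mechanisms at 10


def _matches(mechanism, ip, domain, depth):
    """True if the connecting ip matches a single SPF mechanism."""
    name, _, arg = mechanism.partition(":")
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return str(ip) in FAKE_DNS["a"].get(arg or domain, [])
    if name == "mx":
        # MX hosts are the domain's *inbound* servers; "mx" only matches
        # when the sender also happens to send from one of them.
        return any(str(ip) in FAKE_DNS["a"].get(host, [])
                   for host in FAKE_DNS["mx"].get(arg or domain, []))
    if name == "include":
        # An include matches only when the included record yields "pass".
        return check_spf(str(ip), arg, depth + 1) == "pass"
    if name == "all":
        return True
    return False   # unknown mechanism: no match


def check_spf(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = FAKE_DNS["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        if _matches(term.lstrip("+-~?"), addr, domain, depth):
            return QUALIFIERS[qualifier]
    return "neutral"   # record exhausted without a match


def smtp_reply(ip, mail_from):
    """The reply an MTA would give to MAIL FROM, decided before DATA."""
    domain = mail_from.rsplit("@", 1)[-1]
    result = check_spf(ip, domain)
    if result == "fail":
        # Reject now: the real sender keeps its copy, and no bounce is
        # generated toward a domain that never sent the message.
        return "550 5.7.1 SPF fail: %s is not permitted to send as %s" % (ip, domain)
    return "250 2.1.0 Ok (spf=%s)" % result


if __name__ == "__main__":
    for ip, sender in [("203.0.113.7", "alice@example.org"),
                       ("10.0.0.1", "alice@example.org"),
                       ("10.0.0.1", "bob@softfail.example")]:
        print(ip, sender, "->", smtp_reply(ip, sender))
```

Only a hard `fail` is turned into a 550 here; `softfail` and `neutral` are passed on to the next filtering layer, which is the usual conservative policy. The important property is where the decision happens: while the sending host is still on the line, so that a forged sender never receives a "returned" copy.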

  23. Who is going to code the first FOSS "Cure" ? by Kylere · · Score: 2, Interesting

    That targets the top 5, 10 etc botnet issues so they can be addressed specifically without having to do broad spectrum AV searches (That fail depending on product)

  24. You have overlooked a more permanent solution. by Dimensio · · Score: 4, Funny

    While it may be difficult to terminate entire networks and IP address ranges, a more effective solution would be to identify the individuals who are directly responsible for sending unsolicited junk e-mail through "botnets" and the individuals who are responsible for providing access to these illegally hijacked "botnets" and then kill them. Such an action would be most effective if done brutally and painfully, through acts of torture, with videos and images of the events and the aftermath released to the public as a warning to others who might engage in the same behaviour.

  25. Re:How much spam do you actually get? by ortholattice · · Score: 2, Insightful

    Or you can put a prefix to your gmail address with a '+', i.e. "temp+john38@gmail.com". The mail still gets delivered to john38@gmail, but with 'temp+john38@gmail.com' in the 'to:' field, allowing you to filter it easily.

    Spammer's note to self: (1) duplicate all gmail addresses with dummy "+" fields purged. (2) duplicate all gmail addresses with the most common non-filtered dummy fields, such as "family" and "work". Now each gmail address will be hit with a dozen or a hundred variations, in hopes that one will get through the filter.

  26. Re:Hmm by eth1 · · Score: 4, Insightful

    Actually, using something like the Spamhaus PBL (which pre-emptively lists IP ranges that shouldn't be sending direct-to-MX email, such as ISP dynamic ranges), you actually CAN block significant portions of these botnets.

    The three of my relays that use the combined Spamhaus SBL, XBL, and PBL block about 3.5 million connection attempts per day, and let 1 million emails/day through to the next layer of filtering. (about 78% of the flow, assuming that each connection would only drop off one email) The PBL accounts for about half of those blocks.
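
The lookup eth1's relays perform, as an added example that is not code from the thread or from Spamhaus: a DNSBL client that forms the octet-reversed query name under a combined zone, maps the answer to the component list (SBL, XBL or PBL, per the return codes Spamhaus publishes for ZEN) and decides the SMTP reply. The resolver is a constructed in-memory stub so it runs offline; the listed addresses and the function names (`dnsbl_query_name`, `lists_hit`, `smtp_decision`) are this example's own.

```python
"""
Added example, not code from the thread: how a relay consults a combined
DNS blocklist such as Spamhaus ZEN (SBL + XBL + PBL in one zone).  The
connecting IPv4 address is written octet-reversed under the zone name and
looked up as an A record; an answer in 127.0.0.0/8 means "listed", and
the last octet says which component list hit (values per Spamhaus's
published ZEN return codes).  DNS is replaced by a constructed in-memory
stub so the example runs offline; the listed addresses are invented.
"""
import ipaddress

ZONE = "zen.spamhaus.org"


def dnsbl_query_name(ip, zone=ZONE):
    """'203.0.113.7' -> '7.113.0.203.zen.spamhaus.org'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv6 uses nibble-reversed names; IPv4 only here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def component_list(answer):
    """Map a ZEN return code to the list that produced it, or None."""
    code = ipaddress.ip_address(answer)
    if code in ipaddress.ip_network("127.255.255.0/24"):
        # Spamhaus uses 127.255.255.x to report query problems (open
        # resolver, over quota, typo in the zone name), not listings.
        return None
    if code not in ipaddress.ip_network("127.0.0.0/8"):
        return None   # not a DNSBL answer at all; ignore it
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"   # spam sources / snowshoe ranges (CSS)
    if 4 <= last <= 7:
        return "XBL"   # exploited hosts: bots, open proxies
    if last in (10, 11):
        return "PBL"   # policy: ranges that should not send direct-to-MX
    return "unknown"


# Constructed resolver stub: query name -> A records.
FAKE_RESOLVER = {
    "7.113.0.203.zen.spamhaus.org": ["127.0.0.4"],                # a bot
    "20.2.0.192.zen.spamhaus.org": ["127.0.0.10", "127.0.0.4"],   # bot on an ISP dynamic range
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],  # listed everywhere
    "9.9.9.9.zen.spamhaus.org": ["127.255.255.254"],              # query error, not a listing
}


def lists_hit(ip, resolver=FAKE_RESOLVER):
    """Sorted names of the component lists that list ip (empty if clean)."""
    answers = resolver.get(dnsbl_query_name(ip), [])
    return sorted({name for name in map(component_list, answers) if name})


def smtp_decision(ip, resolver=FAKE_RESOLVER):
    """Reply for the connection: refuse listed hosts before they send DATA."""
    hits = lists_hit(ip, resolver)
    if hits:
        return "554 5.7.1 Service unavailable; %s is listed in %s [%s]" % (
            ip, ZONE, ",".join(hits))
    return "220 OK"   # not listed, or the lookup itself failed: fail open


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.20", "198.51.100.1", "9.9.9.9"):
        print(ip, "->", smtp_decision(ip))
```

Two design points worth noting: the 127.255.255.x answers are treated as "no information" rather than as a listing, so a misconfigured resolver degrades to letting mail through instead of blocking everything; and the component list is recorded in the reply, which is what makes figures like eth1's "the PBL accounts for about half" possible to measure from the logs.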

  27. Re:Hmm by Kamokazi · · Score: 2, Funny

    The second option sounds a lot easier.

    --
    As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
  28. Re:How much spam do you actually get? by harry666t · · Score: 2, Interesting

    And what's the problem with running "sed 's/\+.*@gmail/@gmail/'"?

  29. Re:Anti-bots? by Mister+Whirly · · Score: 2, Insightful

    "You know what's worse? It'd be a quick half-hour job to fix it, if only the owners had thought to demand the Source Code."

    Spoken like someone who has never actually debugged crappy code before. If I had a nickel for every time someone just needed "a half-hour" to fix a problem in code....

    --
    "But this one goes to 11!"
  30. Re:Hmm by graphicsguy · · Score: 4, Informative

    Perhaps it's not a random Microsoft bash, but a reference to Bill Gates' claims in 2004 that the spam problem would be solved by 2006.

  31. Re:Anti-bots? by AeroIllini · · Score: 2, Funny

    I was wondering whether it would help if Google (and maybe some of the other top 10) notified you when you showed up on one of the IP block lists with a big yellow box at the top of the page, like an IE alert: "Warning: Your computer has been reported to be a SPAM relay! Please clean up your computer with the following tools..." Yeah, it would be just like those Windows dialog box advertisements that jump around and say "Your computer is infected with a VIRUS! Click OK to run our FREE VIRUS REMOVAL SOFTWARE!" I always trust any random box that jumps up in front of me. There's no way that I, being a totally botnet'd infected Windows MSIE user, would simply be numb to the sheer number of popups and messages my computer throws at me every day. I read each and every one and carefully consider what it has to say before clicking the close button.
    --
    For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
  32. Re:There's the rub! by doctorfaustus · · Score: 2, Informative

    The most effective spam blocking technique I've found is to route all my personal email addresses through gmail using its "Get Mail From Other Addresses" function. I'm down about 10 spams a day from about 300. And the spam is saved on the gmail server so I can check it now and then for false positives. I have to say, there are very few of them. Thanks, Google....

  33. Double standard by MacDork · · Score: 3, Insightful

    Yet if ISPs were blocking residential http servers, these anti-spam nerds would FLIP OUT. ISP blocked your residential smtp server? Meh *shrugs* The anti-spam crusaders are ruining the open nature of the internet. False positives are unacceptable. I'll take spam over false positives any day.

  34. Re:How much spam do you actually get? by jfengel · · Score: 2, Informative

    Really, you need to do it the other way around. You tell all your friends that you're john38+yeahreally@gmail.com, and you send anything without the +yeahreally to the bit bucket.

    You can even give different people different +extensions, though managing the white list for them gets to be a pain. Especially since your new, improved email addresses will gradually leak into the spam books (everybody's got a friend dumb enough to push the "forward this article to a friend and sign them up for spam for life!") but it gives you some address space to play with even when you don't have direct control over the mail server.

  35. Re:Why can't we solve this problem? by swordgeek · · Score: 2, Insightful

    Here's a one-word answer: Jurisdiction.

    Basically, the Russian mafia is behind a lot of the botnet activity. They're employing talented but criminal programmers to write this stuff in a number of locations. Staff are paid for their work, and even provided benefits in some cases.

    The botnet control servers are spread between a number of (mostly eastern-bloc) countries. Interpol can initiate action, but relies on the local police to carry it to the end, and the local police are...bought and paid for by the crimelords. Furthermore, if one slightly suicidal policeman (or force) decides to act against the botnet operation, then all it means is that one of the tentacles is cut off. While it's busy regrowing (i.e. the data centre is being rebuilt a block away), the effect is minimal at best because there are similar systems set up in other countries.

    What it would take to legally shut down the botnets is the coordinated effort of interpol and the police forces of several countries, combined with a lack of fear of organised crime. Six months later, they'd need to do the same thing again, probably with different countries. After doing this roughly three times a year for three or four years, the criminals in charge might decide to give up and move into another area--however, after the first attempt, there would be a lot of dead or injured cops showing up, and quite possibly their families as well. If you could pull off a raid like that once, do you think ANYONE would want to take part in a second raid, given the mortality rate (and peripheral damage)?

    To shut them down illegally would take a well-funded and heavily armed black-ops team, to go in and start slaughtering the programmers, bombing the data centres, and (ideally) assassinating the crime lords. Basically, an anti-mafia mafia. The CIA has a history of doing this, but generally to depose governments, not criminals.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  36. Re:Hmm by holyspidoo · · Score: 3, Funny

    Bill Gates: No one is ever going to need more than 6 botnets.

  37. Re:Hmm by Tripster · · Score: 2, Informative

    Not many, I run this on my servers as well and rarely hear any problems from the clients using them.

    Floodgates wide open is NOT an option because when I tried that I then heard many complaints from clients about slow server and way too much spam for their liking, they seem to prefer we try and do something about the spam levels rather than simply let everything through.

  38. Re:There's the rub! by avronius · · Score: 2, Interesting

    Sure wish that you hadn't replied anonymously - I do appreciate your response. On one hand it's humorous, and on the other, its validity cannot be overlooked.

    Allow me to address each of your concerns in turn.
    1. Users of email will not put up with it
    Most users of e-mail don't care what happens between send and receive. Like the postal service, once they drop their envelope into the slot, they expect magic to happen after it leaves their hands and arrives at their intended destination. They are vociferous when their message isn't delivered, or if they receive too many messages that are "off-colour".

    2. Huge existing software investment in SMTP
    I don't easily discount the existing investment in smtp. I do, however, believe that the next step is to quit building barriers and start looking for alternate solutions in earnest. Adding a protocol for mail handling would require adding a layer that doesn't currently exist between mail servers.

    3. Armies of worm riddled broadband-connected Windows boxes
    This is, indeed, a barrier. If the new mechanism requires authentication, you will be able to easily locate and address these boxes. This isn't an ideal approach, but the other option of "not providing a patch for these hosts" isn't realistic.

    4. Eternal arms race involved in all filtering approaches
    I admit that I don't fully understand the implication of this comment - are you referring to the cost of funding a certification service?

    5. (x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    I freely admit that this idea was reasonably easy to come up with. What I don't understand is why there isn't more emphasis on change, and why there is so much entropy associated with it?

    6. (x) Blacklists suck
    7. (x) Whitelists suck
    I agree with both of these. However, a central location that works for everyone would not be as bad as dozens of home-grown black/white lists.

    8. (x) Why should we have to trust you and your servers?
    There's no reason for you to trust anything of mine - your role is merely to get a [hopefully freely available] certificate and add the protocol [and any accompanying patches related to activating it]. When you are comfortable with [the next big thing], disable smtp and wait for the complaints to roll in.

    9. (x) I don't want the government reading my email
    I can't help you with this one. It's possible that the government is already reading your mail. How would this system be any different? Granted, it's close to impossible to remain anonymous in this system, but I would expect that there will always be a server somewhere that would offer you that option if you want it.

  39. Re:Hmm by Guido+del+Confuso · · Score: 2, Funny

    You're going to have to reboot the system to reset that, as has been mentioned. However, there's an easy way to prevent this kind of thing from happening again. Once your system is up and running, log in (as root) and type "rm -rf /"

    Doing this will prevent any sort of malicious command from being run in the future.