Slashdot Mirror


Top Botnets Control Some 1 Million Hijacked Computers

Puskas writes "Joe Stewart is the director of malware research at SecureWorks, and presented a dire view of the current botnet landscape at the RSA conference this week. He conducted a survey of the top spamming 'nets, extrapolating their size from the volume of emails that flow across the internet. By his calculations, the top 11 networks control just over a million machines, hitting inboxes with some 100 billion messages a day. 'The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names "Cbeplay" and "Exchanger" — has an estimated 315,000 bots and can blast out 60 billion messages a day. While it may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.'"

54 of 250 comments

  1. Let's see some truthful tagging by toby · · Score: 3, Informative

    Start with "microsoft" and "windows" as the technologies which bring you the largest, most profitable botnets!

    --
    you had me at #!
    1. Re:Let's see some truthful tagging by geminidomino · · Score: 5, Insightful

      I like to bash MS as much as the next, but the only reason Windows is the largest botnet host is because it has the largest market share. When you're creating a botnet, you're going for volume. If Macs ever get significant market share they'll be targeted as well. Every time Windows proves what a Swiss-cheese POS it is, someone trots out this old canard.

      That's the same reason NIMDA went after Apache, Slammer hit LAMPs... Oh, wait, they didn't.
    2. Re:Let's see some truthful tagging by Jeremiah+Cornelius · · Score: 4, Informative

      Here I go again. Every time I point out real shortcomings of an Apple product, I get modded to oblivion - "There are none so blind as those who will not see." Posted from my MacBook, BTW.

      'Tis no mere canard or straw man. Simple economies of scale keep the Macs out of the botnets - not Cupertino prowess.

      Microsoft is Swiss Cheese, that's wrapped in foil.

      Apple is Swiss Cheese labeled as "Emmenthaler" - believing that the luxury branding will ward off serious scrutiny, but leaving those holes exposed.

      Lo! http://www.news.com/8301-13579_3-9905095-37.html

      It's like this every year. Apple leaves vulnerabilities wide enough to drive a truck through, and I've lost count of the number of these things given away as prizes to the cracking teams.

      Apple patch the OS like Microsoft used to, before Slammer. The usual culprits? QuickTime and Safari.

      The guys who cracked the MacBook Air need only have coupled this with the DNS flaw in AT&T customer TwoWire routers, and a very bad situation would exist in the wild. Not trivial - but not too difficult. The hard part was finding the flaw - now it's an exercise for the Kid33z. If there were an economically feasible number of Macs to do this, you can bet it would be crime syndicates and not kids - and you'd have a happy, Apple botnet.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:Let's see some truthful tagging by DJ+Jones · · Score: 2, Informative

      You're right, NIMDA and Slammer didn't hit Apache or LAMPS. You know why? Because they're both server applications, not operating systems with kernel exploits.

      You're comparing apples to oranges. You might have made a good argument if you referenced Linux, but you didn't. You also failed to realize that most botnets exploit home computer terminals, not web servers that are generally patched and monitored by knowledgeable administrators.

      Now show me an OS that hasn't been exploited at least once?

    4. Re:Let's see some truthful tagging by Beardo+the+Bearded · · Score: 3, Interesting

      Third time posting this link in this thread:

      Compromised Linux machines are an integral part of the botnet.

      No technology can replace determined stupidity... or just plain arrogance.

      But... you are INVINCIBLE!, right?

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    5. Re:Let's see some truthful tagging by number6x · · Score: 2, Informative

      Windows and Linux have market share that is on the same order of magnitude, in the server market place.

      Windows may have just below 90% market share in the home user space, but how many home users have high bandwidth upload capability? Cable broadband providers block server ports upstream for home users and ADSL providers provide asynchronous bandwidth, broad download skinny upload, as well as blocking server ports upstream.

      Because of this the target for spammers is the server space. There are a lot of people in medium and small businesses paying for high bandwidth connections and installing Linux and MS Small Business Server for themselves.

      These guys don't have an IT department to configure things right, and they have business accounts for bandwidth that allow fast uploads with the ability to run a mail server.

      This market space is where your spammers target. Linux and Windows have 26% and 38% market share respectively in the server market. I bet it is even closer in the small business market.

      Windows is not the king of marketshare most people believe it to be.

      And besides, even if they were, it's still no excuse for shipping a product full of holes.

    6. Re:Let's see some truthful tagging by value_added · · Score: 2

      Apple is Swiss Cheese labeled as "Emmenthaler" - believing that the luxury branding will ward off serious scrutiny, but leaving those holes exposed.

      Overlooking the fact that Emmental (where Emmenthaler is made) is already in Switzerland and has been for some time, I wonder how many Mac users, when feeling a bit peckish, will turn to cheesy comestibles?

      And of those that do enjoy the fermented curd, how many would rather a bit of Cheddar, or Tilsit or even something like a Wensleydale to Emmenthaler? Seems to me that if you can't make up your mind, or decide which is better, a Danish Fimboe, Japanese Sage Darby, or Venezuelan beaver cheese, you might as well call it a day and say "It's runny Camembert for Everyone!", ignoring the fact that Camembert, even when it's really really runny is really awful with potted pork.

      Which I think was the original subject of the article.

    7. Re:Let's see some truthful tagging by Jeremiah+Cornelius · · Score: 2, Funny

      Whoops! The cat's eaten it...

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    8. Re:Let's see some truthful tagging by Hatta · · Score: 3, Funny

      The article notes that the Linux boxes are like the generals of the botnet army. So even when compromised, Linux is a more powerful OS. ;)

      --
      Give me Classic Slashdot or give me death!
    9. Re:Let's see some truthful tagging by kesuki · · Score: 2, Informative

      Let me just point out, you can use an Apple PC without running QuickTime OR Safari.

      And since it's based off FreeBSD, there are really easy ways to harden the OS against exploits, like with any unix or unix-alike OS variant (like chflags, aka chattr on Linux).

      And if you REALLY want to harden an Apple system there is Darwin.

      I mean, at least someone with some common sense can add a nice layer of security for Apple without adding anything more than a replacement for Safari and removing QuickTime.

      For Windows security you need to run Vista, or have a hardware firewall to protect your XP machine... Is it just me or is an OS with 58 'unpatched' vulnerabilities not somehow worse?
      http://www.frsirt.com/english/Unpatched-Microsoft-Vulnerabilities.php

      I know the Safari vulnerability is pretty serious, but is it not as equally serious as the ActiveX Control Dialog Box Security Bypass Vulnerability, that is still unpatched on XP? I mean, think of the dancing bunnies problem of internet security: a dancing bunnies site could easily use the ActiveX bypass to install malware on millions of XP machines.

  2. How do I tell...? by AdamTrace · · Score: 4, Interesting

    I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

    I don't necessarily trust that a clean-virus scan means a whole lot.

    What's the best way to make this determination?

    1. Re:How do I tell...? by Volante3192 · · Score: 5, Informative

      Put a good firewall in front of it and watch the packets go in and out. Any rogue port 25 traffic would be a big clue.

    2. Re:How do I tell...? by spun · · Score: 4, Funny

      You know what destroys infection? FIRE! Good old cleansing fire. Simply stuff your computer full of old newspapers, douse it with gasoline, and light it on fire, and I guarantee that it will be free from infection.

      If this either seems too drastic or fails to do the trick, just squirt a syringe full of penicillin directly into the power supply while the computer is running; that should help.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    3. Re:How do I tell...? by maxume · · Score: 3, Informative

      Short of a firewall, you can use something like TCPView to look for unexplained network activity:

      http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

      A rootkit can hide its activity, so this isn't as good as a firewall, but it is easier, and you'll at least be able to figure out if you have a non-rootkit infection.

      --
      Nerd rage is the funniest rage.
    4. Re:How do I tell...? by Zemplar · · Score: 2, Funny

      I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure? I don't necessarily trust that a clean-virus scan means a whole lot. What's the best way to make this determination?

      Do you shutdown your computer by pressing "start"? If so, odds are good you're at risk.

    5. Re:How do I tell...? by johnny+maxwell · · Score: 2, Insightful

      I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

      I firmly believe that you can never be sure. It all comes down to trust: Do you trust - morally and technically - the people who wrote the programs you are running, and the people who compiled them, and those who packaged them onto a CD or a webserver... and so on.

      As it is nowadays impossible to have complete insight into all your running software, let alone your hardware, you will never be sure. But you can have confidence :)

    6. Re:How do I tell...? by Jeremiah+Cornelius · · Score: 2, Insightful

      Firewalls don't help, if you navigate to a BadWare URL, and request an exploit on port 80!

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    7. Re:How do I tell...? by Beardo+the+Bearded · · Score: 5, Insightful

      You can't.

      Not even Linux boxes are safe from hacking.

      An anti-virus scan is totally worthless. In fact, most systems slow your machine down so badly that they're worse than useless. Norton slows your machine down by thousands of percent!

      Let's be honest here. In my lifetime, I've spent less than $100 (one hundred dollars) on my security systems. That gives me a D-Link firewall, Avast!, and Spybot. The hackers have access to the same materials. If they want to write a program that gets around my meager defences, then they can. I live only by my obscurity, enhanced by my slight tweaks to my firewall. (Dropping pings, blocking port 113, etc.) As far as a passive scan goes, I don't exist. I simply wouldn't survive a concentrated attack.

      That's probably okay, though - it's like when I lock up my bike. I have a kryptonite U-lock that I put through both wheels and the frame. I also take the seat with me and remove all the shiny bits. (It also has a VHF transmitter, but that's another story.) It would take someone with a plasma torch two or three seconds to cut the bike rack and put my bike into a truck. However, that's not worth your average meth-headed bike thief's time. It's easier for him to take another bike that's not as secure. If a dedicated professional wants my bike, then he's going to get it.

      The major problem with Windows is that when you take your machine home and plug it in, it can be easily compromised. The same is true with a lot of commercial-grade routers with firewalls. The default settings leave a lot to be desired. Your firewall still sort of works, but you're not getting the same level of protection that you'd get by changing some settings. Just two days ago, we had an article about the 2-wire security holes, showing that a large percentage of IDSN home users in North America are wholly unprotected against external attacks.

      So why do we have what we have? It's simple. We have a lot of programs written by people who simply do not understand security issues. Windows, for example, is perfectly stable until you start to put 3rd-party software on it. Then it starts to crash because the memory is being used in two or more different ways. Take a look at some of the snippets on thedailywtf to see what sort of quality work you end up with when you have people who "can program" and can't understand basic math (if you work unpaid overtime, that's you.) writing important code for important systems.

      What's required to fix it is a wholesale change in CPU architecture along with mandatory licencing and regulation for anyone who wants to program anything in any language and sell it. (If you put up a dividing wall in your house, you can get the supplies at Home Depot and DIY. If you want to sell a wall-building service to the public, you have to be licenced.)

      Only once we take programming as seriously as we take bridge construction and land surveying will we start to see safer computing.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    8. Re:How do I tell...? by Technician · · Score: 3, Informative

      I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

      As a smart software developer, you know not to trust a box that may be untrustworthy. Your packets leave the untrusted box and must pass elsewhere where they can be monitored. Do you monitor your router traffic? That's number 1. Windows Updates may cause unexpected traffic, but the addresses will let you know if it's outgoing spam or requests for updates from Microsoft.

      For example, my recent URLs from my router log show the following:
      192.168.1.81 168.143.175.215 www
      192.168.1.81 74.125.47.164 www Google
      192.168.1.81 210.50.7.243 www Doubleclick --- I'm going to have to add this to my hosts file..
      192.168.1.81 8.14.216.9 www
      192.168.1.81 74.125.47.164 www Google
      192.168.1.81 203.34.47.165 www IDG publications
      192.168.1.81 210.50.7.243 www Doubleclick
      192.168.1.81 210.247.196.12 www www.facilitatedigital.com/
      192.168.1.81 217.20.16.80 www
      192.168.1.81 209.27.52.115 www Doubleclick
      192.168.1.81 66.35.250.151 www Slashdot
      192.168.1.81 209.62.176.153 www Doubleclick
      192.168.1.81 74.125.47.164 www Google
      192.168.1.81 74.125.47.103 www Google

      It's all WWW traffic and no unexpected port 25 traffic. A simple Linksys router can give you this information. Take the addresses given and plug them into the URL bar in your browser to see if there is any unexpected traffic. Don't trust a possibly owned machine. Go upstream and look at the traffic. Most routers will log some incoming and outgoing traffic. Check it once in a while. Your machine might be clean, but the kids may have problems. The kids are at school so all recent traffic is mine. If my wife's desktop was spewing traffic, I would see the traffic from another machine's IP address.

      And yes, that is my real IP address for today. I'm glad MediaSentry isn't in the list. ;-)

      --
      The truth shall set you free!
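The check Volante3192 and Technician describe, written out as an added example that is not from the thread: group a router's connection log by source host and flag port 25 flows to anything other than an approved relay, plus the fan-out pattern (one host talking SMTP to many destinations) that a direct-to-MX spam bot produces. The log format follows the lines quoted above; the sample lines, the service-name table and the approved-relay address are constructed for the example.

```python
"""Scan a home-router connection log for the 'rogue port 25' pattern.

Input format follows the router log quoted in the thread:
    <source-ip> <destination-ip> <service-or-port> [free-text annotation]
The sample lines, service table and approved-relay list below are
constructed for illustration; addresses use the RFC 5737 test ranges.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Service names a consumer router log might print instead of numbers.
# Constructed lookup table; extend it to match your router's output.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "smtp": 25,
                 "submission": 587, "smtps": 465, "dns": 53, "ntp": 123}

# Mail relays a host on this network is allowed to reach on port 25
# (typically the ISP's outbound relay). Constructed address.
APPROVED_MAIL_SERVERS = {"198.51.100.25"}

# At or above this many distinct port-25 destinations a host looks like a
# spam bot delivering direct-to-MX rather than a client using one relay.
SMTP_FANOUT_THRESHOLD = 3


@dataclass
class HostReport:
    ports: Counter = field(default_factory=Counter)   # port -> flow count
    smtp_targets: set = field(default_factory=set)     # non-approved port-25 dsts
    alerts: list = field(default_factory=list)


def parse_line(line):
    """Return (src, dst, port) or None for blank or unparseable lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    src, dst, svc = parts[0], parts[1], parts[2].lower()
    if svc.isdigit():
        port = int(svc)
    elif svc in SERVICE_PORTS:
        port = SERVICE_PORTS[svc]
    else:
        return None  # unknown service token: skip rather than guess
    return src, dst, port


def analyse(log_lines, approved=APPROVED_MAIL_SERVERS,
            fanout=SMTP_FANOUT_THRESHOLD):
    """Group flows by source host and flag unexpected port-25 activity."""
    reports = defaultdict(HostReport)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, port = parsed
        rep = reports[src]
        rep.ports[port] += 1
        if port == 25 and dst not in approved:
            rep.smtp_targets.add(dst)
    for src, rep in reports.items():
        n = len(rep.smtp_targets)
        if n:
            rep.alerts.append(f"{src}: port 25 to {n} non-approved host(s)")
        if n >= fanout:
            rep.alerts.append(
                f"{src}: SMTP fan-out of {n} destinations (direct-to-MX pattern)")
    return dict(reports)


# Constructed sample: .81 is a normal client using the approved relay,
# .90 is talking SMTP directly to several unrelated hosts.
SAMPLE_LOG = """\
192.168.1.81 192.0.2.10 www Google
192.168.1.81 192.0.2.11 www Doubleclick
192.168.1.81 192.0.2.12 https Slashdot
192.168.1.81 198.51.100.25 smtp ISP mail relay
192.168.1.90 203.0.113.5 www
192.168.1.90 203.0.113.40 25
192.168.1.90 203.0.113.41 25
192.168.1.90 203.0.113.42 smtp
192.168.1.90 203.0.113.43 25
""".splitlines()

if __name__ == "__main__":
    for host, rep in analyse(SAMPLE_LOG).items():
        ports = ", ".join(f"{p}:{n}" for p, n in sorted(rep.ports.items()))
        print(f"{host}  ports={{ {ports} }}")
        for alert in rep.alerts:
            print("  ALERT", alert)
```

Feed it the router's log export instead of SAMPLE_LOG; a host with a clean WWW-only profile like Technician's produces no alerts, while a machine with SMTP fan-out is flagged even if the destinations all look innocuous individually.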
    9. Re:How do I tell...? by Beardo+the+Bearded · · Score: 3, Informative

      Linux boxes are the sergeants in the Botnet army.

      If you think you're immune just because you're running Linux, then you're part of the problem.

      You're just as bad as someone with an unpatched HP-branded WinXP system fresh from Office Depot.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    10. Re:How do I tell...? by JoshJ · · Score: 3, Insightful

      Congratulations on eliminating hobbyist programming and having nothing left BUT the megacorps like Microsoft. No thanks. It's suitable for engineering firms where physical harm can be done, but it's definitely not suitable for software. This is nothing more than a legal framework for Trusted Computing.

    11. Re:How do I tell...? by Reapman · · Score: 2, Interesting

      Unlike the poster below, I don't believe that installing Linux makes you invincible from this... the only way I feel I can be totally secure is to monitor the network traffic. If my computer is just sitting there, not running any apps, and there's a ton of traffic leaving my router, I know something is wrong. Not for the faint of heart however, and I'm still looking at how best to put this in place; I'm thinking OpenWRT on a Linksys router, sending the data back to a server for analysis.

      Sadly there's no way a typical user could do this, but I don't know how else you can be sure you're safe. Although like anything, nothing is 100% a sure bet. :/

    12. Re:How do I tell...? by vimh42 · · Score: 4, Insightful

      You had a great post up until the end.

      "What's required to fix it is a wholesale change in CPU architecture along with mandatory licencing and regulation for anyone who wants to program anything in any language and sell it. (If you put up a dividing wall in your house, you can get the supplies at Home Depot and DIY. If you want to sell a wall-building service to the public, you have to be licenced.)

      Only once we take programming as seriously as we take bridge construction and land surveying will we start to see safer computing."

      Such suggestions are worse than the problem. Suggesting that people should need a licence to program and comparing it to bridge builders and surveyors is like suggesting people should have to get a licence to walk, just like they need a licence to drive a car.

    13. Re:How do I tell...? by johndmann · · Score: 2, Insightful

      Not simply hobbyists, this would cause major issues for the entire open-source world!

    14. Re:How do I tell...? by PitaBred · · Score: 2, Informative

      That won't work... that'll ask them if they want to format their disk.

      format c: /y

      THAT is what people should type if you really want them to get hit.

  3. Why don't the ISPs do something? by pembo13 · · Score: 4, Interesting

    They obviously don't have a problem with tracking down and monitoring people. And they apparently have bandwidth issues. Why don't they basically mail merge to SELECT * FROM `customers` WHERE `customers`.isinfected? Simple, cheap snail mail... nothing fancy.

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    1. Re:Why don't the ISPs do something? by Opportunist · · Score: 2, Interesting

      And that's pretty much what's wrong here. Especially if that customer is on a metered link (which is not too unheard of in many parts of Europe). He actually pays for the spam he sends! Hello? Why'd I cut off one of my best customers!

      You can't even sensibly put something like that into law. How? What do you have to do to secure your machine? How are you supposed to be responsible for it? What's to be considered "justifiable expense" when it comes to security (i.e. what do you require from a user)? Do you want to force someone to run AV tools to have his bases covered?

      The questions are hard to answer. I would love to see some sort of legal liability for damage done by your computer, but I would like to see sensible limits. Nobody can make 100% sure all of the time that his machine is perfectly malware free. What precautions would you consider sensible demands from a user to be a "good netizen" and pull his weight to avoid the spread of botnets?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. My wife's notebook is one of them by should_be_linear · · Score: 4, Interesting

    God knows I installed on that notebook each and every Anti-Spyware, Antivirus, Anti-everything in order to get rid of it. I traveled each and every "advisory" site with my HijackThis logs, removed numerous keys from the registry. Still, every now and then a goddamn popup window with the site "pc-on-internet.com" appears. I spent altogether perhaps 3 working days trying to remove the stupid thing; there is a lot of data and SW installed so I am trying to avoid re-installation. Now I am in the sitting-in-the-corner-and-crying phase.

    --
    839*929
    1. Re:My wife's notebook is one of them by megaditto · · Score: 3, Funny

      In your hosts file, point "pc-on-internet.com" to 66.35.250.150, then each time a window pops up treat it as a helpful reminder to take an ergonomic break.

      --
      Obama likes poor people so much, he wants to make more of them.
  5. Hmmm.... by Otter · · Score: 4, Funny

    Stewart and others at SecureWorks believe Damballa has simply rebranded the older Bobax, which has several other nicknames besides Kraken, including "Bobic," "Oderoor," "Cotmonger" and "Hacktool.Spammer."

    Be that as it may, "Kraken" is a superb name (as is "Damballa" itself). "Bobic", "Oderoor" and "Bobax" sound like open-source CMSs. "Cotmonger" sounds like a word Bart Simpson would use when suddenly breaking into an unfunny Cockney accent for no reason.

  6. Re:Linux by toadlife · · Score: 2, Insightful

    I switched from Windows XP to Ubuntu...Happy and secure. And still clueless about how your operating system works.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  7. I had a botnet once by TheRealMindChild · · Score: 4, Funny

    I had a botnet once... didn't catch very many bots, but I got a shitload of dolphins :(

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  8. Re:Take away their licenses by Sciros · · Score: 5, Insightful

    Please fwd me some spam selling whatever it is you're smoking.

    If Windows weren't so dominant an OS then botnets would operate on other systems as well (or in its place). It's a question of ROI, nothing else.

    That said, it's also not a question of an "offending operating system." It's a question of uninformed (or incompetent, or both) users. If they can't be trusted to not double-click on an xxxxx.jpg.exe file in an email, they are likely to have problems with identity theft and other non-Windows-exclusive security issues. Rather than taking away Windows, these users need to receive training in basic computer security.

    Using Windows is NOT a privilege, by the way. If the user paid for it, they have a right to use it.

    Cutting off internet and then asking for demonstration that... they've bought a Mac? Will this be demonstrated using ninja magic? A photo via mail?

    I can't tell whether you're a Windows elitist, a Mac fanboy, or just plain mental.

    --
    I like basketball!!1!
  9. This is a job for goons by Animats · · Score: 5, Insightful

    The industry is going at this all wrong. There are only a few players left, and they're all crooks. We need a consortium of companies with spam problems to hire Kroll, Blackwater, or one of the other big international security companies to deal with the people behind the problem.

    If 5% of the money spent on dealing with spam went into finding the people behind it and making them go away, the problem would go away.

    1. Re:This is a job for goons by darkmayo · · Score: 2, Interesting

      Do we really know who is in control of these botnets? Would love to see some spammers eat bullets, but I'd like to know the ones with power are the ones that get neutralized.

      --
      "I am a kernel in the linux army"
  10. Re:Just a thought... by Umuri · · Score: 3, Interesting

    Most infections actually patch and update machines they infect. Once they get in they seal the door behind them, as well as try to remove any competing infections already on the machine. That way they don't get their zombie stolen from them.

    --
    You never realize how much manually made unmanaged "linked" lists suck, till you have src.link.link.link.link...
  11. Block outgoing TCP port 25 at ISP border routers! by Anonymous Coward · · Score: 2, Insightful

    If all ISPs and businesses would simply block egress tcp port 25 for all addresses on their network except approved mail servers, they would stop these botnets in their tracks.

    Of course, the botnets would then be rewritten to try to discover the mail server the PC normally uses and try to use it instead. But if ISPs enforced SMTP authentication to send, it would make it more difficult. Even if the botnets got past all that, it would now be easier to track down exactly who has the infected computer.

    Of course many ISPs won't do this because it will make them more directly responsible for preventing spam, preventing viruses, and keeping their customers' computers clean.

  12. Repair is not an option by symbolset · · Score: 5, Insightful

    Once you know the PC is compromised you cannot get it back to a known good state. The best you can hope for with the various utilities is to get it workable enough to offload your data, build your recovery media and record your settings. You're actually better off removing the hdd to an external enclosure and installing fresh on a new one. You could then scan the removable device before carefully recovering the data from it. The worst possible thing you could do is eliminate the visible problems and pretend that means you have a good PC on which to do work.

    What is pwned cannot be unpwned. Reinstall. Somewhere in my journal may be some helpful instructions for getting the reinstall done without becoming compromised in the process. You're not the first (or the ten thousandth) person here this has happened to.

    Somebody else here will have suggested you try Linux by now, or Apple. There are no Linux or Apple botnets so they don't have this problem. They do have security vulnerabilities too, but compromising one of them is a retail, rather than a wholesale, endeavor and so less fruitful for the botmasters.

    --
    Help stamp out iliturcy.
  13. Re:Take away their licenses by Sloppy · · Score: 5, Insightful

    That said, it's also not a question of an "offending operating system." It's a question of uninformed (or incompetent, or both) users. If they can't be trusted to not double-click on an xxxxx.jpg.exe file in an email, they are likely to have problems with identity theft and other non-Windows-exclusive security issues.

    Yes, they'll have other security-related problems, so I won't dispute that users are a huge part of the problem. BUT: Windows really is a special case. Give a clueless user another OS, and they will run malware or otherwise join botnets far less often, and not because of ROI or what platforms that malware authors choose to target. Outside of Windows, most naive users do not know how to even deliberately execute an email attachment. They wouldn't just have to click on xxxx.jpg.exe; they'd have to save it and chmod +x it first, since (AFAIK) no email clients go to extra trouble to help users execute malware.

    Windows and its applications have an unusual amount of "support" for running malware. (Executable-by-default is just one feature; there's also autorun, ActiveX, and fuck-knows-what-else.) These are technical (not marketshare-related) "features" of the platform, which most other OS creators have not elected to implement. Windows would be attractive to malware authors even if it had a small marketshare, because the platform is malware-friendly.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  14. Simple answer... by Gordonjcp · · Score: 2, Informative

    I just block everything incoming on port 25 from IP blocks in the US, apart from a (very small) handful of whitelisted servers.

  15. Re:Type of computer by spazdor · · Score: 2, Insightful

    This thread was all one person.

    --
    DRM: Terminator crops for your mind!
  16. Why? by oni · · Score: 2, Interesting

    WHO IS CLICKING ON THE LINKS IN THESE EMAILS?

    Why does spam work? Who are these stupid people and why do they click? Also, if you get 80 spam a day for the same fake product, why would you pick one at random and say, "der, I think I'll go buy this!"

    Can someone please tell me why?

    I wish some news reporter would send out a billion spam but then, instead of taking money from the people who click, contact them and do an interview. I want to know who these people are and what the hell they are thinking.

    1. Re:Why? by v1 · · Score: 4, Insightful

      If it costs you $500 to rent a chunk of botnet bandwidth for a few days, it blasts 1,000,000 of your spam. 25,000 of them survive all the layers of filtering (2.5%) and are viewed. 1000 of those (4%) get their link clicked on. 100 of those people (10%) actually buy the product, netting you $15 each, for a total of $1,500 in untaxable income. That's $1,000 total profit for your 30 minutes of work.

      So of that 1,000,000 spam you sent, only 100 had to be actually bought for you to turn a big buck. (1-100th of 1%)

      Do the math, that's why it works. Spam works due to cheap volume. Anything works if you can have cheap volume.

      --
      I work for the Department of Redundancy Department.
  17. Most users run as root and open all attachments by rabtech · · Score: 2, Insightful

    Regardless of platform, most users

    1) Run as root, administrator, or some other super-trusted user account and completely disregard security
    2) Open anything they receive in email. I've even had some users do a Save-As giving the file the correct extension to be runnable!

    These are a result of fundamental flaws in the design of Windows, Unix, et al. Most operating systems assume that all programs should have the ability to do whatever the user can do. In other words, programs are as trusted as the user account they run under.

    Given people's experiences with OS X's admin dialogs or Vista's UAC, I'm not sure changing this assumption will lead to more security either. Most users, when presented with a dialog box, will immediately press whatever button is required to dismiss the dialog without reading it.

    Even if the default is cancel, the first time they hit "naked ladies.jpg.exe", get a warning, and dismiss it they'll just figure they did something wrong and open it again, choosing the other option this time.

    I'm not sure what the solution is.

    --
    Natural != (nontoxic || beneficial)
    1. Re:Most users run as root and open all attachments by amasiancrasian · · Score: 2, Insightful

      You're right. There is no real solution to the root problem. I know Linux users who run everything as "root." I know users who install software without checking for known signatures of it. People will dismiss the Apple security dialog for sudo rights just to get on with the next step.

      The fact is that software is a trust issue. Open source is less frightening because the code is available for all to see and many use open source code because they trust the eyes of public scrutiny and its developers.

      I can't believe people still have Windows, Darwin/OS X, or Linux have more/less security bugs. Granted, Windows has had more gaping holes and an inherently flawed security system, but it's really about the trust you give into a software.

      You have no way of knowing that Adobe, Sony (rootkits, remember?), or Microsoft is out there to screw you with their call-home bugs and rootkits. It's not so much a system trust, but a software trust. Ultimately, Linux is just as dangerous as Windows if a commercial piece of software is released for Linux that requests you to run it as root. And many users will. The same with Apple and its UNIX-based security levels.

      No matter how good a platform is, any code can be a virus or a trojan horse if software developers decide to abuse the trust between them and their users. You can say that Apache is better than IIS, or Apple OS X is better than Windows, but when users type in the password to sudo, they are inherently trusting the software developers to do the right thing, especially with closed- and commercial- software where no source code is available for public scrutiny.

  18. Botnets-spam by gmuslera · · Score: 2, Interesting

    There is a good chart mapping current botnets and spam at the Marshal TRACE center (updated frequently afaik). That over 80% of all internet spam comes from botnets (and almost 50% of it just from Srizbi) is a good sample of the impact of this kind of spam source.

  19. Re:Block outgoing TCP port 25 at ISP border router by Jeremiah+Cornelius · · Score: 3, Informative

    Bull.

    I have a legitimate right to send SMTP from my machine - and I do so. I also run an SMTP server at home - have since 1993, when I got off of uucp.

    I have never been an open relay, and access is passwd. I already have assholes at AT&T blacklisting me for no reason - and suffering their ridiculous petition process to get off their RBL.

    This is the Internet. A collection of networks. ISPs are not cops, nor should they be. When you mandate this on common carriers, they become something else - and any slim protections we still have remaining will be long gone.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  20. Re:Take away their licenses by JoshJ · · Score: 2, Funny

    Using Windows is NOT a privilege, by the way. If the user paid for it, they have a right to use it.
    Not according to Microsoft.
  21. Re:Take away their licenses by jdigriz · · Score: 3, Insightful

    That said, it's also not a question of an "offending operating system." It's a question of uninformed (or incompetent, or both) users. If they can't be trusted to not double-click on an xxxxx.jpg.exe file in an email, they are likely to have problems with identity theft and other non-Windows-exclusive security issues. Rather than taking away Windows, these users need to receive training in basic computer security. Definitely they require training in basic computer security. However, once it is technically infeasible for their computer to become infected with a botnet (due to the lack of support for alternate OSes by botnet software), their remaining issues with computer security harm themselves primarily and not others.

    Using Windows is NOT a privilege, by the way. If the user paid for it, they have a right to use it. Absolutely and categorically false. Property rights are not absolute. A drunk driver with a pulled driver's license does not have a right to operate a car that he purchases on a public road endangering others. By the same token, a negligent Windows user does not have the right to pollute the public Internet through willful ignorance, infecting other zombies and clogging networks with spam. He has every right to use Windows stand-alone, as you said, he paid for it.

    Cutting off internet and then asking for demonstration that... they've bought a Mac? Will this be demonstrated using ninja magic? A photo via mail? This is trivial. Upon reconnection, they will be subject to stateful packet inspection as a probationary period. If they are detected to be using a Windows browser or email client, they will be summarily yanked again. If botnet activity is detected they will be yanked again. If they're clever enough to fool their User-Agent strings, or run Tor, they're clever enough to operate Windows securely if they so choose.
  22. Re:Take away their licenses by raju1kabir · · Score: 2, Interesting

    ISPs really should have better IDS on outgoing traffic. At the very least they should be dropping the malicious traffic

    My home ISP just started blocking outbound traffic from DSL customers to port 25 a few days ago, which has stirred up some controversy. Maybe I'm just imagining things, but I believe my connection has been faster since then. We're always suffering from bandwidth problems (the downside of being on the end of a very long cable across the Pacific) so anything that eliminates our share of 100 billion daily spams clogging the line is a good thing in my book.

    On mail servers I use spamdyke to immediately drop connections from end-user IP addresses (using the reject-ip-in-cc-rdns rule and Spamhaus PBL) and it's been remarkably effective.

    If everyone did this, the botnets would be useless.

    --
    "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
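The connection-time rejection described in the comment above, as an added example that is not spamdyke's code or the commenter's configuration. It models the two checks named there: a Spamhaus ZEN/PBL lookup (ZEN answers 127.0.0.10 or 127.0.0.11 for PBL listings) and a heuristic in the spirit of spamdyke's reject-ip-in-cc-rdns rule, which rejects senders whose reverse DNS name embeds their own IP address and ends in a country-code TLD. DNS resolution is injected as a function, and the resolver, IPs and rDNS names below are constructed, so the example runs offline:

```python
"""Reject SMTP connections from end-user (dynamic/residential) IP space.

Added example modelled on the spamdyke + Spamhaus PBL setup in the comment;
not the project's own code. Assumptions: ZEN result codes for PBL are
127.0.0.10 and 127.0.0.11; the rDNS heuristic is a simplified reading of
spamdyke's reject-ip-in-cc-rdns rule.
"""
from ipaddress import IPv4Address
from typing import Callable, List, Optional, Tuple

ZEN_ZONE = "zen.spamhaus.org"
PBL_CODES = {"127.0.0.10", "127.0.0.11"}   # PBL (ISP-maintained / Spamhaus-maintained)


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the DNSBL query name: octets reversed, zone appended.
    192.0.2.10 -> 10.2.0.192.zen.spamhaus.org"""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def pbl_listed(ip: str, resolve_a: Callable[[str], List[str]]) -> bool:
    """True if the ZEN lookup answers with a PBL code.
    A lookup error (NXDOMAIN, timeout) fails open: we do not want a DNS
    outage to turn into a mail outage."""
    try:
        answers = resolve_a(dnsbl_query_name(ip))
    except Exception:
        return False
    return any(a in PBL_CODES for a in answers)


def ip_in_cc_rdns(ip: str, rdns: Optional[str]) -> bool:
    """Heuristic after reject-ip-in-cc-rdns: the reverse name ends in a
    two-letter ccTLD and contains the connecting address's octets, in
    forward or reversed order, joined by '.' or '-'."""
    if not rdns:
        return False
    name = rdns.rstrip(".").lower()
    tld = name.rsplit(".", 1)[-1]
    if len(tld) != 2 or not tld.isalpha():
        return False
    octets = str(IPv4Address(ip)).split(".")
    for sep in (".", "-"):
        if sep.join(octets) in name or sep.join(reversed(octets)) in name:
            return True
    return False


def connection_decision(ip: str, rdns: Optional[str],
                        resolve_a: Callable[[str], List[str]]) -> Tuple[str, str]:
    """Policy applied when the TCP connection arrives, before HELO.
    Returns ("reject", reason) or ("accept", "")."""
    if pbl_listed(ip, resolve_a):
        return "reject", "sender IP listed in Spamhaus PBL"
    if ip_in_cc_rdns(ip, rdns):
        return "reject", "rDNS looks like an end-user address in a ccTLD"
    return "accept", ""


# Constructed stand-in for DNS so the example runs offline.
_CONSTRUCTED_ZONE = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.11"],   # constructed PBL listing
}


def constructed_resolver(name: str) -> List[str]:
    """Raise on unknown names, as a real resolver does for NXDOMAIN."""
    if name not in _CONSTRUCTED_ZONE:
        raise LookupError(f"NXDOMAIN {name}")
    return _CONSTRUCTED_ZONE[name]


if __name__ == "__main__":
    # Constructed sample connections (documentation IP ranges).
    for ip, rdns in [("192.0.2.10", "mail.example.com"),
                     ("203.0.113.7", "host-203-0-113-7.dsl.example.jp"),
                     ("198.51.100.5", "mx1.example.org")]:
        print(ip, rdns, connection_decision(ip, rdns, constructed_resolver))
```

The DNSBL lookup is deliberately fail-open, which is the trade-off most operators make: a resolver outage should degrade to accepting mail, not to rejecting it. The rDNS heuristic only approximates spamdyke's rule; consult its documentation for the exact matching it performs.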
  23. Re:Take away their licenses by daveime · · Score: 2, Insightful

    No but this is the whole point (I think) ...

    Anyone who has enough tech savvy to manage to save something and then chmod +x something IS NOT NAIVE !!!

    Just as someone who (like myself) will always save and virus scan something before opening it IS NOT NAIVE !!!

    So you defeat your own argument ... people running Linux are less likely to contract nasties for the simple reason they are more likely to be tech savvy in the first place !!!

    But try telling someone who ISN'T computer literate that sorry, "you'll have to save it first and then do x,y,z before you can use it", and they will reply "fuck that" ... why can't I just double click it ?

    And THIS is what the Linux fanboiz will not admit - it's not the O/S, it's the users.

    Now admittedly, because of the market share (whether you like it or not), more people will get Windows which is by nature open rather than closed by default ... but it takes exactly the same time to lock down windows into a relatively safe platform, as it does to unlock linux into a relatively USEFUL platform.

  24. You telling me?! by Neanderthal+Ninny · · Score: 2, Insightful

    In the last two months I have seen a huge increase of spam from distributed locations around the world and I get them in bursts at irregular times. The new junk is the backscatter spam that they send to other people, existing or not, and the resulting rejections, if the recipients don't exist, get bounced to us. I think that burst of spam is bot controllers telling their slaves to send out spam simultaneously, thus the resulting spam burst on my system.
    If someone could find most of the bot controllers and then "clean" those slave systems so there are fewer of them, we could have some peace. I'm not advocating killing them like the Russian Mafia:
    http://it.slashdot.org/article.pl?sid=07/10/11/2157244
    but torture them until they relinquish the password to their system so we can find out where the slave systems are. I have no problem sending them to some gulag in some God forsaken former Communist country and having the living daylights beaten out of them.
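The backscatter problem in the comment above (spam sent with forged sender addresses, whose bounces land on the forged domain) has a standard countermeasure: tag your own outgoing envelope sender so that a bounce addressed to an untagged, forged or expired address can be rejected at RCPT time. The following is an added example of a simplified BATV-style "prvs" tag (key id, three-digit expiry day, six hex chars of an HMAC), not code from the commenter's system; the secret, the addresses and the day numbers are constructed:

```python
"""BATV-style envelope sender tagging to reject backscatter.

Added example, simplified from the BATV draft's prvs scheme.
Outgoing: MAIL FROM:<prvs=KDDDHHHHHH=user@example.org>
Inbound bounce (MAIL FROM:<>) to RCPT TO:<user@example.org> with no
valid tag is backscatter: we never sent mail from the bare address.
Assumptions: SECRET is a per-domain secret (constructed here), KEY_ID
is a single digit, "today" is a day counter supplied by the caller.
"""
import hashlib
import hmac
from typing import Tuple

KEY_ID = "0"
SECRET = b"constructed-per-domain-secret"   # assumption: rotated with KEY_ID
VALID_DAYS = 7                              # bounces older than this are rejected


def _sig(key_id: str, expiry_day: int, address: str) -> str:
    """Six hex chars of HMAC-SHA1 over key id, expiry day and bare address."""
    msg = f"{key_id}{expiry_day:03d}{address}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address: str, today: int) -> str:
    """Produce the tagged envelope sender used on outgoing mail."""
    expiry = (today + VALID_DAYS) % 1000
    local, domain = address.split("@", 1)
    return f"prvs={KEY_ID}{expiry:03d}{_sig(KEY_ID, expiry, address)}={local}@{domain}"


def untag(rcpt: str, today: int) -> Tuple[str, bool]:
    """Return (bare_address, valid). valid is False for an untagged,
    malformed, forged or expired tag."""
    if not rcpt.lower().startswith("prvs="):
        return rcpt, False
    parts = rcpt.split("=", 2)
    if len(parts) != 3:
        return rcpt, False
    _, tag, bare = parts
    if len(tag) != 10 or not tag[1:4].isdigit():
        return bare, False
    key_id, day, sig = tag[0], int(tag[1:4]), tag[4:].lower()
    if key_id != KEY_ID:
        return bare, False
    # Expiry is stored modulo 1000 days; the tag is live while the
    # distance from today to the expiry day is within the validity window.
    if (day - today % 1000) % 1000 > VALID_DAYS:
        return bare, False
    expected = _sig(key_id, day, bare)
    return bare, hmac.compare_digest(expected, sig)


def bounce_decision(mail_from: str, rcpt_to: str, today: int) -> str:
    """RCPT-time policy for our own domain.
    Non-bounce mail (non-empty MAIL FROM) is accepted to the bare address;
    a bounce (empty MAIL FROM) is accepted only for a valid prvs tag."""
    bare, valid = untag(rcpt_to, today)
    if mail_from != "":
        return "accept"          # ordinary mail; deliver to bare address
    return "accept" if valid else "reject"


if __name__ == "__main__":
    sender = tag_sender("alice@example.org", today=100)
    print("outgoing MAIL FROM:", sender)
    print("legit bounce  :", bounce_decision("", sender, 102))
    print("backscatter   :", bounce_decision("", "alice@example.org", 102))
    print("stale bounce  :", bounce_decision("", sender, 120))
```

The rejection happens at RCPT time, before DATA, so the backscatter is refused without being accepted and then bounced again. Ordinary (non-bounce) mail to the bare address is untouched; only mail with an empty envelope sender is subject to the tag check.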

  25. Re:Block outgoing TCP port 25 at ISP border router by Anonymous Coward · · Score: 2, Insightful

    There has to be some attempt at control. Obviously too much control is a bad thing, but no control is just as bad. Anarchy doesn't work as a government, why would it work on the internet?

    I do not agree with blocking port 25 traffic and only allowing designated SMTP servers, but I do believe it is the ISP's and the end user's responsibility to make sure infected machines are handled in a quick and effective manner. The ISP should monitor their network for this type of activity and contact the end user so that the problem can be addressed. If the problem isn't addressed, the end user's computer doesn't need to be on the internet.

    I don't want to hear that crap about "it's my computer I can do what I want" either. You're not allowed to drive on the sidewalk just because it's your car.

  26. Interesting approach to spam. by John+Sokol · · Score: 2, Interesting

    A friend of mine is investigating an interesting approach to spam.

    From this article it's quite clear that chasing the source of the spam is quite pointless.

    His research is into tracking the destination.

    Spams only make sense if they can make some money from it. This means the payload (content) must lead someplace with a URL to order, a URL with ads, or a phone number for orders.

    His blog is at:
    http://spamdirect.blogspot.com/

    I have to push him to post some of the more interesting stuff he has discussed in E-Mails with me.

    One very odd note.
    My domain unmailable.com gets no spam!
    Without any filters, and with addresses even posted publicly, there is just no spam to it.
    I think they must remove any mail reference to unmailable assuming it must not be a real domain.

    --
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso