Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Month After Grum Botnet Takedown, Spam Back To Previous Levels

Posted by timothy on from the it's-like-the-pollen-count dept.

wiredmikey writes "It's been over a month since spam-spewing Grum botnet has been shut down, but spam experts say there hasn't been a noticeable impact on global spam volume. Symantec researchers at the time estimated that Grum was responsible for one-third of all spam being sent worldwide, and its takedown led to an immediate drop in global spam email volumes by as much as 15 to 20 percent. However, the drop was only temporary. While Grum had an estimated hundred thousand zombies sending spam, the machines were likely blocked for sending emails too frequently, or wound up on IP blacklists, said Andrew Conway, Cloudmark researcher. IP filtering is fast and cheap, and is a good first line of defense against spam, Conway said. Grum spam was easy to blacklist, and despite its size, most spam messages from the botnet probably never reached user inboxes."

47 comments

  1. In other news... by colin_faber · · Score: 1

    Spam continues to be an annoyance to anyone without an active probabilistic filter.

    1. Re:In other news... by canadiannomad · · Score: 2

      People who have bad security practices on their computers, still have bad security practices on their computers.

      or

      People with one infection on their computers, are more likely to have another.

      --
      Hmm, the humour and sarcasm seem to have been be lost on you.
    2. Re:In other news... by ackthpt · · Score: 1

      People who have bad security practices on their computers, still have bad security practices on their computers.

      or

      People with one infection on their computers, are more likely to have another.

      Operating systems with sufficient security gaps, due to interdepartmental squabbles, deviation from established use of APIs and failure to adhere to sound programming practices will create fertile ground for more bots and botnets.

      Attitude of the bot architects: go ahead, take down grum, we'll make moar

      --

      A feeling of having made the same mistake before: Deja Foobar
    3. Re:In other news... by Anonymous Coward · · Score: 0

      I use no filtering at all, and I haven't received a spam in well over a decade.

      How would a spammer get my email address? If they don't have it, they can't spam me. My friends certainly aren't going to give my email to spammers, so there's effectively no way for a spammer to get my address in the first place.

      You don't need filtering to avoid spam, you need to not be careless with your email.

    4. Re:In other news... by Anonymous Coward · · Score: 0

      Unless they keep their contact list anywhere on one of the numerous devices or services that have had security breaches.

  2. Called in reinforcements? by Nidi62 · · Score: 4, Insightful

    Is it not possible they simply have a few botnets sitting around unused ready to be activated should an active botnet go down? While the revenue of having one botnet operating with one in reserve probably wouldn't be as high as having both operating, it would give a greater guarantee of continued revenue.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Called in reinforcements? by Chaonici · · Score: 1

      Amusingly, criminals grasp what large corporations can't: Long-term profits > short-term profits.

  3. Market simply responding to demand by cpu6502 · · Score: 1, Insightful

    A company gets shutdown, but the demand for email advertising is still there, so other companies move-in to fill the need of customers. (Same thing happened with megaupload..... shutting it down didn't stop file sharing. It just showed the U.S. government is a lackey/hitman for the Hollywood megacorps. AKA fascist.)

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    1. Re:Market simply responding to demand by ackthpt · · Score: 1

      A company gets shutdown, but the demand for email advertising is still there, so other companies move-in to fill the need of customers. (Same thing happened with megaupload..... shutting it down didn't stop file sharing. It just showed the U.S. government is a lackey/hitman for the Hollywood megacorps. AKA fascist.)

      Companies?!?

      These aren't companies, these are criminal going concerns, some well organized, but I don't expect you'll see them listed on NASDAQ any time soon.

      although facebook did get listed, so who really knows

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Market simply responding to demand by Anonymous Coward · · Score: 0

      but the demand for email advertising is still there,

      This is what I don't get. Why is there "demand for email advertising"? Doesn't that mean someone, somewhere, must be buying things from spam emails? And who on earth is THAT dumb? Who are these people?

    3. Re:Market simply responding to demand by dkleinsc · · Score: 1

      It's just like busting a major-league drug dealer: You take away the crack connection in an area, and all that happens is that his competitors move in to take over what was his territory (possible with some people killed while they figure out who controls what).

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    4. Re:Market simply responding to demand by idontgno · · Score: 2, Funny

      These aren't companies, these are criminal going concerns, some well organized,

      Wait, what?. I thought you said they weren't companies. I'm confused.

      but I don't expect you'll see them listed on NASDAQ any time soon.

      Oh, they're privately-held companies. No biggie. Those are the real engines of industry and the heart of the entrepreneur class.

      Ah I see. "Criminal". The only real difference between "criminal concern" and "legitimate entrepreneur" is the size of their lobbying budget and legal departments.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    5. Re:Market simply responding to demand by kaws · · Score: 1

      Talk to a person who's been a bank teller for a time and I'm sure you'll hear about those kinds of people that banks have to protect them from their own idiocy.

    6. Re:Market simply responding to demand by fifedrum · · Score: 1

      facebook only got listed on an exchange because it was time for the dump in the pump-and-dump. The concerns behind it simply turned the key on the next phase, dumped their stock on useful idiots and corrupt investment banks, and walked away with their billions. They don't care about the value of the company, the fact that it's listed on an exchange, or the future of the company. They got theirs. You won't get yours.

  4. The one type of spam that still persists for me by Anonymous Coward · · Score: 0

    is spam to my craigslist postings. I've clicked the Spam button in Gmail many times, but they still show up. They use Yahoo accounts and quote snippets of your post and randomly generated (but grammatical) text to make it seem like a legitimate message. I've got to figure out a filter that will hit on those.

    1. Re:The one type of spam that still persists for me by RobertLTux · · Score: 2

      easy way to do this

      1 filter for Yahoo accounts
      2 put "land mine" phrases in your craigslist postings and set filters for those (use maybe 3 different phrases)

      so if you sell say Pottery use "Ming Dynasty" "Bull teacup set" and "Dragon Motif" as "landmines"

      set your filter for @yahoo.com with "Ming Dynasty" or "Bull teacup set" or "Dragon Motif" to be sent to Spam

      in your text warn folks to NOT copy the text of your ad when they reply

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
  5. Filtering != Stopping by damn_registrars · · Score: 5, Insightful

    Filtering can be a good first line defense, yes. However it will never, ever solve the spam epidemic on its own. No amount of filtering ever will.

    This is about a group that took a better step, in going after a botnet. That is more effective than filtering in the long term, but still won't do the trick.

    The long term solution comes from acknowledging that spam is an economic problem. A lot of reactionary measures (such as filtering) treat spam almost as if it is a game or a personal attack on themselves. Spammers don't give a shit who you are or what your reaction is to spam. Spammers just want to make money. Someone is paying them to send out spam. If you want to stop spam for real, you need to stop the money. If the spammers don't get paid, they don't send out spam.

    It's that simple. Everything else just kicks the can down the road.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Filtering != Stopping by Anonymous Coward · · Score: 0

      So you recommend a surveillance state, yes? It should be easy. Just designate spammers as terrorists and use the current laws.

    2. Re:Filtering != Stopping by cpu6502 · · Score: 2

      (1) How do we stop the money? (2) And why should we bother? Spam is no more offensive than the spam I hear on the radio or TV.

      I'm more worried about the war on nude photos. Did you her about the gay UK politician whose career was destroyed? They accused him of having nude children on his computer. They couldn't find anything but one image that "looked like" a teen but was later proved to be a 22 year old. (Guilty until proved innocent.) Then they tried to go after him for having gay images on his computer but of course that's not a crime.

      The end result was the guy was fired from his job, received hate speech scrwled on his house, and now he's hiding. All because of the UK war on nude photos. (A war that also exists in Australia unfortunately.) Possession of an image, even if it's an actual murder scene, should not be a crime.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    3. Re:Filtering != Stopping by damn_registrars · · Score: 3, Informative

      (1) How do we stop the money?

      You might be the first person who has ever asked this question when I have pointed out this dilemma here on slashdot. Most other people respond by advocating murdering the spammers in some way, shape, or form instead.

      The money can be stopped a few different ways. A few years ago a group at Georgia Tech (IIRC) found that the majority of all financial transactions executed on spamvertised sites were processed through a very short list of processing centers. Getting those guys to clean up their act would be a big step in the right direction.

      Another is to find where the spammers themselves are receiving payment (as the above method goes after the people paying the spammer instead). Following the money isn't that hard if you initiate a transaction (to track it from one end) and get useful records of who really owns the domain for the spamvertised site (which is often registered in some way to the spammer).

      I thank you for asking the question.

      (2) And why should we bother?

      The biggest argument for doing something about spam lies in the fact that spam makes the internet more expensive for everyone. Being as a large portion of all traffic is spam, it means that legitimate traffic is delayed as a result. And of course the spam also takes up space on hard drives (sometimes in replicate as it traverses from a server to a user's computer) and CPU time. Any company that is running a spam filter - be it software, hardware, or some of each - is also devoting resources to the problem that someone has to pay for.

      Spam is no more offensive than the spam I hear on the radio or TV.

      I would argue that to be an incorrect analogy for the reasons I stated above. You can turn off your radio or TV and you won't hear your local car dealer screaming at you to come buy a new car. However if you turn off your computer you are still paying your ISP to move spam around. Even worse you are paying for your ISP to build up its network infrastructure so they can deliver the bandwidth the promised you while also dealing with the avalanche of spam coming to their network every moment.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    4. Re:Filtering != Stopping by heypete · · Score: 2

      Yes, but with excellent filtering and easy filter-training spam becomes less economical.

      Take, for example, Gmail's spam filters: I receive thousands of spams per month (down from tens of thousands a month from year or two ago) at my personal address hosted on Google Apps. Out of all those messages, maybe one or two a month slip by the filters. I select the messages and click "mark as spam" and they're gone from my mailbox and help train the filter. This is trivial work for the user and benefits the entire community. Every single one of the "common" spams (e.g. pills, 419 scams, etc.) is caught -- the rare ones that slip by are using some new gimmick to elude filters. Once the filters are trained to detect them, that gimmick becomes useless.

      I'm an exception as receive a huge amount of spam due to having my own domain and a very trivial, widely-published-on-the-internet email address. I suspect most users have far less pre-filter spam hitting their mailbox and even less making it through.

      Same thing with blog spam: Akismet catches a similar ratio of spam, making blog spam pretty much useless. Bloggers can submit spam that was missed or innocent postings that were mistakenly flagged and the system learns, benefiting everyone. Training this filter is basically a one-click operation for site admins. I can always identify blogs that don't use Akismet because the comments at those sites are flooded with spam.

      Yes, to truly be stopped spam needs to be stopped at the source. When all it takes to send out spam is a cheap, anonymous SIM card from a mobile ISP in Nigeria, it's unlikely that there's any practical means of stopping spam at its source. When there's dozens of sites scanning the internet to find lists of open proxies ripe for abuse, it's possible to send spam with essentially no risk. Using a stolen credit card to rent a VPS allows spammers to send mail from "legitimate" IP addresses at high rates of speed with very little in the way of information that traces back to them.

      Still, having filtering "communities" like Gmail or Akismet or other similar services (I presume that Hotmail and Yahoo do something similar) can stop the huge majority of spam and make it less worthwhile for the spammers -- already it's at the point where essentially no legitimate service sends spam, unlike the situation a decade ago. Indeed, several articles I've read suggested that some spammers are migrating away from email spam to social networking spam on services like Facebook and Twitter as their filtering methods are less advanced.

    5. Re:Filtering != Stopping by Anonymous Coward · · Score: 0

      I fully support making residents of the UK keep their clothes on.

    6. Re:Filtering != Stopping by RobertLTux · · Score: 1

      or an "easy" way to stop this is to make it a Personal Felony to operate a Financial Service know to be used by any entity for an illegal purpose or to provide services for same. So if you process the CC cards for a Spammer YOU YOURSELF go to Jail and Your Bank can have its staff GO TO JAIL if it continues to provide for you.

      So if banks start getting put in the clink this kind of thing gets very expensive very fast (and as an added bonus banks could arrange to get a cut of "seized funds").

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    7. Re:Filtering != Stopping by Anonymous Coward · · Score: 0

      Take, for example, Gmail's spam filters

      Stop for a moment and think to yourself: why does Google emphasiss spam-filtering so much, to the degree that they purchased Postini?

      Two answers I can think of:

      1. They have a business motive to destroy spam as a channel and replace it with something they control ( AdSense )
      2. It encourages people like you to use their service, giving them lots of juicy data about you and your company. They probably know more about your corporate strategy than your managers.

      You might be happy with that trade-off. I am not.

    8. Re:Filtering != Stopping by Nyder · · Score: 1

      (1) How do we stop the money? (2) And why should we bother? Spam is no more offensive than the spam I hear on the radio or TV.

      I'm more worried about the war on nude photos. Did you her about the gay UK politician whose career was destroyed? They accused him of having nude children on his computer. They couldn't find anything but one image that "looked like" a teen but was later proved to be a 22 year old. (Guilty until proved innocent.) Then they tried to go after him for having gay images on his computer but of course that's not a crime.

      The end result was the guy was fired from his job, received hate speech scrwled on his house, and now he's hiding. All because of the UK war on nude photos. (A war that also exists in Australia unfortunately.) Possession of an image, even if it's an actual murder scene, should not be a crime.

      Well, to be fair, brits are pretty ugly and probably worse nude.

      --
      Be seeing you...
  6. Dumb move by benjfowler · · Score: 1

    They just tipped off the crooks. Simply taking them down leaves the criminals at large, and they just learn to spam better.

    Microsoft's silly and pointless lawsuits won't work either. How do you sue somebody in a different jurisdiction, with different laws, no buy-in by host government, where you don't know their names? These people are CRIMINALS, and don't give a rat's ass.

    The only way to stop this kind of criminality is hard jail time. Getting buggered rotten in the Gulag should help concentrate some minds wonderfully.

  7. Something useful for Anonymous to do... by Anonymous Coward · · Score: 0

    Hack the sites selling via spam and publish identifying data for the purchasers.

    1. Re:Something useful for Anonymous to do... by SuricouRaven · · Score: 1

      I approve of this plan. The spam may be sent anonymously, but the sites it advertises need to be accessible. Just beware of false-flag spam intended to goad attackers into targetting a legitimate competitor.

  8. test by Anonymous Coward · · Score: 0

    delete me

  9. spam? in 2012? by Anonymous Coward · · Score: 0

    I thought that after several decades of spam, people would generally be smart enough to only give their email addresses to friends and family so that it wouldn't get on spammers lists in the first place. That plus using throw-away accounts when you need one for a web forum or something and you can be spam-free. I don't think I have received even one single spam since at least the 1990s. Spam is a 20th-century problem, not a 21st century problem.

  10. ALL SPAMMERS MUST DIE by Anonymous Coward · · Score: 0

    ALL SPAMMERS MUST DIE

  11. It's ALIVE!! by fustakrakich · · Score: 1

    Literally.. The internet is living blob of goo... with all its viral infections and everything. It's time to dissect it in the biology lab, with all the other frogs.

    --
    “He’s not deformed, he’s just drunk!”
  12. This conflicts with what I see (I do anti-spam) by Khopesh · · Score: 2

    I only see one publicly visible spam volume graph supporting this claim: SpamHaus CBL (look at the "Last quarter" graph).

    SpamCop and SenderBase suggest the overall trend is still down, though I'm not convinced this is related to Grum -- it appears Grum just wasn't as major a player as people thought.

    The other graphs I have bookmarked, from McAfee (click the "Historic Data" tab) and Symantec, are inconclusive.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
    1. Re:This conflicts with what I see (I do anti-spam) by Anonymous Coward · · Score: 0

      This is a general problem with all the "company xxx sees that" claims on news forums.
      Symantic may think something about spam in general, but they really don't know anything about that.
      They only know about what they see in their own filters, and that is not a representative sample of the internet as a whole.

      It is just like the "web statistic company xxx claims that browser yyy has overtaken browser zzz".
      Also really easy to disprove on another company's statistics.

  13. Go after the money by SgtChaireBourne · · Score: 1

    Shut down the spammers at the source go after the money. The companies that are advertised in the spam have real contact information in order for them to fleece customers. This contact information can be used to trace the spammers' clients. Cut out the clients and the spammers have to go into another business.

    No one thing is going to take down the spam problem all by itself. But you can't continue to ignore the origin of the flow of money. Cut the money off at the source: the spammers' clients.

    Next step is go after the source of the bot nets: the Windows hosts upon which they grow and thrive. Get rid of those, get everyone on Linux, BSD or OS X and the bot nets go away.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Go after the money by John+Bokma · · Score: 1

      Shut down the spammers at the source go after the money.

      Yup, the source are the countless ISPs who prefer money over whining "net cops". Quite some spam I get nowadays originates at ISPs like Dimenoc, iWeb, MediaTemple... As long as their customers pay they are happy to provide their services.

      --

      Perl Programmer for hire
    2. Re:Go after the money by SgtChaireBourne · · Score: 1

      The ISPs might also be part of the problem but I am thinking specifically those whose products are advertised via spam. Come down on them and the market for spam goes away. They are the ones that are financing the whole fiasco.

      --
      Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    3. Re:Go after the money by John+Bokma · · Score: 1

      Personally I think it's way easier to go after the ISPs. Currently they can provide the infrastructure without much penalty. If ISPs can be forced to take down sites of people who advertise via spam, it will hurt those people as well (they have to move, which costs money).

      --

      Perl Programmer for hire
    4. Re:Go after the money by damn_registrars · · Score: 1
      I agree with you, for the most part.

      Cut the money off at the source: the spammers' clients.

      That's one place. Don't forget the spammers pay bills, too. I've seen times when the spammers (usually under pseudonyms) will register the spamvertised domain name, too. There is almost always a morally-impaired registrar (and ISP) on the take in the process.

      Get rid of those, get everyone on Linux, BSD or OS X and the bot nets go away.

      As much as I would love to bear witness to the end of MS Windows, I don't think that will happen. And even if this afternoon was the end of Windows, it wouldn't be the end of botnets. You would still have lazy system managers who would be running those under root and all times, which would become easy infection targets. Still others would be so terribly insecure that they'd be compromised quickly.

      In other words, an OS that starts out secure does not automatically remain secure. And the botnet masters will find the insecure boxes.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  14. Heh by ThatsNotPudding · · Score: 1

    I wonder if Romney would be against the idea of microtaxes on bulk emails. Probably. I can see the TV ad now : Romney is Pro-Spam!

  15. Two for one by Anonymous Coward · · Score: 0

    Span traffic back to normal one month after take down? Simple, take down two botnets per month.

  16. Why would things change? by Anonymous Coward · · Score: 0

    Why would the takedown of any given botnet cut the levels of spam, beyond a short term blip? What makes anyone think this would happen?

    The botnet owners aren't the ones who are sending the spam -- they're selling their services to third parties who are the ones who are actually responsible for the junk.

    If you take down a botnet, sure it hurts the owners of that botnet, because they won't get the commission payments any more, but the actual spammers don't care; they just move on to the next available botnet. There may be a short-term dip, as they have to make the effort to find an alternative, but that's as much effect at you're going to have.

    Killing the botnets is a good thing, but don't expect it to result in less spam.

    1. Re:Why would things change? by Anonymous Coward · · Score: 0

      Until you kill the last botnet, of course.
      However I think botnets are not a real problem for spam, because spam from botnets is so easily blocked.
      Botnet spammers basically keep a lot of hardware busy, but do not deliver any spam to people that do not want to have spam.

  17. The Only Way to Make it Stop by Anonymous Coward · · Score: 0

    Until we start executing spammers, spam will always come back to previous levels. Kill spammers. Seriously. Murderers, rapists, and pedophiles target a relatively small number of victims. Spammers affect the lives of millions of people - PER INSTANCE OF CRIME. Spammers should receive nothing but the death penalty, quickly and efficiently - no messing around.

  18. from hackers with love by Anonymous Coward · · Score: 0

    haha hehe hoho there coming to take my botnet away haha hehe hoho
    hahaha
    im sorry this planets people in charge are a fraking joke