Slashdot Mirror


A Month After Grum Botnet Takedown, Spam Back To Previous Levels

wiredmikey writes "It's been over a month since the spam-spewing Grum botnet was shut down, but spam experts say there hasn't been a noticeable impact on global spam volume. Symantec researchers at the time estimated that Grum was responsible for one-third of all spam being sent worldwide, and its takedown led to an immediate drop in global spam email volumes by as much as 15 to 20 percent. However, the drop was only temporary. While Grum had an estimated hundred thousand zombies sending spam, the machines were likely blocked for sending emails too frequently, or wound up on IP blacklists, said Andrew Conway, Cloudmark researcher. IP filtering is fast and cheap, and is a good first line of defense against spam, Conway said. Grum spam was easy to blacklist, and despite its size, most spam messages from the botnet probably never reached user inboxes."


  1. In other news... by colin_faber · · Score: 1

    Spam continues to be an annoyance to anyone without an active probabilistic filter.

    1. Re:In other news... by canadiannomad · · Score: 2

      People who have bad security practices on their computers, still have bad security practices on their computers.

      or

      People with one infection on their computers, are more likely to have another.

      --
      Hmm, the humour and sarcasm seem to have been lost on you.
    2. Re:In other news... by ackthpt · · Score: 1

      People who have bad security practices on their computers, still have bad security practices on their computers.

      or

      People with one infection on their computers, are more likely to have another.

      Operating systems with sufficient security gaps, due to interdepartmental squabbles, deviation from established use of APIs and failure to adhere to sound programming practices will create fertile ground for more bots and botnets.

      Attitude of the bot architects: go ahead, take down grum, we'll make moar

      --

      A feeling of having made the same mistake before: Deja Foobar
  2. Called in reinforcements? by Nidi62 · · Score: 4, Insightful

    Is it not possible they simply have a few botnets sitting around unused ready to be activated should an active botnet go down? While the revenue of having one botnet operating with one in reserve probably wouldn't be as high as having both operating, it would give a greater guarantee of continued revenue.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    1. Re:Called in reinforcements? by Chaonici · · Score: 1

      Amusingly, criminals grasp what large corporations can't: Long-term profits > short-term profits.

  3. Market simply responding to demand by cpu6502 · · Score: 1, Insightful

    A company gets shut down, but the demand for email advertising is still there, so other companies move in to fill the need of customers. (Same thing happened with megaupload..... shutting it down didn't stop file sharing. It just showed the U.S. government is a lackey/hitman for the Hollywood megacorps. AKA fascist.)

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    1. Re:Market simply responding to demand by ackthpt · · Score: 1

      A company gets shut down, but the demand for email advertising is still there, so other companies move in to fill the need of customers. (Same thing happened with megaupload..... shutting it down didn't stop file sharing. It just showed the U.S. government is a lackey/hitman for the Hollywood megacorps. AKA fascist.)

      Companies?!?

      These aren't companies, these are criminal going concerns, some well organized, but I don't expect you'll see them listed on NASDAQ any time soon.

      although facebook did get listed, so who really knows

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Market simply responding to demand by dkleinsc · · Score: 1

      It's just like busting a major-league drug dealer: You take away the crack connection in an area, and all that happens is that his competitors move in to take over what was his territory (possibly with some people killed while they figure out who controls what).

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    3. Re:Market simply responding to demand by idontgno · · Score: 2, Funny

      These aren't companies, these are criminal going concerns, some well organized,

      Wait, what? I thought you said they weren't companies. I'm confused.

      but I don't expect you'll see them listed on NASDAQ any time soon.

      Oh, they're privately-held companies. No biggie. Those are the real engines of industry and the heart of the entrepreneur class.

      Ah I see. "Criminal". The only real difference between "criminal concern" and "legitimate entrepreneur" is the size of their lobbying budget and legal departments.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    4. Re:Market simply responding to demand by kaws · · Score: 1

      Talk to a person who's been a bank teller for a time and I'm sure you'll hear about those kinds of people that banks have to protect them from their own idiocy.

    5. Re:Market simply responding to demand by fifedrum · · Score: 1

      facebook only got listed on an exchange because it was time for the dump in the pump-and-dump. The concerns behind it simply turned the key on the next phase, dumped their stock on useful idiots and corrupt investment banks, and walked away with their billions. They don't care about the value of the company, the fact that it's listed on an exchange, or the future of the company. They got theirs. You won't get yours.

  4. Filtering != Stopping by damn_registrars · · Score: 5, Insightful

    Filtering can be a good first line defense, yes. However it will never, ever solve the spam epidemic on its own. No amount of filtering ever will.

    This is about a group that took a better step, in going after a botnet. That is more effective than filtering in the long term, but still won't do the trick.

    The long term solution comes from acknowledging that spam is an economic problem. A lot of reactionary measures (such as filtering) treat spam almost as if it is a game or a personal attack on themselves. Spammers don't give a shit who you are or what your reaction is to spam. Spammers just want to make money. Someone is paying them to send out spam. If you want to stop spam for real, you need to stop the money. If the spammers don't get paid, they don't send out spam.

    It's that simple. Everything else just kicks the can down the road.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Filtering != Stopping by cpu6502 · · Score: 2

      (1) How do we stop the money? (2) And why should we bother? Spam is no more offensive than the spam I hear on the radio or TV.

      I'm more worried about the war on nude photos. Did you hear about the gay UK politician whose career was destroyed? They accused him of having nude children on his computer. They couldn't find anything but one image that "looked like" a teen but was later proved to be a 22 year old. (Guilty until proved innocent.) Then they tried to go after him for having gay images on his computer but of course that's not a crime.

      The end result was the guy was fired from his job, received hate speech scrawled on his house, and now he's hiding. All because of the UK war on nude photos. (A war that also exists in Australia unfortunately.) Possession of an image, even if it's an actual murder scene, should not be a crime.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    2. Re:Filtering != Stopping by damn_registrars · · Score: 3, Informative

      (1) How do we stop the money?

      You might be the first person who has ever asked this question when I have pointed out this dilemma here on slashdot. Most other people respond by advocating murdering the spammers in some way, shape, or form instead.

      The money can be stopped a few different ways. A few years ago a group at Georgia Tech (IIRC) found that the majority of all financial transactions executed on spamvertised sites were processed through a very short list of processing centers. Getting those guys to clean up their act would be a big step in the right direction.

      Another is to find where the spammers themselves are receiving payment (as the above method goes after the people paying the spammer instead). Following the money isn't that hard if you initiate a transaction (to track it from one end) and get useful records of who really owns the domain for the spamvertised site (which is often registered in some way to the spammer).

      I thank you for asking the question.

      (2) And why should we bother?

      The biggest argument for doing something about spam lies in the fact that spam makes the internet more expensive for everyone. Being as a large portion of all traffic is spam, it means that legitimate traffic is delayed as a result. And of course the spam also takes up space on hard drives (sometimes in replicate as it traverses from a server to a user's computer) and CPU time. Any company that is running a spam filter - be it software, hardware, or some of each - is also devoting resources to the problem that someone has to pay for.

      Spam is no more offensive than the spam I hear on the radio or TV.

      I would argue that to be an incorrect analogy for the reasons I stated above. You can turn off your radio or TV and you won't hear your local car dealer screaming at you to come buy a new car. However if you turn off your computer you are still paying your ISP to move spam around. Even worse you are paying for your ISP to build up its network infrastructure so they can deliver the bandwidth they promised you while also dealing with the avalanche of spam coming to their network every moment.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    3. Re:Filtering != Stopping by heypete · · Score: 2

      Yes, but with excellent filtering and easy filter-training spam becomes less economical.

      Take, for example, Gmail's spam filters: I receive thousands of spams per month (down from tens of thousands a month from a year or two ago) at my personal address hosted on Google Apps. Out of all those messages, maybe one or two a month slip by the filters. I select the messages and click "mark as spam" and they're gone from my mailbox and help train the filter. This is trivial work for the user and benefits the entire community. Every single one of the "common" spams (e.g. pills, 419 scams, etc.) is caught -- the rare ones that slip by are using some new gimmick to elude filters. Once the filters are trained to detect them, that gimmick becomes useless.

      I'm an exception as I receive a huge amount of spam due to having my own domain and a very trivial, widely-published-on-the-internet email address. I suspect most users have far less pre-filter spam hitting their mailbox and even less making it through.

      Same thing with blog spam: Akismet catches a similar ratio of spam, making blog spam pretty much useless. Bloggers can submit spam that was missed or innocent postings that were mistakenly flagged and the system learns, benefiting everyone. Training this filter is basically a one-click operation for site admins. I can always identify blogs that don't use Akismet because the comments at those sites are flooded with spam.

      Yes, to truly be stopped spam needs to be stopped at the source. When all it takes to send out spam is a cheap, anonymous SIM card from a mobile ISP in Nigeria, it's unlikely that there's any practical means of stopping spam at its source. When there's dozens of sites scanning the internet to find lists of open proxies ripe for abuse, it's possible to send spam with essentially no risk. Using a stolen credit card to rent a VPS allows spammers to send mail from "legitimate" IP addresses at high rates of speed with very little in the way of information that traces back to them.

      Still, having filtering "communities" like Gmail or Akismet or other similar services (I presume that Hotmail and Yahoo do something similar) can stop the huge majority of spam and make it less worthwhile for the spammers -- already it's at the point where essentially no legitimate service sends spam, unlike the situation a decade ago. Indeed, several articles I've read suggested that some spammers are migrating away from email spam to social networking spam on services like Facebook and Twitter as their filtering methods are less advanced.

    4. Re:Filtering != Stopping by RobertLTux · · Score: 1

      or an "easy" way to stop this is to make it a Personal Felony to operate a Financial Service known to be used by any entity for an illegal purpose or to provide services for same. So if you process the CC cards for a Spammer YOU YOURSELF go to Jail and Your Bank can have its staff GO TO JAIL if it continues to provide for you.

      So if banks start getting put in the clink this kind of thing gets very expensive very fast (and as an added bonus banks could arrange to get a cut of "seized funds").

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    5. Re:Filtering != Stopping by Nyder · · Score: 1

      (1) How do we stop the money? (2) And why should we bother? Spam is no more offensive than the spam I hear on the radio or TV.

      I'm more worried about the war on nude photos. Did you hear about the gay UK politician whose career was destroyed? They accused him of having nude children on his computer. They couldn't find anything but one image that "looked like" a teen but was later proved to be a 22 year old. (Guilty until proved innocent.) Then they tried to go after him for having gay images on his computer but of course that's not a crime.

      The end result was the guy was fired from his job, received hate speech scrawled on his house, and now he's hiding. All because of the UK war on nude photos. (A war that also exists in Australia unfortunately.) Possession of an image, even if it's an actual murder scene, should not be a crime.

      Well, to be fair, brits are pretty ugly and probably worse nude.

      --
      Be seeing you...
  5. Dumb move by benjfowler · · Score: 1

    They just tipped off the crooks. Simply taking them down leaves the criminals at large, and they just learn to spam better.

    Microsoft's silly and pointless lawsuits won't work either. How do you sue somebody in a different jurisdiction, with different laws, no buy-in by host government, where you don't know their names? These people are CRIMINALS, and don't give a rat's ass.

    The only way to stop this kind of criminality is hard jail time. Getting buggered rotten in the Gulag should help concentrate some minds wonderfully.

  6. Re:Something useful for Anonymous to do... by SuricouRaven · · Score: 1

    I approve of this plan. The spam may be sent anonymously, but the sites it advertises need to be accessible. Just beware of false-flag spam intended to goad attackers into targeting a legitimate competitor.

  7. It's ALIVE!! by fustakrakich · · Score: 1

    Literally.. The internet is a living blob of goo... with all its viral infections and everything. It's time to dissect it in the biology lab, with all the other frogs.

    --
    “He’s not deformed, he’s just drunk!”
  8. This conflicts with what I see (I do anti-spam) by Khopesh · · Score: 2

    I only see one publicly visible spam volume graph supporting this claim: SpamHaus CBL (look at the "Last quarter" graph).

    SpamCop and SenderBase suggest the overall trend is still down, though I'm not convinced this is related to Grum -- it appears Grum just wasn't as major a player as people thought.

    The other graphs I have bookmarked, from McAfee (click the "Historic Data" tab) and Symantec, are inconclusive.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  9. Go after the money by SgtChaireBourne · · Score: 1

    Shut down the spammers at the source go after the money. The companies that are advertised in the spam have real contact information in order for them to fleece customers. This contact information can be used to trace the spammers' clients. Cut out the clients and the spammers have to go into another business.

    No one thing is going to take down the spam problem all by itself. But you can't continue to ignore the origin of the flow of money. Cut the money off at the source: the spammers' clients.

    Next step is go after the source of the bot nets: the Windows hosts upon which they grow and thrive. Get rid of those, get everyone on Linux, BSD or OS X and the bot nets go away.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Go after the money by John Bokma · · Score: 1

      Shut down the spammers at the source go after the money.

      Yup, the source are the countless ISPs who prefer money over whining "net cops". Quite some spam I get nowadays originates at ISPs like Dimenoc, iWeb, MediaTemple... As long as their customers pay they are happy to provide their services.

    2. Re:Go after the money by SgtChaireBourne · · Score: 1

      The ISPs might also be part of the problem but I am thinking specifically those whose products are advertised via spam. Come down on them and the market for spam goes away. They are the ones that are financing the whole fiasco.

      --
      Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    3. Re:Go after the money by John Bokma · · Score: 1

      Personally I think it's way easier to go after the ISPs. Currently they can provide the infrastructure without much penalty. If ISPs can be forced to take down sites of people who advertise via spam, it will hurt those people as well (they have to move, which costs money).

    4. Re:Go after the money by damn_registrars · · Score: 1
      I agree with you, for the most part.

      Cut the money off at the source: the spammers' clients.

      That's one place. Don't forget the spammers pay bills, too. I've seen times when the spammers (usually under pseudonyms) will register the spamvertised domain name, too. There is almost always a morally-impaired registrar (and ISP) on the take in the process.

      Get rid of those, get everyone on Linux, BSD or OS X and the bot nets go away.

      As much as I would love to bear witness to the end of MS Windows, I don't think that will happen. And even if this afternoon was the end of Windows, it wouldn't be the end of botnets. You would still have lazy system managers who would be running those under root at all times, which would become easy infection targets. Still others would be so terribly insecure that they'd be compromised quickly.

      In other words, an OS that starts out secure does not automatically remain secure. And the botnet masters will find the insecure boxes.

      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  10. Heh by ThatsNotPudding · · Score: 1

    I wonder if Romney would be against the idea of microtaxes on bulk emails. Probably. I can see the TV ad now : Romney is Pro-Spam!

  11. Re:The one type of spam that still persists for me by RobertLTux · · Score: 2

    easy way to do this

    1 filter for Yahoo accounts
    2 put "land mine" phrases in your craigslist postings and set filters for those (use maybe 3 different phrases)

    so if you sell say Pottery use "Ming Dynasty" "Bull teacup set" and "Dragon Motif" as "landmines"

    set your filter for @yahoo.com with "Ming Dynasty" or "Bull teacup set" or "Dragon Motif" to be sent to Spam

    in your text warn folks to NOT copy the text of your ad when they reply

    --
    Any person using FTFY or editing my postings agrees to a US$50.00 charge
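
The landmine filter described in the comment above, as an added example that is not part of the original comment. The phrases and the @yahoo.com rule come from the comment; the function names and the sample messages are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Phrases planted in the ad and the sender domain to filter (from the comment).
LANDMINES = ("Ming Dynasty", "Bull teacup set", "Dragon Motif")
FILTERED_DOMAINS = {"yahoo.com"}


def _normalize(text):
    """Lower-case and collapse whitespace so line wrapping cannot hide a phrase."""
    return re.sub(r"\s+", " ", text).lower()


def _body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def is_landmine_spam(raw_message):
    """True when mail from a filtered domain contains a planted phrase."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in FILTERED_DOMAINS:
        return False
    haystack = _normalize(msg.get("Subject", "") + " " + _body_text(msg))
    return any(_normalize(phrase) in haystack for phrase in LANDMINES)


# Constructed sample messages (not real mail).
SCRAPER = ("From: Deals <promo123@yahoo.com>\nSubject: Re: pottery\n\n"
           "Great prices on Ming   Dynasty\nvases and dragon motif plates!\n")
BUYER = ("From: pat@yahoo.com\nSubject: Is the pottery still available?\n\n"
         "Hi, I saw your ad. Can I pick it up Saturday?\n")
# A genuine buyer who quotes the ad trips the filter, which is why the
# comment asks repliers not to copy the ad text.
QUOTER = ("From: sam@yahoo.com\nSubject: question\n\n"
          "> Bull teacup set, hand painted\nIs the set complete?\n")
OTHER_DOMAIN = ("From: lee@example.org\nSubject: pottery\n\n"
                "Is the Ming Dynasty piece authentic?\n")

if __name__ == "__main__":
    for name in ("SCRAPER", "BUYER", "QUOTER", "OTHER_DOMAIN"):
        print(name, is_landmine_spam(globals()[name]))
```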