Slashdot Mirror


User: Zocalo

Zocalo's activity in the archive.

Stories: 0
Comments: 2,447

Comments · 2,447

  1. Re:I'll stick with the basics.... on Spyware Masquerading as Spyware Removal Software · Score: 3, Insightful

    Spybot S&D is clean according to Ad-Aware, which is clean according to Spybot S&D, which is clean according to Ad-Aware... The more paranoid out there will probably have more packages in the loop, but this is definitely one instance where it doesn't do any harm to use multiple packages in parallel.

  2. Re:That's dedication... :( on Armoring Spam Against Anti-Spam Filters · Score: 1
    I think you missed the point a little. The guy in the article is not a spammer at all - in fact John Graham-Cumming is the author of POPFile, one of the most capable spam filtering tools out there. That he has managed to defeat his own tools is an incredible thing; the amount that you can learn by invalidating your own work is phenomenal. It also means that by the time spammers figure out how to circumvent the technology there is a good chance that the anti-spam tools will already have moved on to the next level.

    Frankly, I think spammers are finally on the defensive; put a tuned version of the latest anti-spam software between them and your mailbox and you get no spam. I've been using SpamAssassin with Bayes and then Procmail with several custom rules in both stages for several months. Spams in inbox = zero. Hams in spamtrap = one, and that was a detailed advisory about MyDoom that included a complete sample of the worm *after* I had already added a rule to trap it.

    So, we should all get some anti-spam software, learn how to write our own rules, and when we get a good one share it with our app's other users. Encourage others to do the same. Spammers are currently stuck between a rock and a hard place; if they send clear text Bayes has a field day, and if they obfuscate then it's obviously not legitimate either. Never mind the increasingly dubious and often outright illegal methods some spammers are resorting to in order to send the stuff in the first place.

    Spammers have to run the (maybe slim) risk of running afoul of the law, ever diminishing rates of return, the (maybe minor) inconvenience of having to change ISPs regularly, and are maybe even flirting with organised crime. Sure some of them, and a small "some" at that, make a lot of money but a growing number of them should be taking a hard look at their amount of return for the risks they are taking. John Graham-Cumming has the right approach; we have them on the defensive, now is not the time to relax - it's the time to press the advantage.

  3. Re:Ironic given an email my mom got on Microsoft Security Patch Fixes URL Security Flaw · Score: 2, Informative
    "Score:5, Funny"? Unfortunately MemRaven isn't joking - I got one of these things too, from Korea in my case, although the standard of English and spelling in the body makes me think the origin was the US. Here's the body, so you can see for yourself - the Subject was "Microsoft Security Update KB872446":
    Dear Valued User!

    At 2 : 12 Eastern Time on Friday-January 30, 2004,
    Microsoft started investigating reports of a variant of a new worm "Novarg", known as Mydoom.B.

    This virus reportedly blocks access to some websites, including all Microsoft.com websites. The virus is noticed to entice mail recipients into opening a message that has a file attachment.
    If the attached file is opened, worm installs malicious code on the computer user's system and sends itself to any contacts in the user's address book.

    Please download the latest security patch available from Microsoft.com website or download this digitally signed attachment.

    message#875438809032

    Customer Service.

    VINA MATSUO
    MATSUO@microsoft.com

    In addition, there was a set of spoofed SMTP headers from the genuine Microsoft outbound SMTP server used for their security bulletin newsletter. Naturally, the attachment (called "Windows-KB823989-x86-ENU.exe") was not "digitally signed", and was in fact a trojan - bet you never saw that coming!

    All in all, *very* slick. It plays on the current hype about MyDoom and the combination of the spoofed headers, "digital signing" and the offer to download from the website instead are/were no doubt sufficient to lull many who might not otherwise be taken in into the trap. The clueless n00bs who actually click on these things anyway would have had no chance. I'm actually impressed with the effort - this rank amateur sure could learn a thing or two.
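
    The two tells in the comment above, a pasted-in block of Received: headers and an executable attachment sold as "digitally signed", can both be checked mechanically. The following is an added example, not code from the comment's author or from any mail vendor: it walks the Received: chain from our own MX downward and reports the first hop whose receiving host is not the host that handed the message to the hop above it, and lists executable attachments. The message, host names (example.org/.net/vendor.example) and addresses are constructed for the demonstration; real headers also carry HELO names, rDNS and IPs that a production check would reconcile instead of comparing exact strings.

```python
import email
import re

# Simplified Received: parsing. Real headers also carry HELO names, rDNS and
# IP literals; this exact-string comparison is enough to show the technique.
RECEIVED_FROM = re.compile(r"\bfrom\s+([\w.\-]+)", re.I)
RECEIVED_BY = re.compile(r"\bby\s+([\w.\-]+)", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def received_hops(msg):
    """[(from_host, by_host)] in header order: newest hop (our own MX) first."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(str(raw).split())  # unfold continuation lines
        frm = RECEIVED_FROM.search(value)
        by = RECEIVED_BY.search(value)
        hops.append((frm.group(1).lower() if frm else None,
                     by.group(1).lower() if by else None))
    return hops


def first_chain_break(hops):
    """Index of the first hop whose 'by' host is not the 'from' host of the hop
    above it, or None if the chain is consistent. Every hop from that index
    down was written by the sender, not by a relay we can vouch for."""
    for i in range(len(hops) - 1):
        if hops[i + 1][1] != hops[i][0]:
            return i + 1
    return None


def executable_attachments(msg):
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXT):
            names.append(name)
    return names


def analyse(raw_message):
    msg = email.message_from_string(raw_message)
    hops = received_hops(msg)
    return {"hops": hops,
            "chain_break": first_chain_break(hops),
            "executables": executable_attachments(msg)}


# Constructed sample: two genuine hops added by our relays, then a forged
# "vendor" hop the sender pasted in, and an .exe attachment.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
  by mx.victim.example (Postfix) with ESMTP id 1A2B3C
  for <user@victim.example>; Sat, 31 Jan 2004 10:00:00 +0000
Received: from dsl-pool.example.net (unknown [198.51.100.7])
  by mail.example.org with SMTP; Sat, 31 Jan 2004 09:59:40 +0000
Received: from smtp.vendor.example (smtp.vendor.example [203.0.113.5])
  by relay.vendor.example with ESMTP; Fri, 30 Jan 2004 02:12:00 -0500
From: Customer Service <matsuo@vendor.example>
To: user@victim.example
Subject: Microsoft Security Update KB872446
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please download this digitally signed attachment.
--XYZ
Content-Type: application/octet-stream; name="Windows-KB823989-x86-ENU.exe"
Content-Disposition: attachment; filename="Windows-KB823989-x86-ENU.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--XYZ--
"""

if __name__ == "__main__":
    report = analyse(SAMPLE)
    for i, (frm, by) in enumerate(report["hops"]):
        flag = "  <-- forged from here down" if report["chain_break"] == i else ""
        print(f"hop {i}: from {frm} by {by}{flag}")
    print("executable attachments:", report["executables"])
```

    The forged hop is the one whose "by" host (relay.vendor.example) never handed anything to the hop above it (dsl-pool.example.net did), so everything from that index down is the sender's fiction, however genuine the server names look.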

  4. Re:I like the computational challenge solution bet on Microsoft, Yahoo Investigate Spam Solution · Score: 1
    Asking the sender to process a quick math question seems a better solution to me.

    Well, it does save the inconvenience of having to also solve the small issue of having to come up with a microbilling system. However, it *still* does nothing for legitimate senders of bulk mail. While a big corporate might have no problems throwing hardware at the solution, I'm sure the non-profit operators of lists for open source projects and charities etc. might not like the idea as much.
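
    The asymmetry the comment relies on (cheap to check, expensive to produce, and the cost scales with recipient count) is easiest to see in a hashcash-style proof-of-work stamp. The block below is an added example, not the Microsoft/Yahoo proposal and not the real hashcash wire format: it uses a simplified six-field stamp ("1:bits:date:resource::counter"), SHA-1, and a leading-zero-bit test. The sender brute-forces a counter; the receiver does one hash. The resource string is the recipient address, so a stamp minted for one mailbox is useless for another, which is exactly what hurts a bulk sender.

```python
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
        else:
            bits += 8 - b.bit_length()
            break
    return bits


def mint(resource: str, bits: int, date: str = "040201") -> tuple:
    """Sender side: search for a counter whose SHA-1 has `bits` leading zeros.
    Returns (stamp, attempts); expected attempts are about 2**bits.
    Simplified stamp layout, assumed for this example: 1:bits:date:resource::counter."""
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{resource}::{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1
        counter += 1


def verify(stamp: str, required_bits: int, resource: str) -> bool:
    """Receiver side: one hash, no search. Rejects a stamp minted for another
    recipient or at a lower difficulty than this receiver demands."""
    fields = stamp.split(":")
    if len(fields) != 6 or fields[0] != "1" or not fields[1].isdigit():
        return False
    claimed_bits = int(fields[1])
    if claimed_bits < required_bits or fields[3] != resource:
        return False
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= claimed_bits


if __name__ == "__main__":
    stamp, attempts = mint("alice@example.org", 16)
    print(stamp, "took", attempts, "hashes")
    print("verify:", verify(stamp, 16, "alice@example.org"))
    # The bulk-mail problem in one line: a 10,000-subscriber announcement list
    # pays roughly 10,000 times the single-message cost per posting.
    print("list of 10,000 recipients needs ~", attempts * 10_000, "hashes")
```

    A real deployment also needs a double-spend database (a stamp is only good once) and an expiry on the date field, otherwise one expensive stamp is replayed forever; neither changes the cost asymmetry shown here.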

  5. Re:Bingo on Mario Monti Fines Microsoft 100 Million? · Score: 4, Informative
    Well, Mario Monti certainly doesn't like Germans, and last time I checked they were in the EU. To date he has fined:

    Daimler Chrysler - 71m Euros in 1991

    Deutsche Post - 24m Euros in 1991

    Volkswagen - 91m Euros in 2000

    But in any case, Microsoft is not the record - Roche was fined 462m Euros for anti-trust in 2001. Google for more...

  6. Re:ugh on Google Cancels Spring IPO · Score: 2, Informative
    Surely not the ads..

    There is the Google Search Engine Appliance thing, which must have a healthy profit margin. I doubt that's going to be all that significant a contribution though - so I guess there is more profit in those Sponsored Links than might be expected.

  7. Re:Sorry, couldn't resist... on It's All About the Ununpentium · Score: 1
    And when are these physicists going to learn how English and its roots work? That's a confusion of Latin and Greek and has what suspiciously looks like a double negative at the front...

    Surely they could have worked a split infinitive in there as well! ;)

  8. Re:Spread shutdown date. on Groklaw Traces Contribution of ABIs back to SCO. · Score: 1
    Yeah, I know about the shutdown, but all the news I'd seen to date seems to imply the shutdown date is the 12th of February. However, it looks like the AV companies are *still* trying to understand the thing, because while trying to find out whether this is a fluke or intentional MyDoom behaviour I found this at NAI:
    If the worm is run after February 1st 16:09:18 (UTC), it changes its behavior from mass mailing to initiating a denial of service attack against www.sco.com. This denial of service attack will stop on the first system startup after February 12th 02:28:57 (UTC) , and thereafter the worm's only behavior is to continue listening on TCP port 3127 (or up to 3198). Due to a bug in the code, the DoS attack will fail to start more often than not.
    Obviously it's not an exact correlation in timing since that still lies in the future, but it's more plausible than the worm being shut down because of an FBI raid on SCO.

  9. Re:FBI investigates SCO as author of MyDoom virus! on Groklaw Traces Contribution of ABIs back to SCO. · Score: 1
    My gut feeling is that someone has put two and two together with some wishful thinking and got five. This thing has been a trail of confusion since the start; it was a Unix hacker, it originated in Russia (but has English comments), it was written by spammers... This could simply be another layer of deception.

    On the other hand, the copies of MyDoom that have been pummelling my mail server since the start ceased entirely just after 01:00 GMT this morning, yet normal email continues to flow... Coincidence, or is there more to this story than just a hoax or confusion?

  10. Re:Where will Groklaw head... on Groklaw Traces Contribution of ABIs back to SCO. · Score: 1
    The SCO thing is just the case du jour - a new legal issue worthy of such attention will no doubt be coming to a courtroom near you, real soon. Covering SCO is obviously a lot of work, so until things quieten down I doubt we will see much coverage of the Eolas issue for example, but the site could well become *the* clearing house for all IT related law suits.

    In any event, with the sterling work that Pamela Jones has done on Groklaw in the matter I'm sure she could now walk into any law firm in the US and say "Hi, I run Groklaw. Can I have a job?" and not have her feet touch the floor until she signs on the bottom line.

  11. Re:Their contribution... on Groklaw Traces Contribution of ABIs back to SCO. · Score: 1
    But SCO wants the GPL declared invalid by virtue of being unconstitutional and all works currently released under the GPL placed in the public domain, does it not? Turning that around a bit, SCO is basically saying something along the lines of "We now believe that the GPL is and was inappropriate for us. We therefore would prefer that the code we previously released under that license be placed under a totally free license instead." Surely for a court to accept that argument, SCO is going to have to stand by that line of thought first, and re-release their GPL contributions (including the files at the crux of their case) under a totally unrestrictive license. And that *still* leaves the matter of whether the GPL is "unconstitutional" or not to be decided in a court.

    It sure looks like SCO is damned if they do and damned if they don't to me, but I think we all knew that already.

  12. Re:configuration of the virus announcement functio on Anti-Virus Companies: Tenacious Spammers · Score: 2, Insightful
    You send them an email? That puts even more load on your server and in a way continues the problem. I too became fed up with this crap with MyDoom after bearing the brunt last time, but my approach is to block all mail from the idiots that bounce the payload as well with a hard SMTP reject on connect. Domain and IP both go into the block list and instead you just get a curt SMTP error message and we're done.

    Maybe I'll remove the blocks when this blows over, maybe I won't, but they sure as hell are going to be ready and waiting for next time something like this kicks off. The worrying part is, it's not just "Mom and Pop" operations either; it's companies who should have a clue like big ISPs and large corporates. What we need is a DNSBL that lists the IPs of compromised hosts and another that lists the IPs of those that generate bounces; I'd be subscribed to both in a heartbeat.

  13. Re:Release Highlights from Nvidia.com on NVIDIA Drivers for 2.6 Kernel · Score: 3, Funny
    Feh. You missed this one:

    * Currently, there are drivers for both Linux and FreeBSD.

    See - Nvidia confirms it: *BSD is *not* dying after all! ;)

  14. Re:Does Andy work at SCO on More MyDoom Gloom · Score: 2, Interesting
    A couple of thoughts leapt to mind about that. Firstly the comment is in English, and the name is in English (Andre[i] would be the Russian equivalent) which kind of implies an English speaking author, despite the first capture being in Russia. Using compromised box(es) to initiate the spread of the worm would be a fairly obvious step to cover one's tracks.

    Secondly, since "andy" is one of the email addresses spoofed by the worm I'm guessing that the worm's author was a) commissioned to write the worm by parties unknown, and b) included a colleague's email in the spoof list, perhaps by mistake.

    So the question is, will Andy, whoever he is, get pissed off enough to turn his colleague in for the $250,000 reward posted by SCO and turn over a new leaf? /tinfoil Assuming he's not working for SCO of course. /tinfoil

  15. Already been done on Domain Based Spam Prevention? · Score: 2, Informative
    You can grab a config file for SpamAssassin here which has hundreds of spam domains listed, all in nicely optimised regular expressions. I did try this some time back, but it rapidly became clear that this is very much an arms race. Using a new domain to act as a redirector for each spam run is a minimal overhead for a spammer - maybe they need a 0.0002% response rate instead of 0.0001% which is no big deal for the spammer.

    I suppose you could write some scripts to automatically add new domains and expire those beyond a certain age, but I don't see much point. I've been writing custom SpamAssassin rules for several months now, and for me at least the ones that give the best results by far are the general purpose ones. Sure, if you have a big spam run or something like MyDoom to deal with, then a specific rule can really help, but that seems very much an exception to the rule.

    The rules I have most success with are targeting the obfuscation attempts, which is great because if the spammer omits obfuscation then Bayes has a field day instead. Even if you don't use SpamAssassin, the Wiki is great for examples of this kind of rule that you can adapt to your own engine if need be. Best of all, this is the kind of stuff that will *always* work, rather than a rule that will at best have a shelf life of a couple of months before it starts to bog down your mail gateway for no benefit.
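
    The "rock and a hard place" argument made here and in comment 2 above (clear text feeds Bayes, obfuscation trips a rule) is easy to demonstrate end to end. The block below is an added example, not SpamAssassin's own code or rule set and not the commenter's rules: it trains a small naive Bayes classifier on a constructed toy corpus, adds three SpamAssassin-style obfuscation rules (digit-for-letter substitution, letters separated by punctuation, a word split by an HTML comment), and combines them into a score with a threshold of 5. The rule names, point values and Bayes bucket boundaries are assumptions chosen for the demonstration.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def tokens(text):
    return TOKEN.findall(text.lower())


# Constructed toy corpus (not real mail). A real Bayes store holds thousands of messages.
HAM = [
    "meeting moved to thursday, please bring the quarterly report",
    "patch for the kernel driver attached, review when you have time",
    "can you send the spamassassin rules you mentioned on the list",
    "lunch tomorrow? the usual place at noon",
]
SPAM = [
    "buy cheap viagra online now lowest price guaranteed",
    "refinance your mortgage today lowest rates free quote",
    "cheap viagra cialis free shipping order now",
    "you have won a free prize click here to claim now",
]


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing over the two corpora."""

    def __init__(self, ham, spam):
        self.ham = Counter(t for m in ham for t in tokens(m))
        self.spam = Counter(t for m in spam for t in tokens(m))
        self.vocab = len(set(self.ham) | set(self.spam))
        self.n_ham = sum(self.ham.values())
        self.n_spam = sum(self.spam.values())
        self.prior_spam = len(spam) / (len(ham) + len(spam))

    def spam_probability(self, text):
        log_spam = math.log(self.prior_spam)
        log_ham = math.log(1 - self.prior_spam)
        for t in tokens(text):
            log_spam += math.log((self.spam[t] + 1) / (self.n_spam + self.vocab))
            log_ham += math.log((self.ham[t] + 1) / (self.n_ham + self.vocab))
        return 1 / (1 + math.exp(log_ham - log_spam))


# Rules aimed at the obfuscation itself, not at any product name (assumed names/points).
OBFUSCATION_RULES = {
    # v1agra, c1alis, l0west, m@rtgage: a digit or symbol inside a word
    "DIGIT_LETTER_SUBST": (re.compile(r"\b[a-z]+[013$@][a-z]+\b", re.I), 2.0),
    # V.I.A.G.R.A, v-i-a-g-r-a: five or more single letters with separators
    "SPACED_LETTERS": (re.compile(r"\b(?:[a-z][ .\-_*]){4,}[a-z]\b", re.I), 2.5),
    # VIA<!-- junk -->GRA: a word split by an HTML comment the renderer hides
    "HTML_COMMENT_SPLIT": (re.compile(r"[a-z]<!--.*?-->[a-z]", re.I | re.S), 3.0),
}


def score(text, nb, threshold=5.0):
    """SpamAssassin-style additive scoring: rule points plus a Bayes bucket."""
    hits, total = [], 0.0
    for name, (pattern, points) in OBFUSCATION_RULES.items():
        if pattern.search(text):
            hits.append(name)
            total += points
    p = nb.spam_probability(text)
    if p > 0.99:
        hits.append("BAYES_99"); total += 5.0
    elif p > 0.9:
        hits.append("BAYES_90"); total += 3.5
    elif p > 0.5:
        hits.append("BAYES_50"); total += 1.0
    elif p < 0.1:
        hits.append("BAYES_00"); total -= 2.0
    return {"score": round(total, 2), "bayes": round(p, 4), "hits": hits,
            "spam": total >= threshold}


if __name__ == "__main__":
    nb = NaiveBayes(HAM, SPAM)
    for msg in ("cheap viagra lowest price order now",
                "c1alis, V.I.A.G.R.A and VIA<!-- x -->GRA at the l0west rate for you",
                "can you send the spamassassin rules you mentioned"):
        print(msg, "->", score(msg, nb))
```

    The plain-text spam is caught by Bayes alone; the obfuscated copy of the same pitch drops below 0.5 in Bayes because the tokens are now nonsense, but picks up all three obfuscation rules and still clears the threshold; the ham message triggers nothing but BAYES_00. That is the point of writing rules against the trick rather than the product: the digit-substitution rule never needs updating when the product changes.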

  16. Re:Another reason they might be up and down on MyDoom Windows Worm DDoSing SCO · Score: 1
    They might be switching from GNU/Linux systems to something a little bit more suited to enterprise environments.

    You must mean BSD, because you can't possibly mean MS Windows or (God forbid) SCO Unixware! ;) Of course, it's probably still Linux, but they've just changed the kernel parameters enough to obfuscate the fingerprint.

  17. Calm before the storm? on MyDoom Windows Worm DDoSing SCO · Score: 4, Interesting
    According to the various AV vendors the worm isn't due to start the DDoS of sco.com until February the first, which seems to be a fairly unanimous opinion. If that's right then that spike on NetCraft's graphs isn't the DDoS, it's just all the people who read AV stories and alerts on the AV and News sites clicking on links - nothing more than a generalised Slashdotting.

    The people who read these AV stories do not represent the "average" user who is more inclined to fall for the worm's social engineering. Nor would they be opening the "63 connections per second" to sco.com being touted by the AV vendors for that matter. I suspect that blip is going to pale into insignificance compared to the amount of traffic they are going to get come February. It's a fair bet that SCO will be denouncing the "Linux hackers" as being the culprits in numerous press releases as well, they may be right on that, they may not, but it's sure as hell going to get them a lot of sympathy.

    This isn't going to help OSS's case at all, and the only saving grace is the February 12th cut off. Then again, I've yet to see anything about what happens to the port the worm listens on come the deactivation date, or what instructions that port might accept.
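
    Comment 8 above quotes NAI's timing and the port range, and this comment asks what happens to that port after the cut-off. The only thing a defender can do with the published description is check for it. The block below is an added example, not NAI's or the commenter's code: it encodes the quoted phase timings as a lookup and scans `netstat -ano` style output (constructed sample, assumed PIDs) for listeners on TCP 3127..3198. The phase function is simplified: per the quoted text the DoS stops at the first reboot after the cut-off, not at the instant.

```python
import re
from datetime import datetime, timezone

# Timings as quoted from the NAI description in comment 8 (UTC).
DOS_START = datetime(2004, 2, 1, 16, 9, 18, tzinfo=timezone.utc)
DOS_STOP = datetime(2004, 2, 12, 2, 28, 57, tzinfo=timezone.utc)
BACKDOOR_PORTS = range(3127, 3199)  # 3127..3198 inclusive


def worm_phase(when):
    """Behaviour the description predicts for an infected host at `when`
    (a UTC datetime or an ISO 8601 string taken as UTC). Simplified: the
    real DoS stops at the first system startup after DOS_STOP."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    if when < DOS_START:
        return "mass-mailing"
    if when < DOS_STOP:
        return "dos-sco"
    return "backdoor-only"


# One `netstat -ano` row: proto, local addr:port, foreign addr, state, pid.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)


def backdoor_listeners(netstat_output):
    """[(port, pid)] for TCP listeners inside the worm's port range."""
    found = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            found.append((int(m.group(1)), int(m.group(2))))
    return found


# Constructed sample output (PIDs and addresses made up for the example).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING       1500
  TCP    192.0.2.5:1045         203.0.113.9:80         ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""

if __name__ == "__main__":
    print("phase now:", worm_phase(datetime.now(timezone.utc)))
    for port, pid in backdoor_listeners(SAMPLE_NETSTAT):
        print(f"listener on {port} owned by pid {pid}: investigate that process")
```

    A listener in that range is a lead, not a verdict: pin the PID to its image on disk and check its hash against the AV vendor's description before acting. Note also that the deactivation date only ends the DoS; a host still listening on 3127 after February 12th is still a remote-controllable box.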

  18. Re:Finally! on Today's Windows Virus - MyDoom / Novarg · Score: 5, Interesting
    *Now* you tell me, I'd have kept the damn thing if I'd known (joke)! I've just finished updating my virus signatures after a copy of this sucker slipped by the set I only got this morning. If you are running McAfee on your Windows boxen the latest DAT/SDAT at time of writing (4318) is NOT sufficient! You also need the Extra.DAT file which you can grab from here:

    http://vil.nai.com/vil/content/v_100983.htm

    (Scroll down for the download links to the updates), or the 4319 DAT/SDAT when it becomes available.

  19. Re:It's a Scooter! on TiVo Buys Super Secret Strangeberry · Score: 1
    To be fair to Dean Kamen, no he didn't spout endless soundbites about how wonderful and revolutionary the Segway was going to be. On the other hand, he didn't exactly try and mute (or at least tone down) the overzealous claims of Bezos, Jobs and the others who had been given a sneak-peek. As far as I am concerned overhyping a product directly or by proxy has the same result come the eventual release, and in the case of Segway it must have been obvious it was out of hand.

    Segway could have been, and still might be, a great product if the price comes down some. There are plenty of jobs that require a human to move reasonable distances by foot, cycle or small cart that could use a Segway; mail delivery, inspection/security patrols and so on. Instead, it's at best regarded as a novelty and at worst a joke. The problem is, as you allude, far too many people repeatedly trust pundits, even when they have a demonstrable track record of having no better chance of getting it right than you or I.

  20. Re:It's a Scooter! on TiVo Buys Super Secret Strangeberry · Score: 1

    And if there's one thing that "Ginger"/"It"/"Segway" should have taught us, it's that the answer to the question "anybody got any more ideas on what this could be?" is invariably "a disappointment". Whatever it is, let's just hope they don't fall into the trap of overhyping the product like Mr. Kamen did.

  21. Perhaps it's still in "testing" on Scam Combines Patriot Act FUD With IE Bug · Score: 4, Interesting
    "Where's an MS patch when we really need one?"

    Apparently they are "still working on it", just like they have been for the last two scheduled patch releases they've had. Unfortunately, the scammers and phishers are "still working on it" as well. And yet despite this, Microsoft still spouts such choice quotes about its software security as "The tool had to be tested before we could put it on Windows Update... it would be unfair to accuse Microsoft of tardiness." (about a five month wait for an official Blaster clean-up tool) and "Windows is far more commonly afflicted with worm infections than Linux... but Microsoft offers greater accountability and support than open source alternatives".

    Well, I'll agree with one of those points. Can you guess which? ;)

  22. Re:play.com next? on UK Music Industry Stomps on Imported CD Seller · Score: 2, Interesting
    It looks like Play has already tried to prevent any potential suits by the BPI. I was looking to get an R1 DVD from them and they no longer provide R1 DVDs directly from the www.play.com site, although their US arm based at the www.playusa.com site will apparently still ship to the UK. I assume they have adopted a similar position for music imports too. Whether this will stop the BPI starting a similar action against Play remains to be seen though.

    Way to go BPI! Push even more of your customers into the murky waters of ever greyer imports and P2P!

  23. Re:Lobbying Impact on SCO Lobbying Congress Against Open Code · Score: 1
    It's designed to appeal directly to the politician in every fashion you can possibly do so.

    Kind of in the same way that a Nigerian 419 type scam is designed to appeal directly to suckers in every fashion it is possible for them to do so. It looks like Darl and Boies might have some career opportunities other than flipping burgers when the dust settles after all...

  24. Re:They didn't block it on SPEWS Adds DSL Reports to Block List · Score: 3, Insightful
    We receive less than 10 spams/day across a user population of over one thousand. Spews alone is responsible for about 30% of the blocking.

    Yes, and if you were using Osirusoft's DNSBL when they decided to shut down and blocklist the entire Internet it would have accounted for the extra 10 spams a day as well. Of course, you wouldn't be getting any legitimate email either, but collateral damage is the whole point of the story, and makes your statistic a little meaningless. Do you know how many legitimate emails are being blocked? No, of course not, because that's the drawback of DNSBLs; you can't tell whether that SMTP connection you just refused was really spam, or a sales lead from a potential customer that just went elsewhere.

    Now, don't get me wrong. I'm a firm believer in the judicious use of RBLs; I use a select few directly with the MTA and have several more adding weighted scores to inbound emails via SpamAssassin. However, it has been my experience that using too many blacklists is a waste of time; the spammers will most likely be on multiple lists anyway and you just increase the chances of getting false positives like DSL Reports. Obviously it's a YMMV issue, but for me SPEWS was also responsible for the vast majority of hits on the webform link I provided in the reject message to capture false positives. Note the past tense; I stopped using SPEWS a *long* time ago because of this, including with SpamAssassin, and I still get no spam in my inbox.
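
    Both this comment and comment 12 above describe the same two-tier setup: a select few lists used for a hard SMTP reject, the rest adding weighted points via SpamAssassin. The Osirusoft incident mentioned here is the failure mode every such setup must guard against. The block below is an added example, not the commenter's configuration and not any MTA's code: it builds the DNSBL query name, applies a per-list policy (None = hard reject, a number = score), and disables any list that fails the standard DNSBL sanity check (127.0.0.2 must be listed, 127.0.0.1 must never be, which is how a withdrawn list that has started answering for everything shows up). The zone names and the canned DNS answers are constructed for the demonstration; the live resolver path is included but not exercised.

```python
import socket


def dnsbl_name(ip, zone):
    """Query name for an IPv4 address: reversed octets under the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"IPv4 address expected: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def live_resolve(name):
    """Real lookup: A records for `name`, or [] when not listed (NXDOMAIN)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def list_is_sane(zone, resolve=live_resolve):
    """DNSBL convention: 127.0.0.2 is always listed, 127.0.0.1 never is.
    A list that answers for 127.0.0.1 is listing the whole Internet (what
    Osirusoft did when it shut down); a list that does not answer for
    127.0.0.2 is dead. Either way it must not be allowed to block mail.
    In production, cache this result rather than querying per connection."""
    return (bool(resolve(dnsbl_name("127.0.0.2", zone)))
            and not resolve(dnsbl_name("127.0.0.1", zone)))


def check_sender(ip, policy, resolve=live_resolve):
    """policy maps zone -> weight; None means hard reject at SMTP time,
    a number means add to a SpamAssassin-style score instead.
    Returns (action, score, hits) with action 'reject', 'score' or 'accept'."""
    score, hits = 0.0, []
    for zone, weight in policy.items():
        if not list_is_sane(zone, resolve):
            continue  # broken list: ignore it rather than block everyone
        answers = resolve(dnsbl_name(ip, zone))
        if not any(a.startswith("127.") for a in answers):
            continue  # a non-127/8 answer is a wildcard or parked domain, not a listing
        hits.append(zone)
        if weight is None:
            return "reject", score, hits
        score += weight
    return ("score" if hits else "accept"), score, hits


# Constructed DNS answers standing in for three lists (zone names are assumptions).
FAKE_DNS = {
    # bl-a: healthy, lists the sender 198.51.100.7
    "2.0.0.127.bl-a.example": ["127.0.0.2"],
    "7.100.51.198.bl-a.example": ["127.0.0.2"],
    # bl-b: healthy, also lists the sender
    "2.0.0.127.bl-b.example": ["127.0.0.2"],
    "7.100.51.198.bl-b.example": ["127.0.0.4"],
    # dead: withdrawn list that now answers for every address, 127.0.0.1 included
    "2.0.0.127.dead.example": ["127.0.0.2"],
    "1.0.0.127.dead.example": ["127.0.0.2"],
    "7.100.51.198.dead.example": ["127.0.0.2"],
    "10.2.0.192.dead.example": ["127.0.0.2"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


POLICY = {"bl-a.example": None, "bl-b.example": 2.5, "dead.example": None}

if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.10"):
        print(ip, "->", check_sender(ip, POLICY, fake_resolve))
    print("dead.example sane?", list_is_sane("dead.example", fake_resolve))
```

    With the sanity check in place the withdrawn list is silently dropped and 192.0.2.10 is accepted; without it every connection would have been refused the moment that list started wildcarding. The reject path also records which list fired, which is what you want in the SMTP error text so a blocked legitimate sender can tell you where the false positive came from.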

  25. Re:Closure on Star Trek: Enterprise in Danger of Being Cancelled · Score: 1

    And either way, let them make up their minds whether to cancel or renew in time for the writers to at least *try* and deal with it. Remember the confusion at the end of season 4 of Babylon 5, with the is it or isn't it renewed quandary? The last thing the fans want is a rushed ending to a season to try and provide some sense of closure, followed by an entire season of lame episodes because the main story arc got wrapped up prematurely.