Slashdot Mirror


User: httptech

httptech's activity in the archive.

Stories: 0
Comments: 143

Comments · 143

  1. Too little, too late on FTC vs. Open SMTP Relays · · Score: 5, Informative
    Most spammers no longer use open SMTP relays. They have shifted to buying several broadband connections and pumping spam through open HTTP/Socks proxies. This gives them the advantage of being able to randomize/personalize messages to get past spam filters. Also it lets them actively test for bad addresses, since they are maintaining an end-to-end SMTP connection and can read the protocol responses. In the old method of "relay rape" the bouncebacks never made it back to the spammers, so their list integrity would degrade over time.

    Here are some articles covering proxy abuse and the Sobig virus/Spam connection which detail some of the current techniques of spammers and how to fight them.

  2. Re:wtf is going on here? on Fizzer Worm Uninstalling Itself · · Score: 4, Interesting
    More and more worms and viruses are going to crush the internet under their weight if they are not stopped somehow. It's somewhat akin to the wild west here... there is no "law" that can contain these hostile entities. It's up to the town affected to form a posse and take care of business.

    A look at ethical issues involved in "hacking-back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.

    It's called "Crossing the Line: Ethics for the Security Professional"

  3. Re:Antivirus companies' advice on Fizzer Worm Uninstalling Itself · · Score: 4, Informative
    Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

    That's actually what the de-fizzer executable was designed to do. Unfortunately, it looks like there are timing/logic issues with the update that haven't been worked out (different threads of the worm are run conditionally, at different times).

    Another vector that people (including myself) are working on is using the "PING" buffer overflow to launch the self-destruct mechanism from the IRC server.

    My submission:

    2003-05-15 16:36:12 Fizzer Worm Self-Destruct Sequence Triggered by Fizzer Task Force (articles,security) (rejected)

  4. Open proxies on How to Become A Spammer · · Score: 3, Interesting

    This is the primary method of spam distribution today. If the spammers are smart, they are staying away from the Sobig.a proxies on port 1180/1182 due to the fact they will allow anti-spammers to quickly track down the spammer's real IP address. If it truly is a handful of big time spammers sending the bulk of the email, one could make a pretty big impact on them this way.

  5. Untraceable on Spamming Trojan "Proxy Guzu" · · Score: 2, Informative
    "It's untraceable. I hate to put that in print, but it's the truth."

    If the spammer uses the proxy/trojan installed by Sobig.a which listens on port 1180 (socks) and 1182 (http), it's very traceable. You need only the password to the proxy management station (it's "zaq123") and you can watch the traffic or shut it down altogether.

    See this analysis of Sobig and Spam for more details.

    Of course, this MBIWYL (may be illegal where you live)

  6. Spammers and proxies on Will Bounties Cure The Spam Problem? · · Score: 5, Informative
    Spammers almost always use proxy servers to disguise their true IP address. This blind dependence on an army of proxies is actually a weakness. The more proxies they use, the more likely one is actually a honeypot (honeyproxy). Recently it was discovered that the Internet is being seeded with hidden proxy servers by the Sobig.a (BigBoss) virus. Unfortunately for the spammers, the password for the proxy server console was also discovered, allowing anti-spammers to watch their comings and goings and log their true IP addresses. Not that I recommend doing that (as it could be illegal in most countries), but the password is here:

    http://www.lurhq.com/sobig.html

  7. Causing pain, but indirectly on TarProxy Creates Tar Pit... For Spammers · · Score: 4, Interesting
    Most spammers don't send hundreds of thousands of emails from their own connection. Generally they use open relays to propagate a few messages each with a huge RCPT list. So, tarpitting does nothing to the spammer directly. However, tarpitting the open relay does accomplish something - it could cause a huge backlog of mail, eventually letting the relay choke off its own resources as spammers kept trying to dump messages on it. This would cause some indirect pain to the spammers, as finding open relays that could deliver mail quickly would be difficult. It might also alert the mail administrator to the problem, thus encouraging them to close their server to relaying.

    And you would not need to roll this out on most of the net. If the large ISP and webmail providers started doing this it would have a significant impact. Much of the spammer's distribution list consists of a few domains: yahoo, hotmail, aol, etc. If the large providers implemented tarpits it could quickly damage the ready supply of open relays for spammers.

  8. Re:A lesson in POSTNET barcodes on Verisign Sending Deceptive Domain Renewal Mail? · · Score: 2, Informative

    I found this pretty cool, but I'm too lazy to do the math each time. So here's a short perl script I whipped up to decode the barcodes in the form of sststsstst, etc.

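    #!/usr/bin/perl
    # Decode a POSTNET barcode typed as a string of s (short) and t (tall) bars.

    use strict;
    use warnings;

    my @digitcode;
    my ($sum, $maxdigits, $checksum) = (0);
    # Each digit is encoded as five bars, exactly two of them tall.
    my %codes = ( ttsss => '0', ssstt => '1', sstst => '2', sstts => '3',
                  stsst => '4', ststs => '5', sttss => '6', tssst => '7',
                  tssts => '8', tstss => '9' );

    chomp(my $code = <STDIN>);
    if ($code =~ /[^st]/) { print "Invalid code (use combinations of s and t only)\n"; exit }
    # Strip the tall framing bar at each end.
    if ($code !~ s/^t(.*)t$/$1/) { print "Framing bars not present!\n"; exit }
    # What remains must be whole groups of five bars: at least one digit plus the check digit.
    if (length($code) < 10 or length($code) % 5) { print "Invalid code length!\n"; exit }

    # The last group of five bars is the check digit, not part of the zip code.
    $maxdigits = length($code) / 5;
    print "Decoding ", $maxdigits - 1, " digit zip code...\n";
    my @codestring = split(//, $code);
    for (0 .. $maxdigits - 2) {
        $digitcode[$_] = join("", @codestring[$_ * 5 .. $_ * 5 + 4]);
        if (!exists $codes{$digitcode[$_]}) { print "\nInvalid digit pattern: $digitcode[$_]\n"; exit }
        print "$codes{$digitcode[$_]}";
        # Separate ZIP from +4 only when more digits follow.
        if ($_ == 4 and $maxdigits > 6) { print "-" }
        $sum += $codes{$digitcode[$_]};
    }
    print "\n";
    $checksum = join("", @codestring[($maxdigits - 1) * 5 .. ($maxdigits - 1) * 5 + 4]);
    if (!exists $codes{$checksum}) { print "Invalid check digit pattern: $checksum\n"; exit }
    $sum += $codes{$checksum};
    # All digits plus the check digit must sum to a multiple of 10.
    if ($sum % 10) { print "Checksum invalid!\n"; exit }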

  9. Different company, same scam on Verisign Sending Deceptive Domain Renewal Mail? · · Score: 1

    After reading the article, I just checked my snailmail. Lo and behold, I have a letter from "Domain Registry of America" (not my actual registrar), encouraging me to renew my domain name now, to avoid any "Registrar Lock". This letter is even shadier than Verisign's, because it doesn't even mention the word "transfer" in any large print. The small print on the back is literally too small for me to read without getting a headache. The renewal price? Why, only $25 a year, twice what I'm paying now. What a bargain!

  10. Re:Cutting, gluing, bending on Making Computer Cases out of Plexiglass? · · Score: 2, Informative

    If you don't want to shell out the money for a heat bender, you can use a propane torch. It takes a little skill, but with practice you can learn how to move the flame back and forth over the bending point evenly with the correct speed and temperature until the plastic begins to bend with gravity. Don't force the bend or it will have ugly cracks inside the plastic at the bend. Don't hold the heat on it too long or the acrylic will bubble. (Hint, move the flame past the edges on the plastic on each pass) And always work in a well-ventilated area.

  11. Try flame-polishing next time on The Incredible Invisible Case · · Score: 1


    All the cutouts were shaped with needle files (roughly eight hours of hand work there) and meticulously polished with sandpaper and Novus #2 polish. The polishing took maybe another three hours, but the results were well worth it.

    Dude, that's insane. Polishing acrylic edges is best done with a propane torch flame. Takes only a few seconds and produces much nicer results.

  12. Re:They do not even handle it well AFTER expiratio on VeriSign/NSI Proposes Domain Name Wait Listing Service · · Score: 5, Informative
    Verisign tells my friend he should ask the previous owner to use the transfer documents to transfer the domain to my friend

    That's funny, considering that Verisign won't let you transfer domains after they expire. I suspect if the original owner tried to, they would tell him he needs to renew with them first, so they can get an extra $70 for doing nothing. They tried to do it to me, but I said fsck that. Now my previous domain is owned by a porn site operator who re-registered it with another registrar before I could. That's where the domain your friend wants will probably end up too.

  13. NetSol's scam on What to do when your registrar (NSI) ignores you? · · Score: 1

    I believe they've intentionally broken the system for information update via email in order to force people into dealing with them via fax and phone. Of course, this "expedited service" costs $30 a pop. Run, don't walk away from Network Solutions. My personal recommendation is 000domains.com

  14. Re:This happened to me also on Filing a Domain Name Dispute? · · Score: 2, Informative

    Cool. I've also discovered he is typo-squatting on "mindsrping.com" also. I was pretty sure he was doing this widely. I was glad to see this article posted; but I wasn't too surprised.

  15. This happened to me also on Filing a Domain Name Dispute? · · Score: 5, Informative
    I couldn't get my domain transferred to another registrar by Network Solutions because they delayed processing my transfer until after it expired, then told me I couldn't transfer it because it had expired!

    I decided to let the name expire and then re-register it with a better registrar. I thought it wouldn't be a problem, because it was an obscure name.

    Well, this same scumbag who took your old domain now has my old personal site, and is using it for porn ads. Apparently he is using a bot to repeatedly check for newly expiring domains, hoping to capitalize on the traffic from people's old bookmarks/search engine listings. I'm calling this "expire-squatting".

    I filed a complaint with the FTC because of this and because he was using hostile "mousetrapping" javascript code to force open new windows whenever you close one. The FTC had previously shut down another one of these jerks, so I thought it might help.

    Well, the FTC sent me back an email saying that they don't investigate individual complaints, but will act if they see a pattern of fraudulent behavior emerge.

    So, go report this at the FTC website, and maybe you can push this over the threshold for FTC action.

  16. Re:Linux and Video on Loki Goes Postal · · Score: 1
    I found a 16M AGP nVidia Riva TnT 128 card on Pricewatch a few months ago for $29. Using nVidia's XFree86 driver, here is the output of the Mesa "gears" demo running on a Linux 2.4/XFree86 4.1.0/Celeron 800 system:

    At default 256x256 DRI window size:
    4253 frames in 5.000 seconds = 850.600 FPS

    Full screen (DRI windowed) 1024x768
    589 frames in 5.000 seconds = 117.800 FPS

    Obviously the frame rate numbers aren't going to be as high in Quake as in a simple demo, and this is not the ultimate "gamer" card, but still, that's a lot of bang for 29 bucks, and would be very acceptable for your average user.

  17. I tried to move my domain from NetSol... on VeriSign Accuses Competitors Of 'Slamming' · · Score: 1
    I made the mistake of waiting until the last day it was valid to request the change. The new registrar sent the request in to NetSol, and, two days later, NetSol replied and said "This domain is expired, so we won't let you transfer it". WTF? If they hadn't sat on my request for two days it wouldn't have been expired!

    So, weeks later, even though it expired, my domain name is still working, under NetSol control. So I can't just go re-register it. They want to make it next to impossible to transfer a domain away from them. Well, they can fsck themselves, I will just lose the domain if I have to; they will never get any of my money again.

    The registrar I tried to transfer to, 000domains.com has a policy stating that they will charge a 3.95 fee for requests to NetSol for domain transfers that don't go through because they are expired. However, they recognized NetSol's shadiness in this transaction, and did not charge me the fee. I have nothing but good things to say about their service. They were extremely responsive in their email and refunding my money for the failed transfer. I have registered a new primary domain with them for $13.50 a year and I recommend them to everyone I know.

  18. Re:Vote for Harry Browne on 2600 Staffer Arrested During Republican Convention · · Score: 1
    You mention the environment and labor laws as reasons for voting for the Green party instead of voting Libertarian. First off, the biggest polluters in the world are the U.S. and state governments. Scale them back and you've already taken out a big chunk of pollution.

    The other factor you are worried about (as I see it) is large corporations, in terms of the way they abuse the environment and workers (thus the need for environmental and labor laws). But if you return personal and fiscal responsibility to corporate decision-makers you can eliminate those abuses. At some point in the corporate chain, someone made the decision to cheat workers, or to dump the chemicals in the river. That person should be held liable for whatever damages he has caused.

    With liberty comes responsibility. And that should apply to CEOs as well as Joe Schmoes.

  19. Vote for Harry Browne on 2600 Staffer Arrested During Republican Convention · · Score: 1
    Taco is right, both major parties have blown it. I'll be voting Libertarian from now on. Should you?

    Ask yourself:

    Who is a better candidate to run my life?
    a) George Bush
    b) Al Gore
    c) Me

    If you chose "c", then you are probably a Libertarian. Everyone who is tired of seeing the Gov't take away our liberties one at a time should check out the Libertarian Party

  20. Re:Still with NT on the Desktop on How Is GNOME Office Coming? · · Score: 1

    The beta of IBM TopPage for Linux looks pretty good. It's not a native port, but still very impressive.

  21. Re:A strange thought... on Pirate DNS? · · Score: 1

    You don't need to set up your own root server to point your own users to a different IP address for microsoft.com, just add the microsoft.com zone to your zone files and your named.conf as if you owned it, point it to some alternate IP addresses and you're done.

  22. Re:partners.nothingventured.com? on BT To Enforce Patent On Hyperlinking? · · Score: 2

    Username: cypherpunks
    Password: cypherpunks

  23. Re:It's a disgruntled ex-employee on Taking On A Spammer · · Score: 2

    That would definitely explain the hokey account of how he got the information. I hear a lot of people saying "This is fake" and "Where are the details". I'm guessing they didn't read past the first page, because there are REAMS of incriminating information on those pages- ICQ logs, emails, URLs, passwords. If this is a hoax, someone spent a LOT of time creating it. I'm pretty convinced that this is real information from the spammers' computers. How it was obtained may be questionable.

    Perhaps the story writer was not the actual cracker, but a friend of said cracker, and got the details skewed.

  24. You know you're a geek if... on Flywheel Energy Storage: Steel Yourself For Carbon · · Score: 4

    this comment from the article: "The wheels are then derated to - that is, run at - 50 percent of maximum speed" made you think: "Ooh! I could overclock that puppy!"

  25. Cost to CompUSA is only $25 on 50-Dollar Hackable "WebSurfer" · · Score: 1

    According to this guy CompUSA's cost on these is only $25. I wonder what the actual cost of producing these suckers is.