
Bot Nets Behind Recent Spam Surge 389

gsslay writes "Everyone must have noticed a surge in spam recently, particularly for stock pump 'n' dump scams. The Register reports that anti-spam companies have seen a 30% increase in the last two months and, more worryingly, more of this spam is getting through to mailboxes due to the spammers' change in tactics. Rather than use unsecured mail relays spammers are using bot nets, making spam harder to identify and eliminate. Bounced spam is also on the up, and some experts reckon it's past time to start worrying."

  • by suso ( 153703 ) * on Wednesday November 01, 2006 @10:11AM (#16672153) Journal
    Honestly, it was past time to start worrying about 2 years ago. Two years ago I had the feeling that the rising amount of spam was going to cause significant problems to the point where mail servers would no longer be maintainable and the internet may become unusable. But now here we are, nothing truly significant. More spam taking more space and driving the load up a bit on servers, but not necessarily crippling everything as we expected.

        I also haven't really noticed this increase that people have talked about lately. On average I receive over 11,000 spam messages a month to my primary email account. Here is the count per month for the past two and a half years:

    2004-07: 9088
    2004-08: 9057
    2004-09: 8990
    2004-10: 14318
    2004-11: 9910
    2004-12: 11521
    2005-01: 11251
    2005-02: 9381
    2005-03: 10843
    2005-04: 10084
    2005-05: 11785
    2005-06: 10987
    2005-07: 10505
    2005-08: 9333
    2005-09: 9704
    2005-10: 12329
    2005-11: 12394
    2005-12: 14934
    2006-01: 13764
    2006-02: 13235
    2006-03: 14562
    2006-04: 11946
    2006-05: 14204
    2006-06: 13801
    2006-07: 9671
    2006-08: 10395
    2006-09: 11373
    2006-10: 12221
  • by Nos. ( 179609 ) <andrewNO@SPAMthekerrs.ca> on Wednesday November 01, 2006 @10:23AM (#16672303) Homepage
    Pick a penny stock, buy it cheap. SPAM a bunch of people, and hopefully, get them to buy the stock. The increased demand for the stock causes it to go up. Spammer sells, and thus profits.
  • Original article (Score:3, Informative)

    by TomatoMan ( 93630 ) on Wednesday November 01, 2006 @10:25AM (#16672331) Homepage Journal
    Credit where credit is due: this article is from SecurityFocus. The Register just scraped it.

    http://www.securityfocus.com/news/11420 [securityfocus.com]
  • Today I finally got an eBay phishing scam spam e-mail that was almost good enough to fool me, if I hadn't been paying attention:

    1. It looked like a real question from eBay.
    2. It was actually for a real item I had listed (albeit a closed auction listing).
    3. The contact name was a real eBay bidder, and clicking on the linked name brought up the actual eBay user's page.
    4. BUT...clicking on the response button took you to a sign-in page on a phishing site.

    Most of the eBay phishing attempts I get are pretty laughable, but this was good enough to be worth warning about, as someone has finally written a sophisticated enough phishing bot to send these out based on listings.

    So, if you weren't already doing this before, to answer eBay mail, go in through your MyEbay link rather than any mail link to answer eBay mail.

  • by LinuxDon ( 925232 ) on Wednesday November 01, 2006 @10:37AM (#16672481)
    Wouldn't DNS blacklists be something for you?
    It would certainly solve your load problem.
    There are a couple of providers who can provide the lists commercially for heavy load mailservers.

    See my post earlier today at: http://ask.slashdot.org/comments.pl?sid=203971&cid=16671889 [slashdot.org]

    (Ps. I'm just a very happy blacklist user)
  • sendmail w/Joe Jobs (Score:3, Informative)

    by nuintari ( 47926 ) on Wednesday November 01, 2006 @10:45AM (#16672579) Homepage
    We have seen a huge increase in the number of Joe Jobs [wikipedia.org] lately, and as a consequence, our postmaster mail is filling up at record pace. Yesterday, I saw bounce notices from a single Joe Job coming in at several thousand a minute. Literally, Thunderbird could not open my postmaster folder. I had to copy /dev/null into it, wait a few seconds, and open it with mutt if I wanted to see any of the data. Over 50% of our processing time was spent sending mail to the postmaster admins, and we had a backlog of 25,000 messages. Our dual mail server beast could not keep up; fortunately, we found out why.

    By default, sendmail uses a single queue runner. We found this, and not amavis, was our bottleneck. The single queue runner is fine for low and medium volumes, but fails miserably when presented with a huge volume of mail. So we fired 4 queue runners instead, and increased the number of available amavis children to compensate. The queue runners each have a behavior:

    1) the default sendmail queue runner, starts at the front of the queue, and runs serially through it, then starts over.
    2) tries to find the oldest members of the queue and process them first. Keeps stuff from being left alone for very long.
    3) tries to find letters that are all going to the same mail server, and send them together. This one is awesome, as it opens a single tcp connection, and sends as many letters as it can. No time waiting for tcp handshaking per letter.
    4) hops around the queue at random, and sends messages.

    With the combination of these four queue runners, we have seen a huge increase in the load average on our mail servers, but we have also seen a great boost to performance. We are still seeing tons of postmaster bounces from Joe Jobs, but we aren't being slugged out by them anymore. If your mail server seems to be underperforming, try this, it really does help.
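
An added illustration (not part of the post above and not sendmail's own code) of why the host-grouping runner described there saves connections: it orders a constructed sample queue in the four ways listed and counts SMTP connections, assuming a connection is reused only for consecutive messages to the same host. The host names, queue IDs and function names are hypothetical.

```python
import random
from itertools import groupby

# Constructed sample queue: (queue_id, arrival_order, destination_host).
QUEUE = [
    ("q01", 3, "mx.example.net"),
    ("q02", 1, "mail.example.org"),
    ("q03", 7, "mx.example.net"),
    ("q04", 2, "smtp.example.com"),
    ("q05", 6, "mail.example.org"),
    ("q06", 4, "mx.example.net"),
    ("q07", 8, "smtp.example.com"),
    ("q08", 5, "mail.example.org"),
]

def connections_needed(ordered):
    """Count connections when one is reused only for consecutive
    messages to the same destination host (model assumption)."""
    return sum(1 for _ in groupby(ordered, key=lambda m: m[2]))

def order_serial(queue):
    """Runner 1: walk the queue front to back as stored."""
    return list(queue)

def order_oldest_first(queue):
    """Runner 2: process the oldest entries first."""
    return sorted(queue, key=lambda m: m[1])

def order_by_host(queue):
    """Runner 3: batch messages bound for the same mail server."""
    return sorted(queue, key=lambda m: m[2])

def order_random(queue, seed=0):
    """Runner 4: hop around the queue at random (seeded for repeatability)."""
    shuffled = list(queue)
    random.Random(seed).shuffle(shuffled)
    return shuffled

def compare(queue):
    """Return the connection count for each ordering strategy."""
    strategies = {
        "serial": order_serial,
        "oldest_first": order_oldest_first,
        "by_host": order_by_host,
        "random": order_random,
    }
    return {name: connections_needed(fn(queue)) for name, fn in strategies.items()}

if __name__ == "__main__":
    for name, count in compare(QUEUE).items():
        print(f"{name:13s} {count} connections for {len(QUEUE)} messages")
```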
  • Re:Smarter Spammers (Score:4, Informative)

    by Bastian ( 66383 ) on Wednesday November 01, 2006 @11:08AM (#16672927)
    Won't reply to all of your points because you're right, but I have thoughts on a few:

    1) Spelling is not a skill they possess.
    Spammers don't have to even try to be intelligent about the content of their e-mail, because the people they're looking to make money off of aren't the kind of people who have decent spelling skills.

    3) The idea of 'doubling the flood' all the time, choking the internet and making email unusable, is plain dumb and equivalent to sawing off the branch you're sitting on - if nobody can use email, nobody will be seeing your next spam.
    Two thoughts: Classic prisoner's dilemma, and selfishness. (ie, "Who cares if I broke the internet? I made this fat stack o' cash!")

    4) Doing business that annoys 99% of everybody else and breaking the law in the process is both dumb and asking for trouble. You will be shut down, you will lose your money and you will not get much sympathy anywhere, including from the courts. Wonder whether spammers or pedophiles are getting the worst treatment in the slammer these days... ;)
    If that were the case, then how come nobody has been able to curb spam, spammers routinely get away with extremely blatant practices like DDoS attacking antispam servers and using viruses to create zombie armies? How come spammers are continuing to make money almost unchecked?

    5) Seeing interviews with spammers usually reveals that they're really stupid in every way of the word. Some may have a certain extent of technical knowledge, but as people they're bordering on the moron/retard level.
    ???

    6) Smart people can strike it rich using regular sales methods with no need for spamming. Only those too dumb for that have the need for spamming.
    A good number of folks feel that regular sales methods - annoying advertisements, billboards everywhere, planting "I'm ugly" mind viruses in children's brains so they'll buy more beauty products and who cares if it's also creating an eating disorder epidemic, planned obsolescence and congenital wastefulness, squeezing every penny you can out of workers in 3rd world sweatshops, etc. are at least as troublesome and unethical as spam.
  • by Cadre ( 11051 ) on Wednesday November 01, 2006 @11:28AM (#16673243) Homepage
    Actually, couldn't that be used as a good way to trace the spammers?
    It is. When you receive an investment related SPAM email, forward it to enforcement@sec.gov (go here for more information on reporting investment related SPAM email to U.S. Securities and Exchange Commission [sec.gov]).
  • by Xochil ( 542406 ) on Wednesday November 01, 2006 @11:40AM (#16673419) Homepage
    Not sure which CN/KR blocks you found...but if you want a complete listing, go to my site at:

    http://www.okean.com/antispam/sinokorea.html [okean.com]

    --Mike
  • by mgblst ( 80109 ) on Wednesday November 01, 2006 @11:46AM (#16673511) Homepage
    Just to clarify, you can lose 8% a day, the scammers can make 4-6% a day. I thought that I needed to point this out, in case some silly fool gets the idea of following the scammers' advice.
  • by klossner ( 733867 ) on Wednesday November 01, 2006 @12:03PM (#16673773)
    At about the time that allofmp3.com [allofmp3.com] lost their credit card charging rights, I started to receive this spam at an address I set up just for their service announcements. Nobody else has it, so it's clear that allofmp3 monetized their email address list.
