Aggressive Botnet Activities Behind Spam Increase 194
An anonymous reader writes, "A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru employed numerous tactics to thwart detection and enhance outreach, such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signatures detection." According to MessageLabs (PDF), another contributor to the recent spam increase is a trojan dropper called "Warezov."
Someone's making a lot of money from this (Score:5, Interesting)
Like many others, SpamThru first showed up on my radar a few weeks ago when a massive pump-and-dump stock spam [shaunc.com] campaign flooded the inboxes of just about everyone who uses email. They're still at it today, now pumping for ticker EGLY. There's no doubt in my mind that it's the same group of folks responsible for the initial run. All of these spam runs are coming solely through botnets, and the messages - and patterns of messages - share some obvious characteristics.
SpamThru and the recent barrage of stock scams are inextricably linked, I have no doubt about it. If and when the SEC investigates suspicious trading activity surrounding some of these stocks, they're likely to discover a trail that leads them straight to the folks responsible for SpamThru.
Re:I don't know who.. (Score:3, Interesting)
If you're going to spam me at least try to sell me something.
The best is that I'm getting the exact same spams, within seconds, on several mailboxes on different domains at once (work, GMail, and home).
I can't ban their IP ranges fast enough and when I do I end up blocking stuff like my wife's work IPs.
Not so much regular spam, but 419 (Score:3, Interesting)
Has anyone else seen a rise in the amount of this type of spam?
There's others making money too (Score:1, Interesting)
The tragedy of the commons is what occurs when there is no limit on use of public resource but iindividuals do not bear the consquence of abuse in a way that would make them modify their behaviour for the common good. The historic solution is to put a fee for admission that promotes optimal use. Now as we have all heard over and over that most propose e-mail stamp plans all fail for one reason or another. Indeed there's that ubiquitous and hilarious form letter someone always posts on slashdot whenever the latest unworkbale plan is proposed that exaplains why it won't work.
So my plan is not to have some micro payment scheme but to simply tax the origin of abuse directly. Windows Operating systems are essentially responsible for all Spam. Now if microsoft had put more effrot into securing their system then windows would have cost more to develop. So instead they are getting rich off of this since the costs of the consequences are not being borne by microsoft. Therefore there is needed a fee. The fee would be applied to cover the cost of rigorous anti-spam actions by ISPs or whomever was the appropriate cop. Alternatively it could have the effect of detering excessive monocropong of operating systems, like Windows, that makes it ripe for epidemics like this
Now before someone says well it's not microsoft's fault, their software is just as good as Linux, mac, amiga, Beos..., let me say that does not matter. Microsoft gets a market advantage and cost structure advantage by meing the mono-crop operating system. Therefore regardless of whether there security is comparabel to some other, they have a greater responsibility and a greater finaincial wherewithall to make their software be more secure. It is precisley fair to treat a monopoly with a different set of stnadards if that monopoly position is 1) the source of the problem 2) they are getting financial gain from being a monopoly.
So rather than flaming me, tell me why this is not a proper anlaysis of the problem and a possible approach to solving it. Yes it's radical. But according to earthlink I get 2000 spam messages a week. and according to this article 3/4 of the mail out there is spam. Radical solutions are called for.
Re:I don't know who.. (Score:3, Interesting)
The worthless messages are an attempt to poison your spam filters by using many common business, home, and lifestyle related keywords (whether or not these messages are actually effective at confusing the Bayesian filters is an open question). The pitch for "Vla6|2a" and that can't lose stock market "opportunity" will be in a follow on message. It is sort of like in football where there is a lead blocker and fake handoffs to confuse the defense while the ball carrier follows behind them.
The best is that I'm getting the exact same spams, within seconds, on several mailboxes on different domains at once (work, GMail, and home).I can't ban their IP ranges fast enough and when I do I end up blocking stuff like my wife's work IPs.
Witness the effectiveness of the Bot Net strategy combined with spamming. It is impossible to filter the spam based upon IP addresses if the spam zombies are extremely well distributed among the different networks on the public Internet. One cannot simply block Nextel, Verizon, and the like because some of their customers have been hijacked into the bot network by a spam trojan. This is why this new strategy is of such concern, because it is a major escalation on the part of the spammers. These asshats need to be dragged out of their dens and pistol whipped by the men in the black with the MP5s and the telescoping batons.
Re:enforcement@sec.gov (Score:3, Interesting)
I am not familiar with OLSpamCop, as I do not use Outlook. I am familiar with SpamCop, and how they need the detail in the headers to be intact, so I would guess that this is a workable solution.
If we take the profit out of spam, we will see less spam. To date, pump and dump spam bombs work, so the scammers continue to hire spammers to flood our inboxes. Without getting caught, the risk to scammer and spammer is zero. With the SEC pursuing the scammers, the scam becomes less profitable due to the increased risk. With less profit, there is less to pay the spammers, and thus (hopefully) less spam.
I met an SEC investigator at a social event not too long ago, and it did not take long for the conversation to turn to this subject. She said they take this very seriously, and submitted P&D spam has allowed them to prosecute quite a few scammers [sec.gov]. The earlier into such a campaign, the better, so they can start monitoring as soon as possible.
Re:enforcement@sec.gov (Score:2, Interesting)
https://addons.mozilla.org/thunderbird/2672/ [mozilla.org]
it's great for reporting spam that gets through the spam filters.
Can be used for reporting spam to SpamCop, the FTC, FDA, SEC, ACMA (Australia) and / or Knujon.com. It also allows you to put in your own custom addresses to report spam to such as your ISP or corporate abuse address.
What i like about it is that it bunches all the spam in a single report mail with all the spam messages as attachments.
Also, i filter my spam in separate junk folders for SEC / FDA / others and i report to them just the appropriate crappola.
Re:Time to pull the plug (Score:1, Interesting)
It's not the bots...it's the protocol (Score:4, Interesting)
IMHO it ultimately comes down to fixing SMTP.
John
Block email from Windows (Score:3, Interesting)
http://lcamtuf.coredump.cx/p0f.shtml [coredump.cx]
From this I can see that almost all spam comes from Windows. I'm in the process of configuring my postfix server so it will just reject any mail from a Windows box.
The only false positives I've seen so far, is a handful of legitimate emails that come from Windows Server 2003, so I may exempt that...
Note: I'm not advocating blocking email from Windows users, just email coming directly from a Windows box. If a windows user sends email through their ISP's mail server, it will get thrugoh just fine.
Re:Block email from Windows (Score:2, Interesting)
However... fingerprinting can be a very useful technique to identify a bad sender when nothing else is known about it. For example, with our connection management software, you can configure it to throttle (i.e. slow down, traffic shape, etc.) connections from Windows-based hosts if the host has no previous good reputation. See an overview of the technique in this OnLAMP article [onlamp.com] by Stas Bekman.
Re:Time to pull the plug (Score:2, Interesting)
Its time we force ISPs to pull the plug on infected client machines or block entire ISPs
Of course we have heard that the ISPs won't go after their own customers, but I have another idea. Why don't we simply bombard these ISPs with requests to please stop forwarding spam to us? I mean in a big way - as individuals through something like Blue Frog tried to do - not just a polite note from an upstream carrier. Has anyone considered that? Many of us were so encouraged by Blue Frog's efforts - until they got put out of business by the spammers. Their efforts failed, because they went directly after the spammers who turned out to be too powerful an adversary. But why don't we go after the ISPs? Certainly they have to accept some responsibility, if not all of it. It's really the ISP who is sending us the spam in the end, isn't it? They are paid agents of their customers, in effect frequently being paid to relay spam on behalf of their clients. So we bomb them with requests to stop, and make it unprofitable for them to allow themselves to be used as a spam relay ...and if there is a way to accurately verify the URL from which the spam originated (as opposed to being spoofed), bomb that too. Then the poor idiot with the infected machine will get knocked off the net and finally have to see that his computer is looked at by a professional. And if it is indeed a verifiable URL, but turns out to be only a temporary URL that was assigned for that email session - too bad. Then the ISP takes a hit again, when one of his innocent customers complains of a DOS attack.
Is there some failure in my logic???
Make Spamming too Costly to be Practical (Score:3, Interesting)
Spammers will continue to spam as long as there is money to be made in doing so. The economics are on the spammers' side. If a spammer sends out one million spams that advertises a product, and only one person out of ten thousand buys the advertised product, the spammer has made one hundred sales. These sales were generated at little cost to the spammer, and at big cost to users and internet providers. The Internet service providers have to pay the costs of storage and equipment to process the spam. Time is money, and many users spend their precious time deleting spam, upgrading filters, etc. If the user is at work, then their company has to pay for this time in lost productivity. The same thing goes for malicious software that generates popup ads, skews search engine result, etc. People can continue to use their antivirus, antispam, and antiadware programs to try to protect themselves, while the bad guys continue to get away with their spamming, pop-up advertising, and search engine skewing with impunity. Using defensive means to defend against spammers is much like putting one's hands over one's face in order to protect against the punches of a schoolyard bully. One might keep a specific blow from blackening an eye, or fattening a lip, but he or she has so far done nothing to deter the bully from throwing even more punches. The bully will continue to throw punches as long as there is satisfaction in doing so. It is only when the bully is confronted with a crowd of angry people, or a damned good fighter does he or she have an incentive to quit throwing punches. As it goes with bullies, the same thing goes with spammers. Punching back can definitely be a deterrent! Spammers will stop spamming only when the cost of spamming becomes higher than the profits made from spamming.
There have been many people who have made small steps in making spamming more expensive. These people understand that the spammers' weakest point is at their point of sale - usually a website. Many of these people have written programs called "spam vampires." These "vampires" are usually small programs or scripts embedded on a webpage, and they cause a visitor's browser to repeatedly download content from a spammer's website. These repeated downloads can cost spammer's a lot of money for bandwidth usage as well as processing power required to handle the data transfer. When enough people run "spam vampires," a spammer's website can cost a spammer money while at the same be too busy to process requests from those people who actually buy products advertised in spam. Programs that download content from spammers websites have been proven very effective. A program called, "Make Love Not Spam" was so effective, that it actually shut down many spammer's websites. "Blue Security" was another hard hitter against spammers. When "Blue Security" was up and running, many people, including me, noticed a huge decrease in the amount of spam received. Unfortunately, both Blue Securi