Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×

Aggressive Botnet Activities Behind Spam Increase 194

Posted by kdawson from the spam-i-am dept.
An anonymous reader writes, "A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru employed numerous tactics to thwart detection and enhance outreach, such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signatures detection." According to MessageLabs (PDF), another contributor to the recent spam increase is a trojan dropper called "Warezov."
This discussion has been archived. No new comments can be posted.

Aggressive Botnet Activities Behind Spam Increase More

Aggressive Botnet Activities Behind Spam Increase

Comments Filter:

  • Someone's making a lot of money from this (Score:5, Interesting)

    by ShaunC ( 203807 ) * on Tuesday November 07, 2006 @03:10PM (#16755147)
    I think the Securities and Exchange Commission may turn out to be the most appropriate investigative body for SpamThru and its controllers.

    Like many others, SpamThru first showed up on my radar a few weeks ago when a massive pump-and-dump stock spam [shaunc.com] campaign flooded the inboxes of just about everyone who uses email. They're still at it today, now pumping for ticker EGLY. There's no doubt in my mind that it's the same group of folks responsible for the initial run. All of these spam runs are coming solely through botnets, and the messages - and patterns of messages - share some obvious characteristics.

    SpamThru and the recent barrage of stock scams are inextricably linked, I have no doubt about it. If and when the SEC investigates suspicious trading activity surrounding some of these stocks, they're likely to discover a trail that leads them straight to the folks responsible for SpamThru.
    • It makes me wonder if the Stock Markets of the world have a plan to deal with this kind of nearly untraceable pump-and-dumping? Will it be illegal to invest in whatever spammed stock you see in your inbox, and dump it before other suckers invest in it based on spams?

      • Re:Someone's making a lot of money from this (Score:4, Insightful)

        by a_nonamiss ( 743253 ) on Tuesday November 07, 2006 @03:31PM (#16755485)
        IANASB, but by the time you read the spam email, it's probably already too late. These people buy stocks before they blast out the spam, and sell them to the suckers that think they are going to get in early and dump later. Now, if you were really clever, you could probably figure a way to make money shorting them, but that would be unethical as well, not to mention very risky.

    • enforcement@sec.gov (Score:5, Informative)

      by RT Alec ( 608475 ) <alec@slashdot.chuckl[ ]om ['e.c' in gap]> on Tuesday November 07, 2006 @03:17PM (#16755257) Homepage Journal

      Forward the message to mailto:enforcement@sec.gov [mailto]. Use Thunderbird or another mail client that does not strip or mangle the original headers (like Outlook does).

      The SEC will devote significant resources investigating and often prosecuting the people who are behind these scams.

      • Re:enforcement@sec.gov (Score:5, Informative)

        by XSforMe ( 446716 ) on Tuesday November 07, 2006 @03:30PM (#16755475)
        If you are using outlook, you can use OLSpamCop to rescue the headers and report to pretty much anyone any spam (including enforcement@sec.gov). It is a free download available here: http://www.olspamcop.org/doc.shtml#install [olspamcop.org]

        But I seriously doubt the SEC will be interested in origin of the SPAM. More likely they will do an audit on the fraudulent symbol. It usually is much more effective than tracing the origin of the spam, and it is more likely asses will get busted and the criminals (the people who proffit from the poor schmucks buying the stock) will get sent to jail.

        Nevertheless, if you want to report and spam, use spamcop so we can mitigate the damage done from the source before it pumps more shit onto the net.

        • Re: (Score:3, Interesting)

          by RT Alec ( 608475 )

          I am not familiar with OLSpamCop, as I do not use Outlook. I am familiar with SpamCop, and how they need the detail in the headers to be intact, so I would guess that this is a workable solution.

          If we take the profit out of spam, we will see less spam. To date, pump and dump spam bombs work, so the scammers continue to hire spammers to flood our inboxes. Without getting caught, the risk to scammer and spammer is zero. With the SEC pursuing the scammers, the scam becomes less profitable due to the increase

      • LOL! A government entity giving a fuck about something? That'll be the day.
        • LOL! A government entity giving a fuck about something? That'll be the day.

          I understand the sentiment... but, isn't it usually our complaint that they poke thumbs into too many pies that would be better left to market forces?

          Remember, market forces (and 'tit for tat' in general) have a tough time dealing with sophisticated frauds, especially when the perpetrators remain anonymous. Force and fraud are the very reason why we need a government.

      • Use Thunderbird or another mail client that does not strip or mangle the original headers (like Outlook does).

        It looks like your Thunderbird is configured to forward emails as attachments, but that is not the default setting, if I rememebr correctly.

        In Thunderbird, others may have to go to "Message" -> "Forward As" -> "Attachment".

        In Outlook 2003, I didn't find how to forward as attachment. You have to copy the headers from the properties window, and paste them in your forwarded message. Far too compl

        • Re: (Score:2)

          by _xeno_ ( 155264 )

          Tools, Options, Preferences (tab), E-mail Options, change "When forwarding a message" to "Attach original message."

          Note that I haven't actually checked to see if that really does attach the entire message, but it sure looks like it did. (Clicking Forward created a new email with the message attached, and opening the attachment I was able to get the full headers via the View, Options ("Options?" WTF?) menu item.

        • Re: (Score:3, Informative)

          by secolactico ( 519805 )
          In Outlook 2003, I didn't find how to forward as attachment. You have to copy the headers from the properties window, and paste them in your forwarded message. Far too complicated to explain over the phone to someone who doesn't have a clue

          Compose a new message, then drag the message you want to forward from the Inbox (or whatever folder) into the new message windows. That's it.

          If you want to see the headers of a message, open it and select "View" and "Options".

          I wish outlook had a "view source" like that

      • Re: (Score:2, Interesting)

        by galaad2 ( 847861 )
        for reporting spam in thunderbird just use the Okopipi extension

        https://addons.mozilla.org/thunderbird/2672/ [mozilla.org]

        it's great for reporting spam that gets through the spam filters.

        Can be used for reporting spam to SpamCop, the FTC, FDA, SEC, ACMA (Australia) and / or Knujon.com. It also allows you to put in your own custom addresses to report spam to such as your ISP or corporate abuse address.

        What i like about it is that it bunches all the spam in a single report mail with all the spam messages a

    • Re: (Score:2)

      by Animats ( 122034 )

      Exactly. Somewhere in the list of people who traded the stock in the week or two before the spam run are the ones responsible. They can be found; that's what the U.S. Government's Financial Crimes Information Network [fincen.gov] is for. If we have to have all this Big Brother stuff, we should get some benefit from it.

      Send those stock spams to SEC Enforcement. [mailto]

  • Hold On Here (Score:5, Funny)

    by eldavojohn ( 898314 ) * <eldavojohn@noSpAM.gmail.com> on Tuesday November 07, 2006 @03:12PM (#16755161) Journal
    Now, I know what you're going to say, you're going to say this is a dupe of last week's story, Bot Nets Behind Recent Spam Surge [slashdot.org], but it's not. You see, this is Aggressive Botnet Activities Behind Spam Incease. And it's no longer recent--it's a week old.

    So you can call this a dupe, but as you can see, this has clearly changed status from recent to aggressive. Or maybe like code orange to code red, DHS style.

    But please, feel free to karma whore the comments from the old discussion into this one. Seriously, anyone get any new information on this? We've got a named virus but is there anything else new?

    • How about, "Non-geeks beginning to be aware botnets behind spam increase" ?

      • This would require /. to be able to post from the future.

        The FAR future.

        How do you know a trojan threat is over? The "mundane" media covers it.
    • Not only that, but one story was about bots being behind and increase in spam, while the other is about bots being behind an incease in spam. Totally different topics.
  • I recommend "Duh" for this article.

  • I don't know who.. (Score:3, Insightful)

    by xENoLocO ( 773565 ) * on Tuesday November 07, 2006 @03:12PM (#16755169) Homepage
    ...is getting only 75% spam.

    Mine is more like 1 real email for every 200 spam messages...
    • Without filtering I would be in trouble.
      it I get maybe 5% spam? not too much.
      Every on-line contact has a unique e-mail address, i.e. slashdot.com.1@networkboy.net, once that is on too many spam lists I re-visit the address. If I still need that contact I update the profile and add a new address: slashdot.com.2@networkboy.net, and :blackhole: the old one.
      Naturally if I no longer need the contact (was for a one-time download and such), then off to :blackhole: it goes. Works awesome!
      All the addresses forwar

      • Re: (Score:3, Insightful)

        by Scutter ( 18425 )
        Unfortunately, you may not receive the spam, but it's still sent. It's still consuming network resources in the form of bandwidth and CPU time required to filter it. Right now, my company is filtering around 20,000 messages per day, and we're fairly small, with only around 75 mailboxes.

        • Re: (Score:3, Interesting)

          by garcia ( 6573 )
          I *never* received spam (not even to SpamAssassin). Then, within the last 8 days I have seen it go through the fucking roof. Not only is SpamAssassin ignoring these e-mails (they are registering 1.0 and 2.0) but many of them seem like worthless spam to me.

          If you're going to spam me at least try to sell me something.

          The best is that I'm getting the exact same spams, within seconds, on several mailboxes on different domains at once (work, GMail, and home).

          I can't ban their IP ranges fast enough and when I d
          • ... when I do I end up blocking stuff like my wife's work IPs.
            You're sleeping on the couch tonight!

          • Re: (Score:3, Interesting)

            by CodeBuster ( 516420 )
            If you're going to spam me at least try to sell me something.

            The worthless messages are an attempt to poison your spam filters by using many common business, home, and lifestyle related keywords (whether or not these messages are actually effective at confusing the Bayesian filters is an open question). The pitch for "Vla6|2a" and that can't lose stock market "opportunity" will be in a follow on message. It is sort of like in football where there is a lead blocker and fake handoffs to confuse the defens
        • Well, I've got only a dozen or so mailboxes, and I routinely get 20,000 spams every day. SpamAssassin catches the bulk of them, but 20-50 get through each day and have to be manually sifted.

          I'd love to describe my ideal spammer punishment, but it's NSFW.

        • Re: (Score:2)

          by AaronW ( 33736 )
          Only 20K? For a while I was getting 80-100K bounced emails a day because some spammer decided he liked my domain name. Anyway, I only have a handful of accounts I use. Fortunately, all the bounces were blocked by postfix as undeliverable and I didn't even notice the load on my super fast 333MHz Pentium 2 server (no, not fast but my load hovered around 0.05). Sadly, it did kill a couple firewall routers... I think all the logging killed the flash in one router, and the new one would usually crash and bur
        • My server is not spending the time filtering it. That's the point of :blackhole: no processing at all. comes to that address? gone.
          I realise that the bandwith is consumed, but I can't really help that. What I can do is ensure that it consumes as few other resources as possible.
          -nB

        • Re: (Score:2)

          by ncc74656 ( 45571 ) *

          Unfortunately, you may not receive the spam, but it's still sent.

          That may not be entirely true, depending on where and how the filtering is done. If you're using qmail and its rblsmtpd, an SMTP session from an RBL-listed host gets cut off with a 451 before the sender starts sending the message. The exchange looks something like this:

          220 alfter.us ESMTP
          HELO spammer.com
          250 alfter.us
          MAIL FROM: spammer@spammer.com
          250 ok
          RCPT TO: me@alfter.us
          451 Blocked - see http://www.spamcop.net/bl.shtml?65.54.1 [spamcop.net]

      • Re: (Score:2)

        by misleb ( 129952 )
        I never really understood why people go out of their way to create, delete, and otherwise hassle with "spam" accounts or dummy accounts when you can just have one address with good spam filtering. It just seems like a lot of unnecessary work. I run a Spamassassin gateway that catches nearly all SPAM (80% of all email is blocked). I don't have to worry about keeping my address secret. I use it all over the place. Forums, online transactions, and even Usenet. I see almost no spam. How could some convoluted ac
        • I never really understood why people go out of their way to create, delete, and otherwise hassle with "spam" accounts or dummy accounts when you can just have one address with good spam filtering. It just seems like a lot of unnecessary work. I run a Spamassassin gateway that catches nearly all SPAM (80% of all email is blocked). I don't have to worry about keeping my address secret. I use it all over the place. Forums, online transactions, and even Usenet. I see almost no spam. How could some convoluted ac

          • Re: (Score:2)

            by misleb ( 129952 )

            By using such 'spam' accounts to trap spam and feed it to your spam filter for learning?

            Still, why bother? I mean, unless you are developing SA rules or reporting to public blacklists. The default Spamassassin rules alone are pretty good. Add in SARE and some other public rules sets and you don't even need learning. I used to use bayesian learning but found that it was much more maintenance than it was worth. Quite the opposite of what I originally thought. I thought maintaining SA rules would be a pain,

        • Re: (Score:2)

          by Octorian ( 14086 )
          Reminds me of when I first installed SpamAssassin on my mail server :)

          Of course today, no matter what I do, the majority still gets through.

          • Re: (Score:2)

            by misleb ( 129952 )
            Reminds me of when I first installed SpamAssassin on my mail server :)

            Of course today, no matter what I do, the majority still gets through.


            Then your setup is broken. Works great here, even today. I did get a couple of the stock pump-n-dump scams a few days ago (possibly related to the botnet from the article), but a little tweaking took care of that.

            -matthew
    • ...is getting only 75% spam.

      Depends. On personal accounts I don't, but on generic emails like info@ and sales@ I get flooded. Keep in mind I've never used these emails to send people emails or register for forums or lists. The simply exist for automation for other things. Spam messages that don't match those automations don't come through.

      I should more than likely change them to something like sales-something123@ but the need isn't really there.

    • Re: (Score:2)

      by Pontiac ( 135778 )
      We are running about 90% spam here.. up from 80% a few months ago.

      Latest stats from the servers are
      5.5 connections a week.
      3 million rejected on Block Lists
      2 million caught by spam filters
      500,000 messages let through (still some spam in there too)

    • Re: (Score:2)

      by ncc74656 ( 45571 ) *

      Mine is more like 1 real email for every 200 spam messages...

      You need better spam filtering. I usually see no more than two or three spams a day in my inbox, usually for weight-loss snake oil. I don't see too many pump-and-dumpers; maybe they're being filtered out more successfully.

      That's not to say that my server isn't getting bombarded with spam. For the first half of today, qmail-smtpd recorded 1054 attempts at receiving a message from somebody. Of those, only 235 were let through as legit. I'

  • And human error behind typo "incease"!

  • dupe checking (Score:3, Insightful)

    by minus_273 ( 174041 ) <{aaaaa} {at} {SPAM.yahoo.com}> on Tuesday November 07, 2006 @03:19PM (#16755287) Journal
    sites like freerepublic avoid dupes like this by having a rule that the subject of the article be used for the posting. Then, checking for a dupe is just a matter of a search for the exact same subject. Its simple and works a lot better.

    • Re: (Score:3, Funny)

      by sootman ( 158191 )
      Actually, there are protections in place, but Aggressive Botnet Activities are Behind this Dupe Increase. You just can't fight numbers!
  • What i don't get is why spam is still an issue in this day and age of the internet.

    The reason behind spam is simple : it works.

    i mean.... it just goddamn works... why otherwise would company pay hundreds of thousands to defend themselves legally and invest in various ways to get to our inbox ?

    There are stupid people out there buying from those guys, or whatever product they are advertising.

    If you cut the money income, you cut the spam...

    instead of spending $$$ and time trying to prevent spam from arriving i

    • You ... you ... you COMMUNIST! (Score:5, Insightful)

      by Opportunist ( 166417 ) on Tuesday November 07, 2006 @03:39PM (#16755649)
      You mean educate people so they don't fall for scams? So they think for themselves? So they know that offers that are too good to be true can't be true?

      Are you nuts? Are you aware that this would mean to the market? People able and willing to compare prices before buying, people having used cars inspected before buying them, people informing themselves about the appliances they buy and who don't blindly believe the ads.

      Do you know just how many jobs hang on the fact that 99% of the people around are suckers, incapable of sorting out their own life?
      • haha, good reply there...

        there will always be a margin of idiots, that's just a fact of life, I myself am a complete idiot in the domain of (for instance) sailing so any seasoned sailor could probably tell me anything and I'd just take his word for it.

        but in the same way i p4wn my parents at gaming i get p4wned by my nephew (and niece...sigh). there are things that just transmit themselves with time.

        I agree with several replies to my post actually but i was trying to say that people just take spam as a part

    • Re: (Score:3, Insightful)

      by rduke15 ( 721841 )
      instead of spending $$$ and time trying to prevent spam from arriving in our inbox we should spend that money and time educating the crowd

      I see you don't know much about that part of "the crowd" who falls for the spammers/phishers/etc. tricks.

      Even if you could educate them all, new suckers are born every day.

      The sad thing about it is that among them, there are even nice and clever people, who just have the particularity to be ignorant and naive in front of a computer...

    • Re: (Score:2)

      by jfengel ( 409917 )
      You're trying to hold back the ocean with a broom on this one. Spam works only because the margins are so small. The emails are essentially free because they're using somebody else's computer to do the work. So it takes only a trivial response rate to make it worth their trouble to annoy every single person on the planet. (Well, at least the 20% or so of them with net access.)

      It is astonishing that anybody with an IQ high enough to operate a computer would buy v1@.gra, but the fact is the bell curve goes w
  • Everyone's aware of the excessive spamming on myspace. Hell, I almost think the powers at be at myspace are getting a kickback with the incredible abuse.

    But just yesterday I got a 419 email(but with French context, instead of Nigerian) on my Youtube messaging system. He/she even wrote back, regardless of the fact I posted a comment on the account saying "best 419 scammer ever!", that everyone can see.

    I'll be expecting facebook spam sometime soon. Er, maybe not.
    • There was already a wave of FB spam...that may still be going on. It's mostly in those "omgz this grup is huuuge! 100,000,000 awesome beer" groups, though, so I don't see it much. Also, they've got "sponsored" news feed items now.

      Facebook is starting to degenerate into myspace parte deux.

  • Not so much regular spam, but 419 (Score:3, Interesting)

    by dr_dank ( 472072 ) on Tuesday November 07, 2006 @03:33PM (#16755517) Homepage Journal
    Personally, I haven't seen an influx of the viagra/mortgage spam as much as I've seen a sharp increase in the number of 419 scam emails of varying degrees. One of them is an account that used to get spam only very rarely. I theorize that someone else on the email service fell for the scams and word got around that there are plenty of mugus ripe for the plucking if you spam this domain.

    Has anyone else seen a rise in the amount of this type of spam?

  • Time to pull the plug (Score:4, Insightful)

    by JohnnyGTO ( 102952 ) on Tuesday November 07, 2006 @03:36PM (#16755573) Homepage
    Its time we force ISPs to pull the plug on infected client machines or block entire ISPs. There is no valid argument to support end users who refuse to clean up their machines. The argument that either they are not responsible for the infection or are unable to clean their own machines is crap. If end users don't know how to maintain their equipment then perhaps they should be off the net.

    Look at a car as an example. If I refuse to do or pay for routine maintenance it will begin to create more and more pollution and use more and more fuel. Is it the manufactures job to fix it, no, is it the road builders job, no, is it the jerks that sold me crappy fuel, only if I can catch them. So when I fail smog tests I need to either quit using the car or pay to fix it. Might not be the best analogy.

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      We've had this argument OVER and OVER again. ISP's WILL NOT start knocking people off their nets. Why would they? They are the CUSTOMER !!! Let's see... I'm an ISP. I have LOTS of customers with spyware on their machines. They end up sending tons of emails. So I'll shut them off, lose some significant portion of them as customer, STOP GETTING PAID by them? And how exactly does this benefit me?

      It doesn't. If they are on dialup, the just sign up with another company. DSL? Sign up with another DSL

      • Re: (Score:2)

        by cr0sh ( 43134 )
        Read the TOS of your provider - most have language to the effect that if you (which I read as "the machine(s) which you control") use their service to send malicious or illegal content, or to use the system in a way which is detrimental to the network as a whole, that your service can be cut off. Sadly, despite this claim in the TOS, they rarely enforce it (because as you note, AC, it makes them money - even though bandwidth for such activity must be through the roof).

    • Look at a car as an example. If I refuse to do or pay for routine maintenance it will begin to create more and more pollution and use more and more fuel. Is it the manufactures job to fix it, no, is it the road builders job, no, is it the jerks that sold me crappy fuel, only if I can catch them. So when I fail smog tests I need to either quit using the car or pay to fix it.

      If most cars using a component from one manufacturer, say Visteon, began failing emissions tests three minutes after you started it f

    • Its time we force ISPs to pull the plug on infected client machines or block entire ISPs.

      Who compensates them for lost revenue? Let's say they have 1000 infected machines @ $30 / month and they kill them - That's over one-third-of-a-million dollars in lost revenue in one year.

    • Re: (Score:2)

      by mcrbids ( 148650 )
      You sir, have rediscovered the principle long known as the "blacklist", or "Realtime Black List" or RBL. There are quite a number of these: a quick google search [google.com] turns up well over 4 MILLION PAGES devoted to the subject of "rbl".

      Yes, us Mail Admins have been using these for years. And they work well, probably reducing load by some 70% or so. But they have their problems, and aren't 100% effective. If you block 70% of spam from a source of email that's 85% spam, you still have 50% of your inbox being spam. A

    • Re: (Score:2)

      by raddan ( 519638 )
      Yeah, here's the valid argument: common carrier status. ISPs are going to argue that it shouldn't be their responsiblity. This is where your analogy fails-- ISPs are the road; your machine is the car. LIke you said, the road builders have nothing to do with your shitty car.

      But yeah, SPAM is a scourge. We need to treat it like one. Microsoft desperately needs to clean up their act. Someone I met recently called Windows a "virus runtime environment". It got some chuckles, but it's also true.

      • Re: (Score:2)

        by ewhac ( 5844 )
        ISPs are the road; your machine is the car. LIke you said, the road builders have nothing to do with your shitty car.

        What if the car, instead of having normal rubber tires, has steel spikes that gouge holes out of the road, ruining it for everyone? Surely the road owner/steward would have something to say about allowing that car or "tires" of that type on the road.

        Schwab

    • Re: (Score:2, Interesting)

      by TropicalCoder ( 898500 )

      Its time we force ISPs to pull the plug on infected client machines or block entire ISPs

      Of course we have heard that the ISPs won't go after their own customers, but I have another idea. Why don't we simply bombard these ISPs with requests to please stop forwarding spam to us? I mean in a big way - as individuals through something like Blue Frog tried to do - not just a polite note from an upstream carrier. Has anyone considered that? Many of us were so encouraged by Blue Frog's efforts - until they got

  • I've been seeing over 80% SPAM in the last couple months. And that is just what is being blocked (spamassassin). The actual number is a little higher. Sad, really.

    -matthew

  • OT: why is everything a trap today? (Score:3, Informative)

    by Mateo_LeFou ( 859634 ) on Tuesday November 07, 2006 @03:51PM (#16755917) Homepage
    Is there a joke I'm not in on?

    • Re: (Score:3, Informative)

      by necro2607 ( 771790 )
      This page [x-entertainment.com] explains the "it's a trap" inside joke well enough, although I don't know what the deal is behind tagging comments with itsatrap today in particular.
  • [Note, this post is referring to the tags that can be found amongst others, on this article, so this is a general-issue post not an offtopic one. Thank you.]

    It's getting annoying that every article without any relevance gets tagged with "itsatrap". The "fud" tag is grossly overused aswell, but at least it can be perceived as mostly applicable. I'm suggesting, to conform with slashdot grammar, to counter-tag every article that has an irrelevant "itsatrap" tags with "notsatrap".
  • What's behind the increase in link spam on blogs/message boards?
  • I love the way they say spammers are gearing up for the holiday season. Man, if I get nothing but viagra and penny stocks for Christmas, I'm going to be upset.

  • I've been inundated so heavily and for so long, I don't remember a time when I only got three spams out of every four emails. I recently tried outsourcing my anti-spam filtering to a third-party supplier. That supplier proxies the SMTP connections and closes them when it detects spam, as opposed to most outsourcers, who store-and-forward the messages.

    Because my mail gateways couldn't handle the crushing load of spam I was seeing, I'd hoped that this outsourcer would save me. I was wrong. It turned out

    • Re: (Score:2)

      by Pontiac ( 135778 )
      We run a Clustered pair of St Bernard ePrism 2000's..
      I wish we had 3 of em.. The load gets a bit high at peak mail hours.

      Out latest numbers are
      5.5 million connections a week
      3 million rejected by block lists
      2 million by spam filters
      500,000 sent through (still a little spam in there)

      Our post lunch spike is about 40k pr hour but peak mailfow is the 1am spam fest at 80k pr hour.
  • Ah, that would be same Messagelabs that inundates me with backscatter spam [wikipedia.org].

  • Block email from Windows (Score:3, Interesting)

    by rohanl ( 152781 ) on Tuesday November 07, 2006 @06:02PM (#16758531)
    Since all this extra spam is coming from botnets running on Windows, just block all email coming directly from a Windows box. I've been experimenting with host fingerprinting using p0f

        http://lcamtuf.coredump.cx/p0f.shtml [coredump.cx]

    From this I can see that almost all spam comes from Windows. I'm in the process of configuring my postfix server so it will just reject any mail from a Windows box.

    The only false positives I've seen so far, is a handful of legitimate emails that come from Windows Server 2003, so I may exempt that...

    Note: I'm not advocating blocking email from Windows users, just email coming directly from a Windows box. If a windows user sends email through their ISP's mail server, it will get thrugoh just fine.

    • Re: (Score:2, Interesting)

      by ttul ( 193303 ) *
      For personal usage, this is a reasonable technique. Our research has shown that 95% of deliveries from Windows machines are spam. However, if you are considering using fingerprinting in a business or service provider setting, rejecting connections from Windows machines is a bad bad horrible idea. Microsoft Exchange is run by almost as many companies as Sendmail these days (trust me, we've surveyed 400,000 mail servers [networkworld.com] to determine this). Blocking them all will result in many unhappy end users.

      However...
  • I was wondering what if someone setup "Bot Bait". That is, put a PC out on the Internet completely unprotected and let it get infected with a wide variety of spambots.

    Then, you watch to see who is attempting to control the bots. Someone, somewhere must be sending the "attack!" command, and maybe you could trace the command back the origin of the perpetrator. Gather some evidence, and bring the long arm of the law upon the dude.

    If you can't touch the perpetrator, you could start taking down his botnet. Once
  • Thank god there are so many fine young programmers out there (usually East European or Russian) who are using their great skills to make life a little bit more miserable. Spaciba!

  • My server uses fairly sophisticated set of anti-spam defenses and most of the crap gets rejected. But the hi-jacked IP addresses keep coming back.

    There is ought to be a way to notify their abuse-departments quickly and automatically (better than SpamCop).

    Perhaps, by sending syslog messages their way? They will then be able to capture a bit of outgoing SMTP-traffic of the accused IP, analyze it (using a Bayesian-based method, for example), and block the SMTP-traffic, if the analysis confirms the complain

Slashdot Top Deals

The rule on staying alive as a program manager is to give 'em a number or give 'em a date, but never give 'em both at once.

Close