Aggressive Botnet Activities Behind Spam Increase 194
An anonymous reader writes, "A spam-sending Trojan dubbed 'SpamThru' is responsible for a vast amount of the recent botnet activity which has significantly increased spam levels to almost three out of every four emails. The developers of SpamThru employed numerous tactics to thwart detection and enhance outreach, such as releasing new strains of the Trojan at regular intervals in order to confuse traditional anti-virus signature detection." According to MessageLabs (PDF), another contributor to the recent spam increase is a trojan dropper called "Warezov."
Someone's making a lot of money from this (Score:5, Interesting)
Like many others, SpamThru first showed up on my radar a few weeks ago when a massive pump-and-dump stock spam [shaunc.com] campaign flooded the inboxes of just about everyone who uses email. They're still at it today, now pumping for ticker EGLY. There's no doubt in my mind that it's the same group of folks responsible for the initial run. All of these spam runs are coming solely through botnets, and the messages - and patterns of messages - share some obvious characteristics.
SpamThru and the recent barrage of stock scams are inextricably linked, I have no doubt about it. If and when the SEC investigates suspicious trading activity surrounding some of these stocks, they're likely to discover a trail that leads them straight to the folks responsible for SpamThru.
Re: (Score:2)
Re:Someone's making a lot of money from this (Score:4, Insightful)
enforcement@sec.gov (Score:5, Informative)
Forward the message to mailto:enforcement@sec.gov [mailto]. Use Thunderbird or another mail client that does not strip or mangle the original headers (like Outlook does).
The SEC will devote significant resources investigating and often prosecuting the people who are behind these scams.
Re:enforcement@sec.gov (Score:5, Informative)
But I seriously doubt the SEC will be interested in the origin of the SPAM. More likely they will do an audit on the fraudulent symbol. It usually is much more effective than tracing the origin of the spam, and it is more likely asses will get busted and the criminals (the people who profit from the poor schmucks buying the stock) will get sent to jail.
Nevertheless, if you want to report any spam, use spamcop so we can mitigate the damage done from the source before it pumps more shit onto the net.
Re: (Score:3, Interesting)
I am not familiar with OLSpamCop, as I do not use Outlook. I am familiar with SpamCop, and how they need the detail in the headers to be intact, so I would guess that this is a workable solution.
If we take the profit out of spam, we will see less spam. To date, pump and dump spam bombs work, so the scammers continue to hire spammers to flood our inboxes. Without getting caught, the risk to scammer and spammer is zero. With the SEC pursuing the scammers, the scam becomes less profitable due to the increase
Re: (Score:2)
Re: (Score:2)
I understand the sentiment... but, isn't it usually our complaint that they poke thumbs into too many pies that would be better left to market forces?
Remember, market forces (and 'tit for tat' in general) have a tough time dealing with sophisticated frauds, especially when the perpetrators remain anonymous. Force and fraud are the very reason why we need a government.
(offtopic) sending attachments (Score:2)
It looks like your Thunderbird is configured to forward emails as attachments, but that is not the default setting, if I remember correctly.
In Thunderbird, others may have to go to "Message" -> "Forward As" -> "Attachment".
In Outlook 2003, I didn't find how to forward as attachment. You have to copy the headers from the properties window, and paste them in your forwarded message. Far too compl
Re: (Score:2)
Tools, Options, Preferences (tab), E-mail Options, change "When forwarding a message" to "Attach original message."
Note that I haven't actually checked to see if that really does attach the entire message, but it sure looks like it did. (Clicking Forward created a new email with the message attached, and opening the attachment I was able to get the full headers via the View, Options ("Options?" WTF?) menu item.
Re: (Score:3, Informative)
Compose a new message, then drag the message you want to forward from the Inbox (or whatever folder) into the new message window. That's it.
If you want to see the headers of a message, open it and select "View" and "Options".
I wish outlook had a "view source" like that
Re: (Score:2, Interesting)
https://addons.mozilla.org/thunderbird/2672/ [mozilla.org]
it's great for reporting spam that gets through the spam filters.
Can be used for reporting spam to SpamCop, the FTC, FDA, SEC, ACMA (Australia) and / or Knujon.com. It also allows you to put in your own custom addresses to report spam to such as your ISP or corporate abuse address.
What i like about it is that it bunches all the spam in a single report mail with all the spam messages a
Re: (Score:2)
Exactly. Somewhere in the list of people who traded the stock in the week or two before the spam run are the ones responsible. They can be found; that's what the U.S. Government's Financial Crimes Information Network [fincen.gov] is for. If we have to have all this Big Brother stuff, we should get some benefit from it.
Send those stock spams to SEC Enforcement. [mailto]
Don't blame the victim! (Score:5, Insightful)
Um, and do you also think scantily clad women deserve to get raped?
A pump and dump scheme simply selects a stock with the right combination of price and volume that they think they can manipulate.
Take the EGLY.OB example (heh, it's up 6% right now). It is a low priced (under a dollar) stock, so lots of shares are cheap. It has sufficient volume (100K shares/day) to be useful. If it is too thinly traded you can't accumulate shares on the cheap. If the volume is too high, the market will keep the dumpers' shares low.
So, the spammers are doing a buy-low, "advertise" (pump it up), sell-high (dump) campaign. The particular stock selected was probably just a result of a screen for the desired trading properties.
The company whose stock is manipulated (most likely) had nothing to do with it.
Re: (Score:2)
so when are we gonna see SCOX in these spam schemes???
Re: (Score:3, Funny)
THIS ST()CK is READY TO POP!!!
EGLY.OB IS ABOUT TO BLOW YOUR MINDS!
WATCH OUT HERE IT COMES!
DONT BE LEFT OUT!
Re:Someone's making a lot of money from this (Score:5, Funny)
Hot Stocks-Investor ALERT!!!
SYMBOL: MSFT
Timing is everything!
Profits of 300-400 % EXPECTED
TRADING SYMBOL: MSFT
Opening Price: $28.93
10 Day Target: $66.66
Re: (Score:2)
Re: (Score:2, Insightful)
If spammers can't broadcast commands to their networks there'd be no use in having them. And blocking incoming requests also dramatically limits the number of computers to which a bot can "phone home" to GET commands, which in turn lets them target the command and control IPs.
Given the choice of blocking the occasional geek who's too cheap to spen
Re: (Score:2, Informative)
MS does not have any 'responsibility' to make sure nobody using their OS is up to no good. Nor should they. If the precedent is set that you are responsible for what people ultimately do with your product, nobody will ever make anything ever again, fearing litigation. The fact that they are a monopoly is i
Re: (Score:2)
Too late. The precedent has already been set with the tobacco companies, and sooner or later, gun manufacturers are next. Also, before you mod me as troll or flame me about the "tobacco companies knowing their product was bad", which most certainly seems true based on what I have read - the users of said product simply cannot claim that they didn't
Re: (Score:2)
It's not the bots...it's the protocol (Score:4, Interesting)
IMHO it ultimately comes down to fixing SMTP.
John
Re:It's not the bots...it's the protocol (Score:4, Insightful)
You are absolutely correct - the real question is, will we fix it (meaning us geeks and maintainers of the internet to develop and implement a new and more secure mail protocol and roll it out internetwork-wide, and fast), or will we wait for the government to fix it (whatever that means in an international arena, of course)?
One choice leads to the furtherance of the core values of an open, but secure, internet. The other may lead to a broken design, corruption, and a failing system that does nothing to help curb the problem, and may make it worse. I leave it to you (and the future) to decide which falls where...
Catch 22 (Score:2)
You're throwing out legitimate email either way.
Re: (Score:2)
The term you're looking for but not actually using is Pigovian tax [wikipedia.org] - making people pay for the true cost of their activities.
Of course, as Pigou observed, "we seldom know enough to decide in what fields and to what extent the State, on account of [the gaps between private and public costs] could interfere with individual choice." Is t
Re: (Score:2)
The more I think about this however the more I think it should be done like car insurance. To get an IP address you should pay a spam protection fee. Then you get citations for bad behaviour. Running an open relay, 2 demerits. Running Windows, 1 demerit. Actually spamm
Make Spamming too Costly to be Practical (Score:3, Interesting)
Hold On Here (Score:5, Funny)
So you can call this a dupe, but as you can see, this has clearly changed status from recent to aggressive. Or maybe like code orange to code red, DHS style.
But please, feel free to karma whore the comments from the old discussion into this one. Seriously, anyone get any new information on this? We've got a named virus but is there anything else new?
Re: (Score:2)
How about, "Non-geeks beginning to be aware botnets behind spam increase" ?
Re: (Score:2)
The FAR future.
How do you know a trojan threat is over? The "mundane" media covers it.
Re: (Score:2)
This needs a tag. (Score:2)
Re:This needs a tag. (Score:4, Informative)
Re: (Score:2)
the only tag showing for me is !itsatrap.
So how do you get rid of !itsatrap? (Score:3, Funny)
I don't know who.. (Score:3, Insightful)
Mine is more like 1 real email for every 200 spam messages...
Re: (Score:2)
it I get maybe 5% spam? not too much.
Every on-line contact has a unique e-mail address, i.e. slashdot.com.1@networkboy.net, once that is on too many spam lists I re-visit the address. If I still need that contact I update the profile and add a new address: slashdot.com.2@networkboy.net, and
Naturally if I no longer need the contact (was for a one-time download and such), then off to
All the addresses forwar
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
If you're going to spam me at least try to sell me something.
The best is that I'm getting the exact same spams, within seconds, on several mailboxes on different domains at once (work, GMail, and home).
I can't ban their IP ranges fast enough and when I d
Re: (Score:2)
Re: (Score:3, Interesting)
The worthless messages are an attempt to poison your spam filters by using many common business, home, and lifestyle related keywords (whether or not these messages are actually effective at confusing the Bayesian filters is an open question). The pitch for "Vla6|2a" and that can't-lose stock market "opportunity" will be in a follow-on message. It is sort of like in football where there is a lead blocker and fake handoffs to confuse the defens
Re: (Score:2)
I'd love to describe my ideal spammer punishment, but it's NSFW.
Re: (Score:2)
Re: (Score:2)
I realise that the bandwidth is consumed, but I can't really help that. What I can do is ensure that it consumes as few other resources as possible.
-nB
Re: (Score:2)
That may not be entirely true, depending on where and how the filtering is done. If you're using qmail and its rblsmtpd, an SMTP session from an RBL-listed host gets cut off with a 451 before the sender starts sending the message. The exchange looks something like this:
220 alfter.us ESMTP
HELO spammer.com
250 alfter.us
MAIL FROM: spammer@spammer.com
250 ok
RCPT TO: me@alfter.us
451 Blocked - see http://www.spamcop.net/bl.shtml?65.54.1 [spamcop.net]
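The exchange above shows why an envelope-stage blocklist check is cheap: the listed host gets as far as RCPT TO and is turned away with a temporary 451 before any message body is transmitted, so nothing is stored or content-filtered. The script below is an added example, not code from this thread or from qmail/rblsmtpd. It builds the reversed-octet DNSBL query name the way a real client does, but resolves it against a constructed in-memory zone (bl.example.invalid, with 192.0.2.10 listed) so it runs offline, and it simulates the SMTP dialogue for a listed and an unlisted client; the hostnames and addresses are all constructed.

```python
"""Envelope-stage DNSBL rejection, in the style of qmail's rblsmtpd.

Added example; not code from the thread, qmail or rblsmtpd. The blocklist
zone is a constructed in-memory table (bl.example.invalid) so the script
runs offline; a real client resolves the reversed-IP name with DNS and treats
any A record (typically 127.0.0.x) as a listing.
"""
import ipaddress

FAKE_ZONE = "bl.example.invalid"          # constructed DNSBL zone name
FAKE_LISTINGS = {                          # constructed zone contents
    "10.2.0.192.bl.example.invalid": "127.0.0.2",   # 192.0.2.10 is "listed"
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client looks up: IPv4 octets reversed, under the zone."""
    addr = ipaddress.IPv4Address(ip)       # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, zone: str = FAKE_ZONE, resolver=None) -> bool:
    """True if the zone has a record for this IP (resolver defaults to the fake table)."""
    resolver = FAKE_LISTINGS.get if resolver is None else resolver
    return resolver(dnsbl_query_name(ip, zone)) is not None


def run_session(client_ip, client_lines, zone=FAKE_ZONE, resolver=None):
    """Drive a minimal SMTP dialogue; return (transcript, body_bytes_accepted).

    A listed client still gets 250 for HELO and MAIL FROM, but RCPT TO is
    answered 451 (temporary failure) and DATA is never entered, so no message
    body crosses the wire and nothing has to be stored or content-filtered.
    """
    listed = is_listed(client_ip, zone, resolver)
    transcript = ["220 mx.example.invalid ESMTP"]
    have_rcpt = in_data = False
    body = []
    for line in client_lines:
        if in_data:                        # message body until a lone "."
            if line == ".":
                in_data = False
                transcript.append("250 ok queued")
            else:
                body.append(line)
            continue
        transcript.append(line)
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            reply = "250 mx.example.invalid"
        elif verb == "MAIL":
            reply = "250 ok"
        elif verb == "RCPT":
            if listed:
                reply = f"451 Blocked - see http://{zone}/lookup?{client_ip}"
            else:
                have_rcpt = True
                reply = "250 ok"
        elif verb == "DATA":
            if have_rcpt:
                in_data = True
                reply = "354 go ahead"
            else:
                reply = "503 no valid recipients"
        elif verb == "QUIT":
            reply = "221 bye"
        else:
            reply = "502 unimplemented"
        transcript.append(reply)
    return transcript, sum(len(l) + 2 for l in body)   # +2 for CRLF


# Constructed client dialogue mirroring the exchange quoted above.
SAMPLE_DIALOGUE = [
    "HELO spammer.example",
    "MAIL FROM:<spammer@spammer.example>",
    "RCPT TO:<me@example.invalid>",
    "DATA",
    "Subject: test message",
    "",
    "body line",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        transcript, accepted = run_session(ip, SAMPLE_DIALOGUE)
        print(f"--- client {ip}: {accepted} body bytes accepted")
        print("\n".join(transcript))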
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Still, why bother? I mean, unless you are developing SA rules or reporting to public blacklists. The default Spamassassin rules alone are pretty good. Add in SARE and some other public rules sets and you don't even need learning. I used to use Bayesian learning but found that it was much more maintenance than it was worth. Quite the opposite of what I originally thought. I thought maintaining SA rules would be a pain,
Re: (Score:2)
Of course today, no matter what I do, the majority still gets through.
Re: (Score:2)
Then your setup is broken. Works great here, even today. I did get a couple of the stock pump-n-dump scams a few days ago (possibly related to the botnet from the article), but a little tweaking took care of that.
-matthew
Re: (Score:2)
only have to do that about once a quarter or so.
-nB
Re: (Score:2)
Depends. On personal accounts I don't, but on generic emails like info@ and sales@ I get flooded. Keep in mind I've never used these emails to send people emails or register for forums or lists. They simply exist for automation for other things. Spam messages that don't match those automations don't come through.
I should more than likely change them to something like sales-something123@ but the need isn't really there.
Re: (Score:2)
Latest stats from the servers are
5.5 connections a week.
3 million rejected on Block Lists
2 million caught by spam filters
500,000 messages let through (still some spam in there too)
Re: (Score:2)
You need better spam filtering. I usually see no more than two or three spams a day in my inbox, usually for weight-loss snake oil. I don't see too many pump-and-dumpers; maybe they're being filtered out more successfully.
That's not to say that my server isn't getting bombarded with spam. For the first half of today, qmail-smtpd recorded 1054 attempts at receiving a message from somebody. Of those, only 235 were let through as legit. I'
Re: (Score:2)
human error (Score:2, Funny)
dupe checking (Score:3, Insightful)
Re: (Score:3, Funny)
What i don't get (Score:2)
The reason behind spam is simple : it works.
i mean.... it just goddamn works... why otherwise would company pay hundreds of thousands to defend themselves legally and invest in various ways to get to our inbox ?
There are stupid people out there buying from those guys, or whatever product they are advertising.
If you cut the money income, you cut the spam...
instead of spending $$$ and time trying to prevent spam from arriving i
You ... you ... you COMMUNIST! (Score:5, Insightful)
Are you nuts? Are you aware what this would mean to the market? People able and willing to compare prices before buying, people having used cars inspected before buying them, people informing themselves about the appliances they buy and who don't blindly believe the ads.
Do you know just how many jobs hang on the fact that 99% of the people around are suckers, incapable of sorting out their own life?
Re: (Score:2)
there will always be a margin of idiots, that's just a fact of life, I myself am a complete idiot in the domain of (for instance) sailing so any seasoned sailor could probably tell me anything and I'd just take his word for it.
but in the same way i p4wn my parents at gaming i get p4wned by my nephew (and niece...sigh). there are things that just transmit themselves with time.
I agree with several replies to my post actually but i was trying to say that people just take spam as a part
Re: (Score:3, Insightful)
I see you don't know much about that part of "the crowd" who falls for the spammers/phishers/etc. tricks.
Even if you could educate them all, new suckers are born every day.
The sad thing about it is that among them, there are even nice and clever people, who just have the particularity to be ignorant and naive in front of a computer...
Re: (Score:2)
It is astonishing that anybody with an IQ high enough to operate a computer would buy v1@.gra, but the fact is the bell curve goes w
MOD UP (Score:3, Insightful)
It's not the people trying to sell the crap that are the real issue, its the middle-men who sell the dream of "internet marketing".
Moreover, I blame those "Work at Home, make Million$" ads you see in magazines and on TV; these are essentially proxies for Internet marketing and the people who do well in those jobs turn to botnets and other illegitimate means. Meanwhile the parent marketing company can distance themselves from them, calling them "consultants" when peo
Spam not just in email anymore (Score:2)
But just yesterday I got a 419 email(but with French context, instead of Nigerian) on my Youtube messaging system. He/she even wrote back, regardless of the fact I posted a comment on the account saying "best 419 scammer ever!", that everyone can see.
I'll be expecting facebook spam sometime soon. Er, maybe not.
Re:FB (Score:2)
Facebook is starting to degenerate into myspace parte deux.
Not so much regular spam, but 419 (Score:3, Interesting)
Has anyone else seen a rise in the amount of this type of spam?
Re: (Score:2)
The latter poses as a legit job doing payment processings where checks come in with the understanding that they are deposited, a percentage skimmed as a commission, and the remainder wired back to your "employers". Never mind that the checks are either bogus an
Time to pull the plug (Score:4, Insightful)
Look at a car as an example. If I refuse to do or pay for routine maintenance it will begin to create more and more pollution and use more and more fuel. Is it the manufacturer's job to fix it, no, is it the road builder's job, no, is it the jerks that sold me crappy fuel, only if I can catch them. So when I fail smog tests I need to either quit using the car or pay to fix it. Might not be the best analogy.
Re: (Score:2, Insightful)
It doesn't. If they are on dialup, they just sign up with another company. DSL? Sign up with another DSL
Re: (Score:2)
Re: (Score:2)
Look at a car as an example. If I refuse to do or pay for routine maintenance it will begin to create more and more pollution and use more and more fuel. Is it the manufacturer's job to fix it, no, is it the road builder's job, no, is it the jerks that sold me crappy fuel, only if I can catch them. So when I fail smog tests I need to either quit using the car or pay to fix it.
If most cars using a component from one manufacturer, say Visteon, began failing emissions tests three minutes after you started it f
Re: (Score:2)
But I still think people should be held responsible, people should realize that there is a problem with their computer when a million pop-ups flood their screen or their computer starts moving like molasses in January.
Why? That is normal. Should people realize there is a problem when their TV shows are interrupted every 15 minutes by ads?
People assume a free market is operating because the US economy is founded on this and technically, our laws are supposed to be ensuring that it is happening. They incor
Re: (Score:2)
Normal? Hardly, first pop-up my dad had on his Dell had him on the phone to me for support.
If you take a random sampling of home computer users, something like 80% of them will be using IE on Windows and they will be getting pop-ups regularly. Half of them will be infected with some sort of malware. When these people go talk to each other, pop-ups and malware symptoms are normal behavior for modern computers.
TV ads are used to support the medium and have been with us as such almost from the beginning.
Re: (Score:2)
Well most of the people I speak with seem aware they have a problem, they know that web pages and pop-ups are happening outside of their control.
Sure, but they don't know how to avoid having that condition recur or even if it can be changed.
Spambots, spam and pop-ups at best represent the least desirable part of ad revenue, at worst they are a criminal enterprise and should be treated as such.
Sure, but that does not address why people don't move to better solutions that protect them from these undes
Re: (Score:2)
When swen hit my server (by name), Microsoft covered my bandwidth bill to my provider. The interesting thing is swen is still out there abusing my DNS server.
The law in most countries says that Microsoft should recall their buggy software.
Re: (Score:2)
Who compensates them for lost revenue? Let's say they have 1000 infected machines @ $30 / month and they kill them - That's over one-third-of-a-million dollars in lost revenue in one year.
Re: (Score:2)
Yes, us Mail Admins have been using these for years. And they work well, probably reducing load by some 70% or so. But they have their problems, and aren't 100% effective. If you block 70% of spam from a source of email that's 85% spam, you still have 50% of your inbox being spam. A
Re: (Score:2)
But yeah, SPAM is a scourge. We need to treat it like one. Microsoft desperately needs to clean up their act. Someone I met recently called Windows a "virus runtime environment". It got some chuckles, but it's also true.
Re: (Score:2)
What if the car, instead of having normal rubber tires, has steel spikes that gouge holes out of the road, ruining it for everyone? Surely the road owner/steward would have something to say about allowing that car or "tires" of that type on the road.
Schwab
Re: (Score:2, Interesting)
It's time we force ISPs to pull the plug on infected client machines or block entire ISPs
Of course we have heard that the ISPs won't go after their own customers, but I have another idea. Why don't we simply bombard these ISPs with requests to please stop forwarding spam to us? I mean in a big way - as individuals through something like Blue Frog tried to do - not just a polite note from an upstream carrier. Has anyone considered that? Many of us were so encouraged by Blue Frog's efforts - until they got
"Almost" three out of four? (Score:2)
-matthew
OT: why is everything a trap today? (Score:3, Informative)
Re: (Score:3, Informative)
"Itsatrap" tagging (Score:2)
It's getting annoying that every article without any relevance gets tagged with "itsatrap". The "fud" tag is grossly overused as well, but at least it can be perceived as mostly applicable. I'm suggesting, to conform with slashdot grammar, to counter-tag every article that has an irrelevant "itsatrap" tag with "notsatrap".
Link Spambots (Score:2)
I love the way.... (Score:2)
96% of my mail is spam (Score:2)
I've been inundated so heavily and for so long, I don't remember a time when I only got three spams out of every four emails. I recently tried outsourcing my anti-spam filtering to a third-party supplier. That supplier proxies the SMTP connections and closes them when it detects spam, as opposed to most outsourcers, who store-and-forward the messages.
Because my mail gateways couldn't handle the crushing load of spam I was seeing, I'd hoped that this outsourcer would save me. I was wrong. It turned out
Re: (Score:2)
I wish we had 3 of em.. The load gets a bit high at peak mail hours.
Our latest numbers are
5.5 million connections a week
3 million rejected by block lists
2 million by spam filters
500,000 sent through (still a little spam in there)
Our post lunch spike is about 40k per hour but peak mailflow is the 1am spam fest at 80k per hour.
Messagelabs (Score:2)
Block email from Windows (Score:3, Interesting)
http://lcamtuf.coredump.cx/p0f.shtml [coredump.cx]
From this I can see that almost all spam comes from Windows. I'm in the process of configuring my postfix server so it will just reject any mail from a Windows box.
The only false positives I've seen so far, is a handful of legitimate emails that come from Windows Server 2003, so I may exempt that...
Note: I'm not advocating blocking email from Windows users, just email coming directly from a Windows box. If a Windows user sends email through their ISP's mail server, it will get through just fine.
Re: (Score:2, Interesting)
However...
Re: (Score:2)
But how many of them are running Exchange on Windows 98?
I agree that this may be a bit extreme for an ISP/business mail server, but I am doing this for my own personal domain. For a commercial server, you could use the fingerprinting to add an X-HostFingerprint header, and use that in your existing spam filtering to increase the spam score.
I'm still in the process of collecting statistics on this, before I flick the switch. But as I sai
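The fingerprint-header idea in this subthread (tag, rather than reject, mail whose connecting host is passively fingerprinted as a desktop OS, leaving the scoring to the spam filter so legitimate Windows Server senders are not lost) can be wired into Postfix through a policy service. The following is an added example, not the commenter's configuration and not code from Postfix or p0f. The Postfix policy protocol (name=value lines ended by a blank line, answered with an action= line) and its PREPEND action are real; the fingerprint table, the OS labels in it, the addresses, and the port 10040 are constructed assumptions standing in for a live p0f query.

```python
"""Postfix SMTPD policy service that tags mail with a passive OS fingerprint.

Added example, not the commenter's configuration and not Postfix or p0f code.
What is real: Postfix sends a policy service "name=value" lines ended by an
empty line and expects an "action=..." reply ended by an empty line, and the
PREPEND action adds a header to the message. What is constructed: the
fingerprint table below stands in for a query to p0f, and its OS labels,
the IP addresses and the listening port are made up for illustration.
"""
import socketserver

# Constructed stand-in for p0f results, keyed by connecting IP (doc ranges).
FAKE_FINGERPRINTS = {
    "192.0.2.10": "Windows XP",
    "192.0.2.20": "Windows 2003",
    "198.51.100.5": "Linux 2.6",
}


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request: name=value lines up to a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        attrs[name] = value
    return attrs


def lookup_fingerprint(ip: str, table=None) -> str:
    """Return the OS guess for an IP, 'unknown' if the fingerprinter has none."""
    table = FAKE_FINGERPRINTS if table is None else table
    return table.get(ip, "unknown")


def decide(attrs: dict, table=None) -> str:
    """Return the Postfix action for one request.

    The fingerprint is only advisory: nothing is rejected here, because
    legitimate mail servers also run on Windows. PREPEND puts the guess in a
    header so the spam filter can weigh it with everything else it knows.
    Mail relayed through an ISP's server carries the relay's fingerprint,
    not the end user's, so ordinary users are unaffected.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"                      # not an access decision; leave alone
    guess = lookup_fingerprint(attrs.get("client_address", ""), table)
    # Keep the header value printable ASCII so the PREPEND line stays well-formed.
    safe = "".join(ch for ch in guess if 32 <= ord(ch) < 127)
    return f"PREPEND X-HostFingerprint: {safe}"


def handle_request(raw: str, table=None) -> str:
    """Wire-level reply for one request (Postfix expects action=...\\n\\n)."""
    return "action=" + decide(parse_policy_request(raw), table) + "\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve Postfix over TCP; point check_policy_service at inet:127.0.0.1:10040."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return                  # client closed the connection
                line = line.decode("ascii", "replace").rstrip("\r\n")
                lines.append(line)
                if line == "":
                    break
            self.wfile.write(handle_request("\n".join(lines)).encode("ascii"))


# Constructed request, as Postfix would send it at the RCPT stage.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "client_name=unknown\n"
    "sender=someone@example.net\n"
    "recipient=me@example.invalid\n"
    "\n"
)

if __name__ == "__main__":
    print(handle_request(SAMPLE_REQUEST), end="")
    # To serve Postfix for real (port is an assumption):
    # socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

To use it, add `check_policy_service inet:127.0.0.1:10040` to `smtpd_recipient_restrictions` in main.cf and run the server; SpamAssassin can then score on the prepended header with an ordinary `header` rule, which keeps the fingerprint one signal among many instead of a hard block.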
Gotta Question... (Score:2)
Then, you watch to see who is attempting to control the bots. Someone, somewhere must be sending the "attack!" command, and maybe you could trace the command back to the origin of the perpetrator. Gather some evidence, and bring the long arm of the law upon the dude.
If you can't touch the perpetrator, you could start taking down his botnet. Once
Hard working hackers (Score:2)
Instant feedback to the ABUSE-departments... (Score:2)
My server uses a fairly sophisticated set of anti-spam defenses and most of the crap gets rejected. But the hi-jacked IP addresses keep coming back.
There ought to be a way to notify their abuse-departments quickly and automatically (better than SpamCop).
Perhaps, by sending syslog messages their way? They will then be able to capture a bit of outgoing SMTP-traffic of the accused IP, analyze it (using a Bayesian-based method, for example), and block the SMTP-traffic, if the analysis confirms the complain
Re: (Score:2)
Given how fat Americans are becoming, I'd think a little slimming would do us some good.
Oh, you meant slimed!
Re: (Score:2)
Re: (Score:2)
I'm the mail admin at a university.
>Our spam percentage over the past year has climbed from about 80% to 91.7% this past month (October 2006)
We only accepted 9.25% of attempts to send mail to our domains in October.
Figures for this year are:
Month   Rejected   Virus   Accepted   Total     % Accepted
Jan     1537406    21956   462832     2022194   22.89%
Feb     1570777    11907   532155     2114839   25.16%
Mar     1566575    14544   649630     2230749   29.12%
Apr     1807829