
Spammers Moving To Disposable Domains

timothy posted more than 4 years ago | from the filling-up-our-landfills dept.

Spam 147

Trailrunner7 writes "Spammers and the botnet operators they're allied with are continuing to adapt their techniques to evade security technologies, and now are using what amount to disposable domains for their activities. A new report shows that the spammers are buying dozens of domains at a time and moving from one to another as often as several times a day to prevent shutdowns. New research shows that the amount of time that a spammer uses a given domain is basically a day or less. The company looked at 60 days' worth of data from their customers and found that more than 70 percent of the domains used by spammers are active for a day or less."


147 comments


Good, it's costing them money (2, Interesting)

Anonymous Coward | more than 4 years ago | (#32903764)

Assuming they're not "tasting" it's going to cost them about $10 a pop.

Re:Good, it's costing them money (5, Insightful)

fifedrum (611338) | more than 4 years ago | (#32903860)

except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

Re:Good, it's costing them money (4, Insightful)

Ambiguous Puzuma (1134017) | more than 4 years ago | (#32904962)

except they're using disposable stolen credit cards to pay for it, so really, they don't care about the $10 a pop.

Not sure why parent is modded funny; there is likely a lot of truth to it. Sony Online Entertainment discovered this [gamasutra.com] :

It isn't just issues of game balance and gold farming, Smedley says. "We're seeing a lot of stolen credit cards. Say you buy gold from a service in China -- you may not know it's in China, but you give them your credit card and buy gold only once. They use these credit card numbers to set up new accounts in these games. They buy an EverQuest account key, farm for a month, and then charge it back to the stolen credit card."

And this isn't just damaging to the consumer. "What happens is that over time, as that rate of chargebacks rises, we start getting fined. We have been fined over a million dollars since June. That's not the chargebacks themselves -- just the chargeback fine. It's brutal; it's the dirty little secret of the industry."

These temporary accounts, paid for with stolen credit cards, are additionally used to spam in-game (although spam filtering has improved the situation significantly).

It would not surprise me in the least if this applied to temporary domain registration for spam/malware purposes as well.

Re:Good, it's costing them money (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#32905092)

Probably just a mis-click. You'll notice Slashdot also gave him 40% Insightful, 30% Interesting and 30% Funny, yet somehow it shows up labelled as funny. Gotta love logic errors!

Re:Good, it's costing them money (1)

GrumpySteen (1250194) | more than 4 years ago | (#32905638)

Slashdot would rather be funny than insightful

Re:Good, it's costing them money (1)

icebraining (1313345) | more than 4 years ago | (#32905776)

If you're buying gold from a shady site with a real CC, you kind of deserve what's coming to you.

Re:Good, it's costing them money (1)

negRo_slim (636783) | more than 4 years ago | (#32904100)

$10 for a .com TLD maybe but there are plenty of substantially cheaper options.

Re:Good, it's costing them money (0)

Anonymous Coward | more than 4 years ago | (#32904144)

A .com only costs around $6 each using GoDaddy and coupon codes. Buying in bulk I'm sure they could even find a cheaper price.

EOL? (3, Insightful)

BrokenHalo (565198) | more than 4 years ago | (#32904380)

Maybe this is a symptom of the beginning of the end for the professional spammer. If the whole thing ends up being more trouble than it's worth, maybe these asswipes will look for an alternative source of income.

Probably premature, I know, but we can hope...

Re:EOL? (1)

localman57 (1340533) | more than 4 years ago | (#32904484)

If the whole thing ends up being more trouble than it's worth

Perhaps. But part of the problem is that a lot of these problems are originating from places where people's trouble (ie time and effort) isn't worth very much to begin with, because there aren't better paying options for employment. Think gold farming...

Re:EOL? (1)

mlts (1038732) | more than 4 years ago | (#32904524)

Be careful, spammers may move into other territory. There was a sense of victory when ISPs were successful at blacklisting spammers, then they went to bouncing IP addresses to duck blackholes.

I'd expect the next thing will be to find ways to compromise E-mail accounts en masse (hacking a server at a free E-mail provider and using accounts, or compromising a backbone SMTP server.) With the money spammers make, paying a blackhat with a 0-day would be small potatoes compared to the money rolling in.

Another thing might be resources spent for another generation of botnets, improving the subtlety aspect and perhaps only sending a limited amount of mail at a time, through hijacked accounts.

so a new rule for email filtering? (4, Interesting)

TravisHein (981987) | more than 4 years ago | (#32903774)

in addition to a commonly accepted practice of doing a reverse domain name lookup on who is sending you email, whereby rejecting email from bogus domains or no domain, to now also have the mail server do a whois lookup, and arbitrarily reject email from a domain that has been registered less than a few days ago?

Re:so a new rule for email filtering? (4, Insightful)

2obvious4u (871996) | more than 4 years ago | (#32903822)

Almost, they could have registered it weeks, months or even years earlier. You would need to see if it had X days of activity. I don't know how you would do that.

Re:so a new rule for email filtering? (3, Interesting)

fifedrum (611338) | more than 4 years ago | (#32903882)

there are email reputation providers out there who can tell you things like that. It may even be free (it is for us anyway)

Re:so a new rule for email filtering? (5, Informative)

fifedrum (611338) | more than 4 years ago | (#32904038)

This is the way our reputation provider works: If the IP hasn't been seen delivering email before (no matter its age), it has a 0 reputation. The more email that is processed the higher the reputation, and the reputation is, of course, modified down by complaints. The more complaints, the lower the reputation. Think feedback loop, or where your email goes when you click "mark as junk."

If someone else wanted to get into the game, services like spamcop could be used (who knows, maybe can already be used?) to determine domain name reputation by keeping an independent database of domain names and keeping the ratio of good to bad email handy for rapid lookups, maybe in something like dnsrbld type lookup table. It's the same as IP reputation engines, just with text domain names.

Maybe someone already does. I know our antispam provider keeps a level of spaminess for domain names, but those are for domains that already exist. You would have to determine by policy what to do with domains that don't have a reputation.

That and implementing tighter SPF and DKIM will help eliminate this stuff.
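A sender reputation engine of the kind described in this comment, as an added example (not code from the thread or from any reputation vendor): a never-seen key starts at 0, processed volume raises the score, feedback-loop complaints lower it, and the same table is published DNSBL-style so an MTA can consult it with one DNS lookup. The zone name, thresholds and return codes are assumptions.

```python
"""Sender reputation engine in the style described above (added example).

A never-seen sender key (IP or domain) has reputation 0; processed volume
raises it; feedback-loop complaints ("mark as junk") lower it. The table is
also exposed DNSBL-style. Zone name, thresholds and codes are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Counters:
    delivered: int = 0   # messages processed from this key
    complaints: int = 0  # feedback-loop reports against it


class ReputationEngine:
    def __init__(self, volume_scale: float = 100.0,
                 complaint_weight: float = 5.0, list_below: float = 0.2):
        self.table: Dict[str, Counters] = {}
        self.volume_scale = volume_scale          # volume at which score reaches 0.5
        self.complaint_weight = complaint_weight  # penalty per unit complaint ratio
        self.list_below = list_below              # score below which a key is listed

    def record_delivery(self, key: str, count: int = 1) -> None:
        self.table.setdefault(key, Counters()).delivered += count

    def record_complaint(self, key: str, count: int = 1) -> None:
        self.table.setdefault(key, Counters()).complaints += count

    def reputation(self, key: str) -> float:
        """0.0 for a never-seen key; else volume term minus complaint penalty, clamped to [0, 1]."""
        c = self.table.get(key)
        if c is None or c.delivered == 0:
            return 0.0
        volume = c.delivered / (c.delivered + self.volume_scale)
        penalty = (c.complaints / c.delivered) * self.complaint_weight
        return max(0.0, min(1.0, volume - penalty))

    @staticmethod
    def query_name(key: str, zone: str) -> str:
        """DNSBL query name: reversed octets for an IPv4 address, the bare name for a domain."""
        labels = key.split(".")
        if len(labels) == 4 and all(part.isdigit() for part in labels):
            labels.reverse()
        return ".".join(labels + [zone])

    def dnsbl_answer(self, key: str) -> Optional[str]:
        """A record the MTA would receive, or None for NXDOMAIN (not listed).

        127.0.0.2 = poor reputation; 127.0.0.3 = never seen, so the MTA can apply
        its own policy for senders with no history (e.g. greylist rather than reject).
        """
        if key not in self.table:
            return "127.0.0.3"
        if self.reputation(key) < self.list_below:
            return "127.0.0.2"
        return None


def demo() -> Dict[str, Optional[str]]:
    """Constructed sample: a well-behaved bulk sender, a new host drawing complaints, an unknown domain."""
    engine = ReputationEngine()
    engine.record_delivery("bulk.example.com", 900)
    engine.record_complaint("bulk.example.com", 9)   # 1% complaint ratio
    engine.record_delivery("203.0.113.9", 100)
    engine.record_complaint("203.0.113.9", 10)       # 10% complaint ratio
    return {k: engine.dnsbl_answer(k)
            for k in ("bulk.example.com", "203.0.113.9", "new.example.net")}
```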

Re:so a new rule for email filtering? (1)

XanC (644172) | more than 4 years ago | (#32904266)

Can you explain how SPF would be of any help at all here?

Re:so a new rule for email filtering? (1)

hedwards (940851) | more than 4 years ago | (#32904326)

To prevent free riding on a known good domain name from somewhere else.

Re:so a new rule for email filtering? (1)

Bert64 (520050) | more than 4 years ago | (#32904402)

Which isn't what they're doing, they are registering their own domains which means they can then create valid SPF and DKIM records for them.

Re:so a new rule for email filtering? (1)

mikael_j (106439) | more than 4 years ago | (#32904692)

Sure, they can create valid SPF records for their domains but if they're using their own machines (rented or owned) then that ISP is most likely shady and will end up getting on a few blacklists. If they're using botnets then overly broad SPF records could be filtered (since they can't control reverse DNS for the zombie machines they're using to send spam).

Re:so a new rule for email filtering? (1)

Codeyman (1098807) | more than 4 years ago | (#32905018)

Most of the reputation providers update the data often (order of minutes), paid ones even more so than free ones. surbl, spamhaus, spamcop are some well known free reputation checks. Mailshell, Symantec etc have paid ones.

Re:so a new rule for email filtering? (1)

Snowhare (263311) | more than 4 years ago | (#32903878)

The problem with this is pretty much all of the whois servers rate limit requests. Make more than a very small number of requests per day and they simply quit answering. What we need is basic whois info available like domain created dates via DNS queries.

Re:so a new rule for email filtering? (1)

mikael_j (106439) | more than 4 years ago | (#32904596)

The biggest problem with using reverse lookup is that it's a horrible method. Sure, ten or fifteen years ago it was a half-decent method for filtering but these days lots of companies have broken reverse DNS pointers, even big companies (one I've seen with many companies here in Sweden is that email from user@company.se from a server claiming to be mailhost.company.se is sent from xxx.xxx.xxx.xxx for which a reverse lookup gives mailhost.company.com or something like ext-12-sthlm.se.company.com).

Personally I prefer relying on SpamAssassin to sort out the spam, it works quite well as long as you keep everything updated. Also, since July 1st I've noticed a sharp drop in the amount of spam hitting my personal mail server (down to about 25% of what it used to be).

Then there's SPF which would also seriously help if more sysadmins would just get around to implementing it.

Re:so a new rule for email filtering? (1)

Snowhare (263311) | more than 4 years ago | (#32904634)

Greylisting is to SMTP as NAT is to IPv4

An ugly hack that is required in practice to keep the net from collapsing?

Re:so a new rule for email filtering? (1)

mikael_j (106439) | more than 4 years ago | (#32904790)

I was thinking more along the lines of just "An ugly hack.". But then I've never had to resort to greylisting to deal with spam (but NAT is unfortunately necessary until we can get more people to start adopting IPv6).

Re:so a new rule for email filtering? (1)

Snowhare (263311) | more than 4 years ago | (#32905594)

On my servers, at one point, 99% of attempted spam mailings were being rejected via greylisting at the edge MXs (I'm talking order of 200K mail attempts per day - it vastly outnumbered legitimate emails). If you are big enough, it is a very important tool. It is less effective today than it was but it is still an important first-layer spambot screen: Yesterday, it stopped around 3000 attempts to spam us and let through about 1000 mails. Stopping 75% of spam with *one* technique is nothing to be sneezed at.
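Greylisting as run at the edge MXs in this comment, as an added example (not code from the thread): each new (client network, envelope sender, recipient) triplet is answered with a temporary 4xx reply, a real MTA retries after its queue delay and is then accepted and remembered, while a spambot that never retries is simply never delivered. The delay, window and whitelist lifetime, and the /24 keying, are assumptions in the usual range.

```python
"""Greylisting triplet logic (added example, not from the thread).

New (client /24, sender, recipient) -> temporary failure. A polite retry after
min_delay is accepted and whitelisted; a retry that comes back too fast is
deferred again; an entry never retried within max_wait is forgotten.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Entry:
    first_seen: float                  # time of the first (deferred) attempt
    passed_at: Optional[float] = None  # time a polite retry was accepted


class Greylist:
    def __init__(self, min_delay: float = 300.0, max_wait: float = 4 * 3600.0,
                 pass_ttl: float = 36 * 24 * 3600.0):
        self.min_delay = min_delay  # retries sooner than this are deferred again
        self.max_wait = max_wait    # an entry never retried within this is forgotten
        self.pass_ttl = pass_ttl    # how long an accepted triplet stays whitelisted
        self.entries: Dict[Tuple[str, str, str], Entry] = {}
        self.deferred = 0
        self.accepted = 0

    @staticmethod
    def key(ip: str, sender: str, rcpt: str) -> Tuple[str, str, str]:
        # Key on the client's /24 so a retry from a sibling outbound host of the
        # same sender still matches (assumption: IPv4 clients).
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        k = self.key(ip, sender, rcpt)
        e = self.entries.get(k)
        if e is not None and e.passed_at is not None:
            if now - e.passed_at <= self.pass_ttl:
                self.accepted += 1
                return ACCEPT
            e = None                      # whitelist entry expired
        elif e is not None and now - e.first_seen > self.max_wait:
            e = None                      # never retried in time: start over
        if e is None:
            self.entries[k] = Entry(first_seen=now)
            self.deferred += 1
            return TEMPFAIL
        if now - e.first_seen < self.min_delay:
            self.deferred += 1
            return TEMPFAIL               # came back too fast for a queued MTA
        e.passed_at = now
        self.accepted += 1
        return ACCEPT

    def stats(self) -> Tuple[int, int, float]:
        """(deferred attempts, accepted attempts, share of attempts deferred)."""
        total = self.deferred + self.accepted
        return self.deferred, self.accepted, (self.deferred / total if total else 0.0)


def demo() -> List[str]:
    """Constructed sequence: a real MTA retrying, a sibling host, a bot that never retries, a stale entry."""
    gl = Greylist()
    mta = ("198.51.100.23", "alice@example.org", "bob@example.net")
    return [
        gl.check(*mta, now=0.0),                                        # new: deferred
        gl.check(*mta, now=60.0),                                       # too soon: deferred
        gl.check(*mta, now=600.0),                                      # polite retry: accepted
        gl.check("198.51.100.77", mta[1], mta[2], now=601.0),           # same /24: accepted
        gl.check("203.0.113.5", "x@spam.invalid", mta[2], now=0.0),     # bot, never retries
        gl.check("192.0.2.1", "c@example.com", mta[2], now=0.0),        # deferred
        gl.check("192.0.2.1", "c@example.com", mta[2], now=5 * 3600.0), # stale: deferred again
    ]
```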

Re:so a new rule for email filtering? (1)

Snowhare (263311) | more than 4 years ago | (#32905658)

Addendum: Checking my logs, the 3000 greylist stopped spam emails were what were left after *other* filters stopped an additional 156,000 spam attempts. Yes - it really has reached the point where *less than* 1% of email is legitimate.

Re:so a new rule for email filtering? (1)

mikael_j (106439) | more than 4 years ago | (#32905686)

I didn't say it wasn't effective, just that it's an ugly hack which, when improperly implemented, can be a serious annoyance (these days it's rare to see MTAs configured to cause hour-long delays but it wasn't long ago that this seemed to be more common than not when dealing with greylisting).

Re:so a new rule for email filtering? (1)

Lumpy (12016) | more than 4 years ago | (#32905562)

Better yet, all domains are rejected unless it has been up for 1 week. If the server receives a single email from that domain, let it through; if it gets 20 or more, bounce them all. All email servers treat all domains as suspect and let in 1 email from the domain an hour until it's proven to be good, then allow more. Instantly blacklist any new domain heard that has more than 10 emails for the customer. Instant blacklist if any email from that domain during the probation triggers the spam filters.

Come on guys it's not that hard to stop this crap.

Flag email that comes from new domains (4, Insightful)

harmonise (1484057) | more than 4 years ago | (#32903786)

Score email higher that comes from newer domains. The older the domain, the lower the score. I'm thinking spamassassin scores here.

Re:Flag email that comes from new domains (0)

Anonymous Coward | more than 4 years ago | (#32904424)

So I buy a few hundred domains today and sit on them for a couple months. Next week, I buy a few hundred more, and sit on them for a couple months plus one week. This is actually close to what they're doing now.

A couple is less than 12 (1)

tepples (727027) | more than 4 years ago | (#32905250)

So I buy a few hundred domains today and sit on them for a couple months.

"A couple" is less than 12. I think the idea is to score e-mail from a domain spammier for the first year that the domain has existed, and score it less spammy if the domain's expiration is at least 2 years in the future (indicating a substantial prepayment).

Re:Flag email that comes from new domains (1)

harmonise (1484057) | more than 4 years ago | (#32905264)

Exactly. And emails from your domains will still have a higher score than domains that are over a year old. It will also stop "domain tasting" or whatever it is called where spammers get domains for less than 24 hours without paying for them.

Filtering out new domains? (2, Interesting)

HikingStick (878216) | more than 4 years ago | (#32903808)

They obviously are making enough money to afford the registration fees. I wonder if there would be a way to greylist/blacklist new domains, though that simply might mean that spammers would sit on the domain for a period of weeks or months before using them. Still, would there be a way to flag young domains so that they end up with higher scores in various spam filters?

Making money from those buying their services (0)

Anonymous Coward | more than 4 years ago | (#32903912)

The spammers are making money from those buying their services, people who don't know how to measure increased sales from spam so there's no need to click through and buy, people who don't CARE if it's illegal because they're being paid by their company to advertise, so they don't mind if there's 0% hit rate: they've been paid and you can't prove NOBODY bought because of this (as you can't with any marketing).

They're making money from "legitimate" companies buying these spammer services.

Kill these "legitimate" companies and you kill the spammers. And, unlike the spammers, it's hard to start another company big enough to pay for these services to make the spammers' work worthwhile.

Re:Making money from those buying their services (1)

hedwards (940851) | more than 4 years ago | (#32904350)

Indeed, require them to disclose who they've contracted to and make them prove that the lists are clean. Fundamentally for such a simple to solve problem, it's taken a huge amount of time to actually fix. Sure you're not going to get smaller temporary stores shut, but there's an unacceptable number of spams for major retailers and brands out there.

Persistent little bastards... (5, Funny)

sixteenbitsamurai (1070810) | more than 4 years ago | (#32903844)

It's like an underground revolutionary movement, except selling male enhancement products.

been happening for years (5, Funny)

fifedrum (611338) | more than 4 years ago | (#32903850)

As an SA at a hosted email provider I see this on a daily basis and could list several hundred domains just from the last few days' worth of reports. They hit the big registrars, attempt to automate as much as possible, create dozens of email accounts per domain, and turn on the spigot disposing of the domains immediately in the case of sending domains, and putting off the demise of the web domains as long as possible.

Fortunately, the activity levels of the greedy spammers far outstrip the activity levels of the normal user. That said, we still see occasional drip spammers.

Long ago I proposed a pay-per-view spectacular. Pasty faced pudgy sysadmins from around the world get air dropped onto an island studded with cameras and stocked with spammers and 419 scammers... Viewers can then vote online which sysadmins get which weapons. (Please gentle viewer, let me have the M1)

Re:been happening for years (1)

phoenixwade (997892) | more than 4 years ago | (#32903908)

Long ago I proposed a pay-per-view spectacular. Pasty faced pudgy sysadmins from around the world get air dropped onto an island studded with cameras and stocked with spammers and 419 scammers... Viewers can then vote online which sysadmins get which weapons. (Please gentle viewer, let me have the M1)

I'm going for a Barrett and a tall hill or tree, this will be fun. Although I would still be partial to a rocket launcher with rockets that have painted on Smiley faces on the nose....

Re:been happening for years (1)

Locke2005 (849178) | more than 4 years ago | (#32903920)

(Please gentle viewer, let me have the M1) Sorry, you're ALL getting the aluminum bats -- much more entertaining to watch!

Re:been happening for years (4, Funny)

ajlitt (19055) | more than 4 years ago | (#32904102)

Ah, the cluebat. An elegant weapon for a less civilized luser.

Re:been happening for years (1)

Dancindan84 (1056246) | more than 4 years ago | (#32904140)

Naw, just give them lots of viagra and steroids. More poetic. /Read a similar joke somewhere about how to deal with spammers. //Not Mencia, don't kill me. I'd give credit if I could remember where from.

Re:been happening for years (1)

morgan_greywolf (835522) | more than 4 years ago | (#32904218)

Um, have you ever seen a pudgy, pasty-faced sysadmin with an aluminum bat? Think the beginning of "Bad News Bear....

Oh, I see what you did here...

Re:been happening for years (0)

Anonymous Coward | more than 4 years ago | (#32904226)

Just treat it like a Zombie Invasion, give them lawnmowers.

Re:been happening for years (1)

oldspewey (1303305) | more than 4 years ago | (#32904336)

I'll give you a big stockpile of cans of spam, plus your choice of either a big kickass slingshot, or a small trebuchet.

Re:been happening for years (1)

supercrisp (936036) | more than 4 years ago | (#32904420)

M1 is a bit old school. There are a LOT of spammers, and you'd need a higher rate of fire. I'd suggest a Saiga 12. Or if you really want the retro look, an AK-47 is still hard to beat.

Re:been happening for years (1)

Firethorn (177587) | more than 4 years ago | (#32904730)

I think he's going for quality of kills over quantity.

Besides, I figure there are fewer than you might think. Remember, one spammer can send out millions of emails in less than a day, easy.

Re:been happening for years (0)

Anonymous Coward | more than 4 years ago | (#32905350)

There's no rules against multiple bullets per spammer, is there?

Rate of fire is still king in such a scenario, especially when the pasty faced admins can't aim too well. Six bullets in the upper legs still beat one in the chest, for sheer entertainment value.

This is a new technique? (3, Insightful)

interval1066 (668936) | more than 4 years ago | (#32903856)

I could have sworn they have been using this one for a few years now.

Re:This is a new technique? (0)

Anonymous Coward | more than 4 years ago | (#32904338)

It appears that the spammers are a few years ahead of the analysts at Kaspersky Labs.

It's not new. (1)

Jay L (74152) | more than 4 years ago | (#32905180)

I left the field in 2001 and they were already doing it then. It's just cheaper now (cheaper with real money, and cheaper to buy stolen credit cards).

Validate domain ownership (4, Interesting)

Animats (122034) | more than 4 years ago | (#32903880)

When you buy a domain, you should be mailed a letter with an activation code, sent to the registrant address. No valid mailing address, no domain activation.

Re:Validate domain ownership (3, Insightful)

fifedrum (611338) | more than 4 years ago | (#32903940)

to which they'll use mules

really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter action and evasion. The only thing that works is jail time.

Re:Validate domain ownership (2, Insightful)

BitZtream (692029) | more than 4 years ago | (#32904300)

Mules at a known valid address are far easier to trace than stolen credit cards.

Re:Validate domain ownership (0)

Anonymous Coward | more than 4 years ago | (#32904488)

really, there's no way around this that can't also be worked around by the spammers. Every single step is met by counter action and evasion.

So you're saying that we should give up?

The only thing that works is jail time.

That would require us to know who to jail first.

Re:Validate domain ownership (1)

guruevi (827432) | more than 4 years ago | (#32904532)

Oh really? As in: they can make a couple of million and all they face is an extremely small chance that they get maybe 6 months in prison? Besides how do you get caught when there are no laws against it, no police force in the world cares (your company is not big enough to afford those laws) and you could be anywhere in the world, maybe in a small banana-republic where you can treat the police as your personal mercenaries for a couple of $100.

Re:Validate domain ownership (1)

DragonWriter (970822) | more than 4 years ago | (#32905184)

really, there's no way around this that can't also be worked around by the spammers.

There's a fairly simple way around it on the client end (and which could easily be implemented by webmail providers); allow the user to designate "safe" domains, any mail that isn't from a known contact or a domain identified by the specific recipient as "safe" is shunted to an "unsolicited" box (or tagged "unsolicited"), essentially serving as a lower-probability "possible spam" box to a traditional Spam mailbox/tag.

Re:Validate domain ownership (1)

mlts (1038732) | more than 4 years ago | (#32905298)

The threat of jail isn't going to happen. A lot of spammers are in countries whose government doesn't give a rat's ass about computer crime, cannot afford to, or hates everyone else so much that they consider the spammers an income source for their nation.

Even in countries with computer crime laws, the good spammers will not be directly connected to machines, just like a good drug dealer is never near his stash when making transactions. They will be hiring script kiddies to do grunt work for them, or they will be using cracked wireless networks (very few home wireless networks log anything at all, perhaps at most a MAC) and will be able to do their activities without any way of being caught.

I'm sure once domain registrations become harder to get in mass quantities, we will be seeing spams from raw IP addresses, or we will see more compromised clients. Spammers have a lot of resources, so it wouldn't be far-fetched to see them trying to attack registrars, and since there are a ton out there, one will end up getting compromised and allow a lot of fake domains to appear with ease.

Re:Validate domain ownership (1)

fifedrum (611338) | more than 4 years ago | (#32905876)

they already use raw IPs, but the vast majority of MX servers reject email that doesn't resolve in reverse DNS, or doesn't have a resolvable HELO hostname, or the from address is phony.

And they already use compromised clients, see it every day.

Re:Validate domain ownership (1)

NevarMore (248971) | more than 4 years ago | (#32904582)

So when you want to register a domain for unpopular political, social, or religious activities you can be outed?

This is news??? (3, Informative)

Eggplant62 (120514) | more than 4 years ago | (#32903900)

They've been doing this since 1999 from my personal memory aiding the antispam fight. What suddenly brings this back to the fore as if it were some stunning revelation? It's an old trick that Alan Ralsky used when he was scamming and spamming.

Can't say I'm surprised (1)

ITBurnout (1845712) | more than 4 years ago | (#32903902)

A fine match for their disposable e-mails. I have to give kudos to Gmail; my personal account has not seen a single unwanted spam message since its inception. Not one. I used to check the Spam folder to see if anything legit got trashed, but now I just mainly ignore it unless I really want to see anonymous scumbags' assessments about my lack of adequate manhood.

Re:Can't say I'm surprised (2, Funny)

Zemplar (764598) | more than 4 years ago | (#32904120)

... assessments about my lack of adequate manhood.

So you're the one! I've got a bunch of email that must belong to you.

Re:Can't say I'm surprised (1)

ITBurnout (1845712) | more than 4 years ago | (#32904354)

Oops, I mean *incorrectly supposed* lack of adequate manhood. False assumptions based on zero evidence and a drive for profit. Weak, limp, flaccid assumptions.

Re:Can't say I'm surprised (1)

negRo_slim (636783) | more than 4 years ago | (#32904164)

A fine match for their disposable e-mails. I have to give kudos to Gmail; my personal account has not seen a single unwanted spam message since its inception. Not one. I used to check the Spam folder to see if anything legit got trashed, but now I just mainly ignore it unless I really want to see anonymous scumbags' assessments about my lack of adequate manhood.

Agreed. My spam folder has plenty of spam but what actually has made it to the inbox in all these years has been about 3 messages. And that's after being lambasted on a previous /. post in which I willingly gave out my email milsorgen@gmail.com. I think someone tried to sign me up for like 3 mailing lists, but other than that it was nothing but hubris.

I think the problem has been over exaggerated and we are too eager to cater to users too dumb to avoid being suckered.

I don't understand spam folders (3, Interesting)

XanC (644172) | more than 4 years ago | (#32904314)

This is why spam folders should be Considered Harmful. Effectively, it's a delivery failure without a notice. You should either accept mail or reject it, not pretend to accept it and then stash it someplace where nobody reads it.

Using a spam folder treats outright, obvious spam with more courtesy than the borderline stuff.

Re:I don't understand spam folders (0)

Anonymous Coward | more than 4 years ago | (#32904472)

Rejecting it is a feedback loop to the spammer to allow them to mutate the payload and retry in real time.

Re:I don't understand spam folders (1)

allo (1728082) | more than 4 years ago | (#32904720)

If they need to change the message until it's no more spam, then it's okay that way :).

Re:I don't understand spam folders (1)

Firethorn (177587) | more than 4 years ago | (#32904564)

If I'm expecting an email from a new source, like I've signed up somewhere new, and the email doesn't show up, I'll check the spam filters.

If the new request is outright rejected, how am I supposed to get my confirmation email?

Re:I don't understand spam folders (1)

XanC (644172) | more than 4 years ago | (#32905830)

Does any email from a new source get put into a spam folder? You might want to fix that problem first.

Re:I don't understand spam folders (1)

mlts (1038732) | more than 4 years ago | (#32905496)

Rejections just allow them to keep trying E-mail addresses and/or keep trying to figure out what will jump past. However, just having a SMTP server blindly slurp all incoming mail at one end and blow it out the other may cause false positives, and may cause big problems with mail troubleshooting.

One needs to do both sanity checking during the E-mail transaction and post-receipt scanning. The SMTP server needs to outright reject obvious crap, greylist suspect stuff, and tarpit mass entries that are obviously not mailing lists. So, if an attacker is trying to guess E-mail addresses, there will be a delay of 20-30 seconds after the first 3-4 attempts. If a domain is blackholed, the connection should be immediately dropped without ever getting a chance to communicate with the SMTP server. If a domain keeps trying to connect after it gets dropped, the machine should drop a DENY acl in for 10-20 minutes to minimize CPU cycles wasted.

Of course, once the E-mail makes it into an incoming spool, it should go at least through an antivirus pass. On UNIX systems, this isn't an issue [1] other than to perhaps catch some obvious UNIX Trojans, but for Windows machines which will happily gobble down malformed code, this is a critical security step.

[1]: I've seen plenty of Trojan horses for UNIX, but true viruses are really rare.
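The SMTP-time checks listed in this comment, as an added example (not code from the thread): tarpit a client that keeps guessing recipient addresses, drop a connection whose reverse-DNS domain is blackholed before it ever sees the banner, and put a temporary DENY ACL in place for a peer that reconnects right after being dropped. The exact timings, the reverse-DNS matching rule and the constructed addresses are assumptions; the timings follow the ranges given in the comment.

```python
"""SMTP-time edge policy (added example, not from the thread).

- RCPT TO for unknown users: after tarpit_after misses, every reply is delayed.
- Connection from a blackholed domain: dropped before the banner.
- Reconnect within redrop_window after a drop: DENY ACL for deny_seconds.
All values and names below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class PeerState:
    bad_rcpts: int = 0          # unknown recipients tried in the current session
    dropped_at: float = -1.0    # last time we dropped it for a blackholed domain
    denied_until: float = -1.0  # firewall DENY ACL in force until this time


class EdgePolicy:
    def __init__(self, blackholed: Set[str], valid_rcpts: Set[str],
                 tarpit_after: int = 3, tarpit_delay: float = 25.0,
                 redrop_window: float = 60.0, deny_seconds: float = 15 * 60.0):
        self.blackholed = {d.lower() for d in blackholed}
        self.valid_rcpts = {r.lower() for r in valid_rcpts}
        self.tarpit_after = tarpit_after    # bad RCPTs before delays start
        self.tarpit_delay = tarpit_delay    # seconds to sleep before each reply after that
        self.redrop_window = redrop_window  # reconnect within this after a DROP earns a DENY
        self.deny_seconds = deny_seconds    # lifetime of the DENY ACL
        self.peers: Dict[str, PeerState] = {}

    def _blackholed(self, rdns_name: str) -> bool:
        """Match the client's reverse-DNS name against the blackholed domains (suffix match)."""
        name = rdns_name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.blackholed)

    def on_connect(self, ip: str, rdns_name: str, now: float) -> str:
        """ACCEPT (proceed to banner), DROP (close the socket silently) or DENY (ACL active)."""
        p = self.peers.setdefault(ip, PeerState())
        p.bad_rcpts = 0                      # per-session counter
        if now < p.denied_until:
            return "DENY"
        if self._blackholed(rdns_name):
            if p.dropped_at >= 0 and now - p.dropped_at <= self.redrop_window:
                p.denied_until = now + self.deny_seconds
                return "DENY"
            p.dropped_at = now
            return "DROP"
        return "ACCEPT"

    def on_rcpt(self, ip: str, rcpt: str) -> Tuple[str, float]:
        """Reply to RCPT TO plus the number of seconds to sleep before sending it."""
        p = self.peers.setdefault(ip, PeerState())
        if rcpt.lower() in self.valid_rcpts:
            return "250 2.1.5 OK", 0.0
        p.bad_rcpts += 1
        delay = self.tarpit_delay if p.bad_rcpts >= self.tarpit_after else 0.0
        return "550 5.1.1 No such user", delay


def demo() -> List[str]:
    """Constructed session log: a blackholed peer that keeps reconnecting, then a client guessing addresses."""
    pol = EdgePolicy(blackholed={"spam.invalid"}, valid_rcpts={"bob@example.net"})
    out = [pol.on_connect("203.0.113.5", "mx1.spam.invalid", 0.0),     # DROP
           pol.on_connect("203.0.113.5", "mx1.spam.invalid", 10.0),    # DENY (ACL added)
           pol.on_connect("203.0.113.5", "mx1.spam.invalid", 500.0),   # DENY (still active)
           pol.on_connect("203.0.113.5", "mx1.spam.invalid", 1000.0),  # DROP (ACL expired)
           pol.on_connect("198.51.100.7", "mail.example.org", 0.0)]    # ACCEPT
    for rcpt in ("bob@example.net", "aaa@example.net", "bbb@example.net", "ccc@example.net"):
        code, delay = pol.on_rcpt("198.51.100.7", rcpt)
        out.append(f"{code} after {delay:.0f}s")
    return out
```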

Re:I don't understand spam folders (1)

XanC (644172) | more than 4 years ago | (#32905860)

Post-receipt scanning is evil. Either accept the mail and deliver it, or reject it at SMTP time.

I reject your assertion that the spambot will employ machine learning and figure a way through after a rejection.

The correct solution is to employ massive delays on the SMTP transaction if an email is spam. This is a pseudo-tarpit. The mail is eventually rejected.

Re:I don't understand spam folders (1)

maxume (22995) | more than 4 years ago | (#32905740)

People want fast, easy access to most of their real mail with the ability to easily check-up on the automated system some of the time.

Not having a spam system at all defeats the fast and easy parts of accessing the real mail, and I'm not sure there is an easier way to check-up on the system than to examine the messages that it classifies as spam.

You are correct that this occasionally moves a legitimate email into the spam folder, but apparently the typical person would rather put up with this than constantly deal with each and every spam message.

Re:I don't understand spam folders (1)

XanC (644172) | more than 4 years ago | (#32905812)

I think you're confused.

I'm not advocating going filterless. I'm saying that instead of putting "borderline" spam in a spam folder, simply reject it.

The "check-up" on the automatic system that you advocate would then be done by the sender, who gets notified that the mail didn't get delivered. If a message ends up in a spam folder, then it effectively hasn't been delivered, but nobody knows about it.

Re:I don't understand spam folders (1)

maxume (22995) | more than 4 years ago | (#32905884)

I misunderstood what you said. That isn't exactly the same as being confused.

I would respond to your clarification by saying that most receivers would probably rather be able to check up on the filter than they would trust the sender to fix the problem (for instance, imagine the fun nightmares that begin when a personal relation that the receiver doesn't care to offend starts sending them spam).

Re:Can't say I'm surprised (1)

hedwards (940851) | more than 4 years ago | (#32904396)

Rarely do I get any spam in my Gmail inbox, that being said, it's tight enough that I do have to add things to my address book fairly often to make sure that it's not listed as spam. But, the rate at which they mistakenly categorize something is impressively low.

Changing domains or changing servers? (4, Insightful)

NevarMore (248971) | more than 4 years ago | (#32903968)

It's pretty trivial to have 10000 domain names pointing to 10 servers.

It also seems trivial, when a domain name is flagged, to also flag its server; then, when a new domain name shows up that points to a flagged server, rate it appropriately.

It's a clever trick, but hardly an unfightable step in the spam arms race.

Re:Changing domains or changing servers? (0)

Anonymous Coward | more than 4 years ago | (#32904160)

You mean they don't need a separate mail server for each domain name? What kind of sorcery do these spammers wield?

Re:Changing domains or changing servers? (1)

amentajo (1199437) | more than 4 years ago | (#32904578)

No, they don't. There's nothing remotely resembling sorcery involved.

If you're being sarcastic... GP post is an appropriate response to this story, as the story seems to overlook the point that NevarMore is making: blocking spam by domain name is not the only way to do it.

However, when you combine this with non-static IP addresses, it can be an effective way to avoid filtering by source... though I cannot think of a good reason not to dock major points for an e-mail sent by a mail server with a non-static IP to begin with.

Re:Changing domains or changing servers? (1)

EdIII (1114411) | more than 4 years ago | (#32905584)

though I cannot think of a good reason not to dock major points for an e-mail sent by a mail server with a non-static IP to begin with.

I cannot think of a good reason to even start talking with a non-static IP to begin with. Spamhaus has a PBL [spamhaus.org] (Policy Block List) and if an IP address is on it I just terminate the connection.

I know some people will say, "but now you prevent the common man from running a mail server!". Correct. It is unfortunate to create such a barrier to entry, but I feel that if you want to operate a mail server responsibly you will use a static IP. Spammers suck, and they have forced us to make it pretty difficult to deliver legitimate email. My own personal mail server is operating in a datacenter, but I pay $5 for a static IP address at home. I could be running a mail server there if I wanted to as well.

To expand upon NevarMore's point, domain names are only a small piece. I use several RBL's to determine if I even want to start a conversation with another mail server. Afterwards, it is all about the weight, or as you said, "points".

I believe what the article refers to is Spammer's attempts to mitigate the points being assigned to their emails from the message level domain checks. That can remove some of the negative points against their spam, but does nothing against the IP address checks that can be performed as well on the mail server, and even on the IP address lookups for those domains.

IMO, the spammers are just looking to get a little more spam through, and don't think this is a way to defeat anything. Just a higher success rate of getting their spam to the Inbox. Awful lot of work, effort, and money being spent to do it too. Which is why I am convinced it is not advertising dollars from the companies marketing the products, but attempts at hijacking machines motivating them instead. Using them to conduct more serious crime such as identity theft and stealing financial information is a lot more profitable than some two-bit Viagra company paying them to deliver the spam.
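The connection-time check and host-based weighting that EdIII's comment above describes, written out as an added example (this is not code from the thread or from Spamhaus). A connecting IP listed in the Spamhaus PBL (or SBL/XBL) is refused before any message is read, and a sender domain is scored by the hosts it resolves to rather than by its name, so a throwaway domain parked on a listed host still earns points. Query names are built the way DNSBLs expect (octets reversed under the zone), and the list codes used are Spamhaus' published ZEN return codes. The DNS answers come from constructed tables (RFC 5737 documentation addresses, hypothetical domains), so nothing here touches the network.

```python
"""Connection-time DNSBL check plus host-based points for a sender domain.

Added example, not from the Slashdot thread. DNS answers are constructed
in-memory tables so the code runs offline; the domains and IPs are
hypothetical (RFC 5737 documentation ranges).
"""
import ipaddress

ZONE = "zen.spamhaus.org"


def dnsbl_query_name(ip, zone=ZONE):
    """Build the reversed-octet DNSBL query name: 203.0.113.7 -> 7.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed DNSBL answers. An unlisted IP has no entry (NXDOMAIN in real DNS).
FAKE_DNSBL = {
    dnsbl_query_name("203.0.113.7"): ["127.0.0.11"],  # PBL: end-user/dynamic space
    dnsbl_query_name("203.0.113.8"): ["127.0.0.2"],   # SBL: known spam source
    dnsbl_query_name("203.0.113.9"): ["127.0.0.4"],   # XBL: compromised host
}

# Constructed A records for the sender domains scored below.
FAKE_A = {
    "throwaway.example": ["203.0.113.8"],
    "clean.example": ["198.51.100.5"],
}


def classify_answer(answers):
    """Map Spamhaus ZEN return codes (127.0.0.x) to the list names they denote."""
    lists = set()
    for answer in answers:
        code = int(answer.rsplit(".", 1)[1])
        if 2 <= code <= 3:
            lists.add("SBL")
        elif 4 <= code <= 7:
            lists.add("XBL")
        elif 10 <= code <= 11:
            lists.add("PBL")
    return lists


def lookup(ip):
    """Return the set of lists an IP appears on (empty set if unlisted)."""
    return classify_answer(FAKE_DNSBL.get(dnsbl_query_name(ip), []))


def connect_decision(client_ip):
    """Decide at SMTP connect time, before any envelope or message data is read."""
    lists = lookup(client_ip)
    if lists:
        return ("reject", "%s listed in %s" % (client_ip, ",".join(sorted(lists))))
    return ("accept", "")


# Weight per list; the hosting IP carries these points regardless of domain name.
LIST_POINTS = {"SBL": 5, "XBL": 4, "PBL": 2}


def domain_host_points(sender_domain):
    """Points for a sender domain derived from the IPs it resolves to, not its name."""
    points = 0
    for ip in FAKE_A.get(sender_domain.lower(), []):
        points += sum(LIST_POINTS[name] for name in lookup(ip))
    return points


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.9", "198.51.100.5"):
        print(ip, connect_decision(ip))
    for dom in ("throwaway.example", "clean.example"):
        print(dom, domain_host_points(dom))
```

Swapping to a real resolver means replacing the two dictionary lookups with A-record queries; the query-name construction and code decoding stay the same. The PBL is a policy list rather than evidence of spamming, so the points it contributes to `domain_host_points` are deliberately lower than an SBL or XBL hit.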

Re:Changing domains or changing servers? (1)

mlts (1038732) | more than 4 years ago | (#32905574)

Then a spammer will DoS a legit site by using the ISP they use for an attack. It may be useful, but can easily be used by blackhats to sully the name and reputation of a legit site, especially if the attacker does a joe job and sends E-mail from that site's normal outgoing server's SMTP server that is shared.

And spammers will do this. I have helped small businesses who got threatened with their domain contacts being in the fake From: headers of a spammer, who threatened to send out spam in their name unless they paid a sum via e-gold. I would bet a spammer would love access to a machine that other legit domains send from, just to sully their name as part of an extortion racket.

ahhh, but what are the resolved addresses? (2, Insightful)

swschrad (312009) | more than 4 years ago | (#32903970)

if, for instance, they keep coming from the block reserved by {scumpuppy.net}, you know who to blacklist by range.
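The server- and range-level approach from NevarMore's comment and swschrad's comment above, as an added example (not code from the thread): flagging a domain also penalises the IPs it resolves to, an operator can flag a whole netblock, and a brand-new domain that lands on a penalised host or range is scored accordingly without anyone having seen the name before. DNS answers come from a constructed table (hypothetical names, RFC 5737 documentation addresses) so the code runs offline.

```python
"""Reputation keyed by resolved server and netblock rather than by domain name.

Added example, not from the Slashdot thread. The DNS table, domains and
addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed A records standing in for live DNS lookups.
FAKE_DNS = {
    "oldbad.example": ["203.0.113.10"],
    "newthrowaway.example": ["203.0.113.10", "203.0.113.11"],
    "rangehosted.example": ["203.0.113.200"],
    "legit.example": ["198.51.100.5"],
}


def resolve(domain):
    """Return the A records for a domain from the constructed table (empty if unknown)."""
    return FAKE_DNS.get(domain.lower().rstrip("."), [])


@dataclass
class ServerReputation:
    """Tracks flagged domains and propagates their penalty to the hosts behind them."""
    flagged_domains: set = field(default_factory=set)
    ip_penalty: dict = field(default_factory=dict)      # ip -> accumulated penalty
    blocked_networks: list = field(default_factory=list)  # ip_network objects

    def flag_domain(self, domain, penalty=5):
        """Flag a domain and add `penalty` to every IP it currently resolves to."""
        self.flagged_domains.add(domain)
        for ip in resolve(domain):
            self.ip_penalty[ip] = self.ip_penalty.get(ip, 0) + penalty

    def block_network(self, cidr):
        """Blacklist an entire address range, e.g. a block known to host spam servers."""
        self.blocked_networks.append(ipaddress.ip_network(cidr))

    def ip_points(self, ip):
        """Points for a single host: blocked ranges score maximum, otherwise the host's history."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blocked_networks):
            return 10
        return self.ip_penalty.get(ip, 0)

    def score(self, domain):
        """Score a domain: known-bad names score maximum; unknown names inherit the
        worst points of any server they resolve to; unresolvable names get a small penalty."""
        if domain in self.flagged_domains:
            return 10
        ips = resolve(domain)
        if not ips:
            return 3
        return max(self.ip_points(ip) for ip in ips)


if __name__ == "__main__":
    rep = ServerReputation()
    rep.flag_domain("oldbad.example")
    rep.block_network("203.0.113.128/25")
    for name in FAKE_DNS:
        print(name, rep.score(name))
```

The score for `newthrowaway.example` comes entirely from the host it shares with `oldbad.example`; nothing about the new name itself was ever recorded. In a real deployment the resolved addresses would be cached with their TTLs, since spammers who rotate domains can rotate A records just as quickly.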

One maybe bad aspect of IPv6? (4, Insightful)

JSBiff (87824) | more than 4 years ago | (#32904090)

This got me to thinking. In a world where IPv6 provides an astronomical number of subnet blocks, what's to keep spammers and malware distributors from jumping from IP block to IP block the way they jump from domain to domain?

Re:One maybe bad aspect of IPv6? (2, Interesting)

shentino (1139071) | more than 4 years ago | (#32904328)

To make a TCP connection both ends have to have routable addresses.

Sooner or later either they'll all have common subnets, or they'll cause a noticeable spike in routing traffic.

Mod parent (and GP) up. (2, Insightful)

khasim (1285) | more than 4 years ago | (#32905230)

IPv6 will cause a huge problem with existing blacklists.

It won't cause any problems with whitelists (which should be checked PRIOR to the blacklists).

But they're still going to have to go through routers. So we're going to have to work on hacks that identify the routers that the communication is traversing. Then you should be able to see the "gateways" to the spammy networks and adjust the scoring.

Doh, just block by IP. (0)

Anonymous Coward | more than 4 years ago | (#32904106)

Who in their right mind looks at DNS info?

This reminds me of (1)

Anon-Admin (443764) | more than 4 years ago | (#32904216)

This reminds me of the copyright protection on the Commodore 64 games and the game crackers.

No matter what you can come up with, the spammers will find a way around. RBL's, disposable domains, IP banning => IP Spoofing, the list goes on. This may not be a winnable fight.

I hate to say that because I have had my e-mail address for 10 years now and average 300 spam messages a day. Thanks to Spam assassin and a probability filter I can knock it down to only 3 or 4 a day getting through.

Maybe it is time to stop fighting the spammers and start training the users!

Re:This reminds me of (1)

Firethorn (177587) | more than 4 years ago | (#32904682)

Maybe it is time to stop fighting the spammers and start training the users!

Consider, scammers have been using the same tactics for centuries, often simply updated to keep up with modern communication techniques.

'Male Enhancement'? Snake Oil, just no longer sold personally with the attendant risk of getting lynched.
Nigerian scheme? Fake ransom demands.

We've tried educating people; I think there are certain types of people more susceptible than others. Perhaps they need a financial guardian or something. Along with the compulsive gamblers and such. :(

It's not a bad idea, I try avoiding scam training; it's at least partially effective. Still, I think that no one approach will fix this.

Ergo:
1. Train Users
2. Some sort of domain/server blacklist
3. Automatic spam filters
4. domain/server authentication
5. Lawsuits; jail time
6. Hitmen, reopen gladiator games featuring spammers, etc...

Should keep the spam problem under control.

Re:This reminds me of (1)

vlueboy (1799360) | more than 4 years ago | (#32904782)

Some of my early-day mistakes were to sign up on innocent-sounding sites for joke e-mails, IQ tests, and free-greeting-card sites ... and my e-mail during warranty registration to legit companies that later sold my address to shady partners. I even signed up for email "news" at an anime site even though they promised all content was pending as they were "still awaiting delivery of our giant robots." I realized I'd been had, but they did put up a legit page 5 years later [archive.org], and I'm sure they sold my email addy many times over in those five years, even if their promise for news was never fulfilled.

A quick web search for my email address surprised me with a single site cloning my [defunct Geocities] page where I naively used it a decade ago. It's good to see from your post that I don't get as much SPAM as I deserve for my paranoia-free Windows 98 days :)

Hey Timothy, Welcome to 1999 (1, Informative)

BitZtream (692029) | more than 4 years ago | (#32904340)

Really ... spammers are moving to disposable domains ...

All those fja3lgah12.com email addresses I've been seeing for the last 10 or so years have been bots on real domains then eh?

Seriously Tim, if you think something is new and exciting then you are experiencing one of two things, either it's not really old and it's actually common knowledge to everyone BUT you and the website you're viewing ... or ... the website you're viewing is wrong.

Think that EVERY TIME you go to post stories to the front page and we'll do a lot better. I'll make it simpler, just based on your history as an editor ... when you think a story is good to post, you're wrong.

Domain Age (0, Redundant)

Bert64 (520050) | more than 4 years ago | (#32904368)

Surely spam filters can just check for domains which are less than a few days old...

No! (2, Funny)

night_flyer (453866) | more than 4 years ago | (#32904540)

Really? Are you serious? And this is news how?

Catch Them! (1)

b4upoo (166390) | more than 4 years ago | (#32904542)

Since the usual idea of spam is to get people to send money somewhere why not send a cop to that point and grab the account holders. Fines plus prison time should discourage them.

Re: Catch Them! (1)

Joce640k (829181) | more than 4 years ago | (#32904658)

The 'somewhere' is usually a place where cops can't (or don't) do that.

Levels of accountability (3, Insightful)

aapold (753705) | more than 4 years ago | (#32904654)

If a bar sells beer to an underage person, they get in trouble. Roll the layers back and put it on them to institute their own methods of verification or face consequences for not doing so. As it is, they practically have a vested business interest in continuing to sell them these domains.

surprise (1)

xmousex (661995) | more than 4 years ago | (#32904798)

What is this??? Slashdot news from the late 90s??? Also the matrix is a good movie, I hope the sequels are just as good.

well (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#32905064)

This is what happens when you let niggers free

Basically sockpuppetry with domains (0)

Anonymous Coward | more than 4 years ago | (#32905206)

Just like trolls and vandals create accounts that are going to be banned anyway so they don't care what they do with them.

I create plenty of them on Wikipedia everyday to harass admins and stewards. Just click on create account and make an account with a stupid name and then immediately log out and create another one up to six a day until your IP range gets check user blocked. I got the whole of T-Mobile blocked from editing Wikipedia.

Not Even Remotely New (4, Insightful)

damn_registrars (1103043) | more than 4 years ago | (#32905852)

Anybody who has ever really looked at the spam they've received knows this has been going on for years. Spammers buying domains in bulk for quick switching is a very old game. Fortunately as this gets more attention we get a little bit closer to paying attention to something we can do something about (for a little while longer anyways):

Registrars. We have often pointed to the spammers, the ISPs, and the spamvertised domains as groups who make money off of spam. We have for various reasons frequently overlooked the registrars who are taking in a profit on the deal as well. There have been registrars in bed with spammers for almost as long as we have had spammers.

The big difference though is that we could do something about the registrars - if we really wanted to. The registrars are supposed to keep valid data on their customers, and are supposed to adhere to specific ICANN guidelines (at least for specific TLDs). If the registrars couldn't register anything in the TLDs they want, they would think twice about knowingly dealing with spammers.

Anonymous Coward (0)

Anonymous Coward | more than 4 years ago | (#32905856)

It's simple. Just add a new rule (which has to be coded) for SMTP to not accept incoming emails from any domain if that domain is less than a month old. Obviously this number of days/months etc. can be configurable.
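The domain-age gate that Bert64 and the Anonymous Coward above propose, as an added example (not code from the thread): parse the registration date from a WHOIS record, compare it with the receiving server's clock, and reject the sender domain at SMTP time when it is younger than a configurable threshold. The WHOIS excerpt is constructed and the domain is hypothetical; the `Creation Date:` field name is the one common gTLD registries return, and the example also accepts two older spellings.

```python
"""Reject sender domains younger than a configurable minimum age.

Added example, not from the Slashdot thread. SAMPLE_WHOIS is a constructed
record for a hypothetical domain.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_WHOIS = """\
Domain Name: FRESH-THROWAWAY.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2010-07-12T03:14:07Z
Registry Expiry Date: 2011-07-12T03:14:07Z
"""

# Matches the creation line under the field names registries commonly use.
_CREATION_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On)\s*:\s*(\S+)", re.I | re.M)


def parse_creation_date(whois_text):
    """Return the creation timestamp as an aware UTC datetime, or None if absent/unparseable."""
    m = _CREATION_RE.search(whois_text)
    if not m:
        return None
    raw = m.group(1)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def domain_age_verdict(whois_text, now, min_age=timedelta(days=30)):
    """SMTP-style verdict: 550 (permanent reject) for a young domain, 450 (temporary
    failure) when the age cannot be determined, 250 when the domain is old enough."""
    created = parse_creation_date(whois_text)
    if created is None:
        return (450, "4.7.0 Sender domain age unknown, try again later")
    age = now - created
    if age < min_age:
        return (550, "5.7.1 Sender domain is %d day(s) old, minimum is %d"
                % (age.days, min_age.days))
    return (250, "Sender domain age OK")


def check_domain_age(whois_text, now_iso, min_age_days=30):
    """String-only wrapper: `now_iso` like "2010-07-14T00:00:00Z"; returns the SMTP code."""
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return domain_age_verdict(whois_text, now, timedelta(days=min_age_days))[0]


if __name__ == "__main__":
    clock = datetime(2010, 7, 14, tzinfo=timezone.utc)
    print(domain_age_verdict(SAMPLE_WHOIS, clock))
    print(domain_age_verdict(SAMPLE_WHOIS, clock, timedelta(days=1)))
```

Returning a 5xx at SMTP time has the property XanC argued for earlier in the thread: the sending side learns the message was refused instead of it disappearing into a spam folder. Two practical caveats: WHOIS servers rate-limit queries and their record formats differ by registry, so a production filter caches results or uses a first-seen feed rather than querying per message; and a hard 30-day cutoff also refuses mail from genuinely new businesses, which is why most filters treat domain age as points added to a score rather than as a standalone reject.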
