
New Spam Zombies Use ISPs' Mailservers

samzenpus posted more than 9 years ago | from the trust-this-mail dept.

Security 383

RMX writes "CNet's reporting that the new spam zombie PCs are no longer acting as their own mailservers, but cooperate with the ISPs' recommendation that instead of running your own mail server, to use theirs instead."


383 comments


FP BEOTCHES (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11557629)

Re:FP BEOTCHES (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11557702)

What does that link do?

Eh? (3, Insightful)

Anonymous Coward | more than 9 years ago | (#11557631)

Is this just doing what normal email clients do already? Why didn't they think of it earlier?

Re:Eh? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#11557820)

Because you have to figure out the ip of the smtp server. Not to mention the smtp server may be throttled.

Re:Eh? (1)

JPriest (547211) | more than 9 years ago | (#11557928)

And before SPF you could get more done running the SMTP server on the infected box. Maybe this is a sign that SPF works.

Re:Eh? Because... (5, Insightful)

kd3bj (733314) | more than 9 years ago | (#11557921)

Why didn't they think of it earlier?

Because I suspect it doesn't work as well. It's pretty easy for an ISP to notice 100,000 emails from one sender pumping through their SMTP server, but relatively difficult to notice those mails when sent directly through the net. Also, outgoing servers are often set up with throttling.

Of course, nowadays, ISP's have no excuse in either scenario. There are plenty of network monitoring tools that will notice spamming.

violation of ISP contract? (4, Funny)

Starbreeze (209787) | more than 9 years ago | (#11557640)

Yeah, and then all those zombies lose their ISP accounts, and suddenly become much more aware of the need to secure their PC.

Re:violation of ISP contract? (3, Insightful)

enosys (705759) | more than 9 years ago | (#11557686)

That can also happen to zombies that send spam without using the ISP's SMTP server. If they do use the ISP's server, that should make the ISP notice sooner though.

Re:violation of ISP contract? (5, Insightful)

xtrvd (762313) | more than 9 years ago | (#11557756)

Telus, my ISP in British Columbia (Canada), already takes a fairly aggressive stance on this situation. In the past few years, they have realized that their clients are idiots and will open up any attachments they get in their email clients, even those great ones with .scr's from v1agra@sh0p0ur31337store.ch.

In order to stop their networks from becoming ridden with viruses, they simply closed off the accounts of whomever was infected. Sure, people complained, but in the end there were more people who were satisfied, since their computer only needed to be infected with one virus for them to notice. Instead of having a computer with 20+ self-propagating viruses, the user only had one when they realized they needed it fixed.

Joe Users seem to ignore popups and slow-downs of their computers as long as they can still connect to the internet and check their AOL email. As soon as they're disconnected, they will call up the ISP and find out how to get their computer fixed.

If these ISP's can take the same stance against zombies becoming spam servers, it shouldn't be long until Joe User is forced to learn how to use a firewall to protect himself from being disconnected.

As soon as we have ISP's that are *more* responsible for the content going through their networks, we'll have a better internet.

Re:violation of ISP contract? (5, Insightful)

CrackerJack9 (819843) | more than 9 years ago | (#11557804)

That would be great, but for some of the same reasons Joe User isn't already securing his PC is because he doesn't know where to start, let alone how to finish.

Let's say the ISP tells him to run ZoneAlarm (firewall for PCs), he will most likely end up just saying "Allow always" to any suspicious programs requesting internet access, or "Deny always" and he'll just have to call the ISP back to figure out why Windows can't open any TCP/IP connections....it's a great fix on paper, but I think there are a lot of other factors that need to be considered before you assume you can "just tell them to become computer security experts"

Re:violation of ISP contract? (4, Interesting)

xtrvd (762313) | more than 9 years ago | (#11557927)

I agree with you on making everybody a security expert. People simply don't have enough time to learn how to use a computer, especially if they just want to check their email on it. But if they cannot use their computer without it causing problems to the rest of us on the internet by being a Spam server, they need to take responsibility somehow.

I'm going to go on a stretch here. It's similar to driving a car (please note, I said similar, not the same as). You receive a license to use a car so that you can drive around in a controlled environment where other people reside: the public roadways. You can do whatever you want in your own environment (own PC), just as you can spin doughnuts in your backyard if you really want to.

You get your license to drive on the public roadways (Networks) and if you choose to not lock your car, then somebody else will steal it and hopefully the police will either take your car away (take your computer away) or they'll take your license away if you were the one actually doing the infraction. (ISP disconnects you from the internet)

If you are caught doing something bad in a car on public roadways, you should be punished; if you choose to turn on that computer that is not secured in any way, shape, or form, you should not be allowed to use it. [Don't yell at me yet]. If you're not prepared to get into a car and harness its abilities, then you'll want to start with a car that's attached to a track, like those ones the 4 year olds use in amusement parks.
You can consider those tracked cars like Macs; because with all due respect, you can't become a zombie computer without at least trying.

Until you learn to use a car, you'll never get a license to use it. Until you learn to use a computer, you shouldn't be on the internet.

My two cents.
Thanks for your insightful reply CrackerJack9.

Re:violation of ISP contract? (5, Insightful)

ErikZ (55491) | more than 9 years ago | (#11557964)


Yep. And the great thing about having a licence to use a computer is the immense power it gives the government over you.

Piss off someone in power? Take away your licence.

Mistakenly accused? Take away your licence until you clear things up.

Go up against the latest political hotbutton that no one takes seriously? To make it serious, they come up with a new punishment. Take away your licence!

A licence to operate a computer is a horrible, horrible idea.

Re:violation of ISP contract? (1)

X0563511 (793323) | more than 9 years ago | (#11558013)

Well, if it's not enforced extremely, if you can get around the licence, you obviously know enough of what you're doing anyway.

Maybe ISPs should do it, instead of the government. Or something. The idea has its merits.

OH NO!!!! (1, Offtopic)

Jeremiah Cornelius (137) | more than 9 years ago | (#11557807)

It's The end of the INNERNETS!

(I know there's been rumours on 'em)

Re:OH NO!!!! (1)

EnronHaliburton2004 (815366) | more than 9 years ago | (#11557878)

It's The end of the INNERNETS!

No, it's only the end of the Nucular Innernet.

Re:violation of ISP contract? (4, Interesting)

Seumas (6865) | more than 9 years ago | (#11557884)

What kind of crappy ISP delivers messages containing *.SCR, *.CPL, *.COM, *.PIF, *.BAT and so forth to their customers?!

And yes, Joe User tends to ignore popups, because a lot of the "professionals" are idiots. We have a radio program in Portland on the weekends hosted by some "long time computer experts". Every time the topic of "how to prevent popups" comes up, the host insists that your web browser has NOTHING TO DO WITH IT. Popups are entirely a problem with your machine being infected and you need to install a good virus scanner to avoid them.

People have called up and said "no, I think they're talking about web popups that you get when you visit a website without a popup blocker". Rather than suggesting people use Firefox or something, he actually says "If you're getting popups, it is because you've done something wrong and aren't protecting your PC". He refuses to acknowledge (and has for many months) that if you visit a website without some form of popup blocker, you'll often encounter popups BECAUSE THE WEBSITE IS SENDING THEM.

I mean... it baffles me that people like this are being treated like expert professionals and they're misleading thousands of people in the process of pumping up their own misguided ego.

Re:violation of ISP contract? (1)

Tripster (23407) | more than 9 years ago | (#11557919)

What kind of crappy ISP delivers messages containing *.SCR, *.CPL, *.COM, *.PIF, *.BAT and so forth to their customers?

One that charges extra for AV and Spam protection :)

The rest of us provide it free with ClamAV and SpamAssassin.

Re:violation of ISP contract? (1)

techno-vampire (666512) | more than 9 years ago | (#11558044)

I mean... it baffles me that people like this are being treated like expert professionals and they're misleading thousands of people in the process of pumping up their own misguided ego.

Who says he's really an expert at anything? For all I know the only thing he knows is how to keep people from securing their machines so that the popup ads on the sites he hosts can get through.

Re:violation of ISP contract? (4, Interesting)

RollingThunder (88952) | more than 9 years ago | (#11557923)

Heck, we had our Telus business ADSL shut down because somebody bounced through a wireless card on an XP laptop that the dumb**** marketing director had enabled the "provide access to the internet" or whatever it is via.

Our office was only on the 4th floor, and his system was right at the window, so somebody popped through and started doing crap on the Zone servers. Telus cut us off within a day, and I was damned impressed.

I was angry too - but not at Telus. At the marketing guy and myself (for leaving open outbound access). I fixed his system, and instituted "via proxy only" outbound for port 80, and no more problems.

eat shit, rob malda (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11557644)

How is this news?

Spammers have been doing this for years. Approximately as long as residential ISPs have been forcing all mail traffic through their SMTP servers.

I knew Slashdot took ages to get news, but this is just ridiculous.

Re:eat shit, rob malda (1)

Azeroth48 (855550) | more than 9 years ago | (#11557697)

Maybe it's that the zombies are now willingly using the ISP mail servers instead of being forced.

Re:eat shit, rob malda (0)

Anonymous Coward | more than 9 years ago | (#11557759)

Your post is stupid in so many ways.

First of all, they've been willingly doing it as long as they've been doing it. Why would they act against their will? That's the sort of nonsense the liberals on this forum spout.

Second of all, the elaborate game theory of the spam industry dictates that an ISP's mail server, by virtue of needing to be an open relay for a particular netblock, is highly valuable as all that is needed to use it is access to that netblock. Spammers spend months acquiring lists of open relays; being able to use an ISP's smtpd is gold.

And I posted your parent, too. And I mean it. Fuck you Rob Malda, this place used to be "news for nerds", now it's "news from two weeks to a year ago, filtered for bad grammar". I spend two years fighting in Iraq and I come back and this place has turned into an utter cesspit.

EAT A DICK (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11557856)

I spend two years fighting in Iraq and I come back and this place has turned into an utter cesspit.

This place was a cesspit two years ago, dumbass. It speaks volumes that you're just coming to this realization.

Big fucking donkey cock sucking deal, you spent two years fighting in Iraq. Why the hell did that need to be mentioned, shit for brains?

"I wasn't smart enough to involve myself with heavy drugs or crime to avoid being drafted! Yay me!"

I mean it. You're a fucking halfwit douchebag for bringing up the time you spent goose-stepping around a country that pretty much defeated itself in order to make your point that much more dramatic.

Get the fuck back on the plane, dickjam. It's infuriating to me that decent human beings are being killed daily over there while shitheels like yourself are being sent home.

hah (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11557647)

bogus

Simple solution (4, Interesting)

MarkRose (820682) | more than 9 years ago | (#11557648)

There's a very simple solution that many webhosting companies already use -- the ISP should force their users to authenticate with the server, using secure SSL. It's good practice any way, and doing so would make even more work for the spam bots (they would have to find the user's login and password for the SMTP server).

Re:Simple solution (5, Insightful)

kerrle (810808) | more than 9 years ago | (#11557676)

Or the bots could ignore that, and just send out with the default mail settings - most users would have OE set to remember password, so no real gain there.

Re:Simple solution (2, Insightful)

MarkRose (820682) | more than 9 years ago | (#11557796)

However, using authentication, ISP's can easily block users who begin to send out too many emails (most likely spam), forcing them to deal with the problem (or get the ISP to allow them to send large volumes), or at least stopping the spread of spam.

Re:Simple solution (2, Informative)

kerrle (810808) | more than 9 years ago | (#11557941)

ISP's can do that with or without SSL.

Trust me, I've set it up.

Re:Simple solution (0)

Anonymous Coward | more than 9 years ago | (#11557992)

If ISPs don't know what IP address infected users are using, who would? Surely they can block by IP as well.

Re:Simple solution (1)

unixbugs (654234) | more than 9 years ago | (#11557700)

This is also a very simple solution which webhosting companies also receive 300 calls a day about -- the ISP is effectively censoring internet traffic, and using SSL is not something joedomain.com is willing to pay for, and doing so would make even more work for internet users (spam bots will now be crafty enough to find the user's login and password for the SMTP server).

Re:Simple solution (0)

Anonymous Coward | more than 9 years ago | (#11557995)

What's so expensive about an SSL cert? The ISP can pay for theirs and sign certs for each domain that is necessary that utilizes their SMTP server. They don't have to buy a new cert for each and every person with their own domain. Sure, they might charge the user for it - but that's stupid. Which is more important, preventing spam from shaming your entire network or giving the user a cert that is - essentially - free to you?

As far as the end-user... there's nothing complex about using SSL. Most don't even know that they already are.

China and Spamming (0)

Anonymous Coward | more than 9 years ago | (#11557715)

Statistics show that China is the source of the bulk of spams [phrusa.org] . That spammers are now using the mail servers of ISPs is excellent news. ISPs can now track down the IP address and, ultimately, the physical location of the spammers. In this way, we know which IP addresses to block.

Score +1 for the rebel force. Score -1 for the Chinese empire.

Re:Simple solution (1)

enosys (705759) | more than 9 years ago | (#11557718)

Getting the user's login and password can't be that hard. One can easily find password recovery programs for Outlook Express. (I'm sure most of the people getting 0wned are using Outlook Express.)

Re:Simple solution (2, Insightful)

JVert (578547) | more than 9 years ago | (#11557774)

Agreed.

The user's machine is compromised. There is no method that can be widely adopted that will keep these programs from using the same functions that the computer does on a daily basis.

Re:Simple solution (2, Insightful)

SpottedKuh (855161) | more than 9 years ago | (#11557732)

[T]he ISP should force their users to authenticate with the server, using secure SSL.

It's a shame that people are so attached to their horrid Microsoft Outlook email client. Otherwise, two problems could be solved in one fell swoop: Have users SSH into the ISP email server, and use a simple client like Pine to send and receive their email.

First, this setup would enforce strong user authentication, as the parent wisely suggested. Secondly, it would eliminate that whole host of attacks against bad email clients (eg. Outlook) that the average computer user inexplicably blames on their ISP.

Years ago, in the days of the 56K modem, the Edmonton Freenet provided email service in which people dialed in and used Pine. It worked great -- it was simple, effective, and they even provided a little manual so that all of the Pine-neophytes could learn to use the system. I remember everyone from the young to the old learning to use the system, and getting along splendidly after the rather small learning curve.

Re:Simple solution (3, Insightful)

caino59 (313096) | more than 9 years ago | (#11557757)

oh yea...pine - my mom will be all over that one!

remember, you have to keep these dumbed down for the masses.

Re:Simple solution (1)

rpozz (249652) | more than 9 years ago | (#11558034)

With the obvious exception of configuring it, Pine is relatively easy to use.

Re:Simple solution (0)

Anonymous Coward | more than 9 years ago | (#11557844)

This is asinine. Are you living in 1993? Or, really, 1991? If you look at the user community:
1) 99% (yes, these days 99%) have no clue about the command line and don't want to. If you want to run a service for the L337's that's fine, but those are the users who DON'T need help. The others will flee to the doors if you attempt to force them to learn command-line fun.
2) They want more functionality than what pine (though I'm sure you would prefer they use mailx, or even mail) provides. Like, oh, say, text formatting. Believe it or not, even e-mail benefits from being able to use legitimate underlining/italics/etc., or even a serif font instead of fixed-width sans-serif.

Re:Simple solution (4, Informative)

Osty (16825) | more than 9 years ago | (#11557934)

It's a shame that people are so attached to their horrid Microsoft Outlook email client. Otherwise, two problems could be solved in one fell swoop: Have users SSH into the ISP email server, and use a simple client like Pine to send and receive their email.
First, this setup would enforce strong user authentication, as the parent wisely suggested. Secondly, it would eliminate that whole host of attacks against bad email clients (eg. Outlook) that the average computer user inexplicably blames on their ISP.

I'm going to assume you mean "Outlook Express" when you say "Outlook", otherwise your argument has no merit. Even then, Outlook Express isn't as bad as you make it out to be. For example, both Outlook and OE support SMTP-AUTH, via SSL or not (as well as both POP3 and IMAP-v4 over SSL). That addresses your first problem, which at this point is an ISP issue rather than an MTA issue. Your second point is really only valid for OE, and then only if you've never bothered to use Windows Update (in which case you're asking for other problems anyway). Outlook has blocked bad attachments since a service pack for Outlook 2000 (there have been two versions of Outlook since then, XP/2002 and 2003). Outlook 2003 (which is the only version I have installed right now, so I can only speak to other versions on memory) will also block malicious content in the body of the message itself (scripts, images linked to external sites, etc). If you're still getting infected by email viruses while using Outlook, you're either running a ridiculously old version, or you're explicitly overriding Outlook's protection mechanisms.

Moving everybody back to pine (or better, mutt, but that's my own personal preference) via ssh is not an acceptable solution. Forcing everybody through a webmail interface is only slightly better, but even that is not very desirable (see the new Outlook Live [msn.com] service from Microsoft that lets you read your hotmail email via Outlook rather than the web page, or RPC over HTTP [microsoft.com] in Exchange 2003 that lets you access corporate email without a VPN rather than using OWA).

Re:Simple solution (5, Funny)

mcc (14761) | more than 9 years ago | (#11557989)

Otherwise, two problems could be solved in one fell swoop: ... use Pine

But then they would have a third problem.

Re:Simple solution (3, Insightful)

danielcole (811536) | more than 9 years ago | (#11557735)

The simple problem of 'Remember my user id and password' negates your simple solution.

Re:Simple solution (0)

Anonymous Coward | more than 9 years ago | (#11557789)

Elementary. That's how AOL trojans that were called 'Password Stealers' used to work back in 1996 or so. Most users stored the password on their hard drive, so it was trivial for worms to get humongous lists of working AOL accounts/passwords.

Re:Simple solution (2, Interesting)

Seumas (6865) | more than 9 years ago | (#11557936)

Are you saying that major ISPs don't require authentication to relay mail?! I have Comcast, but I've never used their servers (I run my own externally). What do they do then, just base whether or not to relay based on whether or not you're in their IP blocks?

That's ludicrous. POP-BEFORE-SMTP or SMTP AUTH are extremely simple to setup without any additional complexity on the user's end. If the ISPs are not protecting their mailservers, then I would suggest this is THEIR problem - not the end-user.

Why aren't they using SMTP-AUTH? (3, Informative)

PornMaster (749461) | more than 9 years ago | (#11557651)

I really don't understand why they don't just use SMTP-AUTH. This shouldn't be something that's such a huge deal... and certainly shouldn't come anywhere near what this guy said in the article...

"The e-mail infrastructure is beginning to fail," Linford warned. "You'll see huge delays in e-mail and servers collapsing. It's the beginning of the e-mail meltdown."

Re:Why aren't they using SMTP-AUTH? (3, Insightful)

LostCluster (625375) | more than 9 years ago | (#11557668)

I don't see how that solves this problem. If the malware can read the configuration of the host's e-mail program, it can imitate any authorization you throw at it...

Re:Why aren't they using SMTP-AUTH? (4, Informative)

PornMaster (749461) | more than 9 years ago | (#11557716)

Not only does it authenticate the user, it also provides a way to revoke authorization on a per-user basis in a way that still allows the user to receive a mail explaining why they're unable to send mail -- simply shutting off the user's internet access doesn't do this, and putting in ACLs to block only port 25 from their IP probably isn't practical on many ISPs' infrastructures.

Re:Why aren't they using SMTP-AUTH? (2, Insightful)

Yobgod Ababua (68687) | more than 9 years ago | (#11557798)

Of course, if the user doesn't let their mail client "remember" their password (I never trust mail clients to remember anything for me), then the virus would indeed be unable to complete its evil plan.

They'd need to take the time to write a more sophisticated version of the trojan that first does some keystroke logging to steal your AUTH password, -then- sends spam with it.

Once a virus allows "a remote attacker to gain complete control of your computer", there's really nothing that you could do that they won't be able to. Very disturbing how many MS virus alerts contain that very unpleasant phrase...

MMMMmmmm (2, Funny)

Azeroth48 (855550) | more than 9 years ago | (#11557658)

MMMMmmmmm Brai.... Oops. MMMMmmmmm Spam

Many ISP mail servers get blacklisted now? (5, Interesting)

enosys (705759) | more than 9 years ago | (#11557662)

Will many ISP SMTP servers get automatically blacklisted because of this?

Re:Many ISP mail servers get blacklisted now? (2, Informative)

slimme (84675) | more than 9 years ago | (#11557800)

I work for an ISP and our mailservers do get blacklisted by AOL sometimes. Some of our customers complained and that is how we found out.

The ISP I work for mandates the use of their mailserver for outgoing e-mails and limits the number of mails that can be sent in a certain timeframe.

Re:Many ISP mail servers get blacklisted now? (0)

Anonymous Coward | more than 9 years ago | (#11557808)

It's already happening. My ISP has ended up on an RBL a couple times now.

Re:Many ISP mail servers get blacklisted now? (1)

1u3hr (530656) | more than 9 years ago | (#11557873)

Will many ISP SMTP servers get automatically blacklisted because of this?

You may be joking, but this is already happening. I can't send mail to AOL or Netscape.com because they claim my ISP sends too much spam, and provide no method of redress or whitelisting. Another local ISP keeps throttling my messages (not rejecting outright, but delaying) because of "too many connections from your server". In both cases a combination of stupidity and arrogance, triggered perhaps by spambots like these, is preventing me from sending mail (personal direct mail; not bulk).

Catching the spammers is probably impossible. Catching the assholes who pay them to advertise their products is easy -- follow the money. Credit card merchant accounts require lots of ID.

Re:Many ISP mail servers get blacklisted now? (1)

Ramses0 (63476) | more than 9 years ago | (#11557974)

This is a good thing (IMHO, IANA-SysAdmin). If an ISP gets their mailserver blacklisted because their customers' computers are full of crap, it encourages ISPs to take more responsibility for the traffic that's flowing through their network.

Actually, that's a really bad thing, but 90% of people are stupid, and 90% of windows installs (IMHO) are crap so it's not always the end user's fault. Maybe it's this OSX-like influence seeping in to me, but if all you want to do is check email and browse the web, your computer shouldn't catch random viruses and explode.

--Robert

SMTP Authentication (1, Redundant)

GrAfFiT (802657) | more than 9 years ago | (#11557663)

Now just force SMTP Authentication on the ISP side. They didn't implement it just for fun. Everybody put his login/password in the pop3/imap textboxes, just put your login/password in the smtp textboxes. Won't kill anyone.
Problem instantly resolved.

Re:SMTP Authentication (1)

mcrbids (148650) | more than 9 years ago | (#11557711)

Now just force SMTP Authentication on the ISP side. They didn't implement it just for fun. Everybody put his login/password in the pop3/imap textboxes, just put your login/password in the smtp textboxes. Won't kill anyone.

Also won't do much good. This is a young thread, and I've already seen several suggestions like this.

See, Outlook (Express) keeps that login information handy so that it can send a message without buggering you for said login information.

What's to say that the virus/worm won't use a COM call to tell OE to send the spam, effectively bypassing

A) SMTP-AUTH
B) SSL
C) TLS

and whatever else is set up.

What I'd suggest to the ISP is to put a virus filter on the mail server, require smtp_auth, and then block relaying for a client (with a descriptive error message) when they try to send a virus infected message.

Don't turn it on until the customer swears up and down they have CURRENT antivirus package installed.
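The policy described in this post and in the SMTP-AUTH posts above (relay only for authenticated users, count what each user sends in a window, and refuse further relaying with a reply that says why), written out as an added example. This is not code from the article, the thread, or any ISP's mail software; the submission record format, user names, thresholds and the abuse address are constructed assumptions for the example.

```python
"""Per-user submission rate limiting with a descriptive rejection.

Added example, not code from the article or from any ISP: it models the
policy described in the thread (require SMTP AUTH, count messages and
recipients per authenticated user in a sliding window, stop relaying for a
user who exceeds the limit and say why). The record format, user names,
thresholds and the abuse address below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed submission record: one line per message offered to the relay.
# auth is the SASL user name, or "-" when the client did not authenticate.
RECORD_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) auth=(?P<user>\S+) rcpt=(?P<rcpt>\d+)$"
)

ABUSE_CONTACT = "abuse@example.net"  # placeholder address


class SubmissionPolicy:
    """Sliding-window per-user limits; once exceeded, the user stays blocked."""

    def __init__(self, max_messages=100, max_recipients=500, window=timedelta(hours=1)):
        self.max_messages = max_messages
        self.max_recipients = max_recipients
        self.window = window
        self.history = defaultdict(deque)  # user -> deque of (timestamp, recipients)
        self.blocked = {}                  # user -> reason given at block time

    def decide(self, record):
        """Return (action, smtp_reply) for one submission record."""
        m = RECORD_RE.match(record)
        if m is None:
            raise ValueError(f"unparseable record: {record!r}")
        ts = datetime.fromisoformat(m["ts"])
        user, rcpt = m["user"], int(m["rcpt"])

        # 1. Relay only for authenticated users, never merely by source address.
        if user == "-":
            return ("reject", "530 5.7.0 Authentication required")

        # 2. A user already cut off keeps getting the same explanation,
        #    so a legitimate owner learns why their mail stopped going out.
        if user in self.blocked:
            return ("reject", f"550 5.7.1 Sending disabled: {self.blocked[user]}; contact {ABUSE_CONTACT}")

        # 3. Drop history older than the window, then add this message.
        q = self.history[user]
        while q and ts - q[0][0] > self.window:
            q.popleft()
        q.append((ts, rcpt))
        msgs = len(q)
        rcpts = sum(r for _, r in q)

        # 4. Exceeding either limit blocks the user and names the limit hit.
        if msgs > self.max_messages:
            reason = f"more than {self.max_messages} messages in {self.window}"
        elif rcpts > self.max_recipients:
            reason = f"more than {self.max_recipients} recipients in {self.window}"
        else:
            return ("accept", "250 2.0.0 Ok")
        self.blocked[user] = reason
        return ("reject", f"550 5.7.1 Rate limit exceeded: {reason}; contact {ABUSE_CONTACT}")


def run(records, policy):
    """Apply the policy to records in order; return the list of actions."""
    return [policy.decide(r)[0] for r in records]


# Constructed sample: alice's client starts pumping mail, one client never
# authenticated, carol sends at a normal pace two hours apart.
SAMPLE = [
    "2005-02-01T09:00:00 client=10.0.0.5 auth=alice rcpt=1",
    "2005-02-01T09:00:05 client=10.0.0.5 auth=alice rcpt=1",
    "2005-02-01T09:00:10 client=10.0.0.5 auth=alice rcpt=1",
    "2005-02-01T09:00:15 client=10.0.0.5 auth=alice rcpt=1",
    "2005-02-01T09:00:20 client=10.0.0.5 auth=alice rcpt=1",
    "2005-02-01T09:01:00 client=10.0.0.9 auth=- rcpt=40",
    "2005-02-01T09:02:00 client=10.0.0.7 auth=carol rcpt=2",
    "2005-02-01T11:02:00 client=10.0.0.7 auth=carol rcpt=2",
]

if __name__ == "__main__":
    policy = SubmissionPolicy(max_messages=3, max_recipients=20)
    for rec in SAMPLE:
        action, reply = policy.decide(rec)
        print(f"{action:6} {reply}   <- {rec}")
```

The thresholds are deliberately tiny so the sample trips them; a real deployment would size them to the customer base and log the block so the abuse desk can follow up. The point the thread makes still holds: a stolen stored password lets the bot authenticate, so the limit and the explanatory reply are what contain the damage, not the authentication alone.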

Unnamed processes (3, Insightful)

Dancin_Santa (265275) | more than 9 years ago | (#11557664)

I was reading about the "American GI (Joe) captured in Iraq" yesterday and the same thought crossed my mind today.

If you are going to tell everyone that spam zombies (or terrorist websites) are out there, why don't you give details like processname (or website URL)?

It does no one any good if you just say, "Hey, there's a chance your computer may be infected and is a zombie spammer," if you don't also tell us the zombie process name.

Re:Unnamed processes (1)

Yobgod Ababua (68687) | more than 9 years ago | (#11557748)

Um... there's a -lot- of possible names they might be using, and more than one vector that can result in zombification.

Consult your preferred anti-virus vendor's online database for more detailed information.

Re:Unnamed processes (0)

Anonymous Coward | more than 9 years ago | (#11557813)

Consult your preferred anti-virus vendor's online database for more detailed information.

Sounds like the typical "netadmin" response. It looks like a valid and helpful response, but it is merely passing the buck to the user who is least able to understand the issue.

Re:Unnamed processes (5, Insightful)

rusty0101 (565565) | more than 9 years ago | (#11557828)

That presumes that the process name will be pre-defined. We already have viruses that generate a new name for their executable, or library, and use that name to modify the workstation or server's database to automatically launch it each time the computer is rebooted. If this virus also is generating spam, it will be run with the process name of the executable or library, and at best you will see a process name that you don't recognize. Considering the fact that a significant percentage of the population of computer users do not even know how to bring up the task list, much less know what each process that normally runs is, is named, or does, telling them to kill off any process that looks like 'libraryname0.dll' is not going to be particularly helpful.

Your best bet is to find a personal firewall that asks you if application x is allowed to generate network traffic. Hopefully the firewall will tell you more, such as the type of traffic the application is attempting to generate, but even that can be more information than a general user is prepared to try to assess.

If your firewall tells you that 'tobmaps.exe' is trying to send e-mail to your ISP's mail server, you might tell it no, don't allow that sort of traffic. If it tells you that 'tobmaps.exe' is attempting to connect to login.yahoo.com via http, you might inadvertently allow it, even though login.yahoo.com is the first step towards sending e-mail through Yahoo.

In most cases, however, you can probably tell your personal firewall to block all traffic to any IRC network, unless you specifically approve the app and know what you are doing. Of course, over time spambots are going to move on from IRC channels to Instant Messaging services, to various p2p applications, if they haven't already.

Saying 'kill off any process named xyz-abc.exe' is all well and good, but is probably going to be a one shot solution to a small subset of the people infected with a spambot.

-Rusty

This is why some isp's.. (3, Informative)

lordsilence (682367) | more than 9 years ago | (#11557667)

throttle the amount of e-mails a customer can send per time-period.. and the max amount of "BCC, CC" addresses.

It's just a hell and takes lots of time to go through contacting abuse-department of ISP's like AOL and Verizon who decide to block for very few spam-reports. Even though the damage of spambot-infested computers on your own network is limited.

Authentication (1)

Airconditioning (639167) | more than 9 years ago | (#11557669)

My ISP requires me to authenticate against their server when I send mail. In theory, that should negate the problem right?

Re:Authentication (0)

Anonymous Coward | more than 9 years ago | (#11557753)

> My ISP requires me to authenticate against their server when I send mail. In theory, that should negate the problem right?

Yea, there would have to be some kind of malware on your computer that captured your password from your legitimate e-mail application.

Re:Authentication (0)

Anonymous Coward | more than 9 years ago | (#11557768)

Depends, if the zombie program can read your credentials, it could possibly use them to send mail.

Re:Authentication (2, Informative)

Todd Knarr (15451) | more than 9 years ago | (#11557986)

It probably won't. Your e-mail client likely remembers your password for you, no? So if your mail client knows the password, what's to stop the Trojan from pulling the password out of where the mail client stored it? And since you're probably using Outlook Express, the Trojan knows exactly where to go. Thank you convenience features.

This is easier to solve (4, Insightful)

digitalgimpus (468277) | more than 9 years ago | (#11557670)

Unlike when they did it on the clients, this puts it through a limited number of gates.

ISP's will likely start limiting outbound email to x email/hr. Companies and ISP's will likely start monitoring and kill quicker.

This will benefit spammers for a very short period, then bite them in the ass.

ISP's and companies aren't going to tolerate a spike in CPU usage, and possible blacklisting if they can take care of it. They will start blocking IP's from sending mail, etc. etc.

Assuming the Zombie's ISP doesn't notice (1, Interesting)

bigtallmofo (695287) | more than 9 years ago | (#11557673)

What ISP isn't going to notice thousands if not millions of rapid-fire connections to its SMTP server?

Re:Assuming the Zombie's ISP doesn't notice (1)

thetoastman (747937) | more than 9 years ago | (#11557930)

There are a lot of second and third tier ISPs that won't notice or won't care to do anything about it. Worm and virus writers will just have to aim their target systems a bit more carefully.

You can already see this happening in the way that spammers use Usenet news servers. The big players watch their queues closely and quickly boot spammers. Other Usenet server companies give lip service to controlling spam by just cancelling (or claiming to cancel) accounts. The next day the same people are in operation with a new account on the same server.

I don't see why this wouldn't happen as virus and spambot writers become more focused. Eventually, the ISPs that don't police their queues will get blacklisted, while those that do, won't.

This of course begs the question of what constitutes policing. One way to manage this is by logging queues against IP addresses. Queue lengths generated by an IP address that are outside a certain threshold get closer examination.

Zombie trick expected to send spam sky-high - text (1)

solafide (845228) | more than 9 years ago | (#11557677)

Maybe I won't get terrible karma for this... And look at the date before you say redundant!

Spam levels are about to skyrocket, according to experts who warned this week that spammers have developed a new way of delivering their wares.

According to the SpamHaus Project--a U.K.-based antispam compiler of blacklists that block 8 billion messages a day--a new piece of malicious software has been created that takes over a PC. This "zombie" computer is then used to send spam via the mail server of that PC's Internet service provider. This means the junk mail appears to come from the ISP, making it very hard for an antispam blacklist to block it. Previously, zombie PCs have been used as mail servers themselves, sending spam e-mails directly to recipients.

"The Trojan is able to order proxies to send spam upstream to the ISP," said Steve Linford, director of SpamHaus. Linford believes that this Trojan horse was created by the same people who write spamming software.

ISPs in the United States may have already been hit. "We've seen a surge in spam coming from major ISPs. Now all of the ISPs are having large amounts of spam going out from their mail servers," Linford said. This will cause serious problems for the e-mail infrastructure, as it is impractical to block mail with domain names from large ISPs.

Linford predicts that ISPs will see a growth in the volume of bulk mail they send and receive over the next two months, with spam levels rising from 75 percent of all e-mail to around 95 percent within a year. "The e-mail infrastructure is beginning to fail," Linford warned. "You'll see huge delays in e-mail and servers collapsing. It's the beginning of the e-mail meltdown."

Linford said that ISPs need to act fast to take control of the problem. "They've got to throttle the number of e-mails coming from ADSL accounts. They are going to have to act quickly to clean incoming viruses. ISPs have so much spam--they are too understaffed to call people up and tell them they have Trojans on their machines. And no one would know what you're talking about."

Antispam company MessageLabs confirmed Linford's findings. "This ups the ante in the need for filters," said Mark Sunner, chief technology officer for MessageLabs. "It makes it more difficult for people who compile blacklists, which is why spammers are doing this. It will put more pressure on ISPs to take greater interest in the traffic they carry and filter at source."

The Information Commissioner's Office, the United Kingdom's point-of-call to report spam, said it had received no complaints of bulk spam from ISPs.

Some U.S.-based ISPs contacted by News.com said an e-mail meltdown has yet to arrive. But technicians at some of the largest Internet providers have acknowledged the issue and similar exploits in the past. Many, but not all, U.S. ISPs have blocked open relay ports, such as port 25, to shut out spammers from disseminating messages from home-operated servers. The block has helped some broadband ISPs limit the output of zombie spam, and some have noticed the new form of malware taking shape.

Time Warner Cable, the nation's second largest cable company, said it had become aware of this spam "vector," as it calls it, and has mechanisms to control it, according to company spokesman Keith Cocozza. He noted that the company's ISP, called Road Runner, has outgoing e-mail limits in place, but declined to elaborate on how the company monitors and responds to this malware issue.

Earthlink, which runs a dial-up and broadband service, said it noticed a gradual increase in spam volume coming from its legitimate mail servers since the beginning of 2004. The company claims it has implemented safeguards, such as authenticated SMTP servers and re-routing of legitimate e-mail, to cut down the flow.

"Overall we've been able to greatly reduce the amount of spam from our network by routing activities and applying chokepoints," said Trip Cox, Earthlink's chief technology officer. Cox added that the measures have reduced spam from 30 percent of the ISP's total e-mail volume to 2 percent.

Re:Zombie trick expected to send spam sky-high - t (0)

Anonymous Coward | more than 9 years ago | (#11557720)

If you are going to karma whore, at least format the fucking article properly.

Re:Zombie trick expected to send spam sky-high - t (0)

Anonymous Coward | more than 9 years ago | (#11557723)

Ever heard of a little thing called "formatting?"

Re:Zombie trick expected to send spam sky-high - t (4, Funny)

hunterx11 (778171) | more than 9 years ago | (#11557741)

If you're karma whoring, at least have the decency to format your text. Only some people hate whores, but everybody hates ugly whores.

Re:Zombie trick expected to send spam sky-high - t (1)

solafide (845228) | more than 9 years ago | (#11557819)

It automatically HTML formats it and I forget to plain-text it.

Re:Zombie trick expected to send spam sky-high - t (0)

Anonymous Coward | more than 9 years ago | (#11557805)

Dude. Paragraphs are our friends.

Bring back Make Love not Spam... (1)

bennomatic (691188) | more than 9 years ago | (#11557688)

I think that they had the right idea. The only way to stop these b@$t@rds is to hit them in the wallet. If they were physically nearby, there's somewhere else I'd like to hit them, but if you make spamming unprofitable through bandwidth usage, that'll change the whole dynamic.

I know two wrongs don't make a right, but--grrrrrrr--I HATE how these spammers work.

Re:Bring back Make Love not Spam... (2, Funny)

Requiem Aristos (152789) | more than 9 years ago | (#11557743)

> I know two wrongs don't make a right, but--grrrrrrr--I HATE how these spammers work.

I fail to see the second wrong. Perhaps you are equating legality with morality?

Polite Zombie (2)

Jim Ethanol (613572) | more than 9 years ago | (#11557707)

You gotta love a Zombie that plays by the rules...

It'll be interesting to see how this affects ISP's Service Agreements:

"The customer, nor any device connected to the customer's network will not for any reason, send emails regarding 'P3n15 Enl4rgm3n7!!!', etc.. etc.."

Buuhahaha...

Bah hah hah hah (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11557708)

Bah hah hah hah ha. Hey, they asked for it!!

can we expand the war on terra to include spammers (5, Funny)

trolluscressida (564353) | more than 9 years ago | (#11557738)

I would love to see a Special Ops unit bust down the walls of a spammer's house, beat him, gag him, beat him again, send him to Guantanamo Bay for eternity, and then C-4 the spam servers.

Everyone should write their congressmen [house.gov] requesting this.

Re:can we expand the war on terra to include spamm (1)

theparanoidcynic (705438) | more than 9 years ago | (#11557906)

But we all know how competent our government is on these matters . . . . .

"ONLY TERR . . . er . . . . SPAMMERS HAVE PORT 25 OPEN!!"

Email Meltdown my ass (5, Funny)

mg2 (823681) | more than 9 years ago | (#11557746)

If we just switched to a secure email system (SSL/TLS, or whatever), a lot of these dumb problems would go away.

Yes, I know some mail clients don't support this functionality, but come on. Name one of the modern clients that won't do it. Thunderbird, Mail.app, Eudora, Outlook ... they all know how.

I suppose then you just have to convince users. This, though, should be the easiest part:

Dear User,
This email is to notify you that your neighbor has been receiving your monthly e-bank statements and password confirmation emails because you are stubborn and insist on using insecure email protocols.

Incidentally, we'd like to thank you for your subscription to DAILY LESBIAN ACTION MAIL!!!1

Re:Email Meltdown my ass (1)

thetoastman (747937) | more than 9 years ago | (#11557984)

I would really like my ISP (both of them) to use SSL/TLS for email.

Unfortunately, neither of them do. Shoot, one ISP doesn't even protect its web mail client via https. Needless to say I don't send or receive ANY important mail using that ISP.

What's even more irritating about this ISP is that your account information is protected by the same username/password as your default mail account. Who knows what fun could be had with this information.

I've talked to tier two support about this issue several times for months with no change or resolution. I won't do the questionable thing and publish the ISP's name on Slashdot (or anywhere else) just yet.

However, the next step is to call their corporate office and see if I can't get some attention.

email meltdown? (1)

RLiegh (247921) | more than 9 years ago | (#11557750)

Frankly, I haven't used my ISP's email regularly since 1999 or so. Instead, I've used yahoo (which already has problems with people spamming from @yahoo.com and deals with it).

Instead of bringing about some sort of "email meltdown" won't this simply push email into being a web-based service instead of an isp-provided service?

Great (2, Funny)

bahamat (187909) | more than 9 years ago | (#11557782)

Since they're cooperating so wonderfully, has anybody thought to ask them to stop sending spam?

CAPTCHA (1)

GrAfFiT (802657) | more than 9 years ago | (#11557792)

Force users to install one of these insane Captcha thingies [rr.com] as plugin to their Outlook Express client. That would work for sure. By the way it would prevent your 6 year old son from sending stupid emails to your coworkers. Or maybe not. Yeah, they should force you to physically come to the ISP headquarters with your .eml on a floppy disk.

Global, realtime spamlist? (1)

TheDarkener (198348) | more than 9 years ago | (#11557795)

This might be a little OT, but I've been thinking about this, and I'm not sure if there is something like it...Think a global repository (Thunderbird style) of spam, which your e-mail client feeds off of. You mark something as junk, and it uploads that addition to the DB that everyone else feeds off of in realtime. Wouldn't this work? Wouldn't it virtually eliminate spam (or at least cut it back DRASTICALLY)..? You could even go a step further to allow SMTP servers to access the list as well, and nuke spam before it even gets to the end user.

Re:Global, realtime spamlist? (2, Informative)

Yobgod Ababua (68687) | more than 9 years ago | (#11557862)

So... something like Vipul's Razor?

It's not quite as trivial to set up as you suggest, because of two things...

  • First, not everyone agrees exactly on what is or isn't spam.
  • Second, and more importantly, spammers and other undesirables will attempt to poison your list.

Fortunately, people are already working together to make this work. Pyzor is another similar effort.

Spamassassin has hooks built in to interface to both Pyzor and Vipul's Razor.

Maybe ISPs should just start running spamassassin (or something similar) on all outgoing email and blocking everything that scores too high... this would slow down their servers slightly, but would cut spam drastically across the board.

Death of the net predicted - pictures at 11. (2, Funny)

Michael Woodhams (112247) | more than 9 years ago | (#11557799)

"The e-mail infrastructure is beginning to fail," Linford warned. "You'll see huge delays in e-mail and servers collapsing. It's the beginning of the e-mail meltdown."

We're winning (5, Insightful)

SiliconEntity (448450) | more than 9 years ago | (#11557802)

This is the best sign yet that we're winning the war on spam. This is exactly what measures like SPF were designed to induce - forcing zombies to go through the ISP rather than sending mail themselves.

Now all the ISPs have to do is to filter and detect sudden jumps in email traffic. It will be easy for them to detect systems which have been infected. This will catch the small number of users who suddenly start running high volume email lists from their home systems, but those cases will be few enough that they can be dealt with manually.

This is the beginning of the end for the zombie spam problem!

Re:We're winning (1)

Anarchitect_in_oz (771448) | more than 9 years ago | (#11557981)

You would have to say this is a win for SPF, greylisting and the other methods which push for proper mail sending behaviour.

Is spam such a huge problem, really? (1)

JanneM (7445) | more than 9 years ago | (#11557836)

For me, the amount of spam I receive has gone down steadily for the past year, on all my email accounts, as ISPs and other email providers have improved their filtering capabilities.

Looking at my spam folder, I get between five and eight spam mail per day delivered, most of which I never saw since I also filter locally with spamassassin (this does not count those tagged as spam by my ISPs). A year ago, the number would have been ten to twenty times higher.

If anything, I get the distinct impression that if we aren't defeating the spammers, we certainly aren't losing either.

Re:Is spam such a huge problem, really? (1)

Tripster (23407) | more than 9 years ago | (#11557901)

I've managed to cut incoming spam to two ISP MTAs by about 75% by moving SpamAssassin to the SMTP level, anything over a 10.0 is refused at the door.

RBLs already stop a large percentage before it even reaches the SpamAssassin check, so even if the spammer switch to using ISP MTAs when they can the SpamAssassin bit will likely still result in refusal.

It is pissing off the spammers .. to get past the RBLs only to be stopped by SA means they have to make their junk more and more legit looking and that is tough when new versions of SA tag any included domains quickly.

Re:Is spam such a huge problem, really? Yes! (2, Insightful)

kd3bj (733314) | more than 9 years ago | (#11558000)

As an ISP, I can tell you that for the last two years we put all of our R&D money into fighting spam. For us, that's about $100/yr per customer. That's a lot of money pissed away, and it's damn near bankrupting us.

But more significantly, it represents a massive opportunity cost. There are all sorts of cool things we could have created for our users that we haven't been able to get to because we were tied up with weekly SpamAssassin upgrades. Spam is short circuiting the work of a lot of the most brilliant people into totally profitless endeavors.

Not surprised.... (1)

Skylark-101 (462524) | more than 9 years ago | (#11557850)

Not difficult, just do an MX lookup on the current host DNS and then use the results for an SMTP host. I've been wondering how long it would take for the virus writers to figure this one out. Most Blacklists have a list of zombie IPs, so SMTP servers will just start getting on them now.

Most ISPs have limits (3, Interesting)

appleprophet (233330) | more than 9 years ago | (#11557854)

First of all, most ISPs require you to authenticate in some way. Either they require a login/password or more often, they wait until you check your POP3 email and give you a 30 minute window to send email without authentication.

Secondly, ISPs often have a limit to how fast you can send mail or how many per day you can send.

I don't really see this as a problem.

Re:Most ISPs have limits (1)

SirTalon42 (751509) | more than 9 years ago | (#11557931)

Though ISP's like comcast DON'T require authentication (and authentication doesn't work that well for users like me who WANT it), they allow you to spoof your e-mail address, and I don't believe they have any caps on e-mails.

Re:Most ISPs have limits (1)

Newtonian_p (412461) | more than 9 years ago | (#11557933)

> First of all, most ISPs require you to authenticate in some way.

In my experience, most ISPs only require you to be on their network in order to use their SMTP server. No authentication required.

Anti-Virus? (1)

peeledback (649168) | more than 9 years ago | (#11557855)

Wouldn't an anti-virus program fix this? Are all the zombies unprotected machines? If so, couldn't the ISP's (I know Cox does) disconnect their service until the problem is fixed? (Or at least temporarily let them back on to download an A/V program)

inbound smtp cannot be filtered easily (0)

Anonymous Coward | more than 9 years ago | (#11557868)

this is #oldnews... spammers have been doing this for 5 years... they just look at the mx, and connect like a normal client.
the easiest way is to use an rbl/sbl/xbl blacklist service. Some mail firewalls easily integrate this -
barracudanetworks.com

Simple ISP based Solution (1)

OleManRiver (733406) | more than 9 years ago | (#11558019)

I think the only way to cut down on spam without making everyone change email clients, or re-write the protocols, is to enforce ISP based spam blocking.

This means that an ISP's customers must use the mail server of their ISP - otherwise all their SMTP traffic gets dumped. Second, the ISP must monitor how many outbound messages a customer's computer is sending. If they go above an email a minute (perhaps averaged out over an hour? half an hour?) their SMTP access is blocked, either permanently (until the customer rings the ISP) or for a set amount of time, after which access is restored. If they keep tripping out their SMTP access, the ISP should block them automatically.

When the user calls the ISP complaining about how they can't send email, the ISP must have good staff able to walk them through downloading, installing and configuring anti-virus and firewall utilities.

your thoughts?
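The outbound throttling several posters describe (lordsilence's per-period message and CC/BCC caps, thetoastman's per-IP queue thresholds, and the one-message-a-minute-averaged-over-an-hour rule with temporary then permanent blocking proposed just above), worked through as an added example that is not code from the thread or from any ISP. It runs a sliding-window submission throttle over a constructed log; the log format, the IP addresses, the 50-recipient cap, the 6-hour block and the three-strikes rule are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_PER_HOUR = 60               # "one e-mail a minute averaged over an hour" (figure from the thread)
MAX_RCPTS = 50                  # assumed cap on To/Cc/Bcc recipients per message
WINDOW = timedelta(hours=1)     # sliding window the per-hour count is measured over
BLOCK_FOR = timedelta(hours=6)  # assumed automatic block length before access is restored
STRIKES_TO_PERMABLOCK = 3       # assumed: after this many trips, block until a human clears it

class SubmissionThrottle:
    """Per-client-IP outbound submission policy for an ISP's MSA/MTA."""

    def __init__(self, max_per_hour=MAX_PER_HOUR, max_rcpts=MAX_RCPTS):
        self.max_per_hour = max_per_hour
        self.max_rcpts = max_rcpts
        self.history = defaultdict(deque)   # ip -> submission timestamps inside the window
        self.blocked_until = {}             # ip -> datetime the block expires
        self.strikes = defaultdict(int)     # ip -> how often the rate limit has tripped

    def check(self, ts, ip, rcpts):
        """Decide one submission: accept, reject-rcpts, reject-rate or reject-blocked."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return "reject-blocked"
        if rcpts > self.max_rcpts:
            return "reject-rcpts"           # oversized recipient list; not counted as a send
        window = self.history[ip]
        while window and ts - window[0] >= WINDOW:
            window.popleft()                # evict submissions older than the window
        window.append(ts)
        if len(window) > self.max_per_hour:
            self.strikes[ip] += 1
            permanent = self.strikes[ip] >= STRIKES_TO_PERMABLOCK
            self.blocked_until[ip] = datetime.max if permanent else ts + BLOCK_FOR
            window.clear()
            return "reject-rate"
        return "accept"

def parse_line(line):
    """Parse one constructed log line: 'ISO-timestamp client_ip recipient_count'."""
    ts, ip, rcpts = line.split()
    return datetime.fromisoformat(ts), ip, int(rcpts)

def make_sample_log():
    """Constructed log: a normal user, one oversized mailing, and a zombie burst."""
    t0 = datetime(2005, 2, 1, 10, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=15 * i)).isoformat()} 10.0.0.7 2" for i in range(4)]
    lines.append(f"{(t0 + timedelta(minutes=5)).isoformat()} 10.0.0.9 200")
    lines += [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} 10.0.0.42 1" for i in range(90)]
    return sorted(lines)   # fixed-width ISO timestamps sort chronologically as strings

def run(lines):
    """Feed a log through the throttle; returns verdict counts and the blocked IPs."""
    throttle = SubmissionThrottle()
    counts = defaultdict(int)
    for line in lines:
        counts[throttle.check(*parse_line(line))] += 1
    return dict(counts), sorted(throttle.blocked_until)

if __name__ == "__main__":
    verdicts, blocked = run(make_sample_log())
    print(verdicts)   # the zombie's first 60 messages get through, the rest are refused
    print(blocked)
```

The normal user's four messages and the zombie's first sixty are accepted; the 200-recipient mailing is refused outright, the sixty-first burst message trips the rate limit, and the remaining twenty-nine are refused while the block is in force.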