
How Hackers Identify Their Targets

Zonk posted more than 7 years ago | from the drawing-a-bead dept.

narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. Huston says that among the four common ways that spam is spread, the most common method that spammers use is via open relays. Huston's research also revealed that 'they were doing much more server analysis' than he had expected and that they take a multi-step approach: 'They scan the server for proper RFC compliance, and then they send a test message to a disposable address. Only after these are complete did they adopt the tool to dump their spam.'"

95 comments

How Hackers Identify Their Targets: (5, Funny)

Anonymous Coward | more than 7 years ago | (#16116821)


1) Look for SSID "Linksys"
2) Connect
3) ????
4) Profit!

Re:How Hackers Identify Their Targets: (1)

crashelite (882844) | more than 7 years ago | (#16117590)

dood this granny has a 10 meg down and a 5 meg up SPAM CITY MAN!!!

Duh... It's so obvious... (1)

creimer (824291) | more than 7 years ago | (#16116834)

The Microsoft Windows logo is a dead giveaway. It screams "Bite Me!"

Re:Duh... It's so obvious... (1)

JeanBaptiste (537955) | more than 7 years ago | (#16116860)

... because sendmail has never had any security vulnerabilities....

Re:Duh... It's so obvious... (3, Informative)

laffer1 (701823) | more than 7 years ago | (#16116968)

Like sendmail is the only mail server to ever have a security problem. iMail and Netscape/iPlanet/Sun One/Java Enterprise mail server come to mind. Even the holy grail of mail servers (to some) has had issues in the past.

See http://postfix.it-austria.net/releases/official/postfix-2.3.3.HISTORY [it-austria.net] and search for Security.

I really get sick of this sendmail bashing. There are problems with sendmail and they are trying to rewrite sendmail to solve them. There is no such thing as perfectly secure software. Even OpenBSD has had a remote security hole in 8 years :)

Re:Duh... It's so obvious... (4, Informative)

whoever57 (658626) | more than 7 years ago | (#16117465)

I really get sick of this sendmail bashing. There are problems with sendmail and they are trying to rewrite sendmail to solve them. There is no such thing as perfectly secure software.
Perfectly secure: no. But look at Secunia's reports:

Postfix 1.x:

Affected By 1 Secunia advisories

Unpatched 0% (0 of 1 Secunia advisories)

Postfix 2.x:

Affected By 0 Secunia advisories

in contrast, look at Sendmail 8:

Affected By 10 Secunia advisories

Unpatched 10% (1 of 10 Secunia advisories)

So, given that there are unpatched vulnerabilities in Sendmail, why should you wait for the team to finish re-writing the code? Now, it is possible that Sendmail has some advantages in very high volume situations (although there are some older benchmarks that show Postfix was faster), but why would you want to use an MTA that is more difficult to configure and has known vulnerabilities?

I believe the main reason that people use Sendmail is that, having gone to the trouble to learn how to configure it, they don't want to waste that effort (as well as it being the default MTA in many distributions).

Re:Duh... It's so obvious... (3, Informative)

strabo (58457) | more than 7 years ago | (#16117895)

Unpatched 10% (1 of 10 Secunia advisories)

Oooooh! Unpatched vulnerability!! Eek!

Sendmail fails to log all relevant data [secunia.com]

Critical: Not critical

Description:

Sendmail fails to log all details about connections if supplied with an IDENT of more than 95 characters.

It is possible to hide your identity from the sendmail log if you supply an IDENT that is more than 95 characters; information about your identity, however, will still be written in any email you may send. The problem is that someone may try to footprint your system, but when you check your log files, you will not be able to find the IP address and hostname of the attacker (or spammer).

Solution:

The easiest way to log these data is by enabling logging on the firewall and making sure that the time is synchronised on the firewall and mail server.

Re:Duh... It's so obvious... (1)

tubapro12 (896596) | more than 7 years ago | (#16118373)

Really? I've managed to come up with perfect security software that runs on Windows...
#include <windows.h>

/* Entry point of a GUI Windows program. */
int WINAPI WinMain(HINSTANCE hThisInstance, HINSTANCE hPrevInstance, LPSTR lpszArgument, int nFunsterStil)
{
    /* EWX_FORCE with no shutdown/reboot flag (EWX_LOGOFF is 0): forcibly log the current user off. */
    ExitWindowsEx(EWX_FORCE, 0);
    return 0;
}

Re:Duh... It's so obvious... (4, Insightful)

daeg (828071) | more than 7 years ago | (#16116995)

It doesn't take a security vulnerability to make sendmail vulnerable... all it takes is a rookie Linux administrator configuring it and setting it up incorrectly.

Many times I imagine that rookie administrators are trying to get sendmail just to work right so they enable something they shouldn't. It works... and they never bother to address their issue correctly, or even know that they addressed it incorrectly.

Re:Duh... It's so obvious... (0)

Anonymous Coward | more than 7 years ago | (#16116986)

The Microsoft Windows logo is a dead giveaway. It screams "Bite Me!"
Yep, it's another way of saying "Stupid user lives here. Will probably not even notice..." Furthermore, the Apple logo hints about a user that is, if possible, even dumber, but also indicates that the people behind the operating system time were not.

Funny (1)

Enderandrew (866215) | more than 7 years ago | (#16116837)

I thought they build bot-nets and largely hit as many people as the can.

This article suggests that hackers are primarily spammers, when there are many tactics; the largest involves malicious code on a webpage or bot-nets distributing worms via instant messengers.

Re:Funny (1)

ZeroExistenZ (721849) | more than 7 years ago | (#16117973)

I thought they build bot-nets and largely hit as many people as the can

You mean one can of spam?

I thought they were like blond giants, breathing fire, shattering backdoors, giants taller than trees, with pointed ears like RPG elves and eyes like fire and hands with plastic claws and hooks; seen as savages, as barbarians, as beasts blood-thirsty and mad with viagra and penis enlargement pills, with braided hair, clad in furs and leather, with bare chests, with great souvenir axes which, at a single stroke, can fell a tree or cut a man in two if you cast a magical spell. And it was said they appear as though from nowhere, penetrate your box to pillage, and to burn and rape, DoS, and then, among the flaming fields of botnets, as quickly, vanish to their swift ships, carrying their booty with them, whether it be bars of silver, or goblets of gold, or silken sheets, knotted and bulging with plate, and coins and gems, or merely women in digital form, bound, their clothing torn away, or any fetish porn they find pleasing.

hacker /= spammer (5, Insightful)

enlefo (738946) | more than 7 years ago | (#16116849)

The title of the story says how hackers identify their targets, but the story is about spammers. They are different.

Re:hacker /= spammer (1)

StringBlade (557322) | more than 7 years ago | (#16116996)

But 'hacker' is the cool new way to say 'cracker' when talking about black-ops virus writers and spammers and other ill-behaving developers. Try as you might to change it back it's become engrained in our modern language, only the hackers will remember that hackers are the ones who come to the rescue, not the script kiddies who call themselves 'leet'.

Re:hacker /= spammer (3, Funny)

Hamilton Lovecraft (993413) | more than 7 years ago | (#16117229)

Editor and author both meant "Nazi Islamofascists".

Rating: 'Score -1, Funny' (1)

jelle (14827) | more than 7 years ago | (#16117479)

"(Score:-1, Funny)"

Do we have a new rating for bad humour?

Re:Rating: 'Score -1, Funny' (0)

Anonymous Coward | more than 7 years ago | (#16118931)

Yeah, cause you shouldn't joke about nazi islamo-facism. Unless you think about it for a second, anyways.

Re:hacker /= spammer (1)

gnaa323 (1001568) | more than 7 years ago | (#16117317)

good observation. hacking is not the same thing as spamming or sporging or flooding or mail box bombing....

Re:hacker /= spammer (1)

gkhan1 (886823) | more than 7 years ago | (#16118233)

While you are correct, many spammers use botnets, which means they have infiltrated a large number of computers and installed malicious software on them. This arguably makes them hackers (some of them at least; some can be characterized more as script kiddies). So it's not a huge error.

Also, one might argue that what spammers do is penetrate spam filters, just as other hackers penetrate computer security. It's a shaky argument, but it's not completely invalid. It all depends on how you define a hacker.

More spammers/cracker/phisher/virus cooperation (1)

billstewart (78916) | more than 7 years ago | (#16118278)

It used to be that most spammers were crackers in the sense of "dumb rednecks in their single-wides", as opposed to "politically correct term for a malicious hacker or script kiddie". They might buy a spamware product written by a hacker, but they usually weren't doing any actual cracking because it was too easy to abuse open relays or buy service from cheap dialup providers using optionally-stolen credit cards.


These days it's a lot different - crackers are using malware to turn PCs into zombies, and renting them to spammers or phishers, as well as using them for DDOS. The junk-selling spammers using open relays may be using products written by hackers, but the spamware is being a bit more clever about it. The small-time spammers aren't mostly hackers themselves, just customers; the big operations on Spamhaus's ROKSO Top Spammers list are hiring talent, as are the mafia phishers.

Re:hacker /= spammer (1)

benplaut (993145) | more than 7 years ago | (#16118301)

To the mainstream media,
hacker = someone doing bad things on the internet.

Re:hacker /= spammer (1)

PandAk EndUt 770 (1002445) | more than 7 years ago | (#16123105)

To the mainstream media,
hacker = someone doing bad things on the internet.


Well, as far as I'm concerned:
cracker = someone doing bad things on the internet/machines, while
hacker = someone doing bad things on the internet/machines/programs to discover any vulnerabilities in that stuff, and teaming up with the particular person in charge to tackle all the flaws and lacks.

Re:hacker /= spammer (0)

Anonymous Coward | more than 7 years ago | (#16118887)

It is a Zonk-topic. Get over it. ;-)

Re:hacker /= spammer (1)

tt074321 (1005781) | more than 7 years ago | (#16215533)

hacker /= not really bad cracker = spammer = bad

My favorite tool... (3, Funny)

$RANDOMLUSER (804576) | more than 7 years ago | (#16116855)

...for getting into the minds of spammers is a couple rounds of semi-jacketed .357 hollow-points.

Re:My favorite tool... (5, Funny)

Tackhead (54550) | more than 7 years ago | (#16116922)

> ...for getting into the minds of spammers is a couple rounds of semi-jacketed .357 hollow-points.

*BLAM!*

You have received this delivery of copper and lead because you or a friend subscribed you to the "Bullet of the Week" list.

To opt out of "Bullet of the Week", please have each spammer in your MLM's downline submit the following form in triplicate, including at least one of their own fingerprints, as well as one of your fingerprints, dipped in the bloody goo from your still-steaming remains.

Your security and privacy are important to us, so please allow 6-8 weeks for us to conduct the proper forensic analysis to verify the identity of your downline member before we can remove you from our "Bullet of the Week" list.

NOTE TO DOWNLINE MEMBERS: Pay no attention to the fact that the middle of the three forms includes the verbiage "By placing my bloody fingerprint on this form, I hereby opt in to the Bullet of the Week mailing list".

Re:My favorite tool... (1)

Chr0nik (928538) | more than 7 years ago | (#16117843)

Brilliant. This post was simply ART.

Killing spammers has been done (1)

billstewart (78916) | more than 7 years ago | (#16118294)

A few years ago, a couple of Russian-immigrant spammers in New Jersey were found murdered. General opinion was that they were running a pump&dump stock scam, and some of their "customers" got upset about losing money. There've been a few others since then.

DVR Spammers On The Rise (1)

Debonair23 (981881) | more than 7 years ago | (#16116858)

Don't forget the rising trend of using DVR players as a way to spread spam, as mentioned in an earlier Slashdot article.

Hackers != Spammers (5, Insightful)

NaNO2x (856759) | more than 7 years ago | (#16116872)

This is the type of negative image that hackers need to stop. I had a long conversation with someone on the differences between hackers and crackers and I can understand the confusion, but spammers and hackers? This is taking it a bit too far.

Re:Hackers != Spammers (1)

Abreu (173023) | more than 7 years ago | (#16116894)

Hear, Hear!

This is Slashdot, for cryin out loud! I would understand this type of glaring error in a Newsweek article, but in "News for Nerds"?

Re:Hackers != Spammers (0, Flamebait)

Threni (635302) | more than 7 years ago | (#16117024)

> This is Slashdot, for cryin out loud! I would understand this type of glaring error
> in a Newsweek article, but in "News for Nerds"?

It hasn't been `news for nerds` for a long time. There should be some sort of technical test before you're allowed to post here. I don't really care what - anything from software engineering to astronomy - but something that'll keep the peasants out.

Re:Hackers != Spammers (2, Funny)

maelstrom (638) | more than 7 years ago | (#16117400)

STFU and go home. If Slashdot is only left with arrogant pricks who call everyone "peasants", I really don't want to be here anymore. I could just as easily make the same argument about you: Slashdot was even better before the six digit noobs got here. Let's cut off all the peasants who have > 4 digits in their UID.

Re:Hackers != Spammers (1)

towsonu2003 (928663) | more than 7 years ago | (#16117614)

The more you know, the less you understand.

Re:Hackers != Spammers (0, Flamebait)

Threni (635302) | more than 7 years ago | (#16117830)

> If Slashdot is only left with arrogant pricks that calls everyone "peasants", I really don't want to be here anymore.

Don't let the door hit your ass on the way out, peasant.

Re:Hackers != Spammers (1)

karnal (22275) | more than 7 years ago | (#16117852)

*whew* Just made it....

Re:Hackers != Spammers (1)

StringBlade (557322) | more than 7 years ago | (#16118341)

Let's cut off all the peasants who have > 4 digits in their UI.
*whew* Just made it....
Hmmm...methinks you should start over with remedial math.

Re:Hackers != Spammers (1)

karnal (22275) | more than 7 years ago | (#16118792)

Slashdot was even better before the six digit noobs got here.

That's the line I was referring to, in case you really were wondering.

Re:Hackers != Spammers (1)

MrEd (60684) | more than 7 years ago | (#16118977)

Holla!

Re:Hackers != Spammers (0)

Anonymous Coward | more than 7 years ago | (#16117015)

Maybe it would be clearer if we used the terms "hackers and honkeys" instead?

Re:Hackers != Spammers??? (1)

MollyB (162595) | more than 7 years ago | (#16117151)

A bit too far?-- It is only another example of NewSpeak, which is now a juggernaut jeopardizing everything from Advertising (Belly Fat is Not Your Fault) to Politics (We fight them there so we don't have to fight them here); the list of misleading euphemisms grows as our collective mental quotient declines...

Conflating spammers and hackers because they both use computers is like saying that crooks and cops are dangerous people because they carry guns. Bad example. You get the idea.

Oh, give it up, already! (2, Interesting)

NineNine (235196) | more than 7 years ago | (#16117325)

Dude, give it up! "Hackers" now means someone doing something malicious to computers. You can say it means whatever you'd like, but that's not what the word means in common usage. That's how language works. I can tell people that I drove my banana to work today, but "banana" doesn't mean "car" just because I say so, any more than "hacker" means benign computer geek because you and a handful of "hackers" says so. I suggest you move on with your life, and pick a new word for the good guys.

Re:Oh, give it up, already! (0)

Anonymous Coward | more than 7 years ago | (#16117459)

>I suggest you move on with your life, and pick a new word for the good guys.
NO
Quit abusing the word.

Re:Oh, give it up, already! (1)

quintessentialk (926161) | more than 7 years ago | (#16117470)

Yeah! Thank you NineNine. Wishing a thing were so doesn't make it so, especially when it comes to something as dynamic and decentralized as the English language.

Re:Oh, give it up, already! (3, Insightful)

kinglink (195330) | more than 7 years ago | (#16117531)

Except hackers were originally, and always have been, good; it's the media who has told us over and over that hackers are bad.

Read "Hackers" the book, written in 1984, long before any of those media morons that you believe now had even thought of the word.

Hacker is a term of skill, cracker is a term for a person who breaks into systems. And as you say just because the media tells me a banana is a car doesn't make it so.

Re:Oh, give it up, already! (1)

Lord Ender (156273) | more than 7 years ago | (#16118343)

If "hacker" is a term for skill, then it holds no moral value. A "good" hacker is just as much a hacker as a "bad" hacker.

And good hackers are hardly ever newsworthy...

Re:Oh, give it up, already! (1)

sudog (101964) | more than 7 years ago | (#16120686)

Hacker is NOT a term merely for skill. Therefore your premise is wrong.

Re:Oh, give it up, already! (1)

kinglink (195330) | more than 7 years ago | (#16132459)

http://en.wikipedia.org/wiki/Hacker [wikipedia.org] is a good resource. Basically yes, a hacker could be either evil or good in theory. However, using a rootkit or some publicly known door to break into software isn't hacking. The hacking is the discovery of the exploits. The Cult of the Dead Cow are hackers. The people who use their software aren't. Most hackers tend to be after knowledge or knowing what they can and can't do; they aren't out to hurt people most of the time.

The list there is pretty good, the people on it are hackers.

Spammers aren't hackers either way. Virii writers could be (depending on who or what they are or why and how they are doing it.)

I don't have a noble image I just don't like the term hacker to be the same as "bad guy on the computer" because some of them (spammers) really have nothing to do with the term.

Re:Oh, give it up, already! (1)

NineNine (235196) | more than 7 years ago | (#16121076)

That's right. The meaning of the word has changed. Again, get over it.

Re:Oh, give it up, already! (1)

forgetmenot (467513) | more than 7 years ago | (#16117636)

Hear hear!

I'm a hacker in the geek sense, but I also refer to the illicit type as hackers too. Like you say, words are defined by how they're used by the majority AND they can have more than one meaning.

In fact, the ONLY time I ever hear the term cracker being used in the "illicit computer activity" sense is here on Slashdot when some old school pedantist gets his panties in a knot. In any other context it's just a bread-like product eaten with soup.

Re:Hackers != Spammers (2, Insightful)

misleb (129952) | more than 7 years ago | (#16117463)

When spammers have to jump through hoops and be very clever about not being tracked, aren't they hackers? Sure, there are probably many spammers who simply employ pre-made tools to spam. We can equate them with "script kiddies." But there are certainly spammers who go out of their way to find new and novel ways to get their spam through.

-matthew

Re:Hackers != Spammers (1)

bunions (970377) | more than 7 years ago | (#16118013)

In related news, I'm also upset that 'gay' means 'homosexual' and that 'wicked' means 'awesome'

Goddammit, where's our National Ministry of Language Purity?!? Slashdot demands it!

Misattributed motivation (1)

loimprevisto (910035) | more than 7 years ago | (#16116875)

From TFA:
They know that people use fake mail systems to track them, so they have implemented subtle checks into their scanning tools to catch fake mail servers. They do this by using less common commands from the RFC and using commands in improper order to test how the system responds. Until I implemented a fully RFC-compliant mail honeypoint, they were able to quickly identify the server as bad. They would then terminate their activity. However, once I deployed a honeypoint that allowed RFC compliance, they quickly tried to adopt it for their use.

If the reason spammers go through this procedure is because they're so afraid of being tracked, how does this do them any good? If they find an RFC-compliant honeypot server, it's still a honeypot server and they're still being tracked...

Re:Misattributed motivation (1)

theelectron (973857) | more than 7 years ago | (#16116941)

Shhh! Or they will catch on!

Seriously though, I think the idea is that spammers think honeypots are more likely to run non-RFC compliant servers and that RFC compliant servers are more likely to be trusted by recipient servers. That'd be my guess at least.

If I had to guess... (1)

khasim (1285) | more than 7 years ago | (#16117040)

I'd say that they were looking for 3 things:

#1. Testing that it isn't someone's zombie.

#2. Making sure that it's compliant enough to get through other people's anti-spam tests.

#3. Testing the response (like nmap's ability to identify the OS) to identify the actual server instead of relying upon what it claims it is.

If they were worried about avoiding honeypots, they wouldn't be continually scanning ranges containing addresses that they had previously rejected because they were honeypots.

And for me, the majority of the spam comes from zombies. Open relays are easily tested and rejected at smtp time. There's no reason to accept email from an open relay unless you're running amazon.com or ebay.com or some such.

Perhaps it's time to begin executions (0)

Anonymous Coward | more than 7 years ago | (#16116928)

it wouldn't take more than a few dead spammers to teach 'em all a lesson.

1) identify
2) [...] (bang!)
3) peace!

Hacky Definitions (2, Insightful)

Doc Ruby (173196) | more than 7 years ago | (#16116949)

I'm a hacker. I choose my target by seeing some new device or system that does something at least kinda cool. Then I say "I bet I can make it do something else cool." Then I do it.

They're talking about "crackers", "phishers", scammers and criminals. They're not trying to make a system do anything cool, except when it damages or robs a person. Just making a system do something unexpectedly cool is irrelevant unless it takes something from a person, not the system.

Re:Hacky Definitions (2, Funny)

Anonymous Coward | more than 7 years ago | (#16117039)

I'm a hacker. I choose my target by seeing some new device or system that does something at least kinda cool. Then I say "I bet I can make it do something else cool." Then I do it.

That, of course, before the Star Trek rerun and while celebrating the third anniversary of the day a woman let you touch her...

Re:Hacky Definitions (-1, Flamebait)

Doc Ruby (173196) | more than 7 years ago | (#16117122)

I fucked your sister even though she's not a green space chick.

Ouch; I am disappointed (0)

Anonymous Coward | more than 7 years ago | (#16117694)

With that comment, I would guess that your IQ has dropped 50 points. Have you gone and joined the GOP?

Re:Ouch; I am disappointed (0, Offtopic)

Doc Ruby (173196) | more than 7 years ago | (#16117758)

Republicans fuck the green space chick only when she's underage, really a boy, or charging less than $45 credits per centistardate. If she's not green, she's gotta be their sister. I'm not dumb enough for any of that, but not too smart to talk shit on Slashdot.

Re:Hacky Definitions (1)

Aeamarth (943939) | more than 7 years ago | (#16117372)

What?? Enlarging your penis is not cool enough for you???

He is wrong. (0)

Anonymous Coward | more than 7 years ago | (#16116985)

Huston says that among the four common ways that spam is spread, the most common method that spammers use is via open relays.

But he says that only because his company released software related to it.
The remainder of the world knows better. The vast majority of SPAM does not arrive via open relays, but via compromised Windows machines. His second method.

Re:He is wrong. (1)

icebike (68054) | more than 7 years ago | (#16117283)

The vast majority of SPAM does not arrive via open relays, but via compromised Windows machines.

Er, ah, what's the difference again?

Re:He is wrong. (2, Insightful)

vertinox (846076) | more than 7 years ago | (#16117513)

Er, ah, what's the difference again?

One is where the person installs a mail server and doesn't know how to configure it.
The other is where someone runs an operating system and doesn't know how to use it.

Of course the latter might be more because it was made by developers who didn't know how to write it.

Zonk, your stories have high suck ratio. (2, Insightful)

Anonymous Coward | more than 7 years ago | (#16117009)

Zonk dude/chick, not sure. About 2 out of every 3 of your stories are misinformed, not important, or just FUD. I admire the 1 of 3 stories you post, but damn, lay off the POST button till you get your stuff straight. Spammer = hacker... sometimes yes, but in this community hacker > spammer. That's like calling PeeWee Herman a stud for what he did back in the day.

Thanks but no thanks for this one.

ORDB.org (1)

Itninja (937614) | more than 7 years ago | (#16117017)

the most common method that spammers use is via open relays.
That's certainly true. Personally, I think corporations that continue to run open relay mail servers should be fined. Especially since you can just go to ordb.org and see if you indeed are running an O.R.

Possible Solution (1)

daeg (828071) | more than 7 years ago | (#16117035)

One possible solution to at least domestic-originated spam from open relays is to create a small government-contracted group of server administrators. Their sole job would be to identify open relays and provide short-term aid to organizations with such open relays. Many of the smaller, vulnerable servers likely do not have a full time administrator, or even a part time one, for that matter.

Re:Possible Solution (1)

The Blow Leprechaun (1003106) | more than 7 years ago | (#16117092)

Another thing to do is, when you receive spam mail, to run the domain name through a whois lookup and possibly get the name of an administrator for the server, and contact them about it to make sure they're aware of potential problems with their system. It won't always work, but it might sometimes. http://www.dnsstuff.com/ [dnsstuff.com] for those of you who don't have whois as a basic utility.

Re:Possible Solution (2, Informative)

mernisse (224328) | more than 7 years ago | (#16117760)

While this sounds like a "good idea", it's probably not.

#1 - a lot of the time the IP address listed in the whois info is for the networking technical contact; in teeny weenie organizations this might be the same as the sysadmin, but often it's not. And in the end you'll end up wasting a bunch of people's time trying to figure out what the hell you're talking about and who to route your message to.

#2 - most organizations small enough to be an exception to #1 probably don't have sysadmins and will be doubly confused.

If you really want to report spam (which... well don't get me started) then I'd suggest using the abuse contact of the originating domain. They're much more likely to know what the hell you're talking about and much more likely to get it fixed.

--mernisse
(abuse@ for a major nationwide ISP)

Re:Possible Solution (1)

oldosadmin (759103) | more than 7 years ago | (#16119805)

As someone who works for an Emarketing company (one of the good guys, no spam), I gotta second that -- sending your spam to abuse@ the domain that sent it can be extremely effective. Someone sent out some UCE from an account recently, and we got an abuse@ email about it, investigated it, and disabled the account.

abuse@ works, and is excellent.

The Article is WRONG (3, Informative)

E++99 (880734) | more than 7 years ago | (#16117037)

While I don't doubt the writer's observation that "continuous scans for open mail systems are ongoing in most IP blocks," his claim that this is the method that generates the bulk of spam is wrong. As someone who gets about 200 spams a day over three domains, and successfully blocks over 99% of it without using any techniques that can create false positives, I can tell you that well over 90% of spam comes from "servers" on IP addresses allocated for dial-up, dsl, cable or the like. In other words, either spammers running their own server software on an ISP account, or, more likely, botnets.

Something Else (1)

temojen (678985) | more than 7 years ago | (#16119070)

Unless things have changed in the few months since I stopped admining a mail server, most DO NOT do any verification that the email was actually sent. At one point last year our server was experiencing serious slowdowns because some spammer was trying to send thousands of phishing emails, all of which were rejected with the standard "550 We do not relay". We just ended up adding their botnet's IPs to our firewall reject list.

Re:The Article is WRONG (1)

sudog (101964) | more than 7 years ago | (#16120696)

Oh yea? Well I get 0 spams a day, no false positive, no filtering, and the effort I expend doing it is less than typing in one line of 10-20 characters of text every two weeks. :P

So there.. and stuff.

Re:The Article is WRONG (0)

Anonymous Coward | more than 7 years ago | (#16122621)

Ditto that. Security expert my ass. He should ask people at the front line and look at some mail logs. Ours are full of attempts from home broadband accounts and filtered out using the dialup/broadband blacklists.

This is news? (0)

Anonymous Coward | more than 7 years ago | (#16117053)

Tell me the name of a single MTA admin who couldn't have told him all of this and more. Really, there are 16 year olds in the security field with more expertise than this guy. Would you buy computer security services from someone this clueless?

Hacker = Spammer? (1)

sdaemon (25357) | more than 7 years ago | (#16117103)

Gah.

Re:Hacker = Spammer? (1)

it072091 (1003798) | more than 7 years ago | (#16138499)

A hacker is a 'good person' who tries to test whether the system is secure enough against an intruder who would do something bad to the system. As for spammers, they are responsible for sending unwanted messages to everyone.

Re:Hacker = Spammer? (1)

IT071961_nurashikin (1003615) | more than 7 years ago | (#16147162)

i agree with that opinion. but the bad hacker we call a cracker...

How everyone identifies their targets... (0)

Anonymous Coward | more than 7 years ago | (#16117141)

asl?

They do? (1)

remembertomorrow (959064) | more than 7 years ago | (#16117205)

I was under the impression that infected Windows machines just randomly scanned blocks of IPs looking for more services/machines to exploit.

Well, that's what my <insert service here> logs tell me anyways.

WTF? (0)

Anonymous Coward | more than 7 years ago | (#16117213)

WTF is this 'hackers' business about? Seriously, what kind of an asshole is this Zonk guy to equate spammers and hackers? He makes himself sound like a damn n00b. Dumbass.

Test your own mail server (2, Informative)

perp (114928) | more than 7 years ago | (#16118032)

abuse.net [abuse.net] will test your mail server for you. It tries many ways of relaying and displays a report that you can print out and show your boss how secure your server is :-)

Fancy posting a link? (1)

iamacat (583406) | more than 7 years ago | (#16118125)

ooo

My experience is slightly different (2, Interesting)

The Famous Brett Wat (12688) | more than 7 years ago | (#16118544)

I'm doing anti-spam research, and although this sort of thing isn't my direct interest, I have dabbled enough to have implemented my own SMTP honeypot from scratch. My experience in doing so, and in tracking spam generally, is rather different from this article.

In the first instance, I'm surprised that botnets aren't listed as the #1 distribution vector for spam. Any computer criminal worth his salt uses a botnet these days. The really hard-core phishers not only distribute their spam that way, but reverse-proxy their websites through the botnet.

Open relays, on the other hand, seem to be relatively small beans in terms of actual spam distribution. Sure, I got a lot of hostile traffic on my SMTP honeypot, but it was a lot of sound and fury signifying nothing. Nearly all the relay-exploiting activity originated in Korea and sent non-English (presumably Korean) spam.

As for their testing of RFC-compliance -- what a joke! Most of the relay-testers I encountered couldn't even get SMTP syntax right: I had to adjust my parser to allow extra whitespace and other brain damage. What they test for is delivery. As far as I can tell, they don't give a damn about anything else but whether the mail passes through your system and into their test account (typically a free webmail account, like Yahoo!). I found that when I manually forwarded a test message out of my honeypot to the test address, I would get a flurry of mail representing an actual spam run (not just a relay test message). It gives one a certain smug satisfaction to know that you've just null-routed an entire spam run -- the first couple of times, at least. After that you realise that it's about as significant as taking a piss in the Pacific, and stop wasting your time.

The article says of the web-form distribution vector that "the spammer community maintains a database or list of vulnerable forms". I think their database is called "Google", or something like that. I get constant attempts at compromise on my phpBB forum, and I think that works the same way. Why maintain a database when you can just plug an identifying phrase into a search engine?

I should mention that the spam experience can vary distinctly from person to person, so my different experience doesn't necessarily indicate sloppy research on the part of this reporter. The article gives me the impression that this is his first foray into spam research, however.

Re:My experience is slightly different (1)

thogard (43403) | more than 7 years ago | (#16119869)

I've noticed a second tier of testing that spammers use. They will often use their test account several times in the first 100 or so messages.

When spammers sell their services to the suckers that pay them, they will often do a free run of 10,000 to 100,000, and those end up with a very high hit rate on the sucker's server, so it looks like they will get far more when they pay up for the 800 million messages.

It's almost election time. Have you asked your running Attorney General why they haven't busted anyone for selling drugs to school kids over the net?

Much ado about almost nothing (1)

udippel (562132) | more than 7 years ago | (#16118657)

The whole article doesn't sound all too sound IMHO.

Except - maybe - the level that spammers take to test the MTA for RFC compliance. But then, after all, is that worth an article and a mention on /. ?

Here we still get plenty of spam from webmail and stuff. Here I couldn't confirm the 90% 'all open relay' thingy. As long as 'open relay' indicates a proper box, meant and set up as SMTPd and relaying. Personally, I don't call an owned clickety-click box an open relay. Call Redmond.

How Hackers Identify Their Target? (1)

IT074859 (1002970) | more than 7 years ago | (#16123996)

A hacker's attack on any digital system goes through various stages. The list below outlines a generic hacker attack:
1) Inventory of the targets. Hackers identify the possible attack targets inside a network system.
2) Assess the vulnerability. Once they identify the targets, hackers will attempt to determine if the company has any vulnerability.
3) Estimate exploits against the vulnerability. Finding a vulnerability does not mean a hacker can execute an attack. The person must create an exploit that can take advantage of the vulnerability.
4) Establish who can attack the target. The hacker determines the company players that can either use another person or be used themselves to execute the attack.
Execute attack. A hacker breaks into the system.
5) Cover electronic tracks. Some criminals erase all traces of their presence in order to delay forensics or make forensics more complex.

Hacker!=Spammer (1)

IT074859 (1002970) | more than 7 years ago | (#16124054)

Whoah!!!.. this is a way huge gap!... A hacker does not congregate a spammer and a spammer does not congregate a hacker.. Spammers use the vulnerability of an MTA which does not recognize the sender, even a fake ONE. The MTA only authenticates the recipients... So, which one poses more threat to a DIGITAL SYSTEM?.. HACKER OR SPAMMER???....

thinking like a hacker (1)

IT071961_nurashikin (1003615) | more than 7 years ago | (#16136210)

My personal opinion, based on research that I have done... Thinking like a successful hacker is not much different from thinking like a good developer. The most successful hackers follow a specific methodology that they have developed over time. They apply patience and carefully document every step of their work, much like developers. The hacker's objective is to compromise the intended target or application. The hacker begins with little or no information about the target; however, by the end of the analysis, the attacker will have constructed a detailed roadmap that will allow them to compromise the target. This can only be achieved through careful analysis and a methodical approach to investigating the soon-to-be-victim. The hacker's systematic method generally: perform a footprint analysis, enumerate information, obtain access through user manipulation, escalate privileges, gather additional passwords and secrets, install backdoors, and also leverage the compromised system.

spammer (1)

pk075843 (1003786) | more than 7 years ago | (#16137549)

1. Find temporary authorized and valid accounts with ISPs
2. Send spam through compromise hosts
3. Broaden using web forms
4. Spread through open relays

how hacker identify their target (1)

intanit072062 (1003346) | more than 7 years ago | (#16147068)

I don't really get it. Why does the article talk about spam when the title is about hackers? Aren't hackers and spammers two different things? Or am I the one who has it wrong.

Crackers are now target home users for cash (1)

pk075841 (1004284) | more than 7 years ago | (#16199705)

According to the latest edition of Symantec's Internet Security Threat Report, malicious hackers are increasingly using bot-networks, modular malicious code and targeted attacks on web applications and web browsers. On average, Symantec monitored 1,402 DoS attacks per day in 2005, a 51 per cent increase over that recorded in the first half of 2005.

Crackers now target home users for cash. Consumers at home are now the main target of malicious hackers intent on enriching themselves. Vulnerabilities happen in desktop applications. Crackers are using a variety of methods excusing detection and remaining on infected systems for longer. The most popular attack targets are client-side applications such as web browsers and email clients. For example, when the cracker spreads spam, the most common method that spammers use is via open relays. The hackers scan the server and then send a message to a non-reusable target address. Then, after all this is complete, they can easily spread the spam broadly.

Crackers are now target home users for cash (1)

pk075841 (1004284) | more than 7 years ago | (#16200781)

According to the latest edition of Symantec's Internet Security Threat Report, malicious hackers are increasingly using bot-networks, modular malicious code and targeted attacks on web applications and web browsers. These bot-networks can be used not only to spread malicious code, but to send spam or phishing messages, download adware and spyware, launch denial of service attacks, or harvest confidential user information. On average, Symantec monitored 1,402 DoS attacks per day in 2005, a 51 per cent increase over that recorded in the first half of 2005. Crackers now target home users for cash. Consumers at home are now the main target of malicious hackers intent on inspiring themselves. Vulnerabilities happen in desktop applications. Crackers are using a range of methods excusing detection and remaining on infected systems for a longer period. The most popular attack targets are client-side applications such as web browsers and email clients. For example, when the cracker spreads spam, the most common method that spammers use is via open relays. The hackers scan the server and then send a message to a non-reusable target address. Then, after all this is complete, they can easily spread the spam broadly. For those users who did not update their PC randomly using anti-virus or anti adware and spyware, the risks to be detected are increased.

Crackers target home users (1)

pk075841 (1004284) | more than 7 years ago | (#16201851)

According to the latest edition of Symantec's Internet Security Threat Report, malicious hackers are increasingly using bot-networks, modular malicious code and targeted attacks on web applications and web browsers. These bot-networks can be used not only to spread malicious code, but to send spam or phishing messages, download adware and spyware, launch denial of service attacks, or harvest confidential user information. On average, Symantec monitored 1,402 DoS attacks per day in 2005, a 51 per cent increase over that recorded in the first half of 2005. Crackers now target home users for cash. Consumers at home are now the main target of malicious hackers intent on inspiring themselves. Vulnerabilities happen in desktop applications. Crackers are using a range of methods excusing detection and remaining on infected systems for a longer period. The most popular attack targets are client-side applications such as web browsers and email clients. For example, when the cracker spreads spam, the most common method that spammers use is via open relays. The hackers scan the server and then send a message to a non-reusable target address. Then, after all this is complete, they can easily spread the spam broadly. For those users who did not update their PC randomly using anti-virus or anti adware and spyware, the risks to be detected are increased.

Here are some URLs for preventing crack attempts:

http://www.gabrielvilla.com/blog/ [gabrielvilla.com]
http://mobileoffice.about.com/od/mobilesecurity/a/hackproof.htm [about.com]
http://3d2f.com/programs/15-673-anti-hack-download.shtml [3d2f.com]
