Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Deconstructing a Pump-and-Dump Spam Botnet

Zonk posted more than 7 years ago | from the gaah-scary-graphics dept.

Botnet 382

Behind the Front writes "eWeek has teamed up with Joe Stewart, a senior security researcher at SecureWorks in Atlanta, to show the inner working of a massive botnet that is responsible for the recent surge of 'pump and dump' spam. It's a detailed picture of how these sleazy operations work and why they're so hard to shut down. Sobering numbers: 70,000 infected machines capable of pumping out a billion messages a day, virtually all of them for penis enlargement and stock scams. Excellent graphics, too, including one chart that shows that Windows XP Service Pack 2 is hosting nearly half the attacked machines."

Sorry! There are no comments related to the filter you selected.

Filter (4, Insightful)

insecuritiez (606865) | more than 7 years ago | (#16884074)

If more ISPs did egress filtering of email this sort of thing would be harder to do.

Re:Filter (2, Insightful)

DeGem (904883) | more than 7 years ago | (#16884136)

Your assuming that the spam is comming off a mail server the ISP is controling.

Re:Filter (1)

insecuritiez (606865) | more than 7 years ago | (#16884194)

No, I'm assuming outgoing port 25, 587, and 465 are blocked and the email MUST come off the ISP's mail server.

Re:Filter (2, Insightful)

giorgiofr (887762) | more than 7 years ago | (#16884294)

Wrong solution. If a mail server admin does not want to receive spam from residential IPs, he has the means to block before it even reaches the server. Lists of such IPs abound.

Re:Filter (0)

Anonymous Coward | more than 7 years ago | (#16884792)

How exactly does my MUA talk to my ISPs mail server if 25, 587 and 465 are blocked? What if my mail server isn't provided by the my ISP? What if I want to run my own mail server; there are plenty of legitimate reasons to do so.

Re:Filter (0)

Anonymous Coward | more than 7 years ago | (#16884214)

It is coming from the "open proxy" IPs owned by ISP, they just need to take IP down, when user calls, instruct them to get rid of the worm.

Nobody can do it or does it.

There is also kind of bribing involved I am near sure. The recent explosion of Poland, Spain at is not co-incidence.

Re:Filter (2, Insightful)

ILikeRed (141848) | more than 7 years ago | (#16884422)

No, just block port 25 to all servers other than the ISPs for dynamic IP addresses. If they do not want to use their ISPs mail server, they can purchase a static IP, or set up a proxy with a different port. If you are not capable of doing either of those things, then you should not have the privilege.

Re:Filter (4, Insightful)

RichMan (8097) | more than 7 years ago | (#16884730)

> No, just block port 25 to all servers other than the ISPs for dynamic IP addresses.

I thought I paid for IP access. Deliberate port blocking by my ISP is blocking services I pay for.

IP access means IP access, it does mean port 80 web surfing only. Any steps toward that are plain wrong.

I agree it is a wild world out there but it is a problem of weak clients. The service provider should be blind unless a client is affecting network performance beyond their paid for slice. Then the client should be totally blocked.

Re:Filter (3, Insightful)

Hognoxious (631665) | more than 7 years ago | (#16884884)

If you are not capable of doing either of those things, then you should not have the privilege.
What if I don't want to go jump through hoops, or pay double for the privelege? What if I want to acess my work mail server from home? Or a clients? Or I just want to access the email that I've been using for years via pop/smtp?

Are you one of those imbeciles at Belgacom or something? Because they implemented the same cretinous strategy (without any advance warning, I may add) as you're suggesting.

Re:Filter (1)

johnw (3725) | more than 7 years ago | (#16885256)

The problem with this approach seems to be one that could be addressed by separating the two different ways in which SMTP is used.

1) It's used by MUAs to pass mail to some sort of parent system for delivery.

2) It's used by MTAs to pass mail around between themselves - typically passing from the originator's MTA to the recipient's MTA.

If the first function was switched to a different port number (i.e. not 25) and made authenticated, then port 25 could be blocked by default for dial-up-style users without inconveniencing anyone. They would still be able to use any MTA with which they had an arrangement (subscription, work server, etc.) to take their mail for delivery but bots wouldn't be able to spew vast amounts of mail out by direct SMTP connection.

The distinction is a bit like that between a DNS query sent from a client to a resolving host, and the recursive DNS query sent from the resolving host to its peers in the DNS pool.

Please think about this before responding with vitriol.


you are missing the point (2, Insightful)

weierstrass (669421) | more than 7 years ago | (#16884138)

then they would use the massive botnets of 0wned machines for something else, that probably also wouldn't be conducive to the health and general well-being of the internet...

Re:Filter (5, Insightful)

jfengel (409917) | more than 7 years ago | (#16884174)

I hear that. It just doesn't seem unreasonable to me to cut off a customer who is sending tens of thousands of email per day. Put the very few with a legitimate reason on a white list (after a phone call) and cut the rest off until they clean up their act.

As Heinlein said, the answer to any question beginning with "Why don't they..." is "money". Presumably the ISPs figure you'll just take your business and your bot-infested computer elsewhere. But maybe if a few major ISPs got together and agreed to all do it, they'd cut off enough spam to make their customer bases happier, and attract back those customers who gave up in frustration.

Re:Filter (1)

Markspark (969445) | more than 7 years ago | (#16884576)

the university where i study supply a netconnection in all of the dorms and student housings.. should you for any reason send spam mails (loads) , use forbidden p2p apps, or get infected with a worm , they will kill your netconnection, until you have fixed the issue. This is the way all isps should work.

Re:Filter (1, Troll)

Hijacked Public (999535) | more than 7 years ago | (#16884584)

Why does it seem reasonable to you? Why shouldn't I be able to do what I want with the bandwidth I purchased?

While I think ISPs should be able to do anything they want with the connections they sell, as long as they are up front about the terms, I will gravitate toward the ones who meddle less.

Re:Filter (2, Interesting)

MobyDisk (75490) | more than 7 years ago | (#16884750)

You should, and you can. Just remember that this is all about false positivies and false negatives. Let's say I ran an ISP and I cut-off everyone who sent 10,000 messages or more a day. How many legitimate users would that cut-off? 1%? .01%? .001%? If someone has a legitimate need to send 10k emails then they can give their ISP a call, declare that they have legit reason, and get their service re-enabled. I hate such systems, but if it eliminated 70,000 pwned computers and forced 70 legitimate users to make a phone call, that is a fair trade-off.

Re:Filter (2, Interesting)

aaronl (43811) | more than 7 years ago | (#16884940)

That won't work, for one of two reasons that I can think of off the top of my head. Either you'll get malware that will only spam 9000 messages per day, or you'll get customers that are cut off regularly, get pissed, and change ISPs. If you're unlucky, you'll also get some lawsuits about it, justified or not.

You're better off trying to force rate limit outgoing email, keep state on your clients, and trying to cut off outgoing SMTP for abusive hosts. However, you would then be monitoring traffic, and that might not work out so well, either.

Re:Filter (1)

gandreas (908538) | more than 7 years ago | (#16884986)

Presumably the ISPs figure you'll just take your business and your bot-infested computer elsewhere
How many people actually want to have a bot-infested computer? Wouldn't the average consumer be happier if their ISP told them "you're computer is infected, sending out spam, and possibly stealing your private information, and here's what you need to do to clean it up"? I just don't see people thinking "hey, I just want to keep run my bot infested computer without hindrance" and switch to a different ISP. I'm guessing the real money issue is that the ISPs don't want to (or don't have the resources to) help their users clean up their infested machines.

outbound email only on request (3, Interesting)

davidwr (791652) | more than 7 years ago | (#16884478)

If I were running an ISP, I'd have common ports such as IM, file-transfer/ftp/torrent, ssh, 80/443, irc, and many others allowed and all other ports blocked or restricted to certain destinations by default.

I'd have a web-page for my customers so they can click things such as:

Outgoing Email:
[x] web based [turn on port 80/443]
[x] through remote-login [turn on remote-login ports]
[x] through us [turn on mail ports, restrict to our servers]
[ ] through another server: ______ (specify list of outgoing mail servers)
[ ] through any server
  +-- [x] check here to turn this off after 7 days (recommended)

x's show defaults.

Checking the last two would bring up the relevant sections of the AUP/TOS as a reminder of the strict "no spamming" and "we will suspend outgoing mail and charge you cleanup fees if your machine is taken over" clauses.

Re:outbound email only on request (2, Funny)

dknj (441802) | more than 7 years ago | (#16885016)

and this is why you're not running an isp...

Re:Filter (1)

jandrese (485) | more than 7 years ago | (#16884616)

While that would work, it is the sledgehammer approach. You're assuming there is no legitimate reason for someone to be sending mail directly from his home account. I think a less obtrusive method would be to monitor outgoing traffic for excessive SMTP (more than 5MB in 30 minutes for 1 full hour perhaps), and if it is detected block off that customer so that all web browser traffic is redirected to the ISPs "your computer is infected, here is how to clean it" page. I think if people were made aware of this sort of thing more often they would become smarter and more careful in the long run.

If their computer stops sending port 25 mail for 15 minutes (or perhaps they click a button on the webpage saying "I've fixed it"), then they're unblocked until they send excessive mail again. This is more work than the brute force approach of just blocking the port, but I think it is better for the internet in the long run. It also allows people who want to avoid their ISPs dog slow mail server (8-12 hours to process an email?!?) an option.

Re:Filter (1)

CrazedWalrus (901897) | more than 7 years ago | (#16884974)

(8-12 hours to process an email?!?)

8-12 hours?! Sounds like someone put an internet in your tubes! Back the truck up!

Hasn't worked for me (3, Funny)

Chapter80 (926879) | more than 7 years ago | (#16884642)

Has anyone had any luck with these stock tips? None of them seem to be panning out for me. I wonder if I am not acting fast enough. I've really taken a beating on some of these.

Fortunately, I should have significantly more money to invest shortly, as soon as I get a rather large sum from a new online friend and business associate and new friend, Mr. Emmanuel Obi from Africa, of all places.

Solution to Pump and Dump (1)

shirizaki (994008) | more than 7 years ago | (#16884110)

Get pregnant, then that little piece of spam will have to provide child support for 18 years.

Yeah, but it can't post to Slashdot (1, Funny)

Anonymous Coward | more than 7 years ago | (#16884126)

Did we call or DID WE CALL IT?!?

ESNX up $3.13 from open of trading...

Class action against Microsoft (-1, Flamebait)

cdn-programmer (468978) | more than 7 years ago | (#16884148)

Why can't we organise a class action against Microsoft? It is their shitty code that is responsible for most of this... their shitty code and really poorly thought out security measures.

Then we should go after some of the large ISP who hide their brains in the sand (shit anyone) and pretend they do not know certain customer's machines are spewing night and day.

Re:Class action against Microsoft (1)

diersing (679767) | more than 7 years ago | (#16884258)

Thats crazy... that's like going after P2P admins for users sharing illegal content. It would never fly.

Re:Class action against Microsoft (2, Insightful)

cdn-programmer (468978) | more than 7 years ago | (#16884714)

Its like going after Boeing because someone put some tape over the port that allows outside air to get at the gauge that measures air pressure and estimates elevation on a 757.

You can point your finger all you want at the maintenance worker who didn't read the warnings in GIANT PRINT - but Boeing was still sued and paid.

Boeing was not being irresponsible. I do not think the same can be said of Microsoft because many of the security problems have been pointed out CONSTANTLY since before 1995.

Re:Class action against Microsoft (2, Insightful)

shark72 (702619) | more than 7 years ago | (#16885232)

"Thats crazy... that's like going after P2P admins for users sharing illegal content. It would never fly."

It's not like that at all, but that's due to a distinction that's apparently too fine for some people.

Take a look at your favorite torrent tracker. Unless it's legaltorrents or something of its ilk, you know they set it up to capitalize on the huge demand for pirated material (and to make ad money off same), you know most of the traffic is pirated material, and you know that the admin knows this. Running a tracker with the belief that you will simply be able to tell the authorities that you're "not responsible for your users" might make perfect sense to a 14-year-old, but they're often unaware of a crucible in the legal profession known as "the laugh test." If it has the proper locomotion, vocalizations, and behavior, smart people don't need to be told that it's a duck.

Now, it might be funny and all to say that yes, Microsoft really does sell XP primarily for the purpose of running botnets and sending spam, but again, you, I, and everybody else know that it's simply not true. Again, the laugh test prevails.

Reminds me of Herry Potter... (-1, Flamebait)

ResidntGeek (772730) | more than 7 years ago | (#16884156)

Isn't it obvious all this stuff's coming from win32? Trojan-Proxy.Win32, Trojan-Downloader.Win32 - why don't they just chuck all the Windows users out?

Infection vs Market Share (4, Insightful)

MrSplog (956424) | more than 7 years ago | (#16884178)

The charts would be a lot more interesting if they had them compared to market share. then you've got to consider that people are more likely to target the biggest market share. i mean, how many virus writers are targeting FDOS?

Re:Infection vs Market Share (1)

Overzeetop (214511) | more than 7 years ago | (#16884318)

Well, 99.95% of the infected machines on the botnet are an identifiable variant of Windows, with 0.05% listed as "other". I'm okay with writing off the 35 machines which are not known Win* variants. It's pretty safe to say that the Windows OS is clearly the problem.

Re:Infection vs Market Share (1)

InsaneGeek (175763) | more than 7 years ago | (#16885130)

Why would you say the Windows OS is clearly the problem? The trojan *only* run on Windows, so one would expect that all of the clients are Windows. It's like saying that Linux OS is clearly the problem when looking for Linux kernel bugs and the fact that they don't affect Windows at all.

Re:Infection vs Market Share (2, Insightful)

Ilgaz (86384) | more than 7 years ago | (#16884324)

I understand what you mean. Check the hacked servers [] , almost all run Apache on Linux. Why? It has bigger marketshare on webservers.

I think the OS X, Linux, FreeBSD "I am invulnerable because of OS I run, I don't need security updates or basic sense of security" will cause problems soon just like phishing.

Re:Infection vs Market Share (1)

DanielNS84 (847393) | more than 7 years ago | (#16885046)

I'd be interested in knowing how many of those are from actual Kernel/OS vulnerabilities and how many are from people using an old version of apache. From what I understand security issues in apache are fairly consistent across operating systems. If this were the case then the operating system would not be to blame...this article is about nested botnets on users computers not a vulnerability that allows you to change content on someone's website.

That was a bad picture (5, Funny)

Overzeetop (214511) | more than 7 years ago | (#16884186)

I'm sorry, but the terms "Penis Enlargement" and "Excellent Graphics" were situated a bit too close together in that summary for my liking.

Disgusted... (0)

Anonymous Coward | more than 7 years ago | (#16884232)

OSX and Linux are not listed in the percentages of infected machines. This is an outrage. It's time we demand that these trojan and virus writers include alternative Operating systems in their designs.

Proof that Microsoft is exterting their manopoly strength to exclude other operating systems.

Rebuild the email protocol (5, Insightful)

Hoi Polloi (522990) | more than 7 years ago | (#16884276)

It is time to rebuild the email protocol. It needs to be redesigned to cope with modern systems and security needs. The pain of the transition would be worth it. It is just too easy to spoof header info now.

Re:Rebuild the email protocol (5, Funny)

LordEd (840443) | more than 7 years ago | (#16884716)

Your post advocates a

(x) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(x) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Rebuild the email protocol (4, Insightful)

Archangel Michael (180766) | more than 7 years ago | (#16884814)

The "we can't change anything because it is too hard waaaaaaa" post.

Thank you for being a wimp.

Re:Rebuild the email protocol (1, Funny)

Anonymous Coward | more than 7 years ago | (#16885168)

That was incredibly badass...Are there other forms that I could use for such issues? I really hope you didn't just type that.

Re:Rebuild the email protocol (2, Insightful)

Renegade88 (874837) | more than 7 years ago | (#16885204)

Am I the only one who thinks this form-checkbox type of comment is trite? It's not original, it's not funny, it's annoying at best. Stop doing it.

Re:Rebuild the email protocol (1)

growse (928427) | more than 7 years ago | (#16884756)

Whilst I agree in spirit, the single problem with email now is that you have no way of knowing if a sender really is who they say they are. I can send an email to you which claims to be from Steve Ballmer and you have no way of knowing 100% if it's real or not.

I'm not sure how this would be solved with a redesign either. The only way I can think of doing it is to have a mandatory digital signature attached to the email, so you can lookup exactly who signed it and prosecute/disable signature if spam. If someone sends an email with an invalid signature, it gets rejected by the mailserver. Downside is that you need a central body to supply these signatures. Verisign perhaps? This would then mean a charge for anyone who wanted to use email, but that might be a good thing. Once you have an organisation though, you have corruption, and spammers will find a way to infiltrate this.

There's also the issue of getting serious momentum going. I could set up a company, and broker a deal with Versign or someone to supply and keep a lookup database of digital signatures. A few geeks will sign up and set their mailservers to reject all mail that doesn't come with a valid signature. Thing is, they'd have to get a lot of major e-tailors to sign up to this as well, otherwise every time I buy something from Amazon, and they want to talk to me about it, I'll have no idea.

Just kicking ideas around. :)

Re:Rebuild the email protocol (1)

vertinox (846076) | more than 7 years ago | (#16885072)

It is time to rebuild the email protocol. It needs to be redesigned to cope with modern systems and security needs.

The main problem is that you would need to get everyone to get on board with it all at once.

However, I don't see why companies do this internally as it is.

For internal communication you should be using a secure system and anything external just gets put in a different mailbox or system. Still... Its a great deal of work.

thats okay, but how to detect this infection? (4, Insightful)

Anonymous Coward | more than 7 years ago | (#16884278)

Perused the article to know how to find out if my computer is infected or not but couldn't find anything. This is such an important news for Windows users, at least tell something abou thow to verify if a particular windows machine is having this problem.

Re:thats okay, but how to detect this infection? (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16884434)

This is such an important news for Windows users, at least tell something abou thow to verify if a particular windows machine is having this problem.

It is. Get rid of it and buy a Mac. HAND.

Re:thats okay, but how to detect this infection? (0)

Anonymous Coward | more than 7 years ago | (#16884942)

Monitor the traffic. Windows Firewall has that feature of logging all communications for all IP addresses for all ports. If you are not hosting a site (which is true for most bots), and you see too many sends compared to receives or too many sends other than port 80 (http), you are probably infected.

Re:thats okay, but how to detect this infection? (0)

Anonymous Coward | more than 7 years ago | (#16885012)

As many other Linux users, I also provide tech support to family and friends who use Windows. That is why I am interested in this recent surge in spam infection.

I guess I should have ethereal handy if I want to check the traffic from a Windows host.

If you have to ask... (1)

Ayanami Rei (621112) | more than 7 years ago | (#16885018)

... then you probably are.


1) Get rid of XP. If you're going to run Windows, then run Server 2003. Try to get your company to pay for it if you can.
2) Don't disable the "MSIE Enhanced Security Configuration", whatever you do.
3) Use Firefox or Opera, never use IE, unless absolutely necessary (Windows Update)
4) Always run as a limited user. Never as a user with Administrator access. Right-click on installers and say "Run as... The Following User: Administrator" to install them.
5) Get yourself all of the SysInternals tools you can get your hands on. This can help you monitor file, registry and process access to look for unexpected behavior. Always check online to see if something is "normal" though before taking action, you don't want to kill your system accidentally.
5a) Software that requires administrator privledges to run iss probably not worth using anyway. You can special case essential software by using "Run as..." or by giving your user permissions on key files that it can't access. Use RegMon and FileMon in SysInternals to determine what the application is trying to access and give your user (or the Users group) the appropriate permissions on those files/registry keys.
6) Don't use software you haven't heard of. Free software is usually okay if it's open source, or you can independantly verify its reputation as safe and without adware or malware. Most $30 and below shareware you find through quick google searches is garbage and usually a malware vector, don't buy it.
7) Don't use Outlook to open mail. Never open unexpected attachments. Always turn off HTML email support and use plain text viewing instead.
8) Get a virus scanner. Don't use the home versions of McAfee or Symantec, they're garbage. The Norton PC suites are garbage too. Personally I use Symantec Corporate. You should try AVG, BitDefender, or F-Prot. The free versions are decent.
9) Install and periodically run SpyBot Search and Destroy.
10) Don't bother with a 3rd party firewall. Use the builtin windows firewall, or an external device. Learn how to properly use them.
11) Investigate Windows OneCare offerings. I haven't used them, but I hear they are okay. It's a service though, so pony up the cash.

This is what you have to do to protect yourself in Windows. It's no wonder people have issues.

Re:thats okay, but how to detect this infection? (2, Informative)

Bastian (66383) | more than 7 years ago | (#16885024)

Get a virus scanner, silly. I believe this trojan is detected by all of them.

I'm glad I run my own mail server (3, Informative)

zitch (1019110) | more than 7 years ago | (#16884296)

And implemented greylisting [] on it. Cut out almost %100 of the spam I have been receiving (Was up to 50 emails a day, now I think only one has gone through since I installed postgrey on my mail server in 1.5 months!). Unfortunately, this is easy to get around, so it should only be a matter of time till that is worked around and becomes useless in the spam fight. By that time, hopefully another anti-spam method comes up...

Hit the nail right between the eyes. (4, Insightful)

Rob T Firefly (844560) | more than 7 years ago | (#16884614)

This is the basic problem with any single antispam measure, or really any single computer security measure.

1. Someone comes up with a defense mechanism that works well.
2. It works so well that more people use it.
3. It becomes popular enough for the bad guys to beat, so they do.
4. The defense becomes useless, forcing someone to come up with a new defense.
5. Goto 1.

greylisting+dnsblocking f0r teh win. (2, Interesting)

Anonymous Coward | more than 7 years ago | (#16884908)

Except greylisting+dnsblocking, for which there is no defense.

If everyone greylisted, spamming operations would slow down to a crawl. If the go full speed, then the only sites which will accept their spam (or better, to escape detection, temporarily reject it after DATA) are spamtraps, which means the rest of the world becomes instantly unavailable because of dnsblocking.

If they have to slow down.. well, we win.

It's just beautiful.

Re:Hit the nail right between the eyes. (2, Interesting)

wawannem (591061) | more than 7 years ago | (#16885180)

Well, greylisting is suprisingly more effective than most anti-spam measures if you combine it with a decent rbl. The basic premise is that when a message comes in, the server looks at the sender, recipient, and sending host/server. If this is the first time that the greylisting server has encountered this triplet, it tells the sending server to wait X minutes (where X is most likely 5). There are 3 likely outcomes at this point. First outcome, this is a legitimate message from a legitimate server and the waiting period will be honored, then the message will be delivered appropriately and the greylisting server will mark the triplet as legitimate. The second outcome is that the message is coming from a zombie and it will not honor the waiting period because it isn't a fully implemented SMTP server, thus the message will be dropped. Lastly, it is a well-written spam attempt, but within the five minute waiting period, the sending machine will be blacklisted by the rbl to which you subscribe.

Although you may be right that the bad guys will eventually beat it, in the meantime, there are significant waiting periods involved which will likely slowdown the penetration of the spam. This penetration rate is what makes spam profitable. It basically forces servers to build up trust between each other similar to how people build trust with each other... i.e. "I've worked with this person before on this project, so I can believe in him/her" or "I've never worked with this person on this project, so I'll treat them with suspicion until he/she has proven her/himself"

Re:Hit the nail right between the eyes. (1)

zitch (1019110) | more than 7 years ago | (#16885186)

Reading through that Wikipedia article did highlight one benefit to using greylisting even after the spammers account for it; it would delay the spam and give time for the other anti-spam measures to detect it (the source and the actual text) as spam.

Unfortunately, greylisting does have several disadvantages:

1) Misconfigured mail servers attempting to send mail to a server utilizing greylisting may translate the temporary reject as a permanent reject.
2) Domains that have a large enough cluster of relay servers may attempt to send the email using different servers, eventually causing an undeliverable bounce of legitimate email.
3) The delay (up to four hours for most email servers) may be undesirable in certain situations, such as a customer-support address for a company, where response time would be important. Fortunately, at least postgrey gives a method of excluding some recipients from the greylist; emails for those addresses will go through immediately.

Re:I'm glad I run my own mail server (1)

caseih (160668) | more than 7 years ago | (#16884900)

Greylisting is no longer completely effective. Initially when I started it cut down on 100% of the spam, as you said. But now, thanks to this new botnet which does honor RFCs for e-mail, I have enlargement and stock spam coming through just fine after waiting out the delay. I won't disable greylisting though; it still keeps out a lot of spam. I'm just saying greylisting doesn't actually completely work. I agree with another poster who said SMTP is pretty much done. Too many people have ruined it for the rest of us. Time to replace the protocol completely with something less vulnerable to abuse.

"unknown country" (1, Interesting)

sarbrot (1024257) | more than 7 years ago | (#16884300)

i guess many of those from "unknown" are actually german since germanys largest ISP cannot get its head out of his arse and finally change hostnames to something.DE.. instead it is .net all the time for most germans. This also always causes great disconcert when you have to explain logs to a customer and the damn script does not base location on IP but on host..

eweek confirms it: Linux and Mac are dying! (5, Funny)

Trelane (16124) | more than 7 years ago | (#16884314)

From the graphs, it's obvious that Linux, BSD, and MacOS lumped together are only 0.05 percent of the desktop market!!

Re:eweek confirms it: Linux and Mac are dying! (2, Funny)

Overzeetop (214511) | more than 7 years ago | (#16884368)

You forgot OS/2 ;-)

Re:eweek confirms it: Linux and Mac are dying! (1)

zieroh (307208) | more than 7 years ago | (#16884564)

And AmigaOS.

Re:eweek confirms it: Linux and Mac are dying! (0)

Anonymous Coward | more than 7 years ago | (#16884610)

Sorry pal, we didn't mean to forget you.

Re:eweek confirms it: Linux and Mac are dying! (1)

Bandman (86149) | more than 7 years ago | (#16884618)

I was disappointed that there wasn't a Win 3.1x contingent. Someone has got to still be running it.

Re:eweek confirms it: Linux and Mac are dying! (1)

19061969 (939279) | more than 7 years ago | (#16885162)

Huh! Oberon always gets ignored... ;-)

Re:eweek confirms it: Linux and Mac are dying! (4, Insightful)

mrjb (547783) | more than 7 years ago | (#16884594)

Do you really think that 0.05% of all spam comes from Linux, BSD, MacOS, Solaris and OS/2 lumped together? Then I'll have to disappoint you. Look again. Windows 95 is curiously absent from the graph. How big a part of 0.05% do you think it could handle?

How can we compete? (1)

PHPee (559830) | more than 7 years ago | (#16884320)

Seeing the complexity of a botnet like this is scary. The people responsible for this kind of thing are intelligent, always evolving and don't care about any of the repercussions of their actions. It seems that any proposed solution we can come up with to combat spam will just be worked around shortly after it is implemented.

From the article:
"the Trojan comes with its own anti-virus scanner--a pirated copy of Kaspersky's security software--that removes competing malware files from the hijacked machine"

I never would have thought of something like this. Trojans fighting for territory... crazy.

The software uses proxy servers to avoid blacklisting bot IP addresses, harvests email addresses from the infected machines and randomly changes images used in image-based spam to throw off anti-spam technologies. The people behind this are clever. How can we compete effectively?

Re:How can we compete? (0)

Anonymous Coward | more than 7 years ago | (#16884390)

The people behind this are clever. How can we compete effectively?
By being more clever? Duh!

Re:How can we compete? (1)

Thansal (999464) | more than 7 years ago | (#16884732)

Create a piece of malware that installs a modified version of a free anti-malware program?
Something runs invisibly in the background, auto updates (with out informing the user) etc etc etc.

Now infect as many computers as you can (And ofcourse have it propigate itself).

There yah go, we have solved the malware problem!

Note: I don't ACTUALY endorse this idea. I don't believe in the ends justifying the means. Personaly I think that computer manufacturers/MS (and MS has been doing this, and I am glad that they have) should step up to the problem. I also think that our education system should step up and educate users (aka, the general population) about basic computer security.

Re:How can we compete? (1)

ummit (248909) | more than 7 years ago | (#16885108)

The people behind this are clever. How can we compete effectively?

By competing at all, by being remotely clever ourselves, because at the moment we're not.

These botnet clients all rely on viruses and other sorts of malware to propagate, of course. Now: where is it written that computers must be vulnerable to viruses? You can say that no software is perfect and that bugs are inevitable, but that's missing the point: the popular, "modern" computer operating systems are specifically designed in a way that ends up making it very easy to write viruses and other infectious code. We hand the virus writers the exact tools they need, on a silver platter.

Why is it even possible for your email client to run code out of an email message you've just received? How often do you want to do that legitimately? How different would the computing landscape be if that capability simply didn't exist?

Why is it even possible for a website to install code on your machine simply by visiting it? How often do you want to do that legitimately? How different would the computing landscape be if that capability simply didn't exist?

C'mon (3, Insightful)

Tarlus (1000874) | more than 7 years ago | (#16884364)

Well of course Windows is going to be in the majority of affected machines... There is a dramatically higher number of people in the world using Windows than any other OS, so... wouldn't it make sense?

As a proud user of Kubuntu, I can relate to /.'s tendency to point out everything that appears to be wrong with Windows... but come on, isn't it a little much to explicitly point it out in this case?

Re:C'mon (0)

Anonymous Coward | more than 7 years ago | (#16884536)

Well of course Windows is going to be in the majority of affected machines... There is a dramatically higher number of people in the world using Windows than any other OS, so... wouldn't it make sense?

Nice troll. I'll bite. So you think other operating systems have 0.06% market share?

99.95% Windows (1)

pedestrian crossing (802349) | more than 7 years ago | (#16884542)

Well of course Windows is going to be in the majority of affected machines... There is a dramatically higher number of people in the world using Windows than any other OS, so... wouldn't it make sense?

As a proud user of Kubuntu, I can relate to /.'s tendency to point out everything that appears to be wrong with Windows... but come on, isn't it a little much to explicitly point it out in this case?

According to their chart, 99.95% of the systems on the botnet run Windows in some form. Unless all other desktop operating systems only have .05% combined market share, maybe there is a correlation between the security of Windows and the botnet problem.

Re:C'mon (3, Insightful)

Mark Hood (1630) | more than 7 years ago | (#16884632)

Actually, the dig was at Windows XP SP2 in particular - not just Windows generally.

If these bots have control over 'the most secure Windows yet' [] , then that is worthy of note.


PS Yes, I know the link is from 2004 - but they've not released anything since, so it must still be true, right?

Re:C'mon (1)

InsaneGeek (175763) | more than 7 years ago | (#16885002)

I think the problem is that there really is nothing inherrent in Linux, etc that would prevent them from being part of a botnet if I run a trojan. As a Linux user I can open up a port >1024 and my .profile or .xinitrc can run a botnet program without me noticing it. Grandma is just as likely to click on a "run this" spam message on Linux as she is on XP, just right now there are limited number of uninformed Grandma's running Linux so people aren't creating programs for it.

Probably the bigger reason for this specific case is that the spam-thru trojan doesn't run on anything other than a windows! So the stupid people trying to compare it the infection rate of any other OS is very, very *stupid*.

Re:C'mon (1)

A.K.A_Magnet (860822) | more than 7 years ago | (#16885188)

You're assuming a remote exploit in the web browser or mail client. Currently, your grandma opens an attached file in a mail and gets infected. With GNU/Linux, she would have to set it "executable" before being able to run it. She doesn't know how to do that (hopefully) so she won't get infected.

Programs should be installed system-wide by an administrator (you?), and from a trusted source (signed apt repositories).

This is a huge difference with Windows and its security model. By default on Windows, all ".exe/.vbs/etc" files are executable.

Re:C'mon (1)

mrjb (547783) | more than 7 years ago | (#16884678)

come on, isn't it a little much to explicitly point it out in this case?
No :)

I'm just surprised that those spams still ... (4, Insightful)

Jawood (1024129) | more than 7 years ago | (#16884408)

work. After all, the folks who are doing the "advertising" must be getting some sort of return.

Which leads me to wonder about the folks who actually believe that those penis enlargement pills work.

And as far as the "pump and dump" spam goes, are there folks who beleive those spams? Or are they of the mindset of the "greater sucker"? Meaning, if I buy this stock now, after this spam circulates, there will be others who buy this shit stock and push up the price allowing me to make money.

Yeah, I know the guy who originates the "buy" recomendation is hoping for everyone to buy the stock, but what makes some of the recipients think they'll make out?

Re:I'm just surprised that those spams still ... (0)

Anonymous Coward | more than 7 years ago | (#16884720)

I am amazed, too. Everytime I get one, I forward it to '' as well
as '' and my ISP's "missed-spam" address. How effective is this? Well,
it DOES make me feel like I'm helping in a miniscule way, in the hope that at least
the SEC's systems will be able to get enough data to figure out who's doing it, and/or
enough evidence to make the perps REALLY miserable if/when they're caught.

How well does the spam work? I don't know offhand. However, there was an article in
a newspaper in South Florida this morning reporting on a court case in which a trio
of telemarketers selling Internet kiosks on TV were convicted of fraud and ordered to
pay roughly USD 22 Million (total) in restitution to 738 victims. So, unfortunately,
P.T. Barnum continues to be right...

Re:I'm just surprised that those spams still ... (2, Interesting)

artifex2004 (766107) | more than 7 years ago | (#16884818)

Yeah, I know the guy who originates the "buy" recomendation is hoping for everyone to buy the stock, but what makes some of the recipients think they'll make out?

There are plenty of idiots out there with access to both internet and credit cards. Really.
And a lot of them also think that if someone has your email, they must know you from somewhere.

When I worked at a brokerage firm, people used to call me and ask for advice (which I couldn't give, not being licensed) on how much to invest in whatever stock they got emailed that day.

Okay, so now there are statistics..... (2, Interesting)

zappepcs (820751) | more than 7 years ago | (#16884482)

But when, if ever, will anyone shut down the MS machine? Never is when. MS is far to invested into large corporations and government institutions to ever have anyone, never mind MS, say, all windows products must be updated or dumped. Its just not going to happen. If you owe the bank $1000 dollars, you are in trouble if you're late on the payments, if you owe the bank $10,000,000,000 dollars and you're late, the bank is in trouble.

Right now, the later is more the case. If MS had to upgrade or recall all XP products, it would cause a large harm to the economy, not just MS's bottom line. Think of what would have to be spent on the upgrades or change outs?

Too many people have invested in MS products to just shut it down, and just like England won't wake up one morning and start driving on the right side of the road, MS products will remain in service. (I'm not trying to imply that the left side is the incorrect one, just illustrating the size of the problem)

Reports like this do seem to show MS in a very bad light, but how it gets fixed will be even more interesting. When government types want to show they are doing something about spam, will they do anything to make MS responsible, or make MS fix it? Probably not, so the real answer to spam, or answers, is to implement measures that do not rely on the end user, or the end user's OS to fix it.

IMO, This means that ISP's are going to have to sandbox segments of their networks to throttle spam, and that cost will be passed on to consumers, or possibly will be borne by the ISP for bragging rights about having less spam than any other ISP, in much the same way that the Bell companies used to do advertising about what they are spending to improve services for consumers.

This also leaves me with a suspicion about the marketing team for Vista? How better to fix XP SP2 than to upgrade to Vista?

Re:Okay, so now there are statistics..... (0)

Anonymous Coward | more than 7 years ago | (#16884802)

England won't wake up one morning and start driving on the right side of the road
No, they'll change gradually. :-)

Re:Okay, so now there are statistics..... (1)

Pooh22 (145970) | more than 7 years ago | (#16885172)

The end-users need incentives to not polute the (digital) environment, so sending bills in return for sending spam is helpful.

In order to make it acceptable, an ISP could start by dealing out points first (adding or subtracting, like traffic violations cause points to be taken off your license in some countries). They could give positive rewards for not sending spam and eventually charge people when they do send spam.

I don't see any other way, because people just don't learn if it's for free.


Blue Frog, where are you? (1)

ppentz (1028640) | more than 7 years ago | (#16884658)

Blue Security had a good thing going with their "Blue Frog" software. At one time there was an open source version being developed. Anyone know the status?

Re:Blue Frog, where are you? (1)

Mathiasdm (803983) | more than 7 years ago | (#16885114)

Sadly, there's not much going on anymore.

It's the Okopipi project, btw.

Hmm, maybe they shouldn't have worded it this way (1)

xiong.chiamiov (871823) | more than 7 years ago | (#16884728)

virtually all of them for penis enlargement ... Excellent graphics, too,

nmap? (2, Interesting)

goarilla (908067) | more than 7 years ago | (#16884740)

I wonder tho how they ... know which os the bots are running?
i mean i use nmap, and other portscanners myself but the OS detection
is just a sane guess and far from perfect

I also wonder what the 0.05 % of other OS'es are because i do think
this malware is written on the win32 api, so i rather guess these were inconclusive
OS fingerprinting and/or *Nix systems running a virtual machine or ... wine ...
if this is possible (i'm not trying to troll here)

And if this is possible i do want to know what kind of measures the users of these non conclusive
Os fingerprinting scans used because ... it would stop many script-kiddies from trying to automatic crack your machines, if they can't find which OS you're running ...

Anyone has some tips about this in particular
How do i fool commonly used portscanners etc ... in their OS detection ... on Windows and *Nix systems?

Re:nmap? (1)

ummit (248909) | more than 7 years ago | (#16885210)

The OS stats had nothing to do with probing the machines from the outside, before infection, with nmap or the like. They were reported by the botnet client, running on the infected machine, after infection. If you've got code running on a machine, it's pretty easy to definitively figure out what OS and version it's running, without resorting to externally-visible fingerprints.

where does it end? (1)

ummit (248909) | more than 7 years ago | (#16884742)

I hope I'm not being Chicken Little [] , but there's much worse that botherds could do with their botnets than just sending stock scam and penis pill spam. I'm wondering if the only solution won't be for major governments to take major action (perhaps under the guise of national security), and I'm not sure this would be a bad thing. What if it were made a (minor) crime to operate a computer that's vulnerable to being a botnet node? The only question would be, who would pay for the cleanup: the vulnerable machine owners, Microsoft, or taxpayers?

Re:where does it end? (1)

King_TJ (85913) | more than 7 years ago | (#16885084)

Nope! Not a viable or reasonable solution. You think the RIAA looks bad now for suing grandmas and small kids?!?

Think of all the computer users out there who did nothing more than purchase a brand new PC in order to use it exactly for its "intended purposes". (writing school papers, getting on the Internet to read web sites and do email, and play a few games) The fact that they get hijacked and serve as part of a bot-net while being used as-advertised means the fault doesn't lie with the end-user!

Put yourself in the shoes of "Joe User" for a moment, if you will. You know nothing about software programming. You simply purchased your new Dell/HP/IBM/Acer/whatever because it was recommended to you as a "good computer", and your kid's school said they needed one for homework assignments. Now, you're looking at being charged with a crime for not properly securing a flawed Microsoft OS against someone's botnet?? What would constitute "properly securing" the machine, anyway? In court, you'd certainly be able to argue that this amounts to a demand you start a new career as a software developer and get hired at Microsoft, or else you can't comply!

It's amazing how complex pump and dump schemes are (2, Interesting)

antifoidulus (807088) | more than 7 years ago | (#16884758)

getting. A few weeks back I read an article that stated that some crackers had managed to get into the accounts of some of TD Waterhouse's investment clients. Since most of these accounts were retirement accounts liquidating them and stealing all the assets would have been difficult, required a lot of paperwork, and ran a much higher risk of getting caught. So instead what the attackers did was liquidate all the assets of the victims and then used those assets to buy a bunch of pump and dump stocks(high demand low supply=much higher prices). Pumped the value of the stock up significantly then as the name suggests, dumped it.
As much as I think they are scum for doing so, you have to admit that was pretty creative....

how effective is it? (1)

RingDev (879105) | more than 7 years ago | (#16884820)

Do these pump and dump scams even work? If so, by what kind of margins?


Re:how effective is it? (1)

mgblst (80109) | more than 7 years ago | (#16885080)

Yes, 7.

What is the Top500 ranking? (1, Interesting)

Thagg (9904) | more than 7 years ago | (#16884838)

This network of some 73,000 machines has to rank as one of, if not the, leading supercomputer in the world. Why aren't they ranked in the Top500 list?


I don't know what to worry over (1)

Provocateur (133110) | more than 7 years ago | (#16884842)

From the impressive slideshow
a) That spam trojans are out there and running rampant on infected machines
b) That a country named 'Unknown' is second only to the US when it comes to the Top 20 spam locales
c) that there haven't been a lot of respondents to the penis-enlargement emails, hence the widespread marketing campaign

Completely random thought (new windows patch?) (1)

gmarsh (839707) | more than 7 years ago | (#16884868)

Since most infected computers on this botnet are XP SP2 and likely have Windows Firewall enabled on them... How hard can it be for MS to code up a patch to the firewall code that detects outgoing connections to TCP port 25 (SMTP) and throws a warning on the screen? Send the patch out over Windows Update. Your average Hotmail/Yahoo/Gmail user won't ever notice. People who use Outlook Express or some other SMTP-sending client may have to click a "yes, I'm actually sending e-mail" button when they send e-mail and suffer half a second of annoyance, and that's just assuming you alarm on every outgoing SMTP connection. There are probably better ways to do it. Something like this would completely wreck SpamThru's functionality, wouldn't it? Just a thought.

How many of the 70,000 are elderly? (2, Interesting)

AceCaseOR (594637) | more than 7 years ago | (#16884898)

I recently helped an elderly neighbor secure her computer (I was paid for this service, and I make sure I do get paid every time I get called over for help) by installing some good firewall and anti-virus programs (as well as setting up Firefox and Thunderbird for their primary browsers. When I ran a virus scan on her computer (I installed AVG, as her McAfee subscription had expired), I found several viruses and malware programs on there, all of which I removed, which came with games she downloaded (stuff like mahjong and solitaire). I regret not writing down what viruses she had gotten infected with, so I could find out what she did.

I did the same thing on my grandmother's computer as well (when she was alive), and odds are there are a lot of seniors who are online and engage in a lot of bad habits that we know are bad - including running IE with minimal protections, opening strange attachments, and so forth. This is not a new problem, and, frankly, a problem that only education (or getting 75% of seniors to switch to Mac OS or Linux) can fix.

Re:How many of the 70,000 are elderly? (1)

xiong.chiamiov (871823) | more than 7 years ago | (#16885128)

I completely agree with this. However, it's not just the elderly, but a lot of us young 'uns as well. So many people I know are clueless when it comes to things. Of course, they shouldn't *have* to know so much (preferably), but right now the predominant OS is ahem not secure. Though, of course, I'm sure we're all familiar with social engineering. The user is the sysadmin's worst security nightmare.

Limits (1)

DMorritt (923396) | more than 7 years ago | (#16884930)

youd be surprised the limits people go round to send legitimate emails, a company i worked for had a rate limit of x per 30 seconds and xx per 10 min period. even the legit customers phoned for advice on how to get around it.

Short positions (1)

bperkins (12056) | more than 7 years ago | (#16885008)

If it were possible to take short positions on these stocks, and people would chort rather than buy the stocks that are pumped, then the financial incentive for the pump and dumpers would go away, as would the spam.

Blue Frog (1)

Mathiasdm (803983) | more than 7 years ago | (#16885054)

Too bad it died...

govt action (1)

MooseTick (895855) | more than 7 years ago | (#16885100)

I don't see why the government doesnt go after companies using spam as a selling technique. They still have to recieve money somehow and that can be traced. If the G would shut a few down and lock a few people up for a deacade then there would be a lot less spamming going on.

How do these bots spread? (1)

jonwil (467024) | more than 7 years ago | (#16885268)

Email? (in which case why dont more ISPs run good email virus scanners? Is there a free (as in beer) email virus scanner out there for those email server admins who cant afford to buy one? (or are there reasons other than cost as to why email server admins and ISPs and stuff arent routinely scanning email as a matter of couse?)

Exploits in the OS? (why arent ISPs blocking ports like MS-RPC and MS file sharing (things that shouldnt be going out over the internet anyway) for example)?

Is there something the SEC can do? (perhaps finding the people who buy the stock, pay the spammers to send the spams, sit back and watch whilst their stock becomes a lot more valuable and then proceed to sell it all. (IANAL or a stockbroker but I dont think you can buy/own stock without at least some way to tell who you are).
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?