Bot Infestations Reach Nearly 1.2M

mengel writes "According to the folks at SecurityFocus the number of bot-infested systems has surged to nearly 1.2 million. This after a big drop in December when lots of people replaced/upgraded systems. Time to upgrade your spam filtering software, the onslaught is coming."

Tweaking liability laws

[Harmonious Botch]

These bots could be greatly limited with proper tweaking of liability laws. Under current laws, if I leave a pool or a car unsecured and somebody else gets injured or killed, I can be found totally or partially liable. But if I leave my computer unsecured and someone else uses it to cause harm to third parties, I'm in the clear.

Re:Tweaking liability laws

[Watson Ladd]

It would be hard to determine what constitutes appropriate security. And how are you supposed to know about a zero-day or a subtle misconfiguration? A pool is easy to secure. A car is easy to secure: Both have small threat models and physical protection is all you need. A computer is much harder to secure.

Re:

[Anonymous Coward]

True but life is hard. This is the solution to this "problem", just as having a 1 cent cost per an email sent is the solution to the spam "problem".

ISPs should immediately pull the plug too on infested machines to limit damages.

There's no reason to let innocent bystanders to suffer from the criminal neglect of some.

Re:Tweaking liability laws

[mrbcs]

I work for a small ISP and that's exactly what we do. You get two strikes. First is a warning to clean up your machine and put on antivirus software. Next time, we kick you off the network and terminate your account. Problem totally solved. We've had two people get the first warning. None kicked yet.

Re:Tweaking liability laws

[penix1]

Although it gives you a "warm fuzzy feeling"(TM) that your company isn't contributing to the bot problem, too many kicks and you soon have no customers. All that you are doing is forcing that customer to go to an ISP that won't give them the boot. It does nothing to actually solve the problem.

An alternative would be instead of cutting them off completely, offer them an antivirus solution. Although I hate them, this is what companies like AOL and NetZero are doing.

B.

Re:Tweaking liability laws

[rbochan]

...too many kicks and you soon have no customers...

To be honest with you, I _would_ use that ISP versus one that doesn't dump the garbage traffic. I consider that a damn nice feature.

Re:

[Orange Crush]

To be honest with you, I _would_ use that ISP versus one that doesn't dump the garbage traffic. I consider that a damn nice feature.

Yes, but are there nearly enough people amongst the teeming millions who feel that way too? Most don't understand that spam comes from ordinary people's compromised computers. As far as they know, AntiVirus software ought to catch and fix any problems (even if they don't update it, renew their subscription, or patch the OS.). If their computer slows to a crawl they assume

Re:

[_iris]

I would also consider their pro-active response to the bot/spam problem (let's face it, they are one in the same) in my purchasing decision. However, I'd much rather see them just rate limit that customer down to ~32 kbs because many, many people would never notice the difference between that and their spam-saturated 128-384 kbs uplink (I'm assuming DSL or cable here), but the botnet operators would find that useless.

Re:

[nuzak]

He's mentioned a grand total of two people that got The Warning. I suspect my local library is a bigger ISP than this fella's. They probably don't even do port25 blocking -- and yes, despite the reports of worms that use the smarthost MX, the vast majority still attempt a direct connection. Besides, if all worms switched to using the smarthost, the bigger ISPs that aren't currently tackling their infestation may suddenly be forced to care when all the zombies start abusing *their* resources.

Re:Tweaking liability laws

[erroneus]

A better solution would be to simply restrict their outgoing port access rather than to kick them. If they are on dialup, you just set up a dialup pool just for that (set of) logins that does not allow port 25 to go out.

All over Japan, I have found, they are blocking outgoing port 25 and it's annoying as hell but I understand why they do it.

Re:

[walt-sjc]

Why is it annoying? Get out of the 1990's and use port 587, the MSA port, instead of port 25 which should ONLY be used by servers. It's too bad that the concept of differentiating MSA / MTA came as late as it did otherwise mail clients would all be defaulting to 587 instead of 25. We enforce this internally... All DHCP desktops / notebooks are blocked from port 25 and must authenticate on port 587. No outbound port 25 except by the mail servers.

While I used to be against it ("if I pay for internet access I

Re:

[erroneus]

I would say yes to a degree but not entirely.

At least in Japan, the implementation of MSA works by translating a port 587 within the ISP network to a 25 as it leaves the network. As it turned out, it's very bad since, #1, it only takes minor tweaking to make zombies talk across 587, but additionally, if people want to use an external email server for whatever reason and THEY are using the MSA thing as well, they become unreachable since all 587 requests translate to 25 outside the network.

You might say, "t

NO! Don't do this!

[tacokill]

STOP BLOCKING OUTBOUND PORTS! This is not a good solution.

First, its the hotels and their blocking of the outbound VPN ports (Hampton Inn/Hilton -- I am looking at you!). Anymore, it's getting to be a crapshoot as to whether I can get on my company's VPN when I staying at a hotel. The Hilton group is just the worst offender but I have seen it at other hotels too.

And now, you want to close outbound port 25. So how do I send my e-mail? We use POP3.

I ask because there are a lot of stupid peo

Re:

[erroneus]

I mean for offenders with infected machines, not everyone at large.

Re:

[evought]

"Reasonable" is linked with "customary", which changes over time and is also informed by regulation and case-law. It used to be "reasonable" in many places to put railings around pools, balconies, etc., Now it is considered necessary in many places to have rails be within certain distances of each other (to prevent children falling through or getting heads stuck) either because of codes or because of successful law suits. "Reasonable" postings about danger and liability (e.g. "No lifeguard on duty") also de

Re:

[Yartrebo]

I'm not so sure. My best estimate is that running anti-virus software would increase the risk of hacking, at least in the case of Linux. There aren't exactly many Linux viruses (and none that I know of loose in the wild), and anti-virus software, which is proprietary, is a real easy way to get something like Magic Lantern or any other approved virus/trojan on your system.

Open Source Virus Protection

[evought]

I use ClamXAV [clamxav.com] on OS X, which is based on the GPLed clamAV [clamav.net] anti-virus engine. I have also used clamAV embedded in the PostFix mail server on Linux to scan incoming email for sites I maintained. It gets decent reviews against other packages and I have been happy with it. I use a Windows variant when I am forced to deal with XP as well. Anyway, it is completely open source and all above-board. I would not touch Symantec software with 3.048 m pole these days.

The reason I use AV software on OS X is not just maso

Re:Open Source Virus Protection

[Gareth Williams]

I run a gnu/linux based operating system, and I don't forsee that I will ever run antivirus software on it. Yes, even if people actually start writing viruses that target it.

I don't look at automated breaches of security as any special case. A security breach is a security breach. Crack attempts, spyware, adware, malware, viruses, trogans, blah blah... it's all the same problem: stopping unauthorised code running on your machine.

If my mail client has a bug that allows remote code execution, the mail client is faulty and must be patched. If my browser has a bug that allows a remote site to snatch files off my local filesystem, then my browser is faulty as must be patched. If I, FSM forbid, stupidly download and run some malicious application then I am faulty and must be "patched".

I have all non-essential services turned off, I run a firewall, I keep all my applications up to date with security patches, and I only install software from my distribution's repositry.

I don't care how much money they are making for some big security companies, these "anti-virus" applications that people are so obsessed with running on windows are just an ambulance at the bottom of the cliff.

There is something fundamentally flawed with the idea of waiting until your security has already been breached and then trying to clean up after the fact. Once it's breached that's it, game over - reformat, reinstall O/S, and replace data with last known good backup.

Re:Tweaking liability laws

[gregleimbeck]

If my unsecured computer causes somebody to get injured or killed, I will take responsibility. OTOH, if my car starts spreading malware and spamming, you're SOL.

Re:

[account_deleted]

Comment removed based on user account deletion

spam for your bot

[Gary W. Longsine]

If your computer is sending me spam, it's killing me by taking away, say, one second of otherwise useful life. It's doing that millions of times a day. If we total those seconds up, you've killed several people and you're still not liable for anything.

Re:

[Yvanhoe]

I am pretty sure that if someone gets physically harmed because of a negligence on Joe's computer, someone can be found liable. Maybe Joe, maybe Microsoft, maybe Dell, maybe all of them.

Re:

[walt-sjc]

If you cause someone financial harm you can be found liable too.

Re:

[walt-sjc]

I just read what I wrote, and see that it's not clear. Note that while you "can" be found liable, it's not guaranteed. It depends on the situation / intent. For example: if your underage kids vandalize someone's car, you can be held financially liable for the damage. It's not a perfect analogy, but no analogy ever is...

Re:

[NeverVotedBush]

But if I leave my computer unsecured and someone else uses it to cause harm to third parties, I'm in the clear.

You would think the legal case could also be made to hold Microsoft liable for stolen personal information, illegal charges to credit cards, raided bank accounts, etc., when known but unpatched (i.e. no patch available) exploits to their software allow people's computers to be compromised.

Re:

[Harmonious Botch]

You would think the legal case could also be made to hold Microsoft liable for stolen personal information, illegal charges to credit cards, raided bank accounts, etc., when known but unpatched (i.e. no patch available) exploits to their software allow people's computers to be compromised.

Which leads us to the inevitable conclusion that the folks who make and interpret laws have no fucking clue as to what the net really is.

Re:

[mysticgoat]

You would think the legal case could also be made to hold Microsoft liable for stolen personal information, illegal charges to credit cards, raided bank accounts, etc., when known but unpatched (i.e. no patch available) exploits to their software allow people's computers to be compromised.

I wonder if passing new laws would be necessary? Maybe we already have laws that could be used to get us to the goal of a reasonably safe internet:

Most municipalities have ordinances against "attractive nuisances", and I think the case could be made that Windows is an attractive nuisance and the owner of Windows software (not the licensee, but the actual owner) could be fined for each day of violation until he brings his property into compliance with generally accepted community standards and makes it r

Re:

[onepoint]

people might laugh, but I run AVG all the time. nightly I run MS-defender, then weekly Search and destroy, monthly I run ad-aware.

You would be surprised what I still find.
avg gets most of the real nastiest and defender gets the odd ball nasty.
Search and destroy gets the web crap and some nasty
and Ad-aware does a nice simple clean up.

works for me.

Re:Tweaking liability laws

[mrbluze]

if I leave my computer unsecured and someone else uses it to cause harm to third parties, I'm in the clear

But if you have a car which injures people because the manufacturer put in lousy breaks, lousy locks, lousy steering etc, then the car manufacturer is in trouble, right?

Whilst I agree with you, the liability laws need changing, "reasonable" attempts at securing a Windows PC (eg: using antivirus software) have proven to be a waste of time, so the onus should be on the manufacturer.

Re:

[Anonymous Coward]

so the onus should be on the manufacturer.

Ah, your sig [Do it yourself, 'cause no one else will do it yourself.] conflicts with your argument. :-)

Re:

[56ker]

Reasonable attempts include turning the inbuilt firewall in Windows on or running a software firewall as well as antivirus software.

This would provide about three warnings that a compromised machine is being used to spam (and I've cleaned a few of these in my time as a freelance computer geek)...

Re:

[Tim C]

The real problem, as I see it, is that the vast majority of computer users have absolutely no understanding whatsoever of even the most basic of good practices when it comes to using and securing a computer. Most infections are entirely avoidable, if only people would stop downloading and running executables from untrusted sources, or from trusted sources when they're not expecting them (eg an unexpected mail from a friend).

Remote exploits are actually comparatively rare; the problem would be a hell of a lo

Re:

[nuzak]

> The solution is to mount home directories noexec by default.

$ /bin/sh $HOME/.malware.sh

Re:

[nuzak]

ELF executables are more or less "scripts" for ld.so, but there's no front end executable itself other than the kernel's exec family of syscalls that can invoke one, and exec checks execution permissions. Any reasonably expressive scripting language like perl or python could manage to trampoline an executable into its own address space (hell, shell could do it by fiddling with /proc/$$/mem), but if you can write arbitrary scripts at that level, you can already perform arbitrary operations without such tric

Re:

[dattaway]

I'm sure if someone released a bot to turn everyone's computer into a large distributed mp3/dvd botnet, the entertainment cartels might take an interest in fixing our computer problems.

So who wants to write a script?

Re:Tweaking liability laws

[freedom_india]

...and get sued for millions of dollars for hosting "Shakira"?? No thanks.
RIAA/MPAA do not have any idea of technology. They would rather sue you (unwitting hosed guy) rather than sick the Secret Service on bot writers.
Good luck trying to explain child porn to a jury by stating that your XP was compromised....

Re:Tweaking liability laws

[Phroggy]

Good luck trying to explain child porn to a jury by stating that your XP was compromised....

You're forgetting, most of the members of the jury run Windows XP too.

Re:

[Bemopolis]

*coughcough* cognitive dissonance [slashdot.org] *coughcough*

Re:Tweaking liability laws

[1u3hr]

These bots could be greatly limited with proper tweaking of liability laws.

There are hundreds, perhaps thousands, of known spammers in the US. (See the ROKSO list, eg.) Barely a handful are ever prosecuted. One or two have been sentenced, trumpeted here as a victory against spammers, but really showing that being caught and punished for deliberate spamming is a very rare event. Considering that, what could a "negligent" spammer get?

ISPs can easily detect and cut off spam spewing robots. They have the right to do so in their TOS, but are just too complacent or perhaps concerned they'd have to deal with hundreds of clueless users complaining about it.

Re:

[HappyEngineer]

Are you sure there are even hundreds? I get a lot of spam, but there's very little variety in that spam. It seems to me like there are a tiny number of spammers that control a large number of zombie machines.

If there were truly a huge number of spammers then you'd think that the average spam per day would stay roughly level. It doesn't. There are days when I get no spam at all. There are days when I get one or two messages. There are days when I suddenly get dozens of messages (usually all of the same type)

Re:

[1u3hr]

Are you sure there are even hundreds?

Well, the ROKSO [spamhaus.org] list includes "131 Spam Operations as at 3/23/07", more thna half American. Not all active 24/7 of course.

Re:

[russotto]

You can be found liable if a minor gets injured or killed in your non-secured car; that's attractive nuisance law. You can't be found liable if a thief steals your car and uses it in a bank robbery.

Re:

[fm6]

Oh, great, you want to go after all the people who "let" their computers get infested. No problem getting that law passed!

Re:

[fm6]

Jeez, I get so tired of Slashdot amateur lawyers. It doesn't matter how much legal liability all those clueless folks with infested computers have. Who's going to approach 1 million plus computer owners and tell them "fix your computer or be sued!" It would be a logistical, political, and economic nightmare.

Re:

[jonwil]

If the RIAA can get the Russians to shut down allofmp3.com, why cant we (as a society, as internet users, as ISPs who have to deal with this crap etc) use the same pressure to get the Russians, Chinese or whoever to go arrest the people who are WRITING the malware in the first place and lock them up somewhere where they have no computers or internet access and can't use their malware skills to write even more malware. If the malware is being written in the USA, we can do the same thing there too. If enough

Re:

[iSeal]

If the RIAA can get the Russians to shut down allofmp3.com, why cant we (as a society, as internet users, as ISPs who have to deal with this crap etc) use the same pressure to get the Russians, Chinese or whoever to go arrest the people who are WRITING the malware in the first place and lock them up somewhere where they have no computers or internet access and can't use their malware skills to write even more malware.

That AllofMP3 is actually still operating despite this incredible level of international

Re:

[freedom_india]

HEY !! Will you all please STOP talking about allofmp3.com ? I just refilled my subscription with 20 dollars and i hope to download that many songs (Mozart, etc) before they are killed totally.
With you guys bringing it up here, is enough initiative for any RIAA cronies to report back to their parents to renew shutdown.
Damn you guys!

Re:

[jonwil]

If the Russians truly want WTO membership, they are going to have no choice but to shut down sites like allofmp3.com (or failing that, stop allofmp3.com selling RIAA music and/or allowing western users onto their service)

On the other hand, the US has been "fighting" with South American drug lords that flood the streets of America with illegal substances for decades and they haven't been able to stop the flow there.

Hmmm....

[groovemaneuver]

This must be related somehow to Windows being the most secure operating system... :p

Re:Hmmm....

[glittalogik]

Damn those 1.2 million Linux users! Bloody hell, when will they learn?

Must be linux

[rolfwind]

because Windows is the most secure OS:

http://it.slashdot.org/article.pl?sid=07/03/22/212 1214 [slashdot.org]

Bat infestation?

[Joelfabulous]

Was I the only one whoe read it as "Bat Infestations Reach Nearly 1.2M?"

Man, are my eyes ever going fast. Stupid kerataconus.

Re:

[webweave]

Is this a Windows only thing? The article does not say.

Re:

[pallmall1]

This must be related somehow to Windows being the most secure operating system...

Yes, this is another KISS* from microsoft.

* Keep It Spamming Stupid!

Re:

[RedBear]

I see people making jokes about all these bots being Windows-based, and of course I have to assume myself that this is the case based on experience. However, neither the original article nor the site they link to seem to make any mention of any operating system, no less Windows. Are there any actual statistics for how many of these detected bots are running on Windows? It's hard to be smug about other operating systems be so much more secure without having some actual data to point to.

Well?

Re:

[godzilla808]

Several discussions of Linux Botnets:

http://lwn.net/Articles/222153/ [lwn.net]
http://blogs.securiteam.com/index.php/archives/815 [securiteam.com]
http://www.networkworld.com/community/?q=www.deb.r adcliff.com [networkworld.com]

All those bots must be coming from

[Steve--Balllmer]

all those Linux and OS X systems, since Symantec says Windows is the most secure operating system.

Forget the spam filters...

[ShaunC]

..It's more like "time to put an ad in the paper, an onslaught of new customers is coming!" I wish I still had time to do spyware removals and clean up infested computers. Easy money for those who have the time and are willing to make housecalls.

I, For One...

[NeverVotedBush]

Welcome our new botnet overlords...

Re:I, For One...

[miro f]

How long before these bots link up and become nodes in a larger network? At that point they store information, react to direct stimulus and transmit to the rest of the network. Each cell might be relatively simplistic, with no goals other than self-preservation, replication and transmission of data to the other nodes. Surely, there will be fitness rewards for a node that behaves in a certain way? With a billion of them, I wonder what potential would be for emergence?

translation: Imagine a beowolf cluster of those!

How does this sqauare with Vint Cerf's speech?

[winkydink]

Didn't he say at the World Economic Forum at Dovos that as many as 25% of all machines connected to the internet were infected? That strikes me as a whole lot more than 1.2 million

Re:

[deek]

Didn't he say at the World Economic Forum at Dovos that as many as 25% of all machines connected to the internet were infected?

You should know that 87% of all statistics are just plain made up.

Re:

[clickclickdrone]

strikes me as a whole lot more than 1.2 million

Actually, the total population of the Internet is only about 2 million. Most numbers you see are just PR, the hardware manufacturers trying to talk it up to make it look busy so they can sell more kit. Most of the people you see in forums, WoW, slashdot etc are just bots. I'm one too.

Re:

[99BottlesOfBeerInMyF]

Didn't he say at the World Economic Forum at Dovos that as many as 25% of all machines connected to the internet were infected? That strikes me as a whole lot more than 1.2 million

The summary was misleading. 1.2 million was the number tracked by a given group, in contrast to 500,000 they saw with the same honeynets last week. It is not meant to be a total count and the article title should have read, "botnet activity triples from last week." I just happen to have access to (as far as I know) the largest chunk of realtime traffic analysis data on the planet from a project run by some of my coworkers. Doing some quick and dirty math Mr. Cerf's numbers are not entirely implausible. I'

Re:

[winkydink]

You're right. I went back and read the original Shadowserver article. It's the number they are tracking, not their belief of the total number of infected machines.

But my spam is way down from the Dec/Jan peak

[gvc]

Perhaps the big SEC bust [informationweek.com] actually had some effect. My personal harvest of spam has dropped recently from 1000/day to 500/day.

Re:

[Red Flayer]

My personal harvest of spam has dropped recently from 1000/day to 500/day.

I noticed the same thing recently, but to use the word 'harvest'?

Gives me the shivers, a vision of thousands of spamfarmers toiling in underground caves carefully tending their spam crops until harvest-time.

I much prefer the term 'cull', since it implies getting rid of the chaff (to mix a farm metaphor or two) as well as refers to the 'meat' connotations of spam.

ISPs take action?

[pembo13]

Why don't ISPs start sending automated physical mail to home of obvious spam bots?

Battle is now greylisting versus IP address spread

[RonBurk]

IMO, the real battle here is caused by greylisting. Greylisting plus a honeypot database of fake email addresses is clearly the most effective, automatic, general-purpose anti-spam mechanism to come along. Spammers are starting to feel the pinch (even though lots of people are still struggling with old-fashioned "filtering" mechanisms, and are still easy and fun targets).

The spammers who are starting to take on greylisting are doing so by two main mechanisms: massive distribution across IP address space, and direct use of infected PC MTAs.

The IP address spread is fairly simple to understand. If you have 100,000 zombie PCs with 100,000 IP addresses, then clearly you can send 100,000 pieces of spam without ever using the same IP address twice. That makes the honeypot database of greylisting useless, since I rely on waiting to see a given IP address send email to a known "bogus" email address to correctly identify that IP address as a spammer (in the short term, at least).

The direct use of infected PC MTAs is more difficult. If the zombie PC can programmatically use the unspecting owner's own ISP MTA to send the spam, then it becomes very difficult to distinguish that spam from real mail send from a real person (just as botnet click fraud is very difficult for Google to do anything about without also discounting some "real" clicks).

To respond to the massive distributed IP address spammer, I think a drastic increase in bogus email addresses would help, so that they have to transmit to 10 or 100 times more addresses in order to hope to reach the same # of real people. It's easier for website owners to create more bogus email addresses than it is for the spammers to infect more PCs. You basically always "drop" mail sent to a bogus address so that the spammer is convinced it went through and is getting to a "real" person (and probably even sells that address to other spammers as "verified").

That would push the spammers squarely into focussing on using the infected owner's own ISP's MTA for transmission, giving those ISPs an ever-increasing workload of bogus mail to send. Sorry, but that's where this war is headed anyway: to the point where ISPs will start charging customers to disinfect their PCs once they've been identified as botnet spam transmitters.

I'm going to start slowly increasing my spamming of spammer address databases today (e.g., by injecting more hidden text email addresses onto websites). Note that this is not a "solution" to spam (so please don't post that cute little form :-). This is just an effort to push the problem where I think it's going to end up eventually anyway: on the backs of ISPs that have not yet come to view infected customer PCs as "their" problem yet.

Re:Battle is now greylisting versus IP address spr

[Anonymous Coward]

The IP address spread is fairly simple to understand. If you have 100,000 zombie PCs with 100,000 IP addresses, then clearly you can send 100,000 pieces of spam without ever using the same IP address twice. That makes the honeypot database of greylisting useless, since I rely on waiting to see a given IP address send email to a known "bogus" email address to correctly identify that IP address as a spammer (in the short term, at least).

That isn't greylisting at all (though it is useful against spam).

Greylisting is giving a "new" incoming SMTP connection a 400-series error message the first time they try to send email to you. A 400-series error means a temporary problem - please try again. When they try a second time they try to send email, you accept.

Since all legitimate email servers will retry when they get a 400-series error, a legitimate message will go through, at a cost of a time delay.

However, most spammers don't bother retrying (although some do), so you can block a lot of spam with greylisting, with very little bandwidth or CPU cost.

Re:

[nuzak]

Increasingly bots _are_ retrying greylists now, and pretty soon they all will. However, you still have a window to analyze what they tried to send you the first time and simply block them outright if and when they try again.

"systems" euphemism

[allin]

The article speaks of "bot-infested systems". Call a spade a spade. These
are bot-infested PCs running MS Windows. They make life hell for the rest of
us.

An easy fix

[davmoo]

In another reply I saw someone suggest ISPs sending automated snail mail notices to users who's machines have been owned.

I'll go one better. Cut the fucking thing off the net until the user fixes the problem.

I fail to see why it seems to hard to detect these things. When an ISP sees a machine go from sending out 4 or 5 emails a day to spitting out thousands of emails every hour, it should be obvious there's a problem.

Also, close the damn mail ports off. If a customer wants to host their own email server at home, fine...but make them call in and request that the port be opened. And make it clear that if their machine gets owned, they get cut off and fined before access will be reconnected.

And finally, spam has been a problem for years...how come the MTAs haven't been rewritten to not allow header forging, etc, in all that time? Isn't this supposed to be one of the big advantages of open source and open protocols?

Re:An easy fix

[metlin]

In another reply I saw someone suggest ISPs sending automated snail mail notices to users who's machines have been owned.

I'll go one better. Cut the fucking thing off the net until the user fixes the problem.

That's not really fair.

Most users are not technically sophisticated to do anything, even if they were told that their computers were affected.

Computers and the internet are far too prevalent today to simply cut somebody off because their boxes were compromised. If you must, blame the manufacturers for designing systems that can so easily be taken over by bots and viruses.

Most people don't really care, because to them the computer is just like the TV or the microwave - a tool that lets them do something. If the tool gets messed up and causes problems because of something, they can't be held responsible because face it, they have no clue whatsoever. If you are designing a system that you think even an idiot can use, then make sure that it is idiot-proof.

But companies want to sell $OS to your grandma, but do not want to take responsibility for what happens when things go to hell. If you are selling something to grandma, make it grandma-proof. She will open attachments, she will not have a clue about what's out there on the web -- if you are selling her a tool, make sure that it is protected against the mistakes she most likely will make.

Somehow, in the software industry, it is considered acceptable to call the users idiots and let go. Now here's the thing -- even some of the very smart people have trouble using computers simply because it is not their thing. Not everybody can be a computer geek, and nor should they expected to be.

If anything, the software manufacturers should be held responsible. Stop blaming the users already, please.

Re:

[AK Marc]

That's not really fair.

I don't blame Mary for carrying Typhoid, I just won't let her prepare food. I don't "blame" the user, but they should be kicked off the Internet until they get their computer fixed. I don't understand why you are bringing up "blame." The user is responsible for fixing their computer, regardless of who is to blame for infecting it.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[99BottlesOfBeerInMyF]

The only way to make a computer idiot proof, is to make it so that new binaries cannot be loaded onto the system. Computers are not toasters.

Toasters aren't idiot proof either and people kill themselves with them every year. That in no way excuses the fact that Windows does not have a sufficiently secure design to perform normal tasks in a normal environment in which it is likely to be placed. Believe it or not, some OS's let you run arbitrary binaries, by default, without giving those binaries access to do any useful, malicious activity.

Re:

[mysticgoat]

I agree with parent.

I also want to point out that the automotive industry went through a similar period about 35 years ago, when new cars were required to have pre-installed seat belts. It is now generally accepted that seatbelts, airbags, and less visible things like collapsing steering columns and controlled crumpling are GOOD THINGS TO HAVE IN A CAR. But at the time these were introduced, the sometimes strong argument against them was that none of these things were necessary for a well trained driver.

Re:

[freedom_india]

If you are that illiterate, then you should not be let loose on the 'net. It is for you guys there's something called AOL.
No, am serious. If i don't know to read STOP signs and road signs, i would not be given a driving license. Same way, if i don't know how to manage my system, i should be knocked off the 'net.
Anyways AOL thrives on people like these and send them cute bills for $129.99 every month.

Re:An easy fix

[repvik]

If anything, the software manufacturers should be held responsible. Stop blaming the users already, please.

Sure, the software manufacturers have some fault in this. But ignorance from the user doesn't help.
I would propose the following to an ISP:

1. Firewall the infestation from the internet
2. Give the user access to the mailserver to *download mail only*
3. Redirect all browsing attempts to a local server that serves step-by-step guides and ready-packaged tools to remove any virus infections/malware. Put up a helpful "send us a mail if these instructions doesn't help" form and leave any phone no. clearly visible.

Re:

[pavera]

I completely agree with the sentiment of your post. And, there are some ISPs who do just that. I worked for one and implemented the policy. It is easy to do, and easy to implement. The problem is this: unless all ISPs do it, it will never stick. We lost every single customer we cut off. We would disconnect there service and redirect their browser to say "You have a virus, please remove it and call us to restore your internet access".

Well, we would always get an incredibly pissed off customer who woul

Re:

[Phroggy]

I fail to see why it seems to hard to detect these things. When an ISP sees a machine go from sending out 4 or 5 emails a day to spitting out thousands of emails every hour, it should be obvious there's a problem.

Also, close the damn mail ports off. If a customer wants to host their own email server at home, fine...but make them call in and request that the port be opened. And make it clear that if their machine gets owned, they get cut off and fined before access will be reconnected.

You can't look at these as two separate issues.

Currently, most ISPs are not monitoring what you send out on port 25. They have no technical means to do so, and acquiring that ability would be prohibitively expensive. ISPs can monitor what you send out through their SMTP relay server (most don't analyze the patterns proactively, but they can review the logs when they get a complaint) but generally botnets don't relay through the ISP's server.

But you're absolutely right about ISPs blocking outgoing access

Re:

[repvik]

Port 25 can't require authentication, but if bots can't connect to port 25 because it's firewalled on their end, then we're making some progress.

WTF? So how the heck does my mailserver figure out if I'm authenticated or not? SMTP authentication can be done whether or not it's on port 25, 587 or any other port.

Re:

[Vskye]

I'll go one better. Cut the fucking thing off the net until the user fixes the problem.

This is exactly what we do. The rule at our company is simple. 3 strike policy, and your out. If you send out a shitload of spam, etc we suspend the account. They then call in and bitch, we explain the situation and how they can resolve it by setting up a firewall, anti-virus software, etc. Or, refer them to a local computer tech to reinstall the OS, etc. If it happens again, strike 2. We inform them that they ha

Re:

[CodeBuster]

I'll go one better. Cut the fucking thing off the net until the user fixes the problem.

Then you will get lots of calls from irrate customers complaining that their "Internet" isn't working and can't you fix it for them by pushing some magic button at your office? If you have spent any time in customer support for an ISP then you know that the level of ignorance people display concerning their PCs is astounding. In fact most people probably know more about their cars, and they don't know much about them

Re:

[caluml]

I fail to see why it seems to hard to detect these things. When an ISP sees a machine go from sending out 4 or 5 emails a day to spitting out thousands of emails every hour, it should be obvious there's a problem.

iptables -A FORWARD -p tcp --dport 25 -m limit --limit 5/min -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j REJECT

Re:

[jgerry]

Cut the fucking thing off the net until the user fixes the problem.

One problem with doing this, from the ISP's standpoint, is that they are GUARANTEED to generate a phone call to tech support once the account is shut down. And it's going to be multiple calls, over several days / weeks, while the issue is worked out on the customer's end. Everything I've ever seen regarding profit margins for ISPs says that once you generate a single support incident for a customer, you've lost money on that account for the

How's Vista doing on this?

[Animats]

The big question: how many infected systems are running Vista? If there are a significant number of infected Vista systems, Microsoft blew it again. (Remember, Microsoft said that Windows 95 was going to fix security. Then Windows XP was going to fix security. Then Vista...)

On the other hand, if Vista systems aren't being turned into zombies, we may be at the beginning of the end.

Spammers have had to resort to more and more desperate efforts to keep spamming. In the late 1990s, spammers could just buy a big pipe and start sending. That's dead. Then there was spamming through open relays. That's essentially dead. There used to be a significant amount of "legitimate spam". That was killed by the combination of CAN-SPAM and spam filters - if it comes from a known spam source, it gets deleted, and if the sender lies about the source, they've committed a felony. China finally cracked down on "bulletproof hosting". (There are some "bulletproof hosting" outfits left [bullet-pro...osting.com], but most are gone and some of the remaining ones may be sting operations.) Zombies are about the only way left to spam in bulk. And note how few different spams there are. The number of actual spammers left isn't that large. It's small enough for law enforcement to target.

If the zombie problem can be cracked, which ought to be possible, spamming may drop to a minor problem.

Re:

[gujo-odori]

China cracked down on bullet-proof hosting? As a person who has been in the anti-spam business for over four years now, all I can say to that is:

BAAAAAAAAAAAAAAAAAAAAAAAAAAAHAHAHAHAHAHAHAAAAAAAAA AAAAAA!!!

Seriously, though, China remains a huge source of spam. Some may be zombies, I'm sure, but commercial spammers in China, operating on IPs with no forward or reverse DNS are very common. They've cracked down on bullet-proof hosting like they've cracked down on pirate DVDs: not really at all, just a little w

Re:

[99BottlesOfBeerInMyF]

But others are installed by user action, either when the user installed something else, or as a result of the user being tricked into running a program. This second type will never go away, no matter how secure the OS is, and it could affect a Linux or MacOS user just as easily as a Vista noob. As they say in tech support, the problem is between the chair and the keyboard.

I strongly disagree with this. There will always be exploits and trojans, the point is not to make them impossible, but to make them very rare and hard to exploit. With Vista, MS has finally pulled their security almost up to the granularity of user accounts, which was too little granularity many years ago. That does not mean others cannot do better. Look at an SELinux setup. The user downloads and installs an application they think is one thing, but which is secretly some sort of malware. With Vista it c

Bullshit

[Tablizer]

The bot problem is way exaggerated. They are very rare even insi FREE V1AGRA WITH YOUR LOW MORTGAGE!

These numbers are too low by at least100x

[Arrogant-Bastard]

My own experiments show much larger numbers: in January 2007,
one such experiment revealed a confirmed 1.8M bots with another .7M probable/possible. The number of bots worldwide has been
estimated by others as in the range of 100M (Evron et.al. 70M;
Cerf, 140M) so I very much question the methodology used here.

I wouldn't be suprised in the least if the worldwide numbers were
much higher. But there's no way they're less than ~100M.

Re:

[gvc]

Look in the incoming/outgoing connection log on your Linksys (or whatever) broadband router. If you see connections to all sorts of places you shouldn't -- especially on port 25, yank your ethernet cable and consult a professional.

No broadband router? Go buy one. They're free (after rebate, of course!)

Re:Computer bots

[Technician]

How does one know if their computer (or relative's, etc.) is infected by a bot? Are there special diagnostic tools for that?

There are 3 things to look for.
1 Is it running Windows?
2 Is it connected to the Internet?
3 Has it been on for more than 20 minutes?

Re:

[winkydink]

Not true. Most modern bots are designed to stay under the radar. A zombie PC is worth money and it makes sense to keep control of it as long as possible. So most newer malware uses system resources sparingly.

Re:

[bcc123]

Absolute majority of spam now comes from desktops infected with mailing software. So no, in this case, the spammer won't simply relay through the ISP's mail servers. The reason they infect boxes in the first place is so that they can mail directly from all those IPs. The reasoning in your link is really outdated.

Re:

[jonwil]

What the bots are doing is instead of directly sending spam out to the wide world from the zombie machine, they are reading the SMTP server settings from mail clients like Outlook and relaying mail through that instead (to avoid blocks on port 25 by ISPs)

Re:

[stu42j]

Actually, one of the nice things about PBL is the "Self-Service Removal Mechanism". If you are running an outgoing mail server on your pseudo-static dsl ip address, you can easily remove it from the PBL.

Even if spammers can send spam through ISP relays, most of them don't (at least not yet). Just yesterday, 23 spams were blocked by PBL on just my personal email address. I'm sure that many people see much higher results.

Re:

[nuzak]

> The Spamhaus PBL is bad for maintaining a decentralized Internet.

Too god damned bad. Since the current SMTP-based mail architecture lacks usable end-to-end authentication, we're expected to trust any random idiot on random connections, and hey look what we got. If you want your decentralized net back, go do it on another protocol, because as far as decentralization goes, the spammers ruined this one.

Re:

[Nethead]

If it cuts down the spam....