
Zombie machines sending spam



I understand that a large proportion of spam is now being sent by computers infected with worms that allow spammers to get control of them to send out their spam -- so-called "zombie machines."

I understand that SpamCop doesn't want to get into the virus reporting business, but this is now part of the spam reporting business. For every machine that is infected, hundreds more were protected by antivirus or filtering software. For instance, it is easy to see the worms with MailWasher without even downloading them to have my antiviral program detect them.

I have been checking the headers myself, finding the originating IP, and forwarding the headers to the abuse address for the ISP in question. However, I rarely get results, and the worms seem to keep on coming from a given IP for days before stopping. (And once I got arguments from the originating ISP that the worm had not come from their system because the "From" line had a spoofed email address that would have been on another ISP if that were where it had really come from -- scary who is in charge of other people's computers sometimes.) I doubt the abuse addresses are the best place to send them, anyway.

Would SpamCop's reputation get these reports noticed faster? If we sent the worm headers to SpamCop, the ISP could be notified in batches (and maybe to a private address?) and the IP could get special notice on the blacklist as an infected machine.

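The header check described in the post above, as an added example (Python; not code from the original poster or from SpamCop): walk the Received chain from the receiving MX downward, treat only hops written by our own mail servers as trustworthy, and take the first outside address that handed the message to one of them as the originating IP. The message, the hostnames mail.example.net and mx1.example.net, and the 192.0.2.0/24 range are constructed for the example; the spoofed From header the post mentions is extracted only to show that it plays no part in the result.

```python
import email
import ipaddress
import re

# Constructed sample (not from the original post). The newest Received header
# is on top. The third Received line and the From header were written by the
# infected host itself and both claim the mail came from bigisp.example's server.
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby mail.example.net (Postfix) with ESMTP id 1A2B3C
\tfor <user@example.net>; Tue, 18 May 2004 10:15:22 -0400
Received: from dsl-pool-23.bigisp.example (unknown [198.51.100.23])
\tby mx1.example.net (Postfix) with SMTP id 4D5E6F
\tfor <user@example.net>; Tue, 18 May 2004 10:15:20 -0400
Received: from mail.bigisp.example (mail.bigisp.example [203.0.113.5])
\tby dsl-pool-23.bigisp.example with ESMTP; Tue, 18 May 2004 10:15:10 -0400
From: "Helpdesk" <support@bigisp.example>
To: user@example.net
Subject: Important notice

(worm attachment omitted)
"""

# Assumptions for the example: these are our own MTAs and our own address space.
TRUSTED_HOSTS = {"mail.example.net", "mx1.example.net"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# "from <helo> (... [<ip>]) ... by <host>": the common Sendmail/Postfix shape.
RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+).*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>[^\s;()]+)"
)


def parse_received(value):
    """Return (ip, by_host) for one Received header, or None if unparsable."""
    text = " ".join(value.split())          # unfold the header
    m = RECEIVED_RE.search(text)
    if not m:
        return None
    return m.group("ip"), m.group("by").lower()


def originating_ip(raw_message, trusted_hosts=TRUSTED_HOSTS, trusted_nets=TRUSTED_NETS):
    """Walk Received headers newest-first and stop at the trust boundary.

    Each header consulted must have been written *by* one of our own hosts; the
    first such header whose 'from' address lies outside our own networks names
    the machine that actually connected to us. Headers below that point were
    added by that machine and may be forged, so they are never consulted.
    """
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed is None:
            continue
        ip_text, by_host = parsed
        if by_host not in trusted_hosts:
            break                            # walked past our own infrastructure
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue
        if any(ip in net for net in trusted_nets):
            continue                         # internal relay hop, keep walking
        return str(ip)
    return None


def claimed_sender_domain(raw_message):
    """Domain in the From header: what the ISP in the post was arguing from."""
    sender = email.message_from_string(raw_message)["From"] or ""
    m = re.search(r"@([\w.-]+)", sender)
    return m.group(1).lower() if m else None


def abuse_report(raw_message):
    """Text to forward to the responsible network's abuse contact: the address
    we actually received from, plus the untouched headers as evidence."""
    msg = email.message_from_string(raw_message)
    headers = "".join(f"{k}: {v}\n" for k, v in msg.items())
    return (
        f"Originating IP (first external hop into our MX): {originating_ip(raw_message)}\n"
        f"Claimed From domain (spoofed, not evidence): {claimed_sender_domain(raw_message)}\n\n"
        f"Full headers:\n{headers}"
    )


if __name__ == "__main__":
    print(abuse_report(RAW_MESSAGE))
```

The walk stops at the first header not written by one of our own hosts rather than taking the bottom-most Received line, because everything below the first external hop was produced by the infected machine and can say anything; the From line never enters into the decision at all. The regex covers the usual "from host (name [ip]) by host" layout only; other MTAs need their own pattern.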

I doubt the abuse addresses are the best place to send them, anyway.

I think you hit the critical item right there. Some ISPs don't have a dedicated "abuse" staff to begin with. Most ISPs don't let the abuse staff take the immediate action of disconnecting the offending system. And as you've no doubt seen in here and in the newsgroups, there's a lot of admin staff that don't know what they're looking for to begin with ... (reference the "nothing in my e-mail logs" but then finding 3+ Gig of traffic outgoing in the firewall logs as an example).

There are some (not many that I've discovered) that have set up a "security [at]" address for issues like this, implying that they've got someone a bit more versed in things beyond the old spam stuff.

Would SpamCop's reputation get these reports noticed faster?

Actually, in the past there was some virus/trojan activity reported .. and this led to a large number of complaints, as some abuse staff got ticked off when pulling up the SpamCop reports and then finding that it wasn't a spam report .... So this activity was stopped.

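The check behind the firewall-log anecdote in the reply above, as an added example (Python; not code from the original thread or from SpamCop): a zombie sends its mail straight to the recipients' MXes, so the ISP's own mail server logs show nothing, but the firewall sees the client opening port 25 to many different destinations. The log lines and their "src:port -> dst:port bytes=n" format are constructed for the example, and the relay address 10.0.0.5 is an assumed site mail server that is the only host expected to speak outbound SMTP.

```python
import re
from collections import defaultdict

# Constructed log (not from any real firewall). Assumed format:
# <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> bytes=<n>
SAMPLE_FIREWALL_LOG = """\
2004-05-18T10:15:20 ALLOW TCP 10.0.0.5:4123 -> 192.0.2.10:25 bytes=2210
2004-05-18T10:15:21 ALLOW TCP 10.0.0.23:3421 -> 203.0.113.5:25 bytes=1840
2004-05-18T10:15:21 ALLOW TCP 10.0.0.23:3422 -> 203.0.113.77:25 bytes=1902
2004-05-18T10:15:22 ALLOW TCP 10.0.0.23:3423 -> 198.51.100.9:25 bytes=1777
2004-05-18T10:15:22 ALLOW TCP 10.0.0.23:3424 -> 198.51.100.44:25 bytes=1811
2004-05-18T10:15:23 ALLOW TCP 10.0.0.23:3425 -> 203.0.113.120:25 bytes=1866
2004-05-18T10:15:23 ALLOW TCP 10.0.0.41:1054 -> 203.0.113.8:80 bytes=52000
2004-05-18T10:15:24 ALLOW TCP 10.0.0.23:3426 -> 203.0.113.9:80 bytes=310
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)$"
)

MAIL_RELAY = "10.0.0.5"   # assumed: the one host allowed to send mail directly


def summarize_smtp(log_text):
    """Per-source totals for outbound TCP/25: connection count, distinct
    destination MXes, and bytes sent. Non-SMTP and unparsable lines are skipped."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["dport"] != "25":
            continue
        entry = stats[m["src"]]
        entry["connections"] += 1
        entry["destinations"].add(m["dst"])
        entry["bytes"] += int(m["bytes"])
    return stats


def suspected_zombies(log_text, relay=MAIL_RELAY, min_destinations=3):
    """Internal hosts other than the relay that open direct SMTP sessions to
    several distinct destinations: the signature of a machine sending spam
    itself rather than through the site's mail server."""
    return sorted(
        src
        for src, entry in summarize_smtp(log_text).items()
        if src != relay and len(entry["destinations"]) >= min_destinations
    )


if __name__ == "__main__":
    for src, entry in summarize_smtp(SAMPLE_FIREWALL_LOG).items():
        print(src, entry["connections"], "conns", len(entry["destinations"]), "MXes", entry["bytes"], "bytes")
    print("suspects:", suspected_zombies(SAMPLE_FIREWALL_LOG))
```

Counting distinct destination MXes is a better discriminator than raw byte volume: a legitimate client sends all its mail to one relay, while a zombie fans out to one MX per victim domain, so even a modest byte count across many destinations stands out before the "3+ Gig" figure is ever reached.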

I don't know whether it helps or not, but I generally put the name of the worm in the subject line (what my virus checker has identified it as). I just mention this because it is rare for me that worms continue for more than two days from that IP address, if that long, after reporting. Perhaps I am lucky in where the worms have come from because I know others have not had such results (and there have been times when it has been much longer). Of course, once it starts there may be worms for days from lots of IP addresses.

Miss Betsy


In my case, when I send a complaint to a cn.edu place that keeps sending viruses I can be more than certain that the only reply I get is a bunch of viruses immediately after my complaint. So I gave up hoping for a positive outcome; I just delete the files.


Don't antiviral software companies give educational prices? I get a lot of worms from universities and K-12 programs, too. My daughter came home from school one day to say that the computer instructor had them all log into their email then put their hands in their laps and not touch anything, like there was nothing but a ten-year-old's mouse click between the worm and their system.


If I were in education, and an edu address was sending viruses, I think I would do a little bit more than just delete.

If you can't just block that IP address, you must have staff who are corresponding with someone there who could either explain or direct you to the IT department and help translate for them.

And there is no logic that a complaint brings more viruses unless the abuse desk, itself, is infected - in which case, one definitely should try to educate.

Miss Betsy


Don't antiviral software companies give educational prices? I get a lot of worms from universities and K-12 programs, too. My daughter came home from school one day to say that the computer instructor had them all log into their email then put their hands in their laps and not touch anything, like there was nothing but a ten-year-old's mouse click between the worm and their system.

Why don't you ask the computer instructor?

And if not, then it looks to me like a good project for the PTA!

Miss Betsy
