
[Resolved] Multiple hosts for the same spamvertised site


elind


.... see Software Development Life Cycle principles for spam substituting 'virus' for 'spam' various anti-spyware/malware/trojan tools for the spam-filtering tools. ...
Another take on the evolution/morphing of malware - "skinnable" interface yet - MS Malware Protection Center Threat Research & Response Blog (Journey of a Rogue, et seq.) Pity the innocents, pity us all.

Scan for what? Very few folks I know would put up with allowing their ISP to reach in and take a look at their hard drive contents.

Scan for malware that could be controlling your PC of course. Are you saying that can't be done?

I don't think the majority would object. That is no different from allowing Norton to do it, while slowing your PC to a crawl.


I don't think the majority would object. That is no different from allowing Norton to do it, while slowing your PC to a crawl.

It is VERY different from allowing Norton to do it. When you run it yourself, Norton only reports to YOU, and you can run it while your computer is offline. And, anyway, if my ISP uses Norton (or fill in your favorite AV suite), why would it not also bog down your machine if your ISP triggers it to run automatically?

Personally, and based on years of past experience, I would not trust my own ISP to run an activity of this nature and to do it effectively. I can barely get them to keep my DSL nailed up all day. I'd much rather let a couple of my neighbors proxy for Russian watch pedlars (whose spam mail I can easily trap using SpamCop) than to allow the folks at Comcast (or RR, Verizon, SBC, what-have-you) regularly inspecting files on my computer.

My employer is absolutely nukkin futs about computer security, to the point where my work PC runs like a three-legged asthmatic dog. I have to live with this, because it's my employer's network and my employer's PC, and it is provided to me gratis. The situation is far, far different with a retail ISP, where customers are paying for internet service and not for a PC inspector to vet their systems. Dealing with zombified customers must be a major PITA for providers, if they are to deal with them without simply running them off to some other provider (and thereby losing business).

I think that ISPs can work on the problems more effectively with measures such as port blocking, etc., that do not involve dealing with individual customers and computers.

-- rick


...I don't think the majority would object. That is no different from allowing Norton to do it, while slowing your PC to a crawl.
"Reasonable" is not an adjective that can be applied to the greater mass of humanity because "they" each insist on their own definition of the word. Norton has a gigantic roster of detractors by virtue of its intrusiveness. Many loathe Microsoft for the imposition of its Windows Update program and go to great lengths to subvert it. From the point of view of wanting to assert ownership and control of one's own machine, that all seems entirely reasonable to them. The fact that their machines are then greatly more vulnerable to being subverted from their control by the malware they are exposed to seems not to matter to them.

Securing individual machines is very important but it is not the way to win the war. That is just nibbling the tips of the tentacles. Yes, I too have been waiting for Comcast to shower me with praise for all of my helpful reports - see http://forum.spamcop.net/forums/index.php?...ost&p=67398 for one. But they have an Augean stables to clean and no handy watercourse.


It is VERY different from allowing Norton to do it. When you run it yourself, Norton only reports to YOU, and you can run it while your computer is offline. And, anyway, if my ISP uses Norton (or fill in your favorite AV suite), why would it not also bog down your machine if your ISP triggers it to run automatically?

I appreciate some of what you say, but the above is not the bugaboo you describe, IMHO, unless it is sold that way.

Norton does check your machine and reports to them, every time it sees that you need an update and downloads it and changes your files and registry. So does Microsoft and a host of others and we trust that they aren't also copying our secret pictures.

My reference to bogging down was just a joke dig at Norton, but more specifically there are many solutions to your concerns. You could simply be required to have installed and updated virus software from any one of participating companies, free or not, and all those systems have to do is tell your ISP OK or NOK whenever you log on, meaning scan up to date and run last night, or not.


I appreciate some of what you say, but the above is not the bugaboo you describe, IMHO, unless it is sold that way.
I edited this reply, as it was getting too detailed and was not staying on point. The point is not to ensure that everybody has a clean PC, the point is to stop the spam activity.

Why not cut through the Gordian knot and simply block inbound port 80 and outbound port 25, as my provider (and many others) do? That way it doesn't matter how disease-ridden my computer is, it basically can't harm any of my neighbors through spam-related activity.

I really have no business contacting outside hosts via port 25, and I certainly have no business running a website (much less a name server) on a dynamic pool address. Make me pay for higher-tier static service if I want these, so you can keep a closer eye on my activities.

-- rick


The technical significance of what you say is above my level, but if it is that simple, it sure sounds like the simplest approach.

So how does one get the good guys to work together so as to make the bad guys stick out like a sucked thumb on a dirty baby?


<snip>

Very few folks I know would put up with allowing their ISP to reach in and take a look at their hard drive contents.

<snip>

I don't think the majority would object.

<snip>

...elind hasn't gotten support here, yet but I essentially agree with hir. If I'm a customer of an ISP, I gotta play by their rules or find another provider. True, I don't want them retrieving and storing information about the contents of my computer but I'm certainly willing to have them (in fact, I would appreciate it if they would) scan my computer (and those of all my fellow customers) for malware before they allow me on their network.

IMHO, it is the financial bottom line that prevents ISPs from implementing many services that would prevent spam. A lot of them have come around to virus scanning (either offering it free or scanning themselves), but the problem of telling customers that they can't do something or can't get email from a certain source because it is also a spam source seems to be out of their competence. Actually, marketing and technical just can't seem to understand each other.

My solution is to charge more for having Port 80 open (which seems to rick to be something that, if closed, would fix things, but I thought there were lots of different ports) or for having your email filtered after acceptance. If someone were getting a good deal, I bet s/he would explain to correspondents why their email is not deliverable!

There certainly could be some kind of cookie or something that indicates that this computer is firewalled and that the anti-virus had been updated, but as Wazoo says, the malware can be made to lie about that. And, elind is just as technically challenged as I am. We don't use the correct technical terms to describe what we think could be done. And that's the nub - techies and end users have a hard time communicating! Although Wazoo and I manage so there is hope!

Did Comcast really make an effort to get customers to clean up machines? I thought they just made noises as if they were going to. I know several Comcast customers who would be really upset if they could be convinced that Comcast was doing nothing about botnets sending porn. Consumer consciousness is the key, I believe.

Miss Betsy


My solution is to charge more for having Port 80 open (which seems to rick to be something that, if closed, would fix things, but I thought there were lots of different ports) or for having your email filtered after acceptance. If someone were getting a good deal, I bet s/he would explain to correspondents why their email is not deliverable!
Port 80 is the "well-known port" for web services. If port 80 is closed to inbound queries on your computer, then it is not possible to load web pages from it from the public net in the normal, unsuspicious fashion. It is possible to use a nonstandard port (e.g., http://my.website.foo:2653/) but these do attract attention and are easily spotted by filters.

My contention is that users on dynamic pool addresses (i.e., me and your grandma) have no more business running public websites on these addresses than I would have putting my little Mazda in a NASCAR race. So, just do like my provider and block 'em by closing off the port.

There certainly could be some kind of cookie or something that indicates that this computer is firewalled and that the anti-virus had been updated, but as Wazoo says, the malware can be made to lie about that.
Perzackly. Or, the user could go on a campaign with his spyware remover and decide he didn't want no stinkin cookies on his system. Many, many problems here.

And, elind is just as technically challenged as I am. We don't use the correct technical terms to describe what we think could be done. And that's the nub - techies and end users have a hard time communicating! Although Wazoo and I manage so there is hope!
Actually, elind makes his/her case pretty well. I don't disagree that enforcing virus control would be helpful, but I fear that it runs counter to the business models of the big providers (i.e., collect the customer's money and don't annoy him), and I am also not confident in the competency and probity of some of these outfits to run such programs. I think there are things that can be of much more help that are much easier to do, and don't involve the ISPs ticking off paying customers one at a time (however much some of these customers might deserve to get a kick in the pants).

Did Comcast really make an effort to get customers to clean up machines?
Back in 2004, Comcast 'fessed up that 7/8 of the more than 800 million messages leaving their domain per day were spams. At the time, I got boatloads of spam originating from Comcast network space and that of other top cable/DSL providers from the U.S. Since then, the spam I personally received from such sources went way down. I had assumed that Comcast had taken steps (like blocking outward port 25), but this could also be due to my own provider's filtering.

-- rick


Just for the record, I'm He, and I don't think I'm technically challenged just because I haven't studied all of this the past few years :)

Back in the good old days of Windows 98, primitive viruses and negligible spam I did create some online databases with MS SQL and other tools, as well as ....

but I digress

From my education here I think that there are two fundamental approaches to dealing with spam.

One is essentially to fight the war, but don't touch the fundamentals of the internet, and the other is to change the rules of what one can do, unrestricted, with the internet (which presumably would also include changing parts of the internet).

I think the wild west days are numbered and eventually (maybe not in my lifetime however) the business world will decide that it is in their interests too, to control the criminals.

Imagine, for example, if telephone companies could be bothered to disconnect 800 numbers selling fake graduate degrees via spam, or that credit card companies would cancel the accounts of Canadian. Pharmacy.Com. Merchant credit card accounts are not simple to get, and they are easy to identify by making one small purchase. Cut them off, including those who purchase from spammers.

The phishers for bank info..... Log on controls for this are still fairly primitive although my bank has a third level visual confirmation that it is a secure site. I don't know how good that is, but I can well imagine that if the banks are made legally responsible for any such misuse of online transactions, then they have to guarantee the funds unless they can prove it was the account holder committing fraud. Call it a kind of deposit insurance. I'm pretty sure they will spend a bit more money on security if that were the case, and Credit Card companies already do that to a large extent.

Also, if pigs could be made to fly we could solve a lot of things.


Didn't mean to insult you. So have I written code, and I am no dummy in some other areas, but I don't use the proper terms to describe what is going on when it comes to the transfer of email. I understand the concepts, just as I do the concept of my automobile runs. But, as you point out, without study, I couldn't run a server. It makes a difference in proposing solutions. And, IMHO, some of the problem is not technical, but social - which is a whole other discussion.

And, something that hasn't been mentioned is the 'freedom' of the internet. Online, if you don't like something, you don't have to put up with it, but you don't interfere with what others do. "My server, My rules" is also "Your server, Your rules" That's one reason that spam fighting concentrates on stopping spam from being delivered rather than stopping spammers.

Miss Betsy


...Also, if pigs could be made to fly we could solve a lot of things.
And I bet our umbrellas would be of far sturdier construction.

My thought, which may be obscured in all the twists and turns, is not at all contrary to yours. There is a need to report the botnet-hosted domains in the expectation that some ISPs might act to shut down the components on their net. Those reporters with the inclination and the ability to add user-defined reports can go all the way at that level within SC and 'manually' uncover all the current A record addresses. For example, as discussed, using nslookup and the SC parser on the revealed IP addresses for abuse contacts. Rick's SC Wiki page deals with this and more.

This is never going to stop the botnet hosting IMO but it is a job that has to be done - those zombies have to be cleaned up sometime. To make a mark on the botnets means taking it further, I think - and taking it well outside of the scope of SC (and with 'other' tools and resources, discussed on these pages and elsewhere). These approaches have the potential to wipe out great swathes of the spamiverse, whether concentrating on domain registrars or on higher-level/critical network providers.

Changes to the way the internet is run would cut the ability of spammers and their support services to run, as discussed here and elsewhere too - providers limiting port access (already done by some for port 25), providers blocking suspicious outwards traffic, in terms of volume and/or content (already done by some), minimum promulgated DNS record TTL values (proposal), ICANN controlling registrars (well, it growls every now and then). And any or all the other things considered and espoused from time to time as 'permanent' solutions. With a sufficiently long viewpoint (and no sense of urgency at all) I suppose it could be said there is progress.

Just at the moment it needs a blend of all approaches and maybe always will, given the improbability of a silver bullet able to do all the things it would take to put the internet 'right' in the eyes of its critics (heck, I bet it's fine already by the actual majority of users, and always has been). As an aside - the point when SC reports are redundant seems a long way off in any event.

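The "manually uncover all the current A record addresses" step Farelf describes, as an added example that is not part of the original thread or of SpamCop's own tooling: it merges repeated dig-style lookups of one spamvertised hostname into a single list of hosting addresses, notes the record TTL, flags the many-hosts/short-TTL/still-changing pattern, and bundles the addresses by /24 so reports can be grouped per netblock. The hostname, the addresses (RFC 5737 documentation ranges) and the flagging thresholds are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: dig answer-section lines for one spamvertised hostname,
# captured in three lookups a few minutes apart. The name and the addresses
# (RFC 5737 documentation ranges) are made up for this example.
SNAPSHOTS = [
    """
site.example.   300  IN  A  198.51.100.7
site.example.   300  IN  A  203.0.113.44
site.example.   300  IN  A  192.0.2.9
""",
    """
site.example.   300  IN  A  203.0.113.44
site.example.   300  IN  A  198.51.100.130
site.example.   300  IN  A  192.0.2.77
""",
    """
site.example.   300  IN  A  192.0.2.77
site.example.   300  IN  A  203.0.113.201
site.example.   300  IN  A  198.51.100.7
""",
]

# One A record line: owner name, TTL, class IN, type A, dotted-quad address.
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_a_records(answer_text):
    """Return (name, ttl, ip) for every A record in a dig answer section.

    Lines that are not A records (comments, CNAMEs, blank lines) are skipped,
    and addresses that do not parse are dropped rather than raising.
    """
    records = []
    for line in answer_text.splitlines():
        match = A_RECORD.match(line.strip())
        if not match:
            continue
        name, ttl, ip = match.groups()
        try:
            addr = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            continue
        records.append((name.rstrip(".").lower(), int(ttl), addr))
    return records


def collect_hosts(snapshots):
    """Merge repeated lookups into one view of the site's hosting.

    Returns every address seen, the smallest TTL, and how many addresses
    each lookup revealed that earlier lookups had not.
    """
    seen = set()
    ttls = []
    new_per_lookup = []
    for text in snapshots:
        records = parse_a_records(text)
        ips = {ip for _, _, ip in records}
        ttls.extend(ttl for _, ttl, _ in records)
        new_per_lookup.append(len(ips - seen))
        seen |= ips
    return {
        "hosts": sorted(seen),
        "min_ttl": min(ttls) if ttls else None,
        "new_per_lookup": new_per_lookup,
    }


def looks_fast_flux(summary, max_ttl=900, min_hosts=5):
    """Heuristic: many distinct hosts, a short TTL, and new addresses still
    appearing in later lookups. The thresholds are assumptions, not a standard."""
    churning = any(n > 0 for n in summary["new_per_lookup"][1:])
    return (
        len(summary["hosts"]) >= min_hosts
        and summary["min_ttl"] is not None
        and summary["min_ttl"] <= max_ttl
        and churning
    )


def group_by_network(ips, prefixlen=24):
    """Bundle addresses by /prefixlen so one abuse report can cover a netblock."""
    groups = {}
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        groups.setdefault(net, []).append(ip)
    return groups


if __name__ == "__main__":
    summary = collect_hosts(SNAPSHOTS)
    print(f"{len(summary['hosts'])} distinct hosts, min TTL {summary['min_ttl']}s, "
          f"new per lookup {summary['new_per_lookup']}")
    print("fast-flux pattern:", looks_fast_flux(summary))
    for net, members in sorted(group_by_network(summary["hosts"]).items()):
        print(f"  {net}: {', '.join(map(str, members))}")
```

Feeding it the answer sections from real lookups taken over an hour or so shows how many hosting addresses a single spamvertised name actually rotates through, which is the list a reporter would then take to the abuse contacts.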

IMHO, spamcop will always be needed since there will always be criminals and accidents. The intent of spamcop is to block spam while it is happening until the server admin corrects the mistake. Even with a large network of responsible email service providers, there will be times when a criminal gets lucky or a server admin gets careless and spam will sneak in. The same for end users - I make mistakes regularly and one of them might lead to getting infected (I sincerely hope not), but it is not a completely remote possibility.

We put up with the necessity of having to lock doors and show ID to ride planes and other security measures offline. It won't be any different online. If end users knew how to be good consumers, ISPs would learn to take good security measures and make sure that customers did also. Like drivers on the road, there will always be some real idiots, but sooner or later, the authorities catch up with them.

And to go back to 'scan' the customers' computers, we don't want anything that could be used by tyrants to control the use of the internet. That might also include leaving some ports open. The point being that, if they are used for spam, server admins can identify them, report, and block them until the sending network stops the computer that is sending spam. If they are being used for communication between citizens, no one is going to be bothered by them. The same is true for websites. As long as they are not advertising via spam, there should be no way to make them be taken down. As I said, there is a social side to what needs to be done.

Miss Betsy


Didn't mean to insult you.

No offense taken. Just tooting my own horn a little, and your input is appreciated.

Since we are covering a fair amount of ground here, which I hope nobody minds, may I take the opportunity to ask a couple of questions, somewhat related.

I have been told that if connected to the internet via a router, then a firewall on the PC is redundant (and can sometimes cause network problems). Is that true?

If one is fairly good at recognizing spam and knows better than to open unrecognized attachments or strange website links, and runs something like Adaware regularly, is it really necessary to run a virus protection system all the time? Are there any risks other than stupidity?

And to go back to 'scan' the customers' computers, we don't want anything that could be used by tyrants to control the use of the internet.

I appreciate the rest of what you say, but I think this is an unrealistic fear, or at least one that you don't offer a solution for.

Tyrants don't much care what stays on your computer, and if they did they can get at it one way or another. What they care about is what comes out of your computer to someone else, and that can be seen without touching your PC.

And I bet our umbrellas would of far sturdier construction.

My thought, which may be obscured in all the twists and turns, is not at all contrary to yours. There is a need to report the botnet-hosted domains in the expectation that some ISPs might act to shut down the components on their net. Those reporters with the inclination and the ability to add user-defined reports can go all the way at that level within SC and 'manually' uncover all the current A record addresses. For example, as discussed, using nslookup and the SC parser on the revealed IP addresses for abuse contacts. Rick's SC Wiki page deals with this and more.

I've bookmarked that for future education. Thanks.


I fear it would take something approaching an encyclopedia to cover this ground (and knowledge far in excess of mine - I have lots of opinions though, are opinions any use?)

... I have been told that if connected to the internet via a router, then a firewall on the PC is redundant (and can sometimes cause network problems). Is that true?
NAT-enabled routers offer a degree of isolation from the internet which is good for security but certainly not the total solution. There are different (software) firewalls obviously and mine, behind a NAT, logs numerous blockings of inwards (and outwards) connections which might be harmful and it does so on a frequent basis. I wouldn't recommend connecting to the internet without a firewall enabled but confess I have little idea how severe the supposed threats might be. "Mostly harmless" I suspect but without knowing much more ... Sure, firewalls can be a pain - but NATs interfere with/prevent some legitimate types of internet interaction as well, which is just to say it is an unavoidable double whammy - having both is good IMO.
If one is fairly good at recognizing spam and knows better than to open unrecognized attachments or strange website links, and runs something like Adaware regularly, is it really necessary to run a virus protection system all the time? Are there any risks other than stupidity?...
Depends to a considerable degree on the state of your operating system and applications patching, on the extent to which you have your browser(s) locked down, the population of your hosts file and the permissions attaching to your computer account. There are, reportedly, malicious sites which specialize in trying to slip a trojan downloader onto your machine as you smugly refrain from authorizing the plea to download some fake CODEC that it is flashing at you. The other side of the coin - AV protection is mostly only as good as the virus definitions and they can never lead the threat - there's always a new, unrecognized variety (and virus authors have optimized their processes to keep morphing and mutating the things). But 'auto protect' is infinitely better than nothing. A Sandbox virtual environment is surely the safest way to venture into the internet but most would feel that is taking things a bit far (others note that even that protection is less than complete).

Stupidity will guarantee infection but smart people still use all the protection they can get. In the end maybe the only difference between stupid and smart is how long it takes to get infected (well, armed with that attitude you would survive better than most.)

Some first thoughts for (hopefully) further comment by others. Maybe we should split these into a new topic?


...Actually, I'd suggest a slightly different reply. See the last paragraph of Farelf's first post, above.
Whether or not you consider dupes to be criminals, my answer to the question why spammers should spam overtly antispam people like the holders of SpamCop e-mail accounts, is that often spammers are unknowingly using lists "poisoned" with spamfighters' addresses. With all due respect (you are obviously an e-mail professional whereas I am not), Farelf's response did not directly address the question "why should anyone send spam to SpamCop users?" which is a question I asked myself for quite a while until this explanation dawned on me. If I understand correctly, Farelf's response addresses the use of botnets, not the question of why spammers should spam SpamCop users.

Meanwhile, this discussion has taken off in a way I haven't seen on this forum for several years and which I have found absolutely riveting reading. As you can tell, it takes me longer to put together a contribution than it does the members with thousands or tens of thousands of contributions here, so rather than trying to contribute my thoughts on malware and botnets at this moment, I'll wait to see what happens to the discussion. On the one hand its diversity is Loungeworthy. On the other its potential to inform readers about many questions related to reporting makes it a valuable resource where it is. However, having recently had, in spite of very stringent precautions, to do with something that looks like a Trojan, and having investigated it quite deeply, I have a few comments and conclusions to contribute to this discussion, so I'll await with interest which section it goes to.

Best discussion in several years!

Cheers,

Penny


Glad you are enjoying yourself too.

To answer Farelf on splitting out, I appreciate that a forum that also functions as a reference source needs to be managed logically and no doubt most if not all of this ground has been touched on elsewhere already, but for an occasional visitor like me it is more enjoyable to have an open ended discussion that can be more easily followed and back referenced. However that's not my call, so please do what you think is best for the forum.

I do however have some thoughts on why I feel the reasons given for spamming spamcop accounts are unsatisfactory, without knowing how spammers think.

No doubt some Nigerian scammers get shafted with bad lists, but I strongly suspect that the spammers are closely connected with the sellers of watches, Viagra and all the rest (come to think though, I do believe there is less porn spam than there used to be). After all, in any business it is best to have a piece of the whole chain, rather than just a part of it.

Also, it is trivially simple to filter out spamcop addresses, and probably not much harder to do the same with those who report spam (put a unique key in the message that comes back). A sucker buyer probably has no access to the actual list and cannot verify even how many addresses are on the list (if they did have access they could copy and resell the list) and they will not just buy the list in most cases; they also buy the mailing, meaning use of a botnet controlled by the seller.

In that situation it seems that all they do is shoot themselves in the foot because their network will be degraded by those reports that are acted on and I doubt a single spamcop addressee will be a customer. We know the spammers are technically savvy, so the question remains; what is the point? I think we are missing something here.

PS. Two days and I haven't received any more of the common ***.cn lists that started this. Maybe taking the time to report as many of the hosts as I could has had an effect, but I'm not holding my breath yet.


... In that situation it seems that all they do is shoot themselves in the foot because their network will be degraded by those reports that are acted on and I doubt a single spamcop addressee will be a customer. We know the spammers are technically savvy, so the question remains; what is the point? I think we are missing something here.
No, I don't take it for granted they are technically savvy. These days it's like growing mushrooms for fun and profit - when they get into the spamming game they buy a 'kit' (toolset and addresses, though not necessarily from the same source). When you buy a kit you blindly trust the spores are all mushroom, without the occasional toadstool. Which is a good bet when the vendor is accountable. How about when he's not?

It's not just SC addresses that are 'poison', there are all sorts of spamtrap addresses and forwarding addresses used for nothing else but bringing grief to spammers but evidently they too stay on the 'million' lists just about for ever.

PS. Two days and I haven't received any more of the common ***.cn lists that started this. Maybe taking the time to report as many of the hosts as I could has had an effect, but I'm not holding my breath yet.
Do you want some of mine? Depends what list your address is on, and who bought it, I think. :P I like to think the little extinctions such as you note herald the end of another spammer career - and that you did, indeed, make a difference. But the spamiverse abhors a vacuum, another will pop up soon enough. These are just the 'serf/tenant farmers' of the spam world. The lights are still on in the manor house.

At the end of the day, while the physical world is generally more complicated than we allow for, I think maybe the social world is often more simple (bringing spammers into the ranks of humanity for the purposes of discussion only).


No, I don't take it for granted they are technically savvy. These days it's like growing mushrooms for fun and profit - when they get into the spamming game they buy a 'kit' (toolset and addresses, though not necessarily from the same source). When you buy a kit you blindly trust the spores are all mushroom, without the occasional toadstool. Which is a good bet when the vendor is accountable. How about when he's not?

OK, but can you really buy a kit to first find and catch zombie PCs and then construct a network of them and then manage things like the changing DNS scenarios we have been talking about and simultaneously manage a counterfeit watch business? I'm no fool, but that seems way past what used to be simple scams like the random mailings from Nigeria. I just checked out a bank phishing spam (which was trapped by spamcop) and this one too has the DNS ploy. So far only Comcast, Charter, Theplanet and Earthlink. Note no RU, CN or BR. None of this, coupled with what they do with idiot's bank accounts, seems like a kit operation to me; but I'm just going by gut feel.

It's not just SC addresses that are 'poison', there are all sorts of spamtrap addresses and forwarding addresses used for nothing else but bringing grief to spammers but evidently they too stay on the 'million' lists just about for ever.

Do you want some of mine?

:unsure: No thanks. Of course my other email accounts that are filtered are not spamcop accounts, but the majority of what I get is still to the spamcop account. That is probably because I don't much care where I give it out.

Depends what list your address is on, and who bought it, I think. :P I like to think the little extinctions such as you note herald the end of another spammer career - and that you did, indeed, make a difference.

That gives me a fuzzy feeling.

:rolleyes:


Offline, there is a 'business' called Sheets that sells a sure fire way to earn a fortune. It is enough inside the law to be able to buy infomercials on TV because it is true that if you buy a 'fixer upper' house at a bargain price and fix it up enough to sell, you can make a living. But where they make the money is on selling the 'how to' books which most people never even open and most of the rest give up after being ridiculed by legitimate realtors. My theory (since I have not researched it) is that a lot of the money in spamming is in selling the lists, the list of 'products' that can be sold to the 'wannabe' rich. It is also my theory that spam goes up on the weekend because that's when the wannabe rich have time to try out their new toy. As soon as they do, they probably find out that their ISP doesn't allow spamming or that it is not as lucrative as they thought and they give it up (or lose their connectivity). That's why sometimes people get spam with no body or whatever because someone has not figured out how to use it yet. IMHO, a certain proportion of spam comes from these people who wouldn't know that spamcop addresses are in their super-duper mailing list. Another proportion comes from those who just want to beat the filters as a game - they don't care if anything is ever sold - they just count how many idiots respond.

The Nigerian scammers are pretty savvy actually and spend a lot of time and effort to evade filters because the return, if they catch a sucker, is pretty good. And you would be surprised at the people who bite! In order for the scammer to make money, the ones who 'bite' have to have something in a bank account, you know.

And, when you are sending out millions of spam, it doesn't matter how many are going to people who might know what you are doing. If you are 'bullet proof', who cares if they report you? Even spamcop email account holders have been known to 'bite' on phishes.

As I said, I am not technically fluent, but I do know that if you are on a network with other computers, it is a headache to have a firewall besides the router because you have to configure it to allow you to connect with the other computers or you can't share files or printers. Since I can't do that easily, I haven't had an additional firewall (except the one that comes with Windows which seems to be already configured to allow you to share files and printers). The router is supposed to be configured to protect you, but since I don't know how you can be sure it is, it always worries me a little. However, I have shared a network behind a router and haven't had problems (except once).

And, about the tyrants. I don't see how someone could detect emails sent from one place to another place outside of regular email servers unless they were already suspicious of you. It is easy enough to track emails from one email server to another, but email traffic from a computer that is not supposed to be sending email to another computer that is not supposed to be accepting email would seem to me to be difficult to discover unless you were looking for it. Some of us still remember the book, 1984, and don't like the idea, even for the 'good of society' of anything resembling 'Big Brother'.

Miss Betsy


OK, but can you really buy a kit to first find and catch zombie PCs and then construct a network of them and then manage things like the changing DNS scenarios we have been talking about and simultaneously manage a counterfeit watch business?
My impression is that the botnets are run by specialists, who resell the services to those who need to blast out some messages or get some "bulletproof" hosting. These outfits often show up on public websites touting these services.

So, you don't really need the know-how as long as you have the money to pay those who have it.

-- rick


...My impression is that the botnets are run by specialists, who resell the services to those who need to blast out some messages or get some "bulletproof" hosting. ...
That's my impression too. The 'kits' are mass mailers and suchlike, allowing the non-technical to effectively use the botnets they hire. There are virus manufacturing apps which allow non-programmers to build their own, perhaps with trojan/back-door capability (ref somewhere in the http://blogs.technet.com/mmpc/ blog, which I mentioned recently). But it is still a long step between that and setting up a botnet. That's where the savvy resides, but the savvy folk are not usually those sending the spam in that model.

As Miss Betsy says, the 'Nigerian' 419 scammers are a different matter, particularly the 'targeting' kind. The more effective of them are experts in 'human factors' and I think that is where their 'talents' lie, knowing how to manipulate individuals (those who can handle groups go into politics instead and victimize whole countries). When it comes to their use of the internet, a 419er is just another consumer and generally a low-volume one at that. They would (and used to, and sometimes revert to) manage perfectly well with letters and faxes instead of the internet. The internet mostly just gives them lower-cost, almost effortless access to their victims. When it comes to volume, whenever they put that up a notch, they lower their ability to convince and connive.


My impression is that the botnets are run by specialists, who resell the services to those who need to blast out some messages or get some "bulletproof" hosting. These outfits often show up on public websites touting these services.

So, you don't really need the know-how as long as you have the money to pay those who have it.

No time to read everything this morning, but this is my point, or what I imagine, exactly. That in turn means that the service specialists control the lists (only a fool would sell a list that someone else could then do with as they please), which means they are harming their own assets (zombies etc.) by knowingly sending out spam to recipients who are guaranteed to report them and who will not buy from the spam sites and who will actually compromise the spam websites as well.

This is the part that I don't understand and why, with all due respect, I have trouble accepting the explanations I have seen so far.
