
What's that? We play dirty too?


Jebuz Jones


Very interesting article you quoted Jebuz!

Apart from the Good Guys Fight Back aspect, another very important one is the developing unholy alliance between spammers and virus makers. This is something I expounded on over in the Help forum, together with specific questions on spam and viruses:

http://forum.spamcop.net/forums/index.php?showtopic=1110

(By the way my spam count stays constant at about 100 per week, but my virus count has now gone up alarmingly to 2-3 per day!)

These questions were answered there as far as SpamCop policy on viruses is concerned, and I quite understand the reason that SpamCop doesn't accept virus mail reports as spam. Viruses are coming from compromised machines, usually on the network of a non-spam-friendly ISP, who shouldn't get reported as a spam-permitter. Since then I've adopted a policy of manually reporting viruses to the compromised-machine ISP, and this seems to work well: viruses from that IP stop arriving. My experience corresponds to that of Miss Betsy in the following thread:

http://forum.spamcop.net/forums/index.php?showtopic=1487

Like her, I now report viruses first, and then report spam if I have time left. (Yes, I have gingerly started reporting spam again, SpamCop may be pleased to know.) Quick reporting speeds the latter up, so I have more time to devote to the virus reports. My virus reports are fairly crude. I know enough about messaging to be able to extract the IP address of the sending machine, and look up the ISP in one of the Whoisses. However I miss SpamCop's effortless capacity to resolve an obfuscated link. No doubt a bot crawls it. But I only have one Internet PC and I am not going to risk clicking on such links with it! (Anyone who knows how to do it without risking either your system or your information, please do let me know!)

All in all, perhaps it's time for Virus Cop?

In my original thread Miss Betsy also made the point that virus mails are not usually spammed (i.e. mass-sent along open proxies/relays, with links to the site of an identifiable entity trying to sell you something or defraud you), and I must say that up to now that has been my experience too. That's logical when you think about it: spammers trying to sell or defraud are not likely to want to hit their customers/victims with an attached virus at the same time. Also identifiable spammers who send out viruses en masse are committing an offence more serious than spamming (in most countries!), so they would think twice about it.

On the other hand, as the article makes only too clear, spammers need those "zombie" machines badly. It's my guess that they, or the virus-producers working with them, will try to get these by the following strategy:

Send out spams with a link (obfuscated of course) that when clicked on, instead of or as well as leading to some awful product or scam, also runs malicious scripts which are, or are the start of, a zombifying attack on the victim's machine. Because of the aforementioned more serious legal risk, they wouldn't add this to more than a small percentage of their spams. Maybe they would keep (and of course sell) a special "known to be extra gullible" list of addictive link-clickers for this purpose (among others).

So assuming such spams are already in existence (I'm an awful pessimist), and considering the huge strategic importance to antispammers of tackling this threat, I once again would like to humbly propose that we should do something about it. Antivirus software manufacturers have completely ignored this area of malware fighting for the simple and obvious reason that there is no money to be made out of it. So the task would seem to fall to us low-cost, public-good-motivated "donkeys". What I am proposing would be a sort of carbon copy of the SpamCop robot but with the stated purpose of fighting not spam itself, but spam-, virus- and other malware-facilitated spammer-enabling.

It would tackle spammed viruses if and when they occur, and certainly at the moment concentrate on spams with links to targets containing malicious code. In the immediate future it would have the stated purpose of helping fight spam by clamping down on open proxies and relays and the means by which these are created. Of course it would also take on any other new systematic threats from viruses. By systematic I mean with a purpose consistently identifiable in terms of criminal gain, as opposed to just silly attacks which do nothing more unconstructive than format your system partition, send out copies of itself, etc. (traditional virus payloads).

Of course this is all an order of magnitude more serious than just spamming, so the reports would ultimately lead not to blacklisting the poor ISP, but to reporting the link owner to the appropriate police department (real Cops!) at least insofar as sending viruses is illegal in that country.

OK, that's my idea, but I must immediately add that I have nowhere near the knowledge, intelligence, machines, money or other resources to start anything like that. But I would like to hear reactions to the suggestion, and if enough people think it sounds like a good idea, feedback on how to start, and then who knows? Please post in the forum.

Cheers.


You have some good ideas there. I have always said that in my case viruses cycle with spam like a seesaw... as soon as spam abates, virus attacks catch up... mostly from the same source/s which have been unresponsive to my queries, so has one of my ISPs which explicitly asked me to send them those e-mails yet has done nothing to stop them.

For these reasons I have serious doubts that the viruses come randomly from compromised machines; they started coming as soon as I got on the spam lists, and they have been cycling with spam for a few months now. You would think the ISP in charge of the compromised domains would do something about it. If anything, as soon as I report to the offending ISP all I get in reply is more viruses.


There is a VirusCop. It is software that you download and I haven't read any 'reviews' about how well it works.

I like the idea of reporting not only to the ISP, but also to someone who can use it to track down the originator. Though I am doubtful that individual reports would be useful. Perhaps the virus maps are (which I think individuals can contribute to).

My experience is just the opposite of dr007's experience. I get many more viruses on my non-spammed accounts (because I have a wide range of correspondents and my address is in lots of computers). Occasionally, after a virus attack, I will receive a spam. I wonder if the spammer harvests forged addresses from the viruses he receives?

Also, (knock on wood) the longest lag between reporting and cessation of the virus has been a week. Usually, no more come after reporting, though occasionally there will be another couple before stopping. There are reports of non-action so maybe dr007 is just unlucky.

There was one outbreak (and I forget which one) that did affect only my spammed accounts. The dumber spammers (the wannabe rich ones) also probably get viruses more often than average. It eventually stopped though.

Viruses have been around a lot longer than spam, I think. The techies just throw up their hands and say there is no doing anything with the average person who uses email. But IMHO, there has not been enough effort on the part of ISPs to educate users. And again, it is a money reason - it costs money, the ISP doesn't want to alienate a customer by cutting their access, etc.

But again, the *sender* of email is responsible and other users ought to lobby their ISP to protect them against irresponsible and incompetent senders.

Miss Betsy


There is a VirusCop. It is software that you download and I haven't read any 'reviews' about how well it works.

I'm sorry Miss Betsy, did you mean me? Which software? Did I promise you reviews? It all sounds very interesting and I would certainly love to help!

If there is a VirusCop, please do say what and where!

And what are those "virus maps" of which you speak?

Many thanks for your comments which I ever try to learn from.

Spamnophobic


There is a VirusCop.  It is software that you download and I haven't read any 'reviews' about how well it works.

I, too, would be interested in this. I've developed a network of traps and would like to be able to contribute to a Virus source list. My network of traps also provides harvester IP address, date, and time.


And what are those "virus maps" of which you speak?

There is quite a bit of information about viruses and worms on any anti-virus software seller site (like McAfee, Norton, TrendMicro) including maps. They also can tell you how to recognize them from subject lines (sometimes).

I forget what the address of VirusCop is - you might try googling. It is not for inexperienced people to use, however. It requires that you know what you are doing - which is why I haven't tried it. I can read the simple headers they use without trouble and it's easy to copy the headers (from message source in OE) into an email, look up the IP address, abuse address if necessary, and send. I only do what I have time for.

Miss Betsy
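The manual step described in this thread (read the headers, pull out the IP address of the sending machine, then look up its ISP) can be sketched as follows. This is an added example, not code from any poster or from SpamCop; the host names, addresses and the `trusted_hosts` parameter are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (documentation-range addresses, made-up host names).
SAMPLE = """\
Received: from mx.myisp.example (mx.myisp.example [192.0.2.10])
\tby mailstore.myisp.example with ESMTP; Mon, 1 Mar 2004 10:00:05 +0000
Received: from dsl-45.pool.isp.example (unknown [203.0.113.45])
\tby mx.myisp.example with SMTP; Mon, 1 Mar 2004 10:00:03 +0000
Received: from mail.bigbank.example ([10.1.2.3])
\tby dsl-45.pool.isp.example; Mon, 1 Mar 2004 09:59:00 +0000
From: "Support" <support@bigbank.example>
Subject: Your document

see attachment
"""

FROM_IP = re.compile(r"\bfrom\s.*?\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.S)
BY_HOST = re.compile(r"\bby\s+([\w.-]+)")

def sending_ip(raw_message, trusted_hosts):
    """Return the address that handed the message to our own provider.

    Received headers are prepended, so the newest comes first. Lines written
    by servers we trust are reliable; older lines were supplied by the sender
    and may be forged, so the walk stops at the first untrusted 'by' host.
    """
    msg = message_from_string(raw_message)
    source = None
    for header in msg.get_all("Received", []):
        by = BY_HOST.search(header)
        if not by or by.group(1).lower() not in trusted_hosts:
            break
        peer = FROM_IP.search(header)
        try:
            source = str(ipaddress.ip_address(peer.group(1))) if peer else None
        except ValueError:
            source = None  # malformed address literal: nothing safe to report
    return source

if __name__ == "__main__":
    mine = {"mailstore.myisp.example", "mx.myisp.example"}
    print(sending_ip(SAMPLE, mine))  # the address to look up in whois
```

The bottom header in the sample claims a bank as the origin; it is ignored because it was not written by a server the recipient trusts.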


However I miss SpamCop's effortless capacity to resolve an obfuscated link. No doubt a bot crawls it. But I only have one Internet PC and I am not going to risk clicking on such links with it! (Anyone who knows how to do it without risking either your system or your information, please do let me know!)

Try

http://network-tools.com

and, when it is working again, for both URL unobfuscation and "safe browsing"

http://samspade.org

Also the "Sam Spade for Windows" free download is a collection of tools that runs on your PC.
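For the question of reading an obfuscated link without clicking it, part of the work can be done purely on the text of the URL, with no network contact at all. The following is an added example, not part of the original post and not how the tools named above work; it assumes a few common disguises (a decoy name before `@`, an IPv4 host written as a single number or in hex/octal, percent-encoded characters), and the sample link is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

NUM = re.compile(r"0[xX][0-9a-fA-F]+|[0-9]+")

def parse_ipv4_loose(host):
    """Decode IPv4 written as 1-4 parts in decimal, hex (0x..) or octal (0..).

    Returns dotted-quad text, or None if the host is not such a number.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(NUM.fullmatch(p) for p in parts):
        return None
    try:
        nums = [int(p, 16) if p[:2].lower() == "0x"
                else int(p, 8) if len(p) > 1 and p[0] == "0"
                else int(p) for p in parts]
    except ValueError:          # e.g. "08": leading zero but not valid octal
        return None
    *head, last = nums
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(head))
    return str(ipaddress.IPv4Address(value))

def analyse(url):
    """Describe where a link really points, without contacting anything."""
    parts = urlsplit(url)
    raw = parts.hostname or ""
    host = unquote(raw)
    real = parse_ipv4_loose(host) or host
    return {
        "decoy": unquote(parts.username or "") or None,  # text before '@'
        "host": real,
        "host_obfuscated": real != raw,
        "path": unquote(parts.path),
    }

# Constructed sample link (documentation-range address, made-up bank name).
SAMPLE = "http://www.bigbank.example@3405803821/login%2Ephp"

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

The decoded host is what goes into a whois lookup; redirects on the target server cannot be seen this way.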


  • 2 weeks later...

In case anyone is interested, I located a spammer's database of affiliates left on an open web page in the google cache.

There are about 6,000 contacts in it with name, email, phone number, and the particular spam program they are enrolled in.

I could post it here, email it, whatever, if someone is interested.

I already provided a copy to the lawyer representing AOL in their lawsuits against the spammers, and he seemed pretty pleased with it, but too busy to talk much about it.

I found it because my name was in it-- the bastards caught me in a phishing scheme along with seven other people who thought they were dealing with McAfee. I can tell, because while everyone else is labeled with things like "Downline Builder," the seven other suckers and I are labeled "McAfee."

I feel stupid that I was one of only eight people dumb enough to fall for it.


Would it be a good idea to purchase a spam list from a company, and then use it to send a spam saying:

"I bought your email address from this spammer. Here is his email address."

"He says you opted-in."

"Call him here, at his home phone number, and opt-out."

"If you live in his neighborhood, this is his address if you want to stop by and chat."


Archived

This topic is now archived and is closed to further replies.
