Botnet spam promotes Ron Paul for prez

[rconner]

Submitted without political comment is this story on arstechnica.

Apparently a U.S.-based botherder decided to use his machinery to do a bit of political promotion that was (so says Paul's campaign) not solicited by Paul any more so than by the estimated "millions" of people who received it.

An earlier arstechnica story on this incident goes a bit farther out on the limb:

But online, the libertarian candidate seems to have an almost cult-like following. But how much of that is real? Much of Ron Paul's online support may be at least partially manufactured by overenthusiastic supporters, as some researchers say that spammers have recently stepped up their efforts to gain support for their favorite candidate.

Hmm...

-- rick

[DavidT]

Apparently a U.S.-based botherder decided to use his machinery to do a bit of political promotion that was (so says Paul's campaign) not solicited by Paul any more so than by the estimated "millions" of people who received it.

I was one of the millions who received those botnet-generated messages promoting the Libertarian in Republican's clothing. :-)

DT

[Wazoo]

Top spam Botnets Exposed

Collectively the top botnets are capable of sending over 100 billion spams per day

In the last four years, spambots have made a transition from proxy-based spamming to template-based spamming. The first proxy-based spam botnet was Sobig, circa 2003, and it was quite impressive for its day. However, spammers rapidly discovered that even though they were able to disguise their origin by proxying through infected hosts, they still had to expend a lot of resources (and money) maintaining banks of machines and network connectivity to pump spam through the proxy servers day and night. In addition, the introduction of consumer-level NAT routers caused many of these proxies to be unreachable from the Internet, since the infected computers had private (RFC1918) IP addresses.

Around 2004 we saw the first template-based spamming botnets, designed to solve this problem. By sending bots a spam template along with a list of email addresses, the work (and wait) of connecting to remote mailservers could be offloaded to each individual bot. With the switch to a template-based system, spam botnet efficiency increases exponentially.

Botnet Fight Goes on

The largest and fastest-growing network is called Srizbi. With an estimated 315,000 bots, it can send as many as 60 billion messages per day. Last fall it made headlines when it sent out unauthorized spam messages promoting presidential candidate Ron Paul.

Telafici believes that unless it becomes more expensive to run a botnet, nothing will change. It's simply too profitable to run these networks, and when someone like Owen Walker is arrested, there's always another criminal ready to take his place.

So how to stop the problem? One panelist had an idea that may not sit well with everyone: Internet Service Providers should knock users off the network unless their patches are up-to-date. Because most botnet attacks target known software bugs, having your patches up-to-date, especially for popular products like Internet Explorer, Firefox, WinZip, and QuickTime, can make a real difference.

The only drawback: a good chunk of the Internet population would be knocked offline until they patched.

"We need home users to be responsible," he said. "Yes blame the users... because they present an imminent danger to others."

[rconner]

So how to stop the problem? One panelist had an idea that may not sit well with everyone: Internet Service Providers should knock users off the network unless their patches are up-to-date. Because most botnet attacks target known software bugs, having your patches up-to-date, especially for popular products like Internet Explorer, Firefox, WinZip, and QuickTime, can make a real difference.

The panelist needs to purchase a clue or two. This sounds like an awful lot of work. First, the ISP has to have a database of the "patch levels" of these apps (and there will be far more than four of them, I imagine), then it has to have have to have a way to "sniff" that its subscribers are not up to date. Not at all obvious how this would be done.

More practical I think just to put up the blocks when problems are detected or reported -- or, to be proactive and block incoming HTTP, incoming BIND, and outgoing SMTP right now. Much simpler.

-- rick

[Miss Betsy]

The panelist needs to purchase a clue or two. This sounds like an awful lot of work. First, the ISP has to have a database of the "patch levels" of these apps (and there will be far more than four of them, I imagine), then it has to have have to have a way to "sniff" that its subscribers are not up to date. Not at all obvious how this would be done.

More practical I think just to put up the blocks when problems are detected or reported -- or, to be proactive and block incoming HTTP, incoming BIND, and outgoing SMTP right now. Much simpler.-

Spoken like a true techie!!

I agree that 'sniffing out' sounds like a technical nightmare. However, there might be other solutions that would make end users be more responsible for knowing how to use the internet safely.

For instance, ISPs often offer 'free' anti-virus software nowadays and if you accept, then you get updated automatically. ISPs could offer a selection of browsers and other tools needed to use the internet and keep them updated automatically for you. And I do know of ISPs who when they detect outgoing SMTP, do take the user off the internet until the user gets it fixed. The only problem with the 'free' software that ISPs offer now is that the end user doesn't have a choice so the ISP gives the option to refuse the 'free' part so that technically minded people can build their own defenses.

IOW, instead of IE coming with the computer, it comes with your internet provider service. Would it be technically possible for one to only be able to download those free internet tools that are commonly hacked through your provider who would then set up automatic updates? Perhaps, those who can do it themselves, can get a discount?

Miss Betsy

[turetzsr]

The panelist needs to purchase a clue or two. This sounds like an awful lot of work. First, the ISP has to have a database of the "patch levels" of these apps (and there will be far more than four of them, I imagine), then it has to have have to have a way to "sniff" that its subscribers are not up to date. Not at all obvious how this would be done.

<snip>

...Indeed, I can well imagine that running an ISP is a lot of work. One has to purchase and maintain servers and the software necessary to operate, support and secure them. One has to be able to manage a potentially large customer base. One has to have (well, maybe not has to, but should <g>) some support people knowledgeable about the servers and software and how to interact with customers without losing them. But often there are tools to help. I'm not familiar with the hardware and software generally used in the internet service provider industry, but Microsoft System Center Configuration Manager 2007 has capabilities to ensure compliant client configurations and I rather imagine that the competing vendors selling to internet service providers have (or would have, if there were sufficient pressure from ISPs) similar tools.

[rconner]

Microsoft System Center Configuration Manager 2007 has capabilities to ensure compliant client configurations and I rather imagine that the competing vendors selling to internet service providers have (or would have, if there were sufficient pressure from ISPs) similar tools.

The MS solution would perhaps handle MS based systems, but not Macs or *nixes. In the latter case, in particular, things could get particularly knotty. Every *nix box is different, I've lost count of how many browsers, mail clients, etc. are out there, and that doesn't even take into account the "infrastructure" inetd daemons which may exhibit problems. Plus, I doubt that a scan could reveal problems with password security, running as root, etc. (which would be problems for *nixes and perhaps Mac OS X as well).

If the problem we face is unauthorized network access by (or to) botnets, I think it would be far simpler to deal with matters at that level. No doubt this would inconvenience many users to some degree, but I think it would be far easier and more reliable than tracking individual users and their software apps. I'm not at all trying to let the ISPs off the hook because the problem is "too hard" to solve, rather I'm suggesting that the problem may be susceptible to simpler solutions.

We all know that nearly all spam is being sent via bots, using direct communications to MX hosts via port 25. It seems to me that simply closing up port 25 to outside hosts (not to the ISPs own mail hosts) would stop this stuff pretty quickly and effectively (yes, the botherders might start to use the other SMTP port -- whose number escapes me right now -- but I suspect that this may also yield to some simple countermeasures).

I could be oversimplifying here. I know enough about networking to be attracted to port blocking, but possibly not enough about problems individual iSPs might have in programming their routers, etc. SMTP port blocking also would make it hard for those who (like me) have mail accounts outside their ISP, but again there are ways to deal with this. I actually think this might be a moneymaking opportunity for the ISPs, they could charge extra for "premium" unblocked service.

Same applies in spades to incoming traffic on HTTP and DNS ports, which we also find to be a feature of botnet spam (although possibly not as prevalent now as it was a year or so ago). There seems to be little reason why a home user should be allowed to have inward HTTP connections, and far less for incoming DNS. Why not just block these ports for ALL incoming traffic to pool addresses? Again, the ISPs could charge extra for premium unblocked service if they were so inclined.

To sum up, port blocking is (I think) relatively much simpler to implement, and would also be OS-neutral and less intrusive to individual users & their computers. There may be problems I don't see, and I'll be happy to hear about them from anyone more familiar with the topic.

In the mean time, it would certainly also help to offer users free anti-malware programs and even configuration-checking software as you and Miss Betsy have suggested.

-- rick

[Miss Betsy]

I think that the problem with a technical solution, such as blocking ports, is that it is only good until the spammers find another way. It is an 'arms' war so to speak. I don't know how many ports there are - and I thought that the botnets were already sending via unauthorized ports - but I think that there are too many to block plus making them unusable for whatever they are used for now.

IMHO, the reason that the 'war' against spam has not been won is because the end user is aware. If there were 'conscious raising' the way that Ralph Nader did with the automobile industry, there would be consumer demand for ISPs who were responsible - and made their customers responsible also. I know a lot of Comcast customers who would be appalled that they were supporting an ISP who allows porn to be broadcast. They are the kind of people who would switch ISPs if they understood (and probably get firewalled also which they probably aren't so that they don't contribute to the problem).

Miss Betsy

[Telarin]

(yes, the botherders might start to use the other SMTP port -- whose number escapes me right now -- but I suspect that this may also yield to some simple countermeasures).

Actually, it is not as simple as "using the other port". Port 25 is the SMTP port, the alternate port is used only for authenticated relaying when a client cannot access Port 25 of a mail server they need to send from. I don't know of any mail server software that will actually accept outside mail for delivery to a local user on the alternate port.

[rconner]

Actually, it is not as simple as "using the other port". Port 25 is the SMTP port, the alternate port is used only for authenticated relaying when a client cannot access Port 25 of a mail server they need to send from. I don't know of any mail server software that will actually accept outside mail for delivery to a local user on the alternate port.

Aha, so an MX host does not (or is not supposed to) expose the alternate port, and "authenticated" means you would need a user name and password in any case.

-- rick

[DavidT]

BTW, I have some vinyl Ron Paul banners in the trunk of my car...maybe I should put them on eBay. His devotee's were putting them up in all sorts of illegal and annoying places in the city where I live, so I cut them down and put them in my trunk. I also got the city's sign enforcement squad to do their job and take down a bunch of them. I consider such unauthorized sign-posting to be "visual spam." ;-)

DT

[rconner]

I consider such unauthorized sign-posting to be "visual spam." ;-)

I read a website once about Herbalife, whose sellers often use such signs (as well as "hot pockets" that stick to various surfaces to hold leaflets). The author there used the term "street spam." Similar principle: Trying to do one's own advertising at the expense of others.

-- rick

On edit: corrected goofy spelling errror.

[Miss Betsy]

My husband also dislikes 'street spam' - there is an organization dedicated to eliminating street spam Citizens Against Ugly Street spam that I learned about in the ngs years ago.

Miss Betsy