elind Posted December 6, 2008

I regularly receive one or two spam per day that get through the spamcop filter. However they are addressed to a .[dot]spamcop address (not simply mine) and by all accounts should be seen as spam, and they all have a varying but similarly random-letter web link ending in .[dot]CN. I submit these manually and sometimes get a hit on the "hosting" domain of the website, sometimes not. I have noticed that if I resubmit the same spam to spamcop, I will now get a different host domain. So I repeatedly resubmitted about 10 times, and every time got a different host for the website (although the email source remained constant). Sometimes I got no website host, and sometimes there was a repeat of one of them, everywhere from .jp to .RU to our friends at kornet and .MX and .TW and, of course, Comcast. All this was within 5 minutes, on the same spam source.

I don't ask for an analysis of this specific email, although I'm sure there will be more in the future; but I would appreciate an explanation of how this works. It seems like they can randomly rotate the links to their websites every few seconds (assuming the problem is not with spamcop), and given that I routinely get this spam without it being picked up by spamcop, there is something different being done here. On the other hand, if they are so damn smart, why do they bother spamming spamcop addresses??
Farelf Posted December 6, 2008

> ...I submit these manually and sometimes get a hit on the "hosting" domain of the website, sometimes not. I have noticed that if I resubmit the same spam, to spamcop, I will now get a different host domain. So I repeatedly resubmitted about 10 times, and every time got a different host for the website (although email source remained constant). Sometimes I got no website host, and sometimes there was a repeat of one of them, everywhere from .jp, to .RU to our friends at kornet and .MX and .TW and of course, Comcast. All this was within 5 minutes, on the same spam source....

As someone responded to someone else in another topic recently, Botnets and Fast flux are among the magic names you might be looking for. In a fair amount of recent and current spam the spamvertized URL 'payload' or point of the spam is a redirector hosted on a botnet. As you observe, the active host machine, out of the pool in use, varies constantly. You can see them all if (on Windows) you do a command-line nslookup on the domain name (or the subdomain.domain.tld as it is frequently used). If you would get into the habit of giving examples (or preferably of giving a tracking URL for one of the reports you are talking about), it might all seem a little more relevant to you. Instead, take one of 'mine':

    C:\Documents and Settings\Steve>nslookup kwc.oainx.cn
    ...
    Non-authoritative answer:
    Name:    oainx.cn
    Addresses:  203.210.43.185, 62.63.163.77, 91.205.49.241, 93.177.163.15
                94.176.83.182, 121.178.39.71, 122.55.127.67, 124.125.240.48
    Aliases:  kwc.oainx.cn

This one has eight zombies (can be almost any number but 8 is fairly common) subverted to act as servers to redirect those that click on spam links to their just deserts at some 'Canadian Pharmacy' or 'Swiss Watch' or whatever website which is the real payload.
These redirector sites actually do get taken down, either by the domain being locked (permanent) or the current botnet being pulled apart (temporary) - either by reporting action or by the money paid for the spam run having expired - or simply through them moving on so as not to excite too much flak by specific complaints. Domain registration can be automated and I've seen .CN domains advertised for as little as 14 (US) cents, IIRC. Heh, it would be ironic if that was a fire sale of recycled spam domains, but I digress - the point is, negligible investment and ready supply.

If you do the lookup, you will often find it takes some time before the botnet resolves. The poor old SC parser is expecting only one IP address and, at best, can only get the current one, but if resolution takes >2 seconds for you, it is very unlikely that the parser - handling anything up to 60 or more parses a second (on a few servers) - will have a chance. But some members of the botnet will resolve more readily at some times than at others, and if you force the poor thing to keep doing it, eventually it will/might stumble over the line. But just for one address, to which it wants to send a report. No harm in that; the unsuspecting owner of the machine would probably welcome having it restored to his control, if his provider bothers to track him down and lead him by the hand through the process of disinfecting.

If you have the facility to add your own reporting addresses, and if you had the time, you could look up the reporting addresses for all of the others and add them to your reports of that spam. There are a large number of ways to get those but, once you have the IP addresses, you could feed those into (like) http://www.spamcop.net/sc?track=122.55.127.67 to utilize any 'intelligence' SC is employing about the abuse address routing. So, does that explain it?
Just thinking the title of this topic is probably misleading - we're not talking about the spam source (or I'm not), we're talking about the (botnet) hosting of spamvertized links. Do you mind if we change that?

And no, their 'smartness' is not demonstrated. They are just tool users. The smarter specimen is he who markets the botnet. Arguably smarter (in the vulpine sense) than the perverted genius who wrote the trojan code to create and manage the botnets. There are other subjects in these forums showing some of this stuff is technically smart. So much so that the author(s) could undoubtedly make a handsome legitimate income. But that's not who is sending all that dumb spam. That is some loathsome reptile of the spotted kind, as some would say, denigrating spotted reptiles in the process.
StevenUnderwood Posted December 6, 2008

> I regularly receive one or two spam per day that get through the spamcop filter. However they are addressed to a .[dot]spamcop address (not simply mine) and by all accounts should be seen as spam, and they all have a varying but similarly random letter web link ending in .[dot]CN.

Make sure you do not have all of spamcop.net whitelisted as well. If you look in the headers, it can tell you why it got through to your inbox. Or post a tracking URL here and we can help.
elind (thread author) Posted December 6, 2008

Thanks. I agree I should have titled this "host" instead of "source". My bad, and I didn't provide the tracking URL because I didn't want to create unnecessary work for anyone. Seems to me that the internet is designed for spammers if it is this easy for them to arrange. I wonder what legitimate uses there are for doing the same redirect methods or automated domain registration? I'll be happy to provide a tracking URL for the next one if wanted, and I will check my whitelist again. Thanks for the comprehensive education.
Miss Betsy Posted December 6, 2008

The internet was not designed for spammers, but for honest people. Unfortunately, an honest person wouldn't use it the way spammers do. Redirects are used a lot by web sites to direct you to other pages. Also, if you notice the URLs, many legitimate sites have dozens of websites for different purposes. So they are useful for legitimate uses. I am not technically fluent so I can't explain why these things are necessary to ordinary web use, but like the forging of the return-path, there are many features that were designed for good use that the spammers have either ruined for everybody (for instance, accepting email and then rejecting it to the return path) or twisted to use for their own ends.

I, too, think that banning redirection or requiring some proof of legitimate use for multiple websites would help without making the internet too difficult to use for ordinary people. Perhaps someone will explain why this would not be possible. The reason that the internet is not re-designed is that too many people would be unable to use it since so many products are made for the present use. (That's a little simplistic, but the concept is the same.)

Miss Betsy
elind (thread author) Posted December 6, 2008

> ......... The poor old SC parser is expecting only one IP address and, at best can only get the current one but if resolution takes >2 seconds for you, it is very unlikely that the parser - handling anything up to 60 or more parses a second (on a few servers) - will have a chance. But some members the botnet will resolve more readily at some times than at others and if you force the poor thing to keep doing it, eventually it will/might stumble over the line. But just for one address, to which it wants to send a report. No harm in that, the unsuspecting owner of the machine would probably welcome having it restored to his control, if his provider bothers to track him down and lead him by the hand through the process of disinfecting..........

I'm just wondering that if this is becoming a common method, why would spamcop not reconfigure to reanalyze several times to see if the host domain changes? If it comes up the same on the second attempt, carry on as normal. If it comes up different, add that domain to the report, and so on until a repeat is found, or perhaps just for a fixed number of attempts (say 8). Of course that adds overhead, but is the suggestion that spamcop has serious capacity limitations that cannot be addressed?
Miss Betsy Posted December 6, 2008

spamcop concentrates on the source IP address - the IP address the spam comes from. It does not try to keep up with the spamvertised websites. Conjectures on why this is so can be found in other topics.

Miss Betsy
Farelf Posted December 6, 2008

As Miss Betsy says, SC concentrates on its primary mission - and to do otherwise might compromise its capability (IMO). It is not just computer resource; spam websites are a wholly different deal. There is merit in supporting the cleaning out of the botnets, one compromised machine at a time (it has to be done until - at a minimum - such time as the botnet command and control infrastructure is permanently disabled, which could be never, and even the present C&C is adaptable when threatened), but the recruitment of new zombies seems to be more than able to compensate for such effort. And, all along, the true target (at the end of the redirection) is way outside of even the broader SC scope to report to the hosts of spamvertized sites.

There are other approaches to these aspects of the spamiverse - KnujOn, Complainterator, SpamHaus, SiteAdvisor, SafeWeb (which rates SiteAdvisor as a risk), etc. and the combinations of all the above + 'hero' web security workers who actually got the Srizbi botnet C&C off-line for a while when they got McColo Corp hosting thrown off the web (the next plan was to point McDonald's lawyers at them). We all do what we can do and hope it will be enough. If some of us, within the SC framework, can add some extra reports to pick up on the hosting the parser presently doesn't resolve, then that is another 'little bit'. I think.
rconner Posted December 7, 2008

> I'm just wondering that if this is becoming a common method, why would not spamcop reconfigure to reanalyze several times to see if the host domain changes? If it comes up the same on the second attempt, carry on as normal. If it comes up different add that domain to the report and so on until a repeat is found, or perhaps just for a fixed number of attempts (say 8).

Botnets number into the hundreds of thousands of individual computers, if the figures we hear are correct. I myself used to poke at a few, and found many of them to include over 1,000 distinct hosts before I quit, with no sign of slacking in the supply. It probably makes more sense to go after botnets at the root rather than by lopping off individual twigs and branches via SpamCop reports. This was done in the case of the McColo affair recently, and it seems to have dealt a sharp (but perhaps temporary) blow to the levels of spam appearing in SpamCop's counts (and other sources as well).

Properly deciphering and completely tracing website links is a different kettle of fish from simply tracking down the IP addresses of spam sources (which, after all, are included right in the SMTP packet itself). Ultimately, you are dependent upon the spammer's own DNS services, which are often bootlegged and therefore not as fast and reliable as more orthodox DNS services (not to mention my suspicion that some of these are engineered to deflect queries from known anti-spam operations).

-- rick
elind (thread author) Posted December 7, 2008

This prompts me to ask where the redirect is executed, and indeed where the spammer website is hosted? Can it be on a hijacked PC, as opposed to a dedicated web server? I was trying to imagine a website that randomly or in time sequence redirects all connections to some URL on a list, and that URL will in turn do the same thing. However that suggests that each one needs to have information identifying all the others, which would mean that many are vulnerable if one is identified. I'm just guessing here, but the above explanations have made me realize how much more I don't understand. Any clarifications or links to the same would be interesting.
rconner Posted December 7, 2008

> This prompts me to ask where the redirect is executed, and indeed where the spammer website is hosted? Can it be on a hijacked PC, as opposed to a dedicated web server?

As I understand it, the zombie PCs are running what are called "reverse web proxies": they can take HTTP queries from visitors, they pass them back to the actual web server for which they are proxying, and then collect the replies from the web server and pass them to the visitor. Because the transactions with the web server are on the "back end," the visitor cannot see where this web server is and can't even really be sure that he is actually being handled by a proxy. Again, as I understand, the actual web server could be any machine anywhere that has been "connected" to the proxies via the botnet command-and-control mechanism.

-- rick
Spamnophobic Posted December 9, 2008

To come back to one of the original questions which hasn't been addressed yet:

> On the other hand, if they are so damn smart, why do they bother spamming spamcop addresses??

Spammers are criminals and like all criminals they "compete" with each other (to put it politely). They also "do business" with each other, which often involves selling each other lists of "verified, sure-fire genuine" e-mail addresses (millions of them on DVDs). In my opinion they often combine "business" with "competition", whereby SpamCop addresses and other lists of addresses of known spammer enemies are used to poison the lists they sell to competitors, so that these get reported and their operation is consequently less effective.

Note to spammers reading this: check your lists (Ctrl-F, fill in "spamcop" and "cesmail" - leave off the quotes - and hit <Enter>) to see if little Alexei has perhaps included a little present you didn't expect! (After all, he seems such a nice guy.)
turetzsr Posted December 9, 2008

> <snip> Spammers are criminals and like all criminals they "compete" with each other (to put it politely). They also "do business" with each other, which often involves selling each other lists of "verified, sure-fire genuine" e-mail addresses (millions of them on DVDs). <snip>

...Actually, I'd suggest a slightly different reply. See the last paragraph of Farelf's first post, above. The providers of the "'verified, sure-fire genuine' e-mail addresses" are criminals; their customers are the dupes who run the spam tools provided by (perhaps other) criminals. So I would characterize the situation as criminals providing complementary services and information to dupes rather than competing criminals doing business with each other. <g>
elind (thread author) Posted December 9, 2008

> As I understand it, the zombie PCs are running what are called "reverse web proxies;" they can take HTTP queries from visitors, they pass them back to the actual web server for which they are proxying, and then collect the replies from the web server and pass them to the visitor. Because the transactions with the web server are on the "back end," the visitor cannot see where this web server is and can't even really be sure that he is actually being handled by a proxy. Again, as I understand, the actual web server could be any machine anywhere that has been "connected" to the proxies via the botnet command-and-control mechanism.

I can understand that part, but not really how they can switch the target, often many times per minute, and how do they switch them off entirely so that spamcop can't see them at all for a period of time? Typically repeated submissions to spamcop will always show the same email source, but sometimes no web site host (discarded by spamcop as fake), then less than a minute later there appears a valid web host. Then next time a different one. Then none. It seems to me that even someone who wanted to buy from them would often find it was an invalid web site and move on??

I'm guessing that in the case of a redirect which is made to a non-existent IP, then spamcop will not even see the redirecting PC, or that if the redirecting PC server is switched off momentarily (from the remote CC), either deliberately or while it is reconfiguring for a new redirect, then it will also not be seen by spamcop. But that would mean a master PC and IP somewhere, which would be vulnerable.... Alternatively, perhaps there is a way to change IPs in the DNS servers on the fly, and there can be a delay while that is happening. However if that is the case, are not DNS servers controlled/regulated by civil people, and would that not make it relatively easy to stop?

Obviously I'm making guesses here since I don't know the details of how it all works, but I'll finish by asking if anyone can tell me how this tracking number can get through to me, when 99% of all other spam is stopped in spamcop held mail. This is one of those redirecting spammers and has the same MO and type of .cn URL. It is obviously spam, so why do I still get a few per day, and essentially only of this type?

http://www.spamcop.net/sc?id=z2443567788zd...ecd5fc43d76cc0z
turetzsr Posted December 9, 2008

> I can understand that part, but not really how they can switch the target, often many times per minute, and how do they switch them off entirely so that spamcop can't see them at all for a period of time? Typically repeated submissions to spamcop will always show the same email source, but sometimes no web site host (discarded by spamcop as fake), then less than a minute later there appears a valid web host. Then next time a different one. Then none....

...Have you had a chance to review the links provided by Farelf in his first post, above, or are you looking for more detail than is provided there (especially in the "BotNet" article)?

> It seems to me that even someone who wanted to buy from them would often find it was an invalid web site and move on?? <snip>

...The SpamCop parser has far less "patience" than does a real person in waiting for a URL to resolve. <g>
rconner Posted December 9, 2008

> I can understand that part, but not really how they can switch the target, often many times per minute, and how do they switch them off entirely so that spamcop can't see them at all for a period of time?

By setting up the DNS info for the site to point to several (anywhere from eight to twenty or more) IP addresses at a time, and giving each of these an extremely short time-to-live (TTL), say two minutes or less. Let's say that at any given ISP people look for this website at a frequency less than the TTL time; this means that each time they ask for it their local name servers must do a refresh (which will pick up the new locations seeded into DNS). My impression is that when several IPs are returned by DNS for a given host, the one that is ultimately used by the questioner will be more or less randomly picked from this list.

The fact that SpamCop can't always "see" these sites is probably attributable to its lack of patience more than any cleverness by the spammers. If the spammer is using a substandard DNS (as is usually the case with these), then when SpamCop comes by to investigate, the name server will take longer to give up the info than SpamCop wants to wait, so SpamCop times out and claims that it cannot resolve the address. Generally, your own tools will wait a bit longer and will probably get the results that SpamCop is too impatient to wait for.

> It seems to me that even someone who wanted to buy from them would often find it was an invalid web site and move on??

No, your browser will eventually find the site and load it -- SpamCop will not, because it doesn't want to wait for tardy name servers.

> I'm guessing that in the case of a redirect which is made to a non existent IP, then spamcop will not even see the redirecting PC, or that if the redirecting PC server is switched off momentarily (from the remote CC) either deliberately or while it is reconfiguring for a new redirect, then it will also not be seen by spamcop. But that would mean a master PC and IP somewhere, which would be vulnerable....

These are not "redirects" in the sense you mean. When you resolve the website's name to an address, you set up a session with the host at that address, and you stay on it (generally) for the duration. The host is getting its data from a hidden server that you cannot see. What I think of as "redirection" is when you open a session with one host (at one IP address), which then shunts you off to another completely different host. The difference is "I'll answer your question (after I check in the back room)" vs. "I can't answer your question, go down the hall to this other office". In the latter case, we know exactly where the "real" host is (or maybe we know); in the former we do not.

> Alternatively, perhaps there is a way to change IPs in the DNS servers on the fly, and there can be a delay while that is happening.

Yes, changing addresses in this fashion is a routine DNS maintenance activity, although most domain administrators probably don't find it necessary to do this every two minutes. I think the "delay" you speak of is not on the name server itself, but mainly due to caching by other name servers around the world; usually you have to wait for the TTL to expire (or longer) in order for DNS changes to propagate around the public net.

> However if that is the case, are not DNS servers controlled/regulated by civil people and would that not make it relatively easy to stop?

Spammers like these run their own DNS, or hire crooks to do it for them. DNS is an internet service like any other; there is no means to limit its use to "official" or "civil" outfits. This is actually a GOOD thing, on balance.

> Obviously I'm making guesses here since I don't know the details of how it all works, but I'll finish by asking if anyone can tell me how this tracking number can get through to me, when 99% of all other spam is stopped in spamcop held mail. This is one of those redirecting spammers and has the same MO and type of .cn URL. It is obviously spam, so why do I still get a few per day, and essentially only of this type?

At a guess, I'd say because it came from a source IP address that was not yet on the SCBL or other defenses you might have set in your SC profile. You may simply be an "early acquirer" of this spam. By reporting it, you help get the address on the list so that the messages are blocked for later users like me. This is just a guess, though.

-- rick
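What Farelf showed with nslookup and Rick explains just above (a name answering with many A records, a TTL of a couple of minutes, and a membership that rotates between lookups) can be turned into a defender's check on DNS observations. The following is an added example, not code from this thread or from SpamCop: it pulls the address list out of Windows nslookup output like Farelf's, then scores a series of repeated lookups of one name for the fast-flux pattern. The Observation record, the RFC 5737 documentation-range addresses in the series, and the thresholds in looks_fast_flux are constructed assumptions for illustration; real observations would come from a resolver that reports the TTL, which nslookup's default output does not.

```python
"""Fast-flux indicators from repeated DNS lookups (added example, not from the thread)."""
import re
from dataclasses import dataclass
from ipaddress import AddressValueError, IPv4Address

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_nslookup_addresses(text: str) -> frozenset:
    """Return the IPv4 addresses listed under 'Addresses:' in Windows nslookup output.

    Only the section between 'Addresses:' and 'Aliases:' is scanned, so the
    resolver's own address near the top of the output is not picked up.
    """
    if "Addresses:" in text:
        text = text.split("Addresses:", 1)[1]
    text = text.split("Aliases:", 1)[0]
    found = set()
    for cand in IPV4_RE.findall(text):
        try:
            found.add(str(IPv4Address(cand)))
        except AddressValueError:
            pass  # matched the regex (e.g. 999.1.1.1) but is not an address
    return frozenset(found)


@dataclass(frozen=True)
class Observation:
    """One answer to a lookup of the same name: when taken, the TTL, the A records."""
    seconds: int        # seconds since the first lookup (constructed timeline)
    ttl: int            # TTL in seconds carried by the A records
    addrs: frozenset    # IPv4 addresses returned in this answer


def slash16(addr: str) -> str:
    """Coarse 'different network' key: the /16 containing the address."""
    a, b, _, _ = addr.split(".")
    return f"{a}.{b}.0.0/16"


def flux_summary(observations):
    """Aggregate repeated lookups of one name into the figures a fast-flux check wants."""
    obs = sorted(observations, key=lambda o: o.seconds)
    all_addrs = set().union(*(o.addrs for o in obs))
    changes = sum(1 for prev, cur in zip(obs, obs[1:]) if prev.addrs != cur.addrs)
    return {
        "lookups": len(obs),
        "distinct_addrs": len(all_addrs),
        "distinct_nets": len({slash16(a) for a in all_addrs}),
        "min_ttl": min(o.ttl for o in obs),
        "answer_changes": changes,
    }


def looks_fast_flux(summary, max_ttl=300, min_addrs=5, min_nets=3):
    """Heuristic: short TTL, many addresses across unrelated networks, and an
    answer set that changed between lookups. Thresholds are assumptions."""
    return (summary["min_ttl"] <= max_ttl
            and summary["distinct_addrs"] >= min_addrs
            and summary["distinct_nets"] >= min_nets
            and summary["answer_changes"] >= 1)


# Farelf's nslookup output from the thread, resolver lines elided as in the post.
THREAD_NSLOOKUP = """Non-authoritative answer:
Name:    oainx.cn
Addresses:  203.210.43.185, 62.63.163.77, 91.205.49.241, 93.177.163.15
          94.176.83.182, 121.178.39.71, 122.55.127.67, 124.125.240.48
Aliases:  kwc.oainx.cn
"""

# Constructed series (documentation addresses, not real hosts): eight A records per
# answer, two-minute TTL, membership rotating between lookups, as the thread describes.
FLUX_LOOKUPS = [
    Observation(0, 120, frozenset({"192.0.2.10", "192.0.2.44", "198.51.100.7", "198.51.100.91",
                                   "203.0.113.5", "203.0.113.77", "192.0.2.200", "198.51.100.150"})),
    Observation(130, 120, frozenset({"192.0.2.10", "192.0.2.44", "198.51.100.7", "203.0.113.5",
                                     "203.0.113.77", "192.0.2.200", "198.51.100.150", "203.0.113.130"})),
    Observation(260, 120, frozenset({"192.0.2.44", "198.51.100.7", "198.51.100.91", "203.0.113.5",
                                     "203.0.113.77", "203.0.113.130", "192.0.2.33", "198.51.100.8"})),
]

# Constructed ordinary site for contrast: two stable addresses, one-hour TTL.
STABLE_LOOKUPS = [
    Observation(0, 3600, frozenset({"192.0.2.80", "192.0.2.81"})),
    Observation(3700, 3600, frozenset({"192.0.2.80", "192.0.2.81"})),
]

if __name__ == "__main__":
    print(sorted(parse_nslookup_addresses(THREAD_NSLOOKUP)))
    for label, series in (("rotating", FLUX_LOOKUPS), ("stable", STABLE_LOOKUPS)):
        s = flux_summary(series)
        print(label, s, "fast-flux?", looks_fast_flux(s))
```

The /16 grouping is a stand-in for the autonomous-system diversity a production check would use; eight zombies on eight unrelated networks is a very different thing from eight addresses in one hosting provider's range, which is what a legitimate load-balanced site looks like.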
Rapakiwi Posted December 9, 2008

> The reason that the internet is not re-designed is that too many people would be unable to use it since so many products are made for the present use. (that's a little simplistic, but the concept is the same).

Indeed, all good things come to an end, such as 'finger', then 'return receipts'. Because this thread began with a discussion of fast switching of IP addresses on one name server, then the fast switching of name servers themselves, I draw your attention to this proposed software change to, or 're-design' of, legitimate name servers to ameliorate some of the 'fastflux' spam problem.

http://tools.ietf.org/html/draft-bambenek-doubleflux-01

Note that it is already a violation of ICANN contract for a safe little site name, such as canadianpharmacy.cn, to be sold a different IP address if it is guilty of fraud. (Of course, what 'guilty of fraud' means, only ICANN knows.) :-)

Rapakiwi
rconner Posted December 10, 2008

> I draw your attention to this proposed software change to, or 're-design' of legitimate name servers to ameliorate some of the 'fastflux' spam problem. http://tools.ietf.org/html/draft-bambenek-doubleflux-01

Thank you for the post ... this looks very interesting. Minor changes made (mostly) at the nameserver level that would slow down all the fluxing. The authors acknowledge this will not stop the behavior (or more particularly the attempts to engage in such behavior), but will put quite a dent in it for the time being. The downside would be that you couldn't publish a TTL shorter than 12 hours for your host, but from where I sit I can't think of why a normal, rational person would want to do this.

It occurs to me that setting minuscule TTL values is just another of the many ways that spammers steal from the rest of us in order to prop up their operations -- by forcing our local nameservers to eat up network bandwidth in bootless and repetitive queries for their sites, bypassing the efficiencies of DNS caching.

-- rick
Farelf Posted December 10, 2008

Yes, thanks Rapakiwi. And Rick. A continuing education, which is appreciated.

> ...The downside would be that you couldn't publish a TTL shorter than 12 hours for your host, but from where I sit I can't think of why a normal, rational person would want to do this. ...

Yet some do! I can't say I understand that simple fact either. Take the very popular imdb.com (punch it into http://www.alexa.com/ traffic charts to see just how popular). http://www.squish.net/dnscheck/ shows no traversal problems, yet it is "hard to get", especially outside of North America, it seems. http://www.downforeveryoneorjustme.com/ often shows it down even when it is not. http://centralops.net/co/DomainDossier.aspx shows 3 hour TTL on SOA, A and NS records. The subdomains uk.imdb.com and us.imdb.com are showing 1 second, 1 minute and 10 minutes respectively! Yet they are said to be easier to reach. Now I vaguely recall something about short TTLs being good when there are server changeovers happening (though this has been going on for well over a week). Anyway there may be tech reasons for lower TTLs - temporarily at least.
elind (thread author) Posted December 10, 2008

That was interesting and informative. So what are the chances of something like that being implemented?

On the subject of responsible behavior, are not botnets readily identifiable by virus detection software? Would it not be simple for reputable ISPs to require that all subscribers have such software, and indeed provide it for free if not from another source? A service provider could simply automatically trigger a scan at regular intervals, and advise how to prevent reinfection, or discontinue service if not complied with. This would not stop abuse, but it would push it to sloppy or criminal providers who would stand out more easily. As an example, the spam I get that started this thread has Comcast in all of the lists that I have investigated, and Road Runner in at least one. Comcast can be shamed more easily than somebody in Russia.
Miss Betsy Posted December 10, 2008

No, I don't think botnets are detectable by virus detection software. Virus detection software looks for viruses and trojans. Of course, the people who have infected computers could have avoided infection if they had virus protection. Many ISPs nowadays do offer free virus protection software or scan all email before delivering it. Unfortunately, some ISPs do not care if there are infected computers on their networks as long as they do not use port 25 and go through the ISP mail server, because as long as their mail servers are not blocked, it doesn't give them a problem. It takes time and money to get customers to clean infected computers.

I think there are blocklists that list botnets and many ISPs do use them. Since I can't use blocklists, I don't know which ones they are. The problem is that computers are being infected faster than the blocklists can list them, I believe. My contention is that if ISPs used blocklists to reject spam email, rather than simply to identify it, then those who are not spammers would get an education about choosing reliable email service. Eventually, as you hint, there would be two internets - one where one can rely on email to be mostly spam free and one where email of any sort is accepted. However, ISPs believe that the average end user can't understand why their email was rejected or why someone can't get email from an irresponsible ISP (with some basis) and prefer to act as nannies by trying to filter out bad email before the customer gets it. If someone wants to get all their email, just in case there is a real email in it, then they would have to pay more for the bandwidth to accept it. Many of those who actually click on spam would be the frugal sort who pick the cheaper option and then never see all those great deals.

In other words, there are a number of factors involved in why ISPs do not do the obvious, commonsense actions to reduce spam - most are financial; some are social; a few are technical.

Miss Betsy
rconner Posted December 10, 2008

> On the subject of responsible behavior, are not botnets readily identifiable by virus detection software?

Bot NETS cannot be detected by antivirus software (that's what SCBL et al. are for), but individual zombie machines possibly can be. I'm not an expert here, but there is an arms race between the malware people and the antivirus people, which means that the rest of us have to make the effort to stay current. You might well be able to detect an infection on a given computer, but only if that computer had good AV software and it was VERY up-to-date. Most people are not going to bother with these, sadly, and they are the targets for the botherders.

> Would it not be simple for reputable ISPs to require that all subscribers have such software, and indeed provide it for free if not from another source?

A lot probably do, but I don't think that it is as simple as "install once, be free forever."

> A service provider could simply automatically trigger a scan at regular intervals, and advise how to prevent reinfection, or discontinue service if not complied with.

Many people (including me) would be uncomfortable about the notion of the provider spying on the content on my computer. Many other problems here as well: what if my computer is turned off or unplugged or off the premises? What if the scan crashes my computer in the middle of my writing my PhD dissertation or some such? What if I have a Mac or a *nix box, do I get scanned? Another nasty little problem is the fact that the zombie kit can actually subvert or cripple the AV software. So, even a clean bill of health from the software does not mean that the system isn't infected. As I understand, infected systems often must be carefully purged by an expert, or else have their disks wiped and rebuilt. Now would be a good time to point you to two entries in the SC Wiki: on Zombies and on botnets.

> This would not stop abuse, but it would push it to sloppy or criminal providers who would stand out more easily.

I think that would be pretty much OK by the botherders, who don't need EVERY provider to be sloppy.

> As an example, the spam I get that started this thread has Comcast in all of the lists that I have investigated, and road runner in at least one.

Comcast made a great effort several years back to get their subscribers' machines to stop sending spam, so they deserve some credit for that. Maybe it is time for another push, this time in the area of botnet web proxying. I should note that there is a solution far easier than dealing with each infected machine one at a time (which for Comcast could take years): simply block inward Port 80 access (i.e., HTTP) to all users' machines. In this way, even if they remain infected, they cannot be used for web proxying. I am a customer of a major IP, and even if I open up httpd access on my box, I cannot reach it from the public network, so I would be a very poor prospect for a botnet. -- rick
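The rotating address pool the thread keeps coming back to (a handful of zombies acting as HTTP redirectors, with a different subset answering each lookup) can be checked for mechanically rather than by eyeballing repeated resubmissions. The following is an added example, not code from the thread or from SpamCop: it scores a series of DNS answers collected over time for one name using the usual fast-flux indicators (many distinct addresses, spread across many networks, short TTL, high churn between answers). The lookups are constructed inline, with private 10.x addresses standing in for real zombie IPs; a live monitor would collect them with the system resolver or dnspython. The thresholds in `looks_fast_flux` are heuristics of my own, not anything the thread states.

```python
"""Score DNS answers for one name for fast-flux behaviour (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class Lookup:
    t: int             # seconds since the first lookup
    ttl: int           # TTL returned with the A records
    addrs: List[str]   # A records in this answer


def prefix16(ip: str) -> str:
    """Collapse an IPv4 address to its /16 so network spread can be counted."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_indicators(lookups: Sequence[Lookup]) -> Dict[str, float]:
    """Summarise a series of answers: unique IPs, unique /16s, min TTL, churn."""
    if not lookups:
        raise ValueError("need at least one lookup")
    all_ips = set()
    for lk in lookups:
        all_ips.update(lk.addrs)
    nets = {prefix16(ip) for ip in all_ips}
    # Churn between consecutive answers as a Jaccard distance: 0 means the same
    # set came back, 1 means no address survived from one answer to the next.
    churn = []
    for prev, cur in zip(lookups, lookups[1:]):
        a, b = set(prev.addrs), set(cur.addrs)
        churn.append(1.0 - len(a & b) / len(a | b))
    return {
        "unique_ips": len(all_ips),
        "unique_16s": len(nets),
        "min_ttl": min(lk.ttl for lk in lookups),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
    }


def looks_fast_flux(ind: Dict[str, float]) -> bool:
    """Heuristic verdict (assumed thresholds; large CDNs can also trip the first three)."""
    return (ind["unique_ips"] >= 8 and ind["unique_16s"] >= 4
            and ind["min_ttl"] <= 300 and ind["mean_churn"] >= 0.5)


# Constructed sample: three answers a couple of minutes apart, eight addresses
# each, most of them replaced between answers, TTL of three minutes.
FLUX_LOOKUPS = [
    Lookup(0, 180, ["10.1.0.5", "10.2.0.9", "10.3.1.7", "10.4.2.2",
                    "10.5.0.11", "10.6.9.3", "10.7.4.4", "10.8.0.8"]),
    Lookup(120, 180, ["10.3.1.7", "10.7.4.4", "10.9.1.1", "10.10.2.2",
                      "10.11.3.3", "10.12.4.4", "10.13.5.5", "10.14.6.6"]),
    Lookup(240, 180, ["10.9.1.1", "10.14.6.6", "10.15.7.7", "10.16.8.8",
                      "10.17.9.9", "10.18.1.2", "10.19.3.4", "10.20.5.6"]),
]

# Constructed sample: an ordinary site whose answer does not move.
STABLE_LOOKUPS = [
    Lookup(0, 3600, ["192.0.2.10", "192.0.2.11"]),
    Lookup(3600, 3600, ["192.0.2.10", "192.0.2.11"]),
]

if __name__ == "__main__":
    for name, series in (("flux-sample", FLUX_LOOKUPS), ("stable-sample", STABLE_LOOKUPS)):
        ind = flux_indicators(series)
        print(name, ind, "fast-flux" if looks_fast_flux(ind) else "ok")
```

Counting /16 prefixes is a cheap stand-in for counting ASNs, which is the better signal; if an ASN lookup is available, substitute it, since a hosting provider's own load-balanced pool can be large and short-lived without being a botnet.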
Wazoo Posted December 10, 2008

> On the subject of responsible behavior, are not botnets readily identifiable by virus detection software?

These days, there are virus, trojan, malware, ad infinitum types of infections. Who hasn't yet thanked Sony for their being so helpful to put root-kit types of crap into the hands of script-kiddies? Even if there was "one" tool that covered the whole range, it was only useful 'yesterday' .... see Software Development Life Cycle principles for spam, substituting 'virus' for 'spam' and the various anti-spyware/malware/trojan tools for the spam-filtering tools. Even after factoring in the time delay between a 'new' bad thing being released, found or submitted, and detection and possible removal tools and code being released, it's still up to the end user to actually ensure that those updates make it onto their system. I just had a system in here last week that hadn't had the Norton/Symantec anti-virus crap updated since 2004 (back when the 'free' use license expired .. but as far as the owner believed, she was still protected.)

> Would it not be simple for reputable ISPs to require that all subscribers have such software, and indeed provide it for free if not from another source?

As Miss Betsy states, most do provide the software, if not links to various products. It's still up to the end user to do something about it.

> A service provider could simply automatically trigger a scan at regular intervals,

Scan for what? Very few folks I know would put up with allowing their ISP to reach in and take a look at their hard drive contents.

> and advise how to prevent reinfection, or discontinue service if not complied with. This would not stop abuse, but it would push it to sloppy or criminal providers who would stand out more easily.

Some ISPs do monitor traffic and manage to do things about that stuff. For instance, see Proactive ISP
elind Posted December 10, 2008 Author

> No, I don't think botnets are detectable by virus detection software. Virus detection software looks for viruses and trojans. Of course, the people who have infected computers could have avoided infection if they had virus protection. Many ISPs nowadays do offer free virus protection software or scan all email before delivering it.

My bad. I did not mean detecting a "network", just an infected computer, and I believe virus detection will detect what it takes to infect a PC for a botnet. I'm not sure, but won't a firewall also prevent that misuse?

> Unfortunately, some ISPs do not care if there are infected computers on their networks as long as they do not use port 25 and go thru the ISP mail server because as long as their mail servers are not blocked, it doesn't give them a problem. It takes time and money to get customers to clean infected computers.

Yes, but a concerted effort to identify and show who cares and who doesn't would have an effect, at least in the West, if ISPs could be shown to be able to make a significant difference by being proactive rather than simply reactive. I, for example, will be looking to see if Comcast pays any attention at all to the reports I have sent them about this ****.cn botnet.