I get more spams to my business email box and much less to my personal email box (which I use less). I guess I increase my chances to get more spams when I leave more footprints on the Internet. This is just a guess.
As in the case of piatkow, different spammers attack to my personal and business email addresses. Spammers use my business email address as sender's email address and this doesn't happen to my personal email address.
I am surprised that spam filters cannot still get rid of the obvious and repeated spams.
Number of spams that I get to my both email addresses is still at reduced level. I hope it doesn't go up again.
McColo is back elsewhere now. Took two weeks, I was dead on.
They moved it to Estonia.
[edited by: amznVibe at 8:24 pm (utc) on Nov. 26, 2008]
|I am surprised that spam filters cannot still get rid of the obvious and repeated spams. |
It uses a honeytrap system. All mail sent to a certain email address will only be spam, as it's not a real address and I never gave it to anyone. It learns all mail sent there as spam.
After signing up to a few "free pron in your email" newsletters with the address a while ago, it is now recieving the same spam mails as my actual accounts.
Consequently, my actual accounts are shielded from most spam, even the ones that don't score high enough for my filter to actually block them.
Nice, is that one you build yourself or a commercial service?
|It learns all mail sent there as spam. |
I like your idea.
|you build yourself or a commercial service |
I host my own web and email, so it's my server but a bought in program.
Don't know if I'm allowed to say on here, so I hope you see this before it's chopped!
It's called No Spam Today. It's an SMTP filter designed to sit on a mailserver.
Estonian ISP Takes Steps To Cut [computerworld.com] Srizbi botnet
|An Estonian ISP that temporarily hosted the command-and-control servers for the Srizbi botnet, responsible for a large portion of the world's spam, has cut off those servers, according to computer security analysts. |
Starline Web Services, based in Estonia's capital Tallinn, had hosted four domain names identified as the control points for Srizbi, according to researchers from computer security firm FireEye.
Hundreds of thousands of PCs around the world infected with Srizbi, a difficult-to-remove rootkit that is used for sending spam, were programmed to seek new instructions from servers in those domains.
It seems to me that the ISPs are reacting, which has to be a good thing.
I imagine now they'll have to rewrite their kits to look at different host domains, and then attempt to reinfect.
ISP's and Hosts like money, but I don't think they like it enough to risk losing connectivity.
I'm guessing that the next stop for these hucksters will be Canada or Brazil.
OK, maybe I'm missing something but whoever allows this botnet to be hosted could obviously take a shot at taking it over and ending it once and for all.
Instead of one company after another punting them to a new ISP, they should let it sit for a while, get some security experts in and fully examine the botnet and then dismantle it once and for all.
Otherwise, we just keep playing cat and mouse.
It is or has been discussed in the past few days:
|According to FireEye, Srizbi was the only botnet operating through McColo that had a backup plan in case their master control servers were ever unplugged: The malware contained a mathematical algorithm that generates a random but unique Web site domain name that the bots would be instructed to check for new instructions and software updates from its authors. |
Shortly after McColo was taken offline, researchers at FireEye said they deciphered the instructions that told computers infected with Srizbi which domains to seek out. FireEye researchers thought this presented a unique opportunity: If they could figure out what those rescue domains would be going forward, anyone could register or otherwise set aside those domains to prevent the Srizbi authors from regaining control over their massive herd of infected machines.
The article goes on to describe legal and technical problems in commanding the trojans to uninstall themselves (as well as the expense of registering all the domains as a stop gap measure!).
Legal schmeagle, technically this is a potential threat to Homeland Security, just get them to bless the operation and covertly arrange the hosting.
Besides, I've always contended the easily solution to stop the problem is to block all internet access to the infected machines until the owner fixes the problem.
In many states you can't drive cars belching smoke on the road until you fix it so why should infected PC's belching spam be allowed online until they're fixed?
[edited by: incrediBILL at 8:31 pm (utc) on Nov. 28, 2008]
Well, when independent operators, or the US Govt. starts remotely uninstalling apps on distant computers, knowing the risk of system crashes, then there is a problem.
Have to wonder how many govt. computers have trojans - not just US Govt. but State, Municipal and/or foreign.
It is a slippery slope that you are advocating. Computer rendition. It is tempting though.
|It is a slippery slope that you are advocating. |
I understand the ethical dilemma but the computer is already compromised and if removing the trojan causes a system crash, so be it. The owner already needs to get it repaired and if it crashes it forces the point.
Actually, I'm advocating just blocking them from being online until they get the machines fixed, let the owner worry about how to get rid of the trojan.
|blocking them from being online until they get the machines fixed |
I see no ethical problem with an ISP having that in their Terms and Conditions.
I don't know of any that take such measures, though.
Some believe the ISP/Host does not know about spam operations of sites or accounts hosted. ISPs try to claim the same too. I found this really peculiar not to mention anything else.
Ok, lets see, pretty much as we have a tiny percentage of victims responding to email spam so we have another "tiny" percentage of some who will go after the spammer's assets. They also have and deploy botnets and go after the spam sites with DoS, injections etc., you name it. So the ISP does now about it right away I would say. Why do you believe he doesn't? Why he "may do" something if and only if he receives a complain? He know right away because it takes out resources, brings sites down etc. It is also "strange" that the ISP in this case, will not complain to the host where these attacks are coming from.
Now some believe, spammers rely on some zombie computers to send their spam. Spammers may go after web-servers because the resources are of much higher importance than joe doe's personal pc. They don't care much about joe doe. If joe does gets some malware installed, fair enough they may have another pc to play with. But it is just a drop in the ocean for them.
But why not go into a shopping mall and get what? 100 different wifi services? They have as many ips as they like and they can spam all they want. Far easier, cannot be detected unless the ISP monitors that and has some way of controlling it. Good luck with that.
As of the spam filters. I personally switch them off. They do more harm than good. Unfortunately many ISPs do not offer an option to control spam filters and they have them permanently on.
There were many cases I saw in the past, spam filters were blocking legitimate email messages and I could not communicate with people to do my work. And even now, I see several ISPs (eg: comcast) where they have some lousy filtering mechanism that identifies legitimate email servers and legitimate email as spam. Interesting though they respond with something like spam detected/blocked and bounce emails. I wonder what will happen if popular sites start blocking every access that comes from these ISPs. How popular ISPs are going to be afterwards? And its real easy to do. Just rdns, check the hostname. If unresolved or blacklisted then do a 403.
|Some believe the ISP/Host does not know about spam operations |
My ISP blocks outgoing SMTP, so you have to relay through their servers. This way a spammer could not operate without immediate detection.
|They also have and deploy botnets and go after the spam sites with DoS, injections etc |
Create a DoS virus to kill a virus? That wouldn't solve the problem, just move it. It would only temporarily stop the spammers, and then what do you do about the manufactured virus?
|Now some believe, spammers rely on some zombie computers to send their spam. Spammers may go after web-servers because the resources are of much higher importance than joe doe's personal pc |
Errr, no. Spammers would generally not use an email server. They are tightly locked down, and placed behind firewalls. Not to mention software security to prevent any malware infection. Spammers infact have millions of 'zombie' computers instead.
|But why not go into a shopping mall .... and they can spam all they want |
Ummm, again no. I assume by 100 different wifi services you mean corporate ones, and maybe 1 or 2 public ones.
Corporate wireless connections are incredibly secure, because they are easy to break into. It's almost like being on the outside of their network. You'd be lucky to get a single email out.
Public ones, yeah maybe. They would be open to allow users to access their own email. So well done, you have a single computer sending email. Now compare that to having millions around the world, what makes more sense?
|As of the spam filters. I personally switch them off. They do more harm than good. |
While they're not 100% accurate, you obviously don't know how to configure a spam filter.
|I wonder what will happen if popular sites start blocking every access that comes from these ISPs |
So, you're proposing to deny major ISP's access to your sites? Why? Cos their spam filters don't meet your expectations? How ridiculous is that? Really?
Wake up. That's really not going to happen. Ever.
|And its real easy to do. Just rdns, check the hostname |
What does that prove exactly? All ISP's I've seen use a simple 12-34-56-78-myisp.co.uk type rdns. That tells you nothing.
[edited by: Dabrowski at 4:52 pm (utc) on Nov. 29, 2008]
|Corporate wireless connections are incredibly secure |
Sorry, "secure wifi" is an oxymoron.
[edited by: incrediBILL at 5:30 pm (utc) on Nov. 29, 2008]
|What does that prove exactly? All ISP's I've seen use a simple 12-34-56-78-myisp.co.uk type rdns. That tells you nothing. |
And they will resolve for a forward to 188.8.131.52? I don't think so.
|Wake up. That's really not going to happen. Ever. |
It's already happening at least for sites I have access on.
I don't think is hard for an attacker to get access via wifi and send spam is very simple.
I am just stating what is happening. And the ISP knows about it isn't it?
|Create a DoS virus to kill a virus? That wouldn't solve the problem, just move it. It would only temporarily stop the spammers, and then what do you do about the manufactured virus? |
|So well done, you have a single computer sending email. Now compare that to having millions around the world, what makes more sense? |
Not sure I understand. Are you saying a spammer needs hundreds of workstations do do his dirty job? Just one system with enough resources is enough.
|Spammers would generally not use an email server. |
Actually all they need is a web-server (a web-site will do). Once they compromise it they can send plenty of spam emails. Typically sites have email services for newsletters, accounts, orders, etc. Far easier than a pc.
|Corporate wireless connections are incredibly secure |
Sorry, "secure wifi" is an oxymoron.
I think I worded that wrong. Wifi itself, yes, insecure, easy to break into, as various spotty teenagers with annoyed neighbours will tell you.
The point I meant to make is that the networks they are connected to are secure. If you can get into the wireless you may find you cannot access anything of importance without local VPN software, SSL certificate etc....
Usually corporate wireless only exists to give roaming managers access to in-house systems, and are often isolated from any other systems.
|And they will resolve for a forward to 184.108.40.206? I don't think so. |
Yes they usually will, that's what I meant. A generic ISP address of 220.127.116.11 will usually rdns to something like that.
I will try and confirm this, I can't check on here as I do actually have proper rdns.
|He know right away because it takes out resources, brings sites down etc. |
I am just stating what is happening.
On the contrary, a DoS attack will be instantly picked up by and ISP and probably isolated. So your counter attack fails.
The spammer on the other hand, doesn't generate excessive traffic, so is not detected by ISP's until they start getting complaints.
|Are you saying a spammer needs hundreds of workstations do do his dirty job? Just one system with enough resources is enough |
Yes. Think about it, what attracts more attention, one computer sending 12 million emails, or 12 million computers sending 1 email.
And resources in this case is really server and network bandwidth. Even the most basic PC could fire out emails fast enough to keep up with it's network speed.
|Actually all they need is a web-server (a web-site will do). Once they compromise it |
And therein lies the problem. Any provider with enough resources to be attractive to a spammer will have it locked down well enough that it can't be compromised. And even if it is, the access would be logged and thus leaves a (paper) trail directly to the spammer. This is a security risk for them as they could be traced.
drawing a line...
Going back to the original discussion though, I agree with Incredibill about ISP's dumping users with malware.
People who don't comply with the law get excluded from society, why not exclude people's computers that don't comply with what should be, and maybe is, internet law? I'm sure your ISP T's have something about it.
It would also be nice if all the internet registrars could lock out all domains this botnet looks for, but that's never going to happen, and I suspect that the spammers could update their software before all domains could be excluded.
|I will try and confirm this |
ok, a friend is on a generic ISP. It's definately a users only ISP, as they don't know what a static IP is.
If his IP was 18.104.22.168, his rdns would be 4e38220c.something.hisisp.com.
They've converted the address to hex, but rdns is still valid, and would be even for dynamic IP addressing.
|On the contrary, a DoS attack will be instantly picked up by and ISP and probably isolated. So your counter attack fails. |
It's not me, its what happens for many cases. There are counter attacks against the spammers. And why it will fail? What makes you think there will be a difference if the ISP sees it? There are DoS that go on for days and days.
The whole point is the ISP knows about it and assuming he runs a legitimate business they should realize that one or more sites on their server are having illegal content. Because they can see who's the target of the DoS. In which case they shut-down the sites.
|Yes. Think about it, what attracts more attention, one computer sending 12 million emails, or 12 million computers sending 1 email. |
I see sites sending out newsletters to thousands of their clients at the same time. If that would attract attention then you wouldn't see them now isn't it? The provider/ISP will not get involved there. If he receives complains and he's legitimate yes he will take action.
There are so many web-packages there, with documented flaws and side-effects. Spammers take advantage of these because site-owners do not update the site-code often. They may not even know how to do the updates. Spammers in turn find the security holes for each of these web-packages, modify the scripts and they can use the mail services of the site. It is a disposable asset to them. It's not something they own or paid for it.
BTW for the case I mentioned earlier where I got an email bouncing back specifically stated the email was not delivered because of spam, there is a serious problem about it and it's nothing personal against the ISP (for sure they need to fix their spam filters).
The problem is this. Say you are the owner of site example.com. Mail originates from mail.example.com. Assume the site is an ecommerce one where customers open accounts, place orders etc. Now if an ISP blocks anything coming from mail.example.com, any visitor from that ISP may come into the site, place an order and never receive an email and that makes the owner of example.com look really bad. So although performing a ban by hostname is not the only option, is something the site-owner may have to do temporarily, till the issue is resolved. I hope you understand my point.
|There are DoS that go on for days and days |
LOL! Ironically, my router is telling me someone is trying to DoS me!
|People who don't comply with the law get excluded from society, why not exclude people's computers that don't comply with what should be, and maybe is, internet law? |
Server ops/isp's that allow massive amounts of spam in many cases can get their ip ranges banned outright. It happens every day throughout the world with any number of blocklists that are out there.
Mail servers/isp's can and often do blacklist according to rbl, spamcop, and many others.
There are instances, even to this day, where ecommerce solutions are affected by these filtering processes, in that the server ops/isp allows the spam and the rbl blocks the range ... the ecommerce solution is either out of business or has to find another server under a different range.
eCommerce isn't known to send unwarranted amounts of spam anyway as a rule, so the arguement in and of itself is rather moot. Conducting business requires, at times, lots of mail, and server ops/isp's know this.
Professional eCommerce solutions, i.e., Walmart, Macy's, Dusk, usually have their systems locked down fairly tight anyway, using their own mail servers. The last thing they need is to be finding their range tied up with an rbl somewhere.
It's the random quarter of a million emails coming from an even more random quarter of a million home pc's that's harder to get a handle on.
One home pc can be compromised, and send 12 spams a week as a result, for instance ... tell me then ... what isp in their right mind is going to shut that one pc down?
SpamCop.net - Total Spam Report Volume
Ya, here we go, it was nice while it lasted but the amount of incoming spam these past couple of weeks is off the charts again. I think we all knew what the outcome was going to be. It didn't take long to fill that "gaping" void, did it? ;)
| This 84 message thread spans 3 pages: < < 84 ( 1 2  ) |