Fortune 1000 Companies Sending Spam, Phishing

An anonymous reader writes "The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks. Oracle was found to have a machine pushing out a PayPal phishing scam, and BestBuy had a system sending thousands of spams a month. The Washington Post's Security Fix blog also is tracking this story, finding stock spam being pumped from ExxonMobile and from American Electric Power, among others. Another machine at IndyMac Bank was the source of spam touting generic prescription drugs. From the story: '...an IT engineer with American Electric Power, said the stock spam came from a bot-infected computer belonging to a contractor at one of its power generator plants.'"

Ratio of broadband vs dial-up

[Recovering Hater (833107)]

Once you consider how many americans are supposedly still on dial-up it stands to reason that some portion of the zombie bot-nets will be hosted on corporate americas computers instead of in the home.

Companies can restrict outbound port 25 connects.

[khasim (1285)]

Yeah, home users aren't the whole problem.

But why aren't these companies correctly firewalled? Why do they allow machines other than their email servers to make outbound port 25 connections?

Why aren't their logs monitored? Wouldn't this be easy to spot?

Even with the resources of the biggest companies, their people cannot keep their machines clean or even stop them from sending spam. Who knows what else. A spam zombie can just as easily log network traffic, passwords and anything else on their wires.

Re:Companies can restrict outbound port 25 connect

[Sparr0 (451780)]

Why would you NOT allow outbound port 25? Thats a ridiculous restriction. The office I work at has plenty of people who *GASP* check their personal email from work. When they send replies, their SPF/DomainKeys/Whatever-using ISP requires them to use the proper SMTP server. As it should be.

They have usernames/passwords, right?

[khasim (1285)]

Port 25 is usually for server to server SMTP transmissions.

If you're an end user, you should have a username/password and be using port 465 or 587 (or whatever your email admin setup).

That is why companies should block outgoing port 25 connections from everything except there own mail servers.

your use case

[Gary W. Longsine (124661)]

You don't need outbound access on port 25. Use a non-standard port for your mail server like the rest of the cool kids.

Re:

[aztracker1 (702135)]

First off.. port 587 etc traffic *CAN* be limited to only authenticated sessions, no end-delivery... also, mail servers shouldn't allow anonymous relay in any case... the only server you as a user should be connecting to outbound should be ones you authenticate to, and the 587 port is meant for this...

If the above restrictions are in place (no end-point delivery on 587, then the virii won't use it.

Re:

[bendodge (998616)]

My cable ISP requires all port 25 mail to go through their own SMTP server. It's a pretty effective spambot solution (and it's fast sending, since the server is close). But of course, GMail doesn't user port 25 (I love Google's trendbucking).

Re:

[Curien (267780)]

Well boo hoo for them. If I set network policy, I wouldn't allow people to download foreign e-mail. If the user's just getting e-mail froma POP connection, you lose the ability to check it for viruses, spam, phishing schemes, etc. Basically, you might as well let people plug laptops right into the enterprise LAN (you're NOT doing that, right?). If they want to receive e-mail at work, they should have it sent to their work address (perhaps via auto-forwarding).

Scan every e-mail at the SMTP server. Scan every

That's inbound. I'm talking outbound.

[khasim (1285)]

You are correct. All of those paths could lead to a workstation on your network being compromised. And you have great suggestions on how to protect them.

But I wasn't originally talking about inbound connections. Blocking the outbound connections would cut off the spam coming from your network.

How those machines got infected in the first place is a whole other series of discussions. And one that we really should have sometime. Preferably involving Linux and Free software at the critical points (allowing for Windows workstations).

Re:

[hedwards (940851)]

When I was in college a couple of years ago, we had a couple of computer labs. The one I am going to talk about was a mac based lab completely consisting of old world macs. What they did to limit the amount of damage that a root kit could do and make it harder for large amounts of malware to get on there was this:

In addition to the normal security setup each computer had an additional program on it. The function of the program was to reset the contents of the computer to that of a default image every single

Re:

[Curien (267780)]

Roaming profiles, FTW.

Re:

[pe1chl (90186)]

Maybe you should read up a bit on "roaming profiles", which are usually used in an enterprise environment with a Windows domain.
Those store your user settings on the server and make them available on any client where you log in. So you don't have to setup your email account or wallpaper every time you use another computer, or re-install it.

Re:

[mpe (36238)]

That's a good idea except it will only work for computers that do not need to save some sort of state, those such as school labs and the like (where user data is primarily saved in the servers). Enterprise computers are not in that category. For example, setting up email accounts (outlook, thunderbird, etc) would be quite a pain in that regard, unless you use web based email (TWIG, Squirrel, OWA) which will easily eat up storage in no time. User preferences (wallpapers, screensavers, themes, recent docs) wi

Re:

[asninn (1071320)]

That'll work fine until the CEO demands to know why he can't check his mail anymore or why there suddenly is "a little bit of latency" that wasn't there before. Don't overestimate your power to "set network policy" in the face of upper management.

Re:

[StarvingSE (875139)]

I admit I am not an expert on the subject of web-based e-mail, but checking your yahoo, gmail, comcast webmail, whatever is done through the web, which uses port 80, which most likely won't be blocked by your employer. Port 25 should be restricted to a company owned e-mail server.

If your employer is allowing you to check your home e-mail through a client (outlook, thunderbird) then that is asking for trouble.

Re:Companies can restrict outbound port 25 connect

[db32 (862117)]

I seriously hope you are being sarcastic. If I ran across a firewall admin on any corporate network allowing outbound 25 from anything but the corporate email servers I would suggest canning their asses in a heartbeat. It is just stupid on so many levels. First of all checking personal email from work should be on the top 10 things of "you aren't allowed to use the corporate network for this", beyond that, outbound 25 has precious little to do with that anyways, unless they are running an email server on the corporate network in which case that should be #0 on the list since #1 assumes that your employees aren't stupid enough to use your corporate resources to run personal servers, either way a good firing would fix that in a hurry. Honestly, since most corporate networks these days are using exchange boxes, they shouldn't even really be allowing outbound 25 from ANYTHING on the internal network. A good admin will have a secured relay be it part of the firewall or a sun box or something other than allowing the win/exchange boxes from talking directly to the net.

You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases. The enterprise network exists for the sole benefit of the enterprise. Personal email, instant messages, myspace, what the hell ever, has a risk that FAR outweighs any potential benefit. If your employees can't leave their email/myspace/im friends for 8hrs a day you should probably find employees who can. There is plenty of websurfing around that doesn't involve grotesque breeches of security to keep people entertained while they are being productive. If the company is paying you so little that you can't afford your own internet access you should probably find a new job.

Re:Companies can restrict outbound port 25 connect

[paeanblack (191171)]

You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases.

That's a classic example of IT narrowmindedness. If the employees no longer care, no technical measures will secure your data. Security is everybody's business, not just yours. People will naturally protect that which they care about. No morale = no security.

As you seem to be from the school of "a good firing will fix anything". Hopefully for your own sake your boss wises up and uses a 'good firing' to adjust your attitude, because I doubt anything else will penetrate that skull.

You have to be cruel to be kind

[TapeCutter (624760)]

"No morale = no security."

Yes, but one of them came first. A company that has LAN problems does not get much done and if it happens regularly you will find your users wandering off on "LAN breaks", managers will attempt to charge the IT dept for down time, ect, frustration levels rise, experienced sysadmins are like rats on a sinking ship, and morale suffers.

Like it or not the GP is correct, IT policy is a matter of coporate "self preservation". LAN policy must be enforced from the top down with the s

Re:

[db32 (862117)]

IT narrowmindedness? Sure, whatever, I am so sick of users justifying the most insane bullshit on the network and then crying about the IT department being enforcing such harsh restrictions. Go buy your own internet access and expose your home network to whatever you want, not mine. Then on top of this its the IT departments fault when the secretary has installed 18 random mouse cursors and other malware crap and her computer runs like shit. While doing contract work I almost watched a woman get fired o

Re:

[spacefight (577141)]

If you leave Port 25 open as a company, you're basically asking for trouble....

Re:

[DrSkwid (118965)]

How to make yourself look totally ignorant about the internet in one easy post.

Re:Companies can restrict outbound port 25 connect

[afidel (530433)]

Yep, that's what I came here to say. Outbound port 25 blocking is a standard for any firewall config I do. It helped me out the one time a mail server I admin got incorrectly added to a RBL, I simply told them that my outbound 25 was restricted to the one host and asked them to run a scan on it, once it came back as not being an open relay them removed me immediately. I have never had someone give me a legitimate business reason for not restricting it, and I really can't imagine one. Contractors and consult

Re:Companies can restrict outbound port 25 connect

[aztracker1 (702135)]

Many viruses that send out spam use the MAPI interface (Outlook & Outlook Express) to use the mail settings on the local machine... So blocking the port doesn't help nearly so much... though why they don't have outbound mail flagged if a user sends more than say 10 emails an hour on average is beyond me...

maybe

[mastershake_phd (1050150)]

Well laws havent stopped spammers or botnets yet, maybe big companies suing them for millions (or billions) in damages will, couldn't hurt.

ExxonMobile

[biocute (936687)]

finding stock spam being pumped from ExxonMobile

This is no spam, this is an actual stock push you insensitive clod!

Big surprise

[cdrguru (88047)]

Could it be that most users can't seem to understand that surfing to porn sites leads to malware being installed? How about clicking on random attachments leads to compromised computers?

Perhaps computers meant to be used as email appliances should really be email appliances rather than general purpose programmable (and repurposeable) computers.

The alternative to this is to figure out a way to make sure that it is impossible for users to ever install anything on their computer that will compromise it. Soun

Re:

[Detritus (11846)]

Why not just shoot all the users. We can't have the employees ruining our perfect computer network with work and stuff.

Re:Big surprise

[Frogbert (589961)]

This got me thinking. How many users are out there that know their computer was infected or screwed with while they were visiting a porn site, and are too afraid of getting fired (for looking at porn) to tell IT that something is wrong.

Food for thought.

Re:

[glwtta (532858)]

In my experience, they are fairly forthcoming in reporting malware infestations (usually "computer runs slow" is what they come to me with), and then lying through their teeth about what they've been doing to get there.

Actually, here's the complementary thought

[Moraelin (679338)]

This got me thinking. How many users are out there that know their computer was infected or screwed with while they were visiting a porn site, and are too afraid of getting fired (for looking at porn) to tell IT that something is wrong.

Food for thought.

Actually, here's another thought for you: how many got pwned by other means, but are affraid that some "lusers are idiots" type will blame it on porn? I've only skimmed through the thread and I already see two blanket generalizations to the effect that, respectively, (A) infections come from porn surfing, and (B) the user is lying through his teeth if he's saying otherwise.

The fact is, there are so many ways to get pwned today, it's not even funny. Email attachments, trojan programs packed as some cutesy screen server or utility you can download, phishing-like schemes where you're sent to a page chock-full of IE exploits, warez sites (tend to be worse than porn as infection risk goes), spyware serving ads with exploits in them, or rarely a genuine site or ad provider getting pwned and helping spread exploits (don't assume that _only_ spam zombies can possibly ever get installed when security is breached), etc.

Yes, you can say that they should have known better, but it's still not porn. And it sometimes comes with the endorsement, real or faked by a trojan who took over a friend's address book, of someone they know. E.g., every company has a wiseguy or two setting up some jokes mailing list and forwarding there anything he receives, indiscriminately, including links to other sites. And by indiscriminately, I mean here one even managed to forward a couple of business emails to that list.

Then there are malicious insider jobs. There are cases of sheer idiocy on the part of some techie or programmer or PHB. (You can occasionally read advice even on /. to the effect of leaving a backdoor to some client's machine so you can remotely debug it, for example. Or insecure stuff left in programs just on the assumption that noone will know it's there.) Etc.

Re:Actually, here's the complementary thought

[lukas84 (912874)]

The problem is, that the whole story is two sided.

It's very hard to maintain an open attitude when working in IT. Especially when you're doing Internal IT only (i mostly work for our customers, and do our internal IT as a side job).

People fuck up, and are afraid of the consequences when they fucked up - thus they will try to find something else to blame.

IT People fuck up too, and are afraid of the consequences when they fucked up - thus they try to find someone else to blame.

The consequences are that Users and IT People don't trust each other. And this is bad, very bad.

IT is something to make your users more productive, and help them to get their work done faster. A restrictive policy usually won't help you with that. My company has a very open IT policy - and i think it helps with both morale and problem resolution.

We even allow our employees to plug their own laptops into the company network. Yes, it's risky. But the problems incurred and benefits reaped are a better than properly securing this (e.G. buying 802.1x switches and segmenting clients into VLANs according to their identification).

Remember - IT is an internal service to make the company work better. IT is not an end, it's a means to achieve an end faster. You as an IT guy should think about "how do we get our employees to be more productive" and not "how do we restrict them as much as possible so that i can sit around and read dilbert all day long".

Re:

[flyingfsck (986395)]

I can click on anything using any of my computers and I don't get infected with crapware. This is how it should be. You cannot blame the users for the idiotic security flaws of rotten computer systems.

Make them pay!

[Tijaska (740114)]

If corporates host boxes that pump out spam, sue them! Their firewalls shouldn't allow emails to flow out of their networks except from one of their approved mail gateways, which should require user authentication before accepting mail, and which should apply reasonable limits like 300 emails sent per source IP address per day, except for the corporate's own spam machine (a.k.a. marketing). Corporates should be held accountable for choosing cheesy software that allows viruses to take over their boxes, and

Re:

[flyingfsck (986395)]

Yup - with a helluvalot of effort, even Windoze can be made secure. Here is the manual:
http://www.microsoft.com/downloads/details.aspx?Fa milyID=d39d0028-7093-495c-80da-2b5b29a54bd8&Displa yLang=en [microsoft.com]

If you do it right once, then ghost it, you can make as many secure PCs as you need.

Admins who don't secure corporate PCs are just lazy, stupid or both...

Little problem..

[cheros (223479)]

Admins who don't secure corporate PCs are just lazy, stupid or both...

You're assuming two things here which aren't always true in corporate life:

1. Admins have control over all the machines on their network. That's a good theory, but even in the story above you'll find the problem to be unauthorised connections. In well managed setups that won't happen often, but it only takes one idiot to make a mess. Worse, sometimes you have an embedded system that is overlooked. Photocopiers, phone

I guess

[iminplaya (723125)]

As long as it wasn't the computer controlling the inanimate carbon rod, we should all be okay, right?

These same guys INVENTED spam..

[burnitdown (1076427)]

In the old days, they used to mail it to you. Yeah, on paper. And then you had to throw it out, and 800 billion tons of it are rotting in a landfill somewhere. The Fortune 1000 contains some of the people least concerned about the environment, or your spam-free virgin mailbox.

Reminds me of when I first started my current job,

[BurningFeetMan (991589)]

The PC hadn't been turned on in about 6 months. Apparently the dude who I was replacing was into Russian brides and err, certain types of ethnic pr0n, and had got the sack for various dodgy reasons 6 months prior to my instalment. Anywho, in the 6 months that this computer was un-manned, my company installed Norton across all other PC's.

My 2nd day was interesting, when I first turned on the computer. EVERYONE who had the Norton running detected all sorts of network worms and virusiis's (:P) the second I'd booted into Win XP. I thought,
"Oh crap, here we go. Time to clean up this mess..."
and began a search for *.jpg. Kapow, tonnes of hairy pr0n, selected all and shift deleted.

Next, it was time to install the company antivirus software, which was Norton. The next couple of days were spent trying to free my infected system of all sorts of goodies. I started by enabling the Norton Mail Monitor, and oh my, how funny!

"Scanning out going mail, Scanning out go-Scanning out going mai-Scaning out g-Scan"

The WHOLE screen filled up with Norton "scanning out going mail" boxes, like, 100's of them. This was my first job outside of the IT industry, and a big WELCOME TO THE REAL WORLD for me. So yes, what's the point of my story? Well, Russian brides are hairy. OH, and not all companies have IT departments, let alone competent IT staff who can source and cease zombie machines from operating.

Re:Reminds me of when I first started my current j

[David Off (101038)]

Why didn't anyone pick up his PC was spewing viri etc when he was still using it? I don't understand why they didn't just ghost his machine like most companies do? After all there can't have been much worth saving if the m/c hadn't been turned on in weeks. I also think this "surfing dodgy sites" == "malware" is a bit overplayed. First of all a good proxy could block a lot of this stuff, such as executing certain types of Javascript and secondly unless someone is installing stuff by clicking on pop-ups or wh

(contractor at one of its power generator plants)

[colfer (619105)]

D'oh!

Good bye erection dysfunction

[RealityNews (1080601)]

The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks.

So I will finally be able to get viagra from reliable Internet sources? God bless you, capitalism!

Corrupt [corrupt.org]

Maybe it's time

[dreamchaser (49529)]

Maybe it's time for individuals and corporations to be held libel for what their computers spew. Got a botnet sending phishing emails from your business? Boom, big fine. Got an infected home machine sending out spam? Boom, a somewhat smaller fine.

Is the corporation centralized?

[br00tus (528477)]

It is easy for me to see this for a number of reasons.

1 - Is the entire corporation's IT department centralized? HP is a F1000 company - is HP and Compaq's computer networks fully merged? Or for Citigroup, is the old Citicorp network fully merged with the Travelers network? Or were Travelers Salomon Brothers and Smith Barney networks merged before that? And so forth. Wal-Mart's corporate network is probably standardized, but a lot of companies are the resut of many mergers over the years. Or some companies are just of a type where different divisions are very different so there is no or not much centralized corporate IT.

2 - Does the corporation have a global network? Global multi-national corporations have computers all over the world, and it can be hard to have a standard network in New York, Tokyo and London (etc.) New York and Tokyo may be solid, but London may be open to problems etc.

Defense in depth.

[khasim (1285)]

Those are the biggest companies that should be able to afford the best security measures.

You know what? With a couple of old boxes and Linux you could setup a smaller company so that this would never happen.

Use Linux as your firewall and restrict any outbound SMTP connections to your email server.

Use Linux and Snort to monitor crap on your network.

Use Linux as your DHCP/DNS server and lock down the IP addresses by the MAC addresses. Yes, this is labour intensive. But it will allow you to keep all your regul

Re:

[csk_1975 (721546)]

What I don't understand is why you would have outbound filtering at all for any desktop machines. Having any routes from any desktop to anywhere near the Internet is asking for trouble. Default route them to a dead end occupied by a snort box. Proxy all valid Internet traffic via servers specifically setup for this purpose. Allow those servers to have routes to the Internet or better yet to secondary proxies located in your DMZ and filter inbound and outbound connections from those servers. Have an internal

Re:Not suprising to me

[Bonker (243350)]

Also, frequent laptop-toting business travelers (almost universally salesmen) also have more limited access to their local IT techs.

For example, I've worked fairly frequently with a poor lady who was a salesman for a remote market. She lived there rather than near my office. Her email account got suspended at least once a week due to the fact that her laptop had syphilis, gonorrhea, warts, crabs, and just about every virus and worm known to man.

Phone walk-throughs just didn't help with this lady and the local ISP (mandated by accounting) blocked any ports that could be used to remotely administer her machine. Finally we had her fed-ex it to us for cleanup, wipe, and reinstall of a fairly-well locked down windows system with our (accountant selected) workstation antivirus app.

This cycle continued four or five times. Her Antivirus app somehow got disabled and her machine became Typhoid Mary. She shipped the Laptop back and we tried to lock it down as securely as possible.

Ultimately, we discovered that an internet cafe she frequented was infected with a particularly nasty spam-bot worm that our particular antivirus app didn't catch (An AnnaK variant, IIRC). We used this as evidence to override the accountant's selected cheapo antivirus with something that worked a little better.

Re:

[flyingfsck (986395)]

Yup - I worked at a small company where the viruses always originated from the CEO's laptop.

Re:Never attribute to malice...

[TopSpin (753)]

Isn't it a lot more likely that their Windows boxe(s|n) just got zombified?

You're probably right; spammers are among the most aggressive attackers and most of the F1000 have large distributed networks where a (hopefully) small number of systems are going to be vulnerable at any moment. On the other hand, these companies can and do pay for high quality and high capacity pipes. They are also far less suspect as a source of spam, and the ISPs will certainly be reluctant ($$) to take unilateral action to deal with suspect traffic (as some do with their residential customers.)

For all of these reasons F1000 hosts are many times more effective as spam zombies than your average asymmetric DSL host, so I have no problem with people exposing carelessness or neglect among these companies. They have the resources and talent to prevent this sort of abuse. If they're not, a little bad press might help. Earlier today we all learned that some 40+ million credit/debit card accounts got downloaded from commercial IT systems. I wouldn't be surprised to learn that those same companies have a long history of unwittingly contributing bandwidth to spammers.

Re:

[gmuslera (3436)]

Im not worried about spam sent by those machines. If you assume that all those machines are not sending spam because their usual user send it on pourpose, then means that all those fortune 1000 companies have maybe a lot of people with sensible information/passwords/access regarding their internal network, with compromised PCs (that have keyloggers, bots picking orders from their master, etc).

Having botnets composed by home users with their hobby pcs is bad enough, now when that botnet have a good numbers o

Re:

[MooUK (905450)]

Sending email by porpoise sounds like a fun idea...