How Hackers Identify Their Targets

narramissic writes "In a recent article, security guru Brent Huston writes about research he did to get inside the minds of spammers and expose some of the processes they use to identify potential targets. Huston says that among the four common ways that spam is spread, the most common method that spammers use is via open relays. Huston's research also revealed that 'they were doing much more server analysis' than he had expected and that they take a multi-step approach: 'They scan the server for proper RFC compliance, and then they send a test message to a disposable address. Only after these are complete did they adopt the tool to dump their spam.'"

How Hackers Identify Their Targets:

[Anonymous Coward]

1) Look for SSID "Linksys"

2) Connect
3) ????
4)> Profit!

Re:

[crashelite]

dood this granny has a 10 meg down and a 5 meg up SPAM CITY MAN!!!

Duh... It's so obvious...

[__aaclcg7560]

The Microsoft Windows logo is dead give away. It screams "Bite Me!"

Re:

[JeanBaptiste]

... because sendmail has never had any security vulnerabilities....

Re:Duh... It's so obvious...

[laffer1]

Like sendmail is the only mail server to ever have a security problem. iMail and Netscape/iPlanet/Sun One/Java Enterprise mail server comes to mind. Even the holy grail of mail servers (to some) has had issues in the past.

See http://postfix.it-austria.net/releases/official/po stfix-2.3.3.HISTORY [it-austria.net] and search for Security.

I really get sick of this sendmail bashing. There are problems with sendmail and they are trying to rewrite sendmail to solve them. There is no such thing as perfectly secure software. Even OpenBSD has had a remote security hole in 8 years :)

Re:Duh... It's so obvious...

[whoever57]

I really get sick of this sendmail bashing. There are problems with sendmail and they are trying to rewrite sendmail to solve them. There is no such thing as perfectly secure software.

Perfectly secure: no. But look at Secunia's reports:

Postfix 1.x:

Affected By 1 Secunia advisories

Unpatched 0% (0 of 1 Secunia advisories)

Postfix 2.x:

Affected By 0 Secunia advisories

in contrast, look at Sendmail 8:

Affected By 10 Secunia advisories

Unpatched 10% (1 of 10 Secunia advisories)

So, given that there are unpatched vulnerabilities in Sendmail, why should you wait for the team to finish re-writing the code? Now, it is possible that Sendmail has some advantages in very high volume situations (although there are some older benchmarks that show Postfix was faster), but why would you want to use an MTA that is more difficult to configure and has known vulnerabilities?

I believe the main reason that people use Sendmail is that, having gone to the trouble to learn how to configure it, they don't want to waste that effort (as well as it being the default MTA in many distributions).

Re:Duh... It's so obvious...

[strabo]

Unpatched 10% (1 of 10 Secunia advisories)

Oooooh! Unpatched vulnerability!! Eek!

Sendmail fails to log all relevant data [secunia.com]

Critical: Not critical

Description:

Sendmail fails to log all details about connections if supplied with an IDENT of more then 95 characters.

It is possible to hide your identity from the sendmail log, if you supply an IDENT that is more than 95 characters, information about your identity however will still be written in any email you may sent. The problem is that someone may try to footprint your system, but when you check your log files, you will not be able to find the IP address and hostname of the attacker (or spammer).

Solution:

The easiest way to log these data is by enabling logging on the firewall and making sure that the time is synchronised on the firewall and mail server.

Re:

[tubapro12]

Really? I've managed to come up with perfect security software that runs on Windows...

#include <windows.h>
int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE hPrevInstance, LPSTR lpszArgument, int nFunsterStil)
{
ExitWindowsEx(EWX_FORCE,0);
return 0;
}

Re:Duh... It's so obvious...

[daeg]

It doesn't take a security vulnerability to make sendmail vulnerable... all it takes is a rookie Linux administrator configuring it and setting it up incorrectly.

Many times I imagine that rookie administrators are trying to get sendmail just to work right so they enable something they shouldn't. It works... and they never bother to address their issue correctly, or even know that they addressed it incorrectly.

Funny

[Enderandrew]

I thought they build bot-nets and largely hit as many people as the can.

This article suggest that hackers are primarily spammers, when there are many tactics, the largest involves malicious code on a webpage or bot-nets distributing worms via instant messangers.

Re:

[ZeroExistenZ]

I thought they build bot-nets and largely hit as many people as the can

You mean one can of spam?

I thought they were like blond giants, breathing fire, shattering backdoors, giants taller than trees, with pointed ears like RPG elves and eyes like fire and hands with plastic claws and hooks; seen as savages, as barbarians, as beasts blood-thirsty and mad with viagra and penis enlargement pills, with braided hair, clad in furs and leather, with bare chests, with great souvenier axes which, at a single strok

hacker /= spammer

[enlefo]

The title to the story says how hackers identify there targets but the story is about spammer. They are different.

Re:

[StringBlade]

But 'hacker' is the cool new way to say 'cracker' when talking about black-ops virus writers and spammers and other ill-behaving developers. Try as you might to change it back it's become engrained in our modern language, only the hackers will remember that hackers are the ones who come to the rescue, not the script kiddies who call themselves 'leet'.

Re:

[Hamilton Lovecraft]

Editor and author both meant "Nazi Islamofascists".

Rating: 'Score -1, Funny'

[jelle]

"(Score:-1, Funny)"

Do we have a new rating for bad humour?

Re:

[gnaa323]

good observation. hacking is not the same thing as spamming or sporging or flooding or mail box boming....

Re:

[gkhan1]

While you are correct, many spammers use botnets, which means they have infiltrated a large number of computers and installed malicious software on them. This arguably makes them hackers (some of them atleast, some can be characterized more as script kiddies). So it's not a huge error.

Also, one might argue that what spammers do is penetrate spam filters, just as other hackers penetrate computer security. It's a shaky argument, but it's not completely invalid. It all depends on how you define a hacker.

More spammers/cracker/phisher/virus cooperation

[billstewart]

It used to be that most spammers were crackers in the sense of "dumb rednecks in their single-wides", as opposed to "politically correct term for a malicious hacker or script kiddie". They might buy a spamware product written by a hacker, but they usually weren't doing any actual cracking because it was too easy to abuse open relays or buy service from cheap dialup providers using optionally-stolen credit cards.

These days it's a lot different - crackers are using malware to turn PCs into zombies, and renti

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[PandAk EndUt 770]

To the mainstream media,
hacker = someone doing bad things on the internet.

well,as far as i concern:
cracker = someone doing bad things on the internet/machines.while,
hacker = someone doing bad things on the internet/machines/programs to discover any vulnerabilities of those stuff and team up with particular in-charge person to tackle all the flaws and lacks.

Re:

[tt074321]

hacker /= not really bad cracker = spammer = bad

My favorite tool...

[$RANDOMLUSER]

...for getting into the minds of spammers is a couple rounds of semi-jacketed .357 hollow-points.

Re:My favorite tool...

[Tackhead]

> ...for getting into the minds of spammers is a couple rounds of semi-jacketed .357 hollow-points.

*BLAM!*

You have received this delivery of copper and lead because you or a friend subscribed you to the "Bullet of the Week" list.

To opt out of "Bullet of the Week", please have each spammer in your MLM's downline submit the following form in triplicate, including at least one of their own fingerprints, as well as one of your fingerprints, dipped in the bloody goo from your still-steaming remains.

Your security and privacy are important to us, so please allow 6-8 weeks for us to conduct the proper forensic analysis to verify the identity of your downline member before we can remove you from our "Bullet of the Week" list.

NOTE TO DOWNLINE MEMBERS: Pay no attention to the fact that the middle of the three forms includes the verbiage "By placing my bloody fingerprint on this form, I hereby opt in to the Bullet of the Week mailing list".

Re:

[Chr0nik]

Brilliant. This post was simply ART.

Killing spammers has been done

[billstewart]

A few years ago, a couple of Russian-immigrant spammers in New Jersey were found murdered. General opinion was that they were running a pump&dump stock scam, and some of their "customers" got upset about losing money. There've been a few others since then.

DVR Spammers On The Rise

[Debonair23]

Don't forget the rising trend of using DVR players as a way to spread spam, as mentioned in an earlier Slashdot article.

Hackers != Spammers

[NaNO2x]

This is the type of negative image that hackers need to stop. I had a long conversation with someone on the differences between hackers and crackers and I can understand the confusion, but spammers and hackers, this is taking it a bit to far.

Re:

[Abreu]

Hear, Hear!

This is Slashdot, for cryin out loud! I would understand this type of glaring error in a Newsweek article, but in "News for Nerds"?

Re:

[maelstrom]

STFU and go home. If Slashdot is only left with arrogant pricks that calls everyone "peasants", I really don't want to be here anymore. I could just as easily make the same argument about you, Slashdot was even better before the six digit noobs got here. Let's cut off all the peasants who have > 4 digits in their UI.

Re:

[towsonu2003]

The more you know, the less you understand.

Re:

[karnal]

*whew* Just made it....

Re:

[StringBlade]

Let's cut off all the peasants who have > 4 digits in their UI.

*whew* Just made it....

Hmmm...methinks you should start over with remedial math.

Re:

[karnal]

Slashdot was even better before the six digit noobs got here.

That's the line I was referring to, in case you really were wondering.

Re:

[MrEd]

Holla!

Re:Hackers != Spammers???

[MollyB]

A bit too far?-- It is only another example of NewSpeak, which is now a juggernaut jeopardizing everything from Advertising (Belly Fat is Not Your Fault) to Politics (We fight them there so we don't have to fight them here); the list of misleading euphemisms grows as our collective mental quotient declines...

Conflating spammers and hackers because they both use computers is like saying that crooks and cops are dangerous people because they carry guns. Bad example. You get the idea.

Oh, give it up, already!

[NineNine]

Dude, give it up! "Hackers" now means someone doing something malicious to computers. You can say it means whatever you'd like, but that's not what the word means in common usage. That's how language works. I can tell people that I drove my banana to work today, but "banana" doesn't mean "car" just because I say so, any more than "hacker" means benign computer geek because you and a handful of "hackers" says so. I suggest you move on with your life, and pick a new word for the good guys.

Re:

[quintessentialk]

Yeah! Thank you NineNine. Wishing a thing were so doesn't make it so, especially when it comes to something as dynamic and decentralized as the English language.

Re:Oh, give it up, already!

[kinglink]

except hackers were original and always were good, it's because of the media who has told us over and over hackers are bad.

Read "Hackers" the book, written in 1984, long before any of those media morons that you believe now had even thought of the word.

Hacker is a term of skill, cracker is a term for a person who breaks into systems. And as you say just because the media tells me a banana is a car doesn't make it so.

Re:

[Lord Ender]

If "hacker" is a term for skill, then it holds no moral value. A "good" hacker is just as much a hacker as a "bad" hacker.

And good hackers are hardly ever newsworthy...

Re:

[sudog]

Hacker is NOT a term merely for skill. Therefore your premise is wrong.

Re:

[kinglink]

http://en.wikipedia.org/wiki/Hacker [wikipedia.org] is a good resource. Basically yes, a hacker could be either evil or good in theory. However using a rootkit, or some publicly known door to break into software isn't hacking. The hacking is the discovery of the exploits. The Cult of the Dead Cow are hackers. The people who use their software arn't. Most hackers tend to be after knowledge or knowing what they can and can't do, they arn't out to hurt people most of the time.

The list there is pretty good, the people on

Re:

[NineNine]

That's right. The meaning of the word has changed. Again, get over it.

Re:

[forgetmenot]

Hear hear!

I'm a hacker in the geek sense but I also refer to the illicit type as hackers too. Like you say, words are defined by how they're used by the majority AND they can have more than meaning.

In fact, the ONLY time I ever hear the term cracker being used to refer to in the "illicit computer activity" sense is here on slashdot when some old school pedantist gets his panties in a knot. In any other context is just a bread-like product eaten with soup.

Re:

[misleb]

WHen spammers have to jump through hoops and be very clever about not being tracked, aren't they hackers? Sure, there are probably many spammers who simply employ pre-made tools to spam. We can equate them with "script kiddies." But there are certainly spammers who go out of their way to find new and novel ways to get their their spam through.

-matthew

Re:

[bunions]

In related news, I'm also upset that 'gay' means 'homosexual' and that 'wicked' means 'awesome'

Goddammit, where's our National Ministry of Language Purity?!? Slashdot demands it!

Misattributed motivation

[loimprevisto]

From TFA:

They know that people use fake mail systems to track them, so they have implemented subtle checks into their scanning tools to catch fake mail servers. They do this by using less common commands from the RFC and using commands in improper order to test how the system responds. Until I implemented a fully RFC-compliant mail honeypoint, they were able to quickly identify the server as bad. They would then terminate their activity. However, once I deployed a honeypoint that allowed RFC compliance, t

Re:

[theelectron]

Shhh! Or they will catch on!

Seriously though, I think the idea is that spammers think honeypots are more likely to run non-RFC compliant servers and that RFC compliant servers are more likely to be trusted by recipient servers. That'd be my guess at least.

If I had to guess...

[khasim]

I'd say that they were looking for 3 things:

#1. Testing that it isn't someone's zombie.

#2. Making sure that it's compliant enough to get through other people's anti-spam tests.

#3. Testing the response (like nmap's ability to identify the OS) to identify the actual server instead of relying upon what it claims it is.

If they were worried about avoiding honeypots, they wouldn't be continually scanning ranges containing addresses that they had previously rejected because they were honeypots.

And for me, the majo

Hacky Definitions

[Doc Ruby]

I'm a hacker. I choose my target by seeing some new device or system that does something at least kinda cool. Then I say "I bet I can make it do something else cool." Then I do it.

They're talking about "crackers", "phishers", scammers and criminals. They're not trying to make a system do anything cool, except when it damages or robs a person. Just making a system do something unexpectedly cool is irrelevant unless it takes something from a person, not the system.

Re:

[Anonymous Coward]

I'm a hacker. I choose my target by seeing some new device or system that does something at least kinda cool. Then I say "I bet I can make it do something else cool." Then I do it.

That, of course, before the star trek rerun and while celebrating the third aniversary of the day a woman let you touch her...

Re:

[Doc Ruby]

Republicans fuck the green space chick only when she's underage, really a boy, or charging less than $45 credits per centistardate. If she's not green, she's gotta be their sister. I'm not dumb enough for any of that, but not too smart to talk shit on Slashdot.

Re:

[Aeamarth]

What?? Enlarging your penis is not cool enough for you???

Re:

[icebike]

The vast majority of SPAM does not arrive via open relays, but via compromised Windows machines.

Er, ah, what's the difference again?

Re:

[vertinox]

Er, ah, what's the difference again?

One is where the person installs a mail server and doesn't know how to configure it.
The other is where someone runs an operating system and doesn't know how to use it.

Of course the latter might be more because it it was made by developers who didn't know how to write it.

Zonk, your stories have high suck ratio.

[Anonymous Coward]

Zonk dude/chick, not sure. About 2 out of every 3 of your stories are misinformed, not important, or just fud. I admire the 1 of 3 stories you post but damn, lay off the POST button till you get your stuff straight. Spammer = hacker... sometimes yes, but in this community hacker > spammer. That's like calling PeeWee Herman and stud for what he did back in the day.

Thanks but no thanks for this one.

ORDB.org

[Itninja]

the most common method that spammers use is via open relays.

That's certainly true. Personally, I think corporations that continue to run open relay mail server should be fined. Especailly since you can just to ordb.org and see if you indeed are running on O.R.

Possible Solution

[daeg]

One possible solution to at least domestic-originated spam from open relays is to create a small government-contracted group of server administrators. Their sole job would to be to identify open relays and provide short-term aid to organizations with such open relays. Many of the smaller, vulnerable servers likely do not have a full time administrator, or even a part time one, for that matter.

Re:

[The Blow Leprechaun]

Another thing to do is, when you receive spam mail, to run the domain name through a whois lookup and possibly get the name of an administrator for the server, and contact them about it to make sure they're aware of potential problems with their system. It won't always work, but it might sometimes. http://www.dnsstuff.com/ [dnsstuff.com] for those of you who don't have whois as a basic utility.

Re:

[mernisse]

while this sounds like a "good idea" it's probably not.

#1 - alot of the time the ip address listed on the whois info is for the networking technical contact, in teeny weenie organizations this might be the same as the sysadmin, but often it's not. And in the end you'll end up wasting a bunch
of people's time trying to figure out what the hell you're talking about and who to route your message to.

#2 - most oranizations small enough to be an exception to #1 probably don't have sysadmins and will be doubly con

Re:

[oldosadmin]

As someone who works for an Emarketing company (one of the good guys, no spam), I gotta second that -- sending your spam to abuse@ the domain that sent it can be extremely effective. Someone sent out some UCE from an account recently, and we got an a abuse@ email about it, investigated it, and disabled the account.

abuse@ works, and is excellent.

The Article is WRONG

[E++99]

While I don't doubt the writer's observation that "continuous scans for open mail systems are ongoing in most IP blocks," his claim that this is the method that generates the bulk of spam is wrong. As someone who gets about 200 spams a day over three domains, and successfully blocks over 99% of it without using any techniques that can create false positives, I can tell you that well over 90% of spam comes from "servers" on IP addresses allocated for dial-up, dsl, cable or the like. In other words, either spammers running their own server software on an ISP account, or, more likely, botnets.

Something Else

[temojen]

Unless things have changed in the few months since I stopped admining a mail server, most DO NOT do any verification that the email was actually sent. At one point last year our server was experiencing serious slowdowns because some spammer was trying to send thousands of phishing emails, all of which were rejected with the standard "550 We do not relay". We just ended up adding their botnet's IPs to our firewall reject list.

Re:

[sudog]

Oh yea? Well I get 0 spams a day, no false positive, no filtering, and the effort I expend doing it is less than typing in one line of 10-20 characters of text every two weeks. :P

So there.. and stuff.

Hacker = Spammer?

[sdaemon]

Gah.

Re:

[it072091]

hacker is a 'good person' that try to test the system either secure enough from the intruder to do something bad to the system. and for spammer,their responsible to send an unwanted message to everyone.

Re:

[IT071961_nurashikin]

i agree with that opion. but the bad hacker we call it cracker...

They do?

[remembertomorrow]

I was under the impression that infected Windows machines just randomly scanned blocks of IPs looking for more services/machines to exploit.

Well, that's what my <insert service here> logs tell me anyways.

Test your own mail server

[perp]

abuse.net [abuse.net] will test your mail server for you. It tries many ways of relaying and displays a report that you can print out and show your boss how secure your server is :-)

Fancy posting a link?

[iamacat]

ooo

My experience is slightly different

[The Famous Brett Wat]

I'm doing anti-spam research, and although this sort of thing isn't my direct interest, I have dabbled enough to have implemented my own SMTP honeypot from scratch. My experience in doing so, and in tracking spam generally, is rather different from this article.

In the first instance, I'm surprised that botnets aren't listed as the #1 distribution vector for spam. Any computer criminal worth his salt uses a botnet these days. The really hard-core phishers not only distribute their spam that way, but reverse-proxy their websites through the botnet.

Open relays, on the other hand, seem to be relatively small beans in terms of actual spam distribution. Sure, I got a lot of hostile traffic on my SMTP honeypot, but it was a lot of sound and fury signifying nothing. Nearly all the relay-exploiting activity originated in Korea and sent non-English (presumably Korean) spam.

As for their testing of RFC-compliance -- what a joke! Most of the relay-testers I encountered couldn't even get SMTP syntax right: I had to adjust my parser to allow extra whitespace and other brain damage. What they test for is delivery. As far as I can tell, they don't give a damn about anything else but whether the mail passes through your system and into their test account (typically a free webmail account, like Yahoo!). I found that when I manually forwarded a test message out of my honeypot to the test address, I would get a flurry of mail representing an actual spam run (not just a relay test message). It gives one a certain smug satisfaction to know that you've just null-routed an entire spam run -- the first couple of times, at least. After that you realise that it's about as significant as taking a piss in the Pacific, and stop wasting your time.

The article says of the web-form distribution vector that "the spammer community maintains a database or list of vulnerable forms". I think their database is called "Google", or something like that. I get constant attempts at compromise on my phpBB forum, and I think that works the same way. Why maintain a database when you can just plug an identifying phrase into a search engine?

I should mention that the spam experience can vary distinctly from person to person, so my different experience doesn't necessarily indicate sloppy research on the part of this reporter. The article gives me the impression that this is his first foray into spam research, however.

Re:

[thogard]

I've noticed a second tier of testing that spamers use. They will often use their test account several times in the 1st 100 or so messages.

When spamers sell their services to the suckers that pay them, they will often do a free run of 10,000 to 100,000 and those end up with a very high hit rate on the suckers server so it looks like they will get far more when they pay up for the 800 million messages.

Its almost election time. Have you asked your running Attorney General why they haven't busted anyone for

Much ado about almost nothing

[udippel]

The whole article doesn't sound all too sound IMHO.

Except - maybe - the level that spammers take to test the MTA for RFC compliance. But then, after all, is that worth an article and a mention on /. ?

Here we still get plenty of spam from webmail and stuff. Here I couldn't confirm the 90% 'all open relay' thingy. As long as 'open relay' indicates a proper box, meant and setup as SMTPd and relaying. Personally, I don't call an owned clickety-click box an open relay. Call Redmond.

How Hackers Identify Their Target?

[IT074859]

Hackers attack on the any digital system goes through various stages. Below list defines the outline of a generic hacker attack: 1)Inventory of the targets. Hackers identify the possible attack targets inside a network system. 2)Assess the vulnerability. Once they identify the targets, hackers will attempt to determine if the company has any vulnerability. 3)Estimate exploits against the vulnerability. Finding vulnerability does not mean a hacker can execute an attack. The person must create an exploit t

Hacker!=Spammer

[IT074859]

Whoah!!!..this is way huge gap!...Hacker does not congregate spammer and spammer does not congregate hacker..Spammer uses the vulnerability of the MTA which does not recognize the sender even a fake ONES. The MTA only authenticate the recipients...So, which one poser more threat to DIGITAL SYSTEM?..HACKER OR SPAMMER???....

thinking like a hacker

[IT071961_nurashikin]

my personal opinion base on research that i have done...Thinking like a successful hacker is not much different from thinking like a good developer. The most successful hackers follow a specific methodology that they have developed over time. They apply patience and carefully document every step of their work, much like developers. The hacker's objective is to compromise the intended target or application. The hacker begins with little or no information about the target; however, by the end of the analysis

spammer

[pk075843]

1. Find temporary authorized and valid accounts with ISPs
2. Send spam through compromise hosts
3. Broaden using web forms
4. Spread through open relays

how hacker identify their target

[intanit072062]

i don't really get it.why the article talks about spam whereas the title is about hacker.isn't hacker and spammer are two different thing?or i'm the one who get it wrong.

Crackers are now target home users for cash

[pk075841]

According to the latest edition of Symantec's Internet Security Threat Report, malicious hackers are increasingly using bot-networks, modular malicious code and targeted attacks on web applications and web browsers. On average, Symantec monitored 1,402 DoS attacks per day in 2005, a 51 per cent was increased over that recorded in the first half of 2005.

Crackers are now target home users for cash. Consumers at home are now on the main target of malicious hackers intent on enriching themselves. Vulnerabilitie

Crackers are now target home users for cash

[pk075841]

According to the latest edition of Symantec's Internet Security Threat Report, malicious hackers are increasingly using bot-networks, modular malicious code and targeted attacks on web applications and web browsers. These bot-networks can be used not only to spread malicious code, but to send spam or phishing messages, download adware and spyware, launch denial of service attacks, or harvest confidential user information. On average, Symantec monitored 1,402 DoS attacks per day in 2005, a 51 per cent was in

Crackers target home users

[pk075841]

According to the latest edition of Symantec's Internet Security Threat Report, malicious hackers are increasingly using bot-networks, modular malicious code and targeted attacks on web applications and web browsers. These bot-networks can be used not only to spread malicious code, but to send spam or phishing messages, download adware and spyware, launch denial of service attacks, or harvest confidential user information. On average, Symantec monitored 1,402 DoS attacks per day in 2005, a 51 per cent was in