Sobig Worm Attacking RBL Lists? 260
Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"
Re:Viruses - not necessarily. (Score:2, Informative)
Simple solution (Score:2, Informative)
Re:Not really surprising, is it? (Score:2, Informative)
Re:I hope so! (Score:1, Informative)
I agree with you on that one. Not only does the traditional open-relay lists make it easy to find open relays to abuse, but the newer broadlisting of spam-sources, which hurts unbelievably many besides the spammer, doesn't have any impact on the amount of spam I see in my mailbox every day. So you have something which doesn't work as it is expected to, which actually aids the spammers, and which is run by people so fanatically thick-sculled and narrow-minded to fix it when they make a mistake, we do have something that is far worse than the disease. If only the blacklists were run according to clear rules which includes ways to appeal or review listings, they would be somewhat better than the vigilante lists we have today.
Yes, it's me with the unfair SPEWS and SpamHaus listing... We are still listed despite having done what we're supposed to: Discovering the spammer, warning the spammer, booting the spammer and informing SPEWS and SpamHaus. They goofed and made an error in their listings (to include a different customer that never has spammed) and now they can't see that the spammer is long gone. No spam involving our networks for over 9 months now which should be evidence enough but they still haven't delisted us.
Yes, I hope those blacklists are gone soon. We don't want fanatics with a God-complex and a grudge to have the power to drive people out of business without clear justification.
"Secure" network.. (Score:2, Informative)
It is unfortunate, however, that the majority of the spam I am receiving is from low lives who run a virus and now I get 143K size attachments being rammed to me.
If they are going to do something there has to be a concerted effort by ISPs to work together to kill of open relays and people who spam rather than getting a real job; 8 to 6, crappy holidays and unreasonable pay. If 95% of people out there can live their lives like normal adults, I think that these spammers can too.
Comment removed (Score:4, Informative)
How the attack works (Score:5, Informative)
Before the SoBig virus, each mail server receiving mail would, in the course of a day (about how long DNS black list records would be cached), get SMTP connections from a certain set of other mail servers. Most of those mail servers would be the ones from which email regularly comes in. Although people would have lots of email addresses in their address books, and even more in other files, most only regularly exchange mail with a small subset.
Enter the SoBig virus. It gathers up email addresses, not only from the address book, but also from email contents, web cache, documents, and just about everything else. Then it sends email to them in a probably uniform distribution of selection. The number of different domains being sent to from one computer in a day is now much larger than normal (in addition to the increased traffic). At the receiving mail servers, the number of different mail servers the SoBig spam is coming from is also much larger than normal. Now mail servers are getting mail from just about every mail server that has any user with any instance of a user email address that names that receiving server.
With the same mail servers sending mail over and over, the receiving server's DNS cache will have hits very frequently. With an increase in diversity of mail servers trying to deliver the SoBig spam, the number of cache misses goes up. Each cache miss means a query that recurses back to the DNS blacklist servers. Thus the query load on those servers goes up, effectively a DDoS.
Additionally, most DNS servers out there are "open recursive name servers". That means they let anyone, anywhere, do a recursive lookup. Spammers can drive even more load on the DNS blacklists by sending out DNS queries (with forged source addresses, of course, so they don't have to deal with the bandwidth of the answers) to those open recursive name servers, forcing more and more queries to focus in on the authoritative servers for the DNS blacklists.
This attack can be successful because spammers have far more network access from a wide variety of places than there are authoritative name servers for DNS blacklists (the ultimate target). And since recursive DNS lookup only has that server for a source address, all the DNS blacklists will see are queries from those open servers.
One way to address some of this problem is to close off recursive lookups. But given that millions of networks are run by incompetent or non-existant administrators, that isn't likely to happen on the scale needed to prevent the abuse. And it won't stop lookups by the receiving mail servers trying to check out all the different SMTP connections due to the spam from the viruses.
Blacklists will most likely end up having to be done by a means other than DNS, unless blacklist operators can manage to acquire sufficient bandwidth and server power to ride out the loads (which could very well be even greater than the GTLD servers that host "com" and "net" would see). Some form of distributing a static list file will probably happen. And, unfortunately, that means whoever gets listed will have a much harder time getting out of all those distributed lists, as many people won't be updating them as often as they should. The original reason to use DNS was to have a relatively quick means to remove a listing and have it take effect throughout the internet. By breaking the DNS mechanism, the ability to remove a listing is what suffers the most.
What I hope will end up happening is that spammer networks and generic (dialup, cable modem, DHCP, etc) addresses get listed in distributed files, and the more transient cases still get handled by DNS. The listings in DNS would be the ones that won't be so important to big time spammers, so they would be less attractive targets of attack, and if attacked anyway, would not open up the major points spammers find easy to use (e.g. their own networks and the generic networks where open proxies are found all over the place).