
Fortune 1000 Companies Sending Spam, Phishing

An anonymous reader writes "The Register takes a look at spam touting everything from Viagra to phishing sites being sent from Fortune 1000 networks. Oracle was found to have a machine pushing out a PayPal phishing scam, and BestBuy had a system sending thousands of spams a month. The Washington Post's Security Fix blog also is tracking this story, finding stock spam being pumped from ExxonMobil and from American Electric Power, among others. Another machine at IndyMac Bank was the source of spam touting generic prescription drugs. From the story: '...an IT engineer with American Electric Power, said the stock spam came from a bot-infected computer belonging to a contractor at one of its power generator plants.'"
  • by Recovering Hater ( 833107 ) on Friday March 30, 2007 @12:25AM (#18539453)
    Once you consider how many Americans are supposedly still on dial-up it stands to reason that some portion of the zombie bot-nets will be hosted on corporate America's computers instead of in the home.
  • by Anonymous Coward on Friday March 30, 2007 @12:32AM (#18539507)
    If you're not going to RTFA, you could at least read the summary...
  • maybe (Score:2, Insightful)

    by mastershake_phd ( 1050150 ) on Friday March 30, 2007 @12:32AM (#18539515) Homepage
    Well, laws haven't stopped spammers or botnets yet, maybe big companies suing them for millions (or billions) in damages will, couldn't hurt.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday March 30, 2007 @12:33AM (#18539525)
    Yeah, home users aren't the whole problem.

    But why aren't these companies correctly firewalled? Why do they allow machines other than their email servers to make outbound port 25 connections?

    Why aren't their logs monitored? Wouldn't this be easy to spot?

    Even with the resources of the biggest companies, their people cannot keep their machines clean or even stop them from sending spam. Who knows what else. A spam zombie can just as easily log network traffic, passwords and anything else on their wires.
  • Defense in depth. (Score:3, Insightful)

    by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday March 30, 2007 @12:40AM (#18539581)
    Those are the biggest companies that should be able to afford the best security measures.

    You know what? With a couple of old boxes and Linux you could set up a smaller company so that this would never happen.

    Use Linux as your firewall and restrict any outbound SMTP connections to your email server.

    Use Linux and Snort to monitor crap on your network.

    Use Linux as your DHCP/DNS server and lock down the IP addresses by the MAC addresses. Yes, this is labour intensive. But it will allow you to keep all your regular machines on one sub-net and all other machines (laptops and such) on a different sub-net. That way you can put a few more restrictions on those machines. And a bit more monitoring.

    That way you have multiple points at which you can become aware of a problem. And multiple points where an attack will fail.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday March 30, 2007 @12:46AM (#18539643)
    Port 25 is usually for server to server SMTP transmissions.

    If you're an end user, you should have a username/password and be using port 465 or 587 (or whatever your email admin set up).

    That is why companies should block outgoing port 25 connections from everything except their own mail servers.
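
The log check khasim asks about in the comments above (spotting hosts other than the mail server that open outbound port 25 connections), as an added example that is not part of the original thread. It reads firewall log lines in the netfilter LOG target's KEY=value layout; the addresses, the `SMTP-OUT` prefix and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions for this example, none taken from the thread: the mail server
# address, the internal range, and the "SMTP-OUT" log prefix.
MAIL_SERVERS = {ip_address("10.0.0.25")}
INTERNAL = ip_network("10.0.0.0/8")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines in the netfilter LOG target's KEY=value layout.
SAMPLE_LOG = """\
Mar 30 00:12:01 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=49211 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 00:12:01 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.7 LEN=512 TTL=63 PROTO=TCP SPT=49211 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Mar 30 00:12:02 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=49212 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 00:12:05 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.25 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=38001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 00:12:09 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.5.40 DST=203.0.113.50 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=587 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 00:12:11 fw kernel: SMTP-OUT IN=eth1 OUT=eth2 SRC=10.0.7.8 DST=10.0.0.25 LEN=60 TTL=63 PROTO=TCP SPT=40112 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 00:12:15 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.9.77 DST=192.0.2.44 LEN=60 TTL=63 PROTO=TCP SPT=33770 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 30 00:12:20 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.9
"""

def rogue_smtp_sources(lines, mail_servers=MAIL_SERVERS, internal=INTERNAL):
    """Count outbound TCP/25 connection attempts per internal non-mail host."""
    hits = Counter()
    for line in lines:
        f = dict(FIELD.findall(line))
        flags = set(line.split())
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # not SMTP on port 25 (587 submission is ignored), or truncated
        if "SYN" not in flags or "ACK" in flags:
            continue  # count each connection once, on its initial SYN
        try:
            src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed address fields
        # Internal host, external destination, and not an approved mail server.
        if src in internal and dst not in internal and src not in mail_servers:
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, n in sorted(rogue_smtp_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{host} opened {n} direct SMTP connection(s) to the Internet")
```
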
  • by Curien ( 267780 ) on Friday March 30, 2007 @12:49AM (#18539667)
    Well boo hoo for them. If I set network policy, I wouldn't allow people to download foreign e-mail. If the user's just getting e-mail from a POP connection, you lose the ability to check it for viruses, spam, phishing schemes, etc. Basically, you might as well let people plug laptops right into the enterprise LAN (you're NOT doing that, right?). If they want to receive e-mail at work, they should have it sent to their work address (perhaps via auto-forwarding).

    Scan every e-mail at the SMTP server. Scan every download at the proxy server. Protect your network. A little bit of latency isn't going to kill anyone.
  • by TopSpin ( 753 ) * on Friday March 30, 2007 @01:39AM (#18539931) Journal
    Isn't it a lot more likely that their Windows boxe(s|n) just got zombified?

    You're probably right; spammers are among the most aggressive attackers and most of the F1000 have large distributed networks where a (hopefully) small number of systems are going to be vulnerable at any moment. On the other hand, these companies can and do pay for high quality and high capacity pipes. They are also far less suspect as a source of spam, and the ISPs will certainly be reluctant ($$) to take unilateral action to deal with suspect traffic (as some do with their residential customers.)

    For all of these reasons F1000 hosts are many times more effective as spam zombies than your average asymmetric DSL host, so I have no problem with people exposing carelessness or neglect among these companies. They have the resources and talent to prevent this sort of abuse. If they're not, a little bad press might help. Earlier today we all learned that some 40+ million credit/debit card accounts got downloaded from commercial IT systems. I wouldn't be surprised to learn that those same companies have a long history of unwittingly contributing bandwidth to spammers.

  • by burnitdown ( 1076427 ) on Friday March 30, 2007 @02:18AM (#18540093) Homepage Journal
    In the old days, they used to mail it to you. Yeah, on paper. And then you had to throw it out, and 800 billion tons of it are rotting in a landfill somewhere. The Fortune 1000 contains some of the people least concerned about the environment, or your spam-free virgin mailbox.
  • by db32 ( 862117 ) on Friday March 30, 2007 @02:25AM (#18540115) Journal
    I seriously hope you are being sarcastic. If I ran across a firewall admin on any corporate network allowing outbound 25 from anything but the corporate email servers I would suggest canning their asses in a heartbeat. It is just stupid on so many levels. First of all checking personal email from work should be on the top 10 things of "you aren't allowed to use the corporate network for this", beyond that, outbound 25 has precious little to do with that anyways, unless they are running an email server on the corporate network in which case that should be #0 on the list since #1 assumes that your employees aren't stupid enough to use your corporate resources to run personal servers, either way a good firing would fix that in a hurry. Honestly, since most corporate networks these days are using exchange boxes, they shouldn't even really be allowing outbound 25 from ANYTHING on the internal network. A good admin will have a secured relay be it part of the firewall or a sun box or something other than allowing the win/exchange boxes from talking directly to the net.

    You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases. The enterprise network exists for the sole benefit of the enterprise. Personal email, instant messages, myspace, what the hell ever, has a risk that FAR outweighs any potential benefit. If your employees can't leave their email/myspace/im friends for 8hrs a day you should probably find employees who can. There is plenty of websurfing around that doesn't involve grotesque breaches of security to keep people entertained while they are being productive. If the company is paying you so little that you can't afford your own internet access you should probably find a new job.
  • by br00tus ( 528477 ) on Friday March 30, 2007 @03:23AM (#18540355)
    It is easy for me to see this for a number of reasons.

    1 - Is the entire corporation's IT department centralized? HP is a F1000 company - is HP and Compaq's computer networks fully merged? Or for Citigroup, is the old Citicorp network fully merged with the Travelers network? Or were Travelers Salomon Brothers and Smith Barney networks merged before that? And so forth. Wal-Mart's corporate network is probably standardized, but a lot of companies are the result of many mergers over the years. Or some companies are just of a type where different divisions are very different so there is no or not much centralized corporate IT.

    2 - Does the corporation have a global network? Global multi-national corporations have computers all over the world, and it can be hard to have a standard network in New York, Tokyo and London (etc.) New York and Tokyo may be solid, but London may be open to problems etc.

  • by paeanblack ( 191171 ) on Friday March 30, 2007 @03:37AM (#18540417)
    You can argue morale issues until you are blue in the face, network security should trump that in 99% of those cases.

    That's a classic example of IT narrowmindedness. If the employees no longer care, no technical measures will secure your data. Security is everybody's business, not just yours. People will naturally protect that which they care about. No morale = no security.

    As you seem to be from the school of "a good firing will fix anything". Hopefully for your own sake your boss wises up and uses a 'good firing' to adjust your attitude, because I doubt anything else will penetrate that skull.
  • by lukas84 ( 912874 ) on Friday March 30, 2007 @06:49AM (#18541255) Homepage
    The problem is, that the whole story is two sided.

    It's very hard to maintain an open attitude when working in IT. Especially when you're doing Internal IT only (I mostly work for our customers, and do our internal IT as a side job).

    People fuck up, and are afraid of the consequences when they fucked up - thus they will try to find something else to blame.

    IT People fuck up too, and are afraid of the consequences when they fucked up - thus they try to find someone else to blame.

    The consequences are that Users and IT People don't trust each other. And this is bad, very bad.

    IT is something to make your users more productive, and help them to get their work done faster. A restrictive policy usually won't help you with that. My company has a very open IT policy - and I think it helps with both morale and problem resolution.

    We even allow our employees to plug their own laptops into the company network. Yes, it's risky. But the problems incurred and benefits reaped are better than properly securing this (e.g. buying 802.1x switches and segmenting clients into VLANs according to their identification).

    Remember - IT is an internal service to make the company work better. IT is not an end, it's a means to achieve an end faster. You as an IT guy should think about "how do we get our employees to be more productive" and not "how do we restrict them as much as possible so that I can sit around and read Dilbert all day long".
  • by MooUK ( 905450 ) on Friday March 30, 2007 @07:09AM (#18541327)
    Sending email by porpoise sounds like a fun idea...
  • by db32 ( 862117 ) on Friday March 30, 2007 @09:36AM (#18542369) Journal
    IT narrowmindedness? Sure, whatever, I am so sick of users justifying the most insane bullshit on the network and then crying about the IT department enforcing such harsh restrictions. Go buy your own internet access and expose your home network to whatever you want, not mine. Then on top of this it's the IT department's fault when the secretary has installed 18 random mouse cursors and other malware crap and her computer runs like shit. While doing contract work I almost watched a woman get fired on the spot for that crap because they kept having to call my company in and send me out to bill them for something like $70/hr to come and fix this woman's PC. Finally the boss asked me what it was and I told him she has all this garbage installed and every time I remove it she puts it back on and then I have to come back out and fix it. So...she was costing her company hundreds of dollars in support because she just HAD to have the puppy theme for IE and all the puppy cursors.

    Further, since I have frequently worked on secure networks, if I catch you doing something stupid you are likely to get reprimanded and depending on the level of stupid fired, if higher up the chain catches you, or something bad happens due to your nonsense...you are looking at fired or jail. So in fact when dealing with sensitive networks that is the method because it isn't fun and games, it's business, and the corporate network doesn't exist for your amusement. There is plenty you can do to kill time with a solid network with good policy, that doesn't involve installing a bunch of BS, or allowing IM/Email/etc. Unless you haven't been watching the news, data exfiltration is a major issue, and most problems are inside jobs.

    I seriously don't understand this IT narrowmindedness crap that keeps coming up. Users expect their IT department to protect them. They follow the logic of "if I can do it then I must be allowed to do it and it must be ok" A good IT department lays down solid policy and enforces it. Security is everyone's business, but it's the IT department's job. You can bet your ass the first time something goes wrong the IT department is going to be answering a lot of questions about "why didn't you have something in place to prevent this".

    Exposing your network to user stupidity has nothing to do with morale. People cry this morale bullshit when trying to justify poor policy or poor behavior when it's just a failure to do their job or take security seriously. We have had IPTV on the network for ages, you can watch any number of TV channels fed through the network. Live TV, and not sucking down precious internet bandwidth. But people will still bitch and moan about wanting streaming media so they can watch whatever stupid clips they find on myspace that have driveby malware installs and other such exploits and then when a good admin blocks myspace people like you will cry about how awful and draconian it is to protect your network from threats when the users want to expose millions of dollars of equipment to risk.

    I invite you to go deal with a Melissa "virus" type cleanup, not even really a virus, user must interact with it and it still spread like wildfire and caused millions in damages on just the few networks I supported at the time. (In fact almost watched a guy get fired on that one too for causing the loss of 2GB of marketing images). Even better, go deal with a real virus that can spread on its own because some dumb bastard clicked on cool_mp3.scr from his webmail that he shouldn't have been using. A real outbreak costs an insane amount to contain and most of the time it could have been prevented by good policy and enforcing that policy.

    My responsibility is to the security of the network, not the whim of the user.
