Most Spam Comes From Just Six Botnets
Ezhenito noted some research pointing out the (maybe) surprising finding that six botnets are responsible for 85 percent of the world's spam. That seems a bit high to me, but the only aspect of spam I am an expert in is *getting* it.
Most Spam Comes from just Six Bots, not Botnets (Score:5, Informative)
Srizbi: 39%
Rustock: 20%
Mega-D: 11%
Hacktool.Spammer: 7%
Pushdo: 6%
Storm: 2%
Other: 15%
This doesn't necessarily mean that most spam comes from six botnets. Some of the bots could be used by multiple bot masters; OTOH some botmasters could control multiple botnets using different bots.
Something else I just thought of:
The botmasters are going to use the best bot available, i.e. the one enabling them to send the most spam at the least cost. On the other hand, the "good guys" are fighting spam (and the bots). So whenever a certain bot starts taking over (currently Srizbi) all the good guys will focus on that one and try to shut it down. So the bot decreases in value and another, better bot will take over. Evolution at its best.
The Antivirus companies which are trying to fight the malware are also trying their best. The big difference is that while the success of a spambot can be easily measured by the customer (i.e. the botmaster), the success of an AV product is much harder to estimate. Also, the typical AV customer doesn't have the ability/time to find out which AV product is best for him. Moreover, AV products are some sort of subscription service (you buy the package and get 1 year of updates) which makes it hard to switch products. Often AV products are bundled with computers, selected by business principles and not by technical superiority.
In other words, the evolution process of malware is far superior to the one of AV products.
Re:Hmm (Score:2, Informative)
No!?
Rejecting on invalid HELO, no rDNS and checking the Spamhaus zen RBL is quite effective. Improving on that requires an admin to explicitly block known residential blocks via rDNS and IP (grumble).
Re:How much spam do you actually get? (Score:5, Informative)
Or you can put a prefix to your gmail address with a '+'. i.e. "temp+john38@gmail.com" the mail still gets delivered to john38@gmail, but with 'temp+john38@gmail.com' in the 'To:' field, allowing you to filter it easily.
Is this a surprise to anyone? (Score:3, Informative)
Really, this is nowhere near as useful as the spam distribution data that is available through spamhaus, telling us who is behind the bulk of the spam, and what geographic parts of the world they are associated with. The botnet building and controlling seems to be the easy part of the spammers' game now, and we can all thank our neighbors and their new un-patched boxes on 24/7 DSL / cable connections for that.
Re:Most Spam Comes from just Six Bots, not Botnets (Score:3, Informative)
When I first configure a Linux machine, constantly having to enter the root password annoys me too. My solution is to just log in as root, do all the setup needed, then log in as a regular user. I have just been informed by a colleague that Vista's implementation of UAC doesn't really allow this. If this is the case it is a bit of a design flaw.
Re:Most Spam Comes from just Six Bots, not Botnets (Score:5, Informative)
Everything. People run as administrator because they have to.
It's different in that a user does not have to run as root in Linux to get useful work done.
Ever tried to debug as an unprivileged user on W2K? Ever tried to install software? Just what is the Windows equivalent of sudo that ships standard with Windows XP?
Let me correct that for you: Windows won't let you do anything of substance once you're running as non-administrator. That is the problem.
Disclaimer: this situation has changed somewhat in recent years. However, considering the number of Windows users still running W2K or Windows XP (and for good reason), it's still concerning.
Re:People need to take responsibility (Score:3, Informative)
1) "static IP's" - we can already trace where all the stuff comes from - there are complete trails back to the sending machines and from there back to the perpetrators. But most of it generally comes from computers abroad, or from people attacking computers from abroad, or via proxies, all of which are subject to different laws and untouchable. Even ASKING for the details belonging to a particular IP that resides in a foreign country is unbelievably difficult. And you won't get them, but your law enforcement might. And you think you can shut them off before they cause damage because you have their IP address? Nope. It's too late. By that time, the botnet's already moved on to take advantage of the next exploit. We have dynamically updating, real-time, very expensive blocklists with dedicated people to add new machines as they are found - they don't stop that much, really.
2) "Laws that require people to assume some form of responsibility when they connect a computer to the net." - in every country in the world. With similar provisions. Quickly. Not going to happen. EVER. And then you're into why do you have to take responsibility and how do you ensure it? Your kid put a virus on your machine? I'll sue you, then. No? You caught a spyware toolbar which sends me spam? I'll sue you, again. You'd either sue people literally off their computer seats, everything would get thrown out of court, or you've just helped the government introduce legislation to make them monitor everything you do at your computer, with fingerprint ID required to log on.
3) "Perhaps some form of compulsory insurance policy." - For owning a computer? No. If you could tax people for being stupid, the world would be split between the bankrupt and the filthy rich.
4) "Laws that require ISP's to disconnect spam bots and take some responsibility." - So now they're responsible for their users' actions? They won't let you do it. If you do, they will shut themselves down and get out of the business. They ALREADY disconnect bots - it is in their interests. They ALREADY have to deny all responsibility for your actions. And they are ALREADY in deep legal grey areas because of the burden of proof of doing such things and the expense of a mistake (Sorry, Company X, I thought you sent a spam. I've just cut off your Internet by mistake. Bye-bye online business).
But the fact is that none of your measures are sensible or practical, some are even impossible, and all of them are in place in one way or another today. The fact is that every country in the world has a different idea. If we can't convince them all that death by execution or torture might be a bad idea, how the hell do you think you're going to get them to shut down botnets?
Re:How much spam do you actually get? (Score:5, Informative)
you need to put it john38+temp@gmail.com for it to work as the other way round just goes to the wrong address
Re:Most Spam Comes from just Six Bots, not Botnets (Score:5, Informative)
For better or for worse, I administer a bunch of desktops and my current build process consists of a number of automated installations (most software installations can have all the mindless "click next next next" automated away fairly easily). I am at an awkward point where I have enough machines to want to automate the process, but not enough that I can easily just buy 100 identical systems and ghost the lot. And before you ask, I don't run Active Directory so rollout through group policy is out of the question.
It looks like this process will require substantial redesigning for Vista, as there doesn't seem to be an easy programmatic way to say "do everything below this point without bothering me through UAC". Neither is there an easy programmatic way to disable UAC altogether, even on a temporary basis. (Yes, I know about the registry setting from the command line. But that needs to run from an elevated command line which, guess what, you can't set up without interaction).
The way UAC works is that normal users still can't do a bunch of things. This doesn't change; they probably won't ever see a UAC prompt. Administrators can do everything they're used to, but by default if they want to do anything administrative, UAC steps in and says "Cancel or allow?".
I can understand from Microsoft's perspective that it's somewhat pointless to create such a system and then create an easy method to work around it, but I can't believe that in the whole corporation there aren't a few people with the brains between their two ears to realise that it's a very inelegant solution which adds hassle without really solving the problem.
Re:Most Spam Comes from just Six Bots, not Botnets (Score:5, Informative)
On my non administrator account I run the following programs (Windows XP):
- World of Warcraft.
- A few other games I play once every blue moon.
- Music player, video player, encoders, editing software.
- Office.
- VPN client for my job.
- Firefox with Flash, Java, AdBlock and NoScript.
- Azureus.
- Thunderbird.
I need administrator to run these:
- Windows update (Duh!).
- Various software updates (Duh!).
How is that different from a typical Linux usage? I still need root access (via sudo or root) to update my OS and installed programs. So where is this "Windows won't let you do anything of substance once you're running as non-administrator." problem? I can play video games, do video editing, listen to music, surf the web, use office and work from home via VPN and all that without being logged in as administrator. Where is the problem?
I am perfectly aware that there are a few programs that have trouble running as non administrator most notably CD burning/ripping stuff. You can always run them "Run as administrator" or find one that works fine. Mind you, I never bothered finding one that works well, just picked up one from Sourceforge and run it as root.
The whole Windows security "issue" is strictly educational. The underlying OS has a very solid security framework that IMHO is better than Linux because it's more granular.
Re:Blocking known residential blocks sucks (Score:2, Informative)
Now, I COULD let the botnet traffic in and heavily penalize it in spam points. On the other hand, I whitelist maybe two or three servers on residential IP space a year. The tradeoff in bandwidth, server resources, and filter accuracy between "allow categorized residential" and "block residential minus whitelist" is simply too favorable in the blocking direction.
Functional democracies require ways to deter griefers or at least the very worst of griefers. The spammers have made SMTP their personal playground and there is no end in sight to it. It is they who should have the blame for mail servers being configured as fortresses. It is all the mail admins can do to keep on top of their shenanigans.
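The checks described in the "Re:Hmm" reply earlier (reject on invalid HELO, no rDNS, Spamhaus zen) together with the residential-space whitelist of the reply just above, as an added example that is not part of any post in the thread. It is Python of the kind an MTA policy hook could call; the DNS lookups are injected callables so it runs offline, the IPs, hostnames and listings at the bottom are constructed, and the ZEN answer codes are the ones Spamhaus documents.

```python
"""Connection-time sender checks: HELO syntax, reverse DNS, Spamhaus ZEN.

Added example. DNS lookups are injected as callables so the code runs
offline against the constructed tables at the bottom instead of a real
resolver; the IPs, hostnames and listings below are made up.
"""
import ipaddress
import re
from typing import Callable, Container, Dict, List, Optional, Tuple

ZEN_ZONE = "zen.spamhaus.org"

# ZEN answer codes and the sub-list each denotes (per Spamhaus documentation).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",   # Spamhaus Block List (spam sources)
    "127.0.0.3": "SBL",   # SBL CSS
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",  # exploited hosts
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",  # Policy Block List: dynamic/residential space
}

# One DNS label; a HELO must be a fully qualified name (at least one dot).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HELO_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+\.?$")


def helo_is_valid(helo: str) -> bool:
    """RFC 5321 HELO: an FQDN or a bracketed address literal.
    Bare words ('localhost') and unbracketed IPs are rejected."""
    if not helo or len(helo) > 255:
        return False
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner[:5].upper() == "IPV6:":
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
            return True
        except ValueError:
            return False
    if HELO_RE.match(helo) is None:
        return False
    try:  # "198.51.100.7" fits the label grammar but is not a hostname
        ipaddress.IPv4Address(helo.rstrip("."))
        return False
    except ValueError:
        return True


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """ZEN is queried as the reversed IPv4 octets under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zen_lists(ip: str, resolve_a: Callable[[str], List[str]]) -> List[str]:
    """Names of the ZEN sub-lists the IP appears on (empty if unlisted)."""
    answers = resolve_a(dnsbl_query_name(ip))
    return sorted({ZEN_CODES.get(code, "unknown") for code in answers})


def evaluate_connection(
    ip: str,
    helo: str,
    resolve_ptr: Callable[[str], Optional[str]],
    resolve_a: Callable[[str], List[str]],
    residential_whitelist: Container[str] = frozenset(),
) -> Tuple[str, List[str]]:
    """Reject on invalid HELO, missing rDNS, or a ZEN listing. A PBL (residential)
    hit is forgiven only for explicitly whitelisted hosts; SBL/XBL never are."""
    reasons: List[str] = []
    if not helo_is_valid(helo):
        reasons.append(f"invalid HELO {helo!r}")
    if resolve_ptr(ip) is None:
        reasons.append("no rDNS")
    for name in zen_lists(ip, resolve_a):
        if name == "PBL" and ip in residential_whitelist:
            continue
        reasons.append(f"listed in {name}")
    return ("reject" if reasons else "accept", reasons)


# --- constructed DNS data standing in for the real resolver -----------------
PTR_TABLE = {
    "192.0.2.10": "mail.example.org",                 # a normal mail server
    "203.0.113.25": "cpe-203-0-113-25.isp.example",   # a friend's box on cable
}
DNSBL_TABLE = {
    dnsbl_query_name("198.51.100.7"): ["127.0.0.4", "127.0.0.10"],  # infected residential host
    dnsbl_query_name("203.0.113.25"): ["127.0.0.10"],               # PBL only
}


def fake_ptr(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def fake_a(name: str) -> List[str]:
    return DNSBL_TABLE.get(name, [])


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.org"),
                     ("198.51.100.7", "localhost"),
                     ("203.0.113.25", "home.example")]:
        print(ip, evaluate_connection(ip, helo, fake_ptr, fake_a, {"203.0.113.25"}))
```

The whitelist deliberately overrides only the PBL verdict: a host on residential space that you have chosen to trust is still rejected if it shows up in XBL, because an XBL listing means the machine itself is emitting bot traffic, not merely that its network is dynamic.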
Re:Most Spam Comes from just Six Bots, not Botnets (Score:3, Informative)
Linux is indeed more secure because of the higher eyeball count that comes with open source software. However, if you really want security then make sure to use older versions with backports for security fixes. Programmers introduce security flaws all the time. We fail constantly, and our failures are made right later on - in open source.
Even the absolutely best AV product possible cannot block every threat because that problem is currently NP complete, to the best of my understanding. Such a product would not be able to block every threat on Linux or OSX either.
The Sony rootkit worked because of incompetence in both Redmond and in the AV industry. However, most people would have clicked through the "install application" screen by habit anyhow.
Microsoft should indeed make a service like the one that is integrated into the iPhone SDK: Only allow signed binaries. Average Joe cannot be expected to figure out what software is secure. Asking him for confirmation of whether he would like to install a piece of software is very much a flawed approach. We techies mostly know how to protect ourselves. But those root kits run on Average Joe's computer, and until we can prevent him from installing that piece of malware and until he is forced to upgrade his system software and until all his applications are automatically upgraded with the latest security fixes - then we'll have these botnets.
Re:Most Spam Comes from just Six Bots, not Botnets (Score:3, Informative)
It's called, "runas". It is a Windows program that allows you to run an arbitrary program as any other user (if you know the password, of course).
That's not what I've observed. Back when I was using Windows 2K, I regularly ran as an ordinary user. Most programs worked just fine. Almost all of the Windows programs worked under a regular user, except for the ones that genuinely needed Admin access.
You can install software as an unprivileged user if you don't require Admin access to write to the directory you are installing to. So for example, if you install into your "My Documents" folder, you do not need Admin access. If, however, you want to install to "Program Files", then you need Admin access, unless you have altered Program Files to be editable by everyone. It pretty much works exactly like it does on Linux.
Now that I've gotten your inaccuracies out of the way, I'd like to point out that Windows, and many of the programs written for it, don't seem to understand Least User Authority. The main goof Microsoft did was give the regular user Admin privileges at install-time. Windows requires Admin privileges just to look at the clock/calendar. Many programs written for Windows need to be manually "finessed" after installing, so that they can work properly for regular user accounts.
Re:Most Spam Comes from just Six Bots, not Botnets (Score:3, Informative)
I have no doubt that Windows has nice foundations, but this never seems to translate into my experience as an end-user. I use a W2K machine at work and quite frankly I spend probably close to 10% of my time there as an administrator. I need to set Thunderbird to be the default mail reader or something. Most of it is just installing new software.
Quite frankly, I've yet to find Windows as good as sudo when it comes to limiting my time as root. On Linux, if I need to execute a 2 second command as root, I run sudo and it takes 2 seconds. On Windows, somehow it's more involved. I end up logging out and logging in as administrator. Then I end up browsing (yikes!) to the download site as administrator to download the installer.
I'm sure it's possible to do all this as a non-privileged user, but Microsoft seems to be trying their hardest to make it inconvenient. Whatever their theoretical underpinnings, Microsoft could take some UI lessons from the Linux folks. They shouldn't be working against the user.
Re:How much spam do you actually get? (Score:3, Informative)
You can even give different people different +extensions, though managing the white list for them gets to be a pain. Especially since your new, improved email addresses will gradually leak into the spam books (everybody's got a friend dumb enough to push the "forward this article to a friend and sign them up for spam for life!") but it gives you some address space to play with even when you don't have direct control over the mail server.
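The plus-addressing discussed in the three "How much spam do you actually get?" replies (the mailbox is the part before the '+', so "temp+john38@" lands in the wrong place; the tag in the To: header is what you filter on; and a tag leaks once it arrives from someone it was never given to), as an added example that is not from any post in the thread. The sample messages and the table of which sender got which tag are constructed; the Gmail behaviour assumed is that the '+tag' suffix and dots in the local part are ignored for delivery.

```python
"""Plus-address parsing and tag-based filtering for a Gmail-style mailbox.

Added example, not from the thread. Sample messages and the tag-to-sender
table are constructed; Gmail's rules used here are that the part after '+'
in the local part is a tag that does not affect delivery and that dots in
the local part are ignored.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Dict, List, Optional, Tuple


def split_tagged_address(addr: str) -> Tuple[str, Optional[str], str]:
    """'john38+temp@gmail.com' -> ('john38', 'temp', 'gmail.com').
    The mailbox is everything before the first '+', so 'temp+john38@...'
    is a tag 'john38' on a mailbox 'temp', not the other way round."""
    local, at, domain = addr.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    mailbox, plus, tag = local.partition("+")
    return mailbox, (tag if plus else None), domain


def delivers_to(addr: str) -> str:
    """The mailbox that actually receives mail sent to addr."""
    mailbox, _tag, domain = split_tagged_address(addr)
    if domain == "gmail.com":
        mailbox = mailbox.replace(".", "")
    return f"{mailbox}@{domain}"


# Which sender each tag was handed out to (constructed).
TAG_OWNERS: Dict[str, str] = {"shop": "shop.example", "list": "lists.example"}


def classify(raw_message: str, my_mailbox: str = "john38@gmail.com") -> Tuple[str, str]:
    """Return (folder, reason). A tag arriving from someone other than the
    party it was given to means the address has leaked."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    tags: List[Optional[str]] = []
    for _name, addr in getaddresses(headers):
        if "@" in addr and delivers_to(addr) == my_mailbox:
            tags.append(split_tagged_address(addr)[1])
    tag = next((t for t in tags if t), None)
    if tag is None:
        return ("inbox", "no tag")
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    owner = TAG_OWNERS.get(tag)
    if owner is None:
        return ("review", f"unknown tag {tag!r}")
    if sender_domain != owner:
        return ("spam", f"tag {tag!r} given to {owner} used by {sender_domain}")
    return (f"folder/{tag}", "tag matches owner")


# Constructed messages.
SAMPLE_SHOP = "From: orders@shop.example\nTo: john38+shop@gmail.com\nSubject: order\n\nThanks.\n"
SAMPLE_LEAK = "From: deals@bulk.example\nTo: John.38+shop@gmail.com\nSubject: deals\n\nBuy.\n"
SAMPLE_PLAIN = "From: friend@example.net\nTo: john38@gmail.com\nSubject: hi\n\nhi\n"

if __name__ == "__main__":
    for raw in (SAMPLE_SHOP, SAMPLE_LEAK, SAMPLE_PLAIN):
        print(classify(raw))
```

The From: domain is taken at face value here, which is exactly the weakness the thread is about: a spammer who bought the leaked tag can forge the sender just as easily. The check is still useful as a first sort, because most harvested-list spam does not bother to match the forged sender to the tag.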
Re:Most Spam Comes from just Six Bots, not Botnets (Score:3, Informative)
The -u (user) option causes sudo to run the specified command as a user other than root. To specify a uid instead of a username, use #uid.
Re:Most Spam Comes from just Six Bots, not Botnets (Score:-1, Informative)
> stupid users would still run it.
No. There are reasons why 'stupid users' on Windows would run this, but these don't apply to other systems:
1) Windows hides the file type: the file _looks_ as if it were an image file, they are usually xx.jpg.exe and are listed as xxx.jpg.
2) Microsoft decided that clicking on an attachment will do whatever is necessary: show an image, open a
3) On Windows a
On Windows Outlook Express, clicking on xxx.jpg may give a 'do you want to do this' but dismissing that unread (because they come up all the time) will _run_the_program_.
On other OSes the file will be passed to the image viewer which will say it isn't a jpg. The only way to get it to run is to save it to disk, chmod +x, and then the user can start the program.
Windows is so convenient, viruses are just one click away. With Linux you have to use the arcane and obscure command line just to get a virus.
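The xxx.jpg.exe disguise described in the post above, checked on the receiving side before a mail client ever shows the attachment, as an added example that is not part of the post. The message and its attachments are built inline from constructed content, and the extension lists are illustrative rather than a complete list of what Windows will run.

```python
"""Flag e-mail attachments whose real extension hides behind a decoy one.

Added example, not from the thread. The message is built inline with
constructed content; the extension lists are a starting point, not a
complete catalogue of what Windows will execute.
"""
import email
import email.policy
from email.message import EmailMessage
from typing import List, Tuple

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "msi", "cpl"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'xxx.jpg.exe' appears as 'xxx.jpg'."""
    stem, dot, ext = filename.rpartition(".")
    return stem if dot and ext.lower() in KNOWN_EXTS else filename


def is_disguised_executable(filename: str) -> bool:
    """True for 'photo.jpg.exe' and for the padded variant
    'invoice.pdf        .scr' that pushes the real extension out of view."""
    parts = [p.strip().lower() for p in filename.split(".")]
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def scan_attachments(raw: bytes) -> List[Tuple[str, List[str]]]:
    """Return (filename, reasons) for each suspicious attachment, checking the
    name and the first bytes of the content (PE files start with 'MZ')."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings: List[Tuple[str, List[str]]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = []
        if is_disguised_executable(name):
            reasons.append(f"double extension, shown as {displayed_name(name)!r}")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            reasons.append("PE header in content")
        if reasons:
            findings.append((name, reasons))
    return findings


PADDED_NAME = "invoice.pdf" + " " * 8 + ".scr"


def build_sample() -> bytes:
    """A constructed three-attachment message: one real JPEG, two disguised PEs."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "you@example.org"
    msg["Subject"] = "holiday pics"
    msg.set_content("see attached")
    msg.add_attachment(b"\xff\xd8\xff\xe0", maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="holiday.jpg.exe")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename=PADDED_NAME)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in scan_attachments(build_sample()):
        print(name, reasons)
```

Checking the content's leading bytes alongside the name matters because the name check is only as good as the extension lists, while an attachment that begins with "MZ" is a Windows executable whatever it is called.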
Re:Hmm (Score:3, Informative)
Floodgates wide open is NOT an option because when I tried that I then heard many complaints from clients about slow server and way too much spam for their liking, they seem to prefer we try and do something about the spam levels rather than simply let everything through.
Re:Most Spam Comes from just Six Bots, not Botnets (Score:3, Informative)
OS yes, but you don't have to be root to install or update programs. I've seen lots of systems where programs were owned by bin, public or some other user. But more importantly, modern distributions like Ubuntu encourage you to use sudo, and that's almost infinitely safer than actually logging in as root.
Installing new software. I'm a programmer, and I often need to install some new tool. For that reason, all programmers at my work have Administrator rights on their standard Windows login. In Linux, I could install those tools in ~/bin, and while I'm sure that's usually technically possible in Windows (though some programs really do not like to be installed in \Documents and Settings\, if only for the spaces in the directory name), it is at the very least very uncommon.
The real problem here may not be technological, but cultural. In unix culture, it's common for users to install stuff in ~/bin, but in Windows culture, that's uncommon. It's much more common to give everybody who needs to install stuff Administrator rights. And that's where your technically sound security model breaks down.