Most Spam Comes From Just Six Botnets 268
Ezhenito noted some research pointing out the (maybe) surprising bit of research that 6 botnets are responsible for 85 percent of the world's spam. That seems a bit high to me, but the only aspect of spam I am an expert in is *getting* it.
Since ISPs Love Filtering So Much... (Score:5, Insightful)
Why can't they focus thier efforts and resources on shaping traffic to block this kind of nonsense, rather than Torrents?
Re:Since ISPs Love Filtering So Much... (Score:3, Insightful)
1) There are "fewer" people using torrents than using email.
2) Email users include businesses that probably include a draconian SLA on the ISPs part and they don't want to mess with that.
3) And as always, it affects Profit!!!
Re:Anti-bots? (Score:5, Insightful)
In practice, no it wouldn't.
You'd be opening yourself up to prosecution. Even in countries without specific "misuse of computers" laws, running a program on someone else's computer is trespass. You might think that, since trespass is a civil matter, you'd only need to worry about someone who has the money to sue you taking a dim view of what you were up to. And you'd be right. But the botnet-controllers have got enough money and would be bothered to take you to court.
And I haven't even touched on the really horrifying issue: what if your benign, anti-malware malware malfunctioned, or was subverted by the next generation malignant, anti-benign-anti-malware-malware malware? You could easily end up becoming even worse than the enemy whose dirty tricks you borrowed.
Re:Most Spam Comes from just Six Bots, not Botnets (Score:3, Insightful)
Come on. The software bundles are *always* ludicrous. They typically include:
- A crappy "Home User"-Antivirus with huge splash screens and big colorful dialog boxes pissing you off a few times a day.
- A crappy toolbar for your browser (often Yahoo or Google, sometimes worse)
- Some "software update center" which is usually far worse than even Windows Update
- A CD Recording application which is ALWAYS crap.
- A software firewall yelling "OMG PACKET" every time someone sends an UDP broadcast on your network.
- A few "click here to sign up" icons of various services no one has ever heard of (or wants).
- Half a dozen media players fighting for world domination (and stealing file extensions from each other all the time).
Re:Since ISPs Love Filtering So Much... (Score:5, Insightful)
Spam affects the little guy. Torrents affect (apparently) the big guy.
Blocking known residential blocks sucks (Score:4, Insightful)
I (like others I'm sure, but maybe not so many of us these days) run a mail/web server from home. I just use it for personal mail. I have SPF and rDNS set up, I play by all the rules. Why block me because I use ADSL at home with a static IP ?
Whilst I appreciate that accepting mail from my IP is potentially a higher risk factor, blocking all residential blocks sems to me to be overkill.
Re:Most Spam Comes from just Six Bots, not Botnets (Score:5, Insightful)
The reason that they can't block every threat is that they are still signature based and have not completed the move to behavior based blocking and heuristics. The other problem - the main one - that you don't even mention is users. If someone bothered to write a 'SomeFamousPersonNaked.exe' for other OS'es - stupid users would still run it. (I do note that in today's world, the average Linux user is brighter about these things than their Windows counterparts - mostly because Linux is still in that niche role where it is dominated by computer savvy folks at least for now).
But, give that same Windows user who is stupid enough to run that EXE an Ubuntu machine and send him a version that runs on Linux AND HE WILL STILL CLICK IT. Switching OS'es doesn't make a dork not a dork. Doesn't even really matter whether the user is an admin or not on Windows or Linux - just sending mail doesn't require it and now that Vista is actually usable by many people as a standard user the malware writers will adapt and not try to own the whole machine right away.
I can see how this will be a problem for Linux users in the future if the user base continues to grow into that "stupid user" segment - at which point folks will be more than happy to write bot software for those users to run.
Re:Blocking known residential blocks sucks (Score:4, Insightful)
Re:Most Spam Comes from just Six Bots, not Botnets (Score:5, Insightful)
There are no major spam bots for linux because linux just doesn't have that all important desktop install base. However infected linux servers are frequently used to admin botnets. Badly configured linux servers are like treasure to the botnet guys..
Microsoft don't have more bots and virii in windows because their stuff is closed source, they have it because the underlying security model of windows is, and always has been, pretty poor. For years, normal users have run windows boxes in admin mode by default. This is INSANE!!, and yet it persists.
Adding UAC hasn't helped. It was implemented so badly that people just click through the new dialogs without reading the warnings most of the time. This wouldn't happen if it didn't question almost everything you do.
The sony rootkit couldn't be detected because of a flaw in windows that allowed it to hide even from most AV products.
Most AV companies don't 'take bribes' to keep bots going, they just aren't very good these days. The way virii are fought on the desktop needs to change, and that change is very slow in coming.
Re:People need to take responsibility (Score:5, Insightful)
1) static IP's. Then we can easily track down infected machines and take them offline.
I do like the spirit of the post, but I don't think there's a clear-cut solution to the problem.
Re:Anti-bots? (Score:4, Insightful)
If more people configured their sendmail to reject bad HELOs, it would be a lot harder to send spam.
Re:Sue the companies who advertise (Score:5, Insightful)
There are plenty of spams requiring real businesses behind. Most of these businesses are located in western countries. Why can't they track them?
Re:Anti-bots? (Score:2, Insightful)
Re:How much spam do you actually get? (Score:3, Insightful)
Spammer's note to self: (1) duplicate all gmail addresses with dummy "+" fields purged. (2) duplicate all gmail addresses with the most common non-filtered dummy fields, such as "family" and "work". Now each gmail address will be hit with a dozen or a hundred variations, in hopes that one will get through the filter.
Re:Hmm (Score:5, Insightful)
The three of my relays that use the combined Spamhaus SBL, XBL, and PBL block about 3.5 million connection attempts per day, and let 1 million emails/day through to the next layer of filtering. (about 78% of the flow, assuming that each connection would only drop off one email) The PBL accounts for about half of those blocks.
Re:Anti-bots? (Score:3, Insightful)
Spoken like someone who has never actually debugged crappy code before. If I had a nickel for every time someone just needed "a half-hour" to fix a problem in code....
Double standard (Score:3, Insightful)
Re:Why can't we solve this problem? (Score:3, Insightful)
Basically, the Russian mafia is behind a lot of the botnet activity. They're employing talented but criminal programmers to write this stuff in a number of locations. Staff are paid for their work, and even provided benefits in some cases.
The botnet control servers are spread between a number of (mostly eastern-bloc) countries. Interpol can initiate action, but relies on the local police to carry it to the end, and the local police are...bought and paid for by the crimelords. Furthermore, if one slightly suidical policeman (or force) decides to act against the botnet operation, then all it means is that one of the tentacles is cut off. While it's busy regrowing (i.e. the data centre is being rebuilt a block away), the effect is minimal at best because there are similar systems set up in other countries.
What it would take to legally shut down the botnets is the coordinated effort of interpol and the police forces of several countries, combined with a lack of fear of organised crime. Six months later, they'd need to do the same thing again, probably with different countries. After doing this roughly three times a year for three or four years, the criminals in charge might decide to give up and move into another area--however, after the first attempt, there would be a lot of dead or injured cops showing up, and quite possibly their families as well. If you could pull off a raid like that once, do you think ANYONE would want to take part in a second raid, given the mortality rate (and peripheral damage)?
To shut them down illegally would take a well-funded and heavily armed black-ops team, to go in and start slaughtering the programmers, bombing the data centres, and (ideally) assassinating the crime lords. Basically, an anti-mafia mafia. The CIA has a history of doing this, but generally to depose governments, not criminals.