Most Spam Comes From Just Six Botnets

Ezhenito noted some research pointing out the (maybe) surprising bit of research that 6 botnets are responsible for 85 percent of the world's spam. That seems a bit high to me, but the only aspect of spam I am an expert in is *getting* it.
  • by blcamp ( 211756 ) on Monday March 17, 2008 @09:13AM (#22772372) Homepage

    Why can't they focus their efforts and resources on shaping traffic to block this kind of nonsense, rather than Torrents?

  • 1) There are "fewer" people using torrents than using email.

    2) Email users include businesses that probably include a draconian SLA on the ISPs part and they don't want to mess with that.

    3) And as always, it affects Profit!!!

  • Re:Anti-bots? (Score:5, Insightful)

    by ajs318 ( 655362 ) <sd_resp2@@@earthshod...co...uk> on Monday March 17, 2008 @09:24AM (#22772488)
    In theory, yes it would.

    In practice, no it wouldn't.

    You'd be opening yourself up to prosecution. Even in countries without specific "misuse of computers" laws, running a program on someone else's computer is trespass. You might think that, since trespass is a civil matter, you'd only need to worry about someone who has the money to sue you taking a dim view of what you were up to. And you'd be right. But the botnet-controllers have got enough money and would be bothered to take you to court.

    And I haven't even touched on the really horrifying issue: what if your benign, anti-malware malware malfunctioned, or was subverted by the next generation malignant, anti-benign-anti-malware-malware malware? You could easily end up becoming even worse than the enemy whose dirty tricks you borrowed.
  • by Aaron Isotton ( 958761 ) on Monday March 17, 2008 @09:34AM (#22772570)
    (Same post as before, formatted properly)

    Come on. The software bundles are *always* ludicrous. They typically include:

    - A crappy "Home User"-Antivirus with huge splash screens and big colorful dialog boxes pissing you off a few times a day.
    - A crappy toolbar for your browser (often Yahoo or Google, sometimes worse)
    - Some "software update center" which is usually far worse than even Windows Update
    - A CD Recording application which is ALWAYS crap.
    - A software firewall yelling "OMG PACKET" every time someone sends an UDP broadcast on your network.
    - A few "click here to sign up" icons of various services no one has ever heard of (or wants).
    - Half a dozen media players fighting for world domination (and stealing file extensions from each other all the time).
  • by Von Helmet ( 727753 ) on Monday March 17, 2008 @09:34AM (#22772576)

    Spam affects the little guy. Torrents affect (apparently) the big guy.

  • by Nursie ( 632944 ) on Monday March 17, 2008 @09:36AM (#22772590)
    Blocking known residential blocks sucks as a solution as it removes some of the democracy of the net.

    I (like others I'm sure, but maybe not so many of us these days) run a mail/web server from home. I just use it for personal mail. I have SPF and rDNS set up, I play by all the rules. Why block me because I use ADSL at home with a static IP ?

    Whilst I appreciate that accepting mail from my IP is potentially a higher risk factor, blocking all residential blocks seems to me to be overkill.
  • by Anonymous Coward on Monday March 17, 2008 @09:41AM (#22772624)
    Tinfoil hat much Mr. 404? An AV product can't block every threat BECAUSE Windows is closed source? That makes no sense.

    The reason that they can't block every threat is that they are still signature based and have not completed the move to behavior based blocking and heuristics. The other problem - the main one - that you don't even mention is users. If someone bothered to write a 'SomeFamousPersonNaked.exe' for other OS'es - stupid users would still run it. (I do note that in today's world, the average Linux user is brighter about these things than their Windows counterparts - mostly because Linux is still in that niche role where it is dominated by computer savvy folks at least for now).

    But, give that same Windows user who is stupid enough to run that EXE an Ubuntu machine and send him a version that runs on Linux AND HE WILL STILL CLICK IT. Switching OS'es doesn't make a dork not a dork. Doesn't even really matter whether the user is an admin or not on Windows or Linux - just sending mail doesn't require it and now that Vista is actually usable by many people as a standard user the malware writers will adapt and not try to own the whole machine right away.

    I can see how this will be a problem for Linux users in the future if the user base continues to grow into that "stupid user" segment - at which point folks will be more than happy to write bot software for those users to run.
  • by Corporate Troll ( 537873 ) on Monday March 17, 2008 @09:43AM (#22772654) Homepage Journal
    Oh, I did that too. I resigned, I still have my own mailserver, but it simply sends everything through my ISP's smtp server. Even then, I sometimes get flagged as spam. This is, alas, a battle we have lost ages ago :-(
  • by rucs_hack ( 784150 ) on Monday March 17, 2008 @09:45AM (#22772660)
    how marvelously uninformed..

    There are no major spam bots for linux because linux just doesn't have that all important desktop install base. However infected linux servers are frequently used to admin botnets. Badly configured linux servers are like treasure to the botnet guys..

    Microsoft don't have more bots and virii in windows because their stuff is closed source, they have it because the underlying security model of windows is, and always has been, pretty poor. For years, normal users have run windows boxes in admin mode by default. This is INSANE!!, and yet it persists.
    Adding UAC hasn't helped. It was implemented so badly that people just click through the new dialogs without reading the warnings most of the time. This wouldn't happen if it didn't question almost everything you do.

    The sony rootkit couldn't be detected because of a flaw in windows that allowed it to hide even from most AV products.

    Most AV companies don't 'take bribes' to keep bots going, they just aren't very good these days. The way virii are fought on the desktop needs to change, and that change is very slow in coming.
  • by CaptainPatent ( 1087643 ) on Monday March 17, 2008 @09:52AM (#22772724) Journal
    What you have is a good idea in principle, but with potentially horrible consequences.

    I would suggest some measures we can use:

    1) static IPs. Then we can easily track down infected machines and take them offline.
    Advertising companies are jumping for joy at this one. The more stable the IP address, the more they can bombard you with ads specially tailored for you. I like the fact that DHCP refreshes my IP every day or so, it means that sites that use web-bugs and other semi-devious methods of gathering information and (much worse) sell it to other companies, only have a very limited time frame to do so - and the fact that my IP does refresh makes them that much less able to make any profit off of me.

    2) Laws that require people to assume some form of responsibility when they connect a computer to the net.
    And what's going to happen if they don't "take responsibility?" By what metric do we judge responsibility? It sounds like the only way to enforce this is to dig into private internet usage information. I think the last thing I want is another person snooping around in the internet garbage bin for places my computer has been and is going to.

    3) Perhaps some form of compulsory insurance policy.
    Mainly see the above, but in addition the last thing we need is another mandatory insurance policy.

    4) Laws that require ISPs to disconnect spam bots and take some responsibility.
    This one may not be a terrible idea in practice, but ISPs are currently going nuts over things like bittorrent. What's to stop them from classifying bittorrent activity as "suspected botnet activity?"

    I do like the spirit of the post, but I don't think there's a clear-cut solution to the problem.
  • Re:Anti-bots? (Score:4, Insightful)

    by ajs318 ( 655362 ) <sd_resp2@@@earthshod...co...uk> on Monday March 17, 2008 @10:16AM (#22772926)

    I came to the conclusion that the only way to stop it is for each ISP and mail server to require correct sender IP info from the sender, or bounce the message right back.
    Almost. Actually, if the HELO is incorrect, or the originating machine is not registered as an MX for the domain, the proper course of action would be to return an SMTP error code -- absolutely not bounce the message back. If it's genuine, there'll be a copy on the sending machine somewhere anyway; and the bounceback from failed spamming attempts is not pretty. (Domains of mine have occasionally been used as the purported originators of spam, and the floods of "returned" mail coming "back" from clueless ISPs -- hello? see where that HELO is coming from? is that machine an MX for my domain? then WhyTF do you think this message has anything to do with me? -- are as bad as anything else.)

    If more people configured their sendmail to reject bad HELOs, it would be a lot harder to send spam.
  • by oliderid ( 710055 ) on Monday March 17, 2008 @10:24AM (#22773002) Journal
    Precisely...For example US mortgages debt. I guess the "real" businesses behind could be easily tracked by US police officers. All you have to do is respond to the SPAM and wait until you get a phone number, a bank account or whatever. Or those VIAGRA pills...If they are "officials", then you can track their production numbers to the last "official" resellers.

    There are plenty of spams requiring real businesses behind. Most of these businesses are located in western countries. Why can't they track them?

  • Re:Anti-bots? (Score:2, Insightful)

    by Just some bastard ( 1113513 ) on Monday March 17, 2008 @10:25AM (#22773016)
    An MX record isn't required for sending mail, for receiving mail there's a fallback to A if no MX is found. The problem you're describing (backscatter) is solved by SPF; if only more people configured their MTA to check that before generating a bounce :(
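The two posts above (reject bad HELOs with an SMTP error rather than a bounce; an MX record is not required, forward resolution to an A record suffices) as a worked policy check. This is an added example, not code from either poster; the hostnames, IPs and the stub resolver are constructed so it runs offline.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Constructed stub of DNS: hostname -> A records. A real MTA would query
# the system resolver; this table lets the example run offline.
STUB_DNS: Dict[str, List[str]] = {
    "mail.example.org": ["192.0.2.10"],
    "mx2.example.net": ["198.51.100.5"],
}

def stub_resolve(name: str) -> List[str]:
    return STUB_DNS.get(name.lower().rstrip("."), [])

# Loose FQDN syntax: two or more labels of letters, digits and inner hyphens.
FQDN_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)

def helo_policy(client_ip: str, helo: str,
                resolve: Callable[[str], List[str]] = stub_resolve) -> Tuple[int, str]:
    """Decide at HELO/EHLO time. A failing sender gets a 5xx reply on the
    live connection, so the receiver never accepts the message and never
    has to generate a bounce (no backscatter)."""
    if helo.startswith("["):
        # Address literal: only acceptable if it is the connecting IP itself.
        literal = helo.strip("[]")
        if literal.upper().startswith("IPV6:"):
            literal = literal[5:]
        try:
            lit = ipaddress.ip_address(literal)
        except ValueError:
            return 550, "5.7.1 HELO address literal is malformed"
        if str(lit) != client_ip:
            return 550, "5.7.1 HELO address literal does not match connecting IP"
        return 250, "OK"
    if not FQDN_RE.match(helo):
        return 550, "5.7.1 HELO must be a fully qualified domain name"
    # Forward-confirm the name: an A record is enough, no MX record is needed.
    addrs = resolve(helo)
    if not addrs:
        return 550, "5.7.1 HELO name does not resolve"
    if client_ip not in addrs:
        return 550, "5.7.1 HELO name does not resolve to connecting IP"
    return 250, "OK"
```

The forward-confirmed match is the strictest of these checks and will reject some legitimate multi-homed or NATed senders; the FQDN-syntax and does-it-resolve checks are the lower-risk subset to deploy first.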
  • by ortholattice ( 175065 ) on Monday March 17, 2008 @11:03AM (#22773334)

    Or you can put a prefix to your gmail address with a '+'. ie. "temp+john38@gmail.com" the mail still gets delivered to john38@gmail, but with 'temp+john38@gmail.com' in the 'to:' field, allowing you to filter it easily.

    Spammer's note to self: (1) duplicate all gmail addresses with dummy "+" fields purged. (2) duplicate all gmail addresses with the most common non-filtered dummy fields, such as "family" and "work". Now each gmail address will be hit with a dozen or a hundred variations, in hopes that one will get through the filter.

  • Re:Hmm (Score:5, Insightful)

    by eth1 ( 94901 ) on Monday March 17, 2008 @11:28AM (#22773572)
    Actually, using something like the Spamhaus PBL (which pre-emptively lists IP ranges that shouldn't be sending direct-to-MX email, such as ISP dynamic ranges), you actually CAN block significant portions of these botnets.

    The three of my relays that use the combined Spamhaus SBL, XBL, and PBL block about 3.5 million connection attempts per day, and let 1 million emails/day through to the next layer of filtering. (about 78% of the flow, assuming that each connection would only drop off one email) The PBL accounts for about half of those blocks.
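The SBL/XBL/PBL lookup described above, as an added example (not eth1's relay configuration): build the reversed-octet query name, classify the answer by list, and turn an error-style answer into a temporary failure instead of a reject. The listing codes follow Spamhaus's published mapping as I know it (SBL 127.0.0.2-3, XBL 127.0.0.4-7, PBL 127.0.0.10-11); the IPs and stub resolver answers are constructed so it runs offline.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# zen.spamhaus.org combines SBL, XBL and PBL; each list answers with a
# distinct 127.0.0.x address. Mapping as documented by Spamhaus to my
# knowledge; confirm against the current documentation before deploying.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_query_name(client_ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the IPv4 octets and append the zone: 203.0.113.7 -> 7.113.0.203.<zone>."""
    ip = ipaddress.IPv4Address(client_ip)
    return ".".join(reversed(str(ip).split("."))) + "." + zone

# Constructed stub: query name -> A records. A real check uses the system resolver.
STUB_DNS: Dict[str, List[str]] = {
    "7.113.0.203.zen.spamhaus.org": ["127.0.0.11"],               # dynamic range -> PBL
    "22.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.2"],  # infected host also on SBL
    "99.113.0.203.zen.spamhaus.org": ["127.255.255.254"],         # constructed non-listing answer
}

def stub_resolve(name: str) -> List[str]:
    return STUB_DNS.get(name, [])

def classify(client_ip: str,
             resolve: Callable[[str], List[str]] = stub_resolve) -> Tuple[List[str], List[str]]:
    """Return (lists the IP is on, answers we do not recognise as listings)."""
    answers = resolve(dnsbl_query_name(client_ip))
    listed = sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})
    unknown = [a for a in answers if a not in ZEN_CODES]
    return listed, unknown

def smtp_connect_policy(client_ip: str,
                        resolve: Callable[[str], List[str]] = stub_resolve) -> Tuple[int, str]:
    """Reply to use at connection time. Unrecognised answers (Spamhaus signals
    query errors in 127.255.255.x) are a tempfail, never a permanent reject."""
    listed, unknown = classify(client_ip, resolve)
    if unknown:
        return 451, "4.7.1 DNSBL lookup returned an unexpected answer; try again later"
    if listed:
        return 554, "5.7.1 Service unavailable; client host listed in " + ",".join(listed)
    return 220, "OK"
```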
  • Re:Anti-bots? (Score:3, Insightful)

    by Mister Whirly ( 964219 ) on Monday March 17, 2008 @12:36PM (#22774302) Homepage
    "You know what's worse? It'd be a quick half-hour job to fix it, if only the owners had thought to demand the Source Code."

    Spoken like someone who has never actually debugged crappy code before. If I had a nickel for every time someone just needed "a half-hour" to fix a problem in code....
  • Double standard (Score:3, Insightful)

    by MacDork ( 560499 ) on Monday March 17, 2008 @02:02PM (#22775350) Journal
    Yet if ISPs were blocking residential http servers, these anti-spam nerds would FLIP OUT. ISP blocked your residential smtp server? Meh *shrugs* The anti-spam crusaders are ruining the open nature of the internet. False positives are unacceptable. I'll take spam over false positives any day.
  • by swordgeek ( 112599 ) on Monday March 17, 2008 @03:24PM (#22776392) Journal
    Here's a one-word answer: Jurisdiction.

    Basically, the Russian mafia is behind a lot of the botnet activity. They're employing talented but criminal programmers to write this stuff in a number of locations. Staff are paid for their work, and even provided benefits in some cases.

    The botnet control servers are spread between a number of (mostly eastern-bloc) countries. Interpol can initiate action, but relies on the local police to carry it to the end, and the local police are...bought and paid for by the crimelords. Furthermore, if one slightly suicidal policeman (or force) decides to act against the botnet operation, then all it means is that one of the tentacles is cut off. While it's busy regrowing (i.e. the data centre is being rebuilt a block away), the effect is minimal at best because there are similar systems set up in other countries.

    What it would take to legally shut down the botnets is the coordinated effort of Interpol and the police forces of several countries, combined with a lack of fear of organised crime. Six months later, they'd need to do the same thing again, probably with different countries. After doing this roughly three times a year for three or four years, the criminals in charge might decide to give up and move into another area--however, after the first attempt, there would be a lot of dead or injured cops showing up, and quite possibly their families as well. If you could pull off a raid like that once, do you think ANYONE would want to take part in a second raid, given the mortality rate (and peripheral damage)?

    To shut them down illegally would take a well-funded and heavily armed black-ops team, to go in and start slaughtering the programmers, bombing the data centres, and (ideally) assassinating the crime lords. Basically, an anti-mafia mafia. The CIA has a history of doing this, but generally to depose governments, not criminals.
