Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Spam IT

Malicious Spam Spikes To 'Epic' Level 130

Posted by samzenpus
from the whack-a-mole dept.
Trailrunner7 writes "There has been a huge spike in spam volume in the last few days, including a massive amount of malicious spam with infected attachments, and researchers say that levels of junk mail are now far higher than they were before the takedown of the notorious Spamit affiliate program last fall. The huge spike comes at a time when spam should, in fact, be dropping because of the takedown of the Rustock botnet, the Spamit network and other botnets. 'From the beginning of August, we have observed a huge surge of malicious spam which far exceeds anything we have seen over the past two years, including prior to the SpamIt takedown last October. The majority of the malicious spam comes from the Cutwail botnet, although Festi and Asprox are among the other contributors,' M86 researcher Rodel Mendrez said."
This discussion has been archived. No new comments can be posted.

Malicious Spam Spikes To 'Epic' Level

Comments Filter:
  • they just build it back up again, you can do this for the rest of history and still be in the same place, much like the war on drugs

    • by blair1q (305137)

      So fight fire with fire.

      Send out anti-spam spams with botnet-killer attachments.

      They'll hit the same lusers with relatively high certainty.

      • Send out anti-spam spams with botnet-killer attachments.

        Except that that is illegal. It also wouldn't solve the problem, just postpone it.

        • by Anonymous Coward

          Yup, send out massive amounts of mails to people that automatically
          whipes all Windows-partitions and installs Linux.

          People will cry and booo, until they realize their machines suddenly works. Forever.

          • Re: (Score:2, Informative)

            by blair1q (305137)

            you think linux can't be hacked. that's so cute.

            • Re:unless (Score:4, Funny)

              by EraserMouseMan (847479) on Wednesday August 17, 2011 @01:58PM (#37121950)
              Whindows partitions getting whiped and their machines whork? Suddenly? I can't whait!
            • by Quirkz (1206400)
              He also thinks that the normal botnet-infested user, presented with a Linux interface, is going to have the impression their computer "finally works" rather than "looks all weird and don't work at all." Also cute.
    • by couchslug (175151)

      And like the War on Some Drugs, both sides are making a massive profit while furthering their personal agendas.

  • by fifedrum (611338) on Wednesday August 17, 2011 @12:57PM (#37121374) Journal
    my graphs show a steady decline in spam capture rates since October, 2010. we're measuring an average daily rate about 1/2 of this time last year. (millions of mail boxes, dozens of MX servers, decent antispam filtering) We're blocking around %91.2 of mail at the perimeter as opposed to %98.8 last year.
    • by Hatta (162192) on Wednesday August 17, 2011 @01:16PM (#37121546) Journal

      The fact that you are blocking less spam is not necessarily evidence that there is less spam.

      • by fifedrum (611338) on Wednesday August 17, 2011 @01:31PM (#37121704) Journal
        you are correct, the missing data point is the volume of email considered "not spam".  This line in the graph stayed the same over the range, or within a minor fraction of a percent of the same. it's the spam counts that have dropped since 10/2010. The customer base also represents a large number of domain names, hundreds of thousands of domain names. One of our largest customers has been offering email since 1995, with many accounts in their domain being around for over a decade. I think it's a pretty solid sample of email accounts.
        • Re: (Score:3, Funny)

          by Anonymous Coward

          Am I the only person who reads this in a robot voice?

        • by Dogtanian (588974)
          Out of curiosity, what's your reason for posting in the fixed-space "tt" typeface like that? Is there a good excuse or is it just an attention-grabbing tactic?
          • by fifedrum (611338)
            sorry, just hit reply, and that's the font that came up after preview/submit. I'm not normally a LOOK AT ME!!! type of guy. Well, I am. Just in this case it was inadvertent.
            • by Dogtanian (588974)

              Out of curiosity, what's your reason for posting in the fixed-space "tt" typeface like that? Is there a good excuse or is it just an attention-grabbing tactic?

              sorry, just hit reply, and that's the font that came up after preview/submit. I'm not normally a LOOK AT ME!!! type of guy. Well, I am. Just in this case it was inadvertent.

              So you're claiming there's a bug in Slashdot that causes all your posts to appear in that typeface? Strange, because I've never heard anyone here actually complaining about that, despite you being far from the only person that does it. :-/

              • by fifedrum (611338)

                not claiming a bug, just don't remember ever setting my posting preference to "CODE". though if that's a legitimate setting, why does it bug people that it's in use and why don't more people use it?

                i changed it to plain text, because I don't like controversy.

            • by _0xd0ad (1974778)

              https://slashdot.org/prefs/d2_posting [slashdot.org]

              Change "default posting style" to "plain old text".

        • I'm not saying what you are saying is false, but if I did the math right, you are saying that you are only seeing about 13.5% as much email (total) as last year?

          I got this by assuming that non-spam mail was constant, and calculating the difference between a body of mail that was 98.8% spam and 91.2% spam.

          For example, using a fixed value of 1 email for non-spam, you should be getting 83.33 spam messages at 98.8%, and only 11.36 spam messages at 91.2%. (83.33/(1+83) = .988)

          To me, a reduction down to 13.6% (1

          • by seifried (12921)
            There may be more blocking/filtering prior to actual attempted email delivery, i.e. blacklists of IPs, grey listing, DNS/IP based reputation, etc.
        • Out of curiosity, are allowed to tell us which company you work for ?

    • And how is that going for you long-term? How much time and money do you have invested in this strategy? How often do you have to adjust it?

      You may be happy with the end result, but you should also be aware on some level that what you are doing is not sustainable in the long-term. If people continue to insist on filtering only, they will never win the war on spam.
      • by fifedrum (611338)
        long term, we've been allowing into the environment roughly the same volume of email per customer for 10 years. Some spam gets through, most does not, and there are few false positives. those that are labeled false positives are most often bulk mail that people mark as junk. So IMO, it's junk mail.

        We use rules at the protocol level, DNS responses, RBLs (combined into one large RBL with miltiple return values), external reputation lists, internal dynamic reputation lists, rate limitations, and multiple feedb
    • by kwark (512736)

      Well I'm running systems a lot smaller but still for a fairly decent amount of corpotate customers. Though overall spam has been down since sep-oct last year (to about 1/4 of that time). Last couple of weeks there have been huge spikes in attempted deliveries, but 90% is stopped by using simple mail sanity checks (like a wellformed HELO) and DNS blacklists. The other 10% is stopped by greylisting.

    • by Albanach (527650)

      Or your filters could be less effective?.

      This stuff with infected attachments tends to get caught. Of course the consequences of any getting through are higher than for run of the mill spam.

      Still, I've seen a lot of spam recently containing random links to hijacked websites and sent from valid MTAs. That stuff can be hard to filter out without collateral damage.

      • by arth1 (260657)

        Or your filters could be less effective?.

        After being tired of all the malicious spam that spamassassin with razor, pyzor and dkim let through, I added a simple rule:

        if $h_content-type contains "5601-1987"
        or $h_content-type contains "windows-1251"
        then
        logwrite "$tod_log $message_id FOREIGN-SPAM sender=$sender_address \
        subject=$h_subject: recipients_count=$recipients_count \
        recipients=$recipients"
        fail text "Nobody speaks your language here"
        endif

        That simple rule cut down the spam getting through spamassa

    • by Delgul (515042)

      Strange... I run a anti-spam business and we only see spam rising on our end. Perhaps you are missing something? Like you are blocking IP ranges (which you shouldn't) and therefore not counting those attempts as spam if at all? This mistake is made by many spam 'experts' in the field at the moment. Our servers accept every message, from every source, because we can learn from large volumes and I can say for sure: The volume only dropped for a few weeks after the takedowns. After that we were back up where w

      • by fifedrum (611338)
        nope, we're counting all reasons for rejections in those figures reported, we don't block by IP except on temporary basis or what's in well established RBLs, and listings in those RBLs are all temporary (no use of permanent RBLs like that one particular one who blackmails people into paying $50 to get their IP off the list after baiting senders with subscriptions)

        Let's say you notice 10.10.10.0/24 has only ever sent junk, why not block the entire class C?

        If a reliable reputation/feedback database says that
    • by MattBurke (58682)

      You missed the point of the article. It's not saying spam volume has spiked - it hasn't - it's saying that the ratio of malicious spam (as in with a trojan attached) to harmless spam has spiked.

      • by fifedrum (611338)
        that would require actually reading the article and comprehending what I read. people ask too much around here. Sheesh ;-)
  • Obvious (Score:5, Insightful)

    by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Wednesday August 17, 2011 @01:02PM (#37121430) Homepage

    Apparently, most of the current spam is aimed at building new botnets. Which is sort of what you'd expect after a lot of botnets are taken down.

  • Yeah, I noticed it... I only have 3 email accounts and get batches of 15-20 emails every 5-10 minutes with the Win32/Kryptik.RAM trojan virus (ups notifications and invoices) ... they go straight to spam

    • Same here. I don't check my emails much, but the infected spam rate is atrocious right now. Overall spam is about normal, I think, but more of them have infected attachments.
    • by fafaforza (248976)

      Yup, I get virus discard notices from amavis from a few mail systems and those UPS ones just skyrocketed in the past week or so. Makes sense that they'd try to rebuild that way.

  • by seven of five (578993) on Wednesday August 17, 2011 @01:16PM (#37121544) Homepage
    If these knuckleheads ever learn correct English, we're screwed.
    • If they ever learned correct English (non-copied, random, yet intelligent looking grammar), we'd lose a valuable tool in both machine AND human filtering of spam.

      But, at that point, SkyNet will kill us all anyways, so I'm not too worried just yet.

    • Most people in the (western) world speak English to some degree, but not very good. When you work in an international environment you'll get used to poor English to some degree.

    • They're not even trying anymore. The last few things to get through my spam filters have been in Thai (and, apparently, not very good Thai).
    • "If these knuckleheads ever learn correct English, we're screwed."

      Back in my WoW raiding days, an idea occurred to me that I kept to myself out of fear that someone might actually do it. I don't play WoW anymore, so I couldn't really give a damn (I know. Nice guy, huh?), but you just made me realize that gold-farmers wouldn't be the only target customers.

      The general idea is a native-English speaking person contracting out to Chinese customers to write proper sounding communications such as WoW account phish

  • by 93 Escort Wagon (326346) on Wednesday August 17, 2011 @01:22PM (#37121608)

    They must've turned it up to 11.

  • by damn_registrars (1103043) <damn.registrars@gmail.com> on Wednesday August 17, 2011 @01:27PM (#37121650) Homepage Journal
    When our anti-spam activities center on filtering received mail and chasing down the spammers themselves. Eventually someone else comes in and comes up with a different way to send spam so it gets around existing filters, which just starts a new round of whac-a-mole.

    Until we do something about the motivating factors behind spam - that is, the economics of spam - we will continue to get nowhere, while wasting more time and money on the problem.
    • by Arlet (29997)

      Sounds great, except there's not much you can do about the economics of spam.

      On the other hand, filters have become pretty good. I'm only getting a few spam messages a week that manage to get past the filters.

    • Until we do something about the motivating factors behind spam - that is, the economics of spam - we will continue to get nowhere, while wasting more time and money on the problem.

      The problem with that approach is that the economics of spam are totally slanted in favour of the spammer.

      One machine can send out MILLIONS of spam messages per day.

      And it only takes a couple of people purchasing something to make it profitable.

      Instead, focus on understanding the spam process. I was able to reduce 99%+ of spam at

      • by Jeng (926980)

        Much like an advertising campaign, spamming does not have to be profitable to those who employ spam. It only has to be profitable to the organization that is being paid to spam.

        The only people who have to buy anything are the people who buy the spamming service.

      • Until we do something about the motivating factors behind spam - that is, the economics of spam - we will continue to get nowhere, while wasting more time and money on the problem.

        The problem with that approach is that the economics of spam are totally slanted in favour of the spammer.

        We seem to view the economics of spam differently. Your view seems to be focused on the return on investment, which is certainly one aspect of spam. From my vantage point I see the important factor in spam being the ease of the spamvertised in paying the spammers, coupled to the various middlemen who also take a cut on the action.

        Spam is a very imperfect machine (thankfully). There are plenty of ways that one can approach it that would have a more meaningful and lasting impact on spam than just adjust

      • Currrently, yes. There is no punishment, and in general only modest engineering cost to setting up a new spam net. This encourages new "entrepreneurs" to enter the field, even if they make no overall profit doing so. Spam services are being _sold_ to legitimate and illegitimate clients, and the claims of profit are overblown. But since no one publishes good numbers on its success rates, they can continue lying and drumming up business to fools and criminals.

        The return on investment need not be real: it only

    • Is that like the economics of narcotics, other illicit drugs, illegal firearms? As much as I wish that spam was the same as those economies (I don't have to deal with it unless I wanted to) it isn't because it actively tries to harm me or take my stuff. It is more like that of the meth head who tries to break into you house than the drug king pin. Too bad the castle doctrine doesn't extended to spammers and virus writers.
    • by bughunter (10093)

      the economics of spam

      About $3 a can [google.com], or $4/lb.

  • by Anonymous Coward

    I run a SMTP server, and have noticed a lot of SPAM traffic and hacking attempts coming from China. In addition to running OSSEC's "active response" (firewalling), I've added blocking whole ranges of IP addresses from China. Cut down on my bogus traffic by "2/3rds".

    • by jekewa (751500)

      Word. I use the IP blocks from http://ipdeny.com/ [ipdeny.com] to configure ip-filter to stop systems in the top ten malicious countries (http://www.countryipblocks.net/malicious-internet-traffic/malicious-internet-activity-the-top-10-countries/) from getting SSH and SMTP access to my servers. This dropped the amount of relay-attempted e-mail to practically nothing (by three orders of magnitude, from 10Ks of attempts to 10s of attempts), and unknown user attempts to less than a quarter of what they had been.

      Yeah, I migh

  • If everybody stopped clicking on the spam, opening the attachments, etc... suddenly it wouldn't be profitable and it would stop.

    Finished reading? Good job you didn't click on spam while u were reading this, now just do it, now just keep at it... baby steps... no viagra ftw.

  • by Anonymous Coward

    Good day,

    This is an important message to you.The lord directs me to share this with you. As you read this comment, you should sympathize with my current situation and assist me. My name is Isabella Carmel the only survivor from family of four. I was narrowly escaped from the tsunami disaster which affected my spinal cord and also my ear drum and claim the lifes of my entire family, husband (Denis caromel) and two sons (Ugo and Tom) who went for holidays in Sri-Lanka.

    Right now I am currently in Kuala Lumpur

    • Must be a good parody of spam, because I scanned it for about four seconds and thought, "that's enough for me".
  • Obviously, these are names fit for medicine:

    Cutwail - a pain blocker
    Festi - makes soft muscles hard again
    Asprox - makes your bowels work faster

  • by nimbius (983462) on Wednesday August 17, 2011 @01:46PM (#37121848) Homepage

    A security company with 11 products designed to solve your spam problem, has made a picture showing a bombastic and ludicrous increase in spam the likes of which you cannot possibly cope with. This spam targets your genitals using african money laundering transfers to smuggle a dirty bomb into your new nike jordans and boochi bags at 80% discount, and free shipping.

    It is imperative you believe this un-renound seldom-published security engineer working for a vague corporation that runs its main website on a dated version of microsoft IIS 6.0 with ASP. this company worked hard to ensure its pretty pictures had maximum market placement, and slashdot is no exception.

    • by EXrider (756168)
      Say whatever you want about the company who published the article, I didn't even RTFA. I can vouch for what they're saying though; I've seen a massive uptick in quarantined viruses lately, the most I've seen in years since the Pre-XP SP3 days. Most of them are password protected zips or exe's with multiple extensions. Overall spam volume is still lower than last year however.
      • by Clsid (564627)

        I second what the parent post is saying. I kind of thought somebody was trying to hack my accounts or something since I started receiving lots and lots of fake UPS and FedEx emails. In my particular case, the first e-mail I received made me call a company that was sending me a product, since I was already having shipping issues with them. After closer examination of the email I realized it was fake but after that day, I have been receiving 2 or 3 of those fake emails per day with a variety of themes.

  • There's still companies willing to pay for it, so there's still some greedy fucks willing to take it. The desire/benefit of getting the extra edge will prompt the greedy to distort laws/policies in order to profit from having something that others with more scruples (or who simply aren't in a position to cover their ass with expensive lawyers, to compete in terms of what they can get away with) won't have. It needs to become undesirable to carry out this practice, and for that there needs to be severe pen
  • Does this really surprise anyone. It is like a damn hydra. Chop off one head and 2 new ones grow in its place.
    • by gewalker (57809)

      You have to burn the stump after you cut off the head. This step is effective when applied to spammers too.

      • by Kittenman (971447)
        You have to bury the-head-that-never-dies under a rock. And yes, this also works for spammers.
  • First spamassassin, then whatever it thinks is ham gets fed through bogofilter (Bayesian). What comes out of that is almost pure ham. Some stragglers get through but its not a major deal.

    H.

    • by ShaunC (203807)

      That you aren't seeing the spam doesn't mean it isn't a major deal. Someone's bandwidth, drive space, etc. has to be used (even if in an ephemeral sense) long before SA shitcans the message.

    • Spamassassin is the last thing I use in my arsenal. It's too processor intensive. I use Mimedefang and sendmail checks as the first line of defense (spoofing, bad rcpt throttling, mail to system accounts, invalid helos, trustworthy RBL listings, etc.) On a typical day I *REJECT* about 5000 messages before going beyond 'HELO', 'MAIL FROM', and 'RCPT TO'. Of the rest that come though, I drop maybe 50 via spamassassin, and another 50 get flagged as spam. That's 100 things analyzed versus 5000.

      If you are u

      • by fafaforza (248976)

        Sure, but SMTP checks will only go so far. They are very basic, often not even able to run a check against more than 1 line at a time. SpamAssassin filters are pretty detailed, so they do play a role, and I personally am surprised at the number of senders that don't seem to get a bounceback from a 5xx error. Instead they'll waste our helpdesk time to be told something was rejected due to an RBL, etc. So in that respect, checking against an RBL, adding a match to the score and tagging it can end up being

        • Did you even read my post? Spamassassin is used, but it is the last thing used. If people are not getting an error back, then the sender's mail server is misconfigured or a zombie anyway, and we don't want mail from them.

          • by fafaforza (248976)

            And did you read mine? Obviously the sender not getting a bounce is their problem, but they still end up on YOUR helpdesk, wasting YOUR time. I was also responding to your comment on having defenses at the SMTP level, and I commented that they are basic, and can result in the aforementioned issue, so it isn't always the best solution. It is cheap in terms of processing, but has it's own drawbacks.

  • by Tony Isaac (1301187) on Wednesday August 17, 2011 @02:13PM (#37122082) Homepage

    Overall spam volume is down, based on M86 Security and others. http://www.m86security.com/labs/spam_statistics.asp [m86security.com]

    My own spam rates via GMail, and my own domain, show spam rates down by 50% since last year.

    It might depend on who you read. Try googling "spam statistics" and you'll get quite a mix of "spam is up," "spam is down."

  • So, then...they're purple?

  • They are compromising accounts now, using, in part, the data collected by the lulzsec breaches. I have several friends using yahoo who have now sent me spam messages. Their old tactics have been rendered ineffective by spam fighting efforts, so now they are doing this.

  • I'm currently getting mountains of spam exhorting me to remodel my home, buy a new patio deck, buy business cards, even find a new apartment. Stuff that looks like junk mail I'd get on paper, except that it's cluttering up my email. Lots comes from some filth calling themselves Eclipse Media Online, who hope I enjoyed receiving their garbage. Yeah, right.

    I actually do like getting email from companies I do business with, everybody from Mouser [mouser.com] to Sephora [sephora.com]. Emails from Barefoot Tess [barefoottess.com] tend to be hard on my ban

    • by mjwx (966435)

      I actually do like getting email from companies I do business with

      Indeed, I like being notified to when my favourite businesses are having sales, I've saved thousands thanks to signing up to mailing lists for Singapore Airlines, Air Asia, Malaysian Air Services and that's just for travel.

      But this is solicited commercial email, I want to receive this and if I dont I can unsubscribe.

      It's the unsolicited stuff, such as VividWireless that I never want to hear from again, they dont have an unsubscribe fe

  • I was right!

    I knew that lunch meat was up to no good. I could swear it was eying me suspiciously every time I opened the fridge. I should be wearing the aluminum foil, not the foodstuffs.

  • I'd open my Inbox and only find legitimate emails in it. Then the current spike in spam started. Deadly? No. It's nithing that Ctrl-click-click-click-...-Delete can't handle. Annoying? Yep. And a little insulting. Do these bozo spammers really think I'm -- or anyone for that matter -- going to open an attachment from an email that has the same Subject: line as eight other emails in my Inbox? And do they really think that all of my UPS shipments have been going to the wrong address? Or that I would be expec

  • I have a four point plan that I guarantee will eliminate spam once and for all:

    1. Find the spammers and kill them.
    2. Find anyone buys spammer's services and kill them.
    3. Find anyone who is stupid enough to allow their PC to become infected more than twice and kill them.
    4. Find Steve Ballmer and Darl McBride and kill them.

    Okay its actually a three point plan. I just added Ballmer and McBride because I don't like them.

  • Epic, huh? Really? Did it destroy Troy, or get lost at sea for ten years? Is it anywhere near that epic level of magnitude? I don't think so.

  • I've gotten spam in the last three days for the first time in many, many months. Ubuntu/Thunderbird/POP
  • MS should now focus on the next 2 biggest ones...and keep at it, until the bad guys see there is no money to make any more with malware!
    I hope MS jumps on the security good guy band wagon for awhile, and thinks less of the bottom line

The IQ of the group is the lowest IQ of a member of the group divided by the number of people in the group.

Working...