
Sobig Worm Attacking RBL Lists?

Ubi_NL writes "According to the Register there is a close correlation between the DDOS attacks on a number of anti-spam lists and the presence of the Sobig virus. Now that Monkeys.com is gone, and spamhaus.org is taking heavy blows, are the spammers actually winning the battle by using viruses?"
  • We don't come here for have grammar
    • I don't think this was actually off topic. I have no idea what "taking have blows" is supposed to mean
    • While grammar may be an issue, the title has a misspelled Attacking as Aattacking (or perhaps it is a Dutch spelling, since they are generous with vowels, at least we know it isn't Welsh, since if it were Welsh there wouldn't be any vowels :-)).
  • DDoS (Score:2, Interesting)

    by lbruno ( 114856 )
    Everyone on the various anti-spam mailing lists and newsgroups was thinking that these worms were creating a network of spam proxies.

    Maybe they were creating a network of DDoS zombies.
  • Useless links (Score:2, Insightful)

    by Karamchand ( 607798 )
    Why did you have to put a link to spamhaus into this story? Readers might expect something new or special on their page, click on it and help use up spamhaus' valuable bandwidth.

    No point in providing useless links..
  • by Alien Conspiracy ( 43638 ) on Sunday September 28, 2003 @09:46AM (#7076901) Homepage
    If they 'win', people will stop using SMTP email as it would be useless. So even if they 'win', they 'lose' in the end anyway.
    • by Drakon ( 414580 ) * on Sunday September 28, 2003 @09:54AM (#7076937) Journal
      do you actually think SMTP would get supplanted in the near term (>5 years) with an incompatible solution?
      Do you think there won't be new and better anti-spam solutions before SMTP is supplanted?
      (if you answered yes to either of the above, your world view is distorted and you need to stop drinking so much ;-)
    • This is a very valid point. To many users, the absence of spamfilters would pretty much render the email system unusable.

      If the spammers are able to shut down spamfiltering services in this way, there will be a significant demand towards getting SMTP replaced by a smarter protocol, that will not allow spamming in the form we see it today = spammers lose.

      To install new software on all mailservers is quite a task. This is likely to take time, and be quite an interruption = everyone loses.

      There's also a great
      • This is a very valid point. To many users, the absence of spamfilters would pretty much render the email system unusable.

        We're not talking about spamfilters, we're talking about RBLs, which are usually more of a problem than a solution.
        Granted that spamhaus provides more services than an RBL does (like providing names of those who should be crucified), but both the original parent of this thread and the article summary are referring to RBLs.

        If the spammers are able to shut down spamfiltering services

        • There's also a great danger that Microsoft would take advantage of the situation, and try to create a new proprietary mail protocol based on Palladium, for Windows users only = everyone not using Windows loses.

          This wouldn't happen because Microsoft is not entirely stupid. This would be akin to Windows Media Player only playing WMA, or Internet Explorer only working with IIS sites.

          It would also be akin to Windows supporting Win32 instead of POSIX applications, or to new versions of MS Office having new fil

    • I think most people are moving away from using third party detection spam filters and moving towards more destination-classification systems, such as Bayesian filtering. This, in my view, is probably a good thing, as many of the third party "methods" were, to say the least, fairly scattergun, and some of their louder advocates actively hostile to criticism.

      What would be really nice would be for ISPs to give users domains, like Demon Internet does in the UK, which means solutions like mine [slashdot.org] (I believe there

      • You do not need a domain from your ISP - just use throwaway email addresses from sites like SpamGourmet [spamgourmet.com] or SneakEmail [sneakemail.com].

        However, these will only address the issue of a website or online store passing your email address around when they shouldn't (or idiots like Lycos and Yahoo who think sending emails to registered users is cool even when they have not opted in for any). It will not cope with the hardcore spammer who uses spiders to pull addresses from webpages/usenet postings or those that use random-garbage

    • I have been thinking that eventually I may just put an auto-responder on my email addresses that tell the sender 'Please PHONE me at my office'. And I'll shut off all my voicemail services. And if it is important, they will get through eventually. If it isn't, they won't bother me.

  • by bersl2 ( 689221 ) on Sunday September 28, 2003 @09:50AM (#7076919) Journal
    Has anybody done a disassembly of Sobig? How is it even distributed, as a binary or as a script? I don't think we should attribute Sobig to the spammers just yet.

    OTOH, I have no friggin' idea what I'm talking about...
  • by borius ( 711380 ) <borius.gmail@com> on Sunday September 28, 2003 @09:56AM (#7076951)

    With the efficiency of spam filters and widespread use of blacklists and such, how can the spammers actually make any money? It's logical that they (the spammers) should try to bring attrition to the defenses of mail servers.

    Btw, I have a novel idea for bringing spammers out of business. OK, here goes: spammers want to sell you penis enlargement programs, viagra, and pr0n right? Well, what if someone sets up a company solely dedicated to selling these things at the lowest price possible? People could just go to AllMyPerverseNeeds.com and get their fix cheaply and securely. Obviously we can't compete with Nigeria type spams, but it would bring down a lot of spam I think. So, anyone in favor of starting a non-profit Viagra depot?

    • by Anonymous Coward
      Except that selling prescription drugs without a prescription, including viagra, unapproved drugs, and counterfeit drugs is illegal in the US and many other countries. Many of the other things you see advertised by spam are also illegal many or most places. Not only is the spam annoying and often illegal, so too are the products being advertised, which are often hazardous. By selling these products openly you would be taken down very quickly. Doing business outside the US helps somewhat but shipping the
    • Well, what if someone sets up a company solely dedicated to selling these things at the lowest price possible?

      Great. They could then send emails to everyone on the internet so that they know not to buy from the spammers...
  • by Ricin ( 236107 ) on Sunday September 28, 2003 @10:01AM (#7076968)
    Look what I got yesterday (with forged headers):

    ---- quote --------------
    Dear Internet user.

    We are an organization dedicated to stopping spam. Please help us as we are
    funded solely by private donations.

    visit www.spamcop.net for full details. Or you can send your donations to:

    Julian Haight
    PO Box 25732
    Seattle, WA

    As you can see by this message unsolicited e-mail is an invasion of your
    privacy. As you can also see it can be sent anonymously

    We will continue our efforts until all spam is eliminated.

    To join please visit www.spamcop.net or contact

    We will continue to send out this message until we convince all ISP's to
    stop all spammers.

    !!!Stop low-lifes from invading your inbox with their junk!!!
    ---- end quote ------------

    If they spew out fake spam which can only be meant for slanderous purposes, would you really expect them to *not* be in the virus game? Almost all these Windows viruses, if you hexdump them, have SMTP capability. It's quite thinkable that a fair amount of them are really experiments rather than 'bad things done to innocent users because the virus writer likes doing that'.

    There must be a lot of money involved in the art of spamming still. I wouldn't be surprised if spamhauses are partially means of laundering money as well (think about it). Either way, these people *are* criminals and one should consider them as such.
  • are the spammers actually winning the battle by using viruses?

    Just look at the godawful appearance of the meat, and smell the nasty stench from the can : how can you *not know* there are viruses in spam?

    Yuk ...
  • by DWormed ( 711488 )
    If the sobig worm were attacking RBLs, wouldn't someone have done a "netstat" on an infected machine and found it? I've netstatted a couple of infected machines; seen nothing even close. Maybe it's just the mail _servers_ killing the RBLs, checking all those thousands of spam mails (sometimes 4 or 5 per server PER SECOND).
    • If the sobig worm were attacking RBLs, wouldn't someone have done a "netstat" on an infected machine and found it? I've netstatted a couple of infected machines; seen nothing even close. Maybe it's just the mail _servers_ killing the RBLs, checking all those thousands of spam mails (sometimes 4 or 5 per server PER SECOND).

      DNSBL queries are cached, which is a big part of the reason for using DNS. Secondly, I would think the DNSBL administrators would know the difference between usage of their own service
      • Note that OpenRBL [openrbl.org] is back up, using a distributed proxy system to weather the DDOS (which I'm currently trying to find more info about, it is technically very interesting). You can search spamhaus records (among many others) from there.

        • Note that OpenRBL is back up, using a distributed proxy system to weather the DDOS (which I'm currently trying to find more info about, it is technically very interesting). You can search spamhaus records (among many others) from there.

          If openrbl is rotating between mirrors, that's great. However, the issue remains: spamhaus's actual web content is what's very valuable to me, and it's not mirrored anywhere. I concede that there's good reasons for centralizing the content, but it also creates a single po
      • DNSBL queries are cached, which is a big part of the reason for using DNS. Secondly, I would think the DNSBL administrators would know the difference between usage of their own service and a DDOS attack.

        Just trying to look at every possibility. I'll concede it's (rather) unlikely, but I suspect that the sobig doing the ddos is probably equally unlikely.
    • Do RBLs really get scanned for every client email received? I was under the impression that the RBL list was generated in realtime, but updated on client machines at specified intervals instead of in realtime?

      Of course, I could be wrong, so I'll look forward to being corrected (flamed) soon :-)
  • Simple solution (Score:2, Informative)

    by Anonymous Coward
    Install p0f [coredump.cx] on your firewall and block all SMTP access from windows machines. How hard was that?
  • Thus, the US would feel free to invade Spamodia to free the oppressed Spamodians from the evil Spammer overlords. During the invasion, though, the major Spammers would escape, allowing them to continue their spam attacks against the anti-spam coalition forces. And other pro-spam zealots would flock to Spamodia to aid the effort.
  • by ziaz ( 542344 ) on Sunday September 28, 2003 @10:31AM (#7077084)
    I'm guessing this has already been said, but... Instead of focusing on just the spammers themselves, why not target the companies or individuals that from time to time benefit from the spam. I'm assuming there must be some way to track those people receiving money for viagra, enlargements, etc.
  • by Anonymous Coward on Sunday September 28, 2003 @10:41AM (#7077131)
    Finally this is our chance to make Congress liken spammers to cyber-terrorists, and for a reason politicians fear and know well enough to do something about it: "Now some of the spammers are even building a network of worm-ridden computers [slashdot.org], possibly at the fingertips of a madman who is willing to do anything for money, and may only be waiting to turn them into Weapons of Mass Disruption, wreaking havoc to the Nation, the Internet, and e-mail as we know it..." (spooky, huh? ;-))
    Outlaw spammers, put an end to spam. Sometimes it's as simple as that. (And it works: Haven't seen much fax spam for years...)
    Just be "Mr. Concerned Citizen" for once and send articles like this [theregister.co.uk] to your congresscritter [loc.gov] now. Let them know what spammers have already done "to your kids" (rather omit the "to your p...s" part even if you've ordered their pills and pumps) "and to your computers".
  • A secure network needs to be created whereby ISPs create a special network which only allows emails to be sent to and from each other. Any email coming from relays not on the list of "acceptable" senders is instantly deleted.

    It is unfortunate, however, that the majority of the spam I am receiving is from low lives who run a virus and now I get 143K size attachments being rammed to me.

    If they are going to do something there has to be a concerted effort by ISPs to work together to kill of op
    • And how are you going to certify the ISPs allowed on that network, so you won't get any spammers on the list of acceptable senders?
    • Change e-mail clients if this is a problem. Get one that can receive header information only. Delete the ones with 143K attachments on the server instead of downloading. My policy is even simpler: delete all executables and HTML. Losing a pretty style sheet doesn't make the message hard to read. Most of the time it makes it easier.
  • Most Spammers are Criminals, Scam Artists and possibly Terrorists anyway. So if they are caught they go to jail. So why not make a virus to stop the spam blocking sites? What is the worst that can happen? They get caught and go to jail. That is the problem of dealing with criminals: when their back is to the wall they will do whatever. What they should do is a full media blitz explaining the dangers of Spam and also putting a lot of real pressure on people who keep their relays open, force them to fix it,
  • Huh ? (Score:3, Insightful)

    by phoxix ( 161744 ) on Sunday September 28, 2003 @11:04AM (#7077233)
    and spamhaus.org is taking have blows

    English ?

    And if such a site is under attack, why on earth are you linking it on slashdot's front page ?

    Sunny Dubey

  • How cool?! (Score:4, Funny)

    by scovetta ( 632629 ) on Sunday September 28, 2003 @11:08AM (#7077263) Homepage
    How cool would it be if there was evidence that the Direct Marketing Association [the-dma.org] was behind the SoBig worm? We could sic the RIAA on them, and maybe tell SCO that the DMA was using Linux to develop it. With any luck, they could all come together and ignite like a small star, ridding the world of the lot of them!

    Only in my dreams...
  • I haven't used a news reader since the groups got bloated with spam and porn.

    My main corporate email account is bloated with spam and with moron viruses sent to "all Microsoft Customers," of which I am not. It has got so bad that I just let the account bump against its mail box limit and bounce messages off.

    Unfortunately, I have to use email for the auditability otherwise...

    If it wasn't for spam, I'd have no traffic at all most days.
  • I think the solution here is to respond with the same kind, but more forceful, DDoS attack on the systems that are trying to shut the anti-spam sites down. I should think we as good network admins, code hackers, et al can do a much better job than these spammers, who are obviously losing the battle since they are resorting to this kind of tactic. Find the IPs of the sites, and flame back!
  • How the attack works (Score:5, Informative)

    by Skapare ( 16644 ) on Sunday September 28, 2003 @11:26AM (#7077420) Homepage

    Before the SoBig virus, each mail server receiving mail would, in the course of a day (about how long DNS black list records would be cached), get SMTP connections from a certain set of other mail servers. Most of those mail servers would be the ones from which email regularly comes in. Although people would have lots of email addresses in their address books, and even more in other files, most only regularly exchange mail with a small subset.

    Enter the SoBig virus. It gathers up email addresses, not only from the address book, but also from email contents, web cache, documents, and just about everything else. Then it sends email to them in a probably uniform distribution of selection. The number of different domains being sent to from one computer in a day is now much larger than normal (in addition to the increased traffic). At the receiving mail servers, the number of different mail servers the SoBig spam is coming from is also much larger than normal. Now mail servers are getting mail from just about every mail server that has any user with any instance of a user email address that names that receiving server.

    With the same mail servers sending mail over and over, the receiving server's DNS cache will have hits very frequently. With an increase in diversity of mail servers trying to deliver the SoBig spam, the number of cache misses goes up. Each cache miss means a query that recurses back to the DNS blacklist servers. Thus the query load on those servers goes up, effectively a DDoS.

    Additionally, most DNS servers out there are "open recursive name servers". That means they let anyone, anywhere, do a recursive lookup. Spammers can drive even more load on the DNS blacklists by sending out DNS queries (with forged source addresses, of course, so they don't have to deal with the bandwidth of the answers) to those open recursive name servers, forcing more and more queries to focus in on the authoritative servers for the DNS blacklists.

    This attack can be successful because spammers have far more network access from a wide variety of places than there are authoritative name servers for DNS blacklists (the ultimate target). And since recursive DNS lookup only has that server for a source address, all the DNS blacklists will see are queries from those open servers.

    One way to address some of this problem is to close off recursive lookups. But given that millions of networks are run by incompetent or non-existent administrators, that isn't likely to happen on the scale needed to prevent the abuse. And it won't stop lookups by the receiving mail servers trying to check out all the different SMTP connections due to the spam from the viruses.

    Blacklists will most likely end up having to be done by a means other than DNS, unless blacklist operators can manage to acquire sufficient bandwidth and server power to ride out the loads (which could very well be even greater than the GTLD servers that host "com" and "net" would see). Some form of distributing a static list file will probably happen. And, unfortunately, that means whoever gets listed will have a much harder time getting out of all those distributed lists, as many people won't be updating them as often as they should. The original reason to use DNS was to have a relatively quick means to remove a listing and have it take effect throughout the internet. By breaking the DNS mechanism, the ability to remove a listing is what suffers the most.

    What I hope will end up happening is that spammer networks and generic (dialup, cable modem, DHCP, etc) addresses get listed in distributed files, and the more transient cases still get handled by DNS. The listings in DNS would be the ones that won't be so important to big time spammers, so they would be less attractive targets of attack, and if attacked anyway, would not open up the major points spammers find easy to use (e.g. their own networks and the generic networks where open proxies are found all over the place).

    • You make it sound like the spammers were so shrewd as to design this ingenious "attack" scheme into the virus from the start. I highly doubt that.

      There is no evidence that the SoBig virus was written by spammers, or even that the RBL DDOS is intentional. To me it looks like the RBLs simply can't handle the load from trying to filter out this virus, plain and simple.

      Perhaps an improvement to filtering tools would be to rely as much as possible on bayesian and rule-base filters, and only contact an external
    • There's no need for a flat file. We can fix that if DNSBL users do zone transfers. I know some operators are nervous about legal issues with that (and I'm completely ignorant of what those issues are), but this is a simple technical fix for lots of DDOS attacks. DNS servers automatically update their slave zones periodically, so I don't think there would be much trouble with people not updating them like they should. The bandwidth required for a TCP zone transfer is more than a few UDP queries, but no serv
  • by terrencefw ( 605681 ) <slashdot&jamesholden,net> on Sunday September 28, 2003 @11:31AM (#7077458) Homepage
    ...and I'll say it again.

    The main problem here is that we have millions of hosts connected to the Internet that just aren't robust or secure enough to be connected to a public network (I'm mostly talking about Windows machines here, if you hadn't guessed).

    There was a discussion last week on slashdot about ISPs doing egress filtering on home users' connections and I'm all in favour of that.

    Unless you're hell-bent on running a mailserver on your DSL line, there's no reason for you to go out on port 25. Even if you do run a mailserver, you should have your box forward all outbound mail to your ISP's mail relay. AOL and some other large ISPs won't accept mail from you if you don't anyway.

    IMHO ISPs have a responsibility to protect the backbones from their lame-ass customers with compromised machines.

    Reply rather than mod if you think I'm talking out of my outbound relay.

    • Mail service should be decoupled from Internet access service. There are a number of valid reasons why a customer may not want to use his ISP's mail server, such as security, reliability and performance. Many ISPs have shown that they are incompetent in running their own mail servers.
    • Seconded (with a caveat). A huge proportion of home users do not even know what an SMTP server is, let alone what it does and why they would want one. As long as the ISP makes provision for SOHO offices and "advanced" users to get such blocks removed on request I have zero problem with this. In fact, the ISP I currently use for my home connection does this, and while I had to chase the issue up (overworked support team I guess), they had no issues with removing the block. Frankly I think it's just a matt
    • I like to run sendmail on my cable modem. Don't give my ISP any ideas about blocking this port. They have screwed with me enough already (i.e. AT&T @Home blocking port 80).

      I run OpenBSD, and I'd really rather not be punished for some Win32 idiot that opens every EXE in Outlook.

  • I don't see why a spammer, even a big one, should make an effort to take out anti-spam sites. Spammers, so common opinion holds, are just there to make money - not to engage in any sort of crusade against anti-UCE groups. So what does one individual spammer have to gain? If, after a great deal of effort, a spam blacklist is taken down, all spammers share in the benefits. It doesn't seem that one individual would make enough extra profit - possible profit at some time in the future - to justify getting i
    • I agree - I doubt it's actually a spammer, but rather someone *else* who has an axe to grind against blacklists.

      Having been involved with a company that was incorrectly put on a blacklist (suspected of distributing spyware, with no proof or even attempt at proof, just one individual's speculation), I can certainly understand someone getting frustrated enough to retaliate.

  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday September 28, 2003 @12:06PM (#7077704)
    Anti-spammers figured out what's going on this summer (see news.admin.net-abuse.email). These numerous Windows worms we're seeing are in fact trial software deployments (funded by major spammers) that are in the process of setting up an anonymous, distributed worldwide spam injection network.

    You may mistakenly believe, as I did in the past, that spammers are just a bunch of unemployed losers that sit around late night bulk mailing ads for scams. It turns out that in fact they're well funded losers engaged in such a lucrative industry that they can afford to hire good programmers.

    The series of windows worms we've seen this year had preset expiry dates -- ending each of the carefully released wild tests. The most recent versions (swen) have very efficient SMTP engines built-in; these are not amateur projects.

    Thanks to Microsoft's monopoly of operating systems, spammers can easily deploy software around the world that relays spam. swen demonstrated the power of this software; many people were DDoS'd off the net. I alone received over 40,000 emails carrying the worm.

    Expect an all-out-spamwar to break out in 2004.
    • >Expect an all-out-spamwar to break out in 2004.

      How about an all out virus war? Write a virus that stealth installs AVG and let it run loose. I can't wait to see the Symantec advisory on that:

      "This trojan installs a competitor's product. Here is the remove tool and a link to buy our product."
  • Ok, it's off-the-wall, out-of-the-box anti-spam tactic time (I generally get criticised for attempting to solve this problem).

    SPAM is successful because of a simple formula:

    (Number of messages sent + cost of sending) / time = $$

    Why not simply slightly revise the SMTP standard to only permit a fixed number of messages per sender over a period of time? For example only allow say 20 recipients per message per day? If you need more than that, then perhaps have some form of payment system? Isn't it a bit rid
  • by Pig Hogger ( 10379 ) <pig DOT hogger AT gmail DOT com> on Sunday September 28, 2003 @01:06PM (#7078168) Journal
    The idea is to provide a distributed RBL, using only proven recipes and technology.

    The list is a re-implementation of a DNS-based RBL, so as to allow current MTAs to access it without modification.

    The RBL servers are distributed, PRIVATE AND SECRET, in order to avoid being DDOSed. The servers are ordinary BIND, whose zone file is updated by a process to be implemented.

    Those willing to use the RBL service have to run their own DNS server - they are free, however, to allow other trusted people to use their services; only they are going to be affected by an eventual DDOS, but not other users of the DRBL.

    The RBL information is distributed via USENET. USENET has proven its ability to survive all sorts of attacks in the past. It has survived the church of scientology, therefore it will survive chickenboners. Its distributed nature makes it quite invulnerable to the kind of DDOS attacks that currently affect centralized DNS RBLs.

    The list maintainer posts PGP-signed updates to USENET via a network of trusted volunteers who do it from dynamic IP addresses of disposable dialup accounts. For safety, the IP addresses are changed immediately following the posting of updates, in order to avoid being DDOSed.

    Authentication against spoofing and flood attempts is provided by the PGP signature.

    The RBL users then scan USENET for the updates, which, once authenticated, are used to update the zone files on their private and secret DNS servers.

    • The list maintainer posts PGP-signed updates to USENET

      Are you suggesting publishing entire lists of vulnerable hosts in the clear?

      If I was a spammer, I wouldn't exactly be unhappy about that. No need to do port 25 scanning for open relays any more, just get 'em off Usenet where the good guys posted them!

      • The list maintainer posts PGP-signed updates to USENET
        Are you suggesting publishing entire lists of vulnerable hosts in the clear?
        The hosts list could be public-key encrypted, with the list maintainer providing the decryption key only to verified RBL members.
        That kind of defeats the anonymous/distributed purpose, I guess.
        • You obviously both haven't read the proposal. The list is updated IN THE CLEAR, so there is NO WAY of telling who uses it. The updates are PGP-signed for authentication purposes. Having it encrypted totally defeats the purpose of having it widely used. If there were a list of registered users, that would represent a terrific single point of failure that would be mercilessly DDOSed if it were ever unveiled to spammers.
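Pig Hogger's proposal leaves the step that turns an authenticated update into a BIND zone file "to be implemented". The following is an added example of that step, not the proposal's own code: it takes a plain-text update, applies it to the set of listed addresses, and renders the DNSBL zone that an unmodified MTA would query (reversed octets under the zone, answered with the conventional 127.0.0.2). The update line format (`add`/`del` plus one IPv4 address per line, `#` comments) and the zone name `drbl.example` are assumptions; verifying the PGP signature on the update is assumed to have been done by the caller before `apply_update` runs, since a zone rebuilt from an unverified posting is exactly what the signature is there to prevent.

```python
"""
Rebuild a DNSBL zone from a verified list update (assumed format).

Flow: signed update from USENET -> (signature verified elsewhere) ->
apply_update() -> render_zone() -> file loaded by the user's own BIND.
The update format and zone name are constructed for this example.
"""
import ipaddress

ZONE = "drbl.example"        # hypothetical zone name (assumption)
LISTED_ANSWER = "127.0.0.2"  # conventional "listed" A record for a DNSBL


def reverse_octets(ip: str) -> str:
    """192.0.2.10 -> 10.2.0.192, the label an MTA prepends to the zone."""
    addr = ipaddress.IPv4Address(ip)   # raises on anything that is not IPv4
    return ".".join(reversed(str(addr).split(".")))


def apply_update(listed, update_text: str) -> set:
    """Apply 'add <ip>' / 'del <ip>' lines to a copy of the listing set.
    Any malformed line aborts the whole update rather than loading a
    partially applied zone; a bad address can therefore not reach BIND."""
    result = set(listed)
    for lineno, raw in enumerate(update_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("add", "del"):
            raise ValueError(f"line {lineno}: malformed update line {raw!r}")
        op, ip = parts
        try:
            ip = str(ipaddress.IPv4Address(ip))   # canonical form for set membership
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if op == "add":
            result.add(ip)
        else:
            result.discard(ip)
    return result


def render_zone(listed, serial: int, zone: str = ZONE) -> str:
    """Render a BIND zone. The serial must increase on every update so that
    secondaries doing zone transfers notice the change."""
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 3600",
        f"@ IN SOA ns1.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
        f"@ IN NS ns1.{zone}.",
    ]
    for ip in sorted(listed, key=ipaddress.IPv4Address):
        rev = reverse_octets(ip)
        lines.append(f"{rev} IN A {LISTED_ANSWER}")
        lines.append(f'{rev} IN TXT "Listed by {zone}"')
    return "\n".join(lines) + "\n"


def is_listed(listed, ip: str) -> bool:
    """What the MTA's lookup would answer for this client address."""
    return str(ipaddress.IPv4Address(ip)) in listed


# Constructed sample update; in the proposal this text would arrive as a
# PGP-signed USENET post and be verified before reaching apply_update().
SAMPLE_UPDATE = """\
# constructed update, serial 2003092801
add 192.0.2.10
add 198.51.100.7
del 192.0.2.10   # delisted again in the same batch
"""


if __name__ == "__main__":
    current = apply_update(set(), SAMPLE_UPDATE)
    print(render_zone(current, serial=2003092801))
    print("198.51.100.7 listed:", is_listed(current, "198.51.100.7"))
```

The `del` lines are what the DNS mechanism was originally chosen for, as Skapare notes: a delisting is only as fast as the slowest copy of the zone, so the serial bump in `render_zone` and a short refresh interval on the secondaries are what keep removals from lagging once the list is distributed rather than queried centrally.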
  • This virus proves, one more time (for the millionth time) that spammers are an evil, unrepentant bunch of psychopaths - they will shirk from nothing in order to shove spam down our throats, and attack anything and anyone that could stop them.

    So, in the face of this spammers' blatant endeavour, what is the level of interest of /. readers? Less than 180 comments. And very few moderations (which means, few reads). So if even the /. crowd is un-interested, how can we hope to awaken the masses from their slumber
