Security Communications The Internet

Top Botnets Control Some 1 Million Hijacked Computers

Puskas writes "Joe Stewart is the director of malware research at SecureWorks, and presented a dire view of the current botnet landscape at the RSA conference this week. He conducted a survey of the top spamming 'nets, extrapolating their size from the volume of emails that flow across the internet. By his calculations, the top 11 networks control just over a million machines, hitting inboxes with some 100 billion messages a day. 'The botnet at the top of the chart is Srizbi. According to Stewart, this botnet — which also goes by the names "Cbeplay" and "Exchanger" — has an estimated 315,000 bots and can blast out 60 billion messages a day. While it may not have gotten the publicity that Storm has during the last year, it's built around a much more substantial collection of hijacked computers, said Stewart. In comparison, Storm's botnet counts just 85,000 machines, only 35,000 of which are set up to send spam. Storm, in fact, is No. 5 on Stewart's list.'"
This discussion has been archived. No new comments can be posted.


  • by toby ( 759 ) * on Thursday April 10, 2008 @03:01PM (#23028908) Homepage Journal
    Start with "microsoft" and "windows" as the technologies which bring you the largest, most profitable botnets!
    • Re: (Score:3, Interesting)

      Third time posting this link in this thread:

      Compromised Linux machines are an integral part of the botnet. [softpedia.com]

      No technology can replace determined stupidity... or just plain arrogance.

      But... you are INVINCIBLE!, right?
      • by Lumpy ( 12016 )
        First time posting this solution...

        http://www.sophos.com/rst-detection-tool [sophos.com]

        Use the right tools and actually pay attention to your system and you are still tighter than a Windows box.

        Install and forget on ANY system is foolish. Pay attention and you are way more secure. And YES, you can say you are secure if you pay enough attention.
      • Nope. But those Linux machines almost certainly had to be manually compromised... from TFA you linked to:

        "Linux computers are very valuable to hackers. A bot army, similar to real armies, needs a general (controller) and infantry (zombies). Linux boxes are often used as servers, which means they have a high up-time - essential for a central control point. A Windows computer, on the other hand, is found at home or as a desktop machine in an office, and these computers are regularly switched off. This makes them less attractive as controllers, but ideal for infantry, or zombies," McCourt stated.

        No, no technology can replace stupidity or arrogance. But if you have Linux with a good password, you're a lot safer than if you have Windows with a good password.

      • by Hatta ( 162192 ) on Thursday April 10, 2008 @06:41PM (#23031084) Journal
        The article notes that the linux boxes are like the generals of the botnet army. So even when compromised linux is a more powerful OS. ;)
  • How do I tell...? (Score:5, Interesting)

    by AdamTrace ( 255409 ) on Thursday April 10, 2008 @03:08PM (#23029008)
    I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

    I don't necessarily trust that a clean-virus scan means a whole lot.

    What's the best way to make this determination?
    • Re:How do I tell...? (Score:5, Informative)

      by Volante3192 ( 953645 ) on Thursday April 10, 2008 @03:12PM (#23029056)
      Put a good firewall in front of it and watch the packets go in and out. Any rogue port 25 traffic would be a big clue.
    • by spun ( 1352 ) <loverevolutionary&yahoo,com> on Thursday April 10, 2008 @03:16PM (#23029116) Journal
      You know what destroys infection? FIRE! Good old cleansing fire. Simply stuff your computer full of old newspapers, douse it with gasoline, and light it on fire, and I guarantee that it will be free from infection.

      If this either seems too drastic or fails to do the trick, just squirt a syringe full of penicillin directly into the power supply while the computer is running, that should help.
      • Mods must be hung over again. I think I'm going to suggest this to our admin guy the next time somebody brings in some drippy little present on their laptop.

        But a silver stake through the middle of the PC might work just as well.

    • Re: (Score:3, Informative)

      by maxume ( 22995 )
      Short of a firewall, you can use something like TCPView to look for unexplained network activity:

      http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx [microsoft.com]

      A rootkit can hide its activity, so this isn't as good as a firewall, but it is easier, and you'll at least be able to figure out if you have a non-rootkit infection.
      • If you want to do it right, run your traffic analysis on another host that has access to the subject host's traffic - that's the only way to know you aren't being fooled by an altered network stack. If you're doing this at home, and you have a little broadband router, consider installing OpenWRT on it so you can packet sniff at your leisure.
    • Re: (Score:3, Funny)

      by Zemplar ( 764598 )

      I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure? I don't necessarily trust that a clean-virus scan means a whole lot. What's the best way to make this determination?
      Do you shutdown your computer by pressing "start"? If so, odds are good you're at risk.
    • Re: (Score:2, Insightful)

      I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

      I firmly believe that you can never be sure. It all comes down to trust: Do you trust - morally and technically - the people who wrote the programs you are running and the people who compiled them and those who packaged them onto a CD or a webserver... and so on.

      As it is nowadays impossible to have complete insight into all your running software, let alone your hardware, you will never be sure. But you can have confidence :)

    • by v1 ( 525388 )
      What's the best way to make this determination

      FORMAT it, reinstall from media, and only run updates manually from burned CDs. Then you can be as sure as possible (tho not 100%) that it's clean.

    • Re: (Score:3, Insightful)

      Firewalls don't help, if you navigate to a BadWare URL, and request an exploit on port 80!
    • by Beardo the Bearded ( 321478 ) on Thursday April 10, 2008 @03:58PM (#23029630)
      You can't.

      Not even Linux boxes are safe from hacking. [softpedia.com]

      An anti-virus scan is totally worthless. In fact, most systems slow your machine down so badly that they're worse than useless. Norton slows your machine down by thousands of percent! [codinghorror.com]

      Let's be honest here. In my lifetime, I've spent less than $100 (one hundred dollars) on my security systems. That gives me a D-Link firewall, Avast!, and Spybot. The hackers have access to the same materials. If they want to write a program that gets around my meager defences, then they can. I live only by my obscurity, enhanced by my slight tweaks to my firewall. (Dropping pings, blocking port 113, etc.) As far as a passive scan goes, I don't exist. I simply wouldn't survive a concentrated attack.

      That's probably okay, though - it's like when I lock up my bike. I have a kryptonite U-lock that I put through both wheels and the frame. I also take the seat with me and remove all the shiny bits. (It also has a VHF transmitter, but that's another story.) It would take someone with a plasma torch two or three seconds to cut the bike rack and put my bike into a truck. However, that's not worth your average meth-headed bike thief's time. It's easier for him to take another bike that's not as secure. If a dedicated professional wants my bike, then he's going to get it.

      The major problem with Windows is that when you take your machine home and plug it in, it can be easily compromised. The same is true with a lot of commercial-grade routers with firewalls. The default settings leave a lot to be desired. Your firewall still sort of works, but you're not getting the same level of protection that you'd get by changing some settings. Just two days ago, we had an article about the 2-wire security holes, showing that a large percentage of ISDN home users in North America are wholly unprotected against external attacks.

      So why do we have what we have? It's simple. We have a lot of programs written by people who simply do not understand security issues. Windows, for example, is perfectly stable until you start to put 3rd-party software on it. Then it starts to crash because the memory is being used in two or more different ways. Take a look at some of the snippets on thedailywtf to see what sort of quality work you end up with when you have people who "can program" and can't understand basic math (if you work unpaid overtime, that's you.) writing important code for important systems.

      What's required to fix it is a wholesale change in CPU architecture along with mandatory licencing and regulation for anyone who wants to program anything in any language and sell it. (If you put up a dividing wall in your house, you can get the supplies at Home Depot and DIY. If you want to sell a wall-building service to the public, you have to be licenced.)

      Only once we take programming as seriously as we take bridge construction and land surveying will we start to see safer computing.
      • by JoshJ ( 1009085 ) on Thursday April 10, 2008 @04:06PM (#23029714) Journal
        Congratulations on eliminating hobbyist programming and having nothing left BUT the megacorps like Microsoft. No thanks. It's suitable for engineering firms where physical harm can be done, but it's definitely not suitable for software. This is nothing more than a legal framework for Trusted Computing.
        • Re: (Score:2, Insightful)

          by johndmann ( 946896 )
          Not simply hobbyists, this would cause major issues for the entire open-source world!
      • by vimh42 ( 981236 ) on Thursday April 10, 2008 @04:59PM (#23030172)
        You had a great post up until the end.

        "What's required to fix it is a wholesale change in CPU architecture along with mandatory licencing and regulation for anyone who wants to program anything in any language and sell it. (If you put up a dividing wall in your house, you can get the supplies at Home Depot and DIY. If you want to sell a wall-building service to the public, you have to be licenced.)

        Only once we take programming as seriously as we take bridge construction and land surveying will we start to see safer computing."


        Such suggestions are worse than the problem. Suggesting that people should need a licence to program and comparing it to bridge builders and surveyors is like suggesting people should have to get a licence to walk, just like they need a licence to drive a car.
    • Re:How do I tell...? (Score:4, Informative)

      by Technician ( 215283 ) on Thursday April 10, 2008 @03:58PM (#23029642)
      I'm a smart software developer, so I'm pretty sure my computer is not affected (secured hardware firewall, etc). But how can I be sure?

      As a smart software developer, you know not to trust a box that may be untrustworthy. Your packets leave the untrusted box and must pass elsewhere where they can be monitored. Do you monitor your router traffic? That's number 1. Windows Updates may cause unexpected traffic, but the addresses will let you know if it's outgoing spam or a request for updates from Microsoft.

      For example my recent URL's from my router log show the following..
      192.168.1.81 168.143.175.215 www
      192.168.1.81 74.125.47.164 www Google
      192.168.1.81 210.50.7.243 www Doubleclick --- I'm going to have to add this to my hosts file..
      192.168.1.81 8.14.216.9 www
      192.168.1.81 74.125.47.164 www Google
      192.168.1.81 203.34.47.165 www IDG publications
      192.168.1.81 210.50.7.243 www Doubleclick
      192.168.1.81 210.247.196.12 www www.facilitatedigital.com/
      192.168.1.81 217.20.16.80 www
      192.168.1.81 209.27.52.115 www Doubleclick
      192.168.1.81 66.35.250.151 www Slashdot
      192.168.1.81 209.62.176.153 www Doubleclick
      192.168.1.81 74.125.47.164 www Google
      192.168.1.81 74.125.47.103 www Google

      It's all WWW traffic and no unexpected port 25 traffic. A simple Linksys router can give you this information. Take the addresses given and plug them into the URL bar in your browser to see if there is any unexpected traffic. Don't trust a possibly owned machine. Go upstream and look at the traffic. Most routers will log some incoming and outgoing traffic. Check it once in a while. Your machine might be clean, but the kids may have problems. The kids are at school so all recent traffic is mine. If my wife's desktop was spewing traffic, I would see the traffic from another machine's IP address.

      And yes, that is my real IP address for today. I'm glad media sentry isn't in the list. ;-)
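The upstream check described in the comments above (watch the router, not the possibly owned box, and treat any port 25 traffic that is not going to your own mail relay as a red flag), as an added example that is not part of the original thread. It parses the three-column "source destination service" lines a Linksys-style router log produces, flags LAN hosts talking SMTP to anything other than an approved relay, builds a per-host port profile, and diffs the router's view of one host against what that host's own TCPView-style connection list admits to, which is the rootkit-hiding mismatch a couple of posters mention. The service-name-to-port table, the approved relay address, the second LAN host and its flows are all constructed for the example; the 74.x and 66.x addresses are taken from the log quoted above.

```python
"""Upstream egress check for a home LAN (added example, not from the thread).

Assumed log format: "src dst service" per line, as in the router log
quoted above ("192.168.1.81 74.125.47.164 www"). Service names map to
ports through a small table; a numeric third column is taken as a port.
"""
from collections import Counter, defaultdict

# Service names as a consumer router prints them (assumption).
SERVICE_PORTS = {"www": 80, "https": 443, "smtp": 25, "dns": 53, "ntp": 123}

# Mail servers a LAN host may talk to on port 25. Constructed placeholder;
# in real use this is your ISP's relay or your own MTA.
APPROVED_MAIL_SERVERS = {"198.51.100.25"}

# Constructed sample: .81 is a clean host (browsing plus mail via the
# approved relay), .90 is spewing SMTP to three unrelated hosts.
SAMPLE_ROUTER_LOG = """\
192.168.1.81 74.125.47.164 www
192.168.1.81 210.50.7.243 www
192.168.1.81 66.35.250.151 www
192.168.1.81 198.51.100.25 smtp
192.168.1.90 203.0.113.7 smtp
192.168.1.90 203.0.113.8 smtp
192.168.1.90 203.0.113.9 25
192.168.1.90 74.125.47.103 www
garbage line
"""


def parse_log(text):
    """Yield (src, dst, port) for each well-formed line; skip junk lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        src, dst, svc = parts[0], parts[1], parts[2].lower()
        port = SERVICE_PORTS.get(svc)
        if port is None:
            if not svc.isdigit():
                continue
            port = int(svc)
        yield src, dst, port


def rogue_smtp(flows):
    """Port 25 flows to anything but an approved relay, grouped by LAN host."""
    hits = defaultdict(set)
    for src, dst, port in flows:
        if port == 25 and dst not in APPROVED_MAIL_SERVERS:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def port_profile(flows):
    """Per-host count of flows by destination port: the 'what does this
    box normally do' baseline you compare against next week."""
    profile = defaultdict(Counter)
    for src, dst, port in flows:
        profile[src][port] += 1
    return {src: dict(c) for src, c in profile.items()}


def hidden_from_host(flows, host_ip, host_view):
    """Flows the router saw from host_ip that the host's own connection
    listing (a set of (dst, port)) does not report. Anything here is
    traffic the host is lying about, or a stack the host cannot see."""
    seen_upstream = {(dst, port) for src, dst, port in flows if src == host_ip}
    return sorted(seen_upstream - set(host_view))


def report(text):
    flows = list(parse_log(text))
    return {"rogue_smtp": rogue_smtp(flows), "profile": port_profile(flows)}


if __name__ == "__main__":
    result = report(SAMPLE_ROUTER_LOG)
    for host, dsts in result["rogue_smtp"].items():
        print(f"{host}: SMTP to non-approved hosts {dsts}")
    for host, ports in result["profile"].items():
        print(f"{host}: {ports}")
    # Host view constructed: .90 claims it only has a web connection open.
    flows = list(parse_log(SAMPLE_ROUTER_LOG))
    print(hidden_from_host(flows, "192.168.1.90", {("74.125.47.103", 80)}))
```

Run it against a real log by feeding the router's export to `report()`; the comparison in `hidden_from_host` only means something if the host view and the router log cover the same time window, so capture both at once.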
    • Re: (Score:3, Interesting)

      by Reapman ( 740286 )
      Unlike the poster below, I don't believe that installing Linux makes you invincible from this... the only way I feel I can be totally secure is to monitor the network traffic.. if my computer is just sitting there, not running any apps, and there's a ton of traffic leaving my router, I know something is wrong. Not for the faint of heart however, and I'm still looking at how best to put this in place, I'm thinking OpenWRT on a Linksys Router, sending the data back to a server for analysis.

      Sadly there's no wa
    • by dave562 ( 969951 )
      Check the connection monitor on your firewall and make sure that you don't have any outgoing connections that you didn't initiate. The common wisdom is that you can't reliably determine whether or not a machine is infected by checking the machine itself. You need a piece of hardware outside of the machine to check it out with. If you still insist on checking your machine, you can use a program like TCPView from SysInternals to check the status of the ports on your machine. Similar to firewall connection
    • Securing the hardware and firewalling isn't enough. One thing you can do is to monitor traffic, mostly outbound, though I've heard tell that a lot of the newer bots are trying to hide their activity by waiting until the user (in this case you) establishes a connection to the outside world, in this way they are attempting to mask their phone home by riding along with your outbound packets.

      Best way, know your OS, know the processes running and what they are for, know how much memory they should be consuming, t
  • by pembo13 ( 770295 ) on Thursday April 10, 2008 @03:10PM (#23029026) Homepage
    They obviously don't have a problem with tracking down and monitoring people. And they apparently have bandwidth issues. Why don't they basically mail merge to SELECT * FROM `customers` WHERE `customers`.isinfected? Simple, cheap snail mail... nothing fancy.
    • by Himring ( 646324 )
      Because there's no music involved. If you really want your computer analyzed, even brought before people and talked about indepth, then put music files on it. It's especially helpful if you are an unprivileged child and/or handicapped....

    • by Anonymous Coward
      If all ISPs and businesses would simply block egress tcp port 25 for all addresses on their network except approved mail servers, they would stop these botnets in their tracks.

      Of course, the botnets would then be rewritten to try to discover the mail server the PC normally uses and try to use it instead. But if ISPs enforced SMTP authentication to send, it would make it more difficult. Even if the botnets got past all that, it would now be easier to track down exactly who has the infected computer.

      Of cours
      • by Jeremiah Cornelius ( 137 ) * on Thursday April 10, 2008 @04:06PM (#23029712) Homepage Journal
        Bull.

        I have a legitimate right to send SMTP from my machine - and I do so. I also run an SMTP server at home - have since 1993, when I got off of uucp.

        I have never been an open relay, and access is passwd. I already have assholes at AT&T blacklisting me for no reason - and suffering their ridiculous petition process to get off their RBL.

        This is the Internet. A collection of networks. ISPs are not cops, nor should they be. When you mandate this on common carriers, they become something else - and any slim protections we still have remaining will be long gone.
        • Re: (Score:2, Insightful)

          by Anonymous Coward
          There has to be some attempt at control. Obviously too much control is a bad thing, but no control is just as bad. Anarchy doesn't work as a government, why would it work on the internet?

          I do not agree with blocking port 25 traffic and only allowing designated SMTP servers, but I do believe it is the ISP's and the end user's responsibility to make sure infected machines are handled in a quick and effective manner. The ISP should monitor their network for this type of activity and contact the end user so that
    • by jimicus ( 737525 )
      Probably because they don't want customers to start thinking "This internet is more trouble than it's worth - I'm going to cancel it".

      And it's rather hard to charge a monthly fee if you've cut the customer off.
      • Re: (Score:3, Interesting)

        by Opportunist ( 166417 )
        And that's pretty much what's wrong here. Especially if that customer is on a metered link (which is not too unheard of in many parts of Europe). He actually pays for the spam he sends! Hello? Why'd I cut off one of my best customers!

        You can't even sensibly put something like that into law. How? What do you have to do to secure your machine? How are you supposed to be responsible for it? What's to be considered "justifiable expense" when it comes to security (i.e. what do you require from a user)? Do you wa
  • by should_be_linear ( 779431 ) on Thursday April 10, 2008 @03:13PM (#23029074)
    God knows I installed on that notebook each and every Anti-Spyware, Antivirus, Anti-everything in order to get rid of it. I traveled each and every "advisory" site with my HijackThis logs, removed numerous keys from the registry. Still, every now and then a goddamn popup window with the site "pc-on-internet.com" appears. I spent altogether perhaps 3 working days trying to remove the stupid thing, there is a lot of data and SW installed so I am trying to avoid re-installation. Now I am in the sitting-in-the-corner-and-crying phase.
    • Make an image of your machine periodically. That way it is quicker and less painful to do a restore than a reinstall.
    • by megaditto ( 982598 ) on Thursday April 10, 2008 @03:33PM (#23029350)
      In your hosts file, point "pc-on-internet.com" to 66.35.250.150, then each time a window pops up treat it as a helpful reminder to take an ergonomic break.
      • In your hosts file, point "pc-on-internet.com" to 66.35.250.150, then each time a window pops up treat it as a helpful reminder to take an ergonomic break.

        I know it was a joke, but you hit on a good thing to try: a HOSTS file [mvps.org] that could block many of these things from getting out.
    • by symbolset ( 646467 ) on Thursday April 10, 2008 @03:38PM (#23029386) Journal

      Once you know the PC is compromised you cannot get it back to a known good state. The best you can hope for with the various utilities is to get it workable enough to offload your data, build your recovery media and record your settings. You're actually better off removing the hdd to an external enclosure and installing fresh on a new one. You could then scan the removable device before carefully recovering the data from it. The worst possible thing you could do is eliminate the visible problems and pretend that means you have a good PC on which to do work.

      What is pwned cannot be unpwned. Reinstall. Somewhere in my journal may be some helpful instructions for getting the reinstall done without becoming compromised in the process. You're not the first (or the ten thousandth) person here this has happened to.

      Somebody else here will have suggested you try Linux by now, or Apple. There are no Linux or Apple botnets so they don't have this problem. They do have security vulnerabilities too, but compromising one of them is a retail, rather than a wholesale, endeavor and so less fruitful for the botmasters.

      • by oni ( 41625 )
        The worst possible thing you could do is eliminate the visible problems and pretend that means you have a good PC on which to do work.

        This is *so* true. You know what, I once saw a system administrator respond to a known compromise (discovered by the presence of drop-site files) by "deleting the files the hacker uploaded and installing all windows patches"

        There are just so many things wrong with that sentence that I don't even know where to start. "How did the hackers get in?" "I'm not sure, but I delete
    • I spent altogether perhaps 3 working days trying to remove stupid thing

      Those programs are so complex, so woven into the fabric of Windows, I've never seen a repair work. You have to reformat the drive... not just reformat, but blow away the partitions and recreate them, then reinstall Windows, plus scan the data files recovered with Knoppix.

      Even then I won't warranty it. The hackers you're up against today are organized, professional programmers making big $$$ who do this for a living, not some 15 ye

    • by v1 ( 525388 )
      I went to that URL and followed the link and it seems to give you an EXE to uninstall their malware. But then are you that brave? ;) I'm on a Mac so that whole process was a lot less worrisome. I can send you the EXE if you like.

    • by jandrese ( 485 )
      My wife's laptop got the same thing. I'd clear out all of the spyware and stuff that was found, but after a couple of days it would be reinstalled. Clearly the machine was rooted and whoever it was used the rootkit to install that crap. The only way to get rid of it was to reinstall Windows (and not a lame "repair", but a full on reinstall).
    • Still, every now and then goddamn popup window with site "pc-on-internet.com" appears. I spent altogether perhaps 3 working days trying to remove stupid thing,

      So why did you leave it with a connection? The first thing I do with a rogue PC is block its MAC address at the router, then work on it. When it's fixed, or I think it's fixed, I turn on the address and monitor the router log for unexpected traffic. Unexpected port 25 traffic from that machine gets it shut back down for a more robust fix including a refor
    • by dave562 ( 969951 )
      The unfortunate reality with PC infections is that once your box is compromised you need to pave and rebuild the thing. Backup your data (not the executables) and format the box. Install decent AV software next time and use a secure browser (either IE7 or Firefox) and you will be fine.
  • Hmmm.... (Score:5, Funny)

    by Otter ( 3800 ) on Thursday April 10, 2008 @03:14PM (#23029094) Journal
    Stewart and others at SecureWorks believe Damballa has simply rebranded the older Bobax, which has several other nicknames besides Kraken, including "Bobic," "Oderoor," "Cotmonger" and "Hacktool.Spammer."

    Be that as it may, "Kraken" is a superb name (as is "Damballa" itself). "Bobic", "Oderoor" and "Bobax" sound like open-source CMSs. "Cotmonger" sounds like a word Bart Simpson would use when suddenly breaking into an unfunny Cockney accent for no reason.

  • by TheRealMindChild ( 743925 ) on Thursday April 10, 2008 @03:17PM (#23029136) Homepage Journal
    I had a botnet once... didn't catch very many bots, but I got a shitload of dolphins :(
  • by Animats ( 122034 ) on Thursday April 10, 2008 @03:22PM (#23029204) Homepage

    The industry is going at this all wrong. There are only a few players left, and they're all crooks. We need a consortium of companies with spam problems to hire Kroll [kroll.com], Blackwater [blackwaterusa.com], or one of the other big international security companies to deal with the people behind the problem.

    If 5% of the money spent on dealing with spam went into finding the people behind it and making them go away, the problem would go away.

    • Re: (Score:3, Interesting)

      by darkmayo ( 251580 )
      Do we really know who is in control of these botnets? Would love to see some spammers eat bullets but i'd like to know the ones with power are the ones that get neutralized.
    • Hate the Sin, But Not the Sinner

      Seriously though, if you manage to stop these top spammers, then before you say, "Good riddance," new players will take up their space. If there's opportunity in this space, people will keep coming. There's no way you can get rid of spammers by stopping a handful of people .. however big they are in the spamming world.
  • Simple answer... (Score:3, Informative)

    by Gordonjcp ( 186804 ) on Thursday April 10, 2008 @03:38PM (#23029390) Homepage
    I just block everything incoming on port 25 from IP blocks in the US, apart from a (very small) handful of whitelisted servers.
  • Why? (Score:3, Interesting)

    by oni ( 41625 ) on Thursday April 10, 2008 @03:49PM (#23029518) Homepage
    WHO IS CLICKING ON THE LINKS IN THESE EMAILS?

    Why does spam work? Who are these stupid people and why do they click? Also, if you get 80 spam a day for the same fake product, why would you pick one at random and say, "der, I think I'll go buy this!"

    Can someone please tell me why?

    I wish some news reporter would send out a billion spam but then, instead of taking money from the people who click, contact them and do an interview. I want to know who these people are and what the hell they are thinking.
    • by Hatta ( 162192 )
      The world is filled with extremely stupid people. Something like 30% of people still approve of the job GWB is doing for instance.
    • Re:Why? (Score:5, Insightful)

      by v1 ( 525388 ) on Thursday April 10, 2008 @04:14PM (#23029772) Homepage Journal
      If it costs you $500 to rent a chunk of botnet bandwidth for a few days, it blasts out 1,000,000 of your spam. 25,000 of them survive all the layers of filtering (2.5%) and are viewed. 1000 of those (4%) get their link clicked on. 100 of those people (10%) actually buy the product, netting you $15 each, for a total of $1,500 in untaxable income. That's $1,000 total profit for your 30 minutes of work.

      So of that 1,000,000 spam you sent, only 100 had to be actually bought for you to turn a big buck. (1-100th of 1%)

      Do the math, that's why it works. Spam works due to cheap volume. Anything works if you can have cheap volume.

    • by Lumpy ( 12016 )
      The Average IQ in the world is 100.

      that means 50% of the people out there have LESS THAN 100 IQ. That makes it very very possible that 1 in 3 people you meet are near or below 90IQ and 80IQ is considered barely functional.

  • by rabtech ( 223758 ) on Thursday April 10, 2008 @03:53PM (#23029572) Homepage
    Regardless of platform, most users

    1) Run as root, administrator, or some other super-trusted user account and completely disregard security
    2) Open anything they receive in email. I've even had some users do a Save-As giving the file the correct extension to be runnable!

    These are a result of fundamental flaws in the design of Windows, Unix, et al. Most operating systems assume that all programs should have the ability to do whatever the user can do. In other words, programs are as trusted as the user account they run under.

    Given people's experiences with OS X's admin dialogs or Vista's UAC, I'm not sure changing this assumption will lead to more security either. Most users, when presented with a dialog box, will immediately press whatever button is required to dismiss the dialog without reading it.

    Even if the default is cancel, the first time they hit "naked ladies.jpg.exe", get a warning, and dismiss it they'll just figure they did something wrong and open it again, choosing the other option this time.

    I'm not sure what the solution is.
    • by Shados ( 741919 )
      The only real solution is

      A) Having users that don't need to be able to do everything run in a sandbox. And I don't mean like running as a normal user in Unix, but seriously a sandbox, with extremely limited privileges, appliance-style.

      B) Education, education, and more education (good luck with that one, but it's the only solution). Even if tomorrow everyone switched to super locked down Linux boxes, it won't help. Users will figure out a way to recompile their kernels (even grandma) to run the attachment.
  • Botnets-spam (Score:3, Interesting)

    by gmuslera ( 3436 ) on Thursday April 10, 2008 @04:02PM (#23029672) Homepage Journal
    There is a good chart mapping current botnets and spam at the Marshal TRACE center [marshal.com] (updated frequently afaik). That over 80% of all internet spam comes from botnets (and almost 50% of it just from Srizbi) is a good sample of the impact of this kind of spam source.
  • Gotta love how these articles always say "a million machines" rather than the clearer and more accurate "a million microsoft windows PCs"...
  • So, each of those million machines sends out 100,000 messages per day on average. Thus, if you require any machine that sends out over, say, 10,000 messages per day to be registered, and to be held to a minimum standard of security (machines not registered would be kicked off the network as soon as they reached 10,001 messages in a single day, and would not be allowed back on until registered and secured), the spam problem would be reduced by around 90%, at least from these botnets.
    Okay, so it would requir
  • In the last two months I have seen a huge increase of spam from distributed locations around the world and I get it in bursts at irregular times. The new junk is the backscatter spam that they send to other people, existing or not, and the resultant rejections, if they don't exist, get bounced to us. I think that burst of spam is bot controllers telling their slaves to send out spam simultaneously, thus the resulting spam burst on my system.
    If someone can find the most of bot controllers and then "cleans" t
  • by John Sokol ( 109591 ) on Thursday April 10, 2008 @06:58PM (#23031226) Homepage Journal


    A friend of mine is investigating an interesting approach to spam.

    From this article it's quite clear that chasing the source of the spam is quite pointless.

    His research is into tracking the destination.

    Spam only makes sense if they can make some money from it. This means the payload (content) must lead
    someplace with a URL to order, a URL with ads, or a phone number for orders.

    His blog is at:
    http://spamdirect.blogspot.com/ [blogspot.com]

    I have to push him to post some of the more interesting stuff he has discussed in E-Mails with me.

    One very odd note.
    My domain unmailable.com gets no spam!
    Without any filters, and with addresses even posted publicly, there is just no spam to it.
    I think they must remove any mail reference to unmailable assuming it must not be a real domain.
