From: "Matt Kettler" <[EMAIL PROTECTED]>
At 03:56 PM 12/17/2005, Pollywog wrote:
On 12/17/2005 07:19 pm, Matt Kettler wrote:
> Spammers of any decent sophistication have rather extensive networks of
> zombies at their disposal that they can co-ordinate.
>
> Does this surprise you at all?
> Yes, because spammers are stupid and I had not seen this sort of
> distributed spamming before.
It is a gross and dangerous error to regard spammers as stupid. Sure, some
of them are stupid, but not all are. There's plenty of evidence that much
of our spam comes from highly organized, somewhat sophisticated,
multi-person, multi-national spam gangs. To underestimate one's enemy is a
grave error.
Large-scale spammers are working together with virus writers. Virus
writers are installing backdoors that they can harvest and sell to
spammers as mail relay bot-nets. Spammers are using these in performing
very massive-scale dictionary scans.
I'm also fairly sure that the cycle comes full circle, and every time they
find a valid address they kick off a few mail worms to it hoping to pick
up a new bot. Virus begets spam begets more viruses.
This is also not the only sign we've seen of well-organized spam
outfits. It's quite obvious spammers analyze anti-spam tools, including
spamassassin, for weaknesses. Take the infamous bug 1589 that was
exploited by spammers forging multiple different email clients to gain
hefty negative scores.
Also take the current heavy exploitation of Geocities. This isn't just
some idiot setting up a couple pages on uk/de/br.geocities.com, they're
using rapidly adapting automated scripts to bombard geocities with these.
They're probably using their botnets to create the registrations, which is
why it looks like just a bunch of users from all over the place to
geocities. If it was all coming from a few IP's it'd be easy for them to
stem it.
These guys aren't geniuses, but the top spammers are certainly more clever
than most people think. We often assume their moral handicaps must have
matching mental ones. That underestimation is one weapon the spammers, and
other sociopaths, have on their side.
Um, they aren't? Some of them know more about how things work than
the people who designed them. Kuvayev uses interesting side effects
on DNS behavior to work some of his nastiness, for example. It takes
both persistence and genius to do that kind of work. I can respect
his level of competence at the same time I deplore his basic morals
and ethics.
It is rather clever because it can go unnoticed if one does
not examine the system logs carefully and often.
At my site it happens at such a heavy rate it's blatantly obvious.
Dictionary attack probes are about 80% of the connections made to my
mailserver. With that much scanning relative to actual mail delivery the
distributed nature becomes pretty obvious as they're all consecutive in
the mail logs. It's been going on at my site continuously since at least
mid 2004.
A clever mail tool could use the dictionary attack to create a running
score of missed user IDs. Once a threshold is reached, all mail from that
site is quietly dropped over to a tarpit machine where it languishes
for as long as the connection can be tickled into staying up.
{^_-}
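The two ideas above (Matt's observation that unknown-recipient probes dominate the connection log, and jdow's proposal of a running per-client score of missed user IDs that trips a threshold) can be shown with a small log scanner. This is an added example written for this page, not code from anyone in the thread or from SpamAssassin. It assumes Postfix-style smtpd log lines ("connect from host[ip]" and "NOQUEUE: reject: RCPT from host[ip]: 550 ... User unknown"); the sample lines, the hostnames and IPs, and the threshold of 3 are all constructed for illustration. It only decides which clients would be handed to a tarpit; feeding that decision back into the MTA (an access map, a firewall rule, a redirect to a tarpit host) is left out.

```python
"""Score dictionary-attack probes per client from mail logs.

Added example, not part of the original thread. Log format assumed:
Postfix-style smtpd lines. Sample data below is constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Two clients walk an alphabetical
# list of local parts and get "User unknown"; one legitimate peer delivers mail.
SAMPLE_LOG = """\
Dec 17 15:01:02 mx postfix/smtpd[4021]: connect from unknown[198.51.100.7]
Dec 17 15:01:03 mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.example> to=<aaron@example.org> proto=ESMTP helo=<mail>
Dec 17 15:01:03 mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abbey@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.example> to=<abbey@example.org> proto=ESMTP helo=<mail>
Dec 17 15:01:04 mx postfix/smtpd[4021]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abel@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.example> to=<abel@example.org> proto=ESMTP helo=<mail>
Dec 17 15:01:05 mx postfix/smtpd[4021]: disconnect from unknown[198.51.100.7]
Dec 17 15:01:20 mx postfix/smtpd[4022]: connect from unknown[203.0.113.9]
Dec 17 15:01:21 mx postfix/smtpd[4022]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <abner@example.org>: Recipient address rejected: User unknown in local recipient table; from=<y@spam.example> to=<abner@example.org> proto=ESMTP helo=<mail>
Dec 17 15:01:22 mx postfix/smtpd[4022]: disconnect from unknown[203.0.113.9]
Dec 17 15:02:00 mx postfix/smtpd[4023]: connect from mail.example.net[192.0.2.10]
Dec 17 15:02:01 mx postfix/smtpd[4023]: 3F2A1B: client=mail.example.net[192.0.2.10]
Dec 17 15:02:02 mx postfix/smtpd[4023]: disconnect from mail.example.net[192.0.2.10]
Dec 17 15:02:30 mx postfix/smtpd[4024]: connect from unknown[198.51.100.7]
Dec 17 15:02:31 mx postfix/smtpd[4024]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 550 5.1.1 <abraham@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.example> to=<abraham@example.org> proto=ESMTP helo=<mail>
Dec 17 15:02:32 mx postfix/smtpd[4024]: disconnect from unknown[198.51.100.7]
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# \b keeps "disconnect from" from matching as a connect.
CONNECT_RE = re.compile(r"\bconnect from \S+\[" + IPV4 + r"\]")
UNKNOWN_RE = re.compile(
    r"reject: RCPT from \S+\[" + IPV4 + r"\]: 550 \S+ <([^>]+)>:.*User unknown"
)


def parse_log(text):
    """Return (connections, probes).

    connections: Counter of SMTP connects per client IP.
    probes: dict client IP -> list of recipient addresses rejected as unknown,
            in log order (so a dictionary walk stays visible).
    """
    connections = Counter()
    probes = defaultdict(list)
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connections[m.group(1)] += 1
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            probes[m.group(1)].append(m.group(2))
    return connections, dict(probes)


def running_scores(probes):
    """The 'running score of missed user IDs': distinct unknown recipients
    each client has tried so far. Counting distinct addresses means a client
    retrying one typo'd address does not accumulate a score."""
    return {ip: len(set(addrs)) for ip, addrs in probes.items()}


def clients_to_tarpit(scores, threshold):
    """Clients whose score has reached the threshold (sorted for stable output)."""
    return sorted(ip for ip, n in scores.items() if n >= threshold)


def probe_fraction(connections, probes):
    """Share of all connections that came from clients seen probing.
    This is the 'probes vs. real mail' ratio the thread talks about."""
    total = sum(connections.values())
    if total == 0:
        return 0.0
    probing = sum(n for ip, n in connections.items() if ip in probes)
    return probing / total


def looks_like_dictionary(addrs):
    """Heuristic: a probe list whose local parts arrive in non-decreasing
    alphabetical order is the signature of a word-list walk."""
    local_parts = [a.split("@", 1)[0].lower() for a in addrs]
    return len(local_parts) >= 2 and local_parts == sorted(local_parts)


if __name__ == "__main__":
    conns, probes = parse_log(SAMPLE_LOG)
    scores = running_scores(probes)
    print("probing share of connections: %.0f%%" % (100 * probe_fraction(conns, probes)))
    for ip in clients_to_tarpit(scores, threshold=3):
        print("tarpit candidate %s: %d unknown users, dictionary walk: %s"
              % (ip, scores[ip], looks_like_dictionary(probes[ip])))
```

The threshold is a policy knob: set it too low and a correspondent who mistypes an address twice gets tarpitted; set it too high and a slow, widely distributed scan (one probe per bot, as the thread describes) never trips it on any single IP, which is exactly why the distributed form is hard to stop at the per-client level.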