Another Worm Targets Anti-Spam Sites 538
kevinvee writes "Yahoo! is reporting about the next battle of Spam Houses versus Spamhauses. This time, its W32/Mimail-L receiving the attention. "It's the third Mimail variation to come after us, except this one is trying to do more," said Steve Linford, founder of The Spamhaus Project. Apparently this reincarnation comes as an attachment offering naked photographs. Once infected, a follow-up e-mail is sent to the user stating that a CD containing child pornography will be delivered to their postal address. "These guys write trojan (viruses), they carry out DDOS attacks and they get their money through selling stolen credit cards and spamming," Linford said."
baseball bat (Score:5, Insightful)
Yeah... (Score:4, Insightful)
Yeah... apparently, people are still STUPID enough to open these things. Does ANYONE out there still beleive you can get "100% free porn, just click here!" from some sleezy, unsolicited email that just redirects you to a credit card entry, despite the "free"?
I guess so...
Re:Sue the software companies (Score:1, Insightful)
Re:Sue the software companies (Score:3, Insightful)
The fact that when opened this software is allowed to execute code, crawl through the address book, copy itself and send itself out to others is a fault with the system.
I've never had a problem when opening an attachment with Mutt.
Re:They should've known better (Score:3, Insightful)
Re:Yeah... (Score:5, Insightful)
Because, for some people, curiousity is just too strong to resist. They know it can't be true, but they'll click it anyways "just in case". Then they'll call me to ask why their computer is all of a sudden slow, at which point I clean their system and buy a new pair of boots because my old left boot is embedded in their ass...
Re:A new low (Score:5, Insightful)
The spammers are exactly the same as the mafia.
Re:baseball bat (Score:0, Insightful)
Get a life : it's email, it won't kill you.
Just use a decent mailer, some antispam filter and update it.
Why would you just physically hurt somebody ?
"He" may spam you but there is justice, after all, so let it do its job and contact your representative to get this point on top of the next government deliberation list.
Naive users are part of the problem (Score:4, Insightful)
This would scare the living daylights out of my mother if she were infected by this trojan/worm.
I think part of the problem with computer security nowadays is that home users believe that anything is possible. Computers are still far too mysterious to the average user; I'll bet you dimes to dollars many users will think this CD mailing scare is real. Unless email and antivirus vendors do something to educate homes users, what's to stop the next virus from saying "open this attachment or we'll send illegal merchandise to your door?"
Spammers, even benign ones, thrive on the naivety of home users. I still haven't received my cheque from Bill Gates and Walt Disney Jr...
Re:A honeypot credit card for spammers.... (Score:5, Insightful)
Now try to find a team of lawyers that can successfully prosecute such a case in Romania, China or Russia!
These sorts of scams generally do not originate in places like the US or UK.
For once we can't blame software companies. (Score:5, Insightful)
The problem is no matter what we do, we can't prevent our users from shooting themselves in the foot. We rename attachments (.exe becomes _exe). We deny
Then again these users are the same people that would call up the phone company complaining of $600+ phone bills to the Caribbean, etc... When you ask them if they have downloaded any programs that offer free "porn" they get all defensive, etc... A quick look at their computer shows tons of those dialer type apps that are making the equiv of 900 (in the US) type calls over seas, and they don't realize it.
For the record, my users would be the users of the ISP that I admin for...
Get them Spammer Clients (Score:4, Insightful)
The interesting thing is that for Spam to make any sense, it has to get people to pay real money. Thus any profit making Spam will give away a payment trail. So, if I may ask why in the world no authority goes after whoever sells through SPAM ?
Standard answers:
1) They will move offshore
(my reply, yes, but how will they get a payment if not through Visa/Amex/MC or other major intl institution)
2) There will be "false positives"
(I am not so sure about this one. One line of thought is that punishment may be directed to the profit coming from an Spam event, so if innocent sites make money w/out Spam they won't be very hurt. For instance, say spammers send Spam in the name of Amazon.com -- amazon might need to forfeit extra sales attributed to unusual traffic/sales in that period, attributable to the action of Spammers, if they bighugeenlargement.com doesn't have any traffic normally, they should be blown out of the water )
3) Costs of enforcement will be too high
Perhaps. But what are governments for ? If OKOKRIM can worry about persecuting 15 year old computer wizards [slashdot.org], and the DoD can worry about persecuting a 66 year old dictator [iraqi-mission.org], why can't someone go after Mr. Joe Spammer and his clients ?
Re:A new low (Score:5, Insightful)
When you talk about changing the economy of spam, you are talking about creating scarcity with regard to communication by taxing it. I couldn't disagree more with the suggestion that we must restrict communications in order to solve the spam problem. We demand that outfits such as the RIAA learn to adapt in a world where communication is profligate and free. How can we, in good conscience, recommend that communication be restricted in an area where our personal convenience and comfort is concerned, and not in another, where someone's multimillion dollar industry is concerned? If we think freedom of information is a good thing, we must be consistent in that belief.
Too evil? (Score:3, Insightful)
Just something to think about: This article talks about spammers along with references to not only spam, but destruction of anti-spam, virii, pornography, theft, identity theft, and child pornography. The only way they could really make spammers look any worse is if they labeled them as baby rapists.
While it could be true, it's beginning to sound like propaganda, intending to make these guys look more Evil than life. Think about the article's motivation, author, and target audience. Be careful, there may be something more going on than what we see on the surface.
~D http://www.dracosoftware.com [dracosoftware.com]
Re:ISP's need to block egress port 25!! (Score:3, Insightful)
Re:They should've known better (Score:3, Insightful)
Somebody else's bad for modding your original post "+1 Insightful" :-)
Re:A new low (Score:3, Insightful)
Re:Revenge? (Score:3, Insightful)
the ISP doesn't know what it will be used for. The site only has to stay live for a few days for the spammers to make money. By the time the ISP
has twigged and shut it down the spammers haved moved onto the next ISP to sucker.
Re:Yes, us victims deserve all the blame. (Score:3, Insightful)
Never give money to someone who initiates contact with you.
I've had the ACLU call me on the phone. I am 99% sure that they are legitimately from the ACLU, but I won't give them a single digit of my credit card, because THEY CALLED ME.
I kindly informed them that I would go to their (secure) website and make a donation. Of course the person calling me doesn't get their commission or whatever, but I'm following the rule.
Re:A new low (Score:5, Insightful)
The problem of spam is not caused by the freedom of email, any more than murder is caused by the availability of knives and other weapons. It is too easy for technically-minded people to see spam as a technical problem, which is to be solved by replacing the existing mail system with something more restrictive. However, the spam problem is not spontaneously generated by the mail system, just as knives do not go around murdering people. Spamming, like murder, is a human action that certain humans choose to engage in.
It is, of course, useful to use technology to make harmful actions more difficult. Locking up valuables makes theft more difficult; hiring bodyguards makes assassinations more difficult. However, we do not pretend that technology should make theft or murder impossible, or that the world should be transformed into a padded cell so that everyone is technologically prevented from doing anything wrong. Instead we deter and punish crime through education and law enforcement. Technology can reduce the likelihood and impact of harmful human actions, but we cannot use it as a replacement for social responses.
Regardless of whether particular legislatures have passed laws which specifically address spam, we recognize spamming as a lawless and criminal endeavor. Spammers co-opt the property of others against the will of the property owners. (Note that this is worse than simply using that property without permission.) Just as gangs protect their core unlawful enterprises with further crimes such as murdering rivals and bribing police, spammers have come to use cracking, viruses, and DDoS to protect their core activity. Structurally, spam is just like other sorts of lawless action which we see as the proper jurisdiction of law enforcement rather than technological kludgery.
There is no shortage of evidence, gathered from public sources and fully admissible in court, that particular spammers are engaged in criminal actions such as the above. Contrary to common belief, these spammers are not in "third-world nations"; they are in Western nations such as the USA, Canada, and the UK -- nations which have broadly functional legal systems, and nations whose Internet users are the chief recipients of spam as well. Volunteers have already carefully collected this information in the Registry of Known Spam Operations [spamhaus.org]. What is needed is twofold: (1) Funding for law enforcement to go after the known criminal enterprises; (2) Further litigation by major victims of spam, such as large ISPs, against those who are victimizing them.
Re:Revenge? (Score:4, Insightful)
The problem with that is that most spammers websites are hosted on innocent ISPs machines.
The objective isn't a DOS, it's to salt their data. If 99 out of 100 'orders' are fakes with invalid cc numbers, their transaction costs will go up and their profitability will plummit.
The other alternative is to track them down and burn them alive.
Neither of the above is desirable since mistakes will be made and innocents will be put out of business or killed. The desirable solution is to throw them in jail and fine the hell out of them after they are found guilty in a fair trial. However, vigilante action is the natural consequence when the law fails to take action.
Re:A new low (Score:4, Insightful)
Re:Small tangent... (Score:3, Insightful)
Never. .biz is a good token for my bayesian filter. I guess the sleazy sound must attract spammers like moths to a flame.
I tell you, this is the most compelling argument I've ever heard for a redundant TLD.
Re:Revenge? (Score:4, Insightful)
It's their DATA that's valuable. The data that unsuspecting knuckleheads willingly provide is what they make their money from. Flood their data with garbage so they can't tell the real from the bogus and their entire database becomes effectively useless.
Re:A new low (Score:4, Insightful)
I'd actually go one step further. A Racketeering-Influenced Corrupt Organization.
> The spammers are exactly the same as the mafia.
But on that, I must dissent. The Mafia has a long and storied history of providing everything from illicit booze, prostitution, sports gambling, lotteries with better payouts than the government-run lotteries, duty-free liquor and cigarettes, financial assistance to those with whom banks will not deal, as well as a full range of soft and hard drugs.
Unlike spammers, the mafia provides things that people actually want.
Re:Revenge? (Score:3, Insightful)
I think you've missed the profit model of spam. You need to recognize the difference between the spammer and the merchant. Two different businesses, with two different objectives.
The spammer makes money by selling bulk-email services to merchants. $100 dollars for 1 million emails, that sort of thing.
The merchant spends his money for this advertising, hoping to get the promised 1% (or .1% or whatever) of responses to pay for it.
It's very important to see that the spammer gets his money regardless of whether or not the merchant makes money. The spammer stays in business. As for the merchant? The spammer certainly does not care.
There are hundreds of small businesses started each day by out-of-work ex-employees, drones tired of their McJobs, etc. They each have an idea of how to Get Rich Quick, if only they could get their message out. "I know, I'll hire a spammer!" After using up their advertising budget on spam and getting 0 returns, they fold up and go back to McWork. But another hundred try the same thing tomorrow.
All this project will do is inconvenience and annoy these suckers who were so stupid as to give a spammer their money. While you might consider it their karmic punishment for hiring spammers, you are only giving them more crap to do while they're busy going out of business. But they're going out of business regardless, because they spent their ad budgets on spam instead of a legitimate medium. They aren't going to be repeat spam customers anyway. The spammers' profits don't come from repeat customers. They come from duping this never-ending supply of rubes.
Poisoning the merchants' databases will not adversely affect the spammers, nor do I believe it will slow the tide of spam. If it makes you happy to drive the point home with these stupid merchants, fine, just don't fall into the illusion that it will have much of an effect.
Re:A new low (Score:3, Insightful)
Nice idea, but. The new federal "anti-spam" legislation specifically removes private "right of action" against spammers. That is, victims can't sue. All they can do is complain to the federal government, which can act - or not - in its own way and time. It also pre-empts states from passing anti-spam laws stricter than the Fed's
What more evidence do we need that certain dominant elements among the Majority leadership are in favor of economic rape by any means, of any resource?
Re:Revenge? (Score:3, Insightful)
If hiring a spammer means 0.1% valid responses and 1% invalid responses, then the merchants will eventually catch on and stop hiring the spammers. At some point, this ratio gets so small that it's not worth advertising.
Sure, this may take a some time and some merchants, but eventually it will work its magic.
Re:A new low (Score:2, Insightful)
Clean Air Act and Clear Skys Initiative gives free reign to industry to pollute as much as it wants with no ill consequence.
USA PATRIOT Act is the most unpatriotic and authoritarian piece of legistlation since the Alien Sedition Acts, possibly earlier.
The Medicare Reform hands medicare over to private HMO's and basically sets up Medicare for a crash in a few years.
The Energy Bill that hands over tons of money to the corporations that caused the problem in the first place.
The effort to "free" Afghanistan that basically handed that country over to opium drug lords.
They go into Iraq in part because they may be collecting radioactive material to build nuclear bombs to use on the US, and procede to dump 75 tons of depleted uranium rounds in their country [ericblumrich.com].
They critisize corporate fraud and promise to crack down, then procede to disolve legal and financial protections for whistleblowers. Not to mention many of thier own little financial escapades.
They proclaim to "Leave No Child Behind" (TM) and then procede to slash funding across the board for public education.
They "support the troops" by slashing pay and benefits for active duty and veterans and extending tour durations over and over.
And many many many more.
They make war in order to maintain peace.
They proceed to strip us of all our freedom in the name of protecting it.
They maintain security by controling hiding information.
War is peace.
Freedom is slavery.
Ignorance is strength.
This is no different, and not the least bit surprising.