
Infected Windows PCs Now Source Of 80% Of Spam

twitter writes "The Register is reporting a study by Sandvine.com that blames Microsoft Zombies for 80% of all spam. The study goes on to claim that 90% filtering is not effective given the unprecedented volume and that sophisticated trojans are able to drop spam directly on end user's computers despite current efforts. Just another cost of supporting Microsoft, I suppose."
  • by p_millipede ( 714918 ) on Tuesday June 08, 2004 @07:55AM (#9364290)
    My last Linux install was Fedora Core 2 Test 3. I've decided that I don't like Fedora 2 based on it and am going to be putting Mandrake 10 on it soon, but one thing I noticed during install was a security configuration dialog with "Enable Firewall" already checked. At least one distro has it enabled by default. I'd guess Red Hat does too (since Fedora is pretty much Red Hat anyway), and probably most of the other large distros do.
  • by Anonymous Coward on Tuesday June 08, 2004 @07:56AM (#9364294)
    One way to fight back against zombies is to submit your data to DShield [dshield.org]. They will correlate it and notify ISPs of the worst offenders.


    (Plus, the dshield mailing list is right now talking about using all that data to set up a DNS blacklist).

  • Re:An Idea (Score:4, Informative)

    by kidlinux ( 2550 ) <duke@@@spacebox...net> on Tuesday June 08, 2004 @08:00AM (#9364322) Homepage
    Most blacklist services these days list all dynamic IPs for most Internet Service Providers. I get an occasional bounced email because my server is on one of those IPs. Annoying as hell. But at least I can add those kinds of hosts to my transport map and have email destined for them routed through my ISP's mail server.
  • by rohanl ( 152781 ) on Tuesday June 08, 2004 @08:11AM (#9364393)
    There was an interview [onlamp.com] with the pf developers a while back. One of the interesting features is filtering based on source OS type.
    The firewall can look at packets and determine which operating system they came from by looking at those differences. ... The integration into the firewall allows the administrator to filter or redirect connections based on the operating system of the client. ... Find email worms annoying? Block mail that came directly from Windows machines instead of going through a UNIX mail server.
    Imagine if ISPs all started implementing this. This could make a huge difference to the amount of virus/worm generated spam.
  • by beat.bolli ( 126492 ) <.me+slash. .at. .drbeat.li.> on Tuesday June 08, 2004 @08:19AM (#9364451) Homepage
    And the next generation of zombie programs will do a simple DNS lookup for the mailserver of the current domain and start sending spam through the ISP's mailserver.

    Fortunately, this will not help, because most (bigger) ISPs have separate servers for incoming and outgoing mail, and there are no DNS entries for outgoing mail!

  • by Atrax ( 249401 ) on Tuesday June 08, 2004 @08:27AM (#9364509) Homepage Journal
    > Why is WindowsXP still vulnerable to the same
    > viruses that Windows95 was?

    Hate to say it, but it's because Windows XP-generation and its apps still have the same objective as Windows 95 and its apps did.

    Functionality first, security second, internet be damned

    Win95 was a pre-internet age OS. yes, the internet was around, but the vast majority of machines with 95 installed were not connected, or were connected on crappy slow modems at best. Windows XP's ethos has simply failed to keep up with the progress in internet connectivity.

    Now, some users have kept up - I could run a 95 machine as securely as an XP machine right now, but the market has grown out of proportion to the average computing knowledge of the market, partly as a result of the simplicity and availability of windows. Unfortunately, the default configuration, until Windows Server 2003, has not had internet security in mind.

    A non-net connected, or well firewalled, XP machine is pretty safe, just as a 95 machine is.

  • by LuckyStarr ( 12445 ) on Tuesday June 08, 2004 @08:29AM (#9364529)
    Use greylisting [puremagic.com]. I recently implemented it on a large mailserver with modifications I found on the postfix-users mailing-list. Sorry but I do not remember who posted it. Here is how it works [wikipedia.org].

    My current (modified) strategy is: Only greylist IPs which are
    • listed in a DNSBL(***) of your choice or
    • contain several digits in their resolving hostname which would indicate a dial-up host.
    (***) I use l2.spews.dnsbl.sorbs.net and cbl.abuseat.org. I would never reject any mail with these DNSBLs as the false-positives are too high, but for greylisting they work perfectly.

    This keeps the number of false-positives low and is really effective, as only suspicious hosts (dialup, dnsbled) are checked.

    I am very satisfied by the results. The number of mails in the deferred queue dropped from ~15k to ~600, the system load dropped from 2 to 0.5 despite the additional checking and database lookups done. My system sends ~3-5 mails/second and rejects/defers 10-15 mails/second.

    Greylisting implementations for your favourite MTA [puremagic.com] are already available. You only have to use them.
  • by stoborrobots ( 577882 ) on Tuesday June 08, 2004 @08:37AM (#9364588)
    Actually, the real story goes that with months left before shipping Win 95, Gates decided that "The Internet" was the killer app. So the entire company turned on the spot and integrated "The Internet" into the OS.

    Going from a non-networked, single-user OS to the hyperconnected Internet client that Win 95 was supposed to be in just a few months must have been difficult... Probably not a lot of time for all those paradigms to be re-thought...

  • by Eggplant62 ( 120514 ) on Tuesday June 08, 2004 @08:49AM (#9364682)
    The reason I believe it is Internet Explorer is that I have seen a machine that is behind 2 different firewalls (one of which is a very well configured PIX) get molested. It wasn't used for e-mail, no P2P programs for downloading and nothing else was used except the browser. I am SURE some people were browsing dodgy websites on that machine. So far, it is the only PC on that IP segment that has been infected so it wasn't from another machine.


    I'm seeing nothing but and I'm making damned fine cash on the side taking care of friends and strangers alike who come to me with their computer problems. Install Adaware, Spybot S&D, Spywareblaster, Mozilla, ClamWinAV, OpenOffice, set the home page in IE to http://windowsupdate.microsoft.com (as it's the only relatively safe website accessible by Internet Exploder), and move the user's email to Mozilla mail. If it weren't for Active-Exploit scripting, we wouldn't have these problems.
  • by spacefight ( 577141 ) on Tuesday June 08, 2004 @08:51AM (#9364694)
    If your IP shows up in the header at the correct place, you're most likely the real sender of the mail. If you find only your address as Return-path: and/or From:, then someone else (virus, spammer) is just abusing your address and you get all the bounces.
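    The check described in this comment, as an added example that is not part of the original post: walk the Received: headers of a bounced message to find the originating relay, and compare it with the From:/Return-Path: addresses. If your own IP is the originating relay, the message really left your host; if only your address appears in the sender fields, it is a forgery and the bounce is backscatter. The two sample messages and all IPs are constructed for the example.

```python
import email
import re

# Matches the bracketed IP literal an MTA records in a Received: header.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_chain(raw: str) -> list:
    """IPs from the Received: headers, top (nearest to us) to bottom (originating relay)."""
    msg = email.message_from_string(raw)
    ips = []
    for rcvd in msg.get_all("Received", []):
        ips.extend(IP_RE.findall(rcvd))
    return ips


def classify_bounce(raw: str, my_ip: str, my_domain: str) -> str:
    """Decide whether a bounced message was really sent from my_ip or just forged with my domain."""
    msg = email.message_from_string(raw)
    chain = relay_chain(raw)
    originating = chain[-1] if chain else None  # last Received: header was added first
    sender_fields = (msg.get("From", "") + " " + msg.get("Return-Path", "")).lower()
    if originating == my_ip:
        return "sent-from-my-host"
    if "@" + my_domain.lower() in sender_fields:
        return "forged-sender"  # someone else is abusing the address; expect backscatter
    return "unrelated"


# Constructed sample 1: a zombie on 203.0.113.77 forged alice@example.org as sender.
FORGED = "\n".join([
    "Return-Path: <alice@example.org>",
    "Received: from mail.example-bulk.test ([203.0.113.77]) by mx.victim.test; Tue, 8 Jun 2004 08:51:00 +0000",
    "From: alice@example.org",
    "To: bob@victim.test",
    "Subject: hi",
    "",
    "body",
])

# Constructed sample 2: genuinely sent from 192.0.2.10, then relayed once.
GENUINE = "\n".join([
    "Return-Path: <alice@example.org>",
    "Received: from mx1.example.org ([192.0.2.5]) by mx.victim.test; Tue, 8 Jun 2004 08:52:00 +0000",
    "Received: from alice-pc ([192.0.2.10]) by mx1.example.org; Tue, 8 Jun 2004 08:51:30 +0000",
    "From: alice@example.org",
    "To: bob@victim.test",
    "Subject: hi",
    "",
    "body",
])

if __name__ == "__main__":
    print(classify_bounce(FORGED, "192.0.2.10", "example.org"))
    print(classify_bounce(GENUINE, "192.0.2.10", "example.org"))
```

    The bottom-most Received: header is the only one the sending side could not have removed, which is why the check keys on it rather than on From: or Return-Path:, both of which the sender fills in freely.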
  • Re:Not really (Score:1, Informative)

    by Anonymous Coward on Tuesday June 08, 2004 @08:53AM (#9364713)
    > It's a pity I can't d/l the latest service packs

    Sure you can. Go check Microsoft's web page and download the "network" install copy of the service pack. It'll be well over 100 megs and contains everything you need to install a service pack without internet access.
  • by Anonymous Coward on Tuesday June 08, 2004 @08:54AM (#9364719)
    It's not always the admin's fault for poor user education. The place where I currently work has tried to get HR to add a basic 5 minute bit to their mandatory "employee orientation" session for about 6 years now never mind actually trying to train existing employees. HR hasn't budged once from their firm "No." We even tried to get them to just hand out a laminated sheet during orientation as a part of their standard package. "No" again.

    Politically IT here is just a sub-group of one of the bigger groups, not one of the major players. This 3000 employee organization does some of the most 'interesting' stuff as a result of this setup that I've ever seen.

    Ironically other, far more draconian, efforts at stamping out viruses, spam, and whatnot get support from on high ... just as long as we don't have to teach them anything.
  • Re:Yes and (Score:3, Informative)

    by etymxris ( 121288 ) on Tuesday June 08, 2004 @08:58AM (#9364752)
    Is it really so hard to believe that spammers would prefer hiding behind infected machines? There certainly isn't a lack of infected machines to use. Just look at shady sites like this [fastproxylist.com] if you need some convincing.
  • Re:An Idea (Score:2, Informative)

    by sourcehunter ( 233036 ) on Tuesday June 08, 2004 @09:06AM (#9364827) Homepage
    1) checkout Postmaster.aol.com [aol.com] for a way to whitelist yourself, cleanup reverse DNS, etc.

    OR

    2) Route your email through your ISP's mail server

    One of my customers had this problem. We went through the steps on aol's postmaster.info site. They can now send email to AOL.

    Another customer of mine had this problem, we ended up having to forward their mail through their ISP's mail server.

    I don't see the problem.

  • by sabernet ( 751826 ) on Tuesday June 08, 2004 @09:15AM (#9364914) Homepage
    I must interject here. Although I do agree that blocking port 25 will definitely help filter out dumb users sending spam, it has a side effect. My ISP limits outbound attachments to 7 megs and does not allow the sending of zip files (so I use rar). I work in animation. That really sucks, trying to get my contractor to open up an IRC or MSN client to send files out. "Freedom" has nothing to do with it. It's "functionality".
  • by JCMay ( 158033 ) <JeffMayNO@SPAMearthlink.net> on Tuesday June 08, 2004 @09:44AM (#9365180) Homepage
    Ever heard of FTP? How about web hosting your anims somewhere and mailing your clients/contractors a link?
  • ...if Windows users would start using Firefox or something with some real protection on it.

    For example back at home my dad and sister both have their own computers. Both of these computers are constantly just clogged with so much ad/spyware that they are a chore to use. After formatting them both and reinstalling Windows XP I decided to install Firefox for them to use as their browser. It's been several months since then and both computers are FAIRLY free of all malware. There is still some but it is a major improvement.

    Anybody on a Windows machine plagued with stuff needs to drop Internet Explorer unless they can manage to avoid going to sites that are notorious for infecting your computer with stuff.
  • by Cytotoxic ( 245301 ) on Tuesday June 08, 2004 @09:53AM (#9365282)
    I can offer confirming evidence of the unprecedented volume of spam. Last summer my spam had reached levels of 6,000 per month. During the fall and winter the spam activity dropped by over 50%, but the respite ended about 60 days ago. I am currently looking at just shy of 9,000 spam messages per month in my inbox. Yikes! Fortunately, I have spambayes... so I only have to touch 5-10 messages in my "possible spam" folder each day. It's not as onerous as it sounds, since I only see about 1 non-spam per week in my possible spam folder, so it only takes a couple of seconds to look for something I recognize and nuke the rest.

    Of course, that doesn't do anything about all the bandwidth and server resources that are wasted handling all of that spam.
  • TMDA (Score:3, Informative)

    by TheSync ( 5291 ) on Tuesday June 08, 2004 @09:56AM (#9365302) Journal
    For personal use, I am still a big fan of Tagged Message Delivery Agent [tmda.net] which I use mainly for its challenge-response and auto-whitelisting functionality. I don't get any spam, and this on an email address that has been on a popular public website for years.

    Of course, TMDA is probably not what you want to use for a business, but for personal use it is great!
  • by tonyray ( 215820 ) on Tuesday June 08, 2004 @10:28AM (#9365705)
    Two points: (1) the story never mentions Microsoft and (2) it says filters are 90% effective, not ineffective.

    As an ISP our biggest OS problem is Linux. Proportionally it causes far more problems than Microsoft. Why? Because Linux users sit around saying "poor MS user" and don't even know they've been hacked. And the majority have been hacked. If you say "Oh, that can't be" then you've just joined the crowd :P
  • by Anonymous Coward on Tuesday June 08, 2004 @10:41AM (#9365882)
    Use Postfix 2.1 and configure it to use two different smtp daemons on two different ip addresses, one internal and one external. Configure header_checks (and maybe body_checks too) to filter email coming in from the external ip address and discard emails with forged sender addresses purporting to be coming from your own domain(s). Postfix 2.1 allows you to have these filters on the external network interface, but not on the internal one.

    See This Postfix HOWTO [postfix.org] for more info.

  • by thogard ( 43403 ) on Tuesday June 08, 2004 @11:44AM (#9366698) Homepage
    no, lots of vlans and things like workstation 22 being on 192.168.22.22 with a netmask of 255.255.255.0 and an eth0:22 ip address of 192.168.22.233 on the samba box.

    Except I no longer use 192.168.*.* since that seems to be built in to every virus on the planet.
  • I believe this! (Score:1, Informative)

    by Anonymous Coward on Tuesday June 08, 2004 @12:26PM (#9367239)
    After my day IT job I do freelance work at people's homes. Without fail every single machine I have worked on has some relay program for spam on it. I clean the machines up and tell users how to check things out and keep their machines safe. What usually follows is a blank stare or a polite nod. The average user has no clue and needs to be hand guided or automatically protected. Unless this is done I don't see things getting better.
  • by mabu ( 178417 ) on Tuesday June 08, 2004 @01:06PM (#9367739)
    This "study" is dubious at best IMO. They don't show any details on how they came up with the statistic of 80% spam originating from zombie PCs. They just declare this as if it were factual. While I agree that the percentage of spam coming from hijacked broadband PCs is definitely increasing, I think their figures are not accurate.

    Based on my own statistics, which I've begun compiling over the last year, the source of spam and amount has remained fairly consistent. In terms of the number of spam messages, the lion's share of spam continues to originate from APNIC address space (China, Korea, etc.) -- now whether or not these systems are zombies, I don't know but I am more inclined to believe that they're not. There are spammers who have made arrangements with some ISPs overseas who seem to be able to rotate their source IP in a very large chunk of address space.

    I see at least 40% of spam coming from APNIC blocks and other assorted International spam havens. The second largest chunk of spam sources seem to be: Southwest Bell, TDE, SBC and others -- these likely include a combination of zombie PCs and ISP deals.

    Now I'd buy the 80% figure IF you cut out the Chinese and Korean sources, and maybe most ISPs these days are now blocking big chunks of class B space in lieu of the signal-to-noise ratio they're generating. Then it makes sense, but this "study" is no "study" - it's more like a press release without any substance.

    It doesn't take a rocket scientist to recognize that zombie PCs are becoming more of a force in the spam industry. And why is that? It's because ISPs are starting to blacklist IP space -- it has NOTHING to do with content-based filtering (which I keep saying is a waste of time). So yeah, we can expect more DUL PCs to be compromised, but based on my analysis of my own logs, there has not been the radical shift in spam sources that the article implies.
  • Re:That does it! (Score:1, Informative)

    by Anonymous Coward on Tuesday June 08, 2004 @01:17PM (#9367851)
    > 4) Don't give your friends your email address


    Then really why do I have an email addy in the first place?


    I use Sneakemail [sneakemail.com]. I keep my real e-mail secret and make up "fake" addresses to give out. If I start getting spam, I know where it comes from and I can delete that address and re-issue a new one.
  • by Anonymous Coward on Tuesday June 08, 2004 @01:46PM (#9368210)
    Grow the hell up and spend some time away from Slashdot--it's turned you into a raving, frothing fanboy zealot who lashes out in any way possible to defend the penis size of his religion/operating system.
    Says someone who at last count has eight posts in this story alone.
  • by bass2496 ( 597243 ) on Tuesday June 08, 2004 @08:19PM (#9372453)
    In most cases, the patch for the exploit is released a month or so before the virus comes out. I've never been infected on my Windows box because I keep it up to date. It's still a case of users being stupid and not updating their software (which can easily happen with Unix-based OSes.)
