Infected Windows PCs Now Source Of 80% Of Spam
twitter writes "The Register is reporting a study by Sandvine.com that blames Microsoft Zombies for 80% of all spam. The study goes on to claim that 90% filtering is not effective given the unprecedented volume and that sophisticated trojans are able to drop spam directly on end user's computers despite current efforts. Just another cost of supporting Microsoft, I suppose."
Will only get worse (Score:2, Interesting)
So instead of investing all this time and money (Score:5, Interesting)
Please note the sarcasm in the "unwashed masses" comment before modding me as a troll
An Idea (Score:2, Interesting)
I admit it would be an inconvenience because I run a mail server like that, but it might be worth the pain for less spam.
Re:An Idea (Score:2, Interesting)
training (Score:5, Interesting)
Re:Will only get worse (Score:3, Interesting)
In summary, I'm waiting a few weeks between sp2 coming out and installing it on my PCs just in case.
Unprecedented rates of infection (Score:5, Interesting)
The reason I believe it is Internet Explorer is that I have seen a machine that is behind 2 different firewalls (one of which is a very well configured PIX) get molested. It wasn't used for e-mail, no P2P programs for downloading and nothing else was used except the browser. I am SURE some people were browsing dodgy websites on that machine. So far, it is the only PC on that IP segment that has been infected so it wasn't from another machine.
Anyone else see this out there?
Re:Will only get worse (Score:4, Interesting)
Most people are using the OS that their computer shipped with, whatever HP or Compaq or Dell put on there.
The people who are using a pirated copy more than likely know enough about computers to actually keep a computer clean.
It's the other home users out there, joe blow, who gets his cable modem, his new PC and leaves it on all the time. That's the guy they are referring to in the article. Not someone involved enough to actually track down a pirated copy of XP, get a serial that works, and spend the time upgrading.
Re:An Idea (Score:5, Interesting)
I can't send email to *anyone* at AOL now, despite running an OpenBSD firewalled Linux server for our business. It doesn't even bounce, just disappears into the void. There are *no* Windows worms or spam coming out of my network, but some ass at AOL decided to block the whole ADSL subnet anyway. Nice way to break the Internet guys. And THANKS AOL for replying to my question about it - NOT! The arrogance of IT geeks and uninformed management strikes again. How about thinking a little harder about it, and implementing reverse host checks based on sender address, or rate limiting with temporary blocking - a real email server can cope with that just fine. There are lots of alternatives other than just shutting yourself off from a chunk of the Internet.
On behalf of all responsible MS admins.... (Score:5, Interesting)
We keep our corporate networks nice and clean, we stomp on infections fast, we try to educate our users, we run filters and firewalls, we put in place policies and we try our damndest to prevent this stuff.
But if those users go home to an infected PC, then we've failed. Failed badly. We don't get paid to keep home machines clean, but how much harder would it be to really educate our users? Really?
What can we do? Well, we can impress on our users, as I'm trying to do, that they can suffer real, genuine harm if they don't practice safe computing.
I have this idea. A user doesn't give a crap if they're not harmed directly by a virus. OK, they have a spamming trojan on their machine, do they notice? no, they don't.
So I make sure I tell my users that there are viruses out there which can log their keystrokes and, by inference, steal their credit card number or online banking details or any other personal information.
That makes them wake up. Once there's a chance they might be directly affected in ways other than a slightly slowed down machine, then they start to take notice.
I'd urge every other techie on a Windows network to inform your users in the same way. Make sure they know that viruses aren't just something that affects other people. Then they'll wake up, and everyone else will be better off. Really.
Spam - a double edged sword for ISPs (Score:1, Interesting)
Sounds low to me (Score:5, Interesting)
We get the occasional hit & run spammer who signs up for one of the $9.95/mo services with a prepaid credit card (so we can't effectively fine them) and then spams the heck out of the connection until we cut them off, but 99% of spammer complaints (that aren't due to spamcop being fooled by well crafted headers from brazil, or confused by unpublished relay hosts in our spam filtering cluster) are traced to users who have been with us for some time, who have never given us any trouble, and who have called customer service frequently for fairly basic help with simple internet setup tasks -- usually an account shared by a family with several children, or used by an old lady who just wants to look at pictures of the grandkids on the intarweb gadget. Pretty unlikely spammers.
The accounting department doesn't like it, would prefer to shoot first with a $100 fine and let customers beg for forgiveness later, but I argue constantly that we should give them at least one chance to disinfect their computer. We go ahead and fine 'em if they don't fix their issue within a few days, though, and then accounting makes them prove they are disinfected before giving them their money back.
It's poor customer service, ultimately, but wtf is an isp to do? If we just pestered them with email they'd assume we didn't really mean it, and would never fix their systems.
Re:Is this surprising? (Score:4, Interesting)
Re:Is this surprising? (Score:2, Interesting)
Win98 21%
WinXP 49%
Win2000 18%
WinNT 3%
Mac 4%
Win95 1%
Linux 1%
Other 3%
So "Windows" accounts for 92%.
Anti-Spam Trojan patching (Score:2, Interesting)
Unless, of course we start getting anti-anti-spam trojans - that actually patch Windoze to stop the anti-spam trojan working?!
End users AND ISP's are to blame (Score:2, Interesting)
It's not 80% _OF_ spam (Score:5, Interesting)
"After comparing those data points with the total volume of legitimate messages passing through the service provider's mail system, we are able to arrive at our percentage of 80 per cent",
It's like you'd go to a bar and observe that 80% of women leave with drunken idiots, and thus proclaim that drunken idiots are able to hit 80% of women.
There may be some causality and statistical significance, but it definitely isn't as clear as the article suggests.
Re:Symptom of the (near) mono-culture (Score:5, Interesting)
Re:Unprecedented rates of infection (Score:4, Interesting)
So what we have here is someone writing a virus that can get into a recent windows box that then looks for remote control connections and knows how to exploit them. Then it installs a different program that can scan and install a spam proxy on machines that can access the net and only machines that have net access.
That was about a year ago. MS came out with the patch many months after the box had been owned. After that, I've got a new rule: no PC can talk to anything else except the samba server by default. No PC has any access to the net except through squid. I don't set up default gateways now either. Default PC installs can't even ping anything but the samba/squid box. Too bad SAP Business One is forcing me to break some of this for some clients. Maybe they will port it to Solaris like they said they would.
Oh, our new dev machines are made by apple.
Re:Step One: Follow the money. (Score:5, Interesting)
Various jurisdiction's spam laws vary, but at least in
Even though the evidential burden in a civil case is much less (balance of probabilities/preponderance of the evidence) than in a criminal case (beyond reasonable doubt,) it still proves difficult to tie a spam purporting to advertise, for example, penis pills, to a purveyor of penis pills.
Penis pill guy sends his spam through a few thousand of 'fresh proxies' (spam guy terminology for freshly rooted or virused machines garnered from crackers or vx people), penis spam ends up in inbox with penis pill guy's contact details.
So far so good, but there's no causal link between A and B of any forensic value whatsofuckingever. Correlation is not causation.
I'd be more inclined to see a system which plugs into the MTA somewhere between RCPT TO and DATA, which performs a basic open proxy scan on the originating MTA (similar to what many EFnet servers are doing ATM,) and if the originating MTA fails the test, mail is refused (preferably with a '550 5.1.1 no such user' error as this may help get you off certain lists) and the originating IP is added to some form of distributed blacklist for X hours (i'd suggest 48... long enough to allow ample time for the machine's owner to find out that they have a virus or spam problem and fix it, not really long enough to cause a major problem.)
I'm actually working on building such a system at the moment... Details will be posted to my website when I have some half decent code that runs (instead of making postfix' smtpd dump core.)
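The RCPT-stage check the post describes, as an added example that is not the poster's code: an MTA policy lookup that refuses with the suggested "550 5.1.1" reply when the originating host fails an open-proxy probe, and keeps that IP listed for 48 hours. Assumptions not in the post: the MTA speaks the Postfix access-policy protocol (attribute=value lines ended by a blank line, answered with "action=..."), the probe is an injected callable so everything runs offline, and the list is in-memory rather than distributed.

```python
"""RCPT-stage policy check with a 48-hour temporary blacklist (added example)."""
import time
from typing import Callable, Dict, Optional

BLOCK_SECONDS = 48 * 3600                   # the 48 hours the post suggests
REJECT_ACTION = "550 5.1.1 no such user"    # the reply the post suggests
PASS_ACTION = "DUNNO"                       # Postfix: let later restrictions decide


class TempBlacklist:
    """Maps client IP -> expiry timestamp; entries lapse after the TTL."""

    def __init__(self, ttl: int = BLOCK_SECONDS) -> None:
        self.ttl = ttl
        self._entries: Dict[str, float] = {}

    def add(self, ip: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._entries[ip] = now + self.ttl

    def contains(self, ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        expiry = self._entries.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self._entries[ip]   # window over: owner had time to clean up
            return False
        return True


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request: 'name=value' lines terminated by a blank line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: Dict[str, str], blacklist: TempBlacklist,
           probe_is_open_proxy: Callable[[str], bool],
           now: Optional[float] = None) -> str:
    """Return the policy action for a request; only RCPT-stage requests are judged."""
    if attrs.get("request") != "smtpd_access_policy":
        return PASS_ACTION
    if attrs.get("protocol_state") != "RCPT":
        return PASS_ACTION
    ip = attrs.get("client_address", "")
    if not ip:
        return PASS_ACTION
    if blacklist.contains(ip, now):
        return REJECT_ACTION        # still listed: refuse without re-probing
    if probe_is_open_proxy(ip):     # injected probe stands in for a network check
        blacklist.add(ip, now)
        return REJECT_ACTION
    return PASS_ACTION


def handle(raw: str, blacklist: TempBlacklist,
           probe_is_open_proxy: Callable[[str], bool],
           now: Optional[float] = None) -> str:
    """Wire format of the reply: 'action=<verdict>' followed by a blank line."""
    verdict = decide(parse_policy_request(raw), blacklist, probe_is_open_proxy, now)
    return f"action={verdict}\n\n"


# Constructed sample request (TEST-NET address, not a real host).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=someone@example.com\n"
    "recipient=user@example.org\n"
    "\n"
)

if __name__ == "__main__":
    bl = TempBlacklist()
    # Constructed probe result: pretend 192.0.2.10 answered as an open proxy.
    print(handle(SAMPLE_REQUEST, bl, lambda ip: ip == "192.0.2.10"), end="")
```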
Re:That does it! (Score:5, Interesting)
My point is that you do what you can by...
1) Not giving out real email address in forms
2) Not posting un-obfuscated email address to the web
3) Securely running your OS
But if I follow point 4...
4) Don't give your friends your email address
Then really why do I have an email addy in the first place?
Most of my spam I get are actually those annoying bounce-back messages you get from anti-virus filters. "The email you sent had the virus W32.Blaster" etc etc. The problem is that I run a solely Linux household, so it's probably coming from a virus on someone else's computer.
And for my 2c, Thunderbird's spam filter isn't half bad, if you don't mind the spam hitting your box prior to filtering.
Re:On behalf of all responsible MS admins.... (Score:2, Interesting)
They are however more than happy to bring in their machines, so horribly infested that only a reinstall is advisable, complaining that something is wrong with AOL and could I look at it?
I gave up on them long ago.
Pikes would stop the spam (Score:5, Interesting)
I've had spam show up at new accounts that were only registered, never used. I've even had spam arrive at an email account that was sent before I even created the account!
Then there are the moron spammers who send out group addressed emails (the ones with 20-30 variants on spelling anything at all like your name.)
Anti-spam on the client is not the solution.
Sticking their severed heads on pikes outside ISPs would be far more effective and satisfying.
Or the traffic problem could be justifiably claimed as a result of poor engineering by Microsoft, and make Bill & co. responsible for the resulting expenses.
Or we could just make ISP's responsible for disconnecting any customer who has an infected machine connected. When the machine is cleaned, then they could reconnect, not before.
No, I don't care about people who can't afford to take care of their machine, buy hardware firewalls, virus scanners, etc. I don't care that people driving rust buckets can't afford better cars, either -- get the hazard off the public byways!
I agree. License the computers / users. (Score:1, Interesting)
Re:On behalf of all responsible MS admins.... (Score:1, Interesting)
I agree that 'educating' people is a good idea as a short solution, although it can be hard.
Here's an anecdote: I recently visited a friend and noticed how his browser was hijacked. I told him that he had spyware on his computer and that this could have serious implications. I told him about passwords/CC numbers being stolen.
Well, that sounded pretty bad to him, so he asked me to remove it. There was some pretty annoying shit on his computer because adaware and spybot both couldn't get rid of it. In fact, after running Spybot, his (Windows ME *yuck*) machine wouldn't boot anymore.
You should have heard him. "It was working fine before". "I had no problems". In other words, I fucked up his perfectly fine computer.
Fortunately the problem turned out to be unrelated and was fixed and I finally was able to remove the crap, but it will suffice to say that I will think twice before I volunteer to remove that sort of shit, if that's the kind of attitude you can expect...
Anyways, in the long-term, I don't think this is the solution. Average Joe should not have to worry about this kind of stuff. Can you imagine buying a car and having to service it every day or having to go in for recalls every week?
The matter of fact is that software today is of piss-poor quality. Software is not designed with quality in mind, just features. Sure there are exceptions, but they are few.
The software industry needs to change (and I think it is). We have basically built a house of cards and in all reality it's starting to fall apart. The best proof of this is MS, who even after spending since the beginning of last year with their focus on security have not been able to significantly improve the quality of their OS (and related software).
I can't say if Linux is going to be a lot better. Time will tell when the install base starts to include the Average Joes.
What I can say is that I've seen both MS and Linux source and there's a couple of observations that I made.
- The Linux kernel source seems very consistent.
- The Windows kernel source that I saw was an older version and was not very consistent and had some areas where I'd have serious concerns regarding quality. Newer kernels may be better, I dunno.
- Open Source software that I've seen seems to also vary greatly in quality and this could be a great risk for Linux, as an Operating System (not just the kernel).
Anyways, enough ranting...
Re:Once again, I'll have to disagree with this. (Score:5, Interesting)
If 80% of the users had Red Hat 9 installed, they'd be sending out 80% or more of the spam. RH9's sshd is exploitable out of the box. Heck many distros CDs come with exploitable sshds and often sshd is the service that gets started by default.
The same people who don't patch their windows machines won't patch their linux machines.
In some stupid hacking contest half a year back, there were silly people who picked RH as their O/S, didn't know how to secure it and kept getting rooted. Either they didn't patch sshd or didn't patch OpenSSL.
The spammers won't really care whether there are 100 vulns or 1 vuln in one machine. All they care is how many vulnerable machines there are.
Heck, from my webserver logs I see that at least some spammers are trying to get apache's mod_proxy to send email. They are succeeding for some configs.
Here's a victim:
http://forums.devshed.com/archive/t-9903
Here's another incident
http://cert.uni-stuttgart.de/archive/bu
Re:Unprecedented rates of infection (Score:1, Interesting)
1. I was forced to upgrade to IE 6.0 when I signed up for SBC DSL service. I wasn't given a choice. I had used IE 5.0 for years and had no problems. I didn't keep the SBC DSL line for other reasons, but I saw no reason to backgrade the browser. Within 2 weeks, I was absolutely infested with spyware. Many of them were taken care of by Ad-Aware and Spybot but one particularly insidious variant of CoolWebSearch simply would not go away! It finally caused me to clean the machine down to bedrock and re-install.
2. I just recently cleaned a machine for someone at work. One nasty virus and 184 instances of spyware. I did a little better forensics on this machine (I didn't have the option of just cleaning it and starting over which, believe me, would have been simpler). All, repeat, ALL of the spyware infections occurred after her upgrade to IE 6.0! She was originally running IE 5.5 and upgraded to 6.0. Most of them seemed to have started with a CoolWebsearch variant, 2020Search. This spyware seems to hand the keys over to anyone, allowing installs of a bunch of spyware by anyone that knows about the holes it leaves. The latest version of CWShredder took care of most of it. Explorer (NOT IE) kept crashing whenever the file menu was opened, however. This was finally tracked down to a registry entry by Hotbar that spec'd a filetype more than 50 chars long.
Please note that all security updates were installed, Windows is installed behind a firewall with almost no ports open and the browser was locked down pretty tight (on my machine anyway)! With IE 6.0, it doesn't make any difference!
The CWShredder site has a long history of combating spyware that utilizes holes in IE. Recommended reading for anyone that considers IE to be a "good" browser!
Re:That does it! (Score:3, Interesting)
>>4) Don't give your friends your email address
Here is a semi-interesting tangent.
I gave my wife and one son (both computer illiterates) each an e-mail address.
My wife gave her e-mail address to her sister, but my wife would not write any email (she prefers Long Distance phone calls.... argh!). However her sister emails her things, including some of those stupid 'pass this on to a friend' emails. Still, my wife doesn't even read her own email. After about a month, I found her email address on one of these bulk 'pass it on' messages. Since that time, spammers have inundated her mailbox.
In the meantime, my son has never sent an email, nor has he given out his email address to anyone. As an experiment, I wanted to see if the spammers would find him. So far, they haven't.
So you are right-- if you don't want spam, don't give out your email address.
Actually (Score:2, Interesting)
If you tried deleting everything on your hard drive, you'd get errors from system files that are in use. Windows won't delete them.
In windows, click-to-infect is the norm.
I have a feeling you haven't used a copy of Windows since 1998. Pure FUD.
Backbone traffic volume (Score:3, Interesting)
The problem with front-end client spam filtering is that it does nothing to reduce the backbone traffic volume nor the data volume the email server has to process.
Someone is selling the products. They are illegally using home PC resources via spamnets. I fail to understand why the spammers can't simply be charged with theft, fraud, and locked up accordingly.
Or just shot if they happen to be in a country that permits such penalties. The genepool needs some cleaning...
Re:Once again, I'll have to disagree with this. (Score:2, Interesting)
Hidden filetypes or macros?
I've yet to find a feature of macros in Office that can't be done another way. Sandboxing would be great so that you'd know if it was going outside of the workbook/document. Some little game from someone or something with some calculations should only work within the document. I haven't tried macros in OOo. Can they go out or not?
And hidden filetypes are an "arggghhhh!" for me when I go onto a PC that isn't mine.
Re:Backbone traffic volume (Score:2, Interesting)
The problem is that the spammers are cleverer, more tenacious, more manipulative, have better survival instincts, and are just BETTER than everyone else bleating and whining about spam. Their genes are worth keeping because they are better than yours. They're better than you, they will survive better, have more money, attract better women, and breed better. They are the improvement to the genepool, the future.
What we don't need in the genepool are the genes that promote a clumping of whiners, who do nothing except clump around and whine about things and do nothing except whine. Sort of like what we have here at Slashdot.
What we need to do is remove the other end of the genepool, the slow and stupid bottom-feeders who buy things from the spammers, respond to spam email, and provide the spammers with all the encouragement. Spam return-on-investment will shrink, spammers will then turn their talents to other activities, and maybe the new activities will benefit everyone. Maybe.
Starting a class action against Microsoft (Score:4, Interesting)
So if you're a victim of Microsoft's negligence in making systems that can easily be converted to attack zombies, click here [lieffcabraser.com] to contact that law firm. The most effective victims would be those who run Linux, because they're not subject to Microsoft's EULA. For them, it's a pure negligence issue. A Linux-based ISP or hosting service would be the poster child for such an action. They're being hammered on, they didn't sign any Microsoft EULA, and they're clearly suffering sizable damages due to Microsoft's negligence.
It's time for this to become a major legal issue.
Re:Is this surprising? (Score:2, Interesting)
The problem is when the ISP's SMTP server doesn't behave in the manner you want it to: it's slow, often unreliable, won't accept large attachments, blocks certain file extensions as attachments, and so on. Oh, and it doesn't support SSL/TLS. This isn't just my ISP, nearly every ISP I've used in the last 5 years has had similar limitations. The unfortunate fact seems to be that ISPs provide connections. They're really not very good at providing other services like reliable email servers, webhosts, usenet servers and so on.
Personally I'd be much more comfortable paying the ISP a touch less, not having access to all the "extra" services (50mb webspace, 20 POP3 accounts, usenet, etc.) and get the services I actually need from a professional hosting company. Group a few people together on a user-mode Linux VPS and it only works out at a couple of pounds per person per month.
There's also the whole privacy issue - I don't necessarily want a large corporate entity (my ISP) having access to all the email I sent, when I send it, to whom I send it, etc. etc.. If this article were about anything apart from the unpleasant reality that is junk email, most of the comments here would be bemoaning the invasion of privacy.
is this a case of giving up some freedom (port 25) for some sanity?
My ISP already does this. What I'd encourage (see my earlier post for a fuller explanation) would be a captive portal ISPs could use for customers' machines which are victims of viruses. All it needs to be is a page telling people to sort the mess out, providing a few useful links to online virus scanning sites and so on. The message is more about informing the unsuspecting customer than it is about draconian blocking, etc.
Re:Did you read the story? (Score:3, Interesting)
Having actually worked for a mid-size ISP (~180 000 broadband subscribers when I left three years ago, a little fewer dial-up users than that), and having dealt with roughly 6000 tech support calls in that period (mostly part-time), I call BS: saying that Linux users cause far more problems is pure FUD.
It was not officially supported, but most calls from Linux users ended in about 2 minutes after giving them our DNS servers, mail and smtp servers, and checking if their cable modem was functioning normally on the network. It's a longshot to declare that the majority of your supposed linux users have been hacked too.
OS Finger Printing (Score:2, Interesting)
If the source of 80% of spam is infected PCs could a method of OS finger printing (ala nmap) not be used to identify the offending PC as 95/98/XP and either flag (with an X header) or reject the mail? A test of the source address would do. It's not perfect and firewalls etc would make it a tad unreliable but if you mix this with other tools like spamassassin it just might work.
Just an idea...
Paul
Re:You don't have to open anything to get a virus (Score:3, Interesting)
Re:You don't have to open anything to get a virus (Score:3, Interesting)
I had the misfortune of working as a technician (I know, it's idiotic -- some of us have bills to pay) at Best Buy during that time, and we had to patch every single new machine that was sold off the floor.
Of course, we charged a $25 fee for this service.
And, of course, people bitched that it was a scam, but, hey, we didn't write the virus. And we sure as hell didn't make Windows insecure by default.
Sure enough, people that refused to pay the extra $25 came back a week later, crying that they were infected.
We did some testing (nothing scientific, I assure you) and the fastest we saw a machine get infected was within thirty seconds of being on a dial-up network.
So claiming that Windows is insecure has nothing to do with the stupidity of its users (although that factor does play a role).
You think it's coincidental that Microsoft released a patch CD for free last October? (Which, btw, was FAR TOO LATE to do jack shit about intercepting Blaster's wrath.)
Re:Backbone traffic volume (Score:2, Interesting)
> recognize. How fucking clever is that?
Ah yes, the fallacy that because **you** can't get past your own personal habits, then it must be worthless. The spammers are obviously a lot smarter than you. They see the big picture, they see past their own computer screen, weigh up the odds, organise Internet connections, stay a few jumps ahead of everyone, obtain software and email lists, and spray out billions of emails, hit a small number of targets and make plenty of money out of it. Or they are smart enough to set up the systems that control the millions of zombie boxes out there that pump the email out. Some of the schemes they use are pretty impressive. You're just collateral damage because you can't read a few of the emails in different languages. You might think you're the centre of the universe, but to them you're just a few bits in a vast email list that will bring in the cash.
> the system was designed for honest people
Bullshit. The system was designed without thought of security. Had nothing to do with honesty. Had to do with a major lack of foresight on the SMTP developers. Now that we have experienced the flaws in the system, and flaws that have nothing to do with honesty, it's time to develop a better design.
> Your genes aren't worth a damn, because you
> believe that anyone who is dishonest enough to
> lie about who they are should be able to turn
> a profit on it. Fuck you.
You know, you really need to take a few lessons in comprehension. It might help you understand posts. It would appear that spammers are a lot cleverer than you, even the redneck hick spammers who live in trailers and don't have much clue about what they are doing, other than earning money. Spammers succeed because enough people respond to their spam and channel money to them. I don't care about morality or honesty. I see the results. They make money; you whine impotently in a forum. I don't admire them, but I laugh at you. If you had enough smarts to back up your lame flame, you'd be actively working against the spammers in one way or another. But no, you just accept all the spam thrown at you, what? hundreds a day, allowing the bandwidth of the Internet be clogged just that little bit more, and the best you can come up with is to filter it and then delete it. Is that it? Is that all you can do?
The spammers are as smart as any other American conman businessman. They just fit right in with the boys of Enron and the Savings and Loans boys. They found a way around the system because they are smart enough to do it, and they make money from it. Eventually, their business model will go away and they'll move on to something else. Maybe prison, maybe a mansion. You'll just be sitting at home same as always, frothing impotently about something or other.
My beliefs about who is allowed to earn money and how were not expressed in my original post. You made some typical childish assumptions. I spit on your pathetic assumptions.
Re:Pikes would stop the spam (Score:3, Interesting)
Or we could just make ISP's responsible for disconnecting any customer who has an infected machine connected. When the machine is cleaned, then they could reconnect, not before.
And how does your average user "clean" their machine without a net connection? They can't get to Windows update, they can't get virus updates, they can't find how-to documents on locking down the box until a patch arrives, etc. Even assuming these users had access to a PC on another connection, would they be able to get the patch/data they need and stick it on their own PC? Do they have the knowledge (or the equipment - access to another PC with a CD burner to stick a bunch of patches on, for example) to do so? Would they even know what was wrong? Short of having some app sitting on the user's machine (spyware risks, anyone?) that will pop up a dialog telling them what happened, how would they know?
A perhaps better approach would be to restrict that PC's line to connections to Windows Update, and maybe the ISP's own mirror of the latest virus data. Hell, they could redirect all HTTP connections to a page they host, explaining the problem and what to do about it to get their connection restored to normal.
My biggest gripe.... (Score:3, Interesting)
This is true, but I have been a Windows user for a long time now (I still run Linux on my server) and I haven't had a computer virus in AGES (at LEAST 6-7 years).
Because I have a firewall, I don't use IE or Outlook, and I keep stuff patched.
The point? If you learn more about your computer you can make Windows a lot safer, and I guarantee you it won't take as much learning/suffering as it takes to get started in Linux on the desktop. Not to mention patching my Windows machine is as simple as running Windows Update....my Linux server? Well, depending on what we're talking about it could be as simple as downloading an RPM or, and this is the fun part, updating something from source....either way it's nowhere near as easy as updating Windows....hopefully someday it will be!