Spam levels are about to skyrocket


ubu
02-02-2005, 04:17 PM
This was posted in an email discussion group I am part of so I thought I would pass this on...


Jamie

Spam levels are about to skyrocket

According to the SpamHaus Project--a U.K.-based antispam compiler of
blacklists that block 8 billion messages a day--a new piece of malicious
software has been created that takes over a PC. This "zombie" computer is
then used to send spam via the mail server of that PC's Internet service
provider. This means the junk mail appears to come from the ISP, making it
very hard for an antispam blacklist to block it.

http://news.zdnet.com/2102-1009_22-5560664.html?tag=printthis

TVB
02-02-2005, 05:06 PM
Don't the spammers understand that if they kill email, they'll all go broke?

Snarpy
02-02-2005, 05:28 PM
Previously, zombie PCs have been used as mail servers themselves, sending spam e-mails directly to recipients.

Could someone explain this to me? I didn't think my computer could act as a mail server....if it can, why don't people use their own computers as mail servers? :umm:

And I thought when I was tracking down some viruses I was being sent a year ago, the emails were being sent using the ISP's mail server... :umm:

Snarpy

Bruce
02-02-2005, 05:45 PM
Could someone explain this to me? I didn't think my computer could act as a mail server....if it can, why don't people use their own computers as mail servers?

There are two sides to being a mail "server" -- sending and receiving, with receiving being the harder of the two. To send, all the trojan needs to do is open up a net connection to port 25 of the victim and send data. Most viruses today include software to do this built in, it can be done in a few hundred bytes.

Juan G
02-02-2005, 06:01 PM
There is some hope...

The Mercury News (Feb. 02, 2005):
"Spam fighter has a Honey Pot of an idea"
http://www.mercurynews.com/mld/mercurynews/news/columnists/10794536.htm?1c

Google News (to read the MN article without registering, and others related):
http://news.google.com/news?hl=en&lr=&c2coff=1&tab=wn&ie=UTF-8&q=spam+honey+pot&btnG=Search+News
http://news.google.com/news?hl=en&lr=&c2coff=1&tab=wn&ie=UTF-8&q=spam+honeypot&btnG=Search+News

Project Honey Pot: Distributed Spam Harvester Tracking Network
http://www.projecthoneypot.org

Deb
02-02-2005, 06:47 PM
Project Honey Pot: Distributed Spam Harvester Tracking Network
http://www.projecthoneypot.org

Everybody read what Juan said now.....

Come on... these infant projects need your help to grow up....

He said:

Project Honey Pot: Distributed Spam Harvester Tracking Network
http://www.projecthoneypot.org

Just to be sure you heard him correctly I'll quote it again

Project Honey Pot: Distributed Spam Harvester Tracking Network
http://www.projecthoneypot.org

Deb
- Babysteps

Kevin
02-02-2005, 06:58 PM
Could someone explain this to me? I didn't think my computer could act as a mail server....if it can, why don't people use their own computers as mail servers? :umm:
Actually, I do run my own email server on a PC at home (in my closet actually) ;)
Like Bruce said, it is receiving email that is the hard part. If YOU can send email from your PC then a virus/trojan/worm probably can too. Sending email makes you a client, receiving it makes you a server.

You are correct about the fact that most people can't run an email server on their PC. In order to do it you would need:
1. Control of the DNS for your domain name (or at least control of the MX records)
2. An always on computer (or people sending you email will get soft bounces while you are down)
3. Email server software like qmail.
4. TCP port 25 open TO you instead of just from you. Many ISPs probably block this. Some even block it both ways which is why FutureQuest offers the port 1025 alternative.
5. A static IP address. You can probably get by without this one using dynamic DNS but I wouldn't count on it. In almost all cases you will have to pay extra money to your ISP for this part. :(

--
Kevin

Snarpy
02-02-2005, 07:24 PM
I like the idea of installing a trap. I'd like to do more though, and donate an MX Record.

Trying to think how to donate an MX Record to Project HoneyPot on FQ, all I can think of is to buy a domain, get an IRO, and order an MX Record Change. Will that work? Is there another way?

I poked around in my GoDaddy account looking for a way to do something with this, and found something called Domain Hosts. It says Domain hosts are not required unless, for example, you intend to set up your own DNS server. We recommend that you DO NOT use this tool unless you have a thorough understanding of this process. Well, that's not me. But maybe this tool would allow me to donate a subdomain to Project Honeypot?

Snarpy

Andilinks
02-02-2005, 08:58 PM
Sending email makes you a client, receiving it makes you a server.

I'm sorry, that sounds backwards. Aren't these being used interchangeably here?

Andi

cindik
02-02-2005, 09:06 PM
I'm sorry, that sounds backwards. Aren't these being used interchangeably here?

Andi

Not for SMTP.


SMTP clients send mail. SMTP servers receive mail.


POP clients request mail. POP servers deliver mail.

Andilinks
02-02-2005, 09:16 PM
Oh I see. Thank you. :)

Snarpy
02-02-2005, 09:37 PM
Well, I understand the SMTP and POP stuff better now....but I still don't get the point of the article Jamie posted. Maybe an explanation of how the two different types of zombies work that included header examples would help. But if no one is so inclined, that's OK. It isn't that important that I understand...I'm just curious.

Snarpy

cindik
02-02-2005, 09:52 PM
As I see it, the difference is:

"Old" Outlook worm: Uses Outlook to send e-mail through accounts set up in Outlook.

"Old" zombie spam trojan: uses built-in SMTP "servette" to send through other SMTP relays to recipients all over the world.

New zombie spam trojan: uses built-in SMTP client to connect to ISP's SMTP server and spam other users on that same ISP.
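
Snarpy asked above for header examples of the two zombie styles; what follows is an added example, not code from the thread or from Project Honey Pot, that classifies constructed Received: headers the way a recipient's MX would see them. The host names, IPs and the dynamic-range list are all made up for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample headers (not from the thread), documentation IPs only:
# 198.51.100.0/24 plays the ISP's residential pool, 203.0.113.5 its outbound MTA.
OLD_ZOMBIE = (
    "Received: from dsl-23.isp.example (unknown [198.51.100.23])\n"
    "\tby mx.recipient.example with SMTP id 1A; Wed, 2 Feb 2005 16:00:00 -0800\n"
)
NEW_ZOMBIE = (
    "Received: from smtp-out.isp.example (smtp-out.isp.example [203.0.113.5])\n"
    "\tby mx.recipient.example with ESMTP id 2B; Wed, 2 Feb 2005 16:00:05 -0800\n"
    "Received: from dsl-23.isp.example (dsl-23.isp.example [198.51.100.23])\n"
    "\tby smtp-out.isp.example with SMTP id 9Z; Wed, 2 Feb 2005 16:00:04 -0800\n"
)
# Constructed stand-in for a published dynamic-range list; load a real one in practice.
DYNAMIC_RANGES = [ip_network("198.51.100.0/24")]
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(headers):
    """Join folded header lines (continuations start with whitespace)."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines

def received_ips(headers):
    """Connecting IP of each Received: hop, newest (recipient-side) hop first."""
    ips = []
    for line in unfold(headers):
        if line.lower().startswith("received:"):
            m = IP_IN_BRACKETS.search(line)
            if m:
                ips.append(ip_address(m.group(1)))
    return ips

def classify(headers):
    """Where the message entered the mail system, as the recipient's MX sees it."""
    hops = received_ips(headers)
    if not hops:
        return "no-received-headers"
    dyn = [any(ip in net for net in DYNAMIC_RANGES) for ip in hops]
    if dyn[0]:  # the MX talked straight to a residential host: old-style zombie,
        return "direct-from-dynamic"  # which a dynamic-range DNSBL rejects at connect
    if any(dyn[1:]):  # connecting host is the ISP's own MTA; origin is one hop upstream
        return "relayed-via-isp-mta"
    return "no-dynamic-hop"
```

The second case is the one the article describes: the only IP a connect-time blacklist can see is the ISP's legitimate mail server, so the residential origin has to be found in the upstream hop or in the ISP's own submission logs.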

Bruce
02-02-2005, 11:01 PM
I'm sorry, that sounds backwards. Aren't these being used interchangeably here?

In the context of which one is client, which one is server, the most important thing to look at is what service is being offered. In the case of SMTP, the service is receiving (and potentially forwarding) email.

This often causes confusion with the XWindow system, as the "server" consists of the display and input devices, and the "clients" are programs. It all makes (at least a little) more sense when you consider that the service being offered is access to the display (and all that goes with it, like rendering etc).

Snarpy
02-02-2005, 11:42 PM
Cindi, I don't think that's it. It is not staying within the ISP's network.

ISPs in the United States may have already been hit. "We've seen a surge in spam coming from major ISPs. Now all of the ISPs are having large amounts of spam going out from their mail servers," Linford said.

This will cause serious problems for the e-mail infrastructure, as it is impractical to block mail with domain names from large ISPs. :dunno: But

Earthlink, which runs a dial-up and broadband service, said it noticed a gradual increase in spam volume coming from its legitimate mail servers since the beginning of 2004.

Well, that's not as new as I was thinking. I thought they meant in the last month or so.

I read some of the comments on the article. Here's an interesting one:

Most of the big fat-pipe ISP's (like SBC)have implemented programs designed to block outgoing SMTP "port 25" requests (meaning that you have to use their SMTP servers to send Email from their network), so the spamming industry had to modify their attack - their zombies could no longer spam via the services of the inept Web server owners/operators.

and

We got hit by this almost 2 years ago now. Our machines are impervious to this type of attack now. Did not take much to do it either, just got rid of all ASP hosting, use only strictly LINUX machines, and blocked all normal port access.

Snarpy

BUT DOESN'T ANYONE WANT TO TALK ABOUT HONEYPOTS?

Andilinks
02-02-2005, 11:48 PM
It all makes (at least a little) more sense when you consider that the service being offered is access to the display (and all that goes with it, like rendering etc).

Hmmm... it still sounds confusing enough that even if you have a complete grasp of the concept you must always be alert to the possibility that others may be misusing it. I'll be more careful, thank you Bruce. :)

TVB
02-03-2005, 01:34 AM
I want some honey too, Snarpy.

I installed the honeypot, but can't figure out where the proper way to link to it is.

Betsy

Jeff
02-03-2005, 02:05 AM
I chose perl for the format yet it gave me a zip file containing a .cfm executable - maybe I'll wait a while and then try again for a perl version???

The "perl" .cfm file they generated for me begins with #!/usr/bin/perl but errors out with perl hpmail.cgi
Bareword found where operator expected at hpmail.cgi line 124, near ""READ" FILE"
(Missing operator before FILE?)
Bareword found where operator expected at hpmail.cgi line 124, near ""#getBaseTemplatePath()#" VARIABLE"
(Missing operator before VARIABLE?)
Bareword found where operator expected at hpmail.cgi line 129, near ""http://#__REQUEST_HOST##__REQUEST_SCRIPT#" method"
(Missing operator before method?)
Bareword found where operator expected at hpmail.cgi line 129, near ""POST" port"
(Missing operator before port?)
Bareword found where operator expected at hpmail.cgi line 131, near ""FORMFIELD" name"
(Missing operator before name?)
Bareword found where operator expected at hpmail.cgi line 131, near ""tag2" value"
(Missing operator before value?)
Bareword found where operator expected at hpmail.cgi line 133, near ""FORMFIELD" name"
(Missing operator before name?)
Bareword found where operator expected at hpmail.cgi line 133, near ""tag4" value"
(Missing operator before value?)
String found where operator expected at hpmail.cgi line 133, near "]",""
(Missing operator before ","?)
String found where operator expected at hpmail.cgi line 133, near "","",""
(Missing operator before ","?)
Bareword found where operator expected at hpmail.cgi line 133, near "","ALL"
(Missing operator before ALL?)
String found where operator expected at hpmail.cgi line 133, near "ALL")))#""
Bareword found where operator expected at hpmail.cgi line 135, near ""FORMFIELD" name"
(Missing operator before name?)
and so on :blah:

Is a perl version available that doesn't require coldfusion? (note this is for a domain not on FutureQuest)

gtc
02-03-2005, 02:07 AM
Can we donate an MX to the project?

Donating An MX Record (http://www.projecthoneypot.org/faq.php#d)

gtc
02-03-2005, 02:12 AM
I want some honey too, Snarpy.

I installed the honeypot, but can't figure out where the proper way to link to it is.

Betsy

When I signed up, the last page (after confirming the CGI was up and running) gave me a list of about 15 different ways to add the link to my site (all invisible to "human" browsers).

TVB
02-03-2005, 02:39 AM
hmmm, maybe I did something wrong. I did the install part and when I went to the page got the acknowledgement it was installed properly but no linking instructions. I went back to it and got an error saying something was wrong with the install. I'll give it another shot.

betsy

Andilinks
02-03-2005, 06:07 AM
This means the junk mail appears to come from the ISP, making it
very hard for an antispam blacklist to block it.

Wouldn't this be very easy for the ISP itself to block internally, once this traffic flow begins? Will responsible ISPs stand still for this for very long when "ISP" is not really that large a universe and they are already very keen on the topic of spam? Just a thought.

Who better than ISP's to understand and cope with this?

Andi

dan
02-03-2005, 11:25 AM
I chose perl for the format yet it gave me a zip file containing a .cfm executable - maybe I'll wait a while and then try again for a perl version???

The "perl" .cfm file they generated for me begins with #!/usr/bin/perl but errors out with perl hpmail.cgi
Bareword found where operator expected at hpmail.cgi line 124, near ""READ" FILE"
(Missing operator before FILE?)

I got the same thing you did and I'm on FQ. Loaded it in ASCII, ran the troubleshooting stuff in the CNC, still get that error. :dunno:

I think I'll wait a while also.

gtc
02-03-2005, 12:55 PM
I got the same thing you did and I'm on FQ. Loaded it in ASCII, ran the troubleshooting stuff in the CNC, still get that error. :dunno:

I think I'll wait a while also.

I used the PHP version and it seems to work.

Randall
02-03-2005, 09:41 PM
Wouldn't this be very easy for the ISP itself to block internally, once this traffic flow begins?

That was my first reaction, but I can think of two reasons why it might not matter.

1. Spam volume per machine may be too low to attract attention.
2. To quote the SpamHaus guy, "ISPs have so much spam--they are too understaffed to call people up and tell them they have Trojans on their machines. And no one would know what you're talking about." I don't think the Earthlinks of the world are ready to start quarantining their paying customers. Yet.

We're doomed.

Randall
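
Randall's first reason, that per-machine volume is too low to notice, is exactly the case an ISP's outbound-MTA monitoring has to handle. The following is an added example, not from the thread or any ISP's tooling, run over a constructed submission log; the log format, hosts, addresses and thresholds are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample of an ISP outbound-MTA submission log (not from the thread):
# "minute client_ip sender recipient". Infected hosts each submit only a few
# messages, but to unrelated domains and with a rotating From address.
LOG = """\
0 198.51.100.23 bob@isp.example alice@partner.example
1 198.51.100.23 bob@isp.example bob@partner.example
2 198.51.100.41 fred@isp.example pal@home.example
3 198.51.100.77 a1@isp.example x@one.example
3 198.51.100.77 a2@isp.example y@two.example
4 198.51.100.77 a3@isp.example z@three.example
4 198.51.100.88 b1@isp.example q@four.example
5 198.51.100.88 b2@isp.example r@five.example
5 198.51.100.88 b3@isp.example s@six.example
"""

def parse(log):
    """Rows of (minute, client_ip, sender, recipient_domain)."""
    rows = []
    for line in log.splitlines():
        minute, ip, sender, rcpt = line.split()
        rows.append((int(minute), ip, sender, rcpt.split("@")[1]))
    return rows

def per_client(rows, max_domains=2, max_senders=1):
    """Flag clients that spray many domains or rotate their From address,
    even when their absolute message count is tiny."""
    stats = defaultdict(lambda: {"msgs": 0, "domains": set(), "senders": set()})
    for _, ip, sender, domain in rows:
        s = stats[ip]
        s["msgs"] += 1
        s["domains"].add(domain)
        s["senders"].add(sender)
    return sorted(ip for ip, s in stats.items()
                  if len(s["domains"]) > max_domains or len(s["senders"]) > max_senders)

def pool_spike(rows, baseline_per_minute):
    """Minutes where the whole residential pool exceeds its usual send rate:
    many low-volume hosts add up even when no single one stands out."""
    per_min = defaultdict(int)
    for minute, *_ in rows:
        per_min[minute] += 1
    return [m for m, n in sorted(per_min.items()) if n > baseline_per_minute]
```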

Andilinks
02-04-2005, 12:26 AM
We're doomed.

No, but email may be doomed. What about password protected or targeted rss feeds? If I have regular correspondents I can simply subscribe to a particular channel of their feed, it could be 'one to one' or 'one to many.' Initiating new contacts anonymously would be the only difficult task, which is what we want--no spam.

Andi

Andilinks
02-05-2005, 04:28 PM
A counter-argument here:

http://www.broadbandreports.com/shownews/59886

Spamhaus's Steve Linford predicted an e-mail armageddon earlier this week, thanks to the advent of more sophisticated trojans capable of spewing spam via the infected machine's mail server. Other security experts have been quick to correct Linford, claiming that while a problem, there are technical solutions already in place to easily handle the change in tactics. A comment thread follows.

Andi