A significant rise in the global volume of spam in the past two months has security analysts worried that bot nets are increasingly being used by spammers to stymie network defenses erected to curtail bulk email.
Estimates of the magnitude of the increase in junk email vary, but experts agree that an uncommon surge in spam is occurring. On the low side, Symantec, the owner of SecurityFocus, has found that average spam volume has increased almost 30 percent for its 35,000 clients in the last two months. Others have seen much more significant jumps: Spam black list maintainer Total Quality Management Cubed has seen a 450 percent increase in spam in two months, and the amount of spam filtered out every week by security software maker Sunbelt Software has more than tripled compared to six months ago.
Two weeks ago I noticed an increase of the spam creeping through my filters
and landing up in my various in boxes.
I use SpamPal on all of my PC's on my network at home and I recommend it to every person I meet.
As a long term user of SpamCop I also recommend signing up and reporting ALL the spam that people get. You can get a free reporting account and although it will not necessarily mean a decrease in the amount of spam you get, it could help reduce the amount of spam others get. I say not necessary because (1) you may be put on a gray list by spammers if they find out your are reporting your spam (and trust me, they do), or (2) until such time as every user subscribes to submitting spam to RBL's, there will always be spam creeping through
But back to the increase. On my main machine I have SpamPal configured to
use every possible blacklist and still the spam was getting through 'untagged'.
(Spampal is set up to identify spam and tag it rather than delete it. When
it reaches my mail client (Thunderbird or MS
Outlook), it is then filtered in the junk folder. Thunderbird also has
the ability to 'trust' the spampal headers that are applied to detected spam
and will automatically 'junk' that mail.
When was first born of first became a problem, it most likely originated from
a number of servers rented by a spammer and based in a country such as China
where they didn't care who was paying for what providing they paid. There was
a proliferation of machines responsible for sending out masses of spam to users
througout the world. When people first started fighting spam, this made it
easy since all you had to do was block a single IP, or block a range of known
addresses used for sending spam.
This is when the spammers started getting clever. Number one, they were paying for these servers in countries like China and depsite the profits, when they realised they could could get the service for free, it was a no brainer. By searching for and using email servers that were not protected they could send their mails using those servers. (Open Relays are one method they use). But this again has a drawback when it comes to detection because there are only so maany Open Relays and once a list of these is compiled, users can block those servers.
Using a low number of email servers to send spam could mean that a single
addition to an RBL would mean that the spam run would not be very effective.
For example, using a single email server to send 10,000,000 emails is not very effective if that email server is placed on an RBL
The ultimate aim of the spammer is to use a large number of mail servers to send his spam.
For example, using 10,000,000 email servers to send one spam each is highly effective. If would be difficult to have an RBL with 10,000,000 entries within it. And even if such a list existed, the amount of processing power required to scan a list of 10,000,000 entries would be far too consuming and mostly not be effective.
In the figures above, 10,000,000 computers used to send 1 email each was
a figure used to prove the point. But that could become a reality
There are so many Open Relays in the world and as network administrators tighten these down, it becomes harder for the spammers to find them.
There are still the 'average Joe User' types who set up their own dedicated servers or even an email server running on their home network and don't configure it properly leading to it being used as an Open Relay. But these too are reducing as ISP's close down or restrict access to what services home users can use. Likewise, network adminstrators are paying attention to the reports of nadly configured servers and terminating the accounts of those who end up getting their networks blocked becaue of mis-use by a spammer.
There will always be the network or country who turns a blind eye to the spammer, but this leads to easy identification and blocking of the servers.
So where will the spammer get his 10,000,000 computers from to use as mail servers?
Simple. Your computer.
We have all heard of viruses and trojans (if you haven't then you should be
A virus by definition now is something that does damage to your computer.
A trojan is something that resides on your computer and has the potential to do something that you are not aware of, whether that be damaging or simply logging all of your online bank details for example.
A Bot Net is a collection of computers that have had software installed on it without the knowledge of the user.
Bot Nets can be used for any number of purposes. Hosting websites, attacking other computers with DOS (Denial Of Service Attacks), finding other computers to install trojans (or make them into Bot Net clients) and amongst many other users, they can also be used to send email.
A computer that is part of a Bot Net is often linked to a controller. The controller can instruct the Bot Net to go to another computer and download more software depending on the usage required by the Bot Net controller. If the Bot Net controller recieves an order to send out a million emails, then he tells his Bot's to fetch the email application (if not already on the infected or 'owned' PC). He then tells the Bot where to get it's list of recipients to send the emails to. It behaves like a distributed email server.
So now rather than rely on a small number of email servers, or known vulnerable email servers, the spammer has the resources available to use a massive number of email servers to send a few of his emails. If a percentage of his Bot's become listed on RBL's, he loses a small percentage of his spam output.
By using someones home computer, they are unlikely to notice a few emails being sent out per hour. The spammer isn't going to give the game away by sending massive amounts of data that would be noticed by the user. It may even be clever enough to learn when you use it, and when you don't. It will use your bandwidth when you are not.
Without starting a Microsoft bashing war, since Windows based PC's are the
most predominant used in the home, and we all know the hype surround the vulnerability
with various Microsoft Operating systems, the fact remains that these computers
form the bulk of most of the Bot's that exist today.
There are a number of techniques that the Bot Net controllers will use to get the Bot Net application installed on your PC. From Viruses to Trojans in emails, to using exploits in the Operating system, exploits in Web Browser's, they hav many ways of getting them into your PC.
By looking at the IP addresses of the spam that has been getting through my
filters, there is a large increase from residential IP's.
In english, this means an increase from home users.
They will still have to employ other techniques since most home users on broadband use ADSL connections which can be easily detected.
Simarly, many home users are on Dynamic IP addresses, (ie. you get a new address each time you reset your PC/Router), and these too can be easily detected and used to form a blacklist. But the fact is, over 90% of the spam that has evaded my filtering in the past two weeks has most likely come from PC's part of a massive Bot Net.
Some will say the quick answer is to switch to Linux (or any *nix based OS)
and ditch Microsoft Windows. We all know that isn't going to happen for whatever
But you must ensure that you have a decent firewall enabled either on your PC or at your Router and ideally both.
Keep your Anti-Virus up to date.
Keep your Anti-Spyware up to date.
Right now, my personal choice for my home PC's is AVG by Grisoft.
They have had one of the better Anti-Virus solutions for a long time and send out regular updates.
Ewido was one of the better Anti-Spyware tools out there and made even better when Grisoft recently purchased them. So at the moment AVG Anti-Spyware is just Ewido with Grisoft markings, but is still the same great product underneath.
What is more, you can get both products for free and continue to use them for free after the 30day evaluation period expires. You lose some functionality, and may have to do some actions manually, (such as perform an update to get the latest definitions with AVG Spyware), but that isn't too much hassle when you consider the effectiveness of the products.
That said, I don't mind paying a subscription for something that I consider worthwhile which is why I subscribe to both AVG products.
But in singing the praises of AVG, I also use two other services just to be on the safe side. For viruses I use an online service VirusTotal. This allows me to submit files for instant verification by uploading them to VirusTotal it checks them against a number of AVG vendors. If it's a virus it will detect it.
I also use the Opensource SpyBot - Search and Destroy. The User Interface is not as user friendly as some others, but its detection and cleaning rate are up there with the best. It also has some useful tools and helps protect your browsers from known vulnerabilities.
That information is in addition to the standard good practice of not opening mail from people you don't know, not clicking sites that you don't know etc etc etc.
Posted by Chris Wright at November 3, 2006 2:03 AM
TrackBack URL for this entry: