Most spam comes from just six botnets

Six botnets are responsible for 85 per cent of all spam, according to an analysis by net security firm Marshal. The Srizbi botnet is reckoned to be the largest single source of spam - accounting for 39 per cent of junk mail messages – followed by the Rustock botnet, responsible for 21 per cent of the spam clogging up users' …


  1. Anonymous Coward

    Stating the bloomin' obvious

    So if we took all the 15-year-old MySpackers, old Dears and everyone in between who's running an unpatched, unprotected OS and beat them into reality... we could rid ourselves of a lot of misplaced penis enlargement offers?

    Seems like a lot of effort......

    Or we could just nuke the Russian Business Network, I'm happy either way.

    Tux, cos penguins don't do spam, tinned or otherwise!

  2. Harry Stottle

    I'm still waiting for an answer

    to a query I posted months ago on a similar Reg story.

    Granted we can't (easily) go after the botnets. But given that most spam is trying to sell something and they obviously need to tell us who to contact in order to conduct the sale, why the hell can't we go after the advertisers who are obviously "authorising" the spam?

  3. Anonymous Coward

    Where's the list of IP addresses?

    Give me a list so that I can check to see if I or a "dear one" are part of the problem. It's probably not me - "linux inside" and all that - but if I recognize an address as near to me, perhaps I can help. Yeah, so there's still lots of dynamic IP addresses on the bigger ISPs. But if an address is from *my* neighborhood, then action can be taken!

  4. EmperorFromage


    @stottle: Easy, because that would make a fake spam-run a formidable DoS weapon.

  5. Ralph B

    @ Harry Stottle

    > why the hell can't we go after the advertisers who are obviously

    > "authorising" the spam?

    I suppose it might be a competitor who is authorising the spamvert on their behalf, in order to make them look bad/damage their reputation.

    But I doubt it.

    And if they can be proved to have accepted orders then I agree, send 'em down.

  6. Gerrit Tijhof

    one word

    "why the hell can't we go after the advertisers who are obviously "authorising" the spam?"



  7. Anonymous Coward

    Nuke them

    Make it legal to remotely destroy the OS on any machine in a botnet. That way if you manage to infiltrate the botnet you can wreck every machine on it.

    Once these idiots have had to reinstall everything a few times they might actually start patching their machines and stop clicking on the "naked Paris Hilton" attachments.

  8. Anonymous Coward

    @AC vigilante

    Shutting down a single host is going to have about the same effect on spam volumes as using a flyswatter against a plague of locusts.

  9. Anonymous Coward

    @@AC vigilante

    If you compromise the botnet you have access to every machine on the botnet and can therefore destroy every OS on every machine on the botnet.

  10. Hany Mustapha

    Why reverse dns a compromised computer

    Part of our anti-spam controls check whether the sending IP address is a server, and the way we do that (amongst others) is seeing if they have a reverse DNS address.

    Many ISPs routinely apply or something similar. That helps our servers think that these are real servers on the other end. Why do ISPs do this and is there any reason why they can't stop this - surely it would help reduce the volume of spam travelling on their networks.

    What am I missing here?

  11. Anonymous Coward

    Self-righteous penguins

    "Tux, cos penguins don't do spam, tinned or otherwise!"

    Tried running p0f (Passive OS Fingerprinting) on your smtp server recently? If so you'll find a fair few obviously compromised Linux systems (usually web servers) pumping out spam too. And no, these are not ISP email smarthosts.

    Sure, the numbers are not in the same league as the BillyOS Botnets, but running Linux does not imply you will never become part of the problem.

  12. Anonymous Coward

    IP Numbers

    The IP numbers would lead to the zombies, not to the control computers. You have some computers that control a large number of compromised computers. The messages emanate from the infected computers, not from the controllers. The IP numbers would lead to those infected computers, which in most cases are innocent victims of the spammers. Trying to block those IP numbers isn't a practical solution.

    You *can* go after the advertisers, by making a complaint to the ISP that hosts their site, or to the postal authorities if they give you a postal address. It just requires more effort than most people are willing to invest.

  13. Anonymous Coward


    Naked Paris Hilton? Gimme one. Gimme one!!!!

  14. Sanford Olson

    Only 6? Let's hire some mercenaries

    I'm sure there are tens of thousands or even millions of companies and computer users out there that would be happy to donate $5 towards hiring some people to back-track the spam through the ISPs, home-user infected machines, irc channels, infected webservers, etc back to the source and then hire some nasty goons to go after these guys. After a few botnet operators ended up in the hospital, perhaps they would re-think their "career" choices. And send the goons after the scum that are advertising in those SPAM e-mails too.

  15. Jeff Munson

    Fight botnets with botnets?

    How about someone infiltrates the botnets and sends out an anti-virus spam? There are freeware, GOOD anti-virus proggies out there. Obvious, simplistic, and probably impossible...but hey, it might work right?

  16. EnricoSuarve

    Joe Job?

    Wait a minute - no one can go after the advertisers because some of them might be getting framed?

    Good job the police don't use that logic for every case

    How's this?

    1) Police go after Advertisers

    2) Police use their powers to open up their accounts and investigate unusual transactions - apart from the fact that every company I know hates being audited this may well lead to the spammers

    3) Police follow money to spammers and beat over head with wet fish till dead

    4) Police similarly go back to advertisers and apply same punishment

    5) Everybody rejoices (hurrah!) and Police start again with the next advert

    Step 2a) Police find no evidence linking advertiser to suspect activity, apologise and leave

    I know this is perhaps slightly simplified (jurisdictions and all) but it's the way it SHOULD be I think

    Penguin as in the interests of recycling they can eat the fish after the spammers are dead

  17. Anonymous Coward


    Indeed nuking hosts is an interesting and probably effective mid-term solution, if in fact any group is willing to take the heat for such a snafu, considering the action's dubious legality, grey moral and the unstoppable controversy that would ensue.

    Of course less than 23% of all zombie hosts would be taken down after months of bloodless fierce cyberwar, and I'm just making up a wildly optimistic statistic. Granted, the issue here is not aiming for obliteration of zombie hosts. The effect would hardly hit the spamnets as I'm sure they would quickly devise new mischievous ways to own new dumb-people boxen. What then?

    It's not trying to strangle the spamnets' zombie-bit-army but rather it's a war for the mounting psychological effect the nuking would generate. As the less technically oriented lusers begin to have their machines zonked by our "friends" in the hypothetical Spam Liberation Army, having their systems wrecked beyond simple fixes short of reinstallation and their personal data (hopefully) erased, a word-of-mouth panic starts to pick up among the social network.

    Eventually the outcry and awareness of the troubles grow so strong that major media is simply pressed to cover the "liberation" attacks in the news, furthering FUD and in the end forcing the general public to get informed and patched, finally solving the problem for the *most* part.

    I believe our "friends" in the Military/Intelligence Circles call this a PsyOP, while our other "friends" in the corporate war call this a "Strategic Media Plan". Don't you love corporate lingo(bfuscation)? Heh. This is a horrid plan with too much fascist overtones for my taste, I'm not even sure why I'm crafting it, and I'm *certainly not* advocating it.

    All I'm saying is yeah, it could work, possibly better than expected.

    --Hung Mung

    Apostle of the Goddess and Most Venerable Chaoist

    Keeper of the Sacred Chao

  18. Keith T

    don't allow the USA to exempt its citizens from international criminal law

    Increase the penalties for unauthorized entry into a computer using international criminal law, create a law against financing unauthorized entry into a computer system, and create an international agency to help enforce the law. And then don't allow the USA to exempt its citizens from international criminal law, if they still want to be a part of the internet.

    But it won't happen.

    What will happen (sooner or later) is some large loss of life tragedy, and then the internet will be re-architected with permanent IP addresses and traceability features.

    The internet is financed by all those people and agencies with unpatched and otherwise insecure operating systems (which includes linux and mac os), and leaky applications. I suppose people who don't want to be exposed to these people's computers could create their own network.

  19. Anonymous Coward

    To quote another story from today...

    I say we take off and nuke the entire site from orbit. It's the only way to be sure. (Ripley - Aliens)

  20. Anonymous Coward

    @IP Addresses

    "The IP numbers would lead to the zombies, not to the control computers."

    I'm the AC who asked for IP addresses, and it's precisely because it would lead to a zombie. I have friends and relatives who don't "do computers" for a living; they have their redmondware set up for email and surfing. And they are - in spite of my urgings - the most likely to accidentally get p0wnd.

    So I would love to see a list, not so I can be a "vigilante", but rather so I can go out and clean up messes where I can do so with the full knowledge and permission of the rightful owner(s).

    And if for some reason I see my own IP addy, well, then I'll know to try to clean up my own house.

  21. Anonymous Coward

    Why no good worms?

    Surely some Whitehat out there can use the same vulnerabilities these worms/trojans use and turn them around to patch the vulnerabilities??

    Imagine, all these innocent, and unpatched, computers having their SMTP ports blocked or limited. Spam is almost eliminated overnight.

    Come on, who wants to be the global superhero here??!

  22. Lee Mulcahy

    If you can detect it, block it!

    I'm sure I'm missing something here, but if these agencies know the percentage of spam from each botnet, they must be able to identify the botnet that sent each e-mail. If you can identify it, why can't you block it? I know they're detecting at an endpoint, but if they can identify the source, why can't the ISPs?


  23. Wile E. Veteran

    The vigilantes miss the obvious.

    An awful lot of people will take the position, "You nuke my computer and destroy my personal files and I'll sue YOUR f**king ass off. " Or, "I'll have YOU arrested and prosecuted." No damage to the spammer, just to the vigilantes.

    Odds are, the self-righteous vigilantes will be a lot easier to find than the bad-guy spammers, too, not having developed the hiding mechanisms these criminals have.

    Might want to think of a different tactic.

    Paris, because she doesn't think before she acts, either.

  24. Anonymous Coward

    Going after advertisers

    Going after advertisers has been done. Once at least very effectively. Even so that spammers attacked back heavily. So heavily that the business had to close.

    See the Blue Frog case for more - .

    Thereafter a similar open-source project was set up. But that didn't take off either - .

  25. s. pam

    The most simple and eloquent of solutions has to be legislated!

    if the laws were changed to FORCE all ISP's to block ALL outbound SMTP *except their own relays* for home networks you would zap about 75% of all traffic/botnet computers. before you scream -- a simple scan for properly run UNIX/RFC-822 and RFC-2822 machines could be allowed out of an ISP. now this does increase to a small extent the ISP having a competent SMTP admin, but it comes at a very small price to stop at SOURCE the issue.

    then nuke the remaining 15%.

  26. Sam Penny

    Tracking down the controllers...

    So, if I have a compromised machine (easily done, just connect an unpatched windows machine to the internet and run a few unwisely chosen downloads) which then receives instructions from somewhere to send spam, shouldn't it be relatively easy to see where those instructions are coming from?

    I must try this some time...

  27. Anonymous Coward

    just had first hand experience ....

    A friend administers a few servers, one of which quietly started to silently install some nasties. Thankfully this was discovered early in the day. Part of the problem with getting restitution is the various jurisdictions involved. In this example a spot of research leads back to some pretty unsavoury eastern characters. Not a chance of gaining redress..... All you can really do is restore backups of compromised servers and hope to improve your security to the point that bunches of alleged gangsters don't get access in the first place.

    As far as punishing the advertisers go, it rather supposes that the companies concerned are relatively conventional, legitimate corporate entities. Research I performed for my buddy tends to indicate that not one of the spamvertised "companies" was in any way remotely legit.

    In this case the exploit was initially via msn of an admin's home PC, this (keylogger) gained the FTP passwords for his hosted servers. Within hours, the servers had been accessed and rooted. The webservers in question attempted to install "java" on client PCs...... except the server they attempted to do so from was located in ..... well, Eastern Europe shall we say. Where the infection, an iFrame exploit, was successful, the PCs concerned joined some muppet's zombie army...

    If this can happen to someone clued up, it can happen to anyone. Default configurations of any O/S should be more secure. Scripts should be prevented from running as default, regardless of the irritation. Given that security is non-trivial, and that average users can have no grasp of it, considering the potential disruption for everyone, not just average home users, users should be protected from themselves. People that should know better should be smarter than to take anything on trust, and know that there is no such thing as being "off duty"; they are just as likely to be compromised at home as at work.

    I know for a fact one friend, whose PC I have purged of the pox several times before now, has taken the view that he must resort to pirated movies and software, clicking on any old icon in emails etc, et bloody cetera.... I've washed my hands - tired of securing the thing only for my security to be undone by the user. His PC now clocks up downtime like proper secure systems clock up uptime. Whilst I don't believe in the RIAA's aims, a few more high profile legal user reamings might just encourage dumb ass users to believe their friendly geek that these things are bad for their health.

    The real enemy ? Complacency. People also need to remember that for f**ks sake...There really is no such thing as something for nothing.

  28. Anonymous Coward


    If these figures are accurate, then spam originating from bots must be easily identifiable.

    If spam originating from bots is easily identifiable, why don't ISPs simply discard it?

  29. Steve Foster

    @Hany Mustapha

    All internet hosts are supposed to have a PTR record. That's mandated in the RFCs (I can't recall which ones off the top of my head, but if you use against a domain you manage, the PTR test it runs specifies the relevant RFCs).

    Now if you want to check that the PTR actually matches the hostname - then the check is more useful.

  30. Anonymous Coward

    @ first AC "Stating the bloomin' obvious "

    "Tux, cos penguins don't do spam, tinned or otherwise!"

    While I agree with much of what you said, the above statement is blatantly wrong. OK so maybe they don't spam but they do seem to host an awful lot of phishers. Until it became too much of a problem, I used to track down the phishing 'website' that I received email about and would contact the host. Often the duffus running the system (often for BANKS!) would not have changed a root password - and most often it was a UNIX system. (OK so it was mostly out of China or Eastern Europe - but things as they are.)

  31. Anonymous Coward

    Why, I ask...

    ...does nobody care about the servers running the *web sites* that the spammers point to? They have access to only a very few bulletproof hosting sites. 90% of those are in the far East or Russia. Let's do a little check, shall we? The last five spams I've gotten:

    Kyonggi-do - Seoul - Lg Dacom Corporation

    Shanghai - Shanghai - China Mobile Communications Corporation - Shanghai

    Istanbul - Istanbul - Sistemnet Telecom International Route Block

    Beijing - Beijing - Beijing Zhongdianhuatong Limited Company

    Netherlands - Dootall B.v

    Kyonggi-do - Seoul - Lg Dacom Corporation


    New Jersey - Princeton - Patriot Media And Communications Llc (now that's a weird one)

    Jilin - Jilin - Cncgroup Jilin Province Network

    Philippines - 18-4058401_muramatsu Enterprise (changed Ip)

    China - Zbyd Technology Co. Ltd

    Kyonggi-do - Seoul - Lg Dacom Corporation

    Istanbul - Istanbul - Sistemnet Telecom Blackholed Ip

    Beijing - Beijing - Beijing Pengbo Hengyetechnology Co. Ltd

    So, here we have: SK, China, Turkey, China, NL, SK, China, USA, China, Philippines, China, SK, Turkey, China.

    14 spams, 6 countries, 9 spams from China or South Korea. Three were hosted by one company - LG Dacom.

    The billions of spams all point back to a relatively tiny number of enabling organizations. It appears, though, that nobody has the balls to even discuss this, let alone do something about it - preferring to regurgitate pointless monthly statistics. I suppose it makes sense: this way, the media, the 'anti spam' companies, the ISPs, *and* the spammers all make money at once. And, somehow, three of four get to pretend to be the good guys while doing it.

  32. Timbo

    @ Lee

    >> If you can detect it, block it!

    I have to agree here.

    If the various "big" ISP's can see the spam email traversing *their* networks, then why don't they just block it straight away, instead of passing it through without issue.

    Likewise most spam is the same content sent to 100's of thousands of surely this sort of multiple sending would be easy to flag up very quickly...

    So, come on ISP''ll be doing us all a favour if you stop this stuff coming via your systems...

    Paris, coz she loves traversing anything in her path !!

  33. Ian Rogers

    @Why I ask

    "14 spams, 6 countries, 9 spams from China or South Korea. Three were hosted by one company - LG Dacom."

    The vigilantes on here need to understand how the world works!

    The powers that be in the likes of China and North Korea just see a tidy revenue stream being made at the expense of "corrupt westerners".

    Now although a few countries may think they have a Divine Mandate to invade other countries to impose their will (though you'll notice they're only ever big and macho around the little countries) the rest of us understand the consequences of such behaviour.

    The anti-spam companies are doing what they can - providing precise information and stats - the real solution is down to the politicians and trade negotiations etc....

  34. Roger Heathcote

    @David W

    The sites they use are legion, and change frequently.

    Hundreds of people get their webspace hacked daily, a combination of laxness on the part of the owner and the administrator. When this happens you'll end up with a dodgy subdomain hawking cheap OEM software or viagra which may go unnoticed for months, especially with the domain redirecting DNS shenanigans many of these guys employ these days.

    PS, it's not at all clear from the confused numbers in your post that there are a 'relatively tiny number of enabling organisations'. Finding more webspace is NOT a problem for these people.

  35. Roger Heathcote

    To some of the less nuanced - more confused posters...

    @ Where's the list of IP addresses:

    @Nuke Them:

    It's people like you who are responsible for the public's impression of IT experts as calm, objective, well reasoned people - well done, I hope you have to spend the weekend reinstalling your granny's laptop again!

    @Hany Mustapha:

    ISPs don't do this to help-hurt spam, it's a useful and legitimate feature.. the fact that your spam filters use this as the test of what is a server (and therefore what is kosher or not) only means your spam filters are DEEPLY RETARDED. Start shopping around for something better.

    @Lee Mulcahy and Thad

    It's not that simple, if it was they'd already be doing it wouldn't they? I guess the way they figure it out is by cross-referencing the torrents of spam they get with what is coming out of honeypots they run. Look at some spam, they are NOT identical, they go to the trouble of salting each one with some random text to make sure they are not identical so even if you catch one, you can't just filter out the rest.

    @Sam Penny

    That might have just about worked 10 years ago (see steve gibsons dos attack report at but it's not that simple these days.. if the bot is not run via IRC (hard to trace) then the machine or site relaying the commands is as likely owned too. These people are tricky - they have thought of this.

    Roger Heathcote.

  36. BitTwister

    @George Schultz

    > OK so maybe they [Linux/Unix] don't spam but they do seem to host an awful lot of phishers.

    Well which is it? And who are "they" and what's "an awful lot"? And is the phishing stuff merely coming through a *nix box or is it actually being generated by one? There's a huge difference. I wonder how any of this, if it's actually real, compares to the *thousands* of Windows botnets?

    > Often the duffus running the system (often for BANKS!) would not have changed a root password - and most often it was a UNIX system.

    Hmm - "often" followed by another two, and all sounding rather like vague meanderings masquerading as fact. Convincing... But this assertion doesn't really make much sense because there is no default root password, and one Unix/Linux installation isn't necessarily anything like another installation. In any case if a system *had* been compromised then the root password would be irrelevant - changed or not.

  37. BitTwister


    > So, come on ISP''ll be doing us all a favour if you stop this stuff coming via your systems...

    This is rather like expecting the electricity company to do something about crap programs on TV. Just because spam comes via the pipes provided by an ISP doesn't make it something they should take control of - it's your machine, your OS, your inbox - so why not do yourself a favour and take control of it?

  38. Anonymous Coward


    @__"Surely some Whitehat out there can use the same vulnerabilities these worms/trojans use and turn them around to patch the vulnerabilities??"__

    No, this is illegal too, and is not feasible. Once the machine is compromised, anything can be installed on the compromised machine - patching the hole is one thing, cleaning the computer is a bigger issue. By your logic, we should proactively go after holes. Windows _should_ patch known vulnerabilities automatically using windows update. Because their 0 hassle auto-update service still isn't used ubiquitously (for a myriad reasons), Microsoft has recently been talking about releasing white worms - a thought that was decades old (and was one of the first computer "viruses").

    @__"Now if you want to check that the PTR actually matches the hostname - then the check is more useful.__"

    Not necessarily. One IP address can have many hostnames, but will only reverse to one. Therefore, it's not a reverse check that could be somewhat useful (today, to automatically rule out only a little bit of spam) but a forward lookup that would match the sending machine's 'EHLO'. Servers (AOL's, for instance) that expect mail to be coming from the same machine that the sending domain's MX records point to have it wrong and are rather annoying.

    The solution: Because there are so many residential clients perpetuating the problem, the responsibility needs to be placed on the ISPs to at least put a dent in the SPAM problem. Many ISPs block _inbound_ connections to port 80 because they don't want their clients hosting their own web servers on their residential networks (traffic on residential rings, marketing services, whatever) but, for some reason, most ISPs don't do anything to control _outbound_ port 25. This is absurd. Almost every bit of spam is coming from there, driving the cost of access for each customer up, annoying the global internet community at large, yet ISPs don't take any action.

    Net neutrality is an extremely important issue. However, if ISPs started implementing a 'if you send > 100 emails per hour, your outbound port 25 access is blocked' (better yet, they inform you your computer is probably infected and your port 25 access outbound is blocked), we would see a wonderful decrease in spam. This is also MUCH different than the case Comcast is currently fighting. In my opinion, Comcast should not be looking at my traffic, classifying it and then prioritizing it based on what it thinks is best. ISPs merely need a counter ticking up when a client connects outbound on port 25 - nothing is actually looking into the contents of each connection, but just the fact that a connection occurred. Much like walking through a turnstile - something counted the fact that you were there, but nothing knows that it was you.

    This is fairly easy to implement for ISPs, yet they choose not to do it. Of course, with such a stellar lack of competition in the ISP market, many of them seemingly hiring incompetent people (Pakistan v. YouTube), and many of them now of the mindset that the service levels they continue to provide are good enough (as long as you can get to the Internet, you're happy and they're happy), we're not likely to see this kind of simple change unless demanded.
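    The PTR-versus-EHLO point made in this comment and in Steve Foster's reply above (reverse-confirm the PTR, then forward-resolve the EHLO name rather than demanding it equal the PTR) as an added example that is not from any commenter; the DNS records are a constructed stub standing in for real lookups, and the function and record names are assumptions.

    ```python
    """Forward-confirmed reverse DNS (FCrDNS) plus EHLO verification for an SMTP client.

    Added illustration; resolver data below is constructed, not real DNS.
    """
    from dataclasses import dataclass, field
    from typing import Dict, List, Optional
    import ipaddress

    # Constructed PTR (reverse) records: one name per IP.
    PTR: Dict[str, str] = {
        "198.51.100.10": "mail.example.net",
        "198.51.100.20": "host-20.isp.example",   # generic ISP-assigned name
        "203.0.113.5": "mx.example.org",          # PTR name that does not point back
    }

    # Constructed A (forward) records: one name may have several IPs and
    # several names may share one IP, which is why a literal PTR == EHLO test is too strict.
    A: Dict[str, List[str]] = {
        "mail.example.net": ["198.51.100.10"],
        "smtp.example.net": ["198.51.100.10"],    # second name on the same IP
        "host-20.isp.example": ["198.51.100.20"],
        "mx.example.org": ["203.0.113.9"],
    }


    @dataclass
    class Verdict:
        fcrdns: bool                 # PTR exists and resolves back to the connecting IP
        ehlo_ok: bool                # EHLO name (or address literal) resolves to the IP
        ptr_name: Optional[str]
        reasons: List[str] = field(default_factory=list)


    def reverse_lookup(ip: str, ptr: Dict[str, str] = PTR) -> Optional[str]:
        return ptr.get(ip)


    def forward_lookup(name: str, a: Dict[str, List[str]] = A) -> List[str]:
        return a.get(name.strip().lower().rstrip("."), [])


    def ehlo_resolves_to(ip: str, ehlo: str, a: Dict[str, List[str]] = A) -> bool:
        name = ehlo.strip().rstrip(".")
        if name.startswith("[") and name.endswith("]"):
            # RFC 5321 address literal, e.g. EHLO [198.51.100.10]
            return name[1:-1] == ip
        return ip in forward_lookup(name, a)


    def check_sender(ip: str, ehlo: str,
                     ptr: Dict[str, str] = PTR, a: Dict[str, List[str]] = A) -> Verdict:
        ipaddress.ip_address(ip)  # raises on malformed input
        reasons: List[str] = []
        ptr_name = reverse_lookup(ip, ptr)
        if ptr_name is None:
            fcrdns = False
            reasons.append("no PTR record for %s" % ip)
        else:
            fcrdns = ip in forward_lookup(ptr_name, a)
            if not fcrdns:
                reasons.append("PTR %s does not resolve back to %s" % (ptr_name, ip))
        ehlo_ok = ehlo_resolves_to(ip, ehlo, a)
        if not ehlo_ok:
            reasons.append("EHLO %s does not resolve to %s" % (ehlo, ip))
        return Verdict(fcrdns, ehlo_ok, ptr_name, reasons)


    def naive_ptr_equals_ehlo(ip: str, ehlo: str, ptr: Dict[str, str] = PTR) -> bool:
        """The overly strict test: PTR name must literally equal the EHLO name."""
        return ptr.get(ip, "").lower() == ehlo.strip().lower().rstrip(".")


    if __name__ == "__main__":
        for ip, ehlo in [("198.51.100.10", "smtp.example.net"),
                         ("198.51.100.20", "mail.example.net"),
                         ("203.0.113.5", "mx.example.org"),
                         ("192.0.2.77", "[192.0.2.77]")]:
            v = check_sender(ip, ehlo)
            print(ip, ehlo, "fcrdns=%s ehlo_ok=%s naive=%s" %
                  (v.fcrdns, v.ehlo_ok, naive_ptr_equals_ehlo(ip, ehlo)), v.reasons)
    ```

    A host that passes FCrDNS but whose EHLO does not resolve to it is the case the commenter describes: a legitimately named machine that is still not the server it claims to be.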
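    The "counter ticking up when a client connects outbound on port 25" proposed in this comment, as an added example that is not any commenter's code: a per-client sliding one-hour window over constructed flow records (timestamp, source, destination, port) that flags a source after more than 100 SMTP connections without inspecting any message content. The threshold, log format and function names are assumptions.

    ```python
    """Outbound port-25 connection counting per residential client, metadata only.

    Added illustration; the flow-log lines are constructed in make_flows().
    """
    from collections import defaultdict, deque
    from datetime import datetime, timedelta
    from typing import Deque, Dict, List, Tuple

    THRESHOLD = 100                 # "if you send > 100 emails per hour" from the comment
    WINDOW = timedelta(hours=1)


    def parse_flow(line: str) -> Tuple[datetime, str, str, int]:
        """Constructed format: '<ISO-8601 time> <src ip> <dst ip> <dst port>'."""
        ts, src, dst, port = line.split()
        return datetime.fromisoformat(ts), src, dst, int(port)


    class OutboundSmtpCounter:
        def __init__(self, threshold: int = THRESHOLD, window: timedelta = WINDOW):
            self.threshold = threshold
            self.window = window
            self.windows: Dict[str, Deque[datetime]] = defaultdict(deque)
            self.flagged: Dict[str, datetime] = {}   # src ip -> first time over threshold

        def observe(self, ts: datetime, src: str) -> bool:
            """Record one connection attempt; return True the moment src exceeds the limit."""
            q = self.windows[src]
            q.append(ts)
            while q and ts - q[0] >= self.window:    # drop events older than one hour
                q.popleft()
            if len(q) > self.threshold and src not in self.flagged:
                self.flagged[src] = ts
                return True
            return False


    def run(lines: List[str], threshold: int = THRESHOLD) -> Dict[str, str]:
        """Feed flow records in time order; return {src ip: ISO time it was flagged}."""
        counter = OutboundSmtpCounter(threshold)
        for line in lines:
            ts, src, _dst, port = parse_flow(line)
            if port != 25:                           # only SMTP submission attempts count
                continue
            counter.observe(ts, src)
        return {src: ts.isoformat() for src, ts in counter.flagged.items()}


    def make_flows() -> List[str]:
        """Constructed sample: one zombie, one normal client, one busy-but-slow client."""
        base = datetime(2008, 3, 1, 9, 0, 0)
        lines = []
        # 192.0.2.10: 150 connections to port 25 within 30 minutes (zombie-like)
        for i in range(150):
            t = base + timedelta(seconds=12 * i)
            lines.append("%s 192.0.2.10 203.0.113.%d 25" % (t.isoformat(), i % 50 + 1))
        # 192.0.2.20: five SMTP connections plus plenty of web traffic (normal user)
        for i in range(5):
            t = base + timedelta(minutes=10 * i)
            lines.append("%s 192.0.2.20 198.51.100.25 25" % t.isoformat())
        for i in range(300):
            t = base + timedelta(seconds=i)
            lines.append("%s 192.0.2.20 198.51.100.80 80" % t.isoformat())
        # 192.0.2.30: 120 connections spread over three hours, about 40 per hour
        for i in range(120):
            t = base + timedelta(seconds=90 * i)
            lines.append("%s 192.0.2.30 198.51.100.25 25" % t.isoformat())
        lines.sort()                                 # fixed-width timestamps sort correctly
        return lines


    if __name__ == "__main__":
        for src, when in run(make_flows()).items():
            print("%s exceeded %d outbound port-25 connections/hour at %s" % (src, THRESHOLD, when))
    ```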

  39. Maty

    how about ...?

    Don't buy from spammers. Nothing would shut down spammers faster than a lack of sales from all their hard work. Should we not be stressing to our more ignorant computer-using brethren that spammers are by definition liars and thieves, and therefore not ideal people to do business with and to trust with credit card numbers?

    Yet do we hear anyone promoting a 'don't buy from spammers' message? Could it be that no-one wants to push this idea too hard in case their own - totally legit, real double opt-in I swear guv - marketing messages take collateral damage?

  40. JC

    Why we have spam - greed

    Why we still have spam is greed - but that the greed is focused on everything else. Sure, spam costs money but not so directly. On the other hand we have multiple organizations trying to protect IP and stop software pirates and MP3 downloading dead grandmothers.

    It's about time we quit whining about it and put some real pressure on those allowing it to happen. It is not that difficult to point the finger, like ISPs letting thousands of emails through at a time, like email servers not filtering it reasonably, like ISPs continuing to deliver hidden CC type emails.

    Even when it's a compromised system owned by an innocent party, that person should be tracked down and given the choice of being responsible or having some tracking software put on their system so the trail isn't cold, so the next machine in the IP trail, that system's owner is given the same choice of responsibility or tracking software. Obviously it would have to be an international effort but given spammers need perpetual high volume it is not a difficult thing to accomplish in a short period of time when computers are involved.

    They can be used as tools for resolving the problem as well as the instruments for causing it. Perhaps making that a standard feature in antivirus engines would be helpful then it reports back to a central database, with the user's consent of course.

  41. jeff strayer

    FORWARD SPAM......

    I usually forward my SPAM to the company doing advertising......they should be boycotted if you ask me. I do this with regular mail as well, if it comes with a return addressed envelope, just load it up with their own crud and send it on back to 'em.....let 'em see how much they enjoy it!

  42. Ron Rumpf

    Spam Zombies

    The majority of zombies are Windows systems. For some reason the ISP’s are unwilling to help stop this. Just check with Gibson’s problem with denial of service. There is a simple solution but, can not be implemented. Since there are only a few active Trojans that are involved in this process the solution is to fix the leak in the Windows Firewall and write a specific Trojan remover and download it as an operating system update. The updates are world wide. Wednesday morning when everybody wakes up the botnets would be dissolved. The reason it can not be done is Microsoft is not in the business of writing Trojan removers and all of the companies making money for anti-virus and Trojans would protest. The government would become involved just as they did over the Internet Explorer. You can’t give away something that others are making money on! People will complain that’s slowing down their computer (not realizing that the Trojan is already eating up much more).

  43. Adam

    simple solution

    simple solution? all residential internet connections have a SMTP block. If you wish to set up a mailserver it's simple, login to your account on your ISP's webpage and click "enable smtp from this account" easy.

  44. BitTwister


    > This [various functionality-limiting proposals] is fairly easy to implement for ISPs, yet they choose not to do it.

    The problem exists at the scale it's reached because the "world's most 'popular' OS" is very easily compromised and is very poorly supported. This is not something ISPs should have to deal with, so they don't - and your 'solutions' are typical of those viewing all aspects of a problem as a single nail in that there's only one tool available: a large hammer.

    Perhaps it would prove more beneficial to complain to the manufacturer of the OS responsible, *demanding* that they drop the BS & face-saving spin and take responsibility for the mess they've created - and continue to assist with so-called "ease of use" and silly sugar-coated GUIs, all implemented at the expense of effective operation and system security.

  45. Anonymous Coward

    >.<;;;; Why?

    So what the hell is the problem?

    Why aren't these networks getting banned/blacklisted?

    Surely they can be traced..tracked...and eliminated?

  46. Gleb

    I actually have an idea...

    If I understand it correctly, then the botnet is operated by a master server somewhere. The master server is invisible, and there might be levels of master...y, I guess. But what must be common for all infected machines is that they must have an open socket, on a presumably random port. And since there are only 6 or so important botnets, it's theoretically possible to blacklist the IPs by trying to connect to the machine's 65k sockets and, if you get an answer, test if it's a botnet socket. ISPs should do this, but anyone can really.

    So. You get an email. You see if the host you got the email from is infected. If it's not, proceed as usual.

    Plot holes: 65k pings could be expensive, but this might be a distributable cost. The botnets might shut off sockets periodically, but I find it unlikely, as it would limit their response times. There *could* be a scanning authority, basically green/red listing as a service, but who'd do it?

    Can *this* be done smarter?

  47. BitTwister


    > trying to connect to the machine's 65k sockets and, if you get an answer, test if it's a botnet socket.

    Connect how? And get an answer to what, exactly - there are plenty of valid things a machine could be doing which require an open socket or two. How would any of this differentiate between 'good' and 'bad' (botnet) machines? How would this work with a machine which is part of a Windows botnet located behind a firewall running on a different OS?

    > Can *this* be done smarter?

    Yes. Fix the damned OS responsible for making it so easy to create botnets.

  48. Ken Hagan Gold badge

    Re: just had first hand experience ....

    "In this case the exploit was initially via msn of an admins home PC, this (keylogger) gained the FTP passwords for his hosted servers."

    I'm curious. Was this a case of running MSN in an administrative account? Or was it all confined to the one user-level account? In the former case, the lesson would be the rather mundane one of "Don't surf with admin privileges", which I suspect that most of the present readership already follow.

    However, in the latter case, it would presumably be "Have *two* user-level accounts: one for playing and one for anything remotely sensitive", which even the El Reg readership would regard as unusually cautious.

  49. Brett Leach


    Folk are not permitted to drive on the roads with dangerous/unroadworthy vehicles. Why not do the same for computers connected to the net?

    If a computer is identified as compromised by the ISP hosting its connection to the net, then plain and simple it is not permitted to venture out into the wider network.

    It is only permitted access to a "repair" network with tightly restricted functionality, or zero access entirely, just a page telling the computer's owner to take it to a repairer when they attempt to run their browser, an email with the same information and functionally similar messages from messaging apps. Unrecognised net apps would simply fail to work.

    Having to pony up fifty bucks once, twice or a dozen times, depending on cranial density, will eventually get the message across.

    @maty. 99% plus of people don't buy spamvertised products. But even if only one in a thousand do, that's a thousand sales from a million messages sent out for an investment of well under a hundred bucks. A decent ROI in anyone's books.

    And that's if the product is even remotely legit. If the product they are selling is actually your credit card details...

  50. Anonymous Coward



    Botnets will not necessarily have a server waiting for connections open on a port. Some connect to an IRC network and join a specific channel. That kind of thing. You can't determine if they're compromised or not just from a port scan.

    PS: Also, pinging does not work the way you described.

  51. Tim Bates

    I'm with Adam...

    I agree with mandating ISPs to block port 25 until it's specifically requested by the user (at which stage it should be required by law that they unblock within 24 hours). Brilliant idea... And I think it should apply to all service types too, since some businesses don't run their own SMTP servers, etc.

    In addition, it should be legalised for ISPs to probe for open mail relays on services that have requested SMTP access. Say once a week or so, the ISP does a quick test to confirm there are no open relays, and if there are, they flick the block back on.

    Simple, efficient and very easy to do. This would fix almost all spam in a matter of weeks.

  52. Anonymous Coward

    Beating spam is easy

    No client PC should *ever* submit messages using port 25. Port 587 is the correct submission port (port 25 is for relay by servers). If all ISPs blocked port 25 and mandated SMTP-AUTH on port 587 spam would die overnight.

    SMTP-AUTH requires a username and password, but every ISP customer has a username/password to connect anyway so this could be reused.

    The fact this is so simple suggests that ISPs have a vested interest in not killing the spam problem.
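Added illustration (not code from any poster) of the port 25 versus port 587 split argued in this comment, and of the weekly open-relay probe suggested in the comment before it: a toy Python model of one hypothetical server's reply policy. The domain, the account and the reply strings are constructed for the example.

```python
"""Toy model of the submission-vs-relay policy argued in the thread.

Added example, not code from any poster. It models two listeners of one
hypothetical mail server: port 25, which relays only for domains it hosts,
and port 587, which accepts any destination but only after SMTP-AUTH.
Reply codes follow RFC 5321 and RFC 4954 conventions.
"""

LOCAL_DOMAINS = {"example.net"}        # constructed: domains this server hosts
ACCOUNTS = {"alice": "correct horse"}   # constructed: ISP customer credentials


class SmtpPolicy:
    """Response policy for one SMTP session on a given listener."""

    def __init__(self, port: int, relay_any: bool = False):
        self.port = port
        self.relay_any = relay_any      # True = the misconfigured "open relay"
        self.authenticated = False
        self.sender = None

    def _is_local(self, address: str) -> bool:
        return address.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS

    def auth(self, user: str, password: str) -> str:
        # AUTH is only offered on the submission port.
        if self.port != 587:
            return "503 5.5.1 AUTH not available on this port"
        if ACCOUNTS.get(user) == password:
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Authentication credentials invalid"

    def mail_from(self, address: str) -> str:
        # Submission port: no envelope is accepted before authentication.
        if self.port == 587 and not self.authenticated:
            return "530 5.7.0 Authentication required"
        self.sender = address
        return "250 2.1.0 Ok"

    def rcpt_to(self, address: str) -> str:
        if self.sender is None:
            return "503 5.5.1 Error: need MAIL command"
        # Relay port: foreign recipients are refused unless authenticated
        # (or unless the operator left relay_any on, which is the bug).
        if self.authenticated or self.relay_any or self._is_local(address):
            return "250 2.1.5 Ok"
        return "554 5.7.1 Relay access denied"


def is_open_relay(session: SmtpPolicy) -> bool:
    """The check a weekly ISP probe would make: does an unauthenticated
    session get a foreign sender AND a foreign recipient accepted?"""
    accepted_sender = session.mail_from("nobody@elsewhere.test").startswith("250")
    accepted_rcpt = session.rcpt_to("victim@other.test").startswith("250")
    return accepted_sender and accepted_rcpt


if __name__ == "__main__":
    print("port 25, correct config, open relay?", is_open_relay(SmtpPolicy(25)))
    print("port 25, relay_any on, open relay?", is_open_relay(SmtpPolicy(25, True)))
    submission = SmtpPolicy(587)
    print(submission.mail_from("alice@example.net"))   # refused before AUTH
```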

  53. Anonymous Coward

    @Brett Leach: Networthiness?

    > Folk are not permitted to drive on the roads with dangerous/unroadworthy vehicles. Why not do the same for computers connected to the net.

    If ISPs can indeed detect compromised spamming machines, I think that's a brilliant idea.

    But also: imagine if Ford were selling vehicles which veered off the road at the slightest provocation - the slightest piece of less-than-perfect driving caused an instant pile-up. Something would probably be done to get Ford to stop this. So why isn't something done to Microsoft - why are they allowed to sell such operating systems that invite such horrors at the accidental click of a button?

  54. stizzleswick

    2 answers

    @Harry Stottle and the answers about joe-jobs: The concerns about joe jobs are of course well-founded, but the real reason that the perpetrators can't be tracked down is that the servers hosting the products advertised with spam are only up for a very short time following the spam run; typically a few hours or less. Also, they are hosted on "bulletproof" servers, i.e., unreachable by law (because they are situated in places like China and some other countries that don't have effective anti-spam laws) and normally are also protected against all normal modes of attack, including DDOS.

    Re "Beating spam is easy"

    Well, simple solution. Only it does not work. You see, spammers are already used to setting up bogus mail accounts with a wide variety of web hosters... so SMTP-AUTH wouldn't change a thing. Also, much spam these days comes from malware which includes its own SMTP server, so what the relaying server sees is not a client PC, but another server, which makes port 25 the correct port to do business on.

  55. Anonymous Coward

    Re: 2 Answers

    "Also, they are hosted on "bulletproof" servers, i.e., unreachable by law (because they are situated in places like China and some other countries that don't have effective anti-spam laws)"

    Which in turn are controlled by a few individuals in the good old US of A, which apparently does not have effective anti-spam laws either. If you're going to "follow the money" you have to follow it all the way to where the buck stops and not try passing the blame off on an intermediary.

  56. DZ-Jay

    Re: All post in this section

    To all readers in this forum:

    I'm sure most of you, if not all, would agree that Internet e-mail is a fantastically useful medium of communication; otherwise, I'd expect cries to shut down all e-mail services instead of the usual block/restrain/limit/control requests in here.

    That said, a fact that seems to have been missed by most people is that the reason this technology is so ubiquitous and, indeed, fantastically useful in the first place is precisely *because* of its openness, decentralization and seemingly chaotic nature -- the very features that a lot of you seem to agree should be eliminated.

    Point-to-point, centralized, authorized, and secure communications have always existed in the Internet, and they still do; however, e-mail, of all mechanisms -- for better or worse -- won out against others as the de facto messaging system for the masses.

    This is not to say that it is a perfect technology -- far from it. It could, of course, use some improvements. But the solution is not to turn the e-mail system into something it is not: a centralized, controlled environment where all entry and exit points are known. This may sound good in theory for a mass communication medium, but it's just another nail in the free and open network, and it's one more potential "toll gate" for the eventual gate keepers: ISPs, or, heaven forbid, governments.

    With this comes not only a monetary price, but the price of freely exchanged anonymous speech, the cornerstone of any free society. Secure and closed communications systems have their place, but the world should still have an open channel.


  57. Anonymous Coward


    A bogus mail account is no use. You need a username and password provided by the ISP to its customer to authenticate your SMTP submission. A spammer could abuse this, but not anonymously - I'm presuming an ISP knows who its customers are.

    Malware does indeed come with an SMTP client (not server). That's why a key part of the solution I proposed includes *blocking* port 25.

  58. Anonymous Coward

    I will need the following...

    A list of spammers' addresses

    My bookstick and a bunch of plane tickets!

  59. stizzleswick


    "A bogus mail account is no use."

    Currently, bogus mail accounts are all the rage at mail providers like Google, MSN, Yahoo!... And no, those mail providers don't give a crap who their customers are; they just set up the boxes and let nature run its course until somebody threatens legal action because of the flood of spam coming from their servers.

    If email were restricted to ISP-provided email only, then you have a point. Unfortunately, this is not the case, and moving several dozen million webmail users who do not currently use their ISP's email services (including yours truly) over to a new email address would prove rather impractical IMHO.

    "Malware does indeed come with an SMTP client (not server)."

    Yes, actually there are several strains out there that have their own server (not client).

  60. Graham Bartlett

    @Brett and AC

    Why are cars different from computers? Well, if cars go out of control, people die. If computers are compromised, the worst-case scenario is that your hard drive gets wiped - a scenario you should already be prepared for with backups, because hard drives have a finite lifespan. The less-worse scenario is that your machine becomes a zombie - no files are affected, but it'll hit your bandwidth usage and inflict spam on others. Either way, there's no loss of life and limited loss of money (unless zombies are used for DDoS, and this article is about spam, not DDoS).

    In other words - get some friggin' perspective, guys!

    And let's consider the case where this impractical suggestion was put into action. Letting a user shoot themselves in the foot would now result in lawsuits against the PC vendor. Every PC would therefore have to be fully locked down at sale time. You would be allowed the email clients pre-installed by the seller and no other client would be allowed to send email. Nor would you be allowed any other browser or IM client. File-sharing would be right out. Even downloading files would probably be blocked, because that's a potential route in. And of course you'd have to allow your PC vendor to remotely install updates on your machine whenever *they* saw fit, regardless of whether you wanted that update or whether you really wanted your bandwidth at that particular moment in your CS game.

    In other words - you didn't think about the consequences before you suggested this idea.


    Your post advocates a

    (X) legislative

    approach to fighting spam. Your idea will not work. Here is why it won't work.

    (maybe) It is defenseless against brute force attacks

    (X) Users of email will not put up with it

    (X) Microsoft will not put up with it

    (X) Requires immediate total cooperation from everybody at once

    (X) Many email users cannot afford to lose business or alienate potential employers

    (X) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    (X) Asshats

    (X) Jurisdictional problems

    (X) Willingness of users to install OS patches received by email

    (X) Technically illiterate politicians

    (X) Extreme stupidity on the part of people who do business with spammers

    (X) Dishonesty on the part of spammers themselves

    (X) Outlook

    and the following philosophical objections may also apply:

    (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

    (X) SMTP headers should not be the subject of legislation

    (X) Countermeasures must work if phased in gradually

    (X) Why should we have to trust you and your servers?

    (X) Incompatibility with open source or open source licenses

    (X) Feel-good measures do nothing to solve the problem

    Furthermore, this is what I think about you:

    (X) Sorry dude, but I don't think it would work.

    (maybe) This is a stupid idea, and you're a stupid person for suggesting it.


  61. Anonymous Coward

    I like the idea of...

    a 'good' virus/worm that fixes the zombies - just need the US DoD to set up some covert/deniable ops that distributes worms that fix the zombies. Without them the spammers' capabilities are significantly reduced such that it would hopefully strangle their revenue stream.

    It could end up being a bit of a war of attrition, but that would at least be more entertaining than just watching spam increase day after day.

  62. Kevin Gurney

    China's part in the spam industry

    Seems odd to me that a country which blocks its citizens from viewing anything that it doesn't approve of on the internet should actually be hosting the majority of the websites that the spam leads back to.

  63. G Fan

    @China's part in the spam industry

    It's not really so odd if you've ever worked in a Chinese office. Most Chinese are pretty clueless about malware - every home computer, 'net cafe computer and even many major organisations are riddled with it. When it comes to the internet the majority of Chinese have almost child-like trust of what they find. So most computers have download managers, password managers, cute little desktop games, funny icons and all the other standard vectors for malware.

    That's fine for home users - home PCs aren't switched on as much as they are in the West. Problem is that most Chinese companies exhibit the same child-like innocence, so few have even the most basic policy in place for controlling their workforce's habits. Result is that staff happily spend large chunks of the day on QQ and other social sites, happily downloading cute little desktop games, funny icons, etc all to their work PCs.

    Certainly there are spam/bot controllers there - it has to be in the Chinese language, after all - but they're helped by universal ignorance in the rest of the country.

  64. Brett Leach

    @Graham Bartlett

    Actually the level of potential damage is essentially irrelevant. You are legally responsible for ensuring, by taking all reasonable precautions, that your property does not cause damage to another's. Spewing spam might not constitute harm/damage, but virtually any other use to which a compromised machine might be put certainly is. I don't believe anyone has been prosecuted for owning a zombie machine, but there is no legal reason AFAIK why someone couldn't be.

    re: users shooting themselves.

    Theoretically, PC vendors too, could find themselves in legal hot water under fitness for purpose and merchantability laws, inasmuch that a PC out of the box is very rarely in any fit state to be safely connected to the net.

    If they are selling an out of the box experience, as they essentially do, often claiming that as a selling point, then the product they are selling should come pre-configured with all appropriate services enabled/disabled, a randomly generated admin password, and at least one user account, also password protected. OS patches and basic anti-malware (I believe most motherboards come with such software and a 6/12 month "first taste is free" license on the driver disk anyway) installed, activated and within a week or so of being up to date. And as suggested in comments on an article about vulnerable routers, they too should have more robust passwords (serial number was suggested) by default.

    All of this would cost very little to implement, once a week the vendor would have to spend a few minutes bringing their install image up to date, and a few minutes on final configuration before each box went out the door. A few dollars per machine at most.

    And having taken all reasonable precautions, the vendor is off the hook legally.

    All future responsibility then devolves as it properly does to the buyer.

    Repairable ignorance alone should never be a defense or an excuse.

  65. Anonymous Coward


    "Currently, bogus mail accounts are all the rage at mail providers like Google, MSN, Yahoo!... And no, those mail providers don't give a crap who their customers are; they just set up the boxes and let nature run its course until somebody threatens legal action because of the flood of spam coming from their servers."

    These bogus accounts are accessed using webmail clients - you submit the email from a browser. Spammers do not submit spam this way - they use SMTP clients on a zombie. If you kill the ability to do this, as in my suggestion, spam ceases immediately.

    "Malware does indeed come with an SMTP client (not server)."

    "Yes, actually there are several strains out there that have their own server (not client)."

    SMTP servers are used to receive email - somehow I don't think that's what spammers are in the business of doing !
