Posted to users@spamassassin.apache.org by Pollywog <li...@shadypond.com> on 2005/12/17 20:14:34 UTC

[OT] distributed spamming

For about two weeks, I have noticed something very odd.  I get connections 
from mail servers (mostly in Germany) and each server tries to send one spam 
to a nonexistent user, then a different server (often at a university in 
Germany) will try with a different recipient, then a few seconds later, 
another server will try with another guessed username, and it goes on like 
that for hours at a time.  The odd thing is that it is just one spam at a 
time.  I don't think I have seen that before.  I usually see a server attempt 
to send one after another, guessing at the user names.

Is anyone else seeing anything like that?  How are spammers doing it?


8)

Re: [OT] distributed spamming

Posted by jdow <jd...@earthlink.net>.
From: "Matt Kettler" <mk...@comcast.net>

> At 03:56 PM 12/17/2005, Pollywog wrote:
>>On 12/17/2005 07:19 pm, Matt Kettler wrote:
>>
>> > Spammers of any decent sophistication have rather extensive networks of
>> > zombies at their disposal that they can co-ordinate.
>> >
>> > Does this surprise you at all?
>>
>>Yes, because spammers are stupid and I had not seen this sort of 
>>distributed spamming before.
>
>
> It is a gross and dangerous error to regard spammers as stupid. Sure, some 
> of them are stupid, but not all are. There's plenty of evidence that much 
> of our spam comes from highly organized, somewhat sophisticated, 
> multi-person, multi-national spam gangs. To underestimate one's enemy is a 
> grave error.
>
> Large-scale spammers are working together with virus writers. Virus 
> writers are installing backdoors that they can harvest and sell to 
> spammers as mail relay bot-nets. Spammers are using these in performing 
> very massive-scale dictionary scans.
>
> I'm also fairly sure that the cycle comes full circle, and every time they 
> find a valid address they kick off a few mail worms to it hoping to pick 
> up a new bot. Virus begets spam begets more viruses.
>
> This is also not the only sign we've seen of well-organized spam 
> outfits. It's quite obvious spammers analyze anti-spam tools, including 
> spamassassin, for weaknesses. Take the infamous bug 1589 that was 
> exploited by spammers forging multiple different email clients to gain 
> hefty negative scores.
>
> Also take the current heavy exploitation of Geocities. This isn't just 
> some idiot setting up a couple pages on uk/de/br.geocities.com, they're 
> using rapidly adapting automated scripts to bombard geocities with these. 
> They're probably using their botnets to create the registrations, which is 
> why it looks like just a bunch of users from all over the place to 
> geocities. If it was all coming from a few IPs it'd be easy for them to 
> stem it.
>
> These guys aren't geniuses, but the top spammers are certainly more clever 
> than most people think. We often assume their moral handicaps must have 
> matching mental ones. That underestimation is one weapon the spammers, and 
> other sociopaths, have on their side.

Um, they aren't? Some of them know more about how things work than
the people who designed them. Kuvayev uses interesting side effects
on DNS behavior to work some of his nastiness, for example. It takes
both persistence and genius to do that kind of work. I can respect
his level of competence at the same time I deplore his basic morals
and ethics.

>>  It is rather clever because it can go unnoticed if one does
>>not examine the system logs carefully and often.
>
>
> At my site it happens at such a heavy rate it's blatantly obvious. 
> Dictionary attack probes are about 80% of the connections made to my 
> mailserver. With that much scanning relative to actual mail delivery the 
> distributed nature becomes pretty obvious as they're all consecutive in 
> the mail logs. It's been going on at my site continuously since at least 
> mid 2004.

A clever mail tool could use the dictionary attack to create a running
score of missed user IDs. Once a threshold is reached all mail from that
site is quietly dropped over to a tarpit machine where it languishes
for as long as the connection can be tickled into staying up.

{^_-} 


Re: [OT] distributed spamming

Posted by Matt Kettler <mk...@comcast.net>.
At 03:56 PM 12/17/2005, Pollywog wrote:
>On 12/17/2005 07:19 pm, Matt Kettler wrote:
>
> > Spammers of any decent sophistication have rather extensive networks of
> > zombies at their disposal that they can co-ordinate.
> >
> > Does this surprise you at all?
>
>Yes, because spammers are stupid and I had not seen this sort of distributed
>spamming before.


It is a gross and dangerous error to regard spammers as stupid. Sure, some 
of them are stupid, but not all are. There's plenty of evidence that much 
of our spam comes from highly organized, somewhat sophisticated, 
multi-person, multi-national spam gangs. To underestimate one's enemy is a 
grave error.

Large-scale spammers are working together with virus writers. Virus writers 
are installing backdoors that they can harvest and sell to spammers as mail 
relay bot-nets. Spammers are using these in performing very massive-scale 
dictionary scans.

I'm also fairly sure that the cycle comes full circle, and every time they 
find a valid address they kick off a few mail worms to it hoping to pick up 
a new bot. Virus begets spam begets more viruses.

This is also not the only sign we've seen of well-organized spam outfits. 
It's quite obvious spammers analyze anti-spam tools, including 
spamassassin, for weaknesses. Take the infamous bug 1589 that was exploited 
by spammers forging multiple different email clients to gain hefty negative 
scores.

Also take the current heavy exploitation of Geocities. This isn't just some 
idiot setting up a couple pages on uk/de/br.geocities.com, they're using 
rapidly adapting automated scripts to bombard geocities with these. They're 
probably using their botnets to create the registrations, which is why it 
looks like just a bunch of users from all over the place to geocities. If 
it was all coming from a few IPs it'd be easy for them to stem it.

These guys aren't geniuses, but the top spammers are certainly more clever than 
most people think. We often assume their moral handicaps must have matching 
mental ones. That underestimation is one weapon the spammers, and other 
sociopaths, have on their side.

>  It is rather clever because it can go unnoticed if one does
>not examine the system logs carefully and often.


At my site it happens at such a heavy rate it's blatantly obvious. 
Dictionary attack probes are about 80% of the connections made to my 
mailserver. With that much scanning relative to actual mail delivery the 
distributed nature becomes pretty obvious as they're all consecutive in the 
mail logs. It's been going on at my site continuously since at least mid 2004.
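
jdow's "running score of missed user IDs" above and Matt's observation that probes are about 80% of his connections, as an added Python example that is not from the thread: it parses constructed Postfix-style smtpd log lines (the thread never names an MTA; Postfix format is an assumption), keeps a per-host count of unknown-recipient rejects so hosts that reach a threshold become tarpit candidates, and reports the site-wide share of probe connections. Because the distributed scan Pollywog describes sends one probe per host, the per-host counter only trips for the classic in-session scanner; the site-wide share is what exposes the distributed pattern.

```python
import re
from collections import Counter

# Constructed Postfix-style smtpd log (not from the thread).  Hosts .10-.12 send
# one probe each (the distributed pattern), .13 runs an in-session dictionary
# scan, .20 delivers real mail.  192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
Dec 17 20:14:01 mx postfix/smtpd[4101]: connect from unknown[192.0.2.10]
Dec 17 20:14:01 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <karl@example.net>: Recipient address rejected: User unknown in local recipient table; from=<a@example.org> to=<karl@example.net> proto=ESMTP helo=<example.org>
Dec 17 20:14:08 mx postfix/smtpd[4102]: connect from unknown[192.0.2.11]
Dec 17 20:14:08 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <karla@example.net>: Recipient address rejected: User unknown in local recipient table; from=<b@example.org> to=<karla@example.net> proto=ESMTP helo=<example.org>
Dec 17 20:14:15 mx postfix/smtpd[4103]: connect from unknown[192.0.2.12]
Dec 17 20:14:15 mx postfix/smtpd[4103]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 550 5.1.1 <karlo@example.net>: Recipient address rejected: User unknown in local recipient table; from=<c@example.org> to=<karlo@example.net> proto=ESMTP helo=<example.org>
Dec 17 20:14:20 mx postfix/smtpd[4104]: connect from unknown[192.0.2.13]
Dec 17 20:14:20 mx postfix/smtpd[4104]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 550 5.1.1 <aaron@example.net>: Recipient address rejected: User unknown in local recipient table; from=<d@example.org> to=<aaron@example.net> proto=ESMTP helo=<example.org>
Dec 17 20:14:20 mx postfix/smtpd[4104]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 550 5.1.1 <abby@example.net>: Recipient address rejected: User unknown in local recipient table; from=<d@example.org> to=<abby@example.net> proto=ESMTP helo=<example.org>
Dec 17 20:14:21 mx postfix/smtpd[4104]: NOQUEUE: reject: RCPT from unknown[192.0.2.13]: 550 5.1.1 <abel@example.net>: Recipient address rejected: User unknown in local recipient table; from=<d@example.org> to=<abel@example.net> proto=ESMTP helo=<example.org>
Dec 17 20:14:21 mx postfix/smtpd[4104]: disconnect from unknown[192.0.2.13]
Dec 17 20:14:30 mx postfix/smtpd[4105]: connect from mail.example.com[192.0.2.20]
Dec 17 20:14:31 mx postfix/smtpd[4105]: 9B1F2C0A: client=mail.example.com[192.0.2.20]
"""

# "smtpd[pid]: connect from" so that "disconnect from" lines are not counted.
CONNECT = re.compile(r"smtpd\[\d+\]: connect from \S+\[([\d.]+)\]")
UNKNOWN = re.compile(r"NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: 550 .* User unknown")

def scan(log):
    """Count SMTP connections and unknown-recipient rejects per client IP."""
    connects, unknown = Counter(), Counter()
    for line in log.splitlines():
        if m := CONNECT.search(line):
            connects[m.group(1)] += 1
        elif m := UNKNOWN.search(line):
            unknown[m.group(1)] += 1
    return connects, unknown

def tarpit_candidates(unknown, threshold=3):
    """jdow's running score: hosts whose missed-user count reached the threshold."""
    return {ip for ip, n in unknown.items() if n >= threshold}

def probe_share(connects, unknown):
    """Fraction of connections made by hosts that probed for nonexistent users.
    Approximation: every connection from a probing host is counted as a probe."""
    total = sum(connects.values())
    return sum(connects[ip] for ip in unknown) / total if total else 0.0

if __name__ == "__main__":
    c, u = scan(SAMPLE_LOG)
    print("tarpit candidates:", sorted(tarpit_candidates(u)))
    print(f"probe share of connections: {probe_share(c, u):.0%}")
```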



Re: [OT] distributed spamming

Posted by Jeff Chan <je...@surbl.org>.
On Saturday, December 17, 2005, 12:56:47 PM, Pollywog wrote:
> On 12/17/2005 07:19 pm, Matt Kettler wrote:

>> Spammers of any decent sophistication have rather extensive networks of
>> zombies at their disposal that they can co-ordinate.
>>
>> Does this surprise you at all?

> Yes, because spammers are stupid and I had not seen this sort of distributed 
> spamming before.  It is rather clever because it can go unnoticed if one does 
> not examine the system logs carefully and often.

Google for "botnets".

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: [OT] distributed spamming

Posted by Loren Wilton <lw...@earthlink.net>.
> > Does this surprise you at all?
>
> Yes, because spammers are stupid

Not ALL spammers are stupid.  They probably don't even consider themselves
unethical; but that is a side discussion.

I would say in general that there are two classes of spammers: those that
can make and/or very effectively use tools, and those that are at the script
kiddie level of barely being able to use something they bought for a hundred
bucks and don't have a clue about.

Kinda like mail program authors and knowledgeable admins on the one hand, and
clueless "mail in a box" 'administrators' on the other hand.  :-)

So just as you can find the occasional well-administered mail domain, you
can find the occasional very clever spammer.

        Loren


Re: [OT] distributed spamming

Posted by Pollywog <li...@shadypond.com>.
On 12/17/2005 07:19 pm, Matt Kettler wrote:

> Spammers of any decent sophistication have rather extensive networks of
> zombies at their disposal that they can co-ordinate.
>
> Does this surprise you at all?

Yes, because spammers are stupid and I had not seen this sort of distributed 
spamming before.  It is rather clever because it can go unnoticed if one does 
not examine the system logs carefully and often.


8)


Re: [OT] distributed spamming

Posted by Matt Kettler <mk...@evi-inc.com>.
Pollywog wrote:
> For about two weeks, I have noticed something very odd.  I get connections 
> from mail servers (mostly in Germany) and each server tries to send one spam 
> to a nonexistent user, then a different server (often at a university in 
> Germany) will try with a different recipient, then a few seconds later, 
> another server will try with another guessed username, and it goes on like 
> that for hours at a time.  The odd thing is that it is just one spam at a 
> time.  I don't think I have seen that before.  I usually see a server attempt 
> to send one after another, guessing at the user names.
> 
> Is anyone else seeing anything like that? 

Yeah, for at least a year now.

> How are spammers doing it?

Spammers of any decent sophistication have rather extensive networks of zombies
at their disposal that they can co-ordinate.

Does this surprise you at all?