RE: [Asrg] 2a. Analysis - Spam Sample

2003-11-12 15:44:29

However, my concern is whether this is a sign that people will begin to
attack spam via spam, kind of like a story a while back where a virus
was sent to patch a hole exploitable by another virus.

I try not to voice my concerns in public, they tend to be realised sooner
rather than later.

When I started looking at spam seriously 24 months ago I wrote an internal
report which predicted that spammers would start to use trojan horse
techniques. So the virus problem would quickly become a problem of large
numbers of zombie machines captured by spammers that are then used to
propagate themselves through the spammer sender list instead of the local
address book.

A few months ago we started to see this exact signature, the result being
that instead of receiving a spate of virus infection attempts every few
months I now receive several hundred trojan infection attempts per week.

Viruses are dead; they no longer use the address book to replicate. The
replication list is external and has millions of victims listed.

A spammer can pick and choose the resources they want. Linux boxes were not
usually targeted by viruses; the population is too thin to allow much
propagation. Now that each machine can launch millions of attacks rather
than a few hundred, we are seeing significant numbers of compromised Linux
boxes. These tend to be a more interesting target for a spammer or DDoS
cracker since they are more likely to be connected to high capacity pipes
and less likely to be listed on blacklists of residential dialup/cable modem
lines.

One of the consequences of this is that IP addresses are no longer a very
useful identifier. The spammer can create new addresses faster than they are
listed. 

We have to pull this out somehow. SPF/RMX do actually provide us with some
traction here. You can hijack an IP address by hijacking the machine. But
machines hooked up with DNS names that resolve to them are a different
issue.

                Phill
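The traction Phill describes comes from the fact that SPF ties a sending domain to a published list of authorised IP addresses, so a spammer who has captured a zombie machine controls its IP but cannot make that IP appear in another domain's SPF record. The following is an added example, not code from the ASRG list or from Phill: a minimal offline SPF evaluator in Python. The domain names and address ranges in SPF_RECORDS are constructed stand-ins for the DNS TXT lookups a real checker would perform, and only the ip4, ip6, include and all mechanisms are implemented (a, mx and ptr need live DNS).

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups. The domains and
# address ranges are documentation/example values, not real infrastructure.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.0/26 ~all",
    "nospf.example": None,   # domain that publishes no SPF record
}

# SPF qualifier prefixes and the result they yield when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # implicit qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_host(ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate sender IP against the domain's SPF record.

    Returns pass, fail, softfail, neutral, none (no record) or permerror.
    Mechanisms are tried left to right; the first match decides.
    """
    if depth > 10:                           # guard against include loops
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mechanism, argument in parse_spf(record):
        matched = False
        if mechanism in ("ip4", "ip6"):
            # A bare address is treated as a /32 (or /128) network; an
            # address of the other IP version never matches.
            matched = addr in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_host(ip, argument, records, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            # a/mx/ptr/exists would need DNS; unsupported here (simplification).
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # fell off the end of the record


if __name__ == "__main__":
    # A legitimate relay of example.com versus a hijacked box (constructed
    # zombie IP) forging example.com as the envelope sender.
    for sender_ip in ("192.0.2.25", "203.0.113.5", "203.0.113.100", "10.0.0.1"):
        print(sender_ip, "->", check_host(sender_ip, "example.com"))
    print("10.0.0.1 for nospf.example ->", check_host("10.0.0.1", "nospf.example"))
```

A receiver that gets "fail" for the zombie's address can reject or score the message regardless of whether that IP has reached any blacklist yet, which is the point of the thread: the check keys on the domain's published policy rather than on the churning set of compromised addresses.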

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg